EPIC Supports Formulation 1
Dear ICANN,

We respectfully request that the views of the Electronic Privacy Information Center (EPIC) be considered in the ICANN evaluation of the "Preliminary task force report on the purpose of Whois and of the Whois contacts 18 January, 2006." We understand that the formal deadline for comments expired 8 February 2006. We received no formal notification of this proceeding, and only recently learned from our colleagues in the NCUC that just one comment was provided in support of the privacy of Internet users. Therefore, we ask that you consider our views so that your decision about this important matter will be informed and that, whatever decision you reach, will be based on sufficient information.

We write to express our firm support for "Formulation 1," as this has
been put forward in the Task Force Report. This is almost precisely the
description that EPIC and Privacy International have presented in the
leading report on privacy developments around the globe, Privacy and
Human Rights ("PHR 2004"). In the following text, we excerpt the
conclusions from that report on WHOIS and underscore the key findings.
Further, we draw attention to the growing concerns about identity theft
and the likelihood that a WHOIS policy that makes personal information
widely available will put the privacy and security of Internet users at
substantially greater risk.

[The report may be cited as <Marc Rotenberg and Cedric Laurant, "Privacy and Human Rights: An International Survey of Privacy Laws and Developments" (EPIC and Privacy International 2004)>, available online at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-82586&als[theme]=Privacy%20and%20Human%20Rights&headline=PHR2004, available for sale at http://www.epic.org/bookstore/phr2004/. The excerpts below may be found in the print edition at pages 133-37.]

PHR2004 recognized the important role that the Internet plays in promoting many beneficial services.

WHOIS

In the first quarter of 2004, more than 4.7 million new domain
names were registered. This brings the total number of
registrations to an all time high of 63 million domain names.[521]
Registrants include large and small businesses, individuals, media
organizations, non-profit groups, public interest organizations,
political, and religious organizations, and support groups. These
domain name registrants share their services, ideas, views,
activities, and more by way of websites, e-mail, newsgroups, and
other Internet media. Registrants are required to provide
information in the registration process, which is then made
publicly available.

PHR2004 further discusses the central role of the ICANN in establishing
the registration procedures, as well as many policy issues, for Internet
users.

The Internet Corporation for Assigned Names and Numbers (ICANN), a
private-sector corporation that coordinates policy for the
Internet,[522] has established contractual arrangements with the
registries that manage the top-level domains and the registrars
that sell the domain names to the registrants. ICANN requires
public disclosure on the Internet of domain name registrants'
contact information (such as mailing address, phone number and
e-mail address), administrative contact information, technical
contact information, domain name and servers, and other
information.[523] This information is referred to as "WHOIS" data.
Its public availability has generated concerns over privacy
protection.

PHR2004 expresses concern that the ICANN has not acknowledged the
right of individuals, such as human rights advocates, to maintain
anonymous web addresses.

Under ICANN's WHOIS policy, Internet users are unable to register
for a domain anonymously. The WHOIS database broadly exposes
domain name registrants' personal information to a global
audience, including criminals and spammers.[524] Anyone with
Internet access has access to WHOIS data, including stalkers,
corrupt governments cracking down on dissidents, spammers,
aggressive intellectual property lawyers, and police agents
without legal authority.[525] Even those speaking out for human
rights cannot conceal their identity. While it is true that some
registrants use the Internet to conduct fraud, most domain name
registrants do not, and many have legitimate reasons to conceal
their identities and to register domain names anonymously. For
example, political, artistic and religious groups around the world
rely on the Internet to provide information and express views
while avoiding persecution. Concealing actual identity may be
critical for political, artistic, and religious expression.[526]

PHR2004 acknowledges that WHOIS data can be used for both good and
bad purposes, but most importantly concludes that "the WHOIS database
was not originally intended to allow access for such a variety of
purposes." The original purpose of WHOIS, as PHR2004 makes clear, was
"to allow network administrators to find and fix technical problems
with minimum hassle in order to maintain the stability of the Internet."

WHOIS data lends itself to both good faith and bad faith uses, and
investigating fraud is only one of many uses of WHOIS data.[527]
There now exist various automated data mining procedures that
provide bad-faith users with access to large amounts of personal
data at a time, rather than just individual queries. Web-based
WHOIS services now have to complicate their access procedures, for
example, requiring users to enter number codes before they can
retrieve information. The WHOIS database was not originally
intended to allow access for such a variety of purposes. The
original purpose of WHOIS was instead to allow network
administrators to find and fix technical problems with minimal
hassle in order to maintain the stability of the Internet.

PHR2004 further notes that requiring accurate data without safeguards
for privacy needlessly puts individuals at risk.

ICANN's WHOIS policy requires that registrants provide accurate
WHOIS information, or otherwise forgo a domain name.[528] If a
domain registration is assumed to have inaccurate information,
registrants are contacted and given a very limited amount of time
to address the problem. Data entered at registration may change in
the real world and registrants may forget to update it. They may
lose their domain if they are unable to respond quickly to any
attempts to contact them. Privacy experts have noted that a policy
requiring accurate WHOIS data and then publicly disclosing the
data creates serious implications for free speech.[529]
The ICANN WHOIS policies conflict with national privacy laws,
including the EU Data Protection Directive, which require the
establishment of a legal framework to ensure that when personal
information is collected, it is used only for its intended
purpose. At a recent ICANN meeting, George Papapavlou, a
representative from the European Commission stated that if the
original purpose of the WHOIS database is purely technical, the
rights of access to and collection of that information pertain
solely to that original purpose.[530] Speaking at the "Freedom
2.0" conference held by EPIC in May 2004, Vinton G. Cerf, the
President of ICANN, confirmed directly that the original purpose
of WHOIS was indeed purely technical.[531] As personal information
in the directory is used for other purposes and ICANN's policy
keeps the information public and anonymously accessible, the
database could be found illegal according to many data protection
laws including the European Data Protection Directive.[532]

As the PHR2004 report explains, the collection of information for
a technical purpose would not provide justification for other uses.
Such a conclusion would violate the laws of any country with a modern
privacy regime.

Under European law, technical users would be the only ones with a
legitimate claim to the information. While intellectual property
lawyers and law enforcement officials claim the WHOIS database
must retain all its current data in its public form as a resource
for investigations, the fact that the WHOIS database was
originally created for technical purposes makes it clear that such
claims to the database would be inconsistent with its original
purpose.
In 2003, ICANN's Generic Names Supporting Organization (GNSO)
began a policy development process identifying three issues,
access, data and accuracy, and creating task forces to study and
make recommendations on each. EPIC is serving on one of the WHOIS
task forces. The outcome of the WHOIS Policy Development Process
will have a significant impact on privacy, civil liberties, and
freedom of expression for Internet users.[533] Civil liberties
groups and the Non-Commercial Users Constituency[534] of ICANN
have urged ICANN to limit the use and scope of the WHOIS database
to its original purpose, which is the resolution of technical
network issues, and to establish strong privacy protections based
on internationally accepted privacy standards. This limitation
would entail restricting access to the data, minimizing data
required to only that needed for technical matters, and not
penalizing registrants for protecting their personal information
by entering inaccurate personal data elements.
The task forces have drafted reports[535] on WHOIS policy in these
three areas, yet it is unclear whether the recommendations will
improve privacy protections. Some of the recommendations entail
more privacy risks than safeguards. At the same time, some of the
better recommendations, including some restrictions on access and
data required, may not be accepted by the GNSO Council and the
ICANN Board should they decide to rule on the policy development.
After three years, this policy development process, including the
establishment of previous task forces, has not made any strides
in the protection of privacy and the current problematic policy
remains.

PHR2004 also notes that the prospect of developing policies for access
to WHOIS data could particularly contradict the practices that are
likely to be enforced for ccTLDs in jurisdictions where there are
clear privacy laws.

While ICANN has considerable authority over the development of
WHOIS policies for the generic top-level domains (gTLDs), such as
.com, .org, and .net, it is unclear whether ICANN will be able to
exercise similar control over the country-code top-level domains
(ccTLDs), such as .uk and .de, which may choose to follow national
policies. Significantly, country code Top Level Domains are moving
to provide more privacy protection in accordance with national
law. For example, regarding Australia's TLD, .au, the WHOIS policy
of the .au Domain Administration Ltd (AUDA) states in section 4.2,
"In order to comply with Australian privacy legislation,
registrant telephone and facsimile numbers will not be disclosed.
In the case of id.au domain names (for individual registrants,
rather than corporate registrants), the registrant contact name
and address details also will not be disclosed." In addition, auDA
does not allow bulk access to WHOIS data, which ICANN's gTLDs
do.[536] It is unclear what, if any, indirect effect the GNSO
WHOIS policy development will have on the policies of ccTLDs.
The ICANN WHOIS policy process has continued for several years,
yet has failed to resolve the privacy risks faced by Internet
users that result directly from ICANN's own data practices.

We concluded in 2004 that the ICANN WHOIS policy has "failed to resolve the privacy risks faced by Internet users that *result directly from ICANN's own data practices.*" (emphasis added). This last point is critical: It is ICANN that is placing the privacy and security of Internet users at risk by collecting and making publicly available personal information that need not be collected and certainly should not be disclosed.

We have learned in the United States over the last few years about the extraordinary risks to personal privacy that result from the improper disclosure of personal information. Identity theft has emerged as the #1 crime in the US. According to the US Federal Trade Commission, almost 250,000 ID theft complaints were received by the FTC in 2004. The FTC reports that approximately 10 million Americans each year fall victim to identity theft. The FTC estimates that the annual cost is $53 b to the US economy. Moreover, the FTC found that prosecutions are rare as police investigations are costly, time-consuming and easily stymied.

Has the ICANN given any serious consideration to the likelihood that it
may exacerbate dramatically the risk of identity theft for Internet
users if it makes personal information widely available to anyone with
access to the WHOIS database without any consequences for how that
information is used??
The wisdom of privacy laws has become increasingly self-evident
over the last several years. Those countries that have limited the
disclosure of personal information have simply not experienced the
same level of criminal conduct as have those countries that make
this information widely available.

ICANN has every reason to adopt Formulation 1 from the Preliminary Task Force Report of January 2006:

(1) It is consistent with the original purpose of WHOIS data
(2) It is consistent with the privacy laws of many countries
(3) It is consistent with the best practices of the ccTLDs
that have addressed the WHOIS issue
(4) It will help safeguard the privacy and security of Internet
users

We urge the ICANN to adopt this sensible approach to a very serious issue.

(Further information regarding WHOIS Privacy may be found at the EPIC page, http://www.epic.org/privacy/whois/)

Thank you for your consideration of our views.