EPIC Supports Formulation 1
We respectfully request that the views of the Electronic Privacy Information Center (EPIC) be considered in the ICANN evaluation of the "Preliminary task force report on the purpose of Whois and of the Whois contacts 18 January, 2006." We understand that the formal deadline for comments expired 8 February 2006. We received no formal notification of this proceeding, and only recently learned from our colleagues in the NCUC that just one comment was provided in support of the privacy of Internet users. Therefore, we ask that you consider our views so that your decision about this important matter will be informed and, whatever decision you reach, will be based on sufficient information.
We write to express our firm support for "Formulation 1," as this has been put forward in the Task Force Report. This is almost precisely the description that EPIC and Privacy International have presented in the leading report on privacy developments around the globe, Privacy and Human Rights ("PHR 2004"). In the following text, we excerpt the conclusions from that report on WHOIS and underscore the key findings. Further, we draw attention to the growing concerns about identity theft and the likelihood that a WHOIS policy that makes personal information widely available will put the privacy and security of Internet users at substantially greater risk.
[The report may be cited as <Marc Rotenberg and Cedric Laurant, "Privacy
and Human Rights: An International Survey of Privacy Laws and
Developments" (EPIC and Privacy International 2004)>, available online at
available for sale at http://www.epic.org/bookstore/phr2004/.
The excerpts below may be found in the print edition at pages 133-37.]
PHR2004 recognized the important role that the Internet plays in promoting many beneficial services.
WHOIS
In the first quarter of 2004, more than 4.7 million new domain names were registered. This brings the total number of registrations to an all-time high of 63 million domain names. Registrants include large and small businesses, individuals, media organizations, non-profit groups, public interest organizations, political, and religious organizations, and support groups. These domain name registrants share their services, ideas, views, activities, and more by way of websites, e-mail, newsgroups, and other Internet media. Registrants are required to provide information in the registration process, which is then made publicly available.
PHR2004 further discusses the central role of the ICANN in establishing the registration procedures, as well as many policy issues, for Internet users.
The Internet Corporation for Assigned Names and Numbers (ICANN), a private-sector corporation that coordinates policy for the Internet, has established contractual arrangements with the registries that manage the top-level domains and the registrars that sell the domain names to the registrants. ICANN requires public disclosure on the Internet of domain name registrants' contact information (such as mailing address, phone number and e-mail address), administrative contact information, technical contact information, domain name and servers, and other information. This information is referred to as "WHOIS" data. Its public availability has generated concerns over privacy protection.
PHR2004 expresses concern that the ICANN has not acknowledged the right of individuals, such as human rights advocates, to maintain anonymous web addresses.
Under ICANN's WHOIS policy, Internet users are unable to register for a domain anonymously. The WHOIS database broadly exposes domain name registrants' personal information to a global audience, including criminals and spammers. Anyone with Internet access has access to WHOIS data, including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual property lawyers, and police agents without legal authority. Even those speaking out for human rights cannot conceal their identity. While it is true that some registrants use the Internet to conduct fraud, most domain name registrants do not, and many have legitimate reasons to conceal their identities and to register domain names anonymously. For example, political, artistic and religious groups around the world rely on the Internet to provide information and express views while avoiding persecution. Concealing actual identity may be critical for political, artistic, and religious expression.
PHR2004 acknowledges that WHOIS data can be used for both good and bad purposes, but most importantly concludes that "the WHOIS database was not originally intended to allow access for such a variety of purposes." The original purpose of WHOIS, as PHR2004 makes clear, was "to allow network administrators to find and fix technical problems with minimum hassle in order to maintain the stability of the Internet."
WHOIS data lends itself to both good faith and bad faith uses, and investigating fraud is only one of many uses of WHOIS data. There now exist various automated data mining procedures that provide bad-faith users with access to large amounts of personal data at a time, rather than just individual queries. Web-based WHOIS services now have to complicate their access procedures, for example, requiring users to enter number codes before they can retrieve information. The WHOIS database was not originally intended to allow access for such a variety of purposes.
The original purpose of WHOIS was instead to allow network administrators to find and fix technical problems with minimal hassle in order to maintain the stability of the Internet.
PHR2004 further notes that requiring accurate data without safeguards for privacy needlessly puts individuals at risk.
ICANN's WHOIS policy requires that registrants provide accurate WHOIS information, or otherwise forgo a domain name. If a domain registration is assumed to have inaccurate information, registrants are contacted and given a very limited amount of time to address the problem. Data entered at registration may change in the real world and registrants may forget to update it. They may lose their domain if they are unable to respond quickly to any attempts to contact them. Privacy experts have noted that a policy requiring accurate WHOIS data and then publicly disclosing the data creates serious implications for free speech. The ICANN WHOIS policies conflict with national privacy laws, including the EU Data Protection Directive, which require the establishment of a legal framework to ensure that when personal information is collected, it is used only for its intended purpose. At a recent ICANN meeting, George Papapavlou, a representative from the European Commission, stated that if the original purpose of the WHOIS database is purely technical, the rights of access to and collection of that information pertain solely to that original purpose. Speaking at the "Freedom 2.0" conference held by EPIC in May 2004, Vinton G. Cerf, the President of ICANN, confirmed directly that the original purpose of WHOIS was indeed purely technical. As personal information in the directory is used for other purposes and ICANN's policy keeps the information public and anonymously accessible, the database could be found illegal according to many data protection laws including the European Data Protection Directive.
As the PHR2004 report explains, the collection of information for a technical purpose would not provide justification for other uses. Such a conclusion would violate the laws of any country with a modern privacy regime.
Under European law, technical users would be the only ones with a legitimate claim to the information. While intellectual property lawyers and law enforcement officials claim the WHOIS database must retain all its current data in its public form as a resource for investigations, the fact that the WHOIS database was originally created for technical purposes makes it clear that such claims to the database would be inconsistent with its original purpose.
In 2003, ICANN's Generic Names Supporting Organization (GNSO) began a policy development process identifying three issues, access, data and accuracy, and creating task forces to study and make recommendations on each. EPIC is serving on one of the WHOIS task forces. The outcome of the WHOIS Policy Development Process will have a significant impact on privacy, civil liberties, and freedom of expression for Internet users. Civil liberties groups and the Non-Commercial Users Constituency of ICANN have urged ICANN to limit the use and scope of the WHOIS database to its original purpose, which is the resolution of technical network issues, and to establish strong privacy protections based on internationally accepted privacy standards. This limitation would entail restricting access to the data, minimizing data required to only that needed for technical matters, and not penalizing registrants for protecting their personal information by entering inaccurate personal data elements. The task forces have drafted reports on WHOIS policy in these three areas, yet it is unclear whether the recommendations will improve privacy protections. Some of the recommendations entail more privacy risks than safeguards. At the same time, some of the better recommendations, including some restrictions on access and data required, may not be accepted by the GNSO Council and the ICANN Board should they decide to rule on the policy development.
After three years, this policy development process, including the establishment of previous task forces, has not made any strides in the protection of privacy and the current problematic policy remains.
PHR2004 also notes that the prospect of developing policies for access to WHOIS data could particularly contradict the practices that are likely to be enforced for ccTLDs in jurisdictions where there are clear privacy laws.
While ICANN has considerable authority over the development of WHOIS policies for the generic top-level domains (gTLDs), such as .com, .org, and .net, it is unclear whether ICANN will be able to exercise similar control over the country-code top-level domains (ccTLDs), such as .uk and .de, which may choose to follow national policies. Significantly, country code Top Level Domains are moving to provide more privacy protection in accordance with national law. For example, regarding Australia's TLD, .au, the WHOIS policy of the .au Domain Administration Ltd (auDA) states in section 4.2, "In order to comply with Australian privacy legislation, registrant telephone and facsimile numbers will not be disclosed. In the case of id.au domain names (for individual registrants, rather than corporate registrants), the registrant contact name and address details also will not be disclosed." In addition, auDA does not allow bulk access to WHOIS data, which ICANN's gTLDs do. It is unclear what, if any, indirect effect the GNSO WHOIS policy development will have on the policies of ccTLDs. The ICANN WHOIS policy process has continued for several years, yet has failed to resolve the privacy risks faced by Internet users that result directly from ICANN's own data practices.
We concluded in 2004 that the ICANN WHOIS policy has "failed to resolve the privacy risks faced by Internet users that *result directly from ICANN's own data practices.*" (emphasis added).
This last point is critical: It is ICANN that is placing the privacy and security of Internet users at risk by collecting and making publicly available personal information that need not be collected and certainly should not be disclosed.
We have learned in the United States over the last few years about the extraordinary risks to personal privacy that result from the improper disclosure of personal information.
Identity theft has emerged as the #1 crime in the US. According to the US Federal Trade Commission, almost 250,000 ID theft complaints were received by the FTC in 2004. The FTC reports that approximately 10 million Americans each year fall victim to identity theft. The FTC estimates that the annual cost is $53 billion to the US economy. Moreover, the FTC found that prosecutions are rare as police investigations are costly, time-consuming and easily stymied.
Has the ICANN given any serious consideration to the likelihood that it may exacerbate dramatically the risk of identity theft for Internet users if it makes personal information widely available to anyone with access to the WHOIS database without any consequences for how that information is used? The wisdom of privacy laws has become increasingly self-evident over the last several years. Those countries that have limited the disclosure of personal information have simply not experienced the same level of criminal conduct as have those countries that make this information widely available.
ICANN has every reason to adopt Formulation 1 from the Preliminary Task Force Report of January 2006:
(1) It is consistent with the original purpose of WHOIS data
(2) It is consistent with the privacy laws of many countries
(3) It is consistent with the best practices of the ccTLDs that have addressed the WHOIS issue
(4) It will help safeguard the privacy and security of Internet users
We urge the ICANN to adopt this sensible approach to a very serious issue.
(Further information regarding WHOIS Privacy may be found at the EPIC page, http://www.epic.org/privacy/whois/)
Thank you for your consideration of our views.