EPIC Comments on Whois Task Force Report
January 12, 2007
EPIC respectfully submits the following comments regarding the GNSO Whois Task Force's "Preliminary Task Force Report on Whois Services." EPIC supports the Operational Point of Contact proposal for the removal of registrants' contact information, namely postal addresses, phone and fax numbers and email addresses from the Whois database. The protection of individuals' privacy further requires the removal of registrants' names and countries of origin from the database. The Noncommercial Users Constituency similarly concludes that it is unnecessary to publish the name and jurisdiction of registrants, and EPIC supports their comments on this point.
Current Whois policy requires that domain name registrants' names, mailing addresses, e-mail addresses, telephone numbers, and fax numbers be made publicly available. In its preliminary report, the Whois Task Force agrees that new mechanisms to restrict contact data from publication should be adopted to address privacy concerns.
Several international organizations have addressed the issue of Whois privacy, and these experts are in consensus that registrants should not be compelled to disclose personal information. These organizations include the International Working Group on Data Protection in Telecommunications, the Article 29 Working Party, and the Directorate General of Internal Markets for the European Commission. Each of these organizations criticized the mandatory publication of users' personal information, and noted that Whois should be used only for its original, technical purposes.
On April 12, 2006, the GNSO Council adopted a working definition of the purpose of Whois that restricts use of Whois data to its original purpose: the resolution of issues related to the configuration of the records associated with the domain name.
In Privacy and Human Rights ("PHR2005"), the leading report on privacy developments around the world, EPIC and Privacy International highlight the risks of publishing personal data unnecessarily. In the following text, we excerpt the conclusions from that report on Whois and underscore the key findings.
PHR2005 draws attention to the growing concerns about identity theft and the likelihood that a Whois policy that makes personal information widely available puts the privacy and security of Internet users at substantially greater risk.
According to the US Federal Trade Commission, over 255,000 ID theft complaints were received by the FTC in 2005. Identity theft has emerged as the #1 crime in the US. The Better Business Bureau reports that approximately 10 million Americans each year fall victim to identity theft. The Better Business Bureau estimates that the annual cost is $57 billion to the US economy. Moreover, the FTC finds that prosecutions are rare as police investigations are costly, time-consuming and easily stymied.
In addition, PHR2005 notes that current ICANN Whois policies that require the publication of registrants' information conflict with national privacy laws.
The ICANN Whois policies conflict with national privacy laws, including the EU Data Protection Directive, which require the establishment of a legal framework to ensure that when personal information is collected, it is used only for its intended purpose. At a recent ICANN meeting, George Papapavlou, a representative from the European Commission, stated that if the original purpose of the Whois database is purely technical, the rights of access to and collection of that information pertain solely to that original purpose. Speaking at the "Freedom 2.0" conference held by EPIC in May 2004, Vinton G. Cerf, the President of ICANN, confirmed directly that the original purpose of Whois was indeed purely technical. As personal information in the directory is used for other purposes and ICANN's policy keeps the information public and anonymously accessible, the database could be found illegal according to many data protection laws including the European Data Protection Directive.
Under European law, technical users would be the only ones with a legitimate claim to the information. While intellectual property lawyers and law enforcement officials claim the Whois database must retain all its current data in its public form as a resource for investigations, the fact that the Whois database was originally created for technical purposes makes it clear that such claims to the database would be inconsistent with its original purpose.
Finally, PHR2005 also notes that public access to Whois data could particularly contradict the practices that are likely to be enforced for ccTLDs in jurisdictions where there are clear privacy laws.
Significantly, country code Top Level Domains are moving to provide more privacy protection in accordance with national law. For example, regarding Australia's TLD, .au, the Whois policy of the .au Domain Administration Ltd (AUDA) states in section 4.2, "In order to comply with Australian privacy legislation, registrant telephone and facsimile numbers will not be disclosed. In the case of id.au domain names (for individual registrants, rather than corporate registrants), the registrant contact name and address details also will not be disclosed." In addition, auDA does not allow bulk access to Whois data, which ICANN's gTLDs do.
The OPoC proposal correctly recognizes that registrants' contact information is not necessary to the original purpose of Whois and that the public posting of Whois information exposes registrants to "undesirable behaviours like renewal scams, data-mining, phishing, identity theft, and so on". The removal of registrants' personal information and use of an intermediary contact for communication with registrants fulfills Whois' technical purpose while protecting the privacy and security of registrants.
The removal of registrants' contact information from the Whois database is an important first step toward protecting the privacy rights of individuals. However, EPIC disagrees with the OPoC's proposal to continue to publish registrants' names and countries of origin. The task force stated that the publication of registrants' names and countries of origin would assist third parties considering or pursuing enforcement actions; this is beyond the scope of the purpose of Whois data, as confirmed by the definition adopted by GNSO Council.
In addition to being outside of the purpose of Whois, the publication of registrants' personal information creates serious implications for free speech. PHR2005 expresses concern that the ICANN has not acknowledged the right of individuals, such as human rights advocates, to maintain anonymous web addresses.
Under ICANN's Whois policy, Internet users are unable to register for a domain anonymously. The Whois database broadly exposes domain name registrants' personal information to a global audience, including criminals and spammers. Anyone with Internet access has access to Whois data, including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual property lawyers, and police agents without legal authority. Even those speaking out for human rights cannot conceal their identity. While it is true that some registrants use the Internet to conduct fraud, most domain name registrants do not, and many have legitimate reasons to conceal their identities and to register domain names anonymously. For example, political, artistic and religious groups around the world rely on the Internet to provide information and express views while avoiding persecution. Concealing actual identity may be critical for political, artistic, and religious expression.
Agencies such as the American Red Cross have found Whois data to be a helpful tool in pursuing the registrants of fraudulent websites. The Operational Point of Contact proposal should not hinder enforcement activities; registrants' information would still be collected by the registrars, and would still be accessible for law enforcement purposes by regular legal channels such as subpoenas. Further, the Operational Point of Contact information could be used to communicate cease and desist letters for fraudulent websites. This is no different from the Red Cross' current practice of using technical contact details to notify a registrant's hosting company of unauthorized or fraudulent activity.
The removal of all registrant information, including names, addresses, phone and fax numbers, and email addresses from the Whois database is necessary for the protection of the privacy of registrants. We concluded in 2005 that the ICANN Whois policy has "failed to resolve the privacy risks faced by Internet users that result directly from ICANN's own data practices".
We urge the ICANN to remove all registrants' information from the Whois database, and instead publish an Operational Point of Contact who can contact the registrant if necessary to resolve issues related to the configuration of the records associated with the domain name.
Thank you for your consideration of our views.
International Working Group on Data Protection in Telecommunications:
Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet
Article 29 Working Party: Opinion 2/2003 on the application of the data protection principles to the Whois directories http://europa.eu.int/comm/justice_home/fsj/.../docs/wpdocs/2003/wp76_en.pdf
Directorate General of Internal Markets for the European Commission:
Contribution of the European Commission to the general discussion on the Whois database raised by the Reports produced by the ICANN Whois Task Force
Privacy and Human Rights: An International Survey of Privacy Laws and Developments (EPIC and Privacy International 2005)
Available for sale at http://epic.org/bookstore/phr2005/phr2005.html
Federal Trade Commission: Consumer Fraud and Identity Theft Complaint Data Report (2005) http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf
EPIC Brief Amicus Curiae of EPIC, Peterson v. Nat. Telecomm. & Info. Admin., No. 06-1216 (4th Cir. Apr. 24, 2006).
EPIC Testimony Before House Subcommittee, Financial Institutions and Consumer Credit, Committee on Financial Services "ICANN and the WHOIS Database: Providing Access to Protect Consumers from Phishing"
EPIC Whois Page http://www.epic.org/privacy/whois