Re: [alac] Proposed ALAC restatement on WHOIS (draft2)

[Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>]

In February 2003, the Interim At-Large Advisory Committee issued a
formal statement on the issues of WHOIS accuracy and bulk access,
<http://alac.icann.org/whois/whois_final_report_accuracy-20feb03.htm>.
At the time, we remarked on the privacy concerns raised by the
policy mandating that domain name registrants submit accurate and
truthful identifying information while giving them no opportunity to
protect that information from disclosure or public display.

Accuracy was only half the equation, with privacy protections the
necessary complement.
 
Although we did not then seek to delay enforcement of accuracy
requirements, we recommended that work be commenced swiftly to give
registrants more and better privacy options.  We concluded that:
 
     The Task Force's recommendations to systematically enforce the
     accuracy of WHOIS data shift the existing balance between the
     interests of data users and data subjects in favor of data
     users. In an environment where registrants have perceived
     "inaccurate" data to be one of the most practical methods for
     protecting their privacy, this shift of balance is reason for
     concern. It will inevitably increase the need for privacy
     protection mechanisms to be built into the contractual
     framework.

Unfortunately, there has been no progress since February.  Indeed,
on the privacy front, there has been regress.  Domain name
registrants are forbidden from using pseudonyms or fuzzy,
"inaccurate" data in order to protect their privacy, and risk losing
their domain name due to "improved" accuracy enforcement. Yet there
are no new safeguards or mechanisms by which they can shield their
identifying details from disclosure.  As many feared at the time the
GNSO mandated stricter enforcement of "accuracy" on registrants and
registrars, domain name registrants (including members of the
at-large public) lose out.
 
The small businessperson working from a home office must list that
home address and telephone number, as must the weblogger who wishes
to publish at her own domain name.  The political dissident who
wants to criticize his country's political regime is told to
disclose his identity or find a trustworthy friend who is willing to
do so instead.  Domain names are indisputably a tool of online
expression, on an Internet in which individuals can speak alongside
corporations and governments, yet many individuals are chilled by
the prospect of signing a "speakers' registry" before they can
participate fully.

Proxy or escrow services, proposed by many as a privacy solution,
have not developed to fill the gap.  They do not work in practice,
giving up the names of their clients on a mere request; and even in
theory they are a poor second-best for registrants seeking full
control of their identities.  The public deserves better.

It is time for ICANN to move forward on privacy.

One simple solution, requiring no new infrastructure, would be to
make all data fields in WHOIS optional, allowing domain name
registrants themselves to make the choice between contactability and
privacy.  A more complete solution would also permit registrants to
give accurate information to their registrars without putting that
into the generally-accessible WHOIS (the online equivalent of an
unlisted telephone number).
 
 
ICANN owes it to the Internet-using public to complete the equation
begun early this year.  It should remedy the imbalance between data
users and data subjects by allowing registrants to limit data
collection and disclosure in domain name registration and WHOIS, and
should do so without delay.