ICANN's WHOIS Policy Letter


WHOIS Letter to ICANN


28 October 2003

Mr. Paul Twomey
President and Chief Executive Officer
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6601
United States of America


Dear Mr. Twomey,

We write to you, on behalf of many consumer and civil liberties organizations from around the world, regarding the significant privacy issues surrounding the WHOIS database and the need to ensure that strong privacy safeguards are established. ICANN has moved aggressively to establish accuracy requirements for domain name registrants, but has failed to establish corresponding protections for personal information that is provided. As representatives of Internet users around the world, we are keen to ensure that the policies developed for the WHOIS database respect the freedom of expression and the privacy of every individual who registers Internet domains.

Many organizations, consumer advocates, and technical experts have advocated strong protection for privacy interests. Those privacy concerns have not thus far been adequately addressed. We hope that our comments will be given due consideration during the WHOIS workshop at the upcoming ICANN meetings in Carthage, Tunisia.

1. The main purpose of the WHOIS database should be to resolve technical network issues, the most important being spam.

The WHOIS database was originally intended to allow network administrators to find and fix problems to maintain the stability of the Internet. It now exposes domain name registrants' personal information to many other users for many other purposes unrelated to network access. Anyone with Internet access can now have access to WHOIS data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers. The original purpose for WHOIS should be reestablished.

One of the most important technical problems that threaten public use of the Internet today is spam. A sensible WHOIS policy would improve contact-ability and data accuracy for network administrators. It would not make personal information more widely accessible to third parties.

2. The use and management of the WHOIS database without adequate data protection safeguards raises risks for domain name holders' right to privacy and freedom of expression.

Users of domain names have a legitimate and reasonable expectation of privacy. There are many users, particularly in the non-commercial world, who have valid reasons to conceal their identities or to register domain names anonymously. Although there are some domain name registrants who use the Internet to conduct fraud or to infringe on other people's or companies' intellectual property rights, we believe that a sensible privacy policy for WHOIS must protect the legitimate privacy expectations for domain registrants.

First, for domain name registrars to compel registrants to disclose personal information, even information related to domain registration, poses dangers to freedom of expression and privacy on the Internet. Many domain name registrants--and particularly noncommercial users--do not wish to make public the information that they furnished to registrars. Some of them may have legitimate reasons to conceal their actual identities or to register domain names anonymously. For example, there are political, cultural, religious groups, media organizations, non-profit and public interest groups around the world that rely on anonymous access to the Internet to publish their messages. Anonymity may be critical to them in order to avoid persecution.

Second, WHOIS data should not be available to just anyone who happens to have access to the Internet. It is well known that broad access to personal information online contributes to fraud such as identity theft. The US Federal Trade Commission (FTC) advises consumers to protect themselves from identity theft, and generally from Internet-related frauds, by not disclosing personally identifiable information. The mandatory publication of WHOIS data is contrary to the FTC's advice.

We urge ICANN to consider the views of consumer organizations and civil liberties groups on the WHOIS. At a minimum, we believe that adequate privacy safeguards should include the following principles:

  • The purposes for which domain name holders' personal data may be collected and published in the WHOIS database have to be specified; they should, as a minimum, be legitimate and compatible with the original purpose for which this database was created; and this original purpose cannot be extended to other purposes simply because they are considered desirable by some users of the WHOIS database;
  • The most relevant purpose for collecting WHOIS data is to combat spam;
  • The amount of data collected and made publicly available in the course of the registration of a domain name is limited to what is essential to fulfill the purposes specified;
  • Any secondary use that is incompatible with the original purpose specified requires the individual's freely given and informed consent;
  • The publication of individuals' personal information on the Internet through the WHOIS database should not be mandatory; it should be possible for individuals to register domain names without their personal information appearing on a publicly available register; and
  • Disclosure of WHOIS information to a law enforcement official or in the context of civil litigation must be pursuant to explicit legal authority set out in statute.



Such a policy would not frustrate lawful criminal investigations. It would instead establish necessary privacy safeguards, and reduce the risk that the widespread availability of WHOIS information will lead to greater fraud and more spam, and jeopardize freedom of expression.



Respectfully submitted,



Signatories:


American Library Association, http://www.alawash.org

USA

 

ANSOL - Associação Nacional para o Software Livre, http://www.ansol.org

PORTUGAL

 

Association Electronique Libre, http://www.ael.be

BELGIUM

 

Association for Progressive Communication, http://www.apc.org

USA

 

Australian Council for Civil Liberties, http://www.nswccl.org.au/

AUSTRALIA

 

Australian Privacy Foundation, http://www.privacy.org.au/

AUSTRALIA

 

Canadian Internet Policy and Public Interest Clinic (CIPPIC), http://www.commonlaw.uottawa.ca/tech/html/lawclinic.html

CANADA

 

Centre de Coordination pour la Recherche et l'Enseignement en Informatique et Société (CREIS), http://www.creis.sgdg.org

FRANCE

 

Centre de Ressources pour la Promotion des Droits des Personnes Handicapées (CRPH)

SENEGAL

 

Common Cause, http://www.CommonCause.org

USA

 

Computer Professionals for Social Responsibility, http://www.cpsr.org

USA

 

Consumer Action, http://www.consumer-action.org

USA

 

Consumer Federation of America, http://www.cfa.org

USA

 

Consumer Project on Technology, http://www.cptech.org

USA

 

Cyber-Rights & Cyber-Liberties, http://www.cyber-rights.org

UK

 

Digital Rights, http://www.digitalrights.dk

DENMARK

 

Ekpizo (Consumers' Association for the Quality of Life), http://www.ekpizo.org.gr/

GREECE

 

Electronic Frontier Argentina

ARGENTINA

 

Electronic Frontiers Australia Inc. (EFA), http://www.efa.org.au

AUSTRALIA

 

Electronic Frontier Finland, http://www.effi.org

FINLAND

 

Electronic Frontier Foundation, http://www.eff.org

USA

 

Electronic Frontier Italy (ALCEI), http://www.alcei.it

ITALY

 

Electronic Privacy Information Center, http://www.epic.org

USA

 

Fairfax County Privacy Council

USA

 

Fédération Informatique et Libertés, http://www.vie-privee.org/

FRANCE

 

Foundation for Information Policy Research, http://www.fipr.org

UK

 

HANDICAP FormEduC (Formation Education Communication et Culture)

SENEGAL

 

Imaginons un Réseau Internet Solidaire (IRIS), http://www.iris.sgdg.org

FRANCE

 

Information Network for the Third Sector – Rede de Informações para o Terceiro Setor (RITS), http://www.rits.org.br

BRAZIL

 

Instituto de Investigación para la Justicia, http://www.iijusticia.edu.ar

ARGENTINA

 

IP Justice, http://www.ipjustice.org

USA

 

Junkbusters, http://www.junkbusters.com

USA

 

LatinoamerICANN, http://latinoamericann.derecho.org.ar/

PERU

 

LINK Centre, http://link.wits.ac.za/

SOUTH AFRICA

 

Media Access Project, http://www.mediaaccess.org

USA

 

NetAction, http://www.netaction.org

USA

 

Netzwerk Neue Medien e.V. (Network for New Media), http://www.nnm-ev.de

GERMANY

 

New South Wales Council for Civil Liberties, http://www.nswccl.org.au

AUSTRALIA

 

Petition.hu

HUNGARY

 

PrivacyActivism, http://www.privacyactivism.org

USA

 

Privacy Rights Clearinghouse, http://www.privacyrights.org

USA

 

Privacy Rights Now Coalition, http://www.privacyrightsnow.com/default_content.htm

USA

 

Privacy Times, http://www.privacytimes.com

USA

 

Privacy Ukraine, http://www.internetrights.org.ua

UKRAINE

 

Private Citizen, Inc., http://www.private-citizen.com

USA

 

Privaterra - An ongoing project of CPSR, http://www.privaterra.org

USA

 

Projet Garentic (Groupe Africain de Recherche et d’Etude sur les Nouvelles Technologies de l’Information et de la Communication), http://www.garentic.org

SENEGAL

 

Public Interest Advocacy Centre, http://www.piac.ca

CANADA

 

Quintessenz, http://quintessenz.org

AUSTRIA

 

Statewatch, http://www.statewatch.org

UK

 

STOP1984, http://www.stop1984.org

GERMANY

 

Studentski domovi v Ljubljani - lokacija Rozna dolina

SLOVENIA

 

Think Centre, http://www.thinkcentre.org

SINGAPORE

 

Taiwan Association for Human Rights (TAHR), http://www.tahr.org.tw

TAIWAN

 

ConcertAction Femmes Estrie, http://www.femmesenestrie.qc.ca/cafe/

CANADA

 

US Public Policy Committee of the Association for Computing Machinery (USACM), http://www.acm.org/usacm/

USA

 

VECAM, http://www.vecam.org

FRANCE

 

VIBE!AT - Verein für Internet-Benutzer Österreichs, http://www.vibe.at/

AUSTRIA

 

Virtual Activism USA, http://www.virtualactivism.org

USA





 

 
