Non-Commercial Users Constituency Statement on WHOIS Task Force 2
April 2004
The Noncommercial Users Constituency (NCUC) represents the views of one of the largest and most dynamic set of domain name registrants: the noncommercial community, including human rights organizations, political and civil liberties groups, libraries and archives, families, hobbyists, technologists, universities and academics, and organizations bringing the Internet and new technologies to developing countries.
We note the importance of our group as highlighted by W.G. Champion Mitchell, chair and CEO of Network Solutions (the largest ICANN-accredited registrar) to the ICANN Board in the public forum of the ICANN meeting in Rome: “I WOULD LIKE TO SPEAK WITH YOU, HOWEVER, AND TRY TO SPEAK WITH A VOICE OF A CONSTITUENCY THAT IS NOT BEING HEARD TODAY, THE MOST IMPORTANT CONSTITUENCY THAT EXISTS, THE ONE THAT I AM SURE YOU CARE ABOUT GREATLY, AND I KNOW I CARE ABOUT GREATLY, AND THAT IS THE AVERAGE USER OF THE INTERNET AND OF OUR SERVICES.”
In analyzing the data elements of the WHOIS, and what data elements should be removed and revised, it is critical for TF2 to consider closely the concerns of those who are the domain name owners – those who data is subject to the use and abuse of the WHOIS database/directory.
The Noncommercial Users Constituency submits:
1) TF2 and ICANN must recognize the well established data protection principle that the purpose of data and data collection processes must be well defined before policies regarding its use and access can be established. The purpose of Whois originally was identification of domain owners for purposes of solving technical and operational problems. See, for example, comments of European Commission, Internal Marketing DG, http://www.dnso.org/dnso/notes/ec-comments-whois-22jan03.pdf. (The purpose was *not* to provide law enforcement and other self policing interests with a means of circumventing normal due process requirements for gaining access to contact information.) None of the current Whois Task Forces are mandated to revise the purpose of the Whois directory. Therefore, the original technical and operational purpose of the WHOIS database/directory must be assumed until and unless ICANN initiates a new policy development process to change it.
2) Under no circumstances (now or in the future) may the purposes of a tool mandated by ICANN or maintained under the terms of an ICANN contract be greater than the purpose of ICANN itself. According to ICANN’s recently revised agreement with the US Department of Commerce, ICANN’s purpose is straight-forward: “the technical management of the DNS.” Amendment 6 to ICANN/DOC MOU, http://www.icann.org/general/amend6-jpamou-17sep03.htm. The WHOIS database/directory must exist, if at all, to serve no more than technical and operational purposes within ICANN’s scope of authority.
3) ICANN has no legal or moral authority to preempt and supercede national law national privacy protections accorded by many countries to their citizens and residents. There are numerous countries with comprehensive privacy laws in European and throughout the world. The original of many of these privacy principles dates back to the human rights abuses of World War II and the Holocaust. That ICANN’s contracts require collection and disclosure of personal data in excess of national law is clear from the comments of the EC, the Article 29 Data Protection Working Party, and the International Working Group on Data Protection in Telecommunications to TF2 and its predecessor. In light of such clear concern and opposition to the WHOIS data elements, ICANN must change its practices to not conflict with closely-held and much-valued privacy laws and principles.
4) ICANN must stop putting ICANN-accredited registrars and thick registries in an untenable position: the need to comply with the ICANN-mandated collection and disclosure of personal data of DN registrants vs. legal obligations to comply with their country’s laws and the laws of the country in which the DN registrant is located. Complaints are already being filed against registrars in EU countries; EU data protection commissioners are already contacting ccTLDs and gTLDs (e.g., .NAME) to change their registrant collection and disclosure practices; and the Italian Data Protection Authority’s Secretary-General made clear at the ICANN meeting in Rome that he will begin serious enforcement of Italian Privacy Law not only against Italy-based registrars and registries, but also in some cases, against registrars and registries based outside of Italy, but working with the registrants within Italy. Registrars and registries must be allowed to comply with national law regarding collection, disclosure and transborder transfer of personal data absent superceding contractual obligations of ICANN.
5) ICANN must stay out of the battles over freedom of expression v. intellectual property expansion online. The NCUC submits that WHOIS was never intended to be a list of all speakers or a single point for all content policing. Further, the laws of some countries, such as the US, protect anonymous political and personal speech as a fundamental value of open and democratic societies. It is not for the ICANN community to second-guess or supercede these values of free speech and freedom of expression.
6) No amount of secondary use of WHOIS date justifies setting aside fundamental principles of freedom of expression and personal privacy as a matter of ICANN policy. Certainly intellectual property and law enforcement are aided in having huge amounts of information regarding content providers available instantaneously. But so too are those engaged in identity theft, stalking, abuse of intellectual property, law enforcement illegalities, and other abuses (see further discussion below). Both intellectual property owners and law enforcement, for legitimate purposes, have tremendous powers to command information under due process procedures; what they need and are entitled to, they can legally and expeditiously obtain. But, the mere fact that a private data field, once disclosed, has valuable secondary uses does not override a registrant's privacy rights. By analogy, we note that millions of people around the world routinely use digitized, copyrighted music files through peer-to-peer networks (and feel justified in doing so, and that there is no available substitute for their method of access). However, in making public policy on file-sharing, we do not simply take a public opinion poll of those users. We take into consideration the existing legal rights of producers of the music, and NCUC asserts that the same principle must be applied to the WHOIS.
Accordingly, and in light of the concerns, national laws and principles set out above, the NCUC strongly urges WHOIS TF2 and ICANN to:
1) Remove from the WHOIS database/directory those data elements that identify the registrant directly, namely: Registrant and Administrative Contact (which for small organizations, families, individuals, and many others, is the same as the registrant).
2) ICANN must remove from the Registrar Accreditation Agreements requirements that registrars collect and disclose registrant and administrative contact data to the world in the globally available WHOIS database. [RAA]
3) ICANN must remove requirements that anyone serving as a proxy and providing privacy and anonymity for domain name registrants, as protected by national law, disclose the data for reasons short of due process (including unsubstantiated threats against the registrant or to the registry or registrar). [RAA]
4) The WHOIS database/directory will operate within the bounds of the ICANN technical mandate and the bounds of data protection laws if: the WHOIS listing provides the following important fields: technical contact, registry [new field], registrar [new field], and name servers of the registrant.
Appendix:
Sections of NCUC comments regarding abuses of WHOIS data
Submitted February 2004 to TF2, in its data gathering phase
The Noncommercial Users Constituency (NCUC) has tremendous concerns with the collection of many WHOIS data elements. We are concerned about making contact information available unconditionally and anonymously to the public, companies, and governments without accountability, auditability or due process. Such a requirement is contrary to national law and policy. NCUC calls on Whois Task Force 2 to correct the situation by reforming WHOIS to better protect privacy and freedom of expression.
We address the data elements of concern below, and offer an array of reasons for the harm and threat their complete and full disclosure may pose to domain name registrants in the noncommercial community.
I. Personal WHOIS Data Reveal Peoples’ Homes and Families
WHOIS Data Elements of Concern:
Group A: Personal Data
Registrant Name
Registrant Address
Registrant Phone Number
Registrant Email
Administrative Contact Address
Administrative Contact Phone Number
Administrative Contact Email
For small organizations, the same person almost invariably serves as the domain name registrant and the administrative contact. Thus, the Administrative Contact address and phone fields raise the same privacy concerns as those of the corresponding Registrant fields.
The NCUC does not seek to be inflammatory, but the harms raised by the forced collection and publication of personal information in data fields cannot be taken lightly. Such harms, as we outline in brief below, cannot be discounted or dismissed. Such harms include:
* Identity Theft
* Spamming and other Forms of Email and Phone Harassment
* Stalking
* Unwarranted Threats from Overly Broad Intellectual Property Claims
* Unwarranted Surveillance and Threats from Companies, Government, and Law
* Basic Violations of Personal Privacy
A. IDENTITY THEFT
Identity theft is a common and growing problem. It is the subject of considerable information and advice from consumer and government groups worldwide. The fundamental piece of advice for preventing identity theft remains: don’t give out your personal information online.
Yet registering a domain name, even for noncommercial community, requires the disclosure of exactly the type of personal data, such as name, address, phone and email, that we are urged not to give out online – and certainly not to allowed published in global forms available to all.
TF2 should use the change of WHOIS practices to remove, or allow the opting-out, of fields which assist Identity Theft.
B. TELEMARKETING, SPAMMING AND OTHER FORMS OF EMAIL AND PHONE HARASSMENT
The global publication of email addresses and phone numbers creates the means for people to be harassed by phone and email: through crank calls, telemarketing, and especially spam. With the current publication of all elements, without any opting-out option, this information is freely available for any fraudulent or spamming entity to use and abuse. Revealing this information to the world should not be a condition of registering a domain name or posting expression online.
C. STALKING
One home address can lead to stalking and lead to death. Unfortunately, over a million people in the US have been stalked. One stalking website described the harsh reality:
“High-profile cases of celebrities being stalked have raised the public's awareness to this crime. But the majority of stalking victims are ordinary people, mostly women, who are being pursued and threatened by someone with whom they have had a prior relationship. Approximately 80% of stalking cases involve women stalked by ex- boyfriends and former husbands.” http://www.privacyrights.org/fs/fs14-stk.htm
One harsh example changed the way government agencies throughout the US deal with personal data, including home address and phone. Until the late 1990s, many Department of Motor Vehicles (DMVs) sold their driver’s license data – including names and address provided as a condition of receiving a license. Robert Bard, a deranged fan of the young actress Rebecca Schaeffer, bought her address from the California DMV, stalked her and killed her. There are many descriptions of this story online. One is at:
http://www.tvtome.com/tvtome/servlet/PersonDetail/personid-8786.
It would be easy to dismiss stalking as a problem outside the Internet and DNS were there not examples of the WHOIS data being used for stalking. Some posted examples include:
1) “Because my information was listed on whois, a man who has been harassing me online for about a year, was able to get my home address, and telephone number and step up his harassment of me.” Network Solutions Domain Name Registrant. Example provided by Brian Cute, NSI, at Tunisia WHOIS Workshop, http://www.icann.org/carthage/whois-workshop-agenda.htm.
2) “Bingo! After being stalked until I moved to a different state I can tell you that privacy is a major factor and that WHOIS should not be the criteria for customers need for accurate information regarding a business. I had a small home business (resume consulting and word processing - no walk in traffic) and had no problems with customers who screened me as well as I screened them. The phone book had only the city listed, as did the display ad, yet whois insisted on my home street address [emphasis added]. I had to put up tall fencing, security doors, bars on the windows and get guard dogs as a result of the stalking that was a direct result of whois. I now use a P.O. Box and have an unlisted number for my family and friends to use. ***** My personal and family privacy is a safety concern as well as the usual concerns. Anyone working from a SOHO has the same concerns. Personal safety and privacy are rights we count on and the expectation of preserving them is written in our US Constitution. I should not have to pay for a service to hide my information from the public. It should be automatically done. As long as the registrar has the information in its files, that is sufficient for those who have a (proven)legitimate need for it. If you don't want to do business with me, that's just fine. I'm not inviting you to my home, so you don't need my address.”
by ldg on Thursday February 05 2004, @09:33PM (#12934)
User #2935
The NCUC does not believe that noncommercial speakers should have to reveal their home address, and expose themselves and their families to dangers such as stalking as a condition of registering domain names and sharing noncommercial expression online.
We note that, with the rise of easy access to reverse directories, the home phone number also provides access to home addresses, and raises the same privacy concerns as an address.
D. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM OVERLY BROAD INTELLECTUAL PROPERTY ALLEGATIONS
Since the mid-1990s, with the rise of World Wide Web technology and greater knowledge of domain name registration, there have been conflicts over domain names, the extent of trademark law, and whether common words should be open to all (as they are in all other forms of speech) or favored for trademark owners.
In the mid-1990s, Intellectual Property Attorneys, especially those with the big firms and representing large clients, found a new tool: the WHOIS data. Never before was it so easy to reach a small noncommercial organization, families, individuals, even children, at their home due to the availability of personal fields in the WHOIS data. This availability has lead to flagrant abuse, with small noncommercial organizations and individuals receiving unsubstantiated and overbroad threats – made all the scarier by the letters being sent to the home.
“As a telecommunications and intellectual property attorney in the mid-1990s, I was amazed to see the horrible letters sent to domain name registrants at their homes. These letters often were (and sometimes still are) outside the bounds of professional conduct. Taking advantage of the big vs. little discrepancy, and sensing the vulnerability of a domain name registrant for a small organization reached at his/her home, these letters threatened ongoing harassment, litigation, triple damages and even jail. Generally, the more threatening the letter, the less substantiated the claims, and some were downright reverse domain name hijacking. But people feel very scared by these letters. Kathryn Kleiman, Esq., Co-Founder of NCUC and Internet Law and Policy Attorney.
Unsubstantiated allegations by intellectual property owners involving domain names are so pervasive they have their own name: reverse domain name hijacking. ICANN defines this as: the “bad faith [to] attempt to deprive a registered domain-name holder of a domain name.” http://www.icann.org/dndr/udrp/uniform-rules.htm, Section 1, Definitions.
Mere allegation of infringement or misuse should not require the disclosure of the domain name registrant’s home address or phone number. No such disclosure is required for the publication of information by noncommercial organizations in any other communications medium, including newspapers, broadcasting or telephones. The NCUC submits that national and local law provide the due process mechanisms for when accusers can contact the accused. Such rules should be followed by ICANN, not circumvented by global WHOIS data element publication.
E. UNWARRANTED THREATS OF JAIL AND HEAVY FINES FROM COMPANIES, GOVERNMENT AND LAW ENFORCEMENT ACTING OUTSIDE OF LEGAL SCOPE AND LEGITIMATE NEED
Noncommercial organizations throughout the world regularly invite the wrath of corporations, governments and law enforcement by criticizing their actions. In some countries, corporate criticism is a daily practice of newspaper editors and broadcasters, but in other parts of the world it is practiced at great cost by those desperate to share information about corporate sweatshops, pollution, or bribery of governments (as a few examples).
Similarly, in some countries, noncommercial organizations are chartered to openly and publicly criticize government officials and law enforcement practices. These organizations openly lobby for civil liberties and due process, and take to court government officials and law enforcement officers who act illegally outside the scope of their office. In other countries, such criticism is not published openly, for fear of arrest, trial and treason. Instead, people will publish anonymously or under pen names, or even leave the country to share their concerns and impassioned pleas for help with the world. Such messages about government abuse can include torture, massacres, jailing of political dissidents, harsh suppression of protests on campuses, unfair laws, and failure of law enforcement to equally and fairly protect all (as a few examples).
To all the open and global publication of a registrant’s name, address and phone as a condition of registering a domain name for human rights, political speech, and civil liberties discussion is a violation of principles worldwide that protect noncommercial and political speech. The United National Declaration of Human Rights, treaties, national and local laws protection such political criticism with high praise and anonymity. It seems unfair and fundamentally immoral to allow unlimited, unaccountable access to the information about human rights organizations, and other noncommercial political groups, based solely on the fact they have registered a domain name.
F. BASIC VIOLATIONS OF PERSONAL PRIVACY
Laws worldwide protect the collection, distribution and publication of personal data and give people a right to expect that their home addresses, phone numbers and email addresses will be protected. The EU Privacy Directive is the model of these laws, and its principles have been adopted by many countries (both members and not members of the EU). Citizens of these countries have the right to know that the protections of their national laws are being followed by registries and registrars in these countries. This is not the situation under the current WHOIS system today.
II. Additional data in WHOIS exposes people to spam, deceptive marketing practices, and more.
WHOIS Data Elements of Concern:
Group B: Additional Data Subject to Abuse and Misuse
Registrant and Administrative Contact E-Mail address
Registrant and Administrative Contact Fax number
Creation Date
Expiration Date
While not raising privacy concerns per se, these elements are subject to misuse, from spam to manipulative and fraudulent service office offerings. We think these fields would be better handled under the system we set forth in the section below.
III. Conclusion of Concerns Section
If Whois data remains fully accessible on a public and anonymous basis, we strongly favor the elimination of all personally identifiable contact data as a required element of Whois except for:
Technical Contact Name
Technical Contact Address
Technical Contact E-Mail address
Technical Contact Phone number
Technical Contact Fax number
Other data elements containing contact information could be continued as voluntary elements; i.e., registrants would have the right to fill them out or leave them blank as desired.
We favor continued mandatory inclusion of the following data elements:
Domain Status
Domain Name ID
Domain Name
Registrar ID*
Name of Registrar
Name Server(s)
Name Server ID*
Our recommendations are intended to return Whois to its original purpose as a technical coordination vehicle. We note that the best way to improve accuracy of the data is to provide privacy and security. Domain name registrants’ incentives to provide accurate information will dramatically increase once they feel the information is secure.
If these data elements are not fully removed from the Whois database, NCUC favors immediate adoption of privacy protections for the WHOIS fields, and the creation of an “opt-out” policy that allows a domain name registrant to fully understand and freely choose whether or not to allow his/her personal data to be published in worldwide directories and available anonymously in any form. These options would apply to all of the data elements we favor removing from the data elements above.
Accordingly, the NCUC calls upon TF2 to recommend solutions for the WHOIS data elements that:
- protect personal privacy
- protect the expression of noncommercial organizations
- protect political speakers
- protect personal and family speakers
- protect hobbyists
- protect academics
