Privacy Matters: Is It Time To Abolish The WHOIS Database?

Rod Dixon

Recently, I entered my domain name in a "WHOIS" database query to test the results of the database by using WHOIS on a number of domain name registrar websites. WHOIS is a database service that allows Internet users to look up a number of matters associated with domain names, including the full name of the owner of a domain name, the name of the domain name hosting service, the Internet Protocol or I.P. number(s) corresponding to the domain name, as well as personally identifying information on those who have registered domain names. I was astonished to find different results from WHOIS depending upon which ICANN-approved (the Internet Corporation for Assigned Names and Numbers uses the acronym ICANN) Registrar I used. I was shocked by the results because I had assumed that ICANN's registrars access the same shared registry system database of WHOIS, and disclose the same results. Not so, I discovered. In fact, the indifferent manner of how WHOIS is currently administered has led me to conclude that WHOIS is not a well-managed resource, and should either be abolished or substantially modified to serve the limited technical purposes of domain name query, administrative contact data, and domain name server IP number coordination.

ICANN maintains indirect responsibility for the content and access to WHOIS (VeriSign maintains direct technical accountability for WHOIS), and its Domain Name Supporting Organization (DNSO) is overseeing a task force that recently issued an Interim Report on that included recommendations regarding whether ICANN should seek to modify its WHOIS policy. Of course, ICANN's policy needs modification, and the Task Force's interim recommendations indicate that, but the recommendations do not go far enough. Generally, the task force seems to have assumed that the existence of WHOIS represents good policy. Hence, the task force recommendations begin with the dubious premise that WHOIS ought to be made better by being made stronger.

A better WHOIS is a weaker WHOIS. By weaker, I do not mean less secure. Instead, I mean less capable of disclosing personal information, less data collection, and less access. There is no need to strengthen penalties for providing inaccurate personal information, if the information is neither requested, nor disclosed in the first place. A registrar may need to collect personal information to process payment for registration services, but this does not mean that the customer's data should be disclosed to the public. I cannot imagine, for example, a website like amazon.com providing public access to a database of the names and addresses of its online book buyers merely because the information had been collected. The notion that transactions in domain names ought to be treated differently, in this respect, seems to be a misguided attempt to take the notion of "public resource" far beyond the context for which it was intended.

I noticed that the public policy argument was twisted slightly differently during hearings held by the United States Congress on WHOIS last year; namely, the privacy interests of domain name holders were explicitly relegated to a backwater status by those advocating a lofty role for WHOIS in protecting the super-abounding interests of trademark holders. Regardless of the lofty heights some seek to elevate for WHOIS, there is no legitimate reason that the WHOIS database ought to contain, much less disclose, personally identifying information on domain name holders. No principle I know of would support framing the debate over what information in WHOIS should be disclosed and to whom it should be disclosed as a question of line-drawing between privacy interests and the interests of law enforcement and Intellectual Property holders. Privacy matters are often concerned with balancing diverging interests, but that form of balancing is inappropriate with WHOIS.

Nearly every ICANN-approved Registrar maintains free website access to the WHOIS database associated with the most popular Top-level Domains (gTLDs). Although the Task Force echoed concerns over the privacy interests for the data contained in the WHOIS database, the Interim Report identifies as its primary concern the accuracy and integrity of the data currently maintained. This is a marginal benefit to domain name holders since the personally identifying data of domain name holders would be far more secure if it were not in the database at all.

Some have argued that personally identifying information should not be removed from WHOIS because the data serves an essential role in enabling law enforcement to investigate Internet crime, and in aiding Intellectual Property holders to locate those committing piracy. Of course, these arguments miss the point entirely. The question is not whether another interest may be served by ignoring the privacy interests of domain name holders; if that were so, privacy rights would never withstand the scrutiny of a countervailing interest. Instead, the question is whether privacy matters and, if so, how may the privacy interest of domain name holders be protected while providing due regard for the substantial interests of others?

Although many registrars have adopted a practice of not disclosing personal information in response to simple domain name queries, this privacy-enhancing practice is neither widespread, nor mandated by ICANN. ICANN, it seems, actually requires registrars to expose personal information about registrants as part of a perceived need to provide public access to personal domain name registration information to safeguard the interests of Intellectual Property holders. Yet, to date, ICANN has done nothing when faced with increasing evidence that public access WHOIS is often abused, and the privacy interests of those for whom the database exists are violated. Currently, WHOIS guarantees that unsolicited messages will reach domain name registrants by e-mail, postal mail, fax and telephone. Given the wide-ranging reach of WHOIS-generated SPAM, it is ironic that so much of the Task Force's Interim Report concerns the accuracy of domain name holder data. One wonders whether this might be due to too much influence from SPAMMERS within ICANN.

Of course, many different entities abuse the WHOIS database. In part, WHOIS is abused because public access to the database has been so straightforward that many assume that the database actually is a type of Internet-based telephone directory or address book. Lawyers use it routinely to determine who to threaten to sue in a domain name dispute or hijacking; domain name Registrars misuse WHOIS by pilfering customers from each other; spammers use WHOIS to send unsolicited e-mail; and some Internet users have targeted WHOIS as a search engine for cybersquatting. Nearly all of the illicit uses of WHOIS violate the privacy interests of domain name holders, yet few have argued for a substantial change in the manner in which the WHOIS database is maintained.

Few have argued, as I am, that the database should be abolished or its public services considerably reduced. The Electronic Privacy Information Center (EPIC) has similarly urged re-thinking with regard to the presumption that personal data ought to be collected and disclosed through WHOIS. EPIC argues that "in order to take full advantage of the Internet's unprecedented potential for encouraging the dissemination of speech" ICANN ought to consider modifying its WHOIS policy by requiring registrars to provide "anonymous registration of domain names as the default" condition for registering domain names. In this manner, WHOIS services may still provide personal data, if a registrant decided to make that information publicly available, while also promoting freedom of anonymous speech.

So far, most WHOIS reformers assume, without argument, that WHOIS serves important public policy purposes that are not likely to be achieved by alternative means. In this respect, these reformers urge that WHOIS be made stronger: its data more secure and its content more reliable. Even assuming that WHOIS serves more than a voyeur's purpose, there is no reason that would sustain the straightforward manner in which the database discloses personally identifying information.

Prospective domain name registrants need only determine whether a given domain name is available; trademark owners and agents of law enforcement should have access to registrars, ISPs, and web hosting services to obtain the information they need; and public curiosity over domain name ownership should rarely be satisfied through private contracts forcing involuntary disclosure. The point is not that these other interests are unimportant (some certainly are important), but the argument has not been made that the public policy interests of WHOIS ought to be exalted by subverting the privacy interests of domain name holders. As noted, there are alternatives to the current WHOIS.

Nor am I convinced that a third-party intermediary should be used by those registrants concerned about privacy. The argument is cynically based upon an assumption that an insignificant number of domain name registrants care about privacy and, hence, the use of third-party intermediaries for domain name registration would not, itself, suffocate the useful life of WHOIS. The third-party intermediary option is, perhaps, a well-designed opt-out construct, and although the ability to opt out of a privacy-invading system is likely to be better than having no alternative, it is now common sense that opt-out choices are rarely exercised, even when they are simple and free (unlike the third-party intermediary), and provide very little useful data regarding whether an individual would prefer a more privacy-enhancing alternative. Consequently, WHOIS does not currently adequately safeguard the privacy interests of domain name holders.

Responses to the Interim Report of the Names Council's WHOIS Task Force are due November 8, 2002; those affected by ICANN's WHOIS policy include the DNSO Constituencies, the General Assembly, and the Internet community at large. Consequently, any actual or potential domain name holder ought to weigh in on the Task Force's recommendations. The Interim Report primarily addresses four key areas: [1] the accuracy of the data contained in the WHOIS database, [2] the uniformity of formats and elements across various TLDs and registrars, [3] improvements in the database's searchability, and [4] increased privacy and security protection of the contents of the database when used for marketing.

By Rod Dixon, Attorney

Re: Privacy Matters: Is It Time To Abolish The WHOIS Database? Alfonso  –  Jul 15, 2004 4:59 AM PDT

I totally agree that WHOIS should be abolished in its present form simply based on the fact that it is an abuse of basic privacy rights. The WHOIS content should be composed of voluntary submissions. Those who have specifically agreed to be included in the database should be the ones included.

One would expect that at least the USA government would have intervened in this matter on a national level by now. After all, it does profess to be the champion of human rights and even claims to fight wars to assure those human rights for non-Americans. So why the apparent blindness in relation to this particular obvious disregard for the privacy rights of its citizens by WHOIS?

Is it lack of motivation?
If so--why?
Why would a government that boasts that it is the champion of human rights not take notice and feel responsibility to take action to right this WHOIS obscenity?

Perhaps the answer lies in human nature itself-if there is such a thing. The human tendency to wait until a house collapses before making one with a better foundation?

Ironically, and I truly hope it never has to be this way, what motivates government intervention very often and very effectively seems to be that very thing--disasters.

During California's last seismic activity a bridge or overpass in an overpass collapsed
causing the death of motorists trapped beneath and injury of those upon it.

After which the government immediately swung into action promising to take effective preventative measures to insure that such a thing not happen again.

Is this what we need in this case?
Some horrible thing to happen?
Perhaps someone getting crippled, or murdered due to some maniac using this WHOIS service to gain the info he needs to reach his intended victim?

But question is Why?
Why must regulatory agencies wait for such tragedies to occur before attending to things which obviously will inevitably lead to such a tragedy? After all, our familiarity with the criminality inherent in our society indicates that it is only a matter of time until such a thing happens.

Is the reluctance to bring all forces to bear based on insufficiency of funds?
We do send billions to Iraq and nary blink an eyelash.

So that can't be it.
What is it then that allows promotes this complacency in reference to citizen rights? a violation which will lead inexorably to only one horrible demonstration that private information dispensed to everyone in blatant disregard for a person's wishes is morally wrong!
