With No Privacy Standards Who Knows Who Is Abusing The Whois Database

Rod Dixon

John Banks is a loan officer in New York. John's supervisor recently warned John about the potential number of bad loans he may be carrying as part of his portfolio. To dump some of the bad loans he might be carrying, John came up with a scheme. He pointed his web browser to www.whois.org and entered terms denoting disease or poor health such as 'cancer' and 'illness'. This query on the Internet's WHOIS database reported results of names and addresses of domain name owners who had developed websites devoted to providing information on certain serious illnesses. John compared these names and addresses with those in his portfolio of loans. For the matches, he canceled the loans and required immediate payment-in-full.

Unmistakably, John's example is an awful potential abuse of personal privacy that arises from unfettered public access to computer databases in Cyberspace. Notwithstanding that John's example is, thankfully, only hypothetical, the circumstances could just as likely ring true given that the Internet Corporation for Assigned Names and Numbers (ICANN) wrapped up its Rio de Janeiro meeting this March by eliminating any remaining optimism that, amidst current reform efforts, the interests of trademark holders would cease to take extraordinary precedence over the privacy interests of Internet users.

Saving privacy matters for another day, ICANN's board responded rather favorably to the concerns of trademark holders, who regard the WHOIS database primarily as a means to track down potential cybersquatters; the board pushed through final adoption of all four recommendations in the "Final Report of the GNSO Council's Whois Task Force on Whois Data Accuracy and Bulk Access to Whois Data." Since ICANN opted to enforce standards governing the accuracy of WHOIS information before addressing the obvious associated privacy issues involving the WHOIS database, the odds are stacked against the likelihood that ICANN will protect the privacy interests of domain name holders.

ICANN's new WHOIS database policies will help trademark holders fight cybersquatters by providing, among other constraints, stricter enforcement of ICANN's policy against the inclusion of "false" or inaccurate information in the WHOIS database, which, in addition to other data, lists the names and addresses of domain name registrants. By adopting stricter controls over the data accuracy of WHOIS (false information listed in WHOIS can be grounds for cancellation of a domain name registration) without setting related privacy safeguards, ICANN has embarked on a decision-making process containing an inherent risk; namely, that a delayed review of privacy will necessarily include reliance on false or improper assumptions about the importance Internet users attach to restricting disclosure of personal information when registering a domain name. Arguments regarding implicit user consent and technological fiat, for example, are often given undue weight in post hoc discussions about privacy.

Still, there is little doubt that ICANN's new enforcement will help ensure the accuracy and integrity of the WHOIS database as well as retard abusive and excessive use of the database by bulk users. But these concerns are related to privacy, not distinct from it. ICANN should have insisted that its task force address database accuracy issues and domain name privacy issues together. Nearly all of the illicit uses of the WHOIS database in some manner intrude upon the privacy interests of domain name holders. For example, many misuse WHOIS routinely to identify the names and addresses of Internet users who are threatened with litigation over implausible allegations; domain name Registrars misuse WHOIS by pilfering customers from each other; spammers use WHOIS to send unsolicited email; and some Internet users have targeted WHOIS improperly as a search engine for Cybersquatting. In each instance, enforcing strict standards regarding the use of WHOIS or the accuracy of its content is an inadequate solution for abuse if there are no similar standards for safeguarding the privacy interests of domain name holders.

ICANN's new President, Dr. Paul Twomey, recently indicated that he may push ICANN in the right direction regarding privacy. Apparently, ICANN may soon recognize that there are privacy issues that have been neglected throughout its 5-year charge to manage Cyberspace. President Twomey established the "President's Standing Committee on Privacy," which may propose guidelines on the handling of personal data when privacy matters are affected by ICANN's policies. Of course, only time will tell whether Internet users should remain hopeful that this ambitious privacy panel will aid ICANN in developing a uniform method to address a full range of privacy issues, including those associated with WHOIS and ENUM.

Although ICANN's mission does not encompass privacy issues generally, ICANN's policies, as noted earlier, often relate to matters within the scope of privacy or having implications for personal privacy. Under Twomey's guidance, the panel is to consider comprehensive approaches to privacy, rather than piecemeal solutions. As such, I will offer a few points for the panel's future consideration.

Since disclosure in the public WHOIS database is tied to domain name registration, a basic concern among Internet users arises from the widespread anxiety about the degree of personal autonomy Internet users may be forced to give up simply because the user owns a domain name. To address these concerns, the backdrop of the panel's considerations of individual Internet users must include the assumption that personal autonomy does not become less important simply because an Internet user engages in electronic commerce or domain name registration. Indeed, what should weigh heavily in the eyes of ICANN are factors that serve to remind the organization that without both symbolic support for privacy and vigilant protection of justifiable expectations of privacy, privacy for domain name registrants would become improbable in Cyberspace; this should be foremost in importance for an organization like ICANN, which, rightfully or wrongly, is viewed by many as the Internet's core source of governance.

Needless to say, not every abuse of privacy norms warrants legal intervention. Some intrusions are so trivial that they will be experienced by most people as mere annoyances or rudeness. The intensity of modern social life inevitably results in frequent minor personal offenses. These breaches of social norms are easily repaired through ritual interchanges (a simple apology is the most obvious example), which are designed to affirm the norm violated and to vindicate the victim's claim to basic forms of respect. ICANN, however, should be concerned with serious violations of personal autonomy that arise as a result of or derive from policies or procedures implemented or controlled by ICANN.

An abuse of a privacy norm that warrants ICANN's intervention may occur when an individual is systematically deprived of privacy through the exercise of power by another — such as ICANN's mandatory registrant data inclusion requirement for WHOIS. One wonders why the public WHOIS database is not limited to disclosing the accompanying numerical IP address of a domain name and the ISP or owner of the IP address block. WHOIS is a commercial database, and those that have the most to gain by its ease of access are intellectual property holders who engage in business.

Not long ago, a U.S. District Court in New York City ordered Verio to stop using customer contact information housed in Register.com's WHOIS database to carry out a telephone and email campaign. As a result of Register.com v. Verio, it is likely that a court might find the use of WHOIS to compile massive lists of new customers and flood them with marketing messages an impermissible use. Notably, Register.com filed suit against Verio after receiving a number of complaints from domain name registrants who had been solicited by Verio by email and postal mail. In this respect, if Register.com had not had an acceptable use policy that restricted permissible uses of its database, domain name registrants may have had no other avenue available to them to vindicate their rights, since ICANN maintains no privacy policy obligating registrars to safeguard WHOIS data from the deployment of robotic searches or other software applications to pull data from WHOIS. In other words, the district court's order should become the Verio-Rule: a privacy-enhancing rule adopted by ICANN that forbids deploying robotic searches or other software applications to pull data from WHOIS.

Finally, ICANN's gTLD Registry operator and Registrar agreements ought to set clear standards for the practice of data collection, storage, and transmission. This should reflect what is commonly known as the Code of Fair Information Practices. There are four widely accepted fair information practices: [1] Notice, which could establish that Registrars are required to provide Internet users clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, and whether they disclose the information collected to other entities; [2] Choice, which could establish that Registrars are required to offer domain name Registrants choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass uses in WHOIS (such as an option to register as an anonymous registrant); [3] Access, which could establish that Registrars and Registries are required to offer Internet users reasonable access to the information collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information; and [4] Security, which could establish that Registrars providing anonymous registration services must take reasonable steps to protect the security of the information they collected from anonymous Registrants.

Since some Registrars have become highly active spammers and others have undoubtedly engaged in sales of registrant information, it is fitting to adopt the Code of Fair Information Practices as part of registry agreements as well as encourage these entities to participate in self-regulatory privacy enforcement initiatives such as online privacy seal programs. These programs require their licensees to implement certain fair information practices and to submit to various types of compliance monitoring in order to display a privacy seal on their Web sites. In this manner, WHOIS services may still provide personal data, if a registrant decided to make that information publicly available, while also promoting fundamental fairness in protecting the privacy interests of domain name holders.

By Rod Dixon, Attorney