March 25, 2003

Whois, Privacy, and the GNSO Recommendations on Whois Accuracy and Bulk Access

I see that the whois report is coming up for a vote.

Unless things change substantially, I am likely to find myself voting to reject this report.

The issue of personal privacy is intrinsic to the issues surrounding "whois".  That was quite clear even in the days of the IFWP meetings.

Yet this report seems to have been written in spite of privacy concerns.  (See, for example, the report by EPIC - http://www.epic.org/privacy/whois/)

Below is a copy of what I sent to the group several months ago (with a couple of spelling errors corrected.)  I consider my comments as valid now as they were then.

Absent a justification why "whois" data should be made public at all, I consider the issue of accuracy to be moot.

And I find the principle of adopting what amounts to a partial report to represent a dangerous indication that privacy in whois will never be addressed.

Adoption of this report would be an affront to the users of the internet, and it would be yet another clear indication that ICANN has become simply a mouthpiece for the industries that have captured it.

From karl@CaveBear.com Tue Oct 22 22:58:10 2002
Date: Sun, 20 Oct 2002 14:48:55 -0700 (PDT)
From: Karl Auerbach <karl@CaveBear.com>
To: comments-whois@dnso.org
Subject: Comment on Oct. 14 Interim report

I see nothing in this interim report that answers the primary question why personally identifiable information must be published to the public at all.

In other words, the report fails to answer what I believe must be the first question: Why is "whois" needed, and by whom?

It is my sense that there is little public value in the existence of a publicly available "whois" database.

There are, of course, small groups who find such a database useful and perhaps even valuable - groups such as marketeers (spammers) and trademark people who seek to redress perceived violations of their rights without resorting to the processes that nations have established for that purpose (i.e. the legal system.)

However, the report fails to indicate that the needs of those groups are of sufficient weight to justify what amounts to a wholesale violation of privacy principles that amounts to nothing less than an anti-privacy tax on anyone who wishes to become visible on the internet through the mechanism of acquiring a domain name.

The report fails to consider privacy protection mechanisms such as the following:

  • Requirements that the data subjects (i.e. the people named in whois records) have free and effective means to maintain the data.

  • Requirements that those who examine the records must first identify themselves, offer proof of that identity, and indicate working means of contact, in particular a valid e-mail address.

    • To ensure that the contact of the person making the inquiry is valid, the response to the query should be returned by e-mail rather than being made online.

    • Special arrangements might be established for those in operational roles (such as people in ISP network operating centers) to have pre-arranged access credentials.

  • That the time, date, and identity of every inquiry be recorded and made available to the data subjects.

  • Requirements that the registries and registrars make no use of the information for any purpose except that for which it was gathered, the maintenance of the registrant's domain name (including the issuance of billing and status statements.)

  • Requirements that registries and registrars take concrete steps to ensure that this data is protected by adequate and appropriate security measures.

Posted by karl at March 25, 2003 3:56 PM