April 1, 2005

NTIA, .us, Whois, and the Privacy Act of 1974

An agency of the US Department of Commerce, the NTIA, has decreed that domain name registration information ("whois") for the .us top level domain must be made available to all comers, for any reason, at any time.

The Privacy Act of 1974 defines the obligations and duties of Federal agencies that control databases containing personally identifiable information.  That act may be found at 5 USC 552a (be careful about that trailing 'a' else you end up with a related, but entirely different chunk of law, the Freedom of Information Act.)

The act covers systems of records - which section (a)(5) of the act defines as:

a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual

For purposes of the .us whois database perhaps the most important words in the above definition are "under the control".

Back in 1997 I raised the issue whether the National Science Foundation was under Privacy Act obligations with respect to the whois of that era.  After much hemming and hawing (and a failure to meet statutory deadlines) the NSF excused itself by claiming that the whois database of that pre-ICANN era was the property of Network Solutions and was not under the control of the National Science Foundation.  (The NSF letter is an excellent example of bureaucratic gobbledygook and sleight-of-hand - it tried to use Freedom of Information Act law - a completely distinct law - to claim that it had nothing to do with "whois".)

Well, times have changed and now we have NTIA, the Federal agency that has stepped into NSF's role with respect to the internet.

And NTIA has exercised considerable control over the .us top level domain and over the policies under which it operates.  Most importantly, NTIA has mandated not only that "whois" information be collected but has also dictated the information privacy rules under which the .us whois operates.

It seems to me that NTIA is exercising sufficient control over the .us top level domain and over the associated registration records ("whois") to trigger Privacy Act obligations on NTIA and Privacy Act rights in individuals who may or may not be named in that database.  Even if we were to use the agency-excusing standards that NSF used in its letter to me in 1997, it is hard to see that NTIA can escape being subject to the act.

It would be an interesting exercise to make a request (similar to the one I made in 1997 to NSF) to NTIA and see how the agency reacts.  A current-day request would need to indicate the factual situation so that NTIA would not be able to easily wiggle away from the fact that it does, in fact, control the whois database affiliated with the .us top level domain.

By the way, there's a petition protesting NTIA's policy over the .us TLD.

Posted by karl at April 1, 2005 12:46 AM