Columns

New CIRA Whois Policy Strikes Balance Between Privacy and Access

My weekly technology law column (Toronto Star version, homepage version) focuses this week on the new CIRA whois policy that is scheduled to take effect on June 10, 2008.  The whois issue has attracted little public attention, yet it has been the subject of heated debate within the domain name community for many years.  It revolves around the whois database, a publicly accessible, searchable list of domain name registrant information (as in "who is" the registrant of a particular domain name).
When CIRA was first established, its whois policy permitted detailed disclosures about domain name registrants.  A typical whois entry included the domain name itself, the name of the registrant, and comprehensive contact information including postal address, phone and fax numbers, as well as email addresses. The ready availability of such information proved useful to law enforcement, which often used whois information as part of cybercrime investigations.  Similarly, the pursuit of intellectual property infringement claims, such as domain name cybersquatting cases, relied upon access to whois information to commence legal challenges to domain name registrations.

Notwithstanding these uses, CIRA recognized that its policy of publicly disclosing personal information was generating significant discomfort among many registrants.  Citing privacy and spam concerns, many registrants preferred to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration would have access to the personal information).  Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.

As privacy and data protection commissioners began to express reservations about the legality of requiring domain name registrants to disclosure their personal information, CIRA proposed a new policy in 2004.   After two major public consultations, mounting opposition from law enforcement about its loss to "unfettered" access to WHOIS data, and years of operational delays, CIRA last week began informing registrants that the new policy will take effect on June 10, 2008.

Under the new policy, CIRA will continue to collect the same contact information from registrants as under its current policy.  However, it will no longer require that such information be publicly available through its whois directory. In its place, CIRA will only require the public disclosure of limited technical information, though individual registrants may voluntarily "opt-in" to providing more personal information.

While the CIRA policy protects the privacy of individual registrants, corporate or organizational registrants will typically have their full information publicly disclosed. The policy recognizes that corporate information does not raise specific privacy concerns since corporate information does not constitute personally identifiable information.  Moreover, consumers may often want to access corporate whois information when judging the reliability of a website.  In order to ensure that domain name registrants can still be contacted, CIRA has also established a unique message delivery system.  CIRA will allow the public to contact domain name registrants without access to their personal information by relaying the message through a web-based submission form.

The Canadian changes may be long overdue, however, they also instantly catapult the dot-ca into a global leadership position. With more than a million Canadian domain name registrations, the resolution of the whois issue ensures that the Canadian domain name space is set for continued growth as it now features a "privacy advantage" over other domains struggling to strike a similar compromise.

5 Comments

  1. Who Is
    It is about time they look into this

    Never did like the idea that anyone could find out were i live based on the fact i own a Canadian domain name.

    To me this was a gross violation of my privacy

    Better now then never

    My 2 Watts

  2. Anonymous says:

    AS long as infringers and criminals like kiddie porn merchants can still be traced, this is good thing.

  3. Good Thing?
    People seem to be assuming this is a good thing. I am not so sure. If abuse was widespread and rampant, then I would agree. I have registered many .ca names, and aside from a couple of letters from Domain Registry of Canada, I don’t believe there has been any abuse of my private info.

    Indeed on occasions I have used the registry info to try to purchase a domain, sometimes successfully and sometimes not. On another occasion I helped a friend regain control of their domain when the person who had registered it was hard to find. All of this would have been a lot more difficult under the future rules.

    While the prospect of putting a serious dent into the shady business business practices of outfits like Domain Registry of Canada is very appealing, on balance I don’t like it. Alex A.

  4. Matthew "TofuMatt" Riley says:

    Protecting your info…
    Many registrars have offered privacy services for some time now. Domainsatcost, the registrar I use for my .ca (a most common gTLDs) domains will protect your info on WHOIS, with pretty much a click of the mouse. If you find it obtrusive that your info is out there for the world to see (which is understandable, especially if you say, host a blog critical of some employers practices or something on a domain you own), then protect it. But I’m with what Alex A said: I find WHOIS to be a great/fun little tool, and having to opt-in to the privacy service gimps it much less than the proposed scenario. I’ll be trying to make my info public, at any rate.

  5. Master Domaindi says:

    Welcome to the world of Domaindi.com
    Useful information shared. I am extremely pleased to read this write-up, it is juat a marvelous posting.
    I seriously enjoyed reading it, you’re a great author.I will ensure that I bookmark your blog and will eventually come back at some point. I want to encourage you continue your great work, have a nice morning, afternoon or evening! Thanks again for giving us nice info and concise article.