CIRA Creates Backdoor to Domain Name Information

Appeared in the Toronto Star on June 30, 2008 as CIRA's 'whois' Policy a Stunning Setback for Privacy

Two months ago, I wrote a glowing review of the Canadian Internet Registration Authority's new "whois" policy that was supposed to better protect the privacy of hundreds of thousands of Canadians.  The column argued that the policy, which governs access to personal information of dot-ca domain name registrants, would serve as a model for other domain name registries around the world.

Apparently I spoke too soon.  While dot-ca registrants across the country were being advised of the new policy, special interests representing law enforcement and trademark holders were quietly pressuring CIRA to create a backdoor that will enable these two groups to have special access to registrant information.  Just days before the new policy took effect, CIRA caved to the behind-the-scenes pressure and took a major step backward in the implementation of its policy.

Several years in the making, the new whois policy was to have conformed with national privacy laws by providing individuals with increased privacy protection over public access to their personal information.  CIRA promised to continue to collect the same contact information from registrants but it would no longer require that such information be publicly available through its whois directory. In its place, CIRA would only require the public disclosure of limited technical information, though individual registrants would be able to voluntarily "opt-in" to providing more personal information.

Changes to the policy were driven by privacy and spam concerns, with many registrants preferring to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration retain access to the personal information).  Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.

When the policy launched on June 10th, the personal information was shielded from the general public, yet CIRA unexpectedly instituted the backdoor approaches that grant access to both law enforcement and trademark interests.    

In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (such as denial-of-service attacks) and the agency will hand over registrant information without court oversight.  While it would have been preferable to disclose these exceptions earlier, they appear to be reasonably tailored to specific time-sensitive harms.

In the case of trademark holders (as well as copyright and patent owners), however, claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information. This represents a stunning about-face after years of public consultation on the whois policy.   

The exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access.  

For example, consider a Canadian who registers a dot-ca domain to be used as a whistleblower site about a company.  The registrant may understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions.  Under the new CIRA policy, if they use fake registrant information, they risk losing the domain.  On the other hand, the backdoor exception means that the trademark holder can easily uncover the identity of the registrant since CIRA will simply hand over this information.

CIRA has defended the changes by arguing that the policy will be reviewed in 12 months and that it falls to the government to provide legal protection for whistleblowers. Yet CIRA could just as easily have retained the no-exception policy and reviewed its effect one year later. Moreover, it is CIRA's policies – not government law and policy – that leave online activists stuck between the proverbial "rock and a hard place."

The CIRA whois database is one of the largest publicly-accessible databases of personal information in the country.  The agency's last-minute about-face represents a significant setback for those registrants who were promised better privacy protection.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.  He served on the CIRA board from 2000 – 2006. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

2 Comments

  1. I tend to agree with the CIRA’s policy in this case of including those two exceptions. It is the responsibility of the government to provide protection to whistle blowers.

    CIRA is taking the correct approach with reviewing the policy in 12 months. I think it’s a bit silly to condemn the inclusion of these two well-intentioned exceptions simply because there is a remote possibility for potential abuse. If such abuse does take place, I would believe the CIRA would make changes to their policy to prevent it in the future.

  2. Horrible Policy
    CIRA’s hidden whois is a horrible overreaction to imaginary problems, and ONLY benefits deliberate squatters and lawyers. There is (was) a negligible amount of spam from CIRA’s previous whois (CIRA could have used a graphically generated email to eliminate bots), and people could always shelter their phone by using the Alternate Phone field. People could use their business address, or use, FOR FREE, the privacy service of namespro.ca and domainsatcost.ca (the 2nd and 3rd least expensive registrars), which only left the registrant’s name disclosed. Only a lawyer would think it reasonable that a trade-mark owner can’t conceal his identity, but that another party abusing that trade-mark, or otherwise slagging it on a website, can conceal his identity. The trade-mark owner then has no choice but to hire a lawyer, at a minimum of $10,000, instead of being able to try to mitigate things himself.