Columns Archive

Dot-ca privacy plan a Canadian compromise

While the Internet has transformed many aspects of daily life, among the most important is near-instant access to an unparalleled electronic library.

In addition to news, banking, and health information, most Internet users have discovered a surprisingly rich level of detail about themselves.

“Googling” yourself often yields old Internet postings, inclusion in community newsletters, as well as other connections and activities long forgotten.

The availability of detailed personal information has its advantages, but it also poses significant risks since such information can be used to develop detailed consumer profiles, to initiate unwanted com- munication, or to be harvested by spammers.

The access and disclosure policies associated with many sources of publicly available information date back at least ten years, when privacy legislation was scarcely on the radar screen.

As organizations become increasingly aware of the implications of their data policies, many are contemplating amendments that provide users with greater control over their personal information.

The Canadian Internet Registration Authority (CIRA), the agency that manages Canada’s dot-ca domain, is in the midst of a re-evaluation of its policy on public access to domain-name registration information (in the interests of full disclosure, it should be noted that I am a member of the CIRA board). The policy, commonly referred to as a “whois” policy (as in “who is” the registrant of a particular domain name), raises complex issues involving privacy protection, law enforcement needs, intellectual property rights enforcement, and the smooth functioning of the domain name system.

When CIRA was first established, its whois policy permitted detailed disclosures about domain name registrants.

Much like most other domain name registries around the world, a typical whois entry included the domain name itself, the name of the registrant, and comprehensive contact information including postal address, phone and fax numbers, as well as e-mail addresses.

The ready availability of such information proved useful to law enforcement, which often used whois information as part of Internet fraud or other cybercrime investigations.

Similarly, the pursuit of intellectual property infringement claims, such as domain name cybersquatting cases, relied upon access to whois information to commence legal challenges to domain name registrations.

Notwithstanding these uses, CIRA recognized that its policy of publicly disclosing personal information was generating significant discomfort among many registrants.

Citing privacy and spam concerns, many registrants would prefer to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration would have access to the personal information).

Moreover, registrants of controversial domain names, such as domains used for Web sites devoted to public criticism or political advocacy, often prefer to shield their personal information for fear of public censure.

Following months of consultations, CIRA recently released its proposed revised whois policy.

Under the new policy, which is open for public comment until Jan. 12, 2005, CIRA will continue to collect the same contact information from registrants as under its current policy.

However, it will no longer require that such information be publicly available through its whois directory.

In its place, CIRA will only require the public disclosure of limited technical information. Notwithstanding the minimal disclosure, individual registrants may voluntarily “opt-in” to include their personal information in the publicly available whois directory.

While the CIRA policy protects the privacy of individual registrants, corporate or organizational registrants will typically have their full information publicly disclosed (though an organization can request that its information be removed from the public whois directory and CIRA has committed to review each request).

The policy recognizes that corporate information does not raise specific privacy concerns since corporate information does not constitute personally identifiable information. Moreover, consumers may often want to access corporate whois information when judging the reliability of a Web site.

Although the new policy limits public access to whois information, CIRA may still disclose personal information in several circumstances.

These include instances where a court orders CIRA to do so, or when the domain name is subject to a claim under the dot-ca dispute resolution policy, which seeks to resolve intellectual property rights holders’ claims of bad faith domain name registration.

CIRA has also sought to establish strict limits on the use of whois information.

For example, the policy will prohibit harvesting electronic whois information for the purposes of sending spam, performing market research, or engaging in other solicitation activities.

Once implemented, the CIRA policy will provide dot-ca registrants with greater privacy protection than that enjoyed by dot-com domain registrants.

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization responsible for administering the global domain name system, has struggled with its whois policy process. Although ICANN has issued several reports on the issue, no new policies have emerged.

Given its impact on personal privacy, the new CIRA whois policy deserves close scrutiny and comment.

If adopted, it will likely attract global attention as a model for balancing privacy, commercial, free speech, and law enforcement interests.

Comments are closed.