Privacy Commissioner on Domain Name Registrant ID Requirements

The Privacy Commissioner of Canada has just released a finding that considers a domain name registrar's requirement of personal identification, such as a driver's license, in order to change the administrative email address for a domain name registration. The Commissioner found that the requirement was reasonable, noting that ID requirements are needed to prevent domain name hijacking.


  1. Crosbie Fitch says:

    However, the domain registrar does not need personal identification, only identification sufficient to authenticate the domain owner. It is up to the person registering the domain as to what identification they provide, as long as it meets this purpose (which may at their option comprise credentials that personally identify them).

    My point is that it is possible to create digital identities that do not identify the person, yet fully and reliably identify the domain owner.

    (Incidentally, I had to use an image editor in order to decipher your captcha – and even then I failed the first time.)

  2. Christopher Mercer says:

    I’d like to know what the Privacy Commissioner says when challenged about how to administer a system where a person’s driver’s license, or other photo ID, needs to be presented. Will domain registrars have to set up brick-and-mortar shops or will we be expected to send our IDs to them? I highly doubt we will be seeing a store front for or

    While I think his idea merits discussion, I think the stark realities will place unnecessary burdens on businesses.

  3. More work needed in this area
    Generally, more work is needed around domain registration. There’s a pretty big problem at the moment with middleman ID providers, in order to protect the real person from potential lawsuits. The typical scam is as follows:

    Pay for the service of a middleman. Use the middleman as your ID when purchasing web hosting. Use your new hosting space for whatever activities you want.

    While there may be legitimate privacy concerns (you don’t want your individual name spread all over the world as being the owner), these sorts of go-betweens are also used for sites that are spreading malware or copyright-infringing software.

  4. Crosbie Fitch says:

    But Chris, no-one commits a crime with a domain name, nor even with a webserver and an IP address.

    Crimes are committed by people who produce illicit material and publish it. There are other crimes of misrepresentation (fraud), privacy violation, and data corruption, but they are likely to be ephemeral crimes committed from cybercafes and hence unlikely to benefit from personal identification of PC owners.

    Being able to locate illicit material at a particular IP address on a certain person’s PC doesn’t necessarily improve the ability to trace the author.

    With blogs and wikis becoming ever more popular, even private individuals are becoming automatic re-publishers of anonymously uploaded works. Soon, every PC on the Internet will simply be a resource node – used by all, with far too much capacity and throughput to be vetted by its owner.

    I think the only crimes we can look forward to detecting are those where the perpetrator personally identifies themselves as the author of their illicit work. Everything else is undesirable content for which technical solutions are probably the only remedy.

    So, I still don’t really see any benefit to requiring Internet participants to personally identify themselves to each other. They certainly need to identify themselves to each other, but is habeas corpus really required?

    You can easily say that criminals can hide behind anonymity, but requiring non-criminals to be personally identifiable still doesn’t help identify criminals.