CIRA Creates Backdoor WHOIS Exceptions for Police and IP Owners

Earlier this year, I wrote glowingly about the new CIRA whois policy, which took effect today and which I described as striking the right balance between access and privacy.  The policy was to have provided new privacy protection to individual registrants – hundreds of thousands of Canadians – by removing the public disclosure of their personal contact information (though the information is collected and stored by domain name registrars). 

Apparently I spoke too soon.  Faced with the prospect of a privacy balance, special interests representing law enforcement and trademark holders quietly pressured CIRA to create a backdoor that will enable these two groups (and these two groups alone) to have special access to registrant information.  In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (ie. denial-of-service attacks) and CIRA will hand over registrant information without court oversight.  In the case of trademark holders (as well as copyright and patent owners), claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information.

This represents a stunning about-face after years of public consultation on the whois policy.   While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access.  For example, consider a Canadian that registers (name your company) as a whistleblower site about a particular company.  They understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions.  Under the new CIRA policy, if they use fake registrant information, they risk losing the domain.  On the other hand, the backdoor exception means that the trademark holder can easily smoke out the identity of the registrant as CIRA will simply hand over this information.

Just over six weeks ago, CIRA celebrated its one millionth domain name registration and claimed world class status.  Today, the organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members.


  1. Anonymous says:


  2. Not just police?
    Woah, so if I claim that is using one of my photo or stole my icons or something, I can magically get access to all your whois information?

  3. Fine, the police and trademark owners should have these rights; when granted by a judge in a similar manner as to obtain a search warrant!

  4. Is there any
    Is there any recourse for people whose information has been trolled by the alleged “trademark holder” when it turns out that they are just looking for direct marketing information?

    I have no particular problem with what the police were granted, however a warrant would be better. I can’t see most police abusing this. “Trademark holders”, on the other hand…

  5. Re: Not just police?
    Rajio, no, that can’t happen. In the case of a photo or icons, copyright would apply, not trademarks. Copyright is what protects creative works, whereas trademarks are used to protect brand names and other types of commerce and trade labels. So, if Chrysler for some reason felt that was using the name of Chrysler to benefit themselves for any reason without the express written consent of Daimler-Chrysler Inc. Ltd. LLC ETC., then they could get access to all of the whois information, no questions asked.

    Its still a miserable policy that needs to change right away. I’ll be sending my MP and the privacy minister a letter to be sure.

  6. That probably means I’ll be getting contacted shortly about my domain.

    My quick impression is that all of this information could be got using a standard Pharmacol order.

  8. R. Bassett Jr says:

    I’ll write a letter regarding this issue this week. This is not what I voted for in the CIRA elections.
    – CIRA memeber.

  9. Just as I thought
    Sorry, but I told you so. This new policy will only serve the criminal element as well as unlawful search and seizure.

  10. Anonymous says:

    Something of a contradiction (i.e. hypocrisy) here! We get endless sermons from the Professor on the importance of transparency. And just last week there was the nonsense about Minister Prentice’s Wikipedia entry being altered by people whose IP addresses were traced to Industry Canada. So why the hysteria about a WHOIS change that really doesn’t amount to much?

  11. Just looking at the rules…
    that CIRA has in place for a disclosure… there is specific supporting documentation required in order to get hold of the information (name, address and email only, not the full info) through this exemption.

    Unfortunately, none of the information is related to a complaint filed with a judicial body… they need only claim infringement and be able to provide proof that they are the rights holder (via notarized copies of registration documents). But at least this would keep companies like Yahoo or other search engines from finding out who the owner is to solicit them for buying sponsored links.

  12. David Hicks says:

    New CIRA Privacy Policy Clarification
    The new privacy policy and WHOIS look-up tool governing dot-ca domain name registrations took effect June 10. For the first time, the privacy of individual dot-ca Registrants has been secured, providing an added measure of protection against identity theft, hacking, phishing, and pharming. As of this writing, over 600,000 of the one million plus dot-ca domain names now enjoy the best privacy protection in the world for domain name Registrants.

    The new policy is a direct reflection of the input received during extensive, open, transparent public consultations with many stakeholder groups spanning more than two years. Details are readily accessible on the CIRA website, at The resulting policy puts the online privacy rights of Canadians ahead of any and all special interests by severely restricting access to individual Registrant’s contact information.

    The policy does allow for limited circumstances where limited Registrant contact information may be disclosed to a third party. These conditions for disclosure are tightly controlled, well-documented, and can only be requested if specific criteria are met. The policy and procedures are publicly available at a far cry from allegations of ‘backdoor’ access to ‘special interests.’

    The limited disclosure procedures may only be invoked under specific circumstances: child endangerment, threats to the integrity or stability of the Internet (e.g. denial of service attacks), good-faith intellectual property or registered business name disputes, or identity theft. The processes feature significant safeguards against abuse including requirements for supporting documentation (e.g. a notarized copy of a valid trademark or patent registration), certified statements, prior use of CIRA’s Interested Party Contact mechanism, and built-in waiting periods.

    If Registrant information is disclosed, only the domain Registrant name and name, address, and email address of the Administrative and Technical Contacts are disclosed. Furthermore, if Registrant information is disclosed, the policy insists on timely notification of the disclosure to the Registrant. These protections are key features of Canada’s new dot-ca privacy policy and guarantee the process strikes the right balance between privacy and legitimate access.

    Mr. Geist’s desire for stronger whistleblower protection would be better targeted towards Parliament and other legislative bodies. Attempts to link whistleblower legislation to the new dot-ca privacy policy is misdirected and undermines the legitimate, reasonable, and restricted access to information that this world-leading policy provides.

    The privacy policy was developed through a multi-stakeholder consultative process and CIRA has continued this approach through active discussions with stakeholder groups during its implementation. Now that the policy has launched, CIRA will continue this dialogue through a commitment to conduct further public consultation within the next 12 months. In the meantime, all Canadians can be proud that their space on the Internet is more secure than ever.

    David Hicks
    Director of Marketing and Communications
    Canadian Internet Registration Authority (CIRA)

  13. Sebastian says:

    RE: New CIRA Privacy Policy Clarificatio
    In response to “the policy insists on timely notification of the disclosure to the Registrant”:

    Is it possible that in some cases the information would be disclosed without timely notification of the disclosure? To be more specific, could a court order you to release information without notifying the registrant?

  14. Marketing and Communications Spin
    That all sounds very pretty, Mr. Hicks, but what objection do you and the rest of the board have to requiring complainants to go through proper channels and get a court order to view personal information?
    How does requiring a judicial examination of the issue before violating a member’s privacy cause harm to any person or to CIRA?

  15. a registrar says:

    registrars have access
    Uhm, no one here has mentioned that .CA registrars have access to the raw/complete whois info. Given that it’s $2050 to setup a registrar, and a bright kid could copy the whole .CA whois database in a couple days…? (It might take longer than that to figure out HOW to do it, implement it and debug it, but still, that’s not much of a barrier to entry … (I don’t know what protection the privacy laws provide… and t seems to me the offender would need to be caught…?)

    … everything is a balance… the current system is better than the old system… It just might not be worth of “glowing praise” …

  16. .ca privacy still unsecure
    The only thing this policy really protects is your spam/junk box.

    Weak policy. Your information is still not private from those that really want it.

    This is the just an illusion of privacy that will dupe a lot of canadians.

    When no proper warrant or court order is needed or any entity can just cry infringement to get your personal information then that’s not really privacy protection.

    As posted above, the complete .ca whois database is still accessible through any .ca registrar as well.

    Besides that, no policay can block the previous whois lookups for many of the 600000 covered domains that have already been cached.

    There’s even programming freelance contracts up for bid to make accessible .ca whois lookups of their own as I write this post. Either from the .ca whois database or cached results.

    Simply put, the policy is weak, the privacy of Canadian individuals is still unprotected and for every .ca you register you are putting your personal info at a greater risk.

    Why it took 2 WHOLE YEARS to come up with such a policy is incomprehensible. How the heck did that take 2yrs?! They should be ashamed to call themselves Canadian because this was a failed opportunity to give canadians back some solid rights to privacy.