Two months ago, I wrote a glowing review of the Canadian Internet Registration Authority's new "whois" policy that was supposed to better protect the privacy of hundreds of thousands of Canadians. The column argued that the policy, which governs access to personal information of dot-ca domain name registrants, would serve as a model for other domain name registries around the world.
Apparently I spoke too soon. While dot-ca registrants across the country were being advised of the new policy, special interests representing law enforcement and trademark holders were quietly pressuring CIRA to create a backdoor that will enable these two groups to have special access to registrant information. Just days before the new policy took effect, CIRA caved to the behind-the-scenes pressure and took a major step backward in the implementation of its policy.
Several years in the making, the new whois policy was to have conformed with national privacy laws by providing individuals with increased privacy protection over public access to their personal information. CIRA promised to continue to collect the same contact information from registrants but it would no longer require that such information be publicly available through its whois directory. In its place, CIRA would only require the public disclosure of limited technical information, though individual registrants would be able to voluntarily "opt-in" to providing more personal information.
Changes to the policy were driven by privacy and spam concerns, with many registrants preferring to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration retain access to the personal information). Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.
When the policy launched on June 10th, the personal information was shielded from the general public, yet CIRA unexpectedly instituted the backdoor approaches that grant access to both law enforcement and trademark interests.
In the case of law enforcement, police can bring cases to CIRA involving immediate risk to children or the Internet (such as denial-of-service attacks) and the agency will hand over registrant information without court oversight. While it would have been preferable to disclose these exceptions earlier, they appear to be reasonably tailored to specific time-sensitive harms.
In the case of trademark holders (as well as copyright and patent owners), however, claims that a domain name infringes their rights will be enough to allow CIRA to again disclose registrant information. This represents a stunning about-face after years of public consultation on the whois policy.
The exception for trademark, copyright, and patent interests undermines a crucial part of the whois policy, namely compliance with Canadian privacy law (the policy now arguably violates the law) and the appropriate balance between privacy and access.
For example, consider a Canadian that registers a dot-ca domain to be used as a whistleblower site about a company. The registrant may understandably wish to remain anonymous to the general public since disclosure of their personal information could lead to negative repercussions. Under the new CIRA policy, if they use fake registrant information, they risk losing the domain. On the other hand, the backdoor exception means that the trademark holder can easily uncover the identity of the registrant since CIRA will simply hand over this information.
CIRA has defended the changes by arguing that the policy will be reviewed in 12 months and that it falls to the government to provide legal protection for whistleblowers. Yet CIRA could just have easily retained the no-exception policy and reviewed its effect one year later. Moreover, it is CIRA's policies – not government law and policy – that leaves online activists stuck between the proverbial "rock and a hard place."
The CIRA whois database is one of the largest publicly-accessible databases of personal information in the country. The agency's last minute about-face represents a significant setback for those registrants who were promised better privacy protection.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He served on the CIRA board from 2000 – 2006. He can reached at email@example.com or online at www.michaelgeist.ca.