During the WHOIS review process, the forces of privacy protection and individual rights have made substantial headway, due to a combination of pressure from the
registrars (especially European ones), European data protection officials, the Noncommercial Users Constituency,
and the ALAC. But there are strong vested interests at work. |
By permitting (and even requiring) Whois data to be available to intellectual property monitoring firms for several years, ICANN has fostered the creation of
commercial information services based on unlimited access to whois data. It has created an entire generation of IPR lawyers who believe that they have a
God-given right to rummage through all domain name holders' contact data at any time, for any reason.
These vested interests
talk a lot about "law enforcement," but legitimate law enforcement needs can easily be reconciled with privacy rights through due
process. What is really at stake for them is money. Companies like Thomson and Thomson and
Mark Monitor have built businesses around your domain name registration data. They won't give it up without a
fight, and ICANN's industry self-regulation ethic frequently elevates such commercial considerations over individual rights.
ICANN's Whois review process has converged around the concept of "tiered access."
Tiered access means that some of the Whois data -that considered to be nonsensitive - will
be accessible to anyone and everyone as it is now (call it "Tier 1). But the more sensitive data, such as
registrant telephone number, email and postal address, and possibly even registrant
name, would be shielded from public anonymous access (Tier 2). To get it, a Whois data user would have to jump
through a hoop or two. What kind of a hoop? That is the question.
Registrars, NCUC and ALAC have fought to make those requesting access to Tier 2 data certify who
they are, and specify a legitimate purpose for their use of the data. More importantly, they want these
requests to be made individually for each domain name that is being requested. The mere fact that .025% of
all domain name registrants are suspected of infringing trademarks should not give a law firm untrammeled
access to the contact information of the other 99.975% of the registrants. Both the identification
requirement and the specification of purpose could be automated, they argue; the former through digital
certificates and the latter by means of a multiple choice list that would easily be translated into all the world's languages.
The business/surveillance interests, on the other hand, propose the concept of a "white list" of whois data
users. The "White List" is intended to give certain approved
users the right to access sensitive data via port 43 (or other means).
Organizations would apply for approval and once they were placed on
the White list they could search, store and download sensitive whois data,
without any further restriction.
The White List concept, if implemented as the business interests want, is a
disaster for the following reasons.
1. The concept is impractical.
Creating such a list would add a huge operational burden to ICANN.
There are hundreds of millions of Internet users and they come from
every geographic region and language group, and involve data use purposes
ranging from academic research to IP enforcement. ICANN would in effect be
setting up a global certification process that had to be able to respond to
all this diversity. If ICANN did this task conscientiously, the administrative
burden would be huge. Not only would it have to investigate the legitimacy
of each applicant, it should in principle also be able to constantly monitor the
behavior of approved entities to make sure that they were not abusing their
privileges. It would have to be willing to withdraw the privilege, and handle
disputes and appeals relating to that.
If ICANN did not do this task conscientiously, if it simply added entities
pro forma to the list whenever they applied, then there is no reason to
create the list at all. Anyone and everyone could get the status, which is
no different than opening up all Whois information to everyone.
2. The concept is discriminatory
The right to access Whois data must be balanced against the privacy
rights of the domain name registrants. Once the proper balance is
struck, all Internet users should have the same rights to access Whois data
under the same terms and conditions. Intellectual property interests
have no greater claim on that information than anyone else. The White
List is designed to create a two-class world of the
spied-upon users, who have no rights, and privileged, surveillance-
authorized users, who are permitted to spy on registrants.
3. The concept violates international privacy norms
A White List would give any approved user the equivalent of bulk
access to whois zone files. According to George Papapavlou of the European
Union, under data protection law bulk access is a "disproportionate, privacy
infringing step, unless a very convincing, specific case can be made which has
to be followed by due process. This applies not only to marketing but to any
purpose." In other words, no one has the right to fish through sensitive
personal data just to see if they can find anything of interest. But a White
List would grant this right to anyone who applied.
4. The White List concept is unnecessary
Under the proposals supported by registrars, NCUC, and ALAC,
the concept of a known user with a known purpose making a request
for each individual domain name she wants to investigate can give legitimate
users and purposes access to the information they need without
creating a centralized administrative entity and without violating
Keep an eye on the Whois reform process for the next three weeks. A public comment period will follow on the release of the Task Force reports.