The working group at Internet Corporation for Assignment of Names and Number (ICANN) that has been tasked with designing a new domain registration database can’t seem to wrap its head around why privacy matters when it comes to domain registration services. ICANN’s Expert Working Group on gTLD Registration Directory Services (EWG) issued a Preliminary Issue Report on Next-Generation gTLD Registration Directory Services to Replace WHOIS in July, and EFF has submitted comments. Our bottom line is this:
ICANN must make user privacy a central tenet of any new registration data system. To achieve that goal, any new system should collect the minimum amount of data required for legitimate purposes, and make such data available only as needed to fulfill such purposes.
The WHOIS system is used for querying databases of information about Internet domain names—including the name and address of a domain name's owner. When it was first designed in the early 1980s, there were no limits placed on who could make queries, for what purpose, or what they could do with the information. The design of the system hasn’t changed much since, and it creates an easy way to target domain name owners for shakedowns or other abuses. The need to redesign the system to include robust privacy protections has became obvious.
Although this report is still in its preliminary stages, we think it’s important to let ICANN and the EWG know what we think now, because the existing WHOIS system itself is fundamentally flawed, and it's important that its replacement doesn't repeat the same mistakes. Earlier in the year, in another ICANN working group, some entertainment industry, law enforcement, and major brand interests went so far as proposing a complete ban on privacy services for websites that are used for a “commercial purpose.” Commercial services in the proposal were broadly defined to include any sites that “handl[e] online financial transactions for commercial purpose.”
EFF joined dozens of organizations and individuals to oppose that proposal. We’re hoping that weighing in at this early stage will prevent a flawed proposal for a replacement registration data system for gTLDs from moving forward as well.
Specifically, we looked at five questions derived from the report, and answered them with privacy—and practicality—in mind. Here’s the tl;dr:
1. Should gTLD registration data continue to be accessible for any purpose, or should data be accessible only for specific purposes?
[P]ersonal data should only be processed for specific, explicit, and legitimate purposes….registration data that is personal data should be collected and used for specific purposes only.
ICANN also needs to take a critical look at what those purposes are, since, as a rich seam of data, “registration data has accumulated more and more [use] justifications over time” from various parties—including using the data for copyright and trademark enforcement without the safeguards of court supervision.
2. Should gTLD registration data continue to be entirely public, or should access to some data be limited to a subset of all users?
The answer to this question is quite simple: “gTLD registration data should not continue to be entirely public.”
3. Is gTLD registration data sufficiently complete and accurate, or further steps should be taken to overcome barriers to accuracy?
We think one of the main barriers to accuracy is privacy. Many people put false information in the WHOIS database in order to protect their privacy. This should be addressed first, because “[a]ny accuracy problems remaining in a system designed with privacy in mind will be narrower and more easily addressed.”
4. Are existing registration data elements sufficient for each stated purpose, or is a new purpose-driven policy framework needed to guide the collection, storage, and disclosure of data elements?
The legitimate purposes for accessing registration data require no new registration data elements. We agree that the data accessible to each class of requesting user should be determined by the legitimate purposes of the use.
5. Is a new policy framework needed to meet gTLD registration data requirements for each purpose in a manner that enables compliance with applicable data protection, privacy, and free speech laws and addresses the overall privacy needs of registrants?
“Absolutely, yes...ICANN should base its new policy framework on the core concept of no disclosure of personal information without opt-in consent” for each purpose registrant data might be used for.
We look forward to seeing the final report on registration services, and delivering our further comments in person during the next ICANN meeting in October. In the meantime, if you want to help ICANN get the message that the privacy of domain registrants is important, sign our petition telling ICANN “to pursue with greater urgency the comprehensive improvement of the legacy WHOIS service, to build in privacy and security by design.”