Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Dixon, Tim --- "Privacy issues in domain names" [2001] PrivLawPRpr 23; (2001) 8(1) Privacy Law and Policy Reporter 14

Privacy issues in domain names

Tim Dixon

The text of the following article was made as a submission in March 2001 to the Australian Domain Administration (auDA) Model Competition Advisory Panel on behalf of the Australian Privacy Foundation. Tim Dixon is Chairman of the Foundation (General Editor).

The Australian Privacy Foundation believes that the proposed changes to domain name registration procedures raise serious privacy issues for both Australian and international internet users. In particular, we would suggest that auDA must take steps to ensure that the public accessibility of personal information through the Whois protocol is restricted and monitored such that it can become neither a threat to individuals’ privacy, nor a disincentive for the use of the internet in general.

While the auDA Stage 3 Report for Public Consultation does make some brief mention of privacy concerns, it provides only the most minimal consideration of the nature of the threats to the security of personal information involved in maintaining the public registries and deals only briefly with how such threats might be addressed in any final stipulation. Such concerns must be taken into account in order to preserve users’ rights to privacy and choice when applying for domain names.

The need for a cogent and co-ordinated response to the management of the personal information maintained by the registries is all the more vital in light of the fact that such databases may be beyond the scope of the recent changes to privacy legislation that come into effect in December 2001 with the commence-ment of the Privacy Amendment (Private Sector) Act 2000 (Cth), because of the exclusion of personal information which is published already in a generally available publication. The management of information stored in a Whois database is therefore beyond the scope of legislative control. For this reason, it is imperative that auDA take reasonable steps to ensure the protection of users’ personal information in order to avoid exposing them to unreasonable and irremediable abuses.

The ability to obtain and maintain a domain name is an increasingly critical part of internet usage. It is among the most basic facilities enabling individuals and groups to interact in the online environment, and provides an excellent opportunity for the free exchange of ideas and debate. Such freedom of communication is a basic right that should not be made contingent on willingness to supply personal information. By requiring organisations and companies to release sensitive personal information to the public as a condition of obtaining a domain name, auDA would, in effect, be forcing users to choose between their right to privacy and their right to communication.

As seen recently in the US with Verisign’s decision to sell domain name registration information to marketers, publicly accessible Whois protocols are somewhat of a double edged sword for internet users. On the one hand, they ensure that companies and individuals who operate websites are accountable for the content of such sites, ensuring a degree of consumer protection. On the other hand, however, they can deter individuals and small organisations who are unwilling to make their personal information freely available from registering a domain name. This is especially the case where an individual may operate from home and may therefore be forced to place his or her home address and phone number on the registry.

In light of such conflicting concerns, it is important to understand the extent of the threat posed by the proposed restructuring of the domain name registration system, and the potential for significant improvement in terms of the protection of personal information. One particular area of concern relates to the ways in which independent second level domains (2LDs), acting as registrars, might be allowed to use the information they collect from registering parties. The Verisign example demonstrates that consumers and companies are extremely concerned about registrars transferring or selling their information to other organisations — a fact that has been continually demonstrated by consumer surveys. The US example of Verisign has even more resonance in the Australian context as a result of the fact that, unlike Verisign, the current AUNIC registry has no privacy policy whatsoever.

These problems exist at present and should be rectified by whichever model the Panel chooses to adopt. To this end, the Foundation believes that by allowing bulk access to registry data as a means of cost recovery, even where spamming is expressly prohibited, would unreasonably compromise a registrant’s privacy. A reasonable compromise would be to provide registrants with the opportunity to ‘opt in’ to such arrangements, so that the bulk access lists contain only the details of those who consent to the release of their information. This scheme has an added benefit for those seeking bulk access, in that they can ensure that their target audience is limited to those groups most keen to receive marketing information.

Moreover, a dedicated ‘opt in’ approach to the release of personal information would have the benefit of ensuring that individual privacy is not sacrificed, yet it would stop short of a situation of registrant anonymity that would compromise consumer protection. While it is certainly necessary for registries to collect contact information for technical and administrative contacts so as to ensure that criminal and fraudulent activities can be traced to individuals, there is no reason why such information needs to be publicly available.

Publicly accessible information should be restricted to the:

• domain name;
• internet protocol (IP) address; and
• name of the registrant.

The personal and contact information for individuals should only be available to government authorities (such as the police, ACCC, the courts, ASIO, and so on) where it is required for:

• criminal investigation and law enforce-ment;
• trademark and cybersquatting disputes; and
• consumer protection.

Again, an ‘opt in’ provision would allow those who are comfortable with the release of their information to provide contact details, yet allow a certain degree of anonymity which may be essential where members of registrant organisations risk prejudice and persecution.

Under Proposal 4.3A of the Report for Public Consultation, some further degree of protection would probably be required as the multiplicity of registrars allows for the possibility of greater abuse. Nevertheless, such problems could be overcome were auDA to prescribe certain standards that 2LDs must apply in protecting personal information. Under para 4.3.32 the Advisory Panel suggests that auDA might mandate technical standards with which all registrar 2LDs must comply. We would submit that in addition to these standards, a set of personal information protection standards should be adopted to ensure that such information is not misused.

Such standards should (at the very least) require that each 2LD:

• have a privacy policy detailing:
  • what information is collected;
  • how information is used; and
  • when information will be disclosed to third parties;
• provide a means by which registrants can gain access to the registries information about them and rectify any errors; and
• adopt a high level of security in dealing with personal information so that it is safe from hackers and software failures.

A related issue relates to the way in which the collected information is made publicly available. Currently, registries such as AUNIC fail to give clear notification to potential registering parties that the personal information they provide in the registering process will become publicly available through the Whois protocol. This prevents organis-ations and individuals from making informed choices as to the provision of their personal information and potentially exposes them to greater level of public disclosure than that to which they would ordinarily give consent. This also breaches basic fundamental privacy principles which have been accepted internationally since the OECD promulgated its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, and which are embodied in laws throughout the world. Whether Proposal 4.3A or 4.3B is adopted, it is essential that registrars be required to provide clear notification of what information will be publicly available, thereby allowing potential registrants to make informed choices.

In summary the Australian Privacy Foundation recommends that:

• auDA adopt and mandate a set of procedures to ensure the protection of personal information applying to all registries;
• these procedures include the adoption of privacy policies by all registries as well as a requirement that registries notify registrants as to how their information be used;
• auDA should continue to collect all the information it currently collects but that only the domain name, IP address and registrant’s name be in the public domain;
• auDA allow registrants to ‘opt in’ to further disclosure so that those who choose to release their personal information can do so;
• auDA allow a small number of specified government agencies access to all registry information for criminal investigation, trade mark and consumer protection purposes; and
• auDA allow all registrants to ‘opt in’ to any purchasable bulk access arrange-ment so that only the details of users who consent to the release of their personal information are publicly available.

It is imperative that auDA considers not simply the interests of e-commerce and trading sites, but also that of public interest groups, small organisations and individuals for whom the release of personal information may represent a considerable compromise of their right to privacy. Such concerns can be balanced against the need for registered information about domain name registrants by requiring that only the essential information about a registrant is publicly available, and by allowing these groups to determine their own level of exposure beyond this basic level. This would not prevent contact information from being accessed by government authorities for legitimate criminal investigation and consumer protection purposes, yet would nevertheless preserve both the registrants’ right to communicate and their right to privacy. In the longer term, it would help us to realise the tremendous benefits which the internet can bring to our democracy.

Tim Dixon, Solicitor, Baker & McKenzie, Sydney.