Governments and Intellectual Property Community Fight For Open Whois Access

By Monika Ermert for Intellectual Property Watch

Should everybody who registers an Internet domain name be forced to publish his private address, email address and phone number on the Internet? A storm broke out over the question of the so-called Whois data at the meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Marrakech last week.

ICANN is the technical coordination body for the Internet domain name system, and is headquartered in California and operating under an arrangement with the US Department of Commerce. Every domain name registrant is required to submit their contact information, known as Whois data, which is published publicly on the Internet. This has been useful to law enforcement and intellectual property right holders, but has concerned companies who sell domain names to end users and are required to collect accurate information, Internet service providers required to hold the data, and privacy advocates. It also has been seen as a feeding ground for spammers who send out mass unsolicited commercial emails, and has been found to have a high proportion of inaccurate data.

The open Whois has caused registrars in countries with strict data protection laws, for example those in the European Union, considerable headaches in recent years. European data protection officials have warned ICANN on several occasions to stay within EU data protection laws. Peter Schaar, Germany’s federal commissioner for data protection and freedom of information and currently head of the Article 29 group of European data protection officials, reiterated this warning at the end of the week.

The question is anything but new to domain name registrars, but an ICANN task force of the Generic Name Supporting Organisation (GNSO) that was dedicated to the Whois question has struggled for nearly six years to reach consensus between registrars and users on the one side and trademark and intellectual property representatives on the other.

After the GNSO Council decided in a split vote earlier this year that the purpose of the Whois service was strictly technical, governments and stakeholders from ICANN’s Intellectual Property Constituency and Business Constituency in ICANN joined forces in their claim that they must not be stripped of that source of information on domain name registrants.

A Critical Consumer Protection Tool

Representatives of the US Federal Trade Commission (FTC), the Dutch Telecommunications Regulatory Authority Opta and Japan’s Telecommunications Consumer Policy Division of the Japanese Ministry of Internal Affairs and Communications warned against limitations in access to personal data of domain name owners at a panel session of ICANN’s Government Advisory Committee (GAC) organized by Susanne Sene of the US Department of Commerce. FTC Commissioner Jon Leibowitz said: “If ICANN restricts the use of Whois data to technical proposes only, it will greatly impair the FTC’s abilities to identify Internet malefactors quickly.”

FTC investigators have relied heavily on information in the Whois database for the last decade to identify spammers and scammers, said Leibowitz. “Whois databases often are one of the first tools FTC investigators use to identify wrongdoers,” he said. “The FTC is concerned that any attempt to limit the Whois to this narrow purpose will put its ability to protect consumers and their privacy in peril.”

The head of Opta, Chris Fonteijn, and Hiroyo Hiramatsu of the Japanese communications ministry supported Leibowitz’ view, with Hiramatsu clearly addressing the violation of IP rights as a major problem that made an open Whois database necessary. According to the Japanese provider liability law (enacted in 2002) IP owners can ask Internet service providers (ISPs) to take down material posted on the Internet when they see their rights violated. Without Whois access their investigations would be difficult, they said.

A group of domain name registrars reacted quickly to the concerns by confirming that they certainly would “continue to collect the data commonly known as Whois data” and also “continue to provide access to such data by law enforcement, intellectual property, ISPs and other legitimate users, through appropriate processes.” In fact, registrars that hold the main volume of Whois data were “open to improve those processes for more efficient access by legitimate users.” According to the registry-registrar agreement they would store more data for a period of three years after the end of the contract with a specific customer, and all this data was available to law enforcement, again “through appropriate processes.”

GNSO Council member Mawaki Chango, a Togolese academic who worked for the UN Educational, Scientific and Cultural Organization (UNESCO), said: “If I build a house, I don’t build it for the purpose of law enforcement. But if I do something bad, law enforcement entities can come in and search.” In that way, the whole debate on the purpose of the Whois data is a waste of time, he said.

The final report of the Whois task force would only be ready by the end of the year, he said. According to GNSO planning, the ICANN board shall decide on the future Whois in early 2007.

Making the Right Info Accessible to the Right People

In the end, the question comes down to what “appropriate procedures” for access mean and how the much-discussed concept of “tiered access” will be realized. Tiered access that will be technically perfected by a Whois follow-up system (a system currently being developed by the Internet Engineering Task Force under the title CRISP) means that only some information will be public, while the full data set will be only available through formal procedures. But formal procedures could slow down the speed of investigations and consume more time and cost, especially in cross-border investigations, officials said.

“We would need formal requests and would have to enforce them against registrars, which is a more complex process,” said Opta’s Fonteijn. “Research for historic data and patterns would become more difficult,” he said. “Spam enforcement internationally would become very difficult and the Internet could become a safe haven for abuse.”

Leibowitz said: “Where a registrar is located in a foreign jurisdiction, the FTC often has no other way to obtain the information it needs. The FTC cannot, in most cases, readily require a foreign entity to provide us with information.” The US Department of Justice at an ICANN meeting in Montreal in 2002 asked for a completely open Whois in order to allow the authorities to search Whois data without being identifiable as law enforcement or public investigators.

Leibowitz said in Marrakech that not only governments but also normal users should have open Whois access. If users could start to look into the issues themselves it would also support public authorities. This demand was echoed by various members of the Business and IP Constituency of ICANN who want to investigate violations in IP and trademark rights.

Sunlight on Illegal Internet Behaviour

“The publicly available Whois provides sunlight in the battle against illegal and improper behaviour on the Internet”, said Steve Metalitz of the ICANN Intellectual Property Constituency and a Washington lobbyist. “If we’re going to block that sunlight in some way through changes to the system, what are we going to do to bring light to these corners of the Internet?”

ICANN’s Non-Commercial Constituency representatives said they are wary of the alliance between government and IP interests and at Marrakech they especially warned against a Whois policy that contradicts European data protection law.

Milton Mueller, a professor at the School of Information Studies at Syracuse University (US), asked the representatives of government agencies: “How do you protect us against spam by publishing contact data for every spammer that could be automatically harvested from the Whois database?”

Questions of Consistency with EU Law

Nigel Williams, administrator for the country-code top-level domain for Jersey (.je) and Guernsey (.gg), referred to the EU privacy directive and to Article 8 of the Convention on Human Rights of the Council of Europe. Both would be violated by a Government Advisory Committee decision to oblige people to have their personal data published online. “The law in 25 countries is pretty clear,” said Williams.

This was clearly confirmed by Schaar, the German federal commissioner of data protection and freedom of information. In answer to questions from Intellectual Property Watch, Schaar wrote: “The purpose of Whois databases is to ensure communication over the Net. It’s a technical purpose and it should be kept that narrow in the future, too.” Schaar said also that the scope of the data collected had to be reviewed carefully.

“The principle that data should only be collected and used as there is a need for them is a fundamental principle of European data protection law”, said Schaar. General access should be basically restricted to technical information as identifying the provider of a domain and their contact data. “Above this only government agencies might be given accesss according to the law,” as long as they have data protection themselves.

“Should users not be allowed to protect themselves?” Kathy Kleiman, co-founder of the Noncommercial Users Constituency, asked ICANN in Marrakech. Kleiman cited several cases of stalking of individuals from the public Whois database.

IP owners at the ICANN meeting said that they felt violated mainly from private “pirates”. And Sarah Deutsch, vice president and associate general counsel at Internet service provider Verizon said: “Just because a person is an individual doesn’t mean that they should have the right to privacy necessarily. There’s no right of privacy to commit a crime, and we should not be in a situation where registrars are flooded with subpoenas for every single trademark or copyright.”

The GNSO Council reacted to the fierce debate offering that the Whois task force would take into account Government Advisory Committee and community considerations – so the battle goes on.