Cybersecurity & Standards

ICANN Must Do a Better Job with Privacy and WHOIS

In June, an Expert Working Group (EWG) with ICANN – the entity that controls the allocation of domain names and IP addresses on the Internet – released a report that proposed extensive changes to the WHOIS system. WHOIS allows anyone to look up details on who owns a domain name (e.g., the cdt.org WHOIS entry). The EWG asked for public input in response to their report and yesterday CDT submitted comments critical of the draft report, specifically focusing on serious privacy concerns.

WHOIS, which was developed way back in 1982, initially served as a mechanism to identify who operated certain servers to make it easier to get contact information of these operators in case something technical went awry. These days, with many, many millions of domain names in operation and many more on the horizon, WHOIS is showing its age in a number of respects. For example, for personal domain registrants – e.g., josephall.org – WHOIS essentially reports sensitive contact information, notably email addresses, postal addresses, and phone numbers. It’s widely known that WHOIS data is highly inaccurate; many individual domain name registrants provide inaccurate data to avoid having their personal information broadcast to the world (to be fair, spammers and scammers also provide inaccurate data to avoid scrutiny). Many others – like me! – use proxy services that mask personal information but that still allow email and postal mail to eventually be routed to them through the proxy provider.

The EWG was chartered to provide possible solutions for a revamped WHOIS that would better address privacy, security, and accessibility of WHOIS data. The draft report proposed a centralized, validated WHOIS system with a gated access model where registrant data would be made freely available. In our comments we raised a number of concerns about this approach and offered recommendations, including:

  1. The current WHOIS system raises privacy and free expression concerns by requiring registrants to disclose sensitive information. The EWG report does a good job of outlining use cases for access to currently available registrant data, but we think it should also reexamine what data must be available today, in light of the vastly more complex modern Internet environment.
  2. The proposed privacy scheme and validation of registrants is unnecessary and unworkable. Instead, ICANN should protect registrants’ privacy by default. We believe that individual registrants (noncommercial entities) should not have any information disclosed by default other than what is needed for the proper technical functioning of the domain name system.
  3. A centralized system is unnecessary and unstable. The gatekeeper under the new proposal would be a poor substitute for existing legal processes because the WHOIS database operator would likely lack the capacity to identify and/or reject illegitimate or overly broad requests. ICANN is unique and must act in an extra-jurisdictional capacity, so it is difficult to see how this new WHOIS would deal with, for example, a Chinese law enforcement request targeting a citizen of another country.

Additionally, the EWG focused on a single model for a new registrant database, rather than a suite of possible models for the public and stakeholders to consider. This greatly limits the conversation that can be had around possible enhancements to WHOIS. We encourage ICANN to consider multiple solutions to this complicated problem and believe the EWG should be explicitly re-tasked with recommending a number of additional models in light of feedback they receive, not just the one current flawed proposal.