Group lobbies for domain buyers' privacy

Individuals and small-business owners should be able to buy domain names without being required to divulge their personal information, an international coalition plans to argue.

Declan McCullagh
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
3 min read
Individuals and small-business owners should be able to buy domain names without being required to divulge their mailing address, phone number and e-mail address, an international coalition plans to say in a letter Tuesday evening.

Currently, the Internet Coalition for Assigned Names and Numbers (ICANN) broadly requires that such details be made publicly available through the "Whois" directories. That policy enables spammers, direct marketers and identity thieves to loot the directory for personal information about domain name owners, the coalition's draft letter to ICANN charges.

"The main purpose of the Whois database should be stick to the original purpose for which the Whois database was created, which is to resolve network issues," said Cedric Laurant, policy counsel at the Electronic Privacy Information Center and one of the drafters of the letter. "The database should not be used by spammers and bulk e-mailers for purposes of direct marketing."

The draft letter to ICANN president Paul Twomey has been signed by about 50 nonprofit groups so far, Laurant said, and represents 21 countries on six continents. Signers include the American Library Association, the U.S. Association for Computing Machinery, the Australian Council for Civil Liberties, Electronic Frontier Finland, Privacy Ukraine, and the United Kingdom's Foundation for Information Policy Research.

The coalition's effort comes as ICANN tries to decide how to balance domain name owners' privacy with accountability--a priority of law enforcement agencies and trademark owners who are seeking to unmask suspected infringers. In September, the Bush administration ordered ICANN to improve the "accuracy of Whois data."

That should not come at the expense of privacy and anonymity, the draft letter argues: "The WHOIS database was originally intended to allow network administrators to find and fix problems to maintain the stability of the Internet...Anyone with Internet access can now have access to WHOIS data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers. The original purpose for WHOIS should be reestablished."

In a Sept. 18 announcement, ICANN's Twomey noted that the group, which oversees domain name governance, already had convened a Whois workshop in June in an attempt to "advance work on Whois in a coordinated and cooperative manner." At its meeting this week in Carthage, Tunisia, ICANN is scheduled to assemble on Wednesday to discuss "address accuracy and privacy issues, including data collection and verification measures, complaint procedures and investigatory methods for false information."

Another factor ICANN may consider is whether the current Whois practice runs afoul of privacy laws. A June 2003 report from a European Commission working group said data protection rules--outlined in the European Data Protection Directive--cover the Whois directory.

The report does not go as far as do Laurant and the privacy advocates at EPIC, who argue that anonymous domain purchases should be allowed. But it does say that only the domain name registrar needs to know the identity of someone who's buying a domain for individual use: "There is no legal ground justifying the mandatory publication of personal data referring to this person."

ICANN's formal agreement with domain name registrars says customers must provide "accurate and reliable contact details and promptly correct and update them during the term of the...registration" or risk losing their domain.

Some registrars such as Go Daddy Software offer "private registrations" that cloak customers' home addresses and phone numbers for an additional fee of about $9 a year per domain name.