ccTLD Meetings Rome 2004 WHOIS & Data Privacy Jean-Christophe Vignes Registry Liaison Manager


Uses of WHOIS

• Internet Stability
  – Allows network managers to contact each other quickly to try and fix issues (RFCs 812 & 954)
  – Helps others benefit from the Internet by checking domain name availability and registering them
• Law enforcement
  – Quickly find out the holder of a web site carrying offending or infringing content
  – Contact details used to serve legal documents
• E-Commerce
  – Customers can find out what entity is behind a web site with a well known domain name


WHOIS and Data Privacy

• Contact Details are useful to facilitate technical communications

• But WHOIS can also be used for Data Mining.

• Data Privacy laws and Best Practices may be needed to protect the Registrants’ Rights
  – E.g.: CENTR - http://www.centr.org/docs/statements/CENTR-Position-on-Whois.html


WHOIS Legal Framework

• Depends on the country in which the Registry operates.
• General trend to establish “privacy” laws
• Specific Directive applies to member-states of the European Union
• Many countries recently passed national Privacy Law with the same guidelines - YMMV :-)
  – Canada (January 1st 2004)
  – Australia (December 21st 2004)
  – Japan (May 23rd 2003)
  – …


Basic Concepts for Data Privacy

• “Personal Data”
  – Data characterizing the individual
  – I.e. name, address, phone number…
  – > WHOIS holds Personal Data!
• “Data Subject” and “Controller”
  – The Data Subject is the Registrant
  – The Controller is the Registry (or the Registrar)
• “Processing”
  – To integrate the data into a database by automatic or electronic means.


Basic Concepts for Data Privacy (Cont’d)

• “Consent”
  – The Data Subject has to agree before its data can be processed and/or published.

• The Controller may have to inform a “Supervisory Authority” on the Process before collecting Data from subjects.

• I.e: Federal Privacy Commissioner (Au), Office for Personal Data Protection (Cz), Information Commissioner (UK)…

• http://www.privacylaws.com/links/linknational.htm


Data Privacy: Usual Principles

• The Controller has to be clearly identified

• The Data Subject has the opportunity to give its Explicit Consent before Data is processed

• The Data Subject is allowed to Check and Rectify the Data stored by the Data Controller

• The Controller can only keep the Data for an appropriate amount of time

• The Controller has to keep the Data accurate and up-to-date

• Transfer to third parties in other countries can only happen under certain conditions


Data Privacy: ccTLD Perspective - 1

• Provide the Registrant with the full details of the entity processing the Data
  – The Registrant has to know how and where to contact the Registry; the information has to be readily available on the Registry’s site
  – the controller […] must provide the data subject with […] the identity of the controller and of his representative, if any (Article 10a of the ECD)
• Inform the Registrant of any process that might take place on its data
  – Privacy Policy page may be clearly accessible on the Registry’s site (on the index page, in an easy to read format and wording)
  – the controller […] must provide the data subject with […] the purposes of the processing for which the data are intended [and] the recipients or categories of recipients of the data (Articles 10b & 10c of the ECD)


Data Privacy: ccTLD Perspective - 2

• Consent
  – Check-Box at the bottom of the Registration agreement
  – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed (Article 2 of the ECD)
• Check and Rectify
  – E.g: Web form to access and edit the Data, dedicated e-mail address ([email protected] ?) to ask for an output of the stored Data.
  – Data subject [has] the right to obtain from the controller […] as appropriate the rectification, erasure or blocking of data (Article 23b of the ECD)


Data Privacy: ccTLD Perspective - 3

• Maintain the Data
  – Data should be kept on a secure server and rendered anonymous after a certain period of time
  – The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, (Articles 13-2 and 17 of the ECD)
• Transfer to third parties
  – If the Registry transfers the Data in another country (to Registrars) it has to make sure the Data is protected.
  – the transfer to a third country of personal data […] may take place only […] the third country in question ensures an adequate level of protection. (Article 25-1 of the ECD)


Data Privacy: ccTLD Perspective - 4

• Accuracy of the Data
  – Important role for the Registrar
  – National Law?
    • I.e: U.S. Bill HR 4640
  – Registry Terms & Conditions
    • The Registrant has to make sure and represent that Data submitted for Registration is accurate.


Beyond WHOIS

• Allow Registrants to refuse publication of selected data
  – “ex-listed”
  – i.e www.nic.TM/New1.html
• Provide an “availability-only” service
  – Easy way to know if a Domain is available without providing personal data
  – avail.nic.TM on Port 43

• Tiered Access
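
The three options on this slide, sketched as one registry-side disclosure policy. This is an added example, not code from the presentation or from any registry; the record, the field names, the two tier names and the withheld marker are constructed assumptions.

```python
# Added illustration: hypothetical registry-side disclosure policy.
# All records, tier names and field names below are constructed assumptions.
PERSONAL_FIELDS = ("registrant", "address", "phone", "email")
WITHHELD = "[withheld at registrant's request]"
TIERS = {"public": 0, "authorised": 1}  # assumed two-level tiered access

REGISTRY = {  # constructed sample data, not real registrations
    "example.tm": {
        "registrant": "Alice Example",
        "address": "1 Sample Street",
        "phone": "+00 0000 0000",
        "email": "alice@example.tm",
        "nameserver": "ns1.example.tm",
        "ex_listed": {"address", "phone"},  # fields the registrant opted out of
    },
}


def availability(domain):
    """Availability-only answer: discloses no registrant data at all."""
    return "registered" if domain.lower() in REGISTRY else "available"


def whois(domain, tier="public"):
    """Build the WHOIS answer a requester of the given tier may receive."""
    level = TIERS[tier]  # unknown tier raises KeyError, so the lookup fails closed
    name = domain.lower()
    record = REGISTRY.get(name)
    if record is None:
        return {"domain": name, "status": "available"}
    answer = {"domain": name, "status": "registered",
              "nameserver": record["nameserver"]}  # technical data is always shown
    for field in PERSONAL_FIELDS:
        hidden = level == 0 and field in record["ex_listed"]
        answer[field] = WITHHELD if hidden else record[field]
    return answer


if __name__ == "__main__":
    print(availability("example.tm"), availability("unused.tm"))
    print(whois("example.tm"))
    print(whois("example.tm", tier="authorised"))
```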


Conclusion

• Data Privacy has become a worldwide preoccupation

• WHOIS service causes concern that may be addressed by Registries

• Solutions exist that preserve flexibility and the Registrants’ rights

• Towards WHOIS Best Practices?


Thank You !

[email protected]