Uses of WHOIS
Internet Stability
  – Allows network managers to contact each other quickly to try to fix issues (RFCs 812 & 954)
  – Helps others benefit from the Internet by checking Domain name availability and registering names
Law enforcement
  – Find out quickly the holder of a web site carrying offending or infringing content
  – Contact details used to serve legal documents
E-Commerce
  – Customers can find out what entity is behind a web site with a well-known domain name

WHOIS and Data Privacy
Contact Details are useful to facilitate technical communications
But WHOIS can also be used for Data Mining.
Data Privacy laws and Best Practices may be needed to protect the Registrants’ Rights
  – E.g.: CENTR - http://www.centr.org/docs/statements/CENTR-Position-on-Whois.html

WHOIS Legal Framework
Depends on the country in which the Registry operates.
General trend to establish “privacy” laws
Specific Directive applies to member states of the European Union
Many countries recently passed national Privacy Laws with the same guidelines - YMMV :-)
  – Canada (January 1st 2004)
  – Australia (December 21st 2004)
  – Japan (May 23rd 2003)
  – …

Basic Concepts for Data Privacy
“Personal Data”
  – Data characterizing the individual
  – E.g. name, address, phone number…
  –> WHOIS holds Personal Data!
“Data Subject” and “Controller”
  – The Data Subject is the Registrant
  – The Controller is the Registry (or the Registrar)
“Processing”
  – To integrate the data into a database by automatic or electronic means.

Basic Concepts for Data Privacy (Cont’d)
“Consent”
  – The Data Subject has to agree before its data can be processed and/or published.
The Controller may have to inform a “Supervisory Authority” about the Process before collecting Data from subjects.
E.g.: Federal Privacy Commissioner (Au), Office for Personal Data Protection (Cz), Information Commissioner (UK)…
http://www.privacylaws.com/links/linknational.htm

Data Privacy: Usual Principles
The Controller has to be clearly identified
The Data Subject has the opportunity to give its Explicit Consent before Data is processed
The Data Subject is allowed to Check and Rectify the Data stored by the Data Controller
The Controller can only keep the Data for an appropriate amount of time
The Controller has to keep the Data accurate and up-to-date
Transfer to third parties in other countries can only happen under certain conditions

Data Privacy: ccTLD Perspective - 2
Consent
  – Check-Box at the bottom of the Registration agreement
  – “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” (Article 2 of the ECD)
Check and Rectify
  – E.g.: Web form to access and edit the Data, dedicated e-mail address (Privacy@Registry.ccTLD ?) to ask for an output of the stored Data.
  – “Data subject [has] the right to obtain from the controller […] as appropriate the rectification, erasure or blocking of data” (Article 23b of the ECD)

Data Privacy: ccTLD Perspective - 3
Maintain the Data
  – Data should be kept on a secure server and rendered anonymous after a certain period of time
  – “The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access” (Articles 13-2 and 17 of the ECD)
Transfer to third parties
  – If the Registry transfers the Data to another country (to Registrars), it has to make sure the Data is protected.
  – “the transfer to a third country of personal data […] may take place only […] the third country in question ensures an adequate level of protection.” (Article 25-1 of the ECD)

Data Privacy: ccTLD Perspective - 4
Accuracy of the Data
  – Important role for the Registrar
  – National Law? E.g.: U.S. Bill HR 4640
  – Registry Terms & Conditions: The Registrant has to make sure and represent that Data submitted for Registration is accurate.

Beyond WHOIS
Allow Registrants to refuse publication of selected data
  – “ex-listed”
  – E.g.: www.nic.TM/New1.html
Provide an “availability-only” service
  – Easy way to know if a Domain is available without providing personal data
  – avail.nic.TM on Port 43
Tiered Access

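The three options on the slide above (ex-listed fields, an availability-only answer, tiered access) can be sketched as registry-side response logic. This is an added example, not code from the presentation or from any registry; the field names, tier names, reply wording and sample record are assumptions made for illustration.

```python
# Added illustration: field names, tier names and reply wording are assumptions,
# not the format of any real registry. REGISTRY holds constructed sample data.
PERSONAL_FIELDS = {"name", "address", "phone", "email"}
TIERS = ("public", "registrar", "law_enforcement")  # hypothetical tiers
REGISTRY = {
    "example.tm": {
        "name": "A. Registrant", "address": "1 Sample Street",
        "phone": "+000 000 0000", "email": "owner@example.tm",
        "registrar": "Sample Registrar", "created": "2004-01-01",
        "ex_listed": {"address", "phone"},  # registrant opted out of publishing these
    },
}

def normalise(query):
    """A port 43 query is one CRLF-terminated line; accept only a plain hostname."""
    domain = query.strip().lower().rstrip(".")
    labels = domain.split(".")
    ok = len(labels) >= 2 and all(
        l.isascii() and l.replace("-", "").isalnum() and len(l) <= 63
        and not l.startswith("-") and not l.endswith("-") for l in labels)
    return domain if ok and len(domain) <= 253 else None

def availability(query):
    """Availability-only answer: registrant fields are never read or returned."""
    domain = normalise(query)
    if domain is None:
        return "ERROR invalid query"
    return f"{domain} {'REGISTERED' if domain in REGISTRY else 'AVAILABLE'}"

def whois(query, tier="public"):
    """Full answer; ex-listed personal fields are withheld from the public tier."""
    domain = normalise(query)
    if domain is None or tier not in TIERS:
        return {"error": "invalid query"}
    record = REGISTRY.get(domain)
    if record is None:
        return {"domain": domain, "status": "AVAILABLE"}
    out = {"domain": domain, "status": "REGISTERED"}
    for field, value in record.items():
        if field == "ex_listed":
            continue
        if tier == "public" and field in PERSONAL_FIELDS and field in record["ex_listed"]:
            value = "WITHHELD"
        out[field] = value
    return out
```
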
Conclusion
Data Privacy has become a worldwide preoccupation
WHOIS service causes concern that may be addressed by Registries
Solutions exist that preserve flexibility and the Registrants’ rights
Towards WHOIS Best Practices?