Commentary

WHOIS Reform Should Not Cater to Extreme Privacy Concerns

Image Cano Icann Whois
19 Sep 2014, 
published in
GPPi

In 2008, the people on eWeek writer Larry Seltzer’s ↪ email address book started getting emails from someone who clearly was not Larry Seltzer. An investigation revealed that an identity thief had accessed Seltzer’s personal information, available online on WHOIS, the internet service that stores data on the registered users of domain names. Someone had hacked Seltzer’s email address and accessed his contact list to send out messages. Although Seltzer filed complaints to the WHOIS administrators, he never got a response. His case is still unresolved.

Seltzer’s story is one of many that can be traced back to the WHOIS database, long criticized for its vulnerability to abuse by spammers and identity thieves. When individuals or companies request a domain name from a registrar, they must provide their names, phone numbers, email and physical addresses. These data are compiled and made accessible to the general public through WHOIS.

In May, the Internet Corporation for Assigned Names and Numbers (ICANN), which administers WHOIS, released a report acknowledging the need to replace the database. ICANN also publicly endorsed the 2013 Carnegie Mellon University’s Cylab report on the misuses of the database by individuals. The report emphasizes the abuse of data by identity thieves who are able to use the names, commercial addresses and phone numbers of users to commit fraud.

In response to concerns about the lack of privacy protection in the existing system, ICANN entrusted an expert working group to create a new database – the Registration Directory Service (RDS) system – that will not make the data public, but would allow limited access to the police or other law enforcement institutions with approved accreditation. For legal accountability purposes, the database will only publish the name and email of the individual legally responsible for the domain.

This has not been well-received by everyone. A report commissioned by the Council of Europe and released in June criticized ICANN’s plans, arguing that the RDS system is not the solution. The report argued that it offered inadequate privacy protection, raising concerns that accredited police may abuse private data. In the report’s opinion, a new database where data would still be partially accessible through an accreditation system is still considered a disproportional interference with the citizen’s right to privacy.

But WHOIS should not cater to privacy concerns only. An online database is necessary to foster legal accountability and prevent cybercrime. When a user has a website, he or she consciously recognizes limits to his or her privacy by publishing personal data. The user agrees to provide this information following 2013 ICANN registry policies. This has its benefits, for example, when it comes to disputes over intellectual property rights.

The database also allows law enforcement institutions to establish responsibility for illegal activities online. It might happen that a domain is incurring illegal activity that may even violate human rights, for example child pornography, hate speech or defamation. The new database proposed by ICANN promises to achieve the balance between privacy and legal accountability and we should welcome it as an important step in the global debate on privacy.

Overall, the Council of Europe report appears to be guided by an absolute and particular definition of privacy or legal accountability. The definition implied by the report infers that a user should have the right to remain anonymous for any content he or she publishes. The concerns raised in the report ignore the need for a global database that benefits users and law enforcement institutions. Furthermore, these concerns do not consider the needs of local police to access personal data for crime prevention.

The report also ignores the need to reconcile different legal interpretations of rights, a challenge that arises when creating a global system to be complemented by national legislation. ICANN has the challenge of leading a global system of governance that satisfies different understandings of privacy. In replacing the existing database, we need to consider different needs from different legal cultures while balancing the right to privacy with crime prevention and legal accountability. The architects of the new system are considering several interpretations of privacy and freedom of expression.

The new database would respond to a balanced global understanding of privacy and the local realities of law enforcement and access to data. We have to understand that we are building a global system of governance where European interpretations are often challenged. The new database is potentially a good tool to reconcile the non-absolute right to privacy, accountability and crime prevention. The multiple actors influencing ICANN’s global policies have a unique opportunity to endorse this system and recognize that conflicting interpretations in the privacy versus crime prevention debate can be reconciled. 

Related

Hensing 2025 DFS Event OJ
events

#DFS2025: Economic Security and Critical Tech in Trump 2.0

Hensing 2025 neurotech E Uand DEU OJ
Article

Neurotechnology: A New Frontier for Prosperity and Security in Germany and Europe?

By Jakob Hensing, Andreas Faika
Hensing 2025 5 G Tower OJ
Article

Mehr Wirtschaftssicherheit wagen

By Thorsten Benner, Jakob Hensing, Florian Klumpp
Benner 2025 Vonder Leyen Parliament OJ
Commentary

Europe's Moment to Get on the Front Foot on De-Risking from China

By Thorsten Benner, Jakob Hensing, Florian Klumpp
CET Jake Sullivan01 Hensing
Case study

“As Large of a Lead as Possible”?

By Florian Klumpp, Jakob Hensing
Benner 2024 Unterseekabel kritisch ungeschuetzt
Article

Unterseekabel: Kritisch ungeschützt

By Thorsten Benner
Hensing 2024 Neurotech Project
Project

Neurotechnology: Considerations for Foreign and Security Policy

Hoxtell 2024 Disinfo1
Study

Mitigating Disinformation in Europe

By Wade Hoxtell