Internet Corporation for Assigned Names and Numbers Study of Whois Privacy and Proxy Service Abuse

12 November 2013

Our reference: 12/000213-03

Ms Mary Wong
Senior Policy Director
Internet Corporation for Assigned Names and Numbers

Via email: comments-whois-pp-abuse-study-24sep13@icann.org

Dear Ms Wong

Study of Whois Privacy and Proxy Service Abuse

Thank you for the opportunity to provide comments about the draft Study of Whois Privacy and Proxy Service Abuse (the Study) undertaken by the National Physical Laboratory on behalf of the Internet Corporation for Assigned Names and Numbers (ICANN).

The Office of the Australian Information Commissioner (OAIC) makes these comments in its capacity as Australia’s independent national privacy regulator.

Office of the Australian Information Commissioner

The OAIC is an independent statutory agency headed by the Australian Information Commissioner, supported by the Freedom of Information Commissioner and the Privacy Commissioner.

The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information in one agency, to advance the development of consistent, workable information policy across all Australian Government agencies.

The Study’s conclusions about use of privacy and proxy services

The OAIC holds concerns about the volume of personal information about domain registrants collected, retained and made publicly available through current Whois database arrangements. The OAIC’s view is that ‘privacy and proxy services’ — that is, services which prevent the disclosure of domain registrants’ personal information through the Whois database, or register domain names on behalf of the registrant — play an important role for domain registrants who do not want their contact details published online due to privacy concerns.

For this reason the OAIC welcomes the Study and other ICANN initiatives aimed at facilitating Whois reform, whether through improvements to existing arrangements or the development of a replacement domain registration information scheme. These initiatives include the eventual development of a ‘Privacy and Proxy Accreditation Program’ under the 2013 Registrar Accreditation Agreement[1] (RAA) and recommendations about Whois reform from the Expert Working Group on gTLD Directory Services[2] and the Whois Policy Review Team.[3]

The OAIC notes with interest the Study’s conclusion that:

...we DID find clear evidence that:

“A significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator’s identity”.

But, although we did find that it was often true, we DID NOT find that in all cases:

“The percentage of domain names used to conduct illegal or harmful Internet activities that are registered via privacy or proxy services is significantly greater than the percentage of domain names used for lawful Internet activities that employ privacy or proxy services.”

Additionally, we learnt that these statements ARE correct:

“When domain names are registered with the intent of conducting illegal or harmful Internet activities then a range of different methods are used to avoid providing viable contact information – with a consistent outcome no matter which method is used.

However, although many more domains registered for entirely lawful Internet activities have viable telephone contact information recorded within the Whois system, a great percentage of them do not.”[4]

To the extent that the Study’s terms of reference and sample size permits, the OAIC would welcome further analysis about the apparent unwillingness or inability of a proportion of registrants of domains for both ‘illegal or harmful’ and ‘legal and harmless’ activities to comply with Whois data collection requirements.

The OAIC has recently released the results from its 2013 Community Attitudes to Privacy Survey, a longitudinal study into public awareness of, and concern about, privacy. The survey results suggest that sections of the Australian community actively take steps to avoid providing personal information to government agencies and private sector organisations because of privacy concerns.[5] Thirty-two per cent of survey respondents reported having provided false details to an agency or organisation to protect their privacy, while thirty per cent reported having provided a false name. This would appear to support findings of ICANN’s Study that individuals sometimes provide false contact information simply to protect their privacy rather than to hide any particular wrongdoing.

The OAIC’s position is that the use of privacy and proxy services to support ‘illegal or harmful internet activities’ should not invalidate their use by domain registrants with legitimate concerns about making their personal information available online. Abuse of privacy and proxy services to support illegal activities should instead be addressed through governance frameworks that allow appropriate bodies to access the relevant domain registrant information where needed for purposes such as law enforcement.

The OAIC believes that further evidence about these matters, whether arising from the Study or as a result of other ICANN initiatives such as the Privacy and Proxy Accreditation Program proposed in the 2013 RAA, would inform discussion about reforming the Whois system in a way that respects personal privacy.

If the OAIC can be of further assistance in relation to this matter, please contact Mark Gallagher, Adviser on [contact details provided].

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner
12 November 2013

Footnotes

[1] ICANN, 2013 Registrar Accreditation Agreement, June 2013, paragraph 3.14,available at <www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm>.

[2] Expert Working Group on gTLD Directory Services, Initial Report from the Expert Working Group on gTLD Directory Services: A Next Generation Registration Directory Services1.74 MB, June 2013, available at <www.icann.org/en/groups/other/gtld-directory-services/initial-report-24jun13-en.pdf>.

[3] Whois Policy Review Team, Whois Policy Review Team Final Report1.47 MB, May 2012, available at <www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf>.

[4] National Physical Laboratory, A Study of Whois Privacy and Proxy Service Abuse (draft report)6.25 KB, September 2013, p 58, available at <http://gnso.icann.org/en/issues/whois/pp-abuse-study-20sep13-en.pdf>.

[5] OAIC, OAIC Community Attitudes to Privacy Survey Research Report 2013, October 2013, pp 29-31, available at <www.oaic.gov.au/privacy/privacy-resources/privacy-reports/oaic-community-attitudes-to-privacy-survey-research-report-2013>.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au