Proposed Whois Privacy and Proxy Service Restrictions

1 July 2015

Ms Mary Wong
Senior Policy Director
Internet Corporation for Assigned Names

By email:

Dear Ms Wong

Proposed Whois Privacy and Proxy Service Restrictions

Thank you for the opportunity to comment on the Initial Report on Privacy and Proxy Services Accreditation Issues[1] prepared by the Generic Names Supporting Organisation (GNSO) Working Group (the Working Group) on behalf of the Internet Corporation for Assigned Names and Numbers (ICANN).

I am writing to respond to the question posed for consultation in the initial report, namely, whether privacy and proxy services for WHOIS data should remain available to website registrants.

The Office of the Australian Information Commissioner (OAIC) is concerned that prohibiting the use of privacy and proxy services by domain names associated with commercial activities, and which are used for online financial transactions would raise privacy issues for individual domain registrants captured within that prohibition.

The Office of the Australian Information Commissioner

The OAIC is an independent statutory agency that supports the work of the Australian Information Commissioner and the Privacy Commissioner. I make these comments in my capacity as Australian Privacy Commissioner.The OAIC has a range of functions and powers directed towards protecting the privacy of individuals by ensuring the proper handling of personal information. These functions and powers are conferred by the Privacy Act 1988 (Cth)[2] (the Australian Privacy Act) and by other legislation containing privacy protection provisions.

OAIC comments

I have previously commented on the important role played by privacy and proxy services in a Submission on ICANN’s Study of Whois Privacy and Proxy Service Abuse,[3] noting that any abuse of privacy and proxy services should not invalidate the use of these services by domain registrants with legitimate privacy concerns. Instead, concerns about the use of privacy and proxy services to support illegal or harmful activity should be addressed through governance frameworks that allow appropriate bodies such as law enforcement or copyright owners, to access the relevant domain registrant information where needed.

The initial report sets out a framework for accrediting privacy and proxy service providers including contractual arrangements for enforcing rules and policies on a consistent basis across all commercial providers of these services. This framework appears to provide a means for people with a legitimate interest in contacting a website registrant to do so. Given the protections that this framework will provide, it is unclear why there would be a need to restrict website registrants with legitimate privacy concerns from protecting their personal information via a privacy and proxy service.

Privacy risks to domain owners

The risks, for individual domain owners of commercial websites of a prohibition of privacy and proxy services may include increased exposure to identity theft, scam and spam attempts, stalking and harassment, and doxing.

I am therefore concerned that public access to domain registrants’ personal details may result in a high risk of harm for certain individuals, if their personal details were published in the Whois directory against their wishes. I demonstrated my concern in relation to such issues in a recent determination[4] I made, where I concluded that a telecommunications company had breached the Australian Privacy Act by publishing an individual’s personal details in a publicly available telephone directory, against the individual’s wishes. The complainant in this matter was a judge who regularly received threats from parties whose matters he had heard, and I awarded him $18,000 AUD to compensate for the privacy breach.

Potential accuracy concerns

I am also concerned that if domain registrants are no longer able to access privacy and proxy services they will instead resort to falsifying data in the Whois directory to protect their identity, thus reducing Whois data accuracy.

The OAIC’s Community Attitudes to Privacy Survey,[5] conducted in 2013, relevantly noted that 32% of survey respondents reported having provided false details to an agency or organisation to protect their privacy, while 30% reported having provided a false name. Domain registrants who are particularly motivated to keep their personal information private out of fear of harassment or other adverse consequences may therefore be inclined to provide false data rather than compromise their privacy.

It is possible that restricting access to privacy and proxy services could have the unanticipated consequence of making it more difficult for parties with a legitimate need to contact domain owners to obtain their contact details.

Our view

For the reasons outlined above, the OAIC does not consider a prohibition against the use of privacy and proxy services to be an appropriate solution to the issues raised by some Working Group members. I urge the Working Group members to adopt a model that sees the continuing wide availability of privacy and proxy services.

If the OAIC can be of further assistance in relation to this matter, please contact Natacha Doust, Adviser by email at [contact details redacted] or on [contact details redacted].


Timothy Pilgrim
Australian Privacy Commissioner

July 2015


[1] Available online at <>

[2] Available online at <>

[3] Available online at <>

[4] ‘DK’ and Telstra Corporation Limited [2014] AICmr 118 (30 October 2014), available online at <>

[5] Available online at <>

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at