ccTLD%20Meetings%20Rome%202004

1
ccTLD Meetings Rome 2004

• WHOIS Data Privacy
• Jean-Christophe Vignes
• Registry Liaison Manager

2
Uses of WHOIS

• Internet Stability
• Allows network managers to contact each other
  quickly to try and fix issues. (RFCs 812 954)
• Helps others benefit from the Internet by
  checking Domain names availability and Register
  them
• Law enforcement
• Find out quickly the holder of a web site
  carrying offending or infringing content
• Contact details used to serve legal documents
• E-Commerce
• Customers can find out what entity is behind a
  web site with a well known domain name

3
WHOIS and Data Privacy

• Contact Details are useful to facilitate
  technical communications
• But WHOIS can also be used for Data Mining.
• Data Privacy laws and Best Practices may be
  needed to protect the Registrants Rights
• E.g CENTR - http//www.centr.org/docs/statements/
  CENTR-Position-on-Whois.html

4
WHOIS Legal Framework

• Depends of the country in which the Registry
  operates.
• General trend to establish privacy laws
• Specific Directive applies to member-states of
  the European Union
• Many countries recently passed national Privacy
  Law with the same guidelines - YMMV -)
• Canada (January 1st 2004)
• Australia (December 21st 2004)
• Japan (May 23rd 2003)

5
Basic Concepts for Data Privacy

• Personal Data
• Data characterizing the individual
• I.e. name, address, phone number
• gt WHOIS holds Personal Data!
• Data Subject and Controller
• The Data Subject is the Registrant
• The Controller is the Registry (or the Registrar)
• Processing
• To Integrate the data into a database by
  automatic or electronic means.

6
Basic Concepts for Data Privacy (Contd)

• Consent
• The Data Subject has to agree before its data can
  be processed and/or published.
• The Controller may have to inform a Supervisory
  Authority on the Process before collecting Data
  from subjects.
• I.e Federal Privacy Commissioner (Au), Office
  for Personal Data Protection (Cz), Information
  Commissioner (UK)
• http//www.privacylaws.com/links/linknational.htm

7
Data PrivacyUsual Principles

• The Controller has to be clearly identified
• The Data Subject has the opportunity to give its
  Explicit Consent before Data is processed
• The Data Subject is allowed to Check and Rectify
  the Data stored by the Data Controller
• The Controller can only keep the Data for an
  appropriate amount of time
• The Controller has to keep the Data accurate and
  up-to-date
• Transfer to third parties in other countries can
  only happen under certain conditions

8
Data PrivacyccTLD Perspective - 1

• Provide the Registrant with the full details of
  the entity processing the Data
• The Registrant has to know how and where to
  contact the Registry, the information has to be
  readily available on the Registrys site
• the controller must provide the data subject
  with the identity of the controller and of
  his representative, if any (Article 10a of the
  ECD)
• Inform the Registrant of any process hat might
  take place on its data
• Privacy Policy page may be clearly accessible on
  the Registrys site (On the index page in a easy
  to read format and wording)
• the controller must provide the data subject
  with the purposes of the processing for which
  the data are intended and the recipients or
  categories of recipients of the data (Articles
  10b 10c of the ECD)

9
Data PrivacyccTLD Perspective - 2

• Consent
• Check-Box at the bottom of the Registration
  agreement
• any freely given specific and informed indication
  of his wishes by which the data subject signifies
  his agreement to personal data relating to him
  being processed (Article 2 of the ECD)
• Check and Rectify
• E.g Web form to access and edit the Data,
  dedicated e-mail address (Privacy_at_Registry.ccTLD
  ?) to ask for an output of the stored Data.
• Data subject has the right to obtain from the
  controller as appropriate the rectification,
  erasure or blocking of data (Article 23b of the
  ECD)

10
Data PrivacyccTLD Perspective - 3

• Maintain the Data
• Data should be kept on a secure server and
  rendered anonymous after a certain period of time
  
• The controller must implement appropriate
  technical and organizational measures to protect
  personal data against accidental or unlawful
  destruction or accidental loss, alteration,
  unauthorized disclosure or access, (Articles 13-2
  and 17 of the ECD)
• Transfer to third parties
• If the Registry transfers the Data in another
  country (to Registrars)it has to make sure the
  Data is protected.
• the transfer to a third country of personal data
  may take place only the third country in
  question ensures an adequate level of protection.
  (Article 25-1 of the ECD)

11
Data PrivacyccTLD Perspective - 4

• Accuracy of the Data
• Important role for the Registrar
• National Law?
• I.e U.S. Bill HR 4640
• Registry Terms Conditions
• The Registrant has to make sure and represent
  that Data submitted fro Registration is accurate.
  

12
Beyond WHOIS

• Allow Registrants to refuse publication of
  selected data
• ex-listed
• i.e www.nic.TM/New1.html
• Provide an availability-only service
• Easy way to know if a Domain is available without
  providing personal data
• avail.nic.TM on Port 43
• Tiered Access

13
Conclusion

• Data Privacy has become a worldwide preoccupation
• WHOIS service causes concern that may be
  addressed by Registries
• Solutions exist that preserve flexibility and the
  Registrants rights
• Towards WHOIS Best Practices?

14
Thank You !

• Jean-Christophe.Vignes_at_Nic.TM