Our reference: 12/000213-03

Ms Jo Lim
Chief Operations and Policy Officer
.au Domain Administration Ltd

Via email: [email protected]

Dear Ms Lim

Whois policy review for the .au domain

Thank you for the opportunity to provide comments on .au Domain Administration Ltd's (auDA's) issues paper about the review of Whois policy for .au domain names (the Issues Paper).

Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency headed by the Australian Information Commissioner, supported by the Freedom of Information Commissioner and the Privacy Commissioner. The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information in one agency, to advance the development of consistent, workable information policy across all Australian Government agencies.

Comments in response to Issues Paper questions

Question 1: Should there be any changes to auDA's Whois Policy covering the collection, disclosure and use of Whois data for .au domain names?

The OAIC has previously expressed concern to the Internet Corporation for Assigned Names and Numbers (ICANN) about the volume of personal information about domain registrants collected, retained and made publicly available through current Whois database arrangements.[1] In terms of redeveloping the .au Whois policy, the OAIC suggests that existing privacy protections in the policy should be retained and further steps to protect personal information of .au domain registrants be considered.

[1] The OAIC provided comments about an ICANN study of Whois privacy and proxy service abuse in November 2013. The comments are available on the OAIC website at www.oaic.gov.au/news-and-events/submissions/privacy-submissions/icann-study-of-whois-privacy-and-proxy-service-abuse.
GPO Box 5218 Sydney NSW 2001 • P +61 2 9284 9800 • F +61 2 9284 9666 • [email protected] • Enquiries 1300 363 992 • TTY 1800 620 241 • www.oaic.gov.au • ABN 85 249 230 937

Positive features of existing .au Whois arrangements

The current auDA Whois Policy for .au domain names and Registration Accreditation Criteria for .au domain registrars include several provisions which protect the personal privacy of .au domain registrants, including:

• excluding domain registrants' physical address and phone/facsimile number from publicly-available Whois information[2]
• requiring .au domain registrars to implement controls preventing automated access to and harvesting of registrant email addresses[3]
• prohibiting the use of Whois data to support an automated electronic query process or providing access to Whois data through any means other than individual queries to the Whois database[4]
• requiring domain registrars to opt in to the Privacy Act 1988 (Cth) (Privacy Act).[5]

The result of these provisions is that Whois arrangements for .au domains provide greater protection for the personal information of domain registrants than is the case with other domains (such as .com or .net). The OAIC's view is that these provisions should be retained to ensure that the privacy of .au domain registrants is not weakened through greater disclosure of personal information through the Whois database.

Another positive aspect of the current auDA Whois policy is its specific advice that .au domain registrants do not need to nominate their personal email address as a contact address when registering a domain - the implication being that registrants can nominate an email address created specifically for that purpose.[6] This complements the point made in the Issues Paper that .au domain registrants can use a generic contact name, such as 'The Manager' (pp 1-2).
The OAIC suggests auDA should consider ways to encourage .au domain registrars to communicate this message to domain registrants during the domain application process.

Opt-out arrangements for Whois information of individuals registering .au domains

The Issues Paper referenced the October 2013 auDA Whois and data openness workshop. In that workshop, the question was raised as to whether auDA should adopt an opt-out system for certain categories of personal information about individual .au domain registrants that are currently made publicly available through Whois.[7] The example of the United Kingdom was mentioned, where individuals registering a .uk domain can opt out from having their physical address details made publicly available through the Whois database.[8]

[2] auDA, 2010-06 - Whois Policy (Whois Policy), December 2010, paragraph 4.2, available at http://www.auda.org.au/policies/current-policies/2010-06/.
[3] Whois Policy, paragraph 4.3.
[4] Whois Policy, paragraph 5.1.
[5] auDA, 2013-04 - Registrar Accreditation Criteria, October 2013, paragraph 3.7, available at http://www.auda.org.au/policies/current-policies/2013-04/.
[6] Whois Policy, paragraph 4.3.
[7] auDA, auIGF Workshop: Whois and data openness in the .au domain space, available at http://youtu.be/KIAU052UgoO.

It was noted in the workshop that an Australian equivalent to this scheme would involve establishing an opt-out mechanism allowing individuals who register .id.au domains (which are intended for personal use by Australian citizens and residents) to opt out from having their address displayed on Whois. Registrants of .com.au and .net.au domains (which are intended for commercial entities) would not fall under such a scheme.

The OAIC supports the idea of providing individual domain registrants with greater control about how their personal information is made available through Whois.
However, the OAIC would also suggest that an opt-out model may not be the most effective way of protecting registrant privacy as the use of an opt-out mechanism to infer an individual's consent to use or disclose their personal information is only appropriate in limited circumstances.[9]

Whois arrangements for the Canadian .ca domain offer an alternative model that more effectively protects personal privacy. Unlike the opt-out procedure for .uk domain registrations, Whois records for individual .ca domains by default do not include the domain registrant's personal information.[10] This approach, as well as protecting more personal information than simply the domain registrant's address, ensures that privacy protection is an integral part of the domain registration process and avoids the difficulties inherent in the .uk approach with gaining implied consent via an opt-out mechanism.

Consequently, the OAIC recommends that auDA consider the Canadian approach of providing privacy for individual domain registrants as a default setting rather than the more limited UK opt-out model.

In considering the privacy of individual domain registrants, it is also relevant that it can sometimes be difficult to draw a clear distinction between personal information relating to sole traders' businesses and their personal lives. As such, the OAIC suggests that any new Whois privacy arrangements should also extend to sole traders who register .com.au or .net.au domains.

Risk of inaccurate personal information in Whois records

The Issues Paper notes 'anecdotal evidence' that the disclosure of domain registrants' physical address and telephone/facsimile numbers in other domain namespaces via Whois has led to registrants providing false information when registering domains (p 1). This leads to the conclusion that increasing the amount of information disclosed about .au domain registrants via Whois may result in registrants providing false or inaccurate personal information.

[8] Nominet, 'Opt out', www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/optout.
[9] Advice about opt-out mechanisms and factors that allow organisations to assess whether an opt-out mechanism has established an individual's implied consent is available in the draft Australian Privacy Principles Guidelines, available at www.oaic.gov.au (see Chapter B - Key Concepts, paragraph 8.27). These guidelines provide advice about the Australian Privacy Principles that will apply under the Privacy Act from 12 March 2014.
[10] Canadian Internet Registration Authority (CIRA), Whois Backgrounder, http://www.cira.ca/utilitypages/WHOIS-Backgrounder/.

The OAIC notes the results of the Study of Whois Privacy and Proxy Abuse (the Study) undertaken on behalf of ICANN, a draft of which was released for consultation in September 2013.[11] The Study's conclusions included the observation that a large number of publicly-available Whois entries for registered domains contained inaccurate information, even where those domains were apparently registered 'for entirely lawful Internet activities'.[12]

As the OAIC noted in its comments to ICANN about the Study, results from the OAIC's 2013 Community Attitudes to Privacy Survey (the Survey)[13] suggest that providing false information is a common tactic when individuals are concerned about the amount of personal information they must disclose in order to access a particular website or service. Results from the Survey suggest that sections of the Australian community actively take steps to avoid providing personal information to government agencies and private sector organisations because of privacy concerns. Thirty-two per cent of respondents to the Survey reported having provided false details to an agency or organisation to protect their privacy, while thirty per cent reported having provided a false name.[14]
Similarly, the Australian Communications and Media Authority's 2013 Digital Footprints and Identities attitudinal research report found that 47.7 per cent of respondents were willing to give inaccurate personal information in cases where they 'wanted to access a particular site, service or application but found the information required to register to be excessive'.[15]

Consequently, if more information about .au domain registrants becomes publicly available through Whois, the above research suggests an increasing likelihood that domain registrants may provide false personal information during the registration process. The OAIC would expect this to be more likely to occur if more personal information about .au domain registrants became available through Whois without the introduction of additional controls to protect personal privacy.

[11] National Physical Laboratory, A Study of Whois Privacy and Proxy Service Abuse (draft report), September 2013, p 58, available at http://gnso.icann.org/en/issues/whois/pp-abuse-study-20sep13-en.pdf.
[12] The Study, p 58.
[13] OAIC, Community Attitudes to Privacy Survey Research Report 2013, October 2013, available at www.oaic.gov.au/privacy/privacy-resources/privacy-reports/oaic-community-attitudes-to-privacy-survey-research-report-2013. The Survey is a longitudinal study into Australian public awareness of, and concern about, privacy.
[14] The Survey, pp 29-31.

Question 2: should access to .au domain name data (other than via WHOIS) be opened up?

The Issues Paper asked:

• should there be restrictions on the purpose for which registry information can be requested and/or used (e.g. only in relation to legal proceedings)?
• should there be a fee for different levels of access to registry information, or for different types of request (e.g. commercial versus non-commercial, government versus non-government)?
• what are the privacy implications/rights for .au registrants?

[15] Australian Communications and Media Authority, Digital Footprints and Identities attitudinal research report, November 2013, pp 16-18, available at www.acma.gov.au/theACMA/Library/researchacma/Digital-societyresearch/digital-footprints-long-report-landing.

The OAIC's view is that internet governance frameworks should allow appropriate bodies to access relevant domain registration information where needed for purposes such as law enforcement. Other moves to provide increased access to domain registration data could undermine the introduction of greater privacy protections for domain registrants such as those discussed above.

However, Whois arrangements in other domain namespaces suggest it is possible to both protect the privacy of individual domain registrants and provide mechanisms to address concerns about an inability to contact a domain registrant or to access information about a registered domain. For example, the Canadian .ca domain Whois arrangements mentioned above allow interested parties to send messages to the registrant of a particular domain without gaining access to their contact details,[16] as well as a dispute resolution process that provides for access to Whois records about individual .ca domain registrants in specified circumstances, such as copyright infringement or identity theft.[17] Similarly, it is possible to lodge a complaint that a .uk domain registrant has incorrectly opted out of Whois.[18]

The OAIC suggests that, if auDA does introduce increased privacy protection for individual domain registrants, practical measures such as these could help to address stakeholder concerns about a lack of access to domain registration data in cases where there is a legitimate reason to seek access.

Finally, I note the amendments to the Privacy Act that come into effect on 12 March 2014.
The amendments include a new set of Australian Privacy Principles (APPs) that will regulate how entities collect, use, disclose and store personal information. Further information is available in the OAIC's draft Australian Privacy Principle Guidelines, available at www.oaic.gov.au.

I trust that these comments are of use to auDA's Whois policy development process. If the OAIC can be of further assistance in relation to this matter please contact Tim de Sousa (Assistant Director - Regulation & Strategy) on 1300 363 992 or [email protected].

Yours sincerely

Australian Privacy Commissioner
3 February 2014

[16] CIRA, Interested Party Contact: Message Delivery Form, available at https://services.cira.ca/agree/mdf/index.action.
[17] CIRA, Request for Disclosure of Registrant information - Rules and Procedures Version 1.6 (July 4, 2013), available at http://www.cira.ca/assets/Documents/Legal/Registrants/disclosureregistrant.pdf.
[18] Nominet, Register a complaint about a domain name that is incorrectly opted out of Whois, available at https://secure.nominet.org.uk/account/whois-complaint.html.