IP: A letter on NSI's whois data sale

[Dave Farber <farber () cis upenn edu>]

http://www.epic.org/privacy/internet/ICANN_privacy.html

February 16, 2001

Representative Fred Upton
2333 Rayburn House Office Building
Washington, DC 20515

Representative Edward J. Markey
2108 Rayburn House Office Building
Washington, DC 20515

Senator Conrad Burns
187 Dirksen Senate Office Building
Washington, DC 20510

Senator Fritz Hollings
125 Russell Senate Office Building
Washington, DC 20510

Dear Congressmen,

We are writing to you on behalf of the Electronic Privacy
Information Center (EPIC) to bring your attention to a privacy issue
of importance to Internet users around the world, and of particular
concern to users in the United States who register domain names.
According to a report in The Wall Street Journal today, Network
Solutions, Inc., the largest domain registration company in the
country, is now selling information on 6 million Internet customers
to direct marketers. The information was obtained by Network
Solutions, Inc. for the purpose of registration and is not unlike
motor vehicle information for which Congress has passed important
privacy legislation, The Drivers Privacy Protection Act of 1994,
that was recently upheld by the United States Supreme Court in Reno
v. Condon, 528 U.S. 141.

We are writing to you to urge you to examine whether this sale is
currently permissible and if so, whether it is therefore necessary
to adopt new legislation to safeguard the information that is
provided by Internet users and companies as a condition of
registering a domain name. We believe that the sale violates well
established principles of U.S. law as well as international privacy
standards, including privacy rules specifically developed to address
concerns related to privacy in the context of domain name
registration.

Thus far privacy has received only passing attention during the
discussion of ICANN's authority. The Subcommittee on Communications
recently held hearings on the Internet Corporation for Assigned
Names and Numbers, otherwise known as ICANN. ICANN is the central
authority for all Internet users worldwide that wish to register a
domain name. As mentioned during the recent hearings held by your
Subcommittee, part of ICANN's responsibility is to protect the
privacy of its domain name registrants. Also mentioned during the
hearings was the low level of privacy protection offered for this
personal information. As you pursue further work on ICANN, we urge
you to focus on the much-needed privacy protections for this
personal information.

A domain name is virtually required for any individual or
organization that wishes to establish a website. Only once an
individual or organization obtains a domain name can one participate
fully in the Internet that has been recognized by federal courts as
"the most participatory form of mass speech yet developed," Reno v.
ACLU, 929 F. Supp. 824, 883 (E.D. Pa. 1996) aff'd 521 U.S. 844
(1997). However, before one can participate in this medium, domain
name registrants are required to provide personal information for
the purpose of billing and other technical reasons. The types of
information required for registration include name, mailing address,
email address, and telephone number.

There are three major privacy issues that must be addressed when
considering the treatment of this information. The first is how the
registrar, the company that processes the registration of a domain
name, is permitted to use the information in its possession. The
most direct guidance for the level of privacy protection a registrar
must provide is the ICANN Registrar Accreditation Agreement (RAA)
(http://www.icann.org/nsi/icann-raa-04nov99.htm). The RAA was
approved by the ICANN Board of Directors in November 1999. At that
time, Network Solutions, Inc. was the only registrar that could
process domain name registrations for .com, .net, and .org, by far
the most popular top-level domains (TLDs) in which individuals and
organization were registering domain names.

Part of the RAA specifically allows registrars to sell bulk access
to their databases of domain name registrants for a fee (see RAA
II.F.6). Further, registrars that choose to sell bulk access to
their databases are only restricted to the extent that the
third-party recipient of the data does not use registrant data to
send unsolicited commercial email (also known as spam) and that they
may establish an opt-out for registrants if they so wish. In
addition, ICANN has sought to restrict the ability of registrars to
establish a higher level of privacy protection on their own, see
ICANN's Amicus Curiae Memorandum, Register.com, Inc. v. Verio Inc.,
(http://www.icann.org/registrars/register.com-verio/amicus-22sep00.htm).

Such a permissive policy with respect to registrant data has led to
attempts by registrars to aggressively market the personal data of
domain name registrants. For example, the dotcom.com website, owned
by VeriSign and its subsidiary Network Solutions Inc., displays the
following message on its "Data Services" webpage at
http://www.dotcom.com/services/:

        Winning With Data From Network Solutions

        Ready to win the Internet marketing game? Take your marketing
        program to the next level with Data Services from
        Verisign/Network Solutions. No other source offers the reach
        and depth of data when targeting companies who are doing
        business on the Internet.

        Taking advantage of our position as a market leader, we have
        organized our pool of over 15 million registered domain names
        into a customer database of over 5 million unique customers.
        Our data service offers access to the key decision-makers
        behind millions of leading Web businesses.

        We also track the progress of sites through key stages in the
        dotcom lifecycle, including live or not-live sites, e-commerce
        status, membership features and more. Want to target only
        small businesses with live sites? Nobody offers a better
        snapshot of this hard-to-reach group than we do. After all,
        over 80 percent of our customers are small businesses,
        representing every major small business category you could
        hope to reach.

        For ISPs and other service providers, meanwhile, we offer
        extensive data on registered businesses' site switching
        behavior and hosting arrangements. ISPs and Web hosting firms
        can use this data to target customers when they're most likely
        to be ready for new opportunities.

        To learn more about this unique service, just fill out the
        form below, and we'll follow up shortly. If you'd prefer, you
        may also get in touch via phone at (866) 293-5710.

The second privacy issue is how a registrar chooses to enter or make
available such information in the Whois database. The Whois database
is a publicly accessible database that allows any individual to look
up information about a holder of a domain name. (You may want to
examine the information available at www.allwhois.com or
www.betterwhois.com). For good reasons related to the technical and
security considerations of maintaining websites and domains, it is
necessary to make such information publicly available. Making such
contact information available has been the practice of the domain
name process for many years and is well-accepted by the many in the
Internet community.

However, over the past few years, as the Internet has grown in
enormous popularity, non-technically inclined individuals and
families are registering domain names for personal use. Similarly,
many entrepreneurs are taking advantage of the Internet to launch
their businesses and may be operating out of their own homes. But,
in both these cases, many people who register domain names are
unaware that their home address and phone number will immediately
become available to any Internet user in the world.

A third issue closely tied to the privacy concerns outlined above,
but with First Amendment implications, is that the current level of
privacy protections essentially eliminates the ability of Internet
users to anonymously register domain names. Anonymous publication of
information is well recognized in U.S. case law. In McIntyre v. Ohio
Elections Commission, the U.S. Supreme Court stated that:

        Anonymity is a shield from the tyranny of the majority. It
        thus exemplifies the purpose behind the Bill of Rights, and of
        the First Amendment in particular: to protect unpopular
        individuals from retaliation; and their ideas from
        suppression; at the hand of an intolerant society. 514 U.S.
        334, 357 (1995).

In short, a First Amendment right to anonymous publication is
currently invalidated by the procedures adopted by ICANN, which some
have argued is a government actor, with respect to domain name
registration and the Whois database.

We urge the Subcommittee on Communications to closely examine these
issues and consider them during future hearings on ICANN. In these
upcoming hearings, we urge the members of the Subcommittee to
explore how:

(1) How well ICANN and ICANN-accredited registrars seek to limit the
amount and types of information collected about domain name
registrants and/or made available through the Whois database.

(2) Efforts are made to educate domain name registrants about the
existence and purpose of the Whois database.

(3) ICANN and ICANN-accredited registrars can and should raise the
level of privacy protection offered domain name registrants.

(4) ICANN and ICANN-accredited registrars can and should prevent the
sale of personal data collected from domain name registrants.

(5) Ways in which ICANN and ICANN-accredited registrars can enable
anonymous registration of domain names.

(6) Whether ICANN, as a body with international reach, complies with
data protection laws around the world that seek to protect personal
information.

(7) Whether legislation is necessary to safeguard the privacy
interests of Americans who register an Internet domain name.

Privacy protection is critical to establish trust and confidence in
network services. We believe that the recent decision by Network
Solutions to sell data on Internet users provided simply for the
purpose of domain name registration poses a substantial risk to the
future growth of the Internet. We urge you to pursue this issue.

Sincerely yours,

/s/

Marc Rotenberg
Executive Director
EPIC

/s/

Andrew Shen
Policy Analyst
EPIC



For archives see: http://www.interesting-people.org/