Security threats Toolkit

Whois database 'contributes to identity theft'

Tags:
Id Theft,
Internet Privacy,
Whois,
Icann

Munir Kotadia ZDNet.co.uk

Published: 06 Nov 2003 13:00 GMT

Whois, an online database that contains personal information about Internet domain name holders, is a major contributor to identity theft and defies advice from the Federal Trade Commission (FTC), according to a group of civil liberties organisations.

When an Internet domain is registered, the details of the owner are entered into the Whois database and published by the Internet Corporation for Assigned Names and Numbers (ICANN). This procedure was designed to ensure that when technical difficulties or incompatibilities arose, it was relatively easy to contact the owner of the domain. However, the database has now grown beyond all expectations and is open for exploitation, privacy groups argue.

More than 50 organisations from around the world signed a letter to Paul Twomey, chief executive of ICANN, asking for better protection of the personal details stored on the Whois database. The letter was originally made public in late October.

"Whois data should not be available to just anyone who happens to have access to the Internet. It is well known that broad access to personal information online contributes to fraud such as identity theft," the letter said. It cited advice from the FTC that warns consumers to protect themselves from identity theft by not disclosing personally identifiable information. "The mandatory publication of Whois data is contrary to the FTC's advice," the letter said.

Additionally, the letter said that people should be allowed to register domain names anonymously in order to protect freedom of speech and expression. "There are political, cultural, religious groups, media organisations, non-profit and public interest groups around the world that rely on anonymous access to the Internet to publish their messages. Anonymity may be critical to them in order to avoid persecution," it said.

The letter has been signed by organisations from 21 countries including the American Library Association, the UK's Foundation for Information Policy Research, the Consumer Federation of America, the Australian Privacy Foundation and the Fédération Informatique et Libertés in France.

ICANN is a non-profit organisation set up in 1998 to centrally manage Internet domain names, IP addresses and other technical matters.

The coalition's effort comes as ICANN tries to decide how to balance domain name owners' privacy with accountability -- a priority of law enforcement agencies and trademark owners who are seeking to unmask suspected infringers. In September, the Bush administration ordered ICANN to improve the "accuracy of Whois data".

That should not come at the expense of privacy and anonymity, the draft letter argues: "The Whois database was originally intended to allow network administrators to find and fix problems to maintain the stability of the Internet... Anyone with Internet access can now have access to Whois data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers. The original purpose for Whois should be reestablished."

In a 18 September announcement, ICANN's Twomey noted that the group, which oversees domain name governance, already had convened a Whois workshop in June in an attempt to "advance work on Whois in a coordinated and cooperative manner". At its meeting this week in Carthage, Tunisia, ICANN is scheduled to assemble on Wednesday to discuss "address accuracy and privacy issues, including data collection and verification measures, complaint procedures and investigatory methods for false information".

Another factor ICANN may consider is whether the current Whois practice runs afoul of privacy laws. A June 2003 report from a European Commission working group said data protection rules -- outlined in the European Data Protection Directive -- cover the Whois directory.

The report does not go as far as Laurant and the privacy advocates at EPIC, who argue that anonymous domain purchases should be allowed. But it does say that only the domain name registrar needs to know the identity of someone who's buying a domain for individual use: "There is no legal ground justifying the mandatory publication of personal data referring to this person."

ICANN's formal agreement with domain name registrars says customers must provide "accurate and reliable contact details and promptly correct and update them during the term of the... registration" or risk losing their domain.

Some registrars such as Go Daddy Software offer "private registrations" that cloak customers' home addresses and phone numbers for an additional fee of about £6 a year per domain name.

CNET News.com's Declan McCullagh contributed to this report.