Home / Blogs

New CIRA Whois Policy Strikes Balance Between Privacy and Access

My weekly technology law column (Toronto Star version, homepage version) focuses this week on the new CIRA whois policy that is scheduled to take effect on June 10, 2008. The whois issue has attracted little public attention, yet it has been the subject of heated debate within the domain name community for many years. It revolves around the whois database, a publicly accessible, searchable list of domain name registrant information (as in “who is” the registrant of a particular domain name).

When CIRA was first established, its whois policy permitted detailed disclosures about domain name registrants. A typical whois entry included the domain name itself, the name of the registrant, and comprehensive contact information including postal address, phone and fax numbers, as well as email addresses. The ready availability of such information proved useful to law enforcement, which often used whois information as part of cybercrime investigations. Similarly, the pursuit of intellectual property infringement claims, such as domain name cybersquatting cases, relied upon access to whois information to commence legal challenges to domain name registrations.

Notwithstanding these uses, CIRA recognized that its policy of publicly disclosing personal information was generating significant discomfort among many registrants. Citing privacy and spam concerns, many registrants preferred to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration would have access to the personal information). Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.

As privacy and data protection commissioners began to express reservations about the legality of requiring domain name registrants to disclosure their personal information, CIRA proposed a new policy in 2004. After two major public consultations, mounting opposition from law enforcement about its loss to “unfettered” access to WHOIS data, and years of operational delays, CIRA last week began informing registrants that the new policy will take effect on June 10, 2008.

Under the new policy, CIRA will continue to collect the same contact information from registrants as under its current policy. However, it will no longer require that such information be publicly available through its whois directory. In its place, CIRA will only require the public disclosure of limited technical information, though individual registrants may voluntarily “opt-in” to providing more personal information.

While the CIRA policy protects the privacy of individual registrants, corporate or organizational registrants will typically have their full information publicly disclosed. The policy recognizes that corporate information does not raise specific privacy concerns since corporate information does not constitute personally identifiable information. Moreover, consumers may often want to access corporate whois information when judging the reliability of a website. In order to ensure that domain name registrants can still be contacted, CIRA has also established a unique message delivery system. CIRA will allow the public to contact domain name registrants without access to their personal information by relaying the message through a web-based submission form.

The Canadian changes may be long overdue, however, they also instantly catapult the dot-ca into a global leadership position. With more than a million Canadian domain name registrations, the resolution of the whois issue ensures that the Canadian domain name space is set for continued growth as it now features a “privacy advantage” over other domains struggling to strike a similar compromise.

By Michael Geist, Chair of Internet and E-commerce Law

Filed Under


Jay Daley  –  May 9, 2008 1:19 PM

Credit where credit is due please Michael.  The policy being introduced by CIRA is very similar to the policy in place for .uk, which was introduced in 2002.  Our policy also makes the distinction between personal registrants and corporates/organisations, allowing the personal registrants to opt-out from having their details revealed.

The email contact system may well be unique but given the inventiveness of the many registries and their different ways of doing things I would not bet on it. 

So yes the CIRA step is a very important and well considered one that will deliver great benefit, but many other countries are doing similar clever things.  The big contrast is with the gTLD WHOIS debate where the various sides appear unshakeable in their opinions.

roderick whitney stillwell  –  May 10, 2008 10:13 AM

I spent considerable time last Fall trying to find just who CIRA board members consulted in making the decision to follow the UK in anonymizing dot ca domain registrations. Suffice it to say, responses by those involved in fighting cybercrime, spam, spamvertized sites and a litany of other net abuses expressed either skepticism or opposition the proposed revision.

I concluded that there must have been a deal of “cherry picking” in the consultation process.

I did find a consensus around a policy whereby registrants wishing to be anonymous could apply on an exception basis ... a process the bad guys would be feign to follow while still respecting that there are legitimate and verifiable reasons for some to merit privacy without prejudice.

The revised policy presents unnecessary obstruction to identifying, pursuing and mitigating criminal and other abusers while affording little or no demonstrable benefit to the public at large. The rationale is both specious and self-serving inasmuch as the appearance of security appeals to the naive and insulates the nefarious while serving to justify the institution of a bureaucracy under the aegis of CIRA.

Roderick Whitney Stillwell

go2ao  –  May 21, 2008 8:09 PM

This post from CIRA sycophant, Michael Geist, is unmitigated .CA-CA. The CIRA policy does NOT strike a balance between privacy and access, notwithstanding Canadian privacy rules, which are an excuse for CIRA to extend and reinforce its monopolization of the .CA name space.. Check instead the CIRA registration rules which are numerous and prolific. .CA domain names ultimately and only belong to CIRA, according to CIRA. The new CIRA disclosure policy would amount to anti-trust violation in the U.S. (for example) in that its actual purpose is to interfere with the existing marketplace for .CA domain names and, thus, perpetuate monopolization of the .CA name space by CIRA. When a .CA domain name changes ownership, this presents a legal dilemma for CIRA which requires that all registrants agree that they do not own the domain that they paid for in the first place. To my knowledge CIRA has not to date interfered with the market in the sense of forbidding a registrant to sell a domain. It if did, it would lose in any Canadian legal jurisdiction, which would be precedent setting that CIRA most assuredly does not want to happen. The REAL purpose of the policy is to prevent where possible .CA domain name ownership changes by a self-proclaimed “private” entity run by a bunch of monopolizers that do not now, nor have they ever had, “authority” to monopolize anything, let alone the .CA domain space. CIRA’s only original “authority” stems from a single letter from the Canadian government which allowed CIRA to manage the name space. For CIRA to claim that it is either (a) a private entity or (b) has “authority” to either monopolize the name space or interfere with the marketplace is as absurd as the post from lawyer Michael Geist. As it stands, the new policy DOES allow registrants to make public their information, if they choose. However, most registrants will not know about the opt-out provision. If CIRA wants to “protect” privacy in keeping with Canadian privacy legislation, all that is required for private registrants is a registration pseudonym and a working email address for every non-commercial domain name so that potential purchasers of .CA domain names can communicate with each other. Check back soon with CIRA which will more than likely decide to subsequently levy an additional tariff for so-called “private” registrations in the .CA name space.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix