At a workshop held in late June in Montreal (Canada)—Karl Auerbach had submitted some live coverage to CircleID—, the Internet Corporation for Assigned Names and Numbers (ICANN) had an in-depth look at various aspects of the Internet’s WHOIS databases. These databases associate social information (like holders’ names and contact information) with network identifiers, such as IP addresses and domain names. Current policy for these databases—in particular in the generic top level domain area—is part of ICANN’s contracts with domain name retailers (“registrars”) and database operators (“registries”), and permits for use of the data by arbitrary parties for arbitrary purposes.

The week before the workshop, the EU’s article 29 working party had issued an opinion (pdf), focused on domain name WHOIS and individual registrants’ data. The working party identifies the WHOIS databases’ original purpose—finding contact points to solve operative network problems—as legitimate, but raises concerns about other purposes for which the database is being used today, e.g. private policing of copyrights. Concerning extended search services which would, e.g., permit to search for all domain names registered by a particular individual, the working party cites an earlier opinion which notes that “the processing of personal data in reverse directories or multi-criteria searching services without unambiguous and informed consent by the individual is unfair and unlawful.” The working party supports the WHOIS consensus policies which ICANN’s board had adopted in March.

In Montreal, this position was represented by the EU Commission’s Diana Alonso-Blas, who also said that the working party would be pleased to be involved with further discussion of the topic.

Others at the workshop gave insights into current WHOIS practice. Bruce Tonkin, CTO with Australian registrar Melbourne IT, and chairman of the GNSO Council, pointed to frauds and abuses in which WHOIS data give perpetrators information about the contractual relationships between registrars and domain name holders, and thereby make it easier for fraudsters to impersonate registrars. Statistics alone demonstrate that WHOIS isn’t just used for the occasional queries it was intended for: On a normal day, there are about 2 million queries from less than 140,000 source addresses.

Data users were represented by (among quite a few others) Jane Mutimear (Bird & Bird), the chair of the GNSO’s “Intellectual Property and Anticounterfeiting Interests Constituency”. She emphasized the importance of private policing of intellectual property rights and the contribution of WHOIS to these activities, and called for continued public access and the introduction of extended search services. Ms. Mutimear also elaborated on the use of WHOIS as a tool for managing domain name portfolios.

Things were wrapped up on two panels. Registrars acknowledged that they were in an uncomfortable situation, having contracts with ICANN which are apparently in conflict with applicable law. There was some hope that revising WHOIS policies could help, for instance by making different sets of data available to different tiers of data users. Intellectual Property and Law Enforcement representatives on the panels aggressively advocated continued easy and public access to the data, though. Safeguards for data subjects’ rights were by most of these panelists considered as nuisances which would hamper effective law enforcement in cyberspace. One observer was lead to diagnose widespread “Internet exceptionalism” among panelists.