A Letter on NSI's Whois Data Sale
February 16, 2001
Representative Fred Upton
2333 Rayburn House Office Building
Washington, DC 20515
Representative Edward J. Markey
2108 Rayburn House Office Building
Washington, DC 20515
Senator Conrad Burns
187 Dirksen Senate Office Building
Washington, DC 20510
Senator Fritz Hollings
125 Russell Senate Office Building
Washington, DC 20510
We are writing to you on behalf of the Electronic Privacy Information Center (EPIC) to bring your attention to a privacy issue of importance to Internet users around the world, and of particular concern to users in the United States who register domain names.
According to a report in The Wall Street Journal today, Network Solutions, Inc., the largest domain registration company in the country, is now selling information on 6 million Internet customers to direct marketers. The information was obtained by Network Solutions, Inc. for the purpose of registration and is not unlike motor vehicle information for which Congress has passed important privacy legislation, The Drivers Privacy Protection Act of 1994, that was recently upheld by the United States Supreme Court in Reno v. Condon, 528 U.S. 141.
We are writing to you to urge you to examine whether this sale is currently permissible and if so, whether it is therefore necessary to adopt new legislation to safeguard the information that is provided by Internet users and companies as a condition of registering a domain name. We believe that the sale violates well established principles of U.S. law as well as international privacy standards, including privacy rules specifically developed to address concerns related to privacy in the context of domain name registration.
Thus far privacy has received only passing attention during the discussion of ICANN's authority. The Subcommittee on Communications recently held hearings on the Internet Corporation for Assigned Names and Numbers, otherwise known as ICANN. ICANN is the central authority for all Internet users worldwide that wish to register a domain name. As mentioned during the recent hearings held by your Subcommittee, part of ICANN's responsibility is to protect the privacy of its domain name registrants. Also mentioned during the hearings was the low level of privacy protection offered for this personal information. As you pursue further work on ICANN, we urge you to focus on the much-needed privacy protections for this personal information.
A domain name is virtually required for any individual or organization that wishes to establish a website. Only once an individual or organization obtains a domain name can one participate fully in the Internet that has been recognized by federal courts as "the most participatory form of mass speech yet developed," Reno v. ACLU, 929 F. Supp. 824, 883 (E.D. Pa. 1996) aff'd 521 U.S. 844 (1997). However, before one can participate in this medium, domain name registrants are required to provide personal information for the purpose of billing and other technical reasons. The types of information required for registration include name, mailing address,
email address, and telephone number.
There are three major privacy issues that must be addressed when considering the treatment of this information. The first is how the registrar, the company that processes the registration of a domain name, is permitted to use the information in its possession. The most direct guidance for the level of privacy protection a registrar must provide is the ICANN Registrar Accreditation Agreement (RAA)
(http://www.icann.org/nsi/icann-raa-04nov99.htm). The RAA was approved by the ICANN Board of Directors in November 1999. At that time, Network Solutions, Inc. was the only registrar that could process domain name registrations for .com, .net, and .org, by far the most popular top-level domains (TLDs) in which individuals and organization were registering domain names.
Part of the RAA specifically allows registrars to sell bulk access to their databases of domain name registrants for a fee (see RAA II.F.6). Further, registrars that choose to sell bulk access to their databases are only restricted to the extent that the third-party recipient of the data does not use registrant data to send unsolicited commercial email (also known as spam) and that they may establish an opt-out for registrants if they so wish. In addition, ICANN has sought to restrict the ability of registrars to establish a higher level of privacy protection on their own, see ICANN's Amicus Curiae Memorandum, Register.com, Inc. v. Verio Inc.,
Such a permissive policy with respect to registrant data has led to attempts by registrars to aggressively market the personal data of domain name registrants. For example, the dotcom.com website, owned by VeriSign and its subsidiary Network Solutions Inc., displays the following message on its "Data Services" webpage at
Winning With Data From Network Solutions
Ready to win the Internet marketing game? Take your marketing program to the next level with Data Services from Verisign/Network Solutions. No other source offers the reach and depth of data when targeting companies who are doing business on the Internet.
Taking advantage of our position as a market leader, we have organized our pool of over 15 million registered domain names into a customer database of over 5 million unique customers. Our data service offers access to the key decision-makers behind millions of leading Web businesses.
We also track the progress of sites through key stages in the dotcom lifecycle, including live or not-live sites, e-commerce status, membership features and more. Want to target only small businesses with live sites? Nobody offers a better snapshot of this hard-to-reach group than we do. After all, over 80 percent of our customers are small businesses, representing every major small business category you could hope to reach.
For ISPs and other service providers, meanwhile, we offer extensive data on registered businesses' site switching behavior and hosting arrangements. ISPs and Web hosting firms can use this data to target customers when they're most likely to be ready for new opportunities.
To learn more about this unique service, just fill out the form below, and we'll follow up shortly. If you'd prefer, you may also get in touch via phone at (866) 293-5710.
The second privacy issue is how a registrar chooses to enter or make available such information in the Whois database. The Whois database is a publicly accessible database that allows any individual to look up information about a holder of a domain name. (You may want to examine the information available at www.allwhois.com or www.betterwhois.com). For good reasons related to the technical and security considerations of maintaining websites and domains, it is necessary to make such information publicly available. Making such contact information available has been the practice of the domain name process for many years and is well-accepted by the many in the Internet community.
However, over the past few years, as the Internet has grown in enormous popularity, non-technically inclined individuals and families are registering domain names for personal use. Similarly, many entrepreneurs are taking advantage of the Internet to launch their businesses and may be operating out of their own homes. But, in both these cases, many people who register domain names are unaware that their home address and phone number will immediately become available to any Internet user in the world.
A third issue closely tied to the privacy concerns outlined above, but with First Amendment implications, is that the current level of privacy protections essentially eliminates the ability of Internet users to anonymously register domain names. Anonymous publication of information is well recognized in U.S. case law. In McIntyre v. Ohio
Elections Commission, the U.S. Supreme Court stated that:
Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation; and their ideas from suppression; at the hand of an intolerant society. 514 U.S. 334, 357 (1995).
In short, a First Amendment right to anonymous publication is currently invalidated by the procedures adopted by ICANN, which some have argued is a government actor, with respect to domain name registration and the Whois database.
We urge the Subcommittee on Communications to closely examine these issues and consider them during future hearings on ICANN. In these upcoming hearings, we urge the members of the Subcommittee to explore how:
(1) How well ICANN and ICANN-accredited registrars seek to limit the amount and types of information collected about domain name registrants and/or made available through the Whois database.
(2) Efforts are made to educate domain name registrants about the existence and purpose of the Whois database.
(3) ICANN and ICANN-accredited registrars can and should raise the level of privacy protection offered domain name registrants.
(4) ICANN and ICANN-accredited registrars can and should prevent the sale of personal data collected from domain name registrants.
(5) Ways in which ICANN and ICANN-accredited registrars can enable anonymous registration of domain names.
(6) Whether ICANN, as a body with international reach, complies with data protection laws around the world that seek to protect personal information.
(7) Whether legislation is necessary to safeguard the privacy interests of Americans who register an Internet domain name.
Privacy protection is critical to establish trust and confidence in network services. We believe that the recent decision by Network Solutions to sell data on Internet users provided simply for the purpose of domain name registration poses a substantial risk to the future growth of the Internet. We urge you to pursue this issue.