.nz WHOIS Review - Options proposal for withholding registrant contact information in the .nz WHOIS

This consultation closed at 11am, Tuesday 8 November 2016.

Earlier this year, we ran a third public consultation as part of our .nz WHOIS review. We were pleased by the response, with members of the community giving a range of feedback about the introduction of a proposed WHOIS privacy option.

REMINDER:

  • The WHOIS is the publicly available search service that lets people find information about a domain name (or names) listed in the .nz register. Using the WHOIS is commonly known as a ‘domain name search’.

  • Under .nz policies, certain information must be supplied when a .nz domain name is registered. This includes registrant name and contact details, admin name and contact details, and technical name and contact details. 

  • All of this information is currently made publicly available when a WHOIS search is done on a .nz domain name.

Thank you to everyone who participated in the third (and previous) public consultation round. The WHOIS is a critical part of the .nz domain name space and it’s encouraging to see people engaging in the process. It’s the expression of just such a range of views which is helping us as we work through our review.

As a result of recent submissions, feedback and meetings with some submitters, we’ve since been thinking through a number of other options for withholding and protecting information for individual registrants in the WHOIS. These options and our analysis is outlined in the background document.

The consultation paper is also available as a pdf and you can read more in the FAQs.

This paper contains a new proposal from that put forward in our third consultation and we’d like you to comment on our current thinking for protecting the personal information of individual registrants.

Throughout our review, we’ve been focussing our analysis and thinking on the requirement to balance the need for greater registrant privacy with the accountabilities that individual registrants have regarding their .nz domain name. That accountability extends to registrants still being able to be identified and contacted.

In this, our fourth public consultation, we’re proposing two options for what contact information might be withheld for individual registrants in the WHOIS and what information might still be publicly visible.

We want to change the process so that any registrant who self-identifies as an individual can have certain personal information withheld – e.g. their contact address and phone number.

The options we’re proposing and want your feedback on are:

  • Option 1 – to only display individual registrants’ name and email address.
  • Option 2 – to only display individual registrants’ name, email address and geography e.g. city/region/country, or just country.

With both options, all contact address and telephone number information (including for Admin and Technical contact) would be withheld from publication.

This would happen automatically once a registrant has declared they’re an individual. We would work with .nz registrars on how individuals could make that declaration in as easy a way as possible – likely just involving a simple tick box.

With both options, the same WHOIS information would be disclosed for organisations as it is now.

As with all .nz policies, whichever option we end up implementing would be regularly reviewed to ensure it’s working as intended and meets the needs of all those involved in the .nz domain name space – registrants, registrars and the wider Internet community. We also plan to increase awareness among the Internet community – especially registrants – about the WHOIS and how it operates. 

 

Options rationale summary:

We’ve settled on the two proposed options after carefully considering all feedback received over the course of our previous consultations, public meetings and one-on-one meetings with those with a strong interest in various aspects of the WHOIS.

It’s clear that for reasons of privacy and personal safety the status quo of having all contact information for individual registrants publicly displayed without exception is no longer appropriate.

In other words, to help reduce the potential for harm, we don’t think the WHOIS needs to disclose all contact information for an individual registrant. What we’re proposing is that any individual can have the majority of their details withheld.

However, individual registrants do need to be accountable for the registration and use of their .nz domain name, and so it’s still appropriate for some information to be displayed, enabling registrants to be identified and contacted.

An outline of why registrant accountability is important can be found in the ‘Public Good’ section of the background document. The background document also explains why some options suggested by submitters in the third consultation have been ruled out and sets out how we settled on the two options now being proposed.

PLEASE LET US KNOW…

Which of the two options proposed for withholding WHOIS information do you prefer and why?

If you prefer neither option, what other solution do you think would balance individual registrants’ WHOIS privacy with their accountabilities as .nz domain name holders?

 

Release of information:

Going by the experience of regulators in other jurisdictions, it’s clear we’ll get requests for access to withheld information. So for any option implemented where WHOIS information is withheld there would need to be a fair and appropriate process for responding to requests for releasing information.

In all situations, for example, we would need to release information when compelled by law. With the two options proposed this would be the withheld contact address and phone information.

Release of withheld information would, where possible, involve the registrant being notified and release would be carried out based on set criteria consistent with the Privacy Act – notably Principle 11 dealing with limits on the disclosure of personal information.

This may include entering into formal agreements with some organisations – again, with strict and defined criteria, and we would look to the Privacy Commission to help us in developing and monitoring processes around any release of information.

Whatever form the process for release of information takes, we propose implementing transparency reporting. These reports would include the number of times we’re asked to release withheld information, who is making requests (i.e. law enforcement or legal practitioner), and how many times requests are approved or denied.

PLEASE LET US KNOW…

Under what circumstances, and to whom do you think it would be appropriate to release withheld WHOIS information?

What process do you think would work best in releasing withheld WHOIS information?

If an individual registrant has an issue with the release of their withheld WHOIS  information, or does not respond to a notification, what should happen?

 

Make a submission:

We’re interested in your comments on the two proposed options and what process should be put in place for release of withheld WHOIS information.

We’re also open to your comments on any other solution that you think offers a better solution in balancing individual registrants’ privacy with their accountabilities as the holder of a .nz domain name. 

To make a submission you should first read through the background document and list of FAQs, which contain more information. Please let us know if there’s anything you’re not clear on - info@dnc.org.nz.

Submissions closed at 11am, Tuesday 8 November 2016.

We publish all submissions on our website as we receive them. 

 

 

Background document - .nz WHOIS review

Summary of review to-date

Our WHOIS review is an important and wide-ranging piece of work that’s been going on since October 2015. It will continue into the first half of 2017.

So far, we've run three public consultations and have received a good level of feedback about what information should (or should not) be displayed in response to a WHOIS search.  

We launched our first consultation in October 2015 – asking for comment on why WHOIS data should be collected and made public. We launched our second consultation in November 2015 and held public meetings asking for comment on ‘what’ information should be displayed and ‘how’.

All up, we received 53 submissions over the first two consultations, with a mixed range of views from individuals, registrars, businesses and government agencies.  

It became clear to us at that time that the status quo of having all information publicly displayed without exception was no longer appropriate. But, whatever its final shape, any WHOIS information displayed needs to balance the right to privacy of individual registrants with their accountabilities as holders of .nz domain names.

We therefore designed a proposed privacy option that would have allowed individual registrants to withhold their details in certain circumstances. That privacy option was put to the community in a third consultation in May 2016.

There was a higher level of interest in the third consultation, with strong and sustained feedback given concerning the proposed privacy option and how it would work. Following this feedback and one-on-one meetings with a number of submitters we focussed our review on other options for withholding and protecting registrant information in the WHOIS that were raised in submissions.

A summary of the options and how we went about considering these can be found below. A key consideration throughout has been how well various options met the registrant accountability requirement, while also working to safeguard and improve the privacy of individual registrants.

Options considered

As noted above, we’ve received a large number and range of submissions throughout our WHOIS review. Reviewing all submissions, we identified the following options for withholding/displaying information in the WHOIS.

  1. Proposed process to allow registrants to request their details be withheld
  2. All information automatically private
  3. Registrant name and email only automatically
  4. Registrant name and email by opt-out
  5. Registrant name and email only automatically with registrants able to opt in for other contact details to be displayed
  6. Registrant name only displayed
  7. Registrant email only displayed
  8. Registrant name and city/country only displayed
  9. Technical contact details only displayed
  10. Status Quo

As already noted, the status quo of having all contact information displayed without exception was not considered a suitable option for the future and so wasn’t evaluated any further.

At its June 2016 meeting the DNCL Board agreed NZRS should continue to collect registrant data. This had been supported by many of the submissions over the three public consultations. The Board also agreed they didn’t see a situation where no registrant information at all is displayed.

Our challenge is to achieve a process that makes it easy for individuals to have their information withheld if they’re concerned about their online privacy, but which also preserves the integrity of the register and ensures, for example, that WHOIS data can be used to discover the operators behind domains behaving badly.

There are a number of ‘public good’ reasons for registrant information to be displayed, as outlined in the following section. In line with this, and reflecting the Board’s decision, the option that all information is automatically private, and that of only the technical contact details being displayed, weren’t considered workable.

It’s acknowledged that any change to the current WHOIS will have an impact on registrants, registrars, the Local Internet Community, the registry and DNCL. So as well as analysing the advantages and disadvantages of the identified options, the impact on each of these stakeholders was considered.

Some registrars, for example, expressed concern about the possible level of change they would have to make to their systems, especially if those changes were unique to the .nz situation.  Although we have no hesitation in imposing appropriate requirements on registrars, we don’t consider it reasonable to expect registrars to amend their current registration processes solely for .nz domain names where there’s not a clear benefit to the market.

We also felt that if too much individualisation of registrars’ systems was necessary to enable them to manage .nz domain names this may lead to some registrars exiting the market, which could have a negative effect on provider choice.  For this reason, the option of allowing registrants to pick what contact information they wanted displayed was discounted – although it may be considered in future as technology develops.

Evaluation of publishing different registration information

As part of our review, we’ve been considering all options that strike an appropriate balance between privacy and accountability.

For accountability, this can be separated into two different areas – being identifiable and being contactable. The question we considered is whether it’s enough for one of these two to be present or if true accountability requires both aspects.

The following information is, and will continue to be, collected by registrars and held by the registry:

  • Registrant name
  • Registrant contact address
  • Registrant contact phone
  • Registrant contact email

(note that we will no longer collect registrant contact fax details)

Registrant name

The registrant name allows the registrant to be identified but does not by itself enable the registrant to be contacted. Though privacy of the registrant is reduced by their name being displayed, it makes them more accountable as they are identifiable. 

The degree to which the privacy of the registrant is reduced depends on what other information is displayed alongside the name.  For example, name and an email address has less impact on privacy than name and a contact address does.

Identification of the registrant is significant to a number of people, for example those involved in investigations and those enforcing intellectual property rights.  Even a false name in a record can be an investigative aid in certain circumstances.  Use of the WHOIS to enforce a right is a valid use of the information and the lack of a registrant name may mean some rights are unable to be enforced appropriately.

Within the .nz policy framework, we have a Dispute Resolution Service (DRS) that requires the complainant to demonstrate that the registration in the hands of the respondent is unfair.  This could be difficult to do without identifying the individual.  There’s also provision in the DRS for complainants to show a pattern of similar unfair registrations by the registrant, but if the identity of the registrant is unknown this will be impossible to do.  Not displaying the registrant name therefore creates potential, and quite real, conflict with other .nz policy.

Registrant contact address

Contact address has the most impact on a registrant’s privacy. It’s also the area that everyone we spoke with acknowledged was their main concern around personal safety. It’s not cheap or simple to change a contact address and not every individual registrant has access to an alternative address they can use aside from their residential one.

If any registrant information is to be withheld, we think that should include the registrant contact address. We are considering whether there is value in a city or country being displayed. Many spoken with felt that wouldn’t make much of a difference and they would rather have a name and email address for contact only. It’s noted that including the city along with the registrant name makes the registrant more identifiable and this has an impact on privacy. However a country or city identifier would allow members of the community to identify if a particular website is registered to someone located in New Zealand or overseas, which could help them judge its reliability.

Registrant phone

Access to phone information was the form of contact where views were the most divided.  A few in the IT and security area used registrant phone numbers to contact people about vulnerabilities where time was of the essence.  The majority of people spoken to said they never used phone number information and it wasn’t a priority to them. 

People usually can’t be readily identified by their phone number, unless the person has the details in their own directory and it appears on caller ID. It’s also possible for a person to decline to answer a call.  One person, who was speaking from the perspective of a vulnerable person, commented that hearing a particular voice could be distressing and they wished both address and phone number to be withheld. 

Given there is a potential for harm, and the apparent low level of use of the phone information, it’s considered that the withheld information could include the registrant’s phone number.

Registrant email

Email was the registrant contact mechanism that most people commented should be displayed in the WHOIS.  Email addresses can be obtained freely and with control over the appearance of the email address so as to make identification of the registrant easy or hard.  This means that the privacy registrants can get from an email address, if they choose to do so, can be high.  However, it does also mean that at times it can be difficult to identify the registrant through their email address.

With email, the ability to make contact is relatively high and there are alerts when delivery of an email has not been successful.  Nevertheless, of all the contact information that can be provided, the email address is considered the best option for balancing benefit of contact over possible harms. 

Evaluation summary

In summary, when it comes to withholding registrant information, we considered that it should be the contact address and phone and possibly a geographic indicator of the country, region or city a registrant lives in. The registrant name and email address still being displayed allows the registrant to be identified and contacted – and therefore accountable. 

Following internal discussion and analysis, it was felt that registrants should not have to go through an application process for protection (as previously proposed). Rather, protections should be automatic on declaration that a registrant is an individual. It was therefore decided not to proceed with the proposal raised in the third consultation. Therefore, the two ‘name and email’ options now being proposed are enough to satisfy the accountability requirements while also balancing privacy.

The two options now being proposed are consistent with InternetNZ’s TLD Principle 5 which states that registrant data should be public with the intended core requirement that a registrant is contactable. That is, the purpose of a public and free register lookup service like the WHOIS is ‘so that members of the public can contact a registrant or their registrar for technical, operation or other reasons’. 

InternetNZ’s principle goes on to state, ‘Registrants must use their own name or that of another legal entity for domain name registrations, and must include contact details through which they can be reached’.  Given this text is under the title of ‘Registrant data should be public’ then it’s interpreted that the name, together with contact details, is what is intended to be public under this principle.

The one area where there wasn’t a clear preference among submitters was around registrant geographic information being displayed.  This could be either the country only or the city/region and country.  This is why two options are being proposed in this consultation.

Which registrants would our proposed options apply to and how?

Any change to allow registrant contact information to be withheld from publication would only apply to individual registrants. .nz registrants must be properly constituted organisations or individuals and, given those organisations already have their information displayed on public registers, there’s no reason to extend any privacy provision to them.

Under our proposed options, individual registrants would be given an opportunity to identity as an individual wanting to make use of the privacy provisions. Should an individual registrant want all their contact information displayed, they wouldn’t make this declaration.

 

Public good in displaying identifying information

Having some identifying information for individual registrants in the WHOIS is useful from a public good perspective. This is because:

  • It acts as a self-check tool for registrants

Registrants can use identifying information in the WHOIS to check registration details against their domain name. This is important as domain names are, at times, registered not by individual registrants but on their behalf by a third party such as a website developer. In some cases, the third party may register using their own contact name – raising issues of which person rightfully ‘holds’ the domain name.

  • It helps inform the public about who they’re dealing with online

Registrants can use identifying information in the WHOIS to see who’s behind a domain name and verify the trustworthiness of what might be a dubious website or email address being used to send spam.

Having some contact information in the WHOIS also means the community can self-warn against registrants with a history of bad online behavior. Also, if a website is hacked, identifying information can be used to inform the registrant that their interests are being compromised. There’s benefit in being able to identify domain name contacts promptly, especially when harm is occurring.

  • It helps to keep registrants accountable

Having identifying information in the WHOIS helps induce positive behaviour around the registration and use of .nz domain names and reduces the likelihood of large numbers of .nz domain name being used to attack, harass, scam or rip-off others.

The unfortunate reality is that there are some who would maliciously take advantage of a WHOIS with blanket privacy. The presence of some contact information (e.g. name and email address-only) would help keep registrants honest and accountable.

  • It enables rights to be enforced

The WHOIS is a valid and valuable tool for a wide range of agencies and bodies who have protection and legal rights to enforce – for example the DIA’s Anti Spam Unit, the Commerce Commission and intellectual property organisations.

Identifying information in the WHOIS also acts as a valuable aid for registrants when issues of ‘rights’ to a domain name arise and disputes are taken through the .nz Dispute Resolution Service. Information in the WHOIS is often a registrants’ very first step in establishing who has registered a domain name they believe is rightfully theirs.   

How we protect information in the .nz WHOIS

Over the course of our WHOIS review, some submitters have raised the issue of public availability of individual registrants’ email address – for reasons relating to the harvesting of addresses for spam.

The .nz registry takes active steps to protect information contained in the register. This includes rate limiting the number of WHOIS searches that can be done at any one time, monitoring transactions and prohibiting wildcard searches.

The registry also takes steps to avoid data mining; copies of the .nz zone file are not publicly available; and there’s an extremely high threshold to be met on the rare occasion the zone file is applied for and released.

 

With our WHOIS review, the important thing is that we get as much feedback from the local Internet community as possible. We’re interested in hearing your thoughts on the two options proposed, as well as what a fair and appropriate process for disclosure of withheld information might look like. In this way, ultimately, we’ll be able to shape a final policy for the WHOIS that best meets the needs of everybody involved in the .nz domain name space – including existing registrants, prospective registrants, registrars and everyday users of the Internet.

 

Submissions:

Garth Bray html

Television New Zealand Limited pdf

New Zealand Institute of Patent Attorneys pdf

Jo Mill html

New Zealand Bankers' Association html

Baldwins Intellectual Property pdf

Richard Clark html

Michael Fincham html

Ewen McNeill html

International Trademark Association html

Andrew Gall html

Library and Information Association of New Zealand Aotearoa pdf

Mark Foster html

Don Hollander html

Martin Kealey html

Alastair Galloway html

Nathan Torkington html

Jonathan Brewer html

Matthew Brown html

Malcolm Hunt html

Vik Olliver html

Mike Forbes html

Gary Jensen html

Sean OConnor (amended 4.10pm, 28 September 2016) html