WHOIS review update (July 2016)

Overview

Over the past few months DNCL has been consulting on a review of the .nz WHOIS service. Thanks to everyone who provided us with feedback.  We wanted to hear your views, and we are listening.

This update outlines where we’re currently at with our review. We want to keep all those interested in the review across where we’ve got to; what comes next; and our review process.

With this review, we’ve been working to get as much feedback from the local Internet community as possible. This has involved many discussions with stakeholders and other interested parties. We’ve also run three consultations to get feedback direct from the public and have been taking a close look at how other jurisdictions manage their WHOIS.

In early June, our third public consultation closed – proposing that a privacy process be introduced for the WHOIS.  We received 65 submissions.  It’s fantastic to see this level of engagement in respect of the .nz WHOIS policy. 

Feedback ranged from those saying no information should be made public, through to supporting the proposed privacy process; supporting the status quo and many options in between. The key learning for us from the third consultation was that there is a group of individuals who are concerned about potential harassment as a result of their contact details being publicly available.

Since the third consultation closed we’ve been carefully reading through and considering all the submissions. We’ve had some good discussions and are now looking at different options for withholding and protecting registrant information in the WHOIS.

This work will happen over the next couple of months and include detailed analyses of the impact of each option on registrants, registrars, the registry and the local Internet community.

Importantly, we’ll be putting together some recommendations for our 25 August 2016 Board meeting about what option/s for the WHOIS should be presented.  We know this is an issue that many in the Internet community feel passionately about, and believe the development of a new policy can benefit from allowing for as much input as possible from stakeholders.  So, we intend to issue a further public consultation document later this year. It’s clear to us that whatever option is chosen, the status quo of having all contact information publicly displayed by default isn’t a suitable option going forward, and that there should be a simple mechanism for individuals to avoid having all of their personal contact details exposed.

More information about the background to our WHOIS review, the process we’ve followed so far and the options we’re now considering can be found below.

----

Background

The ‘WHOIS’ is a search service that lets anyone find out who the holder of a .nz domain name (or names) is. When a search on a domain name is done, the WHOIS returns information including the registrant’s name, contact address and email.

.nz WHOIS information has been, and is, available publicly. Our WHOIS review is about deciding how much contact information (and in what circumstances) it’s still appropriate to have publicly displayed.

The review is an important piece of work because, while .nz registrants have a responsibility to be identifiable and contactable, there’s increasing awareness of the sanctity of privacy in today’s hyper-connected online world.  Recent surveys conducted for the Office of the Privacy Commissioner have highlighted that New Zealanders are concerned about the privacy of online information.

On one hand, it’s important that registrants are identifiable for reasons of accountability. Like many other tools in the online world, domain names are used and abused by those with malicious intentions. Bad actors, for example, do use domain names to attack, harass or scam other people.

Our experience is that, among other things, the community uses the current .nz WHOIS to identify the registrants of domain names that are being used inappropriately. Some benefit lies in anybody being able to see who’s behind a domain name and verify the trustworthiness of what might be a dubious .nz website or email address. The WHOIS is also a valid and valuable tool for those who have protection and legal rights to enforce and for increasing consumer confidence where online trade is involved.  Also, if a website is hacked, the WHOIS information can be used to inform the owner that their interests are being compromised.  There is benefit in being able to identify domain name contact details promptly, particularly where harm is occurring.

On the other hand, many people are concerned about the privacy implications of having their contact details publicly visible. For many people, their domain name is an important part of their personal online identity.  For example, there are some individuals who only have a domain name to establish a personalised email address and don’t use the domain name for other purposes.  And one of the most important reasons for wanting to withhold contact details is that it can help protect at-risk and vulnerable people from harassment or worse. We understand that position and have been hearing throughout the review that personal safety is a major concern.

Given all this, the status quo of having all contact information publicly displayed by default isn’t a suitable option going forward.

Our WHOIS review then is a balancing act – one that seeks to keep the benefits of registrant accountability while also taking account of the privacy expectations of individual registrants.

Review to-date

So far we’ve held three public consultations. We launched the first consultation in October 2015 – asking for comment on whether the reasons ‘why’ WHOIS data is collected and made public still apply.

The second consultation started in November 2015, and we also held public meetings in Auckland, Wellington, Christchurch and online, asking for comment on ‘what’ WHOIS information should be displayed and ‘how’.

We received 53 submissions over the first two consultations from individuals, businesses and government agencies. A range of views were put forward, which was encouraging. One of the themes was that registrants should be able to withhold their information and that there are legitimate concerns around spam and privacy.   

Views ranged from maintain the status quo (all registrant information being publicly available by default) to no registrant information being publicly available. Some suggested that eligibility criteria should be introduced for registrants to be able to withhold their information; that independent decision makers e.g. judge or Court should decide whether information should be withheld; and that proxy registrations should be allowed. Registrars highlighted that the consideration of certain options could incur technical and transition costs, and in general terms their preference was for DNC to bear those costs.

The high level of public interest gave us many things to consider. We set about analysing the submissions and putting together a proposed approach.  At the time, we wanted an approach that would keep all of the benefits of an open and transparent register, while also recognising that exceptions can, and should, be made where there’s genuine reason for withholding information for vulnerable and at-risk registrants.

At its February 2016 meeting the DNCL Board agreed in principle that we should establish a draft process where individual registrants could apply to have details withheld from publication in the WHOIS. A third consultation paper was prepared and the proposed process was the subject of the third consultation in May 2016.

The third consultation proposed that there should continue to be an open WHOIS, but that there should also be a process to let individuals have their information withheld in certain circumstances. This recognised that the status quo for WHOIS was no longer the best policy for .nz. In coming up with the draft process, we were trying to strike an appropriate balance between the competing arguments and positions around accountability and privacy.

As part of putting together that draft process, we had a good look at how other registries marry up privacy and accountability. This included ccTLDs and registries like the Electoral Commission and Companies Office. We also approached a range of organisations to talk about the WHOIS review and how best we could design a process for individuals to have their details withheld.

The key points of the draft process in the third consultation were:

  • It would be a service for individual registrants, not organisational registrants.
  • Anyone with genuine concern could apply to withhold their details.
  • It would be available for new and existing registrations.
  • Withheld information would cover all contact details, except the registrant’s name.
  • There would be an independent panel to manage appeals.
  • DNCL would cover all costs i.e. there’d be no application fee.  There would be no costs to registrants or registrars.

In hindsight, the paper could have been better in setting out how we’d come to our proposed position and could have documented how we had taken into account the submissions we had received on the initial consultation papers.  We apologise for that. 

After the paper was released, some concern was expressed about the detail and tone of the consultation paper.  To respond to this we published a list of FAQs to help address people’s concerns about the proposal and how it would operate. 

There was a good level of engagement in the third consultation. We received 65 submissions, suggesting a range of options. These included supporting the status quo, supporting the privacy proposal consulted on, through to no registrant data at all being published. Most submissions suggested something in between the two extremes of the status quo and no registrant data being published. A number of respondents raised concerns about individuals being put at risk of harassment or abuse should their contact details be public.

At its June 2016 meeting the DNCL Board agreed that the registry should continue to collect registrant data. This had been supported from many of the submissions over the three public consultations. The Board also agreed that they don’t see a situation where no registrant information at all is displayed on a WHOIS record.

The objective for the WHOIS review is to identify what information is publicly available, either by default or by request.  A range of viable options were identified from the third consultation round and these need further consideration.  Other than as outlined in the paragraph above, all options that were presented to us are being considered further.

These options include different levels of registrant information being displayed and whether the publication of the details is by default, by opt-in or by opt-out.  They also include the privacy proposal from the third consultation, but with some changes as a result of the submissions received about that.

We’ll now be doing more work on evaluating the different options. As part of that work we’ll analyse in more detail the impact each option will have on registrants, registrars, the registry, the local Internet community and DNCL. This will build on the initial assessments already undertaken. For example, the first consideration of the option that would see registrant name and email only displayed by default was:

Option

Registrant name and email only by default

Outline

Only the registrant name and registrant email would be displayed, along with the domain name’s registration dates, status and registrar.  This would occur by default as the output from the WHOIS when the registrant declares they’re an individual.

Key features and variations

The registrant would be identified by name and be contactable through an email address. All other contact information would be private.

The other contact information could be received and held by the registry. Or, it could be received by the registrar and either not sent to the registry or their details or other proxy contact details be used instead.

Advantages

The registrant is identifiable and contactable over email.

Any issues with contacting the registrant using the email address provided can be raised with DNCL and followed up on.

Enforcement and other appropriate organisations have enough knowledge to identify whether they need to follow up on a request to obtain any further information.

Provides a higher level of privacy than the status quo, but is sufficient enough that it is not in breach of the InternetNZ TLD principle (see https://internetnz.nz/tld-principles) that registrant data is public i.e. the name and email would remain public.

Risks

Registrants may make out they are individuals when they’re not.

If other contact details for the registrant are held by registrars rather than the registry it may be difficult to obtain the information, including by DNCL, in a timely manner.

There may be a high volume of queries for further information including city/country of registrant, given this would be withheld by default.

Impact

Registrants

Provides more privacy by default, although registrants would still be identifiable (name) and contactable (email).

Registrars

Some change would be required as registrars’ systems would to record if a registrant is an individual so that the other contact details are withheld by default.

Registry

Potential impact if DNCL requires more assistance from NZRS to identify registrants

Would require software change to registry system.

Community

Able to identify a registrant’s name and email, but not see if the other contact details match - one indicator of a bad registration.

There would need to be a mechanism for the community to request the other contact information in appropriate circumstances (e.g. where a domain name was being used for criminal purposes).

DNCL

Processes would need to be established so that the other registrant contact information could be obtained where required. 

Criteria would need to be established around when it is appropriate to provide the other, withheld contact information.

Comment

This option is considered to be consistent with InternetNZ’s TLD principle around registrant data being public. This is a feasible option that requires more consideration of the issues and the impacts of the different ways it could be implemented. There are, for example, additional issues to address if the information is not held with the registry – meaning DNCL would not have easy access to the registrant information.

Similar initial assessments have also been completed for the other options suggested in submissions (e.g. including registrant name and email only displayed by opt-in/opt-out, registrant name only displayed, registrant email only displayed and registrant name and city/country only published and other options as well).

There are merits and drawbacks for each of the options, and each has different impacts depending on whether you’re a registrant, registrar or member of the local Internet community. It’s important that we come up with a solution that best meets the needs of all involved and we’ve been spending a lot of time thinking through the implications of each option, with more detailed consideration in progress. After the third consultation, we now have a better appreciation for the concerns of at-risk individuals, and we will strive to implement a solution that protects registrants against potential harassment.

The process from here & next steps

Our challenge is to achieve a process that makes it easy for individuals to have their information withheld if they are concerned about their online privacy, that preserves the integrity of the register, and ensures that WHOIS data can be used appropriately to discover the operators behind domains behaving badly.

What we’ll be doing next is looking in more detail at the viable options. This will include doing a further assessment of each option, with more detailed analysis of the impact on registrants, registrars, the registry, the local Internet community and DNCL.

We’ll also be making contact with some of those who’ve made submissions to see if they’re happy to meet to discuss their comments. This will be useful in better understanding their position face-to-face. Those we hope to meet with will cover the range of options raised in the third round of submissions.  We’ll also seek meetings with other organisations that might have an interest in the review to get their views on the various options.

We’ll be putting some recommendations to the 25 August 2016 DNCL Board meeting about what option/s for the WHOIS should be presented for a further public consultation later this year.

No matter what the final shape of the .nz WHOIS, it’s clear there needs to be better understanding by registrants, and prospective registrants, of what information is collected and how that information is handled.  We recognise and respect registrants’ request for their privacy to be protected and to be aware of what is published and so will also be working to develop a range of suitable guidance material about the WHOIS for registrants.

We want to thank everyone that has contributed to the policy process for taking the time to help shape this important policy decision.  The current arrangements for .nz WHOIS have been in place since the registry was established, and it is clear to us that there is a need for some changes. 

If you have any questions about the WHOIS review that aren't covered above, feel free to use this form to ask.  

DNC news