In a column dated April 29, 2008,[1] Law professor Michael Geist called a draft version of CIRA’s WHOIS policy “a model for domain name registries around the world.”[2] When the policy was finally introduced in July, Professor Geist’s position changed dramatically; WHOIS was now “a significant setback.”[3] Why the stunning volte-face?
First, some background. CIRA’s maintains a database of individuals and companies who have registered Canadian internet domain names. Previously, this database was publicly accessible, to the frustration of registrants. This frustration, combined with newly enacted privacy legislation, led CIRA to reconsider its practices.
After extended public consultation, CIRA announced WHOIS, a revised policy, on July 11, 2008.[4] Information collected from individual registrants would private by default, subject to a privacy waiver; data collected by corporate registrants would be public unless the corporation could justify privacy. Controversially, WHOIS allows CIRA to release registrant information to rights holders and legal authorities.
This new policy, CIRA declared, balanced privacy interests, property rights and legal concerns.[5] Professor Giest disagreed, stating that WHOIS sold out privacy rights to appease law enforcement officials and big business.[6]
Geist is right on the facts: WHOIS compromises registrants’ privacy. However, it does so reasonably. Canadians do not benefit from a domain-name policy that guarantees absolute anonymity to registrants.
Cyber crime remains real. Blakes Lawyer Antonio Turco writes that incidents of such crimes as cyber-squatting and domain tasting are actually on the rise, citing a report by the World Intellectual Property Office that says that domain-name disputes went up 25 percent from 2005 to 2006 and up again by 18 percent from 2006 to 2007.[7] To effectively protect legitimate rights, it is necessary that lawmakers and rights-holders be able to pursue bad-faith registrants. This requires some mechanism for finding contact information.
Futhermore, the rights our legal system accords individuals and companies should carry as much weight online as they do in other media. Geist writes that whistleblowers and public critics will remain silent if their anonymity cannot be protected.
However, as long recognized by publishers and TV newscasters, the public’s right to information needs to be balanced with concerns for slander and libel. Targets of internet attacks have a right that any criticism be factually correct. When rumours are not, the costs to the affected parties can be great.
Consider the example of TD Canada Trust, which saw its stock fall dramatically in January, 2008, when a false rumour spread that it was dangerously exposed to bad mortgage debt.[8] As rumours such as this find accommodating homes on chat-boards and blogs,[9] it is essential that interested parties be able to pursue websites that host them. This requires some compromise of privacy. Further, it encourages internet sites to be as vigilant as other media in being responsible with what they report or host.
Individual registrants are right to expect of CIRA some protection of their personal information. Geist’s column spells out several good reasons to do so. However, where websites are used to commit cyber-crime or libel, anonymity serves only the guilty.
[1] M. Geist, ‘Domain Name Policy Balances Privacy with Public Access’ Ottawa Citizen (29 April 2008) D1 Front.
[2] Ibid.
[3] M. Geist, ‘CIRA’s ‘whois’ policy a stunning setback for
privacy’ Toronto Star (30 June 2008).
[4] ‘Canadian Internet Registration Authority ends free-for-all over personal information’ Canada NewsWire (11 June 2008).
[5] Ibid.
[6] Supra, note 3.
[7] A. Turco, ‘Domain Names: whoandwhatisnew.com’ Blakes Bulletin on Information Technology (May 2008).
[8] T. Perkins, ‘How a nasty rumour can ruin an investor’s day’ Globe and Mail (11 January 2008) b13.
[9] Ibid. A source in this article discusses the challenges of trying to pursue the sources of internet rumours: “‘Most chat rooms or posting sites really guard the identity of who is posting,’ Ms. Jensen said. ‘So, that kind of gets into the whole area of privacy versus knowledge of who is doing it.’”