The CCG team recently wrote a memo on the privacy implications of the WHOIS database, which is available here.

Document Summary

Background

The WHOIS service is a public, unrestricted database on which anyone can find out the real world identity, business location and contact information (including email address) of the registrant. The Affirmation of Commitments between the US Department of Commerce and ICANN requires ICANN to ensure timely, unrestricted and public access to WHOIS information.

Key Concerns

WHOIS contact information has been used to target the physical safety of domain registrants, especially women entrepreneurs, small business owners working from home, activists living in totalitarian regimes, LGBTQ bloggers, etc. It has also been used for spam.

Although Law Enforcement Agencies (LEAs) seek access to this data to identify registrants of particular websites, LEAs of oppressive countries with records of human rights violations can use this facility to identify dissidents or the owners of blogs and subject them to violent treatment.

The WHOIS policy is widely criticized for lacking accuracy. The present system has enough loopholes that enable fabrication of data, or mechanisms to keep details private.

Recommendations:

1. Mechanisms to contact registrants without offering access to information about them.
2. Permitting registrant to submit an email address as contact information, without her actual name or other details.
3. Developing systems for Law Enforcement Agencies LEAs to identify law-breakers without the WHOIS database (since law-breakers are unlikely to submit accurate details anyhow). E.g. technological methods to track people using their email addresses.