Europe slams WHOIS data demands

A European watchdog has opposed moved by the Internet Corporation for Assigned Named and Numbers (ICANN) to force domain name registrars to improve accuracy of the WHOIS database.

Jacob Kohnstamm, chairman of the European Union's working party on data protection, told ICANN's chairman and interim CEO in a letter that the proposed changes to the organisation's registrar accreditation agreements would likely run contrary to European citizens' right to privacy.

News blog Domain Incite, which published the EU letter, said the changes included forcing registrars to re-verify domain registrant contact data every year while retaining customer data for two years after registration ends.

The changes have been requested by law enforcement, according to Domain Incite, and is backed up by the Governmental Advisory Committee (GAC) of ICANN. Australia has a supporting delegate in the committee.

The WHOIS database provides public information about website registration details including contact information and registration.

It was originally designed to provide contact points for technical and registration queries but has of late been accessed by law enforcement to track down criminal activity on the Internet.

"The fact that WHOIS data can be used for other beneficial purposes does not in itself legitimise the collection and processing of personal data for those other purposes," Kohnstamm wrote.

The re-verification requirement was "excessive and therefore unlawful", he said.

Due to WHOIS databases having unlimited public accessibility, contact details in them have been harvested on a large scale and abused for spamming, the Working Group said.

Thanks to the abuse, there is a strong incentive for people to provide inaccurate contact details.

ICANN had failed to address the spamming problem, making the proposed solution a "disproportionate infringement of the right to protection of personal data".

A second proposal requiring extensive data retention based on wishes from law enforcement was also deemed unlawful by the Working Group.

Under ICANN's propsal, registrars would be forced to retain not only registrants' personal information for two years after the registration ceases, but also a raft of other data including phone and email addresses not in WHOIS, credit card data and communications identifiers such as Skype handles.

Extensive logging with source Internet Protocol addresses and HTTP headers, as well as dates, times, and time zones of communications and sessions was also suggested.

Acccording to Domain Incite, ICANN could impose the new requirements despite EU objections, giving registrars in the European Union the ability to stay out of the new requirements to comply with local privacy laws.

ICANN negotiations are currently being held on the topic have been underway over WHOIS, whose information is often considered inaccurate, obfuscated or non-existent.