The associated European data protection authorities (the Article 29 Working Party) issued a formal opinion on WHOIS directories. These directories associate social information (like holder's identity and contact information) with network identifiers such as domain names or IP addresses.

The opinion is focused on domain name WHOIS, especially the fact that personal data about individual domain name holders are publicly accessible.

The working party notes that the original purpose of making these data publicly available -- finding contact points for addressing technical problems in operating the internet -- is legitimate. Concerns are raised about the compatibility of other purposes for which the data are being used today, e.g., private policing of intellectual property rights.

The working party questions whether the publication of contact information about individual registrants is actually relevant to the original purpose. This purpose could be served well -- or even better -- by publishing contact information pointing to the registrant's ISP, who would then know how to reach the registrant. The working party finds that "there is no legal ground justifying the mandatory publication of personal data referring to this person." Publication would lead to a conflict with directive 2002/58/EC (Privacy in the electronic communications sector).

Concerns are also raised about proposals to introduce extended search services which would, for instance, return a list of all domain names registered by one individual. Earlier, the working party concluded that the inclusion of personal data with this kind of services must be based on unambiguous and informed consent of the individual.

The working party explicitly supports recent decisions of the Internet Corporation for Assigned Names and Numbers (ICANN) to improve the accuracy of the data collected, and to forbid any marketing uses of WHOIS data obtained in bulk.

Very recently, ICANN held a workshop in Montreal, Canada, on WHOIS policy. This policy is part of ICANN's contracts with domain name retailers ('registrars') and database operators ('registries').

Registrars in general pointed to the contribution of WHOIS data to consumer fraud. European registrars in particular noted that the WHOIS provisions of their contracts with ICANN may be incompatible with applicable law. Data users from the Intellectual Property and Law Enforcement communities considered any possible restriction of access to WHOIS data as a nuisance which would hamper effective law enforcement on the internet.

Opinion 2/2003 on the application of the data protection principles to the WHOIS directories
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp7...

WHOIS-related consensus policies recently adopted by ICANN
http://www.icann.org/minutes/minutes-27mar03.htm#GNSORecommendationonW...

Background material for the Montreal WHOIS workshop
http://www.icann.org/montreal/whois-topic.htm

(Contribution by Thomas Roessler, FITUG)