CIRA’s ‘whois’ policy a stunning setback for privacy?

For years, if you registered a .ca domain, anyone could see your name, address and email in online “whois” databases. In 2008, the Canadian Internet Registration Authority (CIRA) restricted access to this information. Internet law guru Michael Geist hailed early drafts of the CIRA’s new whois policy as “a model for domain name registries around the world”. Still, in a last-minute change, CIRA allowed access to a domain owner’s identity for parties claiming IP infringement by the domain name. In response to Professor Geist’s accusation of a “stunning setback for privacy”, CIRA’s President and CEO Byron Holland called the new policy “thoughtful” and “effective” with the “best privacy protection in the world”.

Does CIRA’s whois policy strike the right balance between registrants’ privacy and IP owners’ rights?

Yes, CIRA cites the need to fight cybersquatting in defense of its disclosure policy. Registering domains for the sole purpose of reselling at a premium is a common problem on the internet. Few short domain names are now openly available for legitimate purposes. A more sinister extension of cybersquatting is phishing – posing as a third party to obtain confidential information such as passwords.

Yes, CIRA’s disclosure policy also protects IP rights. It simplifies contacting alleged infringers and helps resolve IP disputes outside of court. The opportunities for IP infringement in domain names alone are huge due to the nature of the internet. Any alternative dispute resolution can help relieve a potentially large burden on the justice system.

But there are serious flaws in CIRA’s whois policy.

Disclosure without consent impairs registrants’ privacy. It is also probably unlawful. CIRA’s disclosure policy does not meet any of the conditions in s. 7(3) of the Personal Information Protection and Electronic Documents Act, which contains the exhaustive list of circumstances when disclosure without consent is allowed in the private sector.

CIRA’s policy also undermines the freedom of speech. Whistleblowers or political activists will lose their anonymity unduly if they register a domain name referring to the organization they criticize. Instead of having to go through court, claimants need only show CIRA reasonable belief of IP infringement to obtain the registrant’s identity.

CIRA’s policy is unbalanced.

Registrants’ privacy and freedom of speech suffer irrevocably, while IP owners retain their rights and avenues for pursuing infringers regardless of CIRA’s cooperation. The barrier to obtain personal information is too low. CIRA does not specify how or whether it considers merits of infringement claims. Frivolous claims that wouldn’t make it to courtroom can survive under CIRA’s laxer procedures. Citing the need to contact registrants is unreasonable because CIRA already passes electronic messages to registrants via its website. It should also be able to send regular mail on behalf and at the expense of any IP claimants.

CIRA owes a statutory duty to registrants who entrust it with their personal information. Among all the options to facilitate resolution of IP disputes, CIRA chose one that puts it in unjustifiable breach of this duty.