WHATIS? WHOIS? Privacy? Huh? Have Your Say!

In Privacy Week, there’s a debate going on about publication of addresses and contact details as part of the registration of a .nz domain name. In this long post, InternetNZ Chief Executive Jordan Carter shares his take on the issue and fleshes out a bit of the background. Submissions are due by 7 June – have your say!

When you register a domain name, you provide a set of details as part of the registration process.

In the .nz domain name space, as in many others, the domain name has to be registered in the name of someone. That’s the registrant, who could be a person or an organisation. Their address and contact details, along with the name, address and contact details of someone who administers the domain name and someone who functions as a technical contact, are all collected during registration.

As you go through the registration process and provide that information, along with some other information about which name servers you want the domain to point to, eventually your domain name gets added to the register of domain names. This register is the authoritative source of .nz names – there has to be such a listing service, to make sure two people don’t claim or try to use the same name. 

Our subsidiary companies run this process for .nz. The Domain Name Commission (DNCL) sets out the policy framework for how .nz operates, consistent with high level rules set out as principles by InternetNZ (our TLD Principles). NZRS Ltd operates the register of domain names and propagates it to the Internet through the DNS.

The register of domain names is a public register. You can head along to www.dnc.org.nz and type in a query about any .nz domain name. It will generate a report showing the details as registered. People who register domain names have a responsibility to ensure their details are accurate when they register, and kept up to date should they change.  

The service by which you query the register is known as the WHOIS. This public searchability of the domain name register has been a feature in .nz since it was established, so far as I know. The TLD Principles I mentioned above include it as a basic tenet of how .nz works:

Registrant data should be public: A free and publicly available register lookup service (such as WHOIS) should be maintained, with relevant authoritative information about the registrant, registrar and DNS servers for the domain.

Since the second half of 2015, the Domain Name Commission has been reviewing the WHOIS policy. Inspired perhaps by ICANN’s review of directory services/WHOIS for the generic Top Level Domains (like .com, for instance), the Commission started with a very open question about what data if any should be collected as part of a registration process, and whether it should be published.

Feedback suggested collecting data was useful, but that there were mixed views about what should be published. The second stage of consultation honed in on details about precisely what should be collected and displayed.

Following that feedback round, DNCL accepted the logic that in some circumstances there should be privacy for information collected. That is, the WHOIS results for domain names might in some circumstances not include publishing the full details provided during registration.

This proposal would be a fundamental change to the approach for .nz: from everything public at all times, to a new settlement that balances the tension between two fundamentally important principles:

  • The right to privacy
  • The benefits of openness

You could argue that the benefits of both are axiomatic – that it’s “obvious” privacy, or openness, are desirable. Assertions like that don’t especially help. The FAQ DNCL has published today sets out the public good benefits in having an open register. I think it’s a logical argument that the scrutiny and transparency allowed by a public register contributes to .nz being a relatively “healthy” domain – services making use of those names can be traced back to the registrant in a fairly straight forward manner. Those benefits need to be considered alongside the benefits of privacy, which can include, for instance, safety for people who have been the victims of online harassment. 

There are multiple ways of dealing with any of these issues, of course – the whole point of the ongoing consultation process is to work out the balance, and how we are going to do it in .nz. To that end, the third stage of DNCL’s consultation is now open, seeking comments on the fundamental change proposed (providing an option for privacy) and on the how and why of implementing that change.

As with any policy process that starts broad and gets specific, public attention increases as you approach the specifics, and as you approach the decision. This is especially true if those specifics involve balancing competing rights or interests. In policy, they usually do. 

Since DNCL released their consultation paper last week, I’ve seen more feedback than I have before on this issue – and that’s fantastic, because the wider the debate and the broader the set of perspectives that informs the decisions that will follow this consultation, the better the decisions will be. 

What’s also positive is that much of the input through the whole process has been carefully considered and constructive. Another positive is that more people are looking at the work DNCL and InternetNZ do in this area. Next time an issue needs public input, hopefully more people will know about the opportunity to have a say.

Of course, the scrutiny that comes with the profile increases the chance that people will find problems or perceive gaps or flaws in the process or the substance of the matter under discussion.  That’s been apparent in some of the public commentary I have seen and in some of the latest submissions I have read. 

In particular, I’ve registered the assertion that input or submissions have been disregarded by DNCL in the development of the proposed policy change now out for consultation. I want to say something about that aspect. I’m a long time participant and observer in domain name policymaking in New Zealand. The one thing I am entirely confident of is that every view expressed in the consultation process is considered carefully and with an open mind by the team at DNCL. I’ve never seen a pre-determination about any issue from them, and don’t see that now. They’re just down the hall, so it’s easy to get a sense of the vibe.

None of that is to say this – or any other – process is perfect. Feedback on the “how” of policymaking is as welcome, and as important, as on the policy question itself. It might not always make happy reading at our end, but hearing what people think about the how as well as the what is part of what we do.

I’d also like to share a few thoughts about some of the constraints DNCL faces in establishing the policy changes here. Consider these as a few:

  • InternetNZ sets and stands behind the openness principle I copied above. To the extent that DNCL proposes moving away from that principle (which, for instance, a blanket privacy imposition would clearly do), InternetNZ will need to decide as the .nz domain name steward whether it can accept that change, whether it rejects that and maintains the status quo, or whether it has to consult the Internet community on changing such a fundamental principle.
  • There is clear benefit to the public from a relatively open register. There is also clear benefit to the public in providing ways for those to whom its important to keep their details private. People need to be contactable at the details given for a domain name, and they do not need to publish their own private address – but that isn’t always obvious.
  • DNCL’s job is to propose and maintain a policy framework that is in the interests of all current and prospective registrants. That involves difficult balances at times, and this might be one of them.

When institutions like the Privacy Commission, specialists in this area, support an open approach (see for instance their submission in the first stage of the review), while others make compelling arguments for privacy (see for instance a submission by Jethro Carr in the current consultation), it is clear that what’s going on is an important debate, and that a resolution is not going to be a simple black and white answer. 

The answer *I* give to the key question (private by default or open by default, with exemptions either way) depends on a principled and deeply personal view. For me, openness wins out, and I am not concerned that my details are published in the register. In saying that I acknowledge that my knowledge level is not typical of registrants or Internet users. I know I can use my work’s contact details for my registration – but that doesn’t mean others do, or that they should feel that they have to. I work in a job in the public eye, in an industry that tends not to create risks for my safety by being in it. I live in an apartment with layers of security between me and the outside world. It's not a typical situation, it's just my situation. 

Others have other situations that give a completely different take on the answer to that question. The debate is teasing those different perspectives out. 

Reconciling conflicting principles like this is exactly what policy has to do, and is exactly what is being asked for now.In essence, DNCL is proposing to maintain openness by default for registrant data, but to allow for privacy. To me that position makes sense, but raises other questions still to be answered – for example:

  • What are the sorts of tests or criteria that DNCL will apply in deciding whether details can be private?
  • How can the application process be made as simple as possible?
  • How can prospective registrants be sensitised to the fact that as a default, the details they give when they register a domain name will be public? (Complicated by the reality that some registrars are global, and won’t accept specific procedures for .nz names.)
  • Should people have to register their details in order to search for a domain name through WHOIS?

You’ll have your own questions and things that you wonder about here. My list above takes the basic premises of introducing a privacy option as a given. You may take a different view.

Whatever your perspective, it’s important to me and I know to the Commission that you’re able to share it. We’re all listening.

A final thought: let’s make this a policy debate to be proud of. Let’s engage on the substance in a way that is respectful of the diversity of views and the passion with which they are held. Let’s acknowledge that this is an issue where your position depends on deeply held values and where compromise can be tough. Let’s consider the process followed too, and talk about that in ways that acknowledge strengths and improve weaknesses.

The .nz domain is there to serve the New Zealand community in the best possible way. Debates like this make sure it can do just that. 

Submissions close 7 June. Details at https://dnc.org.nz/