Summary

The .au Domain Administration (auDA) is currently reviewing its WHOIS policy in relation to making additional .au domain registrant details publically available. As part of its review, auDA has released an Issues Paper1 for public comment. The closing date for submissions is 31 January 2014.    

Introduction

WHOIS is a ‘look-up’ service that provides access to information about registered domain names. The information available for .au domain names is determined by auDA (the self-regulatory body for the .au domain space).

auDA is currently reviewing its WHOIS policy and is considering allowing access to more information about domain name registrations and registrants than it currently does.  As part of its review, auDA has released an Issues Paper which covers two questions:

  • Should there be any changes to auDA’s WHOIS Policy covering the collection, disclosure and use of WHOIS data for .au domain names?
  • Should access to .au domain name data (other than via WHOIS) be opened up?

Many of the issues raised in the Issues Paper were discussed at the Australian Internet Governance Forum on 17 October 2013.

This article summarises the key points in the Issues Paper and comments on how other registration services have dealt with similar issues regarding disclosure of information.

Collection, disclosure and use of WHOIS data for .au domain names

Under the auDA’s current WHOIS policy (2010-06)2, WHOIS only discloses a subset of the information stored on the registry database such as the registrant’s name and email address. The full list of the information disclosed can be found in Schedule A of the WHOIS policy. This limited disclosure can be compared to WHOIS services for other domain spaces such as .com, .nz and .uk, which disclose the registrant’s phone number, physical address, domain name creation and domain name registration expiry date.

The Issue Paper notes that it has been argued that a physical address and telephone number should be disclosed for the commercial second level domains com.au and net.au. Such an approach would be more in line with other top level domains, as well as the disclosure policies of registrant information of Australia’s trademark database (ATMOSS) and other Australian registration databases such as ASIC’s company and business name database. However, the Issues Paper also notes that anecdotal evidence from the .com domain suggests that requiring registrants to disclose more information leads to registrants providing false information to the database or using proxy services in order to obscure their true identity. As one of the requirements of registration of an .au domain name is that the registrant must be Australian or have an Australian link3, if such practices became widespread this would undermine the data accuracy and integrity of the .au domain database.

There is also the question as to whether the disclosure of such additional information would create privacy concerns for individuals. For example, many small businesses using a .au domain may operate from home, meaning a registrant’s domestic address would be publically available. We note that this concern has not prevented other WHOIS services from providing such information, and that this information may otherwise be available to interested parties through (paid) searches of the ASIC company database. For example, a paid search of a registered company reveals the address details of a company’s directors.

A potential option for the WHOIS service moving forward could be for auDA to take a similar path as the ASIC company database, where selected information is available for free with further information only made available upon payment of a small fee.

The Issues Paper notes that domain name creation and expiry dates were originally removed from WHOIS lookup search results in 2002 in response to scammers sending fake renewal notices to registrants at the time their domain name was due to expire. The receipt of such notices is of concern, as they may result in unsuspecting parties being defrauded of monies or handing over additional personal or sensitive information.

We note that:

  • the practice of scammers sending fake renewal notices is common for other databases that disclose expiry information - many trade mark owners receive such fake notices around the time that their trade mark registrations are about to expire;
  • if physical addresses, as well as email addresses, are disclosed, then this may result in an increase of such fake notices to domain name registrants – as scammers will be able to contact registrants through 2 avenues; and
  • the availability of domain name expiry dates would allow scammers to include such information on their fake renewal notices – giving the fake notices an air of legitimacy, which in turn may result in an increase in parties being scammed.

Whilst the receipt of such notices is of concern it is debatable whether such a risk is enough to outweigh the possible benefits to the public as a whole for disclosing such information. The disclosure of such information would have many benefits, including allowing registrants and other interested parties (eg professional advisers) to trace the history of a particular domain name and to check when a particular domain name is due to be renewed. 

We also note that the exclusion of such information from WHOIS search results has not resulted in the cessation of such fake notices being sent – as the ACCC’s report on scams in 20124 highlights.

Should access to .au domain name data (other than via WHOIS) be opened up?

The Issues Paper notes that:

  • currently WHOIS is the only service that provides public access to .au domain name data; and
  • the service has a number of limitations, including only providing allowing searching by domain name (rather than registrant or company name) and restricting the number of look-ups allowed per hour.

The Issues Paper raises for consideration various scenarios in which people might want to access information unfettered by the limitations of WHOIS. For example, an intellectual property lawyer may want to be able to search the database for all domain names belonging to his or her clients, or an Australian law enforcement officer may want to search the database for any information that might assist his or her investigation.

There are good reasons for the limitations – for example, as outlined above, the ability to freely and automatically search the database would allow marketers and fraudsters to more easily spam and target registrants.

The Issues Paper draws attention to some important questions that should be considered when looking at opening up access to information on the database, such as whether there should be restrictions on the purpose of information requests, whether there should be a fee for certain requests and what the privacy implications for registrants might be if these restrictions are amended.

Deadline for submissions

The auDA invites public comment on the issues of data openness in the .au domain. The closing date for submissions is Friday 31 January 2014. Submissions can be made by emailing Jo Lim, Chief Operations and Policy Officer, at jo.lim@auda.org.au