CIRA’s WHOIS Policy Strikes a Balance

Update July 7, 2009: Jonathan Giraldi's post "CIRA’s WHOIS Policy Strikes a Balance" won the Gowlings LLP Best Blog in IP Law and Technology Prize Fall 2008 in Professor D'Agostino's IP class

In a hotly-debated move, Canada’s internet domain registry authority has allowed select groups to request the personal information of domain registrants, after promising to remove all public access.  However, the change is not as dire as many would have you believe.

The Canadian Internet Registration Authority (CIRA), responsible for registering dot-ca domain names, had promised to eliminate access to their WHOIS database to comply with national privacy legislation.  Previously, that database provided public access to the full contact information of dot-ca domain name holders.  But when the new CIRA policy was introduced on June 10, 2008, it became apparent that select groups still had potential access to this personal information.

One of those groups is law enforcement agencies.  The potential access to personal information by law enforcement under certain conditions (i.e., to enforce a child exploitation offence under the Criminal Code [1] ) has not been contentious.  Rather, it is potential access by another group, intellectual property (IP) owners, that has sparked debate.

Although the new policy has been depicted as simple backdoor access to personal information for IP owners, this is overly simplistic.  In reality, current requirements ensure that only legitimate requests will be considered.  For example, to file a request an individual must certify that they reasonably believe in good faith that a registrant’s domain name or its content infringes their Canadian registered trademark (or copyright or issued patent), or infringes their registered business name [2].   Because the policy requires the filing of supporting documentation (through a notarized copy of a registration of copyright, patent, etc.) unsubstantiated requests will not be considered.

While the release of personal information is disconcerting, CIRA is right to allow limited access.  The internet is a unique environment in that IP infringers cannot be readily identified and summoned to court to account for their actions.  An absolute ban on access to personal information would create an extra hurdle for IP owners seeking to protect their rights on the internet.  Users treading too close to a protected right should not be surprised when they are required to defend their actions, nor should they be able to use the internet to prolong their abuse of an IP right.

Furthermore, CIRA provides an online message delivery form to communicate with registrants whose personal information has been concealed.  IP owners requesting personal information must make use of this tool at least 14 days prior to a request.  Registrants will therefore have at least two weeks’ notice that their personal information may be requested.  With that knowledge, registrants can attempt to resolve a dispute with an IP owner without disclosing personal information, request that CIRA withhold their personal information, or seek legal advice as to their rights.

Although the actual fairness of the new privacy policy remains to be seen, on the surface it appears to strike a good balance between privacy concerns and the rights of IP owners.  At the very least, the personal information of dot-ca registrants is safer now than it was prior to June 10, 2008.

[1] http://www.cira.ca/en/documents/2008/PRP-request-disclosure-lawv1.1.pdf
[2] http://www.cira.ca/en/documents/2008/PRP-request-disclosure-rantv1.2.pdf