Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Lindsay, David --- "Whose WHOIS privacy? - The Nominet case" [2004] PrivLawPRpr 43; (2004) 11(4) Privacy Law and Policy Reporter 91

Whose WHOIS privacy? - The Nominet case

David Lindsay

This casenote and comment explores a recent Federal Court decision concerning remedies available when an Australian company uses personal data on domain name holders sourced from overseas – who can take effective action, and what policies should ICANN and registries adopt to protect privacy? In this case, use of copyright and fair trading laws was necessary for the protection of privacy. (General Editor)

Nominet UK v Diverse Internet Pty Ltd [2004] FCA 1244

Federal Court of Australia – French J (22 September 2004).

Copyright in WHOIS domain name database – data mining (unauthorised access to database of personal information) – infringement by authorisation – notices sent to domain name registrants – misleading or deceptive conduct – accessory liability – assertion of right to payment for unsolicited services.

Facts

Nominet UK, a company limited by guarantee, is responsible for operating the registry for domain names for the .uk country code top level domain (ccTLD). Registry operators manage and maintain the database (or register) of domain name and associated information, including contact details of domain name holders. Nominet is also responsible for managing the WHOIS database for the .uk ccTLD. The WHOIS database is used to find the names and contact details of individuals or organisations that have registered domain names.[1] It may, for example, be used by those seeking to purchase the domain name to contact the domain name registrant, or by trade mark owners wishing to bring an action against the domain name registrant.

Nominet adopted techniques designed to ensure the security of the WHOIS database. The database was protected by authentication and encryption techniques. Although end users could make specific inquiries of the database about registration details of particular domain names, use of the service was subject to the following condition:

You are not allowed to reuse, compile, store or transmit any or all of the WHOIS records unless you have our prior written consent. You are not allowed to conduct automated queries or use this service for advertising or similar activities ... By conducting a WHOIS search you agree to be bound by these terms.

If a particular Internet (IP) address was identified as making excessive queries of the database, Nominet would limit access by blocking that IP address.

In January 2003, two Australian companies – Diverse Internet Pty Ltd and Internet Payments Pty Ltd - used ‘data mining’ techniques to extract and collate names and contact details of registrants on the Nominet WHOIS database. Specifically, a computer program was used to generate a large number of automated queries in alphabetical order. The ‘attack’ on the database used a large number of proxy servers in an attempt to disguise the source of the attack. The pattern of queries, which altered over time, was so persistent that Nominet was forced to temporarily disable all access to the WHOIS database, a drastic step that had never before been necessary.

A company registered in the Seychelles, (UK) Internet Registry, used the information extracted from the database to engage in a direct mail-out of notices to 50,000 .uk domain name registrants. In early 2003, the Nominet register contained records for approximately 3,800,000 domain names. The notices had the style and presentation of an invoice for services. It was conceded that each notice created the impression that it was a notice for renewal of the .uk domain name held by the registrant and that the existing domain name would expire if payment was not made. It was only after a close reading of the notice that the recipient would discover that it was actually soliciting registration of the equivalent of the .uk registered domain name in the .com top level domain.

Nominet brought actions in the Federal Court against the Australian companies, the Seychelles company, and the two company directors. The actions alleged breach of copyright in Nominet’s WHOIS database and that the notices sent to registrants were misleading and deceptive under State fair trading Acts. The proceedings against the companies and one of the directors were settled. The other director, Justin Norrish, denied involvement in the copyright infringements and in the misleading behaviour.

Held

The following issues arose in relation to the actions against Mr Norrish:

1. Whether Norrish, as a director of Diverse Internet, was liable for authorising the infringement of Nominet’s copyright in the WHOIS database;

2. Whether Norrish was a ‘person involved’ in misleading and deceptive conduct in breach of the Fair Trading Act 1987 (WA) in relation to representations made in the payment notices; and

3. Whether Norrish was a ‘person involved’ in asserting a right to payment for unsolicited services where there was no right to payment, and no reasonable cause to believe that there was a right to payment, in breach of the Fair Trading Act 1987 (WA).

Authorisation of copyright infringement

The defendant conceded that an employee of Diverse Internet had breached copyright in Nominet’s WHOIS database by reproducing names and addresses from the database. The argument before French J therefore centred on whether Norrish had authorised the copyright infringement. After pointing out that authorisation liability is, in each case, a question of fact, French J held that Norrish had authorised the copyright infringement on the following bases:

1. As director of Diverse Internet, it was within Norrish’s power to prevent infringements by an employee of the company;

2. Norrish took no reasonable steps to prevent the infringing acts;

3. Norrish had actual knowledge of the infringing acts, it being ‘beyond the limits of credulity’ to suppose that Norrish did not know what the employee was doing;

4. Norrish was in a ‘scheme’ with the other director, which involved the infringement of copyright in the database.

Misleading and deceptive conduct

Nominet claimed that Norrish was liable as an accessory for infringement of section 10 of the Fair Trading Act (WA), which mirrors section 52 of the Trade Practices Act 1974 (Cth), in that he was ‘knowingly involved’ with the infringements. Under section 4(2), the Fair Trading Act is extended to conduct engaged in outside Western Australia by corporations incorporated in Western Australia or carrying on business within Western Australia, or by Western Australian residents. The State Act differs from the Trade Practices Act in that consent of the Attorney-General is not required in order to bring an action for conduct occurring outside the jurisdiction. Mainly because Mr Rafferty, the other defendant and sole director of (UK) Internet Registry, was a Western Australian resident, French J held that the company was ‘carrying on business’ in Western Australia.

Norrish conceded that there had been some misleading representations, but denied that the notices contained misleading representations of sponsorship approval and affiliation with Nominet. Norrish also denied being ‘knowingly involved’ in the misrepresentations that he conceded had occurred.

French J held that, as a question of fact, the notices conveyed the impression that they had the sponsorship or approval of Nominet, even though a careful reading of the text may have dispelled this impression. After examining the sequence of events leading up to the sending of the notices, French J also held that Norrish, although not a director of the Seychelles company, was a party to the preparation of the notices, and to the arrangements for sending them to the domain name registrants. No questions of choice of law arose as, although the misleading conduct occurred outside Western Australia, like the equivalent provisions of the Trade Practices Act, the Fair Trading Act (WA) will be applied as a mandatory law to conduct to which the Act extends.[2]

Asserting payment for unsolicited services

Section 29 of the Fair Trading Act (WA), the equivalent of section 64 of the Trade Practices Act, prohibits the assertion of a right to payment for unsolicited goods or services without reasonable cause to believe there is a right to payment. In .au Domain Administration Ltd v Domain Names Australia Pty Ltd,[3] which concerned the issue of misleading notices relating to domain name registrations by one of the defendants in the instant case (Mr Rafferty), Finkelstein J held that section 64 of the Trade Practices Act did not apply to services that had not been provided. This view was based on the definition of ‘unsolicited services’ in section 4 of the Trade Practices Act as ‘services supplied to a person without any request made by him or her or on his or her behalf’. This was contrary to the view expressed by Pincus J in Rizzo v Fitzgerald.[4] In the instant case, French J concluded that the construction adopted by Finkelstein J was debatable, but clearly open, and so declined to depart from it. His Honour therefore held that there was no breach of section 29 as the notices related to services that had not been provided.

In sum, French J concluded that Norrish had authorised copyright infringement, and participated as an accessory in misleading and deceptive conduct, and that Nominet was entitled to a declaration, injunction and damages.

Alternative approaches: Individuals and ICANN

On its face, the Nominet case concerned authorisation of copyright infringement and consumer protection, not privacy law. Nevertheless, as the decision dealt with unauthorised access to a database of personal information, and use of that information for the purpose of misleading direct marketing, the case clearly raises issues that are relevant to information privacy law. Two distinct sorts of issues may be identified:

1. General issues relating to actions available in the event of unauthorised access to a database of personal information, and subsequent unauthorised use of that information, especially where access has been obtained by someone in a jurisdiction other than that of the data subject; and

2. Specific issues relating to the general availability of personal information by means of the WHOIS service, and ICANN’s approach.

Whose privacy? – The data subject’s position

The facts in Nominet raise questions relating to the protection of personal information where there is unauthorised access to the information by someone in a jurisdiction other than that of the data subject. In this case, actions were brought in relation to both the unauthorised access and the misleading notices by Nominet, the data holder. What, then, is the position of the data subject when faced with similar facts?

First, the data subject is obviously not the owner of copyright in the WHOIS database, so cannot bring an action for copyright infringement.

Secondly, a data subject who received a notice, such as that sent by (UK) Internet Registry in this case, could clearly bring an action under consumer protection laws. In the event of unauthorised access from someone outside of the jurisdiction, however, the availability of an action for misleading conduct would depend upon the existence of a provision similar to section 5(1) of the Trade Practices Act or section 4(2) of the Fair Trading Act (WA), which allows actions to be brought in relation to conduct engaged in outside the jurisdiction. Even if such a provision exists, however, difficulties remain. An action for misleading conduct can only be brought in relation to misleading use of the personal information after the event, and not in relation to unauthorised access. More importantly, however, bringing an action outside of the jurisdiction is likely to be too costly for most data subjects, especially when compared with the likely damage from a misleading notice, such as the notices sent in this case. Fraudulent marketers, such as the defendants in this case, often depend upon receiving a considerable number of relatively small payments.

Thirdly, in relation to the unauthorised access to the personal information, an action may be available for breach of information privacy principles relating to the unauthorised collection of personal information, particularly the fair collection principle, the minimality principle and the purpose specification principle. Difficulties, however, remain with actions under information privacy laws where there is unauthorised access from someone outside of the jurisdiction. First, there are conflict of laws considerations. Secondly, as with actions for misleading conduct, it is costly for individual data subjects to bring actions in other jurisdictions.

It may well be that, as a practical matter, data subjects may have to rely on actions being taken by data holders in relation to unauthorised access to personal information, or misleading use of that personal information, by a defendant based in a jurisdiction outside that of the data subject.

ICANN and specific WHOIS issues

The Internet Corporation for Assigned Names and Numbers (ICANN) is the organisation responsible for governance and management of generic top-level domains (gTLDs), such as .com and .org. ICANN is responsible for policies relating to the WHOIS service for gTLDs, whereas country code administrators, such as Nominet, are responsible for WHOIS policies for ccTLDs. Since the formation of ICANN in late 1998, issues relating to the WHOIS database have been controversial, and under almost constant review.

ICANN has adopted four consensus policies that relate to the WHOIS database.[5] Issues relating to third party bulk access to the database are dealt with by the Whois Marketing Restriction Policy, which will come into effect from 12 November 2004. The Marketing Restriction Policy revises paragraph 3.3.6 of ICANN’s Registrar Accreditation Agreement, which sets out terms and conditions for third party bulk access to the WHOIS database. The Policy introduces the following two new restrictions on third party bulk access:

• The access agreement must require the third party to agree not to use the data to allow, enable or support any marketing activities, regardless of the medium used; and

• The access agreement must require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated in a product or service that does not permit extraction of a substantial portion of the bulk data.

The ICANN WHOIS consensus policies were developed from recommendations made by a task force established by ICANN’s Domain Name Supporting Organization (DNSO). The final report of the task force was adopted by the successor to the DNSO, the Generic Names Supporting Organisation (GNSO), in February 2003.[6] The final report recommended that work continue on WHOIS policy issues, especially accuracy of WHOIS data and privacy issues. This eventually led to the establishment of the following three GNSO task forces in October 2003:

• Task Force 1: Restricting access to WHOIS data for marketing purposes.

• Task Force 2: Review of data collected and displayed.

• Task Force 3: Improving accuracy of collected data.

The three task forces presented preliminary reports in May 2004.[7] Notably, the recommendations of Task Force 2 included:

• More conspicuous notice to registrants of possible uses of WHOIS data;

• More conspicuous notice to registrants of the process by which data will be shared;

• Establishment of a process for changing the WHOIS policy to conform to local data protection laws;

• Further investigation of feasibility of a ‘tiered access’ system to provide different levels of access to the database to better balance privacy interests with the need to contact registrants.

At the last GNSO Council meeting, in July 2004, it was decided to merge the work of task forces 1 and 2, and that the combined group should focus on the ‘tiered access’ option and providing greater notice of use of WHOIS data to registrants.[8]

The main privacy issues in the WHOIS area arise mainly because of the public nature of the database and the increase, over time, in the purposes for accessing the database.[9] Originally, the database was established for purely technical purposes, to allow the registrant to be contacted to assist in the resolution of technical issues relating to the domain name. With the growth of the Internet, however, other uses of the database emerged, including uses relating to law enforcement, consumer protection, business information and marketing.

The central challenges facing the development of WHOIS privacy policies concern the application of the purpose specification and use limitation (finality) principles to the database. This would seem, at a minimum, to require adoption of the following measures:

• General unrestricted public access to personal information in the WHOIS database should be discontinued;

• More work should be undertaken on the controversial issue of identifying the purposes for accessing the database that should be permitted and those that should be prohibited;

• In any case, more work should be undertaken exploring technological protection measures to ensure that WHOIS information cannot be used for marketing purposes, or other unauthorised purposes;

• More work should be undertaken in further defining what amounts to ‘marketing activities’ for the purpose of ICANN’s Whois Marketing Restriction Policy;

• Work being conducted by the GNSO task force in relation to ‘tiered access’ should be supported insofar as it allows the level of access to the database to be restricted in accordance with the purpose for which access is sought; and

In any case, more work should be undertaken to inform organisations responsible for WHOIS databases of their responsibilities under information privacy/data protection laws.

In sum, ICANN’s recent WHOIS consensus policies, and the work of the GNSO task forces, represent an important step towards addressing privacy issues relating to the WHOIS database, but are little more than a start. The outcome of the present policy process cannot be assessed until more information is available on the ‘tiered access’ arrangements being investigated by the GNSO task force. Even if privacy-friendly policy are adopted by ICANN, however, much work will necessarily remain in establishing measures to to ensure compliance with the policies, and in developing effective means of enforcement. l

[1] The WHOIS service is formally defined as ‘a TCP transaction based query/response server, running on a few specific central machines, that provides netwide directory service to Internet users’: Joan Gargano and Ken Weiss, ‘Whois and Network Information Lookup Service Whois++’ RFC 1834 (August 1995), para [I].

[2] See, for example, Francis Travel Marketing Pty Ltd v Virgin Atlantic Airways Ltd (1996) 39 NSWLR 160, 164.

[3] [2004] FCA 424.

[4] (1988) 19 FCR 175.

[5] Whois Data Reminder Policy (adopted by ICANN Board 27 March 2003; implementation documents issued 16 June 2003); Whois Marketing Restriction Policy (effective on 12 November 2004; adopted by ICANN Board 27 March 2003; implementation documents issued 12 August 2004); Restored Names Accuracy Policy (effective on 12 November 2004; adopted by ICANN Board 27 March 2003; implementation documents issued 12 August 2004); Expired Domain Deletion Policy (effective on 21 December 2004; adopted by ICANN Board 31 October 2003; implementation documents issued 21 September 2004).

[6] WHOIS Task Force, Final Report of the GNSO Council’s WHOIS Task Force: Accuracy and Bulk Access (6 February 2003; Amended 19 February 2003).

[7] Task Force 1, Restricting Access of WHOIS for Marketing Purposes (Preliminary Report, May 28 2004); Task Force 2, Review of Data Collected and Displayed (Preliminary Report, May 28 2004); Task Force 3, Improve the Accuracy of Data Collected from gTLD Registrants (Preliminary Report, May 28 2004).

[8] GNSO Council Meeting in Kuala Lumpur (July 20 2004).

[9] These were the two main issues identified by the EU Article 29 Working Party in their 2003 Opinion on Whois: Article 29 Data Protection Working Party, Opinion 2/2003 on the application of the data protection principles to the Whois directories (10972/03/EN final WP76; adopted 13 June 2003).