Registrar collects personal information to combat domain name hijacking

PIPEDA Case Summary #2006-363

[Principles 4.2, 4.3, 4.4, and subsection 5(3)]

The complainant, who operates a web site connected to an organization he runs, claimed that the company (a domain name registrar) that provided domain name registration and management services to his web site was attempting to collect more personal information from him than required in order for him to make a change to his web site registration information. The domain name registrar was asking the complainant to provide a copy of his driver’s licence or passport in order to change the administration e-mail address for the web site domain name.

It transpired that the complainant was not the registrant for his web site. Therefore, the domain name registrar needed to be certain that the complainant had the authority to make the changes he proposed, as domain name hijacking is of concern to the industry. In any event, as the complainant did not provide the requested documents, there was no collection of personal information. The Assistant Privacy Commissioner nevertheless considered the registrar’s purpose to be appropriate in the circumstances and the collection not excessive.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

A domain name registrar is a company accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) to sell Internet domain names. The registrar in question offers domain name services for generic top-level domains, including .com, .net, and .ca.

Nearly a year after first having his web site registered with the registrar, the complainant learned that the registrar had suspended his web site domain service and had restricted access to the site. He claimed that the registrar had made an error with respect to the administrative e-mail address. As a result, the password necessary to make changes to the account could not be mailed to the complainant’s web site administrator.

The registrar stated that the renewal process for web site domain services is automated. When the term of registration is completed or has expired, the domain name is automatically placed on hold, causing the web site to go offline. In this case, the renewal notices were sent to the listed administrative e-mail address as shown on the WHOIS record. A WHOIS record is a record from the WHOIS database, an online database that provides Internet users with a directory listing the contact information of domain name registrants.

The complainant’s lawyer originally processed the web site registration application. The complainant alleged that his lawyer had been required to provide photo identification at the time of registration. According to the registrar, the lawyer was required to complete certain fields within the WHOIS. There was no request, however, for identification, and the lawyer stated that he did not recall being required to provide photo identification.

The Office reviewed a copy of the form containing the domain information provided at the time of registration. The contact information of the registrant contained the first and last name of the lawyer, the organization’s name and address, and a telephone number. An e-mail address was also provided. The registrar noted that the registrant is responsible for the data in the WHOIS record and it is the individual who in fact inputs the data at the time of registration. It stated that the complainant did not receive its e-mails regarding renewals as he was not the listed contact. The registrar sent all renewal notices to the e-mail address listed in the record on several occasions before denying the complainant access to the site.

According to the complainant, there was no written agreement with the registrar. He also stated that the registration was done over the telephone. The registrar noted that domain names are not registered directly through the company, but through one of its 6,000 resellers (registration service providers). In most instances, one would submit a request through an online sign-up form.

The registrar provided the Office with an overview of what is required when processing changes to a domain web site. If a change is requested from a valid registrant or representative, then the change is processed. If the requestor is not the registrant or the representative, then the registrar must verify the organization or administrative information by comparing it to photo identification and other business documents provided by the requestor before processing any changes. The registrar requires a number of documents, only one of which is personal information, namely, photo identification. If there is a match, the change is made; otherwise, it is not.

Since the complainant wanted to make a change to an administrative e-mail address, we reviewed the registrar’s administrative e-mail address change form, which the requestor must complete and send in. The form at the time did not explicitly identify the purpose for collecting personal information (the photo identification) but did indicate that the information requested should belong to someone with demonstrable signing authority for the organization, as shown on the business registration documents (which must be submitted with the request). If customers ask about the collection, the registrar tells them that it is for the purpose of verifying and confirming the identity of the individual making the request and, in the case of a business, to demonstrate that he or she is legitimately connected to the business and has signing authority. The Office reviewed the company’s privacy policy and noticed that it does not address the collection and use of registrant information for the purpose of domain name registration and renewal.

In this case, the registrar needed to verify that the complainant, as the individual making the request, was who he claimed to be and thus authorized to represent the registrant. When the complainant attempted to address his concerns about the collection of his personal information with the company, he was told that in order for the company to change any information in the WHOIS record, it would have be notified by the listed registrant (his lawyer). According to the registrar, changing the administrative contact e-mail is comparable to handing over the keys to a business.

It was the registrar’s position that its request for identification and the verification of information was not excessive and that it was done to protect the legitimate domain name owners in a time when domain name hijacking is common. Domain name hijacking occurs when someone fraudulently takes control of a domain name, often by masquerading as the legitimate administrative contact. The e-mail addresses of administrative contacts are used to verify domain name holders. Web sites, both big and small, face the risk of having their web addresses stolen and used for purposes other than those for which they were originally intended. According to the registrar, it would be remiss if it honoured a request without requiring specific supporting documentation of those wanting to make changes to domain name registration records.

The complainant was not willing to provide the company with a copy of his driver’s licence or passport. He claimed that the registrar did not explain the purpose for the collection although he asked for it. He also wanted it to change its policy and issue him an apology. According to the registrar, its customer service area had made several attempts to respond to his complaint and explain the purpose for collecting the information it was requesting. The credit services manager, who routinely deals with customer questions related to identity verification, recalled that he told the complainant he did not need to include his driver’s licence registration number or passport number.

The registrar is accountable to two industry regulatory bodies: ICANN and the Canadian Internet Registration Authority (CIRA). ICANN accredits the domain name registrars and is responsible for managing and coordinating the Domain Names System. The registrar bases its procedures for the registration of domain names upon ICANN standards. The management and distribution of generic and country code top level domains is handled by registries. For example, CIRA is responsible for operating top level domains such as “.ca.” The registrar is an accredited .ca registrar.

According to ICANN’s “Policy on Transfer of Registrations between Registrars,” acceptable forms of physical identity for the purposes of domain name holders transferring their domain name registrations between registrars include a valid driver’s licence or passport.

During the investigation, the registrar indicated that it would welcome any suggestions that our Office had regarding its personal information handling processes. We felt that the company could better explain its purposes for the collection and use of personal information. To that end, the registrar agreed to specify on its privacy policy the purpose for the collection and use of personal information with respect to registration of domain names and any subsequent changes to domain name registration records. It is also clarifying the purpose for that collection and use directly on the administrative e-mail address change form, and will note on the form that it will accept photocopies of driver’s licences and passports with the permit or certificate number blacked out.

Findings

Issued December 14, 2006

Application: Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. Under Principle 4.3, the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

In making her determinations, the Assistant Commissioner deliberated as follows:

• As there was no collection of personal information, there was no contravention of Principle 4.3.

Accordingly, the Assistant Commissioner concluded that the complaint was not well-founded.

Other Considerations

Notwithstanding this finding, the Assistant Commissioner commented on the registrar’s purpose for the collection of personal information.

• The purpose for collecting photo identification, such as a driver’s licence or passport, is to ensure that the individual making the request for changes to the administrative e-mail address in the domain name registration records has the authority to do so. 
• In her opinion, such a purpose is appropriate in the circumstances, and meets the reasonable person test as outlined in subsection 5(3). Domain name hijacking is of concern to the industry, and the registrar is accountable to ICANN and CIRA, industry regulatory bodies. It bases its procedures on ICANN standards. ICANN also lists a valid driver’s licence and passport as acceptable forms of identification when transferring domain name registrations.
• The Assistant Commissioner noted that this purpose was not explicitly referred to in the company’s privacy policy although it is alluded to on the administrative e-mail address change form. Both the policy and the form in question, however, have since been revised to better explain the purpose. The use of the information is explained in the terms and conditions of the company’s domain registration agreement that would have been applicable when the complainant’s site was initially registered by his lawyer. (This agreement, she noted, states that the customer is required to update the service provider promptly should registration information changes so that its records are current, complete and accurate.) The registrar’s credit services staff routinely explain the purpose of the collection of personal information to customers when they contact the company by phone. Such a measure is consistent with the requirement set out in Principle 4.2 to identify the purpose of a collection of personal information.
• As for whether the collection is excessive, the Assistant Commissioner noted that the registrar is requesting only one piece of personal information, namely, photo identification, and a number of business-related documents collecting the domain name, a signed letter of request on company letterhead, business registration documents, photo identification, the new administrative e-mail address, and the owner’s signature. In the Assistant Commissioner's view, this is not excessive for the purpose of ensuring that the requestor has the authority to change any information, and meets the requirements of Principle 4.4. She noted that the registrar had also changed this form to specify that it will accept photocopies of licences and passports without the permit or certificate number included.
• The Assistant Commissioner was pleased with the steps taken by the registrar to improve the information it provides to customers on its privacy policies and practices.