ITBusiness.ca

CIRA revamps privacy policy for PIPEDA compliance

It may be long overdue, but opposition from law enforcement and copyright holders has slowed the rollout of a new privacy policy for the dot-ca domain name WHOIS registry.

The policy will keep the personal information of registrants from being publicly displayed; however, this information will still be accessible to the public by request. The Canadian Internet Registration Authority (CIRA, www.cira.ca) has approved the policy, but more consultation is taking place with the public on how it will be implemented.

The WHOIS registry was developed in the 1980s and hasn’t been modified much since then. But Canada’s privacy legislation, PIPEDA, is forcing change.

“The first and foremost reason for us going down this path is PIPEDA, to be in accordance with the law,” said Bernard Turcotte, president and CEO of CIRA. But he sees the move as a positive one for the public.

“There are a lot of people who don’t put in correct information because they don’t want to be bugged,” he said. “In Canada we actually do verification on complaints or on our own and we advise people and they get upset.” The new policy is expected to greatly improve the accuracy of information in the WHOIS registry, Turcotte said, since people don’t have to worry about it being made publicly available.

There are concerns by trademark holders, however, about access to registrants who they think are infringing on their copyright. Before, they could have looked these people up themselves. Now they’ll have to go through a more formalized process.

“It’s one thing when the registry is doing it because it’s concerned,” said Turcotte. “It’s a whole other thing when it’s a national law.” But most trademark holders will grudgingly live with the new policy, he added, if they have some sort of mechanism in place to formally notify registrants without giving out personal information.

There is also concern from the law enforcement community. “There’s a provision in our laws that if the right groups ask you simply divulge but you notify the person concerned – law enforcement did not like that at all,” he said. The policy as it stands now will allow law enforcement to go through a cycle of investigation and have time to make a decision as to whether they should apply to a court to have CIRA’s requirement to notify delayed or cancelled.

“It’s a tension, because we’re trying to meet the requirements of federal agencies on two sides, the privacy commissioner and the RCMP, so it’s challenging sometimes.” But it doesn’t prevent formal organizations that have the right credentials from obtaining the information, he added.

“It’s quite a balancing act between the privacy rights and the reasonable access to the data that is required for important public purposes like ensuring that domain names are not registered in bad faith or infringing on trademarks,” said Fazila Nurani, president and founder of PrivaTech Consulting, a privacy and information security consulting firm. But she believes CIRA has struck the right balance, since the individual registrant’s information is kept confidential by default, but someone who has concerns about a particular domain name can use CIRA’s dispute resolution process to access that information – a process that Nurani has participated in. “It’s a very good process and it’s not an expensive route to take as opposed to going through any sort of legal action.”

Some 80 per cent of registrars around the world are still open and provide public access to registrants’ information. “Everyone’s sticking with the status quo, so it’s not easy to make this change,” she said, “but it really puts Canada at a forefront in terms of being a privacy protected environment on the Internet.”

At the same time, she’s surprised it’s taken this long, since there have been no modifications to the policy since the 1980s. And it’s not finished yet – CIRA is in the final phase of what has been a two-year consultation process.

The public can participate in this final consultation until Sept. 8 by clicking on the “WHOIS Consultation” link on CIRA’s Web site.

Comment: info@itbusiness.ca
