Recent efforts to introduce or revise policies governing Whois for ICANN generic Top Level Domains have come under intense criticisms of the policy regarding public display of point of contact information associated with a domain name registration (1, 2, 3). In this post I provide some explanation of a domain name registrant’s obligation to provide complete and accurate point of contact information and also explain how to register a domain name without disclosing personal data.
What the RAA says
The 2013 ICANN Registrar Accreditation Agreement RAA says the following about public display of registration data:
“The Registered Name Holder with whom Registrar enters into a registration agreement must be a person or legal entity other than the Registrar” (4)
The phrase “Legal entity other than the Registrar” is included in the RAA to make clear that submitting the name of a natural person is a choice not an obligation. The obligation is that you submit contact data – legal name, postal address, voice telephone number, email address – that will allow parties to reach you, your business or organization, or an agent that you authorize to respond on your behalf to technical or administrative inquiries. The very existence of domain privacy services demonstrates that personal names – and identifying data generally – are not required. (It is also worth noting that subsequent clauses in the RAA accommodate the enforcement of personal data protection laws where such apply.)
There are many ways other than using your personal data or a privacy protection service to satisfy this obligation. Some examples follow.
Your registrant name need not be your natural name
If an individual chooses to do business under his or her natural person name, and also chooses to submit this name as a registrant name, then it is true that a Whois query would return the registrant’s natural person name. If you don’t want to expose your natural person name and you live in countries where personal data protection laws do not apply, you still have options.
For example, if you do business in the United States under an assumed business name (DBA), then you can submit this legal name as the registrant organization name and use a role name such as “domain contact” or any name that is meaningful to you as the Registrant Name, and you’ll fully comply with the Whois obligation.
This is a common large enterprise practice, see, for example:
Domain Name: GRATEFULDEAD.COM
Registrant Name: Rhino Entertainment
Registrant Organization: Rhino Entertainment
Domain Name: BEYONCE.COM
Registrant Name: Domain Administrator
Registrant Organization: BGK Trademark Holdings, LLC
If it's good enough for Beyoncé, it's probably good enough for you. There's a cost: you'll have to incorporate or file your DBA. There are advantages to filing a DBA and privacy protection is one of them. My experience having once established a small business is that the benefits of filing your DBA are worth the cost.
Your registrant email need not be your personal email
You are obliged to provide a reachable email address so that your registrar can contact you with notices regarding your registration and also for situations where someone must contact you for technical or administrative purposes, however, you do not have to use a personal email address. Instead, use an email address that is separate from your personal email address. ICANN’s Security and Stability Advisory Committee recommends such measures for security minded organizations and also comments that:
“Individuals or small businesses can implement a similar defensive measure. Create email accounts for points of contact through an email service provider that has earned a positive reputation for managing its mail service.” (SAC 044)
SSAC further recommends that you should use email address named outside your domain name for domain name registration. For example, if your domain name is marysembroidery.<tld>, you could create a email address at Gmail of the form [email protected]. or [email protected].
Debunking the “but I’ll get lots of spam” myth
I follow the advice I give here. I’ve created an email address for my domain name registrations. I don’t use this email for any purpose not related to my domain name. Below is two years’ correspondence from my In Box of my Gmail account for my domain and I haven’t received spam at this address.
While #YMMV may apply, the evidence I illustrate here is consistent with the findings from an ICANN SSAC study (SAC023) on whether Whois is a source of email address harvesting for spammers.
You can keep your phone number personal
If you choose to use your home or personal mobile phone number to conduct business, you’ve made a conscious choice to conflate this phone number’s purpose as both personal and business. It is again likely that you’ve published this number on business cards, your web site or in a phone directory.
You are, however, not obliged to publish your personal phone number. Get a separate phone number for your business use. A Skype Personal Number or business number or a VOIP number from a service like NocTel or Vonage will do nicely Some small businesses choose to use Google Voice. Your options are simple, abundant and inexpensive. And so long as you can be reached at this number, you’ve complied with the Whois obligation.
You needn’t provide your home address as a Whois point of contact address
If you choose to publish your home address in any online or printed directory form, or on your web site, then publishing your address in Whois does not expose you to more or different data collection than you’ve already accepted.
You are, again, not obliged to publish your home address or address of any other physical residence. You can rent a postal box and use this, or (better) you can arrange with your attorney, accountant, agent or other party whom you know and trust to use their address as your postal address. I favor this approach because these are parties that you know and trust. As your authorized representatives, they will do as you instruct, consult with you, and comply with legal orders. These services may incur a fee, but while these fees may be higher than a privacy protection service, you know that these parties are very likely to serve you personally and well.
Having to choose is not the same as forcing you to disclose
Claims that ICANN will force you to disclose personal data are patently wrong. You have a choice to disclose personal data or to substitute equally compliant, complete and accurate contact information without revealing personal data when registering a domain name from an ICANN accredited registrar for an ICANN accredited Top Level Domain. There may be fees involved, but it should be increasingly clear today that what is "free" on the Internet often costs you in units of personal data. If you are interested in protecting your personal data, think carefully about protecting your personal data and about the value of separating business from personal identities. As an individual or home/small business operator, assess which arrangements of the kinds I’ve illustrated meet your needs.