Guest article: Public registers & privacy – NZ DNS introduces IRPO

Occasionally we publish guest articles about matters relevant to civil liberties in New Zealand. The following article discusses an important change in how people can register New Zealand domain names (.nz) while still maintaining their privacy.

The author, Kieran Reid, works at Freeparking, a domain registrar and web host company based in New Plymouth and Auckland.

Domain name privacy is coming to .NZ domain names

As it stands in New Zealand, there are three publicly accessible databases containing personally identifiable information about us Kiwis: the Domain Name Commission’s WHOIS search, the Electoral Commission’s Electoral Roll and the Companies Register, operated by the Ministry of Business, Innovation & Employment. For historical, legislative and policy reasons, the public benefit of providing this information has tended to outweigh the individual’s privacy.

A new “pro-privacy” feature introduced by the DNC on the 28th November 2017 has recently come into effect. The Individual Registrant Privacy Option (or IRPO for short) is a new policy and functionality that domain registrars can implement and, by extension, provide as a service to their end users – individual .nz domain holders.

Prior to this change, if you owned a .nz domain, your name and contact details were required (by DNC policy) to be valid and publicly available to anyone who searched the DNC’s WHOIS search.

What is the IRPO?

The IRPO is a new DNC policy (and functionality) that enables individuals who own .nz domains to make their contact information private. The DNC, who oversee policies for .nz domains and authorise .nz registrars, have recently introduced the policy and turned on functionality on the NZRS (New Zealand Registry Services) backend system to allow for more privacy around individual domain name ownership.

It is designed for individual registrants only – i.e. those not in ‘significant trade’, so not businesses or organizations. Individual owners of .nz domain names will now be able to opt to withhold some of their contact information from being publicly searchable.

But I already have domain privacy?

Various “domain privacy” services have been offered for years by large international domain registrars, think GoDaddy or NameCheap, who manage ICANN domain TLDs (Top Level Domains) like .COM, .NET and .ORG. These services are somewhat of a policy grey area, as the privacy services offered are not registry-backed privacy options and essentially delegate ownership of your domain to someone else who you choose to trust.

This IRPO change, in comparison, is a registry (DNC) initiated change and is somewhat different in function and scope to the “domain privacy” services that you may have seen offered on ICANN domains. There are, however, similar privacy protections offered at the registry level on .UK domains and a few other ccTLDs (country-code Top Level Domains).

Who is the DNC?

The Domain Name Commission are the group tasked with developing and monitoring the competitive registrar market for the .NZ domain space. They oversee authorisation and de-authorisation of registrars and administer any .nz disputes. They do not sell domains themselves to the general public or businesses; instead, they delegate this responsibility to authorized registrars.

Why was IRPO introduced in New Zealand?

The IRPO functionality was introduced as part of an ongoing WHOIS review process where consultations identified that there was some public benefit in having domain contact details withheld under certain conditions. Having your details private avoids unwanted sales calls from spammers, direct marketers, and other unsolicited contact. Enhanced privacy can help to protect the domain owners from other threats, including identity theft and cyber criminals.

There have also been concerns raised about personal safety, and freedom of speech being expressed safely in the NZ domain space. The primary concern raised from consultations is that an individual’s home address information is publicly published on the DNC WHOIS database and they have no way to hide this for their own privacy other than to place falsified information, which would contravene DNC policy.

The IRPO was introduced after many in the .nz internet community called for greater measures to protect privacy online. There was an in-depth review, including five public consultations from 2015 to 2017.

How does it work?

The domain name owner has to apply to their .nz domain name provider to have their domain name ownership made private and “turn on” IRPO domain privacy. So far, only a few domain name providers have started to extend IRPO to their end-users; at this point it is optional for registrars to offer it as a service.

From the 28th March 2018, all .nz authorised registrars will be required by DNC to offer IRPO to their customers. To apply, you must declare that you are an individual, and not using your domain for ‘significant trade’. If approved, the DNC removes the contact address, email address and telephone number of the domain name owner from appearing publicly in the WHOIS database.

You will need to do this for each domain you own, after confirming for each domain that it is for personal use and not for trade.

Release of information

There are some situations where a need was identified, by the DNC via consultation, to release “protected” information to authorised private and public entities. Although this process is still under some review, a requesting organization would be authorised by the DNC by means of a Memorandum of Understanding. This MOU is a specific type of contractual agreement between an organization and the DNC that outlines the terms and conditions of the nature of the shared information.

As it stands, the release of private information will require requesters to declare what information they need (email address, physical address, and/or phone numbers), the purpose they need the information for, and to agree that the information cannot be used, published, disclosed or disseminated in any other way.

If a situation arises where an individual’s information has been set to private, and subsequently released and misused, then there will be some recourse. The DNC could choose to end the MOU and withdraw the ability to access the information from the entity. Additionally, a complaint could be made to an authority such as the Office of the Privacy Commissioner, and/or legal recourse could be sought.

There are currently no signed MOUs for requester organizations; however, the DNC will publish these on their website in due course:

Why weren’t domain holder details made private automatically?

A number of countries already have privacy by default, but the DNC noted that .nz’s top-level domain principles, as originally developed, have always included registrant data being completely open.

For the large majority of people, the information being available isn’t a great deal of concern, and a lot of the information is easily found online anyway. There is also the counter-point, raised by a few interested parties during WHOIS consultations, that because WHOIS is used often by police, lawyers, journalists and other professionals, removing that information from public display and making it more difficult to access may cause more harm and delay lawful access.

What are the possible negative outcomes?

As an untested new practice, there appears to be some vagueness where political, controversial or whistle-blowing individual blogs (for example) could be deemed to be in ‘significant trade’ and the domain owner’s details forcibly published. The implications for the vagueness of ‘significant trade’ are yet to be realised, and we will see how this unfolds over time.

What does it mean for you?

You still must provide your contact details to your domain name provider, but you can apply to make that information private. This can help protect you from automated WHOIS-harvesting spammers and a variety of cold-calling marketers.

If you are running a business from home and are in ‘significant trade’, you will still be required to publicly list your details. One workaround is to utilize a P.O. Box as the public address to protect your home address. If you run a blog that receives income from advertisers, this may constitute ‘significant trade’ and could result (in extenuating situations) in home addresses being published publicly. It is up to you to decide if action needs to be taken, and depending on your business, the IRPO may not even be relevant to you.

These changes reflect a growing public awareness of our own privacy. This pro-privacy IRPO change could even signal a shift in the way these public databases are managed in New Zealand, and overall, these kinds of changes are a net gain for individual privacy in Aotearoa. Hopefully this trend continues, but it still leaves the Electoral Roll and the Company Register open to privacy abuse.