Analysis of NSF's Response

Overview of The Analysis

NSF's response makes two broad claims:

(1) The collection of records comprising what I call "the Domain Name Database" does not fall under the Privacy Act of 1974, and thus, NSF is not obligated to reply to my request.
(2) That even if the Privacy Act were to apply,  the NSF maintains that there are no time limits on the period in which it has to reply to requests under the Privacy Act..

Only the first of these two claims is important.  I address the latter only because it it indicates the degree to which NSF is willing to make unjustified representations of the applicable laws.

Does the Privacy Act Apply?

In 1992, the National Science Foundation issued a "Solicitation for Network Information Services Manager for NSFnet and the NREN"

Three "Cooperative Agreements" were awarded:  AT&T was to manage the InterNIC Directory and Database Services project; NSI was to manage the Registration Services project, and General Atomics was to manage the Information Services project.

The InterNIC, as a whole, was essentially a consolidation and continuation of earlier activities performed under previous Federal contracts by SRI, BBN, and other companies.  (NSF's 1992 Solicitation is so vague in its terms and definitions that it can only be understood by looking to the then-current activities of other contractors for context.)

At the start of the InterNIC projects, databases from the prior activities (including databases containing records concerning named individuals) were transferred to the new InterNIC contractors.

NSI has, as a result of its "Cooperative Agreement" with NSF, a worldwide monopoly on domain name registrations in the .gov, .edu, .com, .net, and .org top level domains.

When someone registers a domain name they are required to fill out a domain name registration form.

Within the form the registrant must provide the following information about individuals: (lines 4a through 6l)

This information transferred among the InterNIC contractors per NSF's contractual mandate, is aggregated and published as described on the Internic's own Web pages: (

Domains are registered via a standard form available through a Web interface or our FTP archive ( New domain information is installed into the DNS root servers daily. Information regarding the root servers is kept at

From the domain and contact forms, POC information is extracted and individuals who are not already registered are given records in the Whois database, our registry of domains, networks, ASNs and their associated points of contact. World Wide Web, Gopher, and Wais interfaces are available for retrieving information and accessing Whois. Online documents maintained at registration services include registration-related RFCs, registration templates, and various network information files. Many of the online files are also available through our automatic mail service.   (emphasis added)

In other words, NSI cooperates with AT&T, per their relationship under their respective Cooperative Agreements with NSF, to publicly publish information, including information about individuals, gathered through NSI's contractual performance of domain name registration activities.

For convenience, I refer to this aggregate of information gathered via the domain name registration process as "The Domain Name Database."

The term "record" is defined by the Privacy Act as:

(4) the term ``record'' means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph  ( 5 USC 552a(a)(4) )

The term "system of records" is defined by the Privacy Act as:

(5)  the term ``system of records'' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual  ( 5 USC 552a(a)(5) )

NSF has not contested that the records collected, maintained, and published by the InterNIC fail to constitute a "system of records" except in one respect:  NSF maintains that these records are not "under the control" of the National Science Foundation.

The Privacy Act states:

(b) Conditions of Disclosure.-- No agency shall disclose any record which is contained in a system of records ...  ( 5 USC 552a(b) )

NSF has not contested that the records collected, maintained, and published by the InterNIC are disclosed to the public.

It is clear that the Privacy Act contemplates databases operated on behalf of agencies by private contractors:

(m)(1) Government Contractors.-- When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system.  ( 5 USC 552a(m)(1) )

So the issue to resolve is this: Are the records in the Domain Name Database "under the control" of NSF or not?

There are two parts to this question:

(1) What are the legal standards used to measure "control"?
(2) How do the facts measure up against those standards?

What is the legal measure of the phrase "under the control of any agency" in the definition of "system of records" ( 5 USC 552a(a)(4) )?

NSF cites Department of Justice v. Tax Analysts, 492 U.S. 136 (1989).

That case is not relevant; it is based on a statute entirely separate from the Privacy Act.

Department of Justice v. Tax Analysts is based on the Freedom of Information Act (FOIA) ( 5 USC 552 )  (It is easy to confuse the citations -- FOIA is 5 USC 552 and the Privacy Act is the next section - 5 USC 552a.):

To quote Justice Marshall's majority opinion in the case:

The question presented is whether the Freedom of Information Act (FOIA or Act), 5 U.S.C. A 552 (1982 ed. and Supp. V), requires the United States Department of Justice (Department) to make available copies of district court decisions that it receives in the course of litigating tax cases on behalf of the Federal Government.

FOIA was enacted in order to open Federal processes and records to public inspection in order to promote a more informed electorate.  FOIA is designed to promote First Amendment rights of informed discourse and participation in democratic processes.

The Privacy Act, on the other hand, was enacted to protect individual rights.   These rights are those of privacy (per Griswold v. Connecticut 381 U.S. 479 (1965) ) and the Fifth Amendment right of Due Process.

In addition, the Privacy Act serves the administrative purpose of giving individuals not only the right, but also the incentive to ensure that the Federal government's records are up-to-date and accurate.

Senate Report No. 93-1183 (the Senate report on its version of the legislation which would become the Privacy Act) makes it clear that agencies should have little leeway to wiggle out of their obligations under the Act:

The Committee therefore intends in S. 3418 to require strict reporting by agencies and departments

The FOIA and Privacy Acts are in tension with one another; the FOIA promotes disclosure of Government records to everyone.   The Privacy Act blocks disclosure or personally identifiable records except under limited circumstances or to the individual involved.

Since the purposes of the two acts are in opposition, it would be inappropriate to blindly use Freedom of Information Act cases to measure obligations of agencies under the Privacy Act.

In the absence of cases addressing the specific issue of the definition of "under the control of any agency" in the privacy we need to resort to the legislative history and extrapolations from cases such as Department of Justice v. Tax Analysts.

<<**insert legislative history analysis**>>

There will always be situations where it is unclear whether a collection of records is controlled by a government agency.  The governmental purpose of FOIA is the promotion of an informed body politic.  The Privacy Act promotes more fundamental, more personal rights -- those of privacy and Due Process.  Thus, in identical areas of ambiguity, the Privacy Act ought to be interpreted to give broader scope to what constitutes Government records than FOIA.

An analysis of the facts will indicate that even if one were to apply the criteria of Department of Justice v. Tax Analysts, the records collected, maintained, and published by the InterNIC are clearly "under the control" of the National Science Foundation.

How much control does National Science Foundation have, in fact, over the records collected, maintained, and published by the InterNIC?

Let's examine two types of "control" - financial and contractual.

Let us also consider that "control" does not necessarily mean that NSF employees have their hands in the filing cabinets that contain the data.   Rather, let us consider that there may be "indirect control" -- the notion that NSF as the puppet master could manipulate its contractors in order to exercise indirect control over the databases.  As section (m) of the Privacy Act indicates, such indirect control is clearly within the mandate of the statute.

And finally, let us not forget that the notion of "control" does not require that such control actually be exercised.  The latent potentiality of control is all that is necessary.

Financial Control

One must begin by looking at the "Solicitation for Network Information Services Manager for NSFnet and the NREN" issued by the NSF in 1992.

  1. Before the establishment of the InterNIC, neither NSI nor AT&T were engaged in the services which they went on to perform as InterNIC contractors.  In particular, NSI was not involved in any way with the Domain Name System of the Internet, much less any registration services.

  2. NSF paid the InterNIC contractors several millions of dollars a year to perform their activities.

  3. As the Internet grew NSI's expenses grew.  Because the Cooperative Agreement is a "Cost-Plus-Fixed-Fee Cooperative Agreement" there were means through which NSI could have expenses covered.

    However, NSF and NSI did not work out a cost-reimbursement program.  Rather NSI proposed a fee-for-service concept to NSF in letters of June 19, 1995 and June 30, 1995.   As a result, NSF amended the Cooperative Agreement with NSI to permit the imposition of registration fees.

    This amendment, far from being a "Cost-Plus-Fixed-Fee" arrangement was, in fact, a grant of a world wide monopoly to NSI and a guaranteed revenue stream of several tens of millions of dollars per year.  It is hard to see what compensation, if any, NSF received in return.

    It is also interesting to note that when NSF "gave away the store" to NSI,   NSF eliminated Article 15 of the original Cooperative Agreement which requires that "any user fees so collected ... shall be used to defray the Awardee's and the Foundation's Project" and substituted a new provision allowing NSI to the revenue far beyond any "Cost-Plus" rationale.

    Under the original Cooperative Agreement, NSI was obligated to perform registration in the educational (.edu) and governmental (.gov) domains without fee.  The costs were covered by NSF's payments under the Cooperative Agreement.

    However, when the Cooperative Agreement was amended, it added considerable sugar to an already exceedingly sweet deal:  NSF agreed begin paying for registrations in the .edu and .gov domains.  Yet no corresponding reduction was made in the yearly money paid by NSF to NSI under the Cooperative Agreement.

    (Perhaps one may say with justification that NSF was under the control of Network Solutions.  Indeed, with the prospective abandonment of the Domain Name Database by NSF to NSI on March 31, 1998, one may perhaps say that NSF is still under the control of Network Solutions, Inc.)

  4. AT&T has announced that when NSF funding for the Cooperative Agreements to the InterNIC cease on March 31, 1998,  that it will cease publishing the various databases which comprise it's part of the InterNIC.

These facts clearly demonstrate that NSF controls the activities of the InterNIC by virtue of its control of the purse strings.

Indeed, what could more constitute "control" of a record than NSF's ability to control, via the flow of money, whether those records are even collected by the registrar (NSI) or published by the database contractor (AT&T)?

But there is more.

When NSF allowed NSI to collect registration fees, NSF mandated that 30% of those fees be withheld and set aside beyond NSI's use.  NSF directed that these funds

will be placed into an interest-bearing account which will be used for the preservation and enhancement of the "Intellectual Infrastructure" of the Internet in general conformance with approved Program Plans. Awardee will develop and implement mechanisms to insure the involvement of the Internet communities in determining and overseeing disbursements from this account.

In other words, NSF directed NSI to withhold what amounts to a 30% "sales tax" on the registration of domain names.  Further, NSF directed that those funds be expended under a vague budget, not part of any plan created by Congress or the President, and under the guidance of  vague "Internet communities".

As it has turned out in practice, this 30% fund is being used by NSF and the Federal Government.

As a practical matter, NSF has a direct financial stake in the domain name registration process.

NSI, as a for-profit corporation, would not normally be expected to offer 30% of its gross revenue stream to another organization unless compelled to do so.  The fact that NSI did acquiesce to the 30% withholding, a provision that was directly opposed to its financial interests, is indicative of NSF's overwhelming control of NSI's operations.

As a result of its funding and as demonstrated by NSF's imposition of the 30% "domain tax"  NSF had  a compelling control over NSI.    NSF thus had strong indirect control over the personally identifiable records collected by NSI and incorporated into Domain Name Database.

Contractual Control

NSF's InterNIC solicitation is an unbelievably vague document.  It is impossible to comprehend what it is asking bidders to provide without knowledge of how the Internet had been run prior to that date.

As it turns out, the InterNIC solicitation was merely for an extension of prior procedures.  The InterNIC is essentially new faces doing old jobs.

Those old jobs involved the collection of personally identifiable data as part of domain name registrations.  Indeed the registration templates bear a very strong resemblance to those in use today.

And prior to the InterNIC, registration information was aggregated, collated, and published.

Thus, despite the vague language of NSF's InterNIC solicitation, NSF knew exactly what it was asking for in terms of data gathering and data publication.

In particular, NSF knew that it was putting out a solicitation for the gathering and publishing of personally identifiable data.

This is "control" in its most raw form -- NSF was saying to bidders "Do these things and we will pay you money."

Control by the US Government

So far I've been discussing the notion of control by NSF.

We see, however, that other parts of the US Government, in particular the White House and the Department of Commerce and its National Telelcommunications and Information Administration (NTIA) strongly belive that the US Government has "control" over the domain name database.

The recent "Green Paper", which is formalled entitled: A PROPOSAL TO IMPROVE TECHNICAL MANAGEMENT OF INTERNET NAMES AND ADDRESSES - DISCUSSION DRAFT 1/30/98, contains a plan for significant reorganization of the domain name system, including the transfer of those portions of the domain name database which contain personally identifible data.

This is control beyond any degree of doubt.

Clearly NSF and the Department of Commerce need to get their stories straight.

NSF argued in it's December 24, 1997 letter to Karl Auerbach that NSF's obligations under the Privacy Act are obviated because NSF does not use the information collected by NSI.

If one goes back to 1973 report of the Secretary's Advisory Committee on Automated  Data Systems commissioned by the Department of Health, Education, & Welfare, Records, Computers, and the Rights of Citizens, one finds the following language:

1. "There must be no data record-keeping systems whose very existence is secret." 
2. "There must be a way for an individual to find out what information about him is in a record and how it is used."
3. "There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent." 
4. "There must be a way for an individual to correct or amend a record of identifiable information about him."
5. "Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data."

This report was very influential and had a strong impact upon the ultimate form and contact of the Privacy Act of 1974.  (See the pages entitled History of the Privacy Act of 1974.)

The focus of  these principles is on the individual about whom information is being collected.  What is important is the fact of information being gathered.   It is indeed not relevant  that the information is used on any particular day or in any particular way by any particular Governmental agency.  It is the mere existence of the collection itself that is  central, not the use of the collection.

Section (a)(3) of the Privacy Act clearly indicates that it is sufficient to trigger the Act if an agency simply collects information about an individual.  It is not necessary that an agency actually uses or disseminate that information.

Thus the fact that NSF may not directly use the information in the Domain Name Database does not excuse the NSF from its obligations under the Act.

But let's look a bit deeper.

Notice that two of the domains for which NSF contracted for NSI to perform registration services are .gov and .edu.

The .gov domain is defined in RFC1591 to be "agencies of the US Federal government".

And the .edu domain is defined in RFC1591 to be "4 year colleges and universities".

The NSF is specifically authorized by 42 USC 1862(g):

to foster and support access by the research and education communities to computer networks

And there is no doubt that NSF is itself an organization of the US Federal government.

Thus, NSF, in the performance of its statutory obligations and a part of the Federal Government, is a user of the information in the Domain Name Database.

It is NSF's contention that the Domain Name Database can be severed into two distinct parts.  NSF claims that there is a part that contains no personally identifiable information and a distinct part that contains the names of individuals. NSF claims, further, that that latter part is not under the control of the NSF but, rather, is under the control of NSI and is used only by NSI.

That claim can not be supported.

The "zone" files used by the Domain Name System would rapidly become stale, useless bits without continuing maintenance of the quality of the information.

And that maintenance is not possible without the "contact" records that contain the names of the individuals who registered or who are responsible for a particular domain.

In addition, NSF clearly contracted for the collection, aggregation, and publication of this contact information.

Moreover, the collection of this contact information has historically gone hand-in-hand with domain name registrations for many, many years prior to the conception of the InterNIC.

What Time Limits Apply to Requests Made Under The Privacy Act?




These statements should be considered as authoritative statements of NSF's positions.

If NSF were to change its positions, it would invalidate the legal argument on which it reached its decision to reject my request. These kinds of situations invoke the legal doctrine of "estoppel".

The legal notion behind estoppel is that if one makes a statement or logical argument in one situation, one is denied the opportunity to take advantage of subsequently substantially changing those statements or logical argument in another related situation.

NSF has made a rather questionable reply, and at the same time, put itself on-record regarding its positions on the ownership of the information in the Domain Name System.

Proceed to Next Section

Updated: January 31, 1998