Home / Blogs

ICANN Cannot Expect the DPAs to Re-Design WHOIS, but Asking for a Reprieve Makes Sense

We are on the brink of the most serious threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an “interim” plan that will hide critical information in WHOIS. Security, threat intelligence, and anti-abuse professionals rely on WHOIS to track down bad guys and keep the Internet as safe and secure as possible.

ICANN and the registrars have been going back and forth on ways to align privacy laws with the WHOIS system, which functions as a public “phone book” for Internet domains, recording information that includes the name, email address, street address, and phone number of the company or individual who registered the domain.

For years, there has been an accepted procedure for handling situations in which WHOIS conflicts with privacy law—nobody disputes the importance of protecting the privacy of natural persons. But now, with less than sixty days to go before the General Data Protection Regulation (GDPR) adopted by the European Union (EU) comes into force, registrars, who finance ICANN, have pressured ICANN into closing the public phone book effectively altogether, turning the open and public Internet into a Tor-like deep and dark net. Specifically, ICANN came out with an interim solution nicknamed the “Cookbook,” which suggests completely masking the contact email address, thereby completely hiding who is responsible for managing or controlling a resource on the Internet. The Cookbook also suggests masking certain information for corporations, even though GDPR doesn’t apply to them.

The ability to register domains anonymously is a massive problem for the security of the internet—attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they’ll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on WHOIS to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware—the vast majority of cybercriminal activities. Some think that it is the hosting provider’s problem to fix, but unless their customer is reaching out to them, they likely have a different service department handling the issue, and probably even have a backlog to deal with. By reaching out directly to the victims in parallel by phone and email, those victims are able to help themselves more quickly.

The Cookbook also makes it impossible to see which sites are connected or under the same management or control. For example, if someone in an organization’s marketing department registered a domain using a corporate account without going through the correct internal procedures, and that site did not have the right patches or was not scanned for vulnerabilities, their online customers and visitors will likely become exposed to phishing and malware.

With the registrar business being low-margin, anything that will reduce the security line item on their budget is attractive to many registrars if they can get away with it. Registrars generally would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. Because GDPR is complex, difficult to interpret at this early stage and comes with heavy fines of up to 4% of annual global turnover, GDPR has been weaponized by registrars to pressure ICANN into making the domain name system more closed and private.

The Governmental Advisory Committee (GAC) of ICANN met in San Juan, Puerto Rico in March 2018. The GAC advised the ICANN Board to instruct ICANN to maintain the current structure of the WHOIS to the greatest extent possible. The GAC essentially pleaded to the ICANN Board to instruct ICANN that it must reconsider hiding the registrant email addresses from the free phone book, emphasizing (quite diplomatically) that it may not be proportionate given the significant adverse impact on law enforcement, cybersecurity, and rights protection it would have.

The GAC appropriately went even further by emphasizing to the ICANN Board that it must instruct ICANN not to erroneously use GDPR, which applies to people, as an excuse to shut down public access to corporate contacts in the phone book, which is not even in the remit of GDPR. This unjustifiable over-application of GDPR prevents companies from effectively defending their very own infrastructure. Whether requiring the same cryptographic hash function across registrars for individually owned domains so you can still pivot on the email across registrars is technically feasible, has been submitted for discussions right now with the world’s top experts in this area. Technical discussions are also underway on whether requiring the local part of the registrant email on a corporate domain to be generic moving forward and otherwise masked (leaving only the corporate domain, which has no information relating to an identified or identifiable natural person) can be done for the sake of security and stability. These less drastic (conceivably possible) measures will certainly not be coming from the DPAs on their own initiative. The ICANN org must do that work.

If the phone book must change in some ways, notwithstanding the accepted procedures for handling WHOIS conflicts with privacy laws, then ICANN must ensure that those with a legitimate purpose still have continued access to the contact information needed to protect business and the public until the re-designed phone book is ready for use. You can’t just close the book and tell security professionals, who rely on WHOIS data to keep the internet safe, to come back when it’s re-designed, potentially months later. It’s entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory. The phone books also have to be easy to use in today’s world, i.e., not designed to impose limits that undermine all functionality in the digital age—if you can only use the phone book manually or less than you would reasonably need, the query volume limitation is no more than a disguised blockade. I guarantee that the registrars do not have the resources to start taking on the additional work needed on the back-end that is being done for them using bulk access. But unless and until the accreditation system is up and running efficiently, that is what would have to happen to avoid disrupting the stable and secure operation of the Internet’s identifiers.

To repeat, we are on the brink of the most serious threat to the open and public Internet for decades. We must step up to the plate and not get complacent about this. ICANN must have a way to hold registrars accountable if they abuse GDPR as an excuse to cripple WHOIS.

We at RiskIQ sent a letter requesting such adequate assurances from the Board on March 26. To express your concern, we prepared a generic letter you can fill out here. This letter will go to ICANN’s Board, ICANN’s CEO, and the GAC Public Safety Working Group Co-Chairs. Copies will be sent to the DPAs. ICANN has since then corresponded in writing and subsequently published yesterday, twenty eight letters to DPAs asking for help:

We request you to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.

The DPAs will not be able to come up with the technical solutions that are necessary to architect WHOIS in a way that is both compliant with GDPR and at the same time not damaging to the security and stability of the DNS. That is the only way an ICANN temporary policy can be used to hold registrars accountable. We need to do that work. A moratorium is not needed on enforcement, but rather, a tiered-phase enforcement forbearance that has strong snapback provisions. The phases should be subject to discussion between ICANN, the community, and the DPAs. One phase may be re-designing the public Whois so that it is minimally disruptive to the security and stability of the DNS and consistent with GDPR. The second phase may look at an accreditation model and what needs to be done by ICANN to help the community build it into the system architecture in a fair and just manner. For each phase, deadlines can be set against which the DPAs can measure whether to have enforcement snap back into force.

Yesterday, ICANN’s President and CEO met with the technology subgroup of the Article 29 Working Party. It appears to have been confirmed based on a third-party source that as anticipated by ICANN, the WHOIS system is on the upcoming Article 29 plenary’s agenda in less than two weeks. ICANN is hopeful that it will be provided with a moratorium on enforcement that would allow sufficient time to implement the model and build the appropriate accreditation system. The model must reflect GAC consensus advice not to make changes to the current WHOIS that are not required by GDPR and disrupt the stability and security of the DNS.

By Jonathan Matkowsky, VP of Intellectual Property & Brand Security at RiskIQ

Filed Under

Comments

Exaggeration and misinformation. OwBo  –  Mar 30, 2018 9:14 PM

The sky is not falling and the internet will remain open and public regardless of what gets published in WHOIS. The contact information will still be there and accessible by those that have a valid reason to see the data, the difference is that people’s private contact information will not be published for every spammer and scammer to see, scrape, and store. This is a good thing and the way it should be. Hiding registrant contact information will in no way disrupt the stability and security of the internet.

Attackers, phishers, and their ilk are not using valid or reliable contact information and no one uses WHOIS data to track them down since it is going to be bogus. You do not use WHOIS to get information about IP addresses or subnets as you mention as WHOIS does not contain that data. Registrars and registries do not use this information to take down malicious sites as it does not matter. Any sort of law enforcement or other valid entity can still get the data if needed.

WHOIS data is really only valuable to criminals and IP lawyers, it’s completely useless for the actual functionality and security of the internet. If anything, publishing registrants contact information is a detriment to it.

Whois for IP addresses Leo Vegoda  –  Mar 30, 2018 10:12 PM

You do not use WHOIS to get information about IP addresses or subnets as you mention as WHOIS does not contain that data.
Yes you do, albeit run by different organizations. Athina Fragkouli, the RIPE NCC's Head of Legal, recently published an article about how they are managing this.

Dead wrong boyo. Neil Schwartzman  –  Mar 30, 2018 9:52 PM

Owbo makes the usual uninformed claim that since miscreants put wrong info in whois it is useless to use to find them.

As always, it doesn’t matter. If I can find 100 more domains usuing a fake address, I’m good.

The sky is falling denying it won’t make it better.

I'd wager that the internet will continue OwBo  –  Mar 30, 2018 10:40 PM

I'd wager that the internet will continue operating as intended even without making registrant contact information public.

A concern I have which seems to Charles Christopher  –  Mar 31, 2018 2:20 AM

A concern I have which seems to get little attention is increase in domain theft. Or put another way, decrease in ability to defend against theft and have ones domain returned.

As to the internet continuing without whois, I agree it will. However my position is not only should we have whois, proxy/privacy whois should not be allowed and should be a reason for domain deletion.

The key here is trust. Trust in the mind of individuals.

If I can’t PROVE a domain is mine via public instantiation of whois ownership/contact info, then what I have is nothing (see 400 years of property rights laws). The low margins mean registrars don’t care and rarely fight for the registrant. Its the same as my county recorder having my information publicly available for my home, it protects me.

Remove those protections and trust will erode. That’s not the internet I am interested in. I am interested in an internet that brings in more participation, through trust and confidence that ones work, embodied in a website, actually has some protections.

And being the cynic that I am, I personally think erosion of trust is the goal here. As stated, corporations are not the issue, only individuals are. This is just another cut among thousands that move us away from the great “organic” internet we once had.

Further, ignoring malware, spam, and other nuisances, I am concerned about sanctioned bad actors acting in a cloak of darkness. Benefiting from hiding from view. At least with whois there is a requirement that is is correct, and I can create real costs to the domain sponsor if someone is playing whois games. Thus the sponsor looks into it and is on the hook for verification. Now sanctioned bad actors have a little easier job of hiding. Often its passionate out of the box thinking by unique individuals that can spot such registrations.

So here is an out the the box silly thought, how about ICANN actually not playing victim and use some of those 100’s of millions it has in the bank to read the riot act to the EU on behalf of registrants, registrars, and the internet in general? Sorry, just because a government bureaucracy creates a pretty piece of paper with pretty writing on it does not mean we should just rollover and play dead. As applied to whois this is foolishness.

The internet will continue, but this is going to move us in a bad direction.

Let me give some examples.I have been Charles Christopher  –  Mar 31, 2018 4:55 PM

Let me give some examples.

I have been involved with domain names since 1999. I have been very active helping others, for which I have learned even more.

I participated in the Afilias .INFO landrush and acquired 100’s of domains. The first landrushes were implemented very differently than today. I had ten’s of thousands of dollars billed for refundable catch fees as I put my orders in at every participating registrar. It took me 6 months of work to get my fees refunded for the unsuccessful orders. It was a great lesson of how corrupt this industry can be.

Early on in the above experience it became clear how nefarious registrars can be. I had printed a copy of the whois for all the domains I had applied for, those won and those not won by me. I then periodically checked these registrations. The whois for 2 domains I had at one registrar changed to an unknown party. They were valuable 3 letter domains. I contacted the registrar and they told me I had in fact not won the domains even though I had been charged. I then contacted Afilias. Afilias, by written policy not be backend coding, had required registrar to not change whois values for 60 days after initial landrush registration. I emailed a copy of the original whois and Afilias verified it had changed. Afilias made clear their legal time was going to have a very stern discussion with this registrar and a few days later the whois changed back to my details. I wish I could recall the registrar, but I do recall that shortly thereafter they went out of business. No surprise. When these things happen I know I am far from being alone, MANY others are having the same experience even though we don’t hear about it.

Note well this was a REGISTRAR that attempted to steal the domain, not a third party, and that it was the available public whois that prevented this from happening successfully.

Next up RegisterFly. Having learned over the years just how uncaring registrars actually are I wrote an application (which I still use today for managing my own registrar) to monitor domain whois. One day it reported the whois on some 3 letter domains at RegisterFly had changed. I call them up and received an apology and the whois was immediately changed back to my information. Two weeks later it happened again and I transfered the domains out. I also posted my experience on DomainState.com and encouraged everyone to get their domain out of RegisterFly ASAP before they were stolen. Shortly after that domains were stolen and the RegisterFly fiasco occurred, resulting in the creation of the ICANN escrow system. 

Note well again this was a REGISTRAR that attempted to steal the domain, not a third party, and that it was the available public whois that prevented this from happening successfully.

And for those that may be so foolish to believe that can’t happen now:

http://www.circleid.com/posts/20170326_a_case_to_further_dns_registrar_industry_self_regulation/

Yesteryear registrar were very clear on this point, if fact many had this very line in their terms of service:

“We reserve the right to change these terms at any time without notice to you.”

Which rendered everything else meaningless. Today last I look they say the same thing, but use legalese to be less obvious about this fact. They also reference out to other documents thus not placing their entire TOS in one place.

And today while others have hardcoded transfer lock logic in their backends, Verisign DOES NOT. This means after theft one can transfer, “launder”, the domain through multiple registrars (in a very brief period of time, before theft detection) to make recovery even more difficult.

I am picking on registrars to make the point that if they are complicit, and are just more crafty about how they do it these days, then how is one to protect themselves when a third party is involved? Loss of public whois will make it exponentially harder to recover a stolen domain as proving ownership will be harder. In many cases it will make recovery impossible.

Other ways this occurs:
1) Claim the of file credit card was invalid, when it WAS VALID but conveniently ignored (see my TOS comment above)
2) Once renewed their domains out 2 years, then changed their email and never received the renewal failure notices
3) Business uses a consultant for domain registration and web developement, Business demands their info in contact record but since its no public its useless data.
4) Email account becomes compromised and domain is outright stolen
5) As in SEX.COM social engineering results in domain tranfer
6) The one that has always bothered me the most, registrant does not understand their registration is with a reseller and not directly with the registrar. The reseller transfers/steals the domain.

While some of my examples would be considered “registrant error” I include them to make the point that without public whois proving predation becomes much harder when it happens. And again, once we add a third party being the thief, recovery it far more difficult as prove of original ownership is less/not possible.

Domain theft is an issue but, Theo Geurts  –  Mar 31, 2018 7:27 PM

IRTP-D

Shoddy registrars will have to pay the fee of the dispute provider if they mess things up with domain theft and unauthorized transfers. It’s almost, almost,  like we really given that policy some thought when we cooked this one up. From the entire IRTP PDP’s we did, this one was the best, and the least visible and known.

>if they mess things up Prove it.That's Charles Christopher  –  Mar 31, 2018 9:44 PM

>if they mess things up Prove it. That's the point. Saying it's easy does not make it so. Public whois is, WAS, a great tool to use as proof. For example, start with moving a domain from one account to another inside the registrar and IRTP-D does not apply ("push"). Now change the email so as to receive the IRTP-D handshake, then change it back to what it was. And the IRTP-D did what? Nothing. >IRTP-D Why did IRTP-D fail is these cases, and what was the "fee" paid by these "Shoddy registrars" (your words not mine): 2017-05 https://domaingang.com/domain-crime/corporate-crime-domain-stolen-by-former-employee-at-godaddy/ "Sounds like this should be an easy one, but just like all else GoDaddy, it isn’t. No one responds and all we get are bot responses." 2017-04 https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/ "hackers changed the Domain Name System registrations of all 36 of the bank's online properties" 2017-09 https://www.theregister.co.uk/2017/09/07/enom_security_snafu/ "The security lapse allowed .uk domains to be transferred between Enom accounts with no verification, authorisation or logs." 2018-02 https://domainnamewire.com/2018/02/12/newtek-domain-theft-major-impact-customers/ "First, Newtek is a Tucows reseller and managed all of these domains through its reseller account." "the thief or thieves moved the domain names to three different registrars: P.A. Viet Nam Company Limited, INET Corporation and GMO Internet, respectively." 2017-04 https://domainnamewire.com/2017/04/21/popular-website-stolen-held-ransom/ "The domain name was transferred from Register.com to Internet BS as part of the theft." 2018-02 https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/ "Newtek acknowledged the outage was the result of a “dispute” over three domains, webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com. " "A search at Domaintools indicates that this address is linked to the registration records for four domains, including one (giakiemnew[dot]com) that was recently hosted on a dedicated server operated by Newtek’s legacy business unit Crystaltek [full disclosure: Domaintools is an advertiser on this site]. Recall that Crystaltek[dot]com was among the three hijacked domains." 2017-07 https://domaingang.com/domain-crime/domain-theft-report-of-stolen-domain-names-for-august-2017/ "HRI.com, Sapphire.com, 988.com, ASZ.com, 864.com, GR.org, OLP.com, FDE.com, EOL.com, NNN.com, WOK.com, WTV.com, JOL.com, Tang.com, Zhang.com, TNTG.com" Note well that is a list of domains of considerable value, and include a 2 letter .com. When its a large block of domains, with many registrants involved, proof is easier. If it is just one domain then you will get ignored as the registrar is always considered to be "in the know" and the registrant is always considered to be "an idiot". Sorry to be so blunt but I have seen this for almost 20 years now, it will never change. Registrants don't want to know how things work, they just want things TO WORK. We have data for the most obvious cases, not the individual cases. And for those that frequent CircleId and know how the system works, we will be formidable in our challenging a theft. The average person has no clue and the theft will succeed, especially after being unable to prove ownership through public whois (historic records). I believe all the above examples occurred after IRTP-D. I have managed thousands of domains. No pretty piece of paper with pretty writing will stop domain theft, but pretty pieces of paper with pretty writing WILL make it much easier to get away with.

Time to start looking at alternative means to achieve your goals Volker Greimann  –  Apr 3, 2018 2:53 PM

For all of those that have relied on public records of private details the warnings have been written on the wall in large capital letters for ages. This model of doing business was destined to go away as it violates the rights to data privacy of millions. No other industry has to provide similar data on their customers, at least not without legislatively mandated justification. Public whois will go away in six weeks, but this does not mean that legitimate access to data will go away too. If you have a legal right to access certain data, you will still be able to exercise this legal right, no matter what happens. For example, even though subscriber data for internet access is not public, certain parties have a legal right to under certain circumstances access this data and find out whom a certain IP address was assigned to at a certain time. So just because it is no longer public, the data is not gone.

“Closing the phone book” - If you take this as an analogy, in many countries people must now opt in to the publication of their data in a public phone register. So the actual phone book is already closed.

“Proving ownership rights”: I would assume that down the road there will be the ability to opt-in to the publication of your details in some form of whois. Until then, people will have to rely on other means of showing their ownership, such as a clever use of DNS records or disclaimer notes on the websites, certification of current registration by registrars, etc. As all data is constantly being escrowed a track of ownership records is constantly maintained. While it may require some changes to the escrow agreement to allow the use of this data in an alleged theft, the GDPR even provides for a right of the data subject to retrieve the data on themselves on file with the escrow agent.

Fighting abuse: Whois is but one tool of many used by the anti-abuse agencies to combat abuse and cybercrime. So this likely means that if one tool goes away or is changed, the other tools become more significant abnd further tools can take its place. As abuse-fighting mechanisms need to be constantly evolving anyway based on the nature of their enemies, I fail to see the doom and gloom scenario resulting from the loss of just one tool in their arsenal.

Domain theft: If anything, social engineering becomes harder to do for the thief as he has less data to go on.

Usefulness of incorrect data: This seems to be a never-ending discussion, with some alleging that even incorrect or stolen data is helpful while others deny that. I believe it depends on the abuser. If the abuser is an idiot, he will use the same stolen details in every domain he registers. If he is not, he will have a database that randomly populates each registration with unique, accurate details that will pass any security or fraud check. In my experience of reviewing abuse complaints, the latter is predominantly the case. Abusers were actually helped by the ICANN requirements to validate addresses as of the 2013 RAA as it forced them to up their game.

All the above said, all parties will need to find means and methods to deal with the incoming changes, and this includes ICANN contracted parties too. Registrars and registries will have to start offering services to help registrants better deal with ownership issues. Abuse fighters will have to develop new tools and methodologies. Due process will have a role to play, just as it does in other internet industries currently unregulated by ICANN.

No one I know is using GDPR as an excuse. We see it as an inevitable circumstance that forces the industries to address a legal problem it should have addresses a long time ago. If you want to blame someone, blame those within ICANN who have over the years vigorously defended the status quo against any suggestions for change. Back then, change could have been introduced over time, with well-thought out measures to alleviate any concerns. It is the need for swift change now that will create the problem in the short term. In the long term though, most concerns will be properly resolved.

This goes back to the same never Charles Christopher  –  Apr 3, 2018 4:23 PM

This goes back to the same never ending issue. People in this industry are STAGGERINGLY DISCONNECTED from the true end users of domain names: REGISTRANTS. >This model of doing business was destined to go away as >it violates the rights to data privacy of millions. I also have a right to prove I own something, particularly after it is stolen. Now the thief gets the "right" to hide their theft thus creating the illusion that the victim has no right to the data. The fact that law enforcement has access is meaningless, the victim must be able to "motivate" law enforcement to act which is becoming increasingly difficult: http://www.fox5atlanta.com/news/atlanta-police-to-no-longer-respond-to-some-shoplifting-calls "The chief believes that time can be better spent by having those officers handle serious crimes, from burglaries to carjackings. Shields said if a shoplifting takes place, the larceny can still be reported and will be counted in the APD stats. The chief puts the onus on the merchant to file the incident and, if necessary, spend the funds to hire an off-duty Atlanta or metro officer who can make the sure the culprit is made to pay for his crime." The most motivated individual will always be the victim, now they can't defend themself as their primary tool for proof of ownership is removed. THEY can't prove legal right to access, that is the point, their domain was stolen. >No other industry has to provide similar data on their customers, >at least not without legislatively mandated justification. My jaw dropped reading that! Land Rights. Vehicle Registration. Recreational Vehicle Registration. Drivers License / National ID (proof of self) - Required for me to get a library card - Required when I use my credit card at some locations - Required for alcohol purchase https://en.wikipedia.org/wiki/Land_registration "Land registration generally describes systems by which matters concerning ownership, possession or other rights in land can be recorded (usually with a government agency or department) to provide evidence of title, facilitate transactions and to prevent unlawful disposal. The information recorded and the protection provided will vary by jurisdiction." >If anything, social engineering becomes harder to >do for the thief as he has less data to go on. Another jaw dropper. As if Social Engineering is the only method of theft. Why are you choosing to present this as the only way domains are stolen? ..... >As all data is constantly being escrowed a track >of ownership records is constantly maintained. Please provide proof of that statement. ICANN escrow allows the escrow of privacy contact records, thus rendering it useless. In other words ICANN escrow protects registrants from honest registrars, something that was never needed in the first place. https://www.icann.org/en/system/files/files/rde-specs-09nov07-en.pdf "4.1.5 Registrars that allow customers to register domain names through Whois privacy or proxy services that incidentally prevent escrow of the beneficial domain name users' contact information may include additional fields in the text file to escrow the names, addresses, telephone/fax numbers, and email addresses of the beneficial users. Registrars that elect not to deposit such beneficial user information will be not be licensed use of ICANN's registrar data escrow logo." We don't get to use ICANN's pretty picture, great. And how does that serve registrant's interest? >If you want to blame someone, blame those within ICANN who have over the years >vigorously defended the status quo against any suggestions for change. Agreed. >Back then, change could have been introduced over time, >with well-thought out measures to alleviate any concerns. I seem to be missing the defeatist gene. >It is the need for swift change now that will >create the problem in the short term. I must have missed the memo. Collateral damage is collateral damage. I don't see anybody suggesting we need to avoid taking Facebook (and others) behind the outhouse for a good old fashion fanny reddening. And its the lack of end user understanding that requires some level of protection be put in place. But its that same lack of understanding of whois usefullness that those same end users need to be protected from. The whois serves them VERY WELL and I struggle to name a registrar that DENIES use of proxy whois. For those registries that deny proxy whois, let them change to allow it to satisfy GDPR and thus the registrant has such options. The option to NO USE proxy whois and prove ownership. The key here is the registrant has lost the right to display powerfully usefull ownership information. They have NO CLUE this is happening, and we here are who they have entrusted to protect them. Proxy whois exists, use it if you are concerned about privacy that's why it started! Every registrar admin panel I have seen makes this feature MORE THAN OBVIOUS. Domain whois is Collateral damage of the GDPR objective.

> I also have a right to Volker Greimann  –  Apr 3, 2018 4:57 PM

> I also have a right to prove I own something, particularly after it is stolen. Correct, but in many real world examples this is hard to do as no register exists. >The most motivated individual will always be the victim, now they can't defend >themself as their primary tool for proof of ownership is removed. THEY can't >prove legal right to access, that is the point, their domain was stolen. This just means that we will need to invent other methods of proving ownership, such as DNS records, website disclaimers or I-have-not-thought-of-them-yet. >>No other industry has to provide similar data on their customers, >>at least not without legislatively mandated justification. >My jaw dropped reading that! >Land Rights. Legally mandated, e.g. there is a law that requires such a register and what is to be published in it. >Vehicle Registration. Legally mandated, e.g. there is a law that requires such a register and what is to be published in it, who has access, etc. >Recreational Vehicle Registration. Legally mandated, e.g. there is a law that requires such a register and what is to be published in it, who has access, etc. >Drivers License / National ID (proof of self) Legally mandated, e.g. there is a law that requires such a register and what is to be published in it, who has access, etc. >- Required for me to get a library card It is required to prove your elegibility, however they should not be keeping a record of your data - Required when I use my credit card at some locations It is required to prove your elegibility, however they should not be keeping a record of your data - Required for alcohol purchase It is required to prove your elegibility, however they should not be keeping a record of your data >As if Social Engineering is the only method of theft. Why are you choosing to >present this as the only way domains are stolen? ..... It isn't, but it is a vector that you yourself referenced. >>As all data is constantly being escrowed a track >>of ownership records is constantly maintained. >Please provide proof of that statement. It is all in the RAA, which also specifies that if privacy is offered by the contracted party or an affiliated entity, the underlying data must be escrowed as well to prevent another RegistrarFly. > I must have missed the memo. Quite a number of memos actually, some dating back over a decade. > Collateral damage is collateral damage. Absolutely! Which is why we all need to come together for a solution that works. > But its that same lack of understanding of whois usefullness that those same end Just because something is useful does not mean it is legitimate. Owning guns is useful, yet certain jurisdictions ban it outright or have strict limitations based on other legitimate considerations. > The option to NO USE proxy whois and prove ownership. Which is why we will need an opt-in to publication. > The key here is the registrant has lost the right to display powerfully usefull > ownership information. They have NO CLUE this is happening, and we here are who > they have entrusted to protect them. In my experience, most registrants have no clue that this information is published in the first place, despite all the information and reminders we put out.

>Correct, but in many real world examples Charles Christopher  –  Apr 3, 2018 8:44 PM

>Correct, but in many real world examples this >is hard to do as no register exists. This is not about a table knife or fork, or other examples of items for which registration costs make no sense or the registration cost would be greater than the item cost. This is about something that an individual may be using to place a roof over their head and food onto their table, and clothing on their child. Up until now public whois has been a tool to protect their lively hood. This is precisely why we have land registration. And I would argue, it has been part of the benefit public whois registration has given us. Discussing this point has not been an issue. The entire industry has been implementing it, and over 16 years addressed the privacy issues GDPR says need to me addressed. Its called Privacy Whois. >This just means that we will need to invent >other methods of proving ownership We have that now. Perhaps the fact the people are unwilling to defend the current solution, and seem anxious to spend lots of money and time to reinvent the wheel, is the problem. >Legally mandated, e.g. there is a law that requires such >a register and what is to be published in it. Administrative law, yes there is no civil or criminal law that says I must mow my lawn. However if I fail to do so my local city, which is a private corporation, will fine me and put a lien against my house. If I fail to follow ICANN contract requirements, my contract will be terminated. And as ICANN is now a supranational organizational power, the smell of “Global Administrative Law" handed down through its relationship with the US gov and participation by other governments is clear. If it walks like a duck and quacks like a duck its a duck. ICANN is a monopoly, thus its administrative law rights as I can't gain access to the registries without going through ICANN. Right now I am under administrative law, per the 2013 RAA, to provide public whois. >It isn't, but it is a vector that you yourself referenced. Thanks you for at least, in part, acknowledging theft is a problem made worse by GDPR. >It is all in the RAA, which also specifies that if privacy >is offered by the contracted party or an affiliated entity, >the underlying data must be escrowed as well to prevent >another RegistrarFly. The link I provided was the ICANN Escrow contract, and the text I quoted came from that contract. I have just done a text search of the 2013 RAA and find no such requirement, only that the registrar internally have the registration contact info. Please site the RAA section and text you are referring to. After doing so I will talk to my council on this matter. >or an affiliated entity I am only referring to the relationship of the registrar and registrant, not third parties nor resellers. We both know resellers and other participating third parties, such as unethical consultants, are a potential nightmare for registrants. The issue is an offered baseline, direct relationship with the domain sponsor/registrar, from which the registrant may apply their freewill and enter a relationship with less protections. Their choice. >Just because something is useful does not mean it is legitimate. >Owning guns is useful, yet certain jurisdictions ban it outright >or have strict limitations based on other legitimate considerations. My read is you are either changing the subject, or you are suggesting public whois is not legitimate. >In my experience, most registrants have no clue that >this information is published in the first place, >despite all the information and reminders we put out. We are in total agreement on this point. But its leads each of us in entirely different directions. Most will never need to know. Just as the property records for ones home is something few have any real clue about. Until they need them. The ignorance in fact suggests the system works relatively well. Its a good sign, as opposed to a valid argument to get rid of it at which point people WILL understand what it was doing for them. This is something we want most registrants to have a deer in the headlights look about. You may not be aware but in the US people are submitting quitclaim deeds to overworked recorders who are not checking those deeds before recording them. As a result people are actually stealing other peoples homes: http://www.miamiherald.com/news/nation-world/national/article47702025.html "In a scam that authorities say has proliferated in recent years, Cleland fell victim to swindlers who used bogus quitclaim deeds to secretly strip her of the property, then sold the home to a Pembroke Pines investment firm." “It’s just too easy to steal somebody’s property by filing a fraudulent quitclaim deed,” Miami-Dade Inspector General Mary Cagle told the Miami Herald" I offer the above not to change the subject but to draw clear attention to what is at stake, and my reference model for domains has always been an individual using a domain name to place a roof over their head and food onto their table, and clothing on their child. The more the cost of access increases the more damage will be done. In the case of land, I can just walk into the recorders office, there is no barrier to the “whois” at all. Those false quitclaim deeds are no different than an email sent, or formed checked, via a compromised domain admin account or unauthorized intra-registrar push. Once done reversing the process is a nightmare, we should be putting in effort to make it easier not harder, or at least avoid damaging what we have. Even the current domain whois registration system is not perfect as we well know, but its a lot better than nothing. Going dark publicly should not be an acceptable option. Its the very fact that registrants have no clue what is about to be lost that is the reason we should be arguing the case for them. Proxy whois works, and exists now. To satisfy GDPR ICANN could require registrars to make proxy whois the default thus requiring the registrant to opt-in to public whois. These leaves choice in the hands of the registrant. Changing a proxy whois semaphore on a software initialization page is a lot less work, less cost, and more timely, than reinventing whois system deployment.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API