Is WHOIS going to go away?
There is concern that the WHOIS database service will be in violation of the new European GDPR which takes effect May 25th, and may have to shut down.
http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/
https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr1...
- Brian
On Sat, Apr 14, 2018 at 11:06 AM, Brian Kantor <Brian@ampr.org> wrote:
There is concern that the WHOIS database service will be in violation of the new European GDPR which takes effect May 25th, and may have to shut down.
http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/
https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf
- Brian
Some more detailed info available at http://domainincite.com/22854-panic-stations-as-europe-plays-hardball-on-who... .
TL;DR: WHOIS will have less personally identifiable information, it won't be shut down.
Rubens
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
--
Filip Hruska
Linux System Administrator
On 04/14/2018 04:06 PM, Brian Kantor wrote:
There is concern that the WHOIS database service will be in violation of the new European GDPR which takes effect May 25th, and may have to shut down.
http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/
https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr1...
- Brian
On Sat, Apr 14, 2018 at 11:21 AM, Filip Hruska <fhr@fhrnet.eu> wrote:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
GDPR and other privacy regimes apply to both port-43 and WebWHOIS. Rubens
Currently .eu and .gr domains do not have any whois records. .eu makes them available online, but .gr is under a much stricter privacy law in Greece, and makes no whois records available to anyone.
This has been so for years, and I can tell you of a few things / observations about this, since I’ve had many domains with both TLDs.
First of all, anything that looks up an e-mail in the whois records just doesn’t work. That means that if you want a certificate for this domain, and you follow the traditional, manual, way, you either need a mail server running there so hostmaster / postmaster / webmaster work, or the only way then is to add files. And that if you have something running on the base domain and you don’t just use this for subdomains.
Second, you never get any spam. If they can’t find your e-mail address, they can’t send you spam.
Third, it blocks legitimate uses of whois by people who need to know the identity of domain operators, such as abuse tracking projects, scam / phish projects, law enforcement, etc.
Finally, there are two ways to contact a domain owner. The first one is to look for a contact page in the website, if there is one. The second is to contact their registrar (the details of the domain registrar are available in the whois), and have them reach out to the owner on your behalf.
In my opinion, not all the information in the whois records should be there, from an individual point of view, but the all or nothing situation right now isn’t great. If I had to choose however, I would choose the no whois for now, over the other, more leaky one. I personally believe a lot of people would agree, given the fact that there’s an entire market, and a plethora of domains using Whois Guard or in general whois masking tools, for free, or for a fee.
As far as abuse tracking goes, having whois available can help correlate websites, but only if the domain registrar allows only verified data to be added, whois masking is not used, or malicious actors only use the same data over and over. That last part may happen because the registrar does some verification, so it limits their choice of domain registrars.
P.S.: About the first thing, some CAs may e-mail the domain registrar’s e-mail (which is usually admin / support / IT) for domain verification, which I’m not sure is fine. :-)
On 14 Apr 2018, at 17:30, Rubens Kuhl <rubensk@gmail.com> wrote:
On Sat, Apr 14, 2018 at 11:21 AM, Filip Hruska <fhr@fhrnet.eu> wrote:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
GDPR and other privacy regimes apply to both port-43 and WebWHOIS.
Rubens
On Sat, Apr 14, 2018 at 02:21:59PM +0000, Filip Hruska wrote:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
It's not. All WHOIS information should be completely available with no limits, no restrictions, in bulk form to everyone -- so that everyone running every operation is identifiable to their peers and thus accountable to their peers. I understand that some people don't want to be exposed to that, and that's fine: but then they shouldn't be running an Internet-connected operation. The only people served by restriction on WHOIS availability are abusers and attackers, and the entities (e.g., registrars) who profit from them. ---rsk
On Sat, Apr 14, 2018 at 12:14 PM, Rich Kulawiec <rsk@gsp.org> wrote:
The only people served by restriction on WHOIS availability are abusers and attackers, and the entities (e.g., registrars) who profit from them.
Not that whois data for domain names has been particularly useful for the past decade anyhow since most TLDs and registrars either provide for free, or sell as an addon, "private" registration via some "proxy corporation" or whatever. Domain name whois for most TLDs has not been the sort of accountability measure that ICANN seems to think it is for a very long time, at least in practice. I'd be much more concerned about RIPE's whois data for AS and IP address maintainers.
As far as IP Addresses go (and domains too), currently GDPR recognizes the rights of individuals, not companies, which means that a company can be in the whois query, since it does not have the right to privacy. My understanding is that this will only affect natural persons.
On 14 Apr 2018, at 20:19, Matt Harris <matt@netfire.net> wrote:
On Sat, Apr 14, 2018 at 12:14 PM, Rich Kulawiec <rsk@gsp.org> wrote:
The only people served by restriction on WHOIS availability are abusers and attackers, and the entities (e.g., registrars) who profit from them.
Not that whois data for domain names has been particularly useful for the past decade anyhow since most TLDs and registrars either provide for free, or sell as an addon, "private" registration via some "proxy corporation" or whatever. Domain name whois for most TLDs has not been the sort of accountability measure that ICANN seems to think it is for a very long time, at least in practice.
I'd be much more concerned about RIPE's whois data for AS and IP address
On Sat, Apr 14, 2018 at 2:24 PM, DaKnOb <daknob.mac@gmail.com> wrote:
As far as IP Addresses go (and domains too), currently GDPR recognizes the rights of individuals, not companies, which means that a company can be in the whois query, since it does not have the right to privacy.
My understanding is that this will only affect natural persons.
The domain contacts of a domain owned by a legal entity are natural persons, and are also protected by GDPR. So unless a domain contact is something generic like "Technical Contact - techpoc@example.com" or similar role accounts, that contact data is also considered PII. Rubens
GDPR only has jurisdiction over individuals who are citizens of countries which are members of the EU. About 27 countries out of almost 200 in this world. And companies which manage that data and are also within the EU's jurisdiction. But that jurisdiction arises from an individual's EU nation citizenship. So why not just have a checkmark at domain registration which asks whether you believe yourself to be within the EU's jurisdiction and, if so, no WHOIS publication for you, or very limited. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 04/14/2018 02:46 PM, bzs@theworld.com wrote:
So why not just have a checkmark at domain registration which asks whether you believe yourself to be within the EU's jurisdiction and, if so, no WHOIS publication for you, or very limited.
FWIW, I've been reading quite a bit of (unverified) information about this subject. If my impressions mean anything, that field would need to say "I am not in EU's jurisdiction", and the default would be *un*checked.
On Sat, Apr 14, 2018 at 6:46 PM, <bzs@theworld.com> wrote:
GDPR only has jurisdiction over individuals who are citizens of countries which are members of the EU. About 27 countries out of almost 200 in this world. And companies which manage that data and are also within the EU's jurisdiction.
Try finding a company in this area that does not have a subsidiary in the EU, acquired an EU company, is based in the EU or has EU resellers.
But that jurisdiction arises from an individual's EU nation citizenship.
So why not just have a checkmark at domain registration which asks whether you believe yourself to be within the EU's jurisdiction and, if so, no WHOIS publication for you, or very limited.
For the companies that are subject to GDPR, they have to do this for every natural person, not only the EU ones. So this checkmark could in fact be "The registrant is a legal person, not a natural person". Rubens
On April 14, 2018 at 19:00 rubensk@gmail.com (Rubens Kuhl) wrote:
On Sat, Apr 14, 2018 at 6:46 PM, <bzs@theworld.com> wrote:
GDPR only has jurisdiction over individuals who are citizens of countries which are members of the EU. About 27 countries out of almost 200 in this world. And companies which manage that data and are also within the EU's jurisdiction.
Try finding a company in this area that does not have a subsidiary in the EU, acquired an EU company, is based in the EU or has EU resellers.
What area? Do you mean geographical or trade? My company doesn't fit that description. Non-ccTLD registrars and registries (and RIRs in this case) have a certain contractual relationship with ICANN. But ccTLDs seem a pretty good counter-example, I doubt CNNIC accepts EU legal authority for .CN, there are probably over 150 examples like that. Do you imagine the EU will try to hold CNNIC to GDPR requirements?
But that jurisdiction arises from an individual's EU nation citizenship.
So why not just have a checkmark at domain registration which asks whether you believe yourself to be within the EU's jurisdiction and, if so, no WHOIS publication for you, or very limited.
For the companies that are subject to GDPR, they have to do this for every natural person, not only the EU ones.
So this checkmark could in fact be "The registrant is a legal person, not a natural person".
No, because EU regulation doesn't apply to anything even approaching a majority of persons on this planet. There are about 500M people within the EU, and arguably the regulations can also extend to those doing business with companies doing any business within the EU. Nonetheless there are still about 7 billion people on the planet of which around 3 billion or so regularly use the internet and maybe 300M who own domain names, etc. And the extent to which a company might be beholden to an EU regulation such as this in the case of a non-EU citizen merely due to EU legal jurisdiction over that company (or one of its subsidiaries) is, to be kind, unsettled law. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 04/14/2018 10:24 AM, DaKnOb wrote:
As far as IP Addresses go (and domains too), currently GDPR recognizes the rights of individuals, not companies, which means that a company can be in the whois query, since it does not have the right to privacy.
My understanding is that this will only affect natural persons.
How does this affect a SWIP of a range of IP addresses where a natural person is the one who is the target of the sub-assignment? Does the GDPR restrict the unlimited publication of abuse@ addresses associated with the IP range, whether for natural person or legal person?
On 04/14/2018 07:24 PM, DaKnOb wrote:
As far as IP Addresses go (and domains too), currently GDPR recognizes the rights of individuals, not companies, which means that a company can be in the whois query, since it does not have the right to privacy.
My understanding is that this will only affect natural persons.
On 14 Apr 2018, at 20:19, Matt Harris <matt@netfire.net> wrote:
On Sat, Apr 14, 2018 at 12:14 PM, Rich Kulawiec <rsk@gsp.org> wrote:
The only people served by restriction on WHOIS availability are abusers and attackers, and the entities (e.g., registrars) who profit from them.
Not that whois data for domain names has been particularly useful for the past decade anyhow since most TLDs and registrars either provide for free, or sell as an addon, "private" registration via some "proxy corporation" or whatever. Domain name whois for most TLDs has not been the sort of accountability measure that ICANN seems to think it is for a very long time, at least in practice.
I'd be much more concerned about RIPE's whois data for AS and IP address
An individual can also own an ASN and IP space. You don't have to be a company.
-- Filip Hruska Linux System Administrator
If you register a corp out of Nevada, the only person who gets to know the names of the owners is the company lawyer unless someone shows up with a warrant. It costs around $1,200 if I remember correctly.
So I can spin up a legit looking company and put that info into whois and you essentially end up with useless info unless you can convince a court to issue a warrant.
So why are you proposing that I can't run my *personal* "I strongly believe in {insert emotionally-charged issue} site" without letting psychos know exactly where I live?
-A
On Sat, Apr 14, 2018 at 10:16 AM Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, Apr 14, 2018 at 02:21:59PM +0000, Filip Hruska wrote:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
It's not. All WHOIS information should be completely available with no limits, no restrictions, in bulk form to everyone -- so that everyone running every operation is identifiable to their peers and thus accountable to their peers. I understand that some people don't want to be exposed to that, and that's fine: but then they shouldn't be running an Internet-connected operation.
The only people served by restriction on WHOIS availability are abusers and attackers, and the entities (e.g., registrars) who profit from them.
---rsk
On April 14, 2018 at 17:29 nanog@nanog.org (Aaron C. de Bruyn via NANOG) wrote:
So why are you proposing that I can't run my *personal* "I strongly believe in {insert emotionally-charged issue} site" without letting psychos know exactly where I live?
I wasn't the one proposing but GDPR basically prohibits your information from being exposed via WHOIS even if you would like it to be exposed. It's not difficult to hide your info, most registrars provide a free or low cost privacy option so any inquiry just responds with information about the registrar or some proxy service. Or you can contract with your own proxy service. THAT SAID, most countries require you to provide accurate and up to date contact information if you are doing business with the general public. Thus this whole issue is really just a product of the trend towards personal, non-business (vanity, etc) web sites. Which itself is the result of inexpensive and ubiquitous always-on internet connections and the rise of hosting services. And points out something of a contradiction: Prohibiting or severely restricting the publication of contact information (WHOIS) while simultaneously requiring contact information is made available (to the general public.) Does anyone believe privacy etc will be enhanced by forbidding your finding out who owns this domain you were directed towards by a search engine? Granted you may not get a satisfactory answer but then maybe you choose not to do business with them, ok, your choice. But what if the response is "SORRY BLOCKED BY GDPR"? Do you do business with them? Or not? -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Does anyone believe privacy etc will be enhanced by forbidding your finding out who owns this domain you were directed towards by a search engine?
Granted you may not get a satisfactory answer but then maybe you choose not to do business with them, ok, your choice.
But what if the response is "SORRY BLOCKED BY GDPR"?
Do you do business with them? Or not?
Not. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Sat, Apr 14, 2018 at 05:29:35PM +0000, Aaron C. de Bruyn via NANOG wrote:
So why are you proposing that I can't run my *personal* "I strongly believe in {insert emotionally-charged issue} site" without letting psychos know exactly where I live?
A PO box might suffice. There are also mail forwarding (and phone forwarding) services that serve the purpose. Having encountered exactly these sorts of psychos, this might be a good idea if you think it's a threat you may have to face. (Although let me note that your address is likely available anyway through some deliberate-public database or through one that's been hacked and subsequently leaked. Or via someone you know who "checked in" with a geolocation app while visiting. Or via someone who handed it over to a third party because they were shipping you something. Or...) Let me suggest that a better choice for these situations is not to register a domain *at all*. Consider: doing so creates a record at your registrar that has information-of-interest about you. All that stands between a psycho and that information is a security breach, a dataloss incident, or -- maybe -- a hundred bucks in an envelope (old style) or a cryptocurrency transfer (new style). Maaaaybe it would be better not to create that record at all. That's why I've always recommended (for example) that dissident political movements in repressive countries avoid registering domains: any dictator worthy of the title will easily acquire the real registration details, whether they're held in-country or not. ---rsk
I just want to add my voice to basically the same sentiment (way below...)
With all the data breaches it's almost become easier to list companies who haven't had a massive data breach lately. And once someone walks off with that db it's out there forever tho admittedly still a little more difficult to access than a mere whois query.
But most registrars offer a privacy option so whois only returns the registrar's contact info. That of course won't help with mass data breaches. And there are third-party options.
All GDPR and similar is likely to do is change exactly who has access to this information and how, and how much it will cost. That might be an improvement for some, and it might offer a false sense of security for many.
How many will thereafter willingly pay the $5/month or whatever it is for "privacy" if they believe their data is somehow protected by law? Far fewer I would guess (yes many registrars provide this free but will they after May 25th?)
I'll reiterate my suggestion I've been pushing for a while now: Put the WHOIS accessible information into the DNS, possibly as a new RR but that's optional. That would put it completely under the domain owner's control.
It doesn't solve the problem of data breaches, and I'd include lawful mass access (i.e., selling your info), but at least it's realistic and easy enough to implement -- just convert any WHOIS query into an appropriate DNS query.
But it does separate the WHOIS function from normal customer data management. ICANN and its registries and registrars can then proceed to practice standard customer information management policies without also having to try to layer a WHOIS policy on the same data.
On April 19, 2018 at 10:24 rsk@gsp.org (Rich Kulawiec) wrote:
On Sat, Apr 14, 2018 at 05:29:35PM +0000, Aaron C. de Bruyn via NANOG wrote:
So why are you proposing that I can't run my *personal* "I strongly believe in {insert emotionally-charged issue} site" without letting psychos know exactly where I live?
A PO box might suffice. There are also mail forwarding (and phone forwarding) services that serve the purpose. Having encountered exactly these sorts of psychos, this might be a good idea if you think it's a threat you may have to face.
(Although let me note that your address is likely available anyway through some deliberate-public database or through one that's been hacked and subsequently leaked. Or via someone you know who "checked in" with a geolocation app while visiting. Or via someone who handed it over to a third party because they were shipping you something. Or...)
Let me suggest that a better choice for these situations is not to register a domain *at all*. Consider: doing so creates a record at your registrar that has information-of-interest about you. All that stands between a psycho and that information is a security breach, a dataloss incident, or -- maybe -- a hundred bucks in an envelope (old style) or a cryptocurrency transfer (new style). Maaaaybe it would be better not to create that record at all.
That's why I've always recommended (for example) that dissident political movements in repressive countries avoid registering domains: any dictator worthy of the title will easily acquire the real registration details, whether they're held in-country or not.
---rsk
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
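A sketch of the WHOIS-to-DNS conversion proposed in the message above, added here as an illustration and not part of the original thread or any deployed system. The `_whois` label, the `key=value` TXT layout, the allowed keys and the dictionary-backed resolver are all assumptions; because the records would be fully owner-controlled, the gateway treats them as untrusted input.

```python
import re

# Hypothetical convention (not a standard): the domain owner publishes contact
# data as "key=value" TXT strings at _whois.<domain>.
WHOIS_LABEL = "_whois"
ALLOWED_KEYS = {"registrant", "abuse-email", "tech-email", "registrar"}
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def parse_whois_query(raw: bytes) -> str:
    """RFC 3912: the client sends one query line terminated by CRLF."""
    if not raw.endswith(b"\r\n") or len(raw) > 257:
        raise ValueError("query must be one CRLF-terminated line")
    # decode() raises UnicodeDecodeError (a ValueError) on non-ASCII input.
    name = raw[:-2].decode("ascii").strip().lower().rstrip(".")
    labels = name.split(".")
    # fullmatch rejects embedded CR/LF, so one query cannot smuggle a second.
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("not a valid domain name")
    return name


def dns_question(domain: str) -> tuple:
    """Map the WHOIS query onto the DNS question the gateway would ask."""
    return (f"{WHOIS_LABEL}.{domain}.", "TXT")


def sanitize(value: str) -> str:
    """Owner-published data is untrusted: drop control chars, cap the length."""
    return "".join(c for c in value if c.isprintable())[:200]


def render_response(domain: str, txt_records: list) -> str:
    """Turn key=value TXT strings into a WHOIS-style text response."""
    lines = [f"Domain: {domain}"]
    for rec in txt_records:
        key, sep, value = rec.partition("=")
        key = key.strip().lower()
        if sep and key in ALLOWED_KEYS:
            lines.append(f"{key}: {sanitize(value.strip())}")
    if len(lines) == 1:
        lines.append("% no owner-published WHOIS data in DNS")
    return "\r\n".join(lines) + "\r\n"


def handle(raw: bytes, resolve) -> str:
    """One port-43 request in, one response out; resolve(qname, qtype) -> list."""
    try:
        domain = parse_whois_query(raw)
    except ValueError:
        return "% error: invalid query\r\n"
    qname, qtype = dns_question(domain)
    return render_response(domain, resolve(qname, qtype))


# Constructed sample zone standing in for a real resolver (runs offline).
CONSTRUCTED_ZONE = {
    ("_whois.example.com.", "TXT"): [
        "registrant=Example Org",
        "abuse-email=abuse@example.com",
        "tech-email=noc@example.com\x1b[2J",  # hostile terminal escape
        "favourite-colour=blue",              # unknown key, ignored
    ],
}


def constructed_resolver(qname: str, qtype: str) -> list:
    return CONSTRUCTED_ZONE.get((qname, qtype), [])


if __name__ == "__main__":
    print(handle(b"example.com\r\n", constructed_resolver), end="")
```
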
* Filip Hruska:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
Why? How does the protocol matter? Either you may publish individual personal information for use by the general public, or you may not. Adding a 4 to the port number doesn't change that.
On 04/14/2018 07:29 PM, Florian Weimer wrote:
* Filip Hruska:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
Why? How does the protocol matter?
Either you may publish individual personal information for use by the general public, or you may not. Adding a 4 to the port number doesn't change that.
The EURID webwhois cannot be scraped, there are anti-bot measures in place (captcha, throttling, all information displayed in images). Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.
GDPR contains this in relation to the right to erasure:
1. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, *the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure* by such controllers of any links to, or *copy or replication of, those personal data*.
Controller is the TLD operator in this case, other controllers would be WHOIS scrapers. The problem here is the definition of "reasonable steps". Would doing nothing be reasonable? Or would the TLD operator need to somehow track all those scrapers and contact them?
IANAL, but I see a problem here.
--
Filip Hruska
Linux System Administrator
* Filip Hruska:
On 04/14/2018 07:29 PM, Florian Weimer wrote:
* Filip Hruska:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
Why? How does the protocol matter?
Either you may publish individual personal information for use by the general public, or you may not. Adding a 4 to the port number doesn't change that.
The EURID webwhois cannot be scraped, there are anti-bot measures in place (captcha, throttling, all information displayed in images). Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.
GDPR contains this in relation to the right to erasure:
1. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, *the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure* by such controllers of any links to, or *copy or replication of, those personal data*.
Wouldn't that require a channel to the recipient of WHOIS data, so that the controller can notify those who have accessed it once erasure is requested? A simple webform doesn't achieve that because it's not much different from the way traditional WHOIS works.
On Wed, Apr 18, 2018 at 5:51 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Filip Hruska:
On 04/14/2018 07:29 PM, Florian Weimer wrote:
* Filip Hruska:
EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS. In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.
Seems like a reasonable solution.
Why? How does the protocol matter?
Either you may publish individual personal information for use by the general public, or you may not. Adding a 4 to the port number doesn't change that.
The EURID webwhois cannot be scraped, there are anti-bot measures in place (captcha, throttling, all information displayed in images). Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.
GDPR contains this in relation to the right to erasure:
1. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, *the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure* by such controllers of any links to, or *copy or replication of, those personal data*.
Wouldn't that require a channel to the recipient of WHOIS data, so that the controller can notify those who have accessed it once erasure is requested?
A simple webform doesn't achieve that because it's not much different from the way traditional WHOIS works.
A simple webform doesn't provide the personal data, just relays a message. Anyways, I heard registrars mentioning a double form where the e-mail address of the party sending the message to the domain owner is first confirmed before relaying the message. That would provide accountability for who sent what, if the message turns out to be harassment, threatening or alike.
Rubens
On Sat, Apr 14, 2018 at 08:20:06PM +0000, Filip Hruska wrote:
Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.
Which would not be necessary if all WHOIS information was fully published in text/XML/whatever form, available for immediate download/rsync to everyone, and refreshed at intervals (say, once a day). This would neatly undercut the business model for these sites and would ensure that anyone who wants the information can get it efficiently. ---rsk
You still have the same end result. Bad data.
I could use a mail forwarding service or fake the record entirely. My VoIP provider probably won't cough up who owns the phone number without a warrant. Probably the same for HelloFax. And the only name verification that goes on at my domain registrar is validating my credit card. They don't seem to care if I put "John Smith" in for the whois name. But once again, they'll require a warrant before they cough up the data. The USPS doesn't seem to mind if mail comes in under "my child's" name who is under 16 and doesn't have any form of government ID yet...and might not even exist.
So you still have the same end-result. Those determined to remain somewhat private will do so and that means some of your whois data is garbage.
...but I don't see it as a big problem. Some random site or IP is causing problems, so you try to nicely get in touch with them. Their whois is garbage. So block them. They'll figure it out quickly enough. Or contact their upstream. Their upstream probably knows who they are. Digital Ocean (for example) knows which IPs belong to my servers and they'll either reach out to me or knock me offline until I get things corrected.
"dissident political movements in repressive countries" ...and there's my new band name.
-A
On Thu, Apr 19, 2018 at 7:29 AM Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, Apr 14, 2018 at 08:20:06PM +0000, Filip Hruska wrote:
Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.
Which would not be necessary if all WHOIS information was fully published in text/XML/whatever form, available for immediate download/rsync to everyone, and refreshed at intervals (say, once a day). This would neatly undercut the business model for these sites and would ensure that anyone who wants the information can get it efficiently.
---rsk
One of the memes driving this WHOIS change is the old idea of "starving the beast". People involved in policy discussions complain that "spammers" -- many only marginally fit that term other than by the strictest interpretation -- use the public WHOIS data to contact domain owners. I've countered that 20+ years experience trying to "starve the beast" by trying to deny them access to email and other casual contact info has proven the approach to be useless. Choosing the privacy options on your domain registration is probably just as, if not more, effective. Another argument against this whole idea is that in most countries one is required by law to provide valid contact information if they are doing business with the general public. That would include soliciting donations etc. And that's essentially why domains exist, organizational contact. This trend towards "vanity" domains is relatively recent and really the only reason one can even claim there is a problem. Granted there's that gray area of dissident political movements etc. but their full time job is protecting their identity. I doubt Microsoft or General Motors are excited to see that their domain registration contact information will soon be protected by law. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
“Granted there's that gray area of dissident political movements etc. but their full time job is protecting their identity.”
You think? The median number of domain name registrations that used privacy proxy service in the Middle East is 24%. See the DNS Market study: https://www.icann.org/en/system/files/files/meac-dns-study-26feb16-en.pdf
Now let's look at the distribution of that number: “Rates of privacy proxy registrations varied across countries in the region, with the lowest rates seen in Iran (7%) and Turkey (12%), and the highest rates in Syria (32%), Algeria and Egypt (31% each).” I guess some people who share your band name in those countries with the lowest percentage of privacy proxy service might not really know how they can use privacy proxy services! Let's just keep their personal information public until they find out how and why their house has been raided.
Also I don’t really understand why people keep saying “whois is going away” and “whois is going dark”
It is not. Personal information in the database should be made private. WHOIS contains more than personal information. You are the technical people, you know better than me.
Thanks for bringing up the grey area anyway. Not many consider that in the discussions. But it’s not only dissidents. It’s also journalists and especially female journalists that work on issues that some might not like. Also sometimes you don’t even know you have to hide your identity because you don’t think you are doing anything against the law, the problem is that we don’t have the rule of law everywhere in the world.
Best
Dr. Farzaneh Badiei Research Associate, School of Public Policy Executive Director, Internet Governance Project
From: bzs@theworld.com Sent: Thursday, April 19, 2018 5:58 PM To: Aaron C. de Bruyn Cc: nanog@nanog.org; Rich Kulawiec Subject: Re: Is WHOIS going to go away?
One of the memes driving this WHOIS change is the old idea of "starving the beast". People involved in policy discussions complain that "spammers" -- many only marginally fit that term other than by the strictest interpretation -- use the public WHOIS data to contact domain owners. I've countered that 20+ years experience trying to "starve the beast" by trying to deny them access to email and other casual contact info has proven the approach to be useless. Choosing the privacy options on your domain registration is probably just as, if not more, effective. Another argument against this whole idea is that in most countries one is required by law to provide valid contact information if they are doing business with the general public. That would include soliciting donations etc. And that's essentially why domains exist, organizational contact. This trend towards "vanity" domains is relatively recent and really the only reason one can even claim there is a problem. I doubt Microsoft or General Motors are excited to see that their domain registration contact information will soon be protected by law. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Inline... On April 19, 2018 at 22:24 farzi@gatech.edu (Badiei, Farzaneh) wrote:
“Granted there's that gray area of dissident political movements etc. but their full time job is protecting their identity.”
You think? The median number of domain name registrations that used privacy proxy service in the Middle East is 24%. See the DNS Market study: https://www.icann.org/en/system/files/files/meac-dns-study-26feb16-en.pdf
Now let's look at the distribution of that number: “Rates of privacy proxy registrations varied across countries in the region, with the lowest rates seen in Iran (7%) and Turkey (12%), and the highest rates in Syria (32%), Algeria and Egypt (31% each).” I guess some people who share your band name in those countries with the lowest percentage of privacy proxy service might not really know how they can use privacy proxy services! Let's just keep their personal information public until they find out how and why their house has been raided.
So you think restricting WHOIS access will protect dissidents from abusive governments? Of all the rationalizations that one seems particularly weak. Can we possibly find a lower common denominator on which to base global internet policy? And is anyone going to assure them that new WHOIS policies will protect them? Even allow them (or their surviving kin) to sue etc if it fails? Where is the warranty here? I think dissidents who might, if identified as domain owners, become targets of government reprisal need a better plan than some new WHOIS policies.
Also I don’t really understand why people keep saying “whois is going away” and “whois is going dark”
It is not. Personal information in the database should be made private. WHOIS contains more than personal information. You are the technical people, you know better than me.
It should contain exactly whatever contact information the registrant provides for public disclosure, including a privacy option. That's commonly available right now. This is why I suggested putting the WHOIS information into the DNS under each domain owner's control.
Thanks for bringing up the grey area anyway. Not many consider that in the discussions. But it’s not only dissidents. It’s also journalists and especially female journalists that work on issues that some might not like. Also sometimes you don’t even know you have to hide your identity because you don’t think you are doing anything against the law, the problem is that we don’t have the rule of law everywhere in the world.
And I'll say no one is going to fix that by making WHOIS info less public. They need to use proxies or privatization options (or overthrow their governments but easier said than done.) Even that doesn't protect them from, for example, govt authorities just demanding the information from registrars within their jurisdiction (e.g., ccTLDs), or a sympathetic jurisdiction. Or hosting or cloud companies etc. Any link in the chain. As I said, if one is fearful of reprisal they need to design their own privacy or hire someone who can provide it. I know there are hosting companies who specialize in political dissidents and similar and have worked through issues such as jurisdiction. I can understand the feelgood appeal of all this but I think the problem is way beyond crippling WHOIS for some people. (end of my reply)
Best
Dr. Farzaneh Badiei Research Associate, School of Public Policy Executive Director, Internet Governance Project
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
In article <23257.12824.250276.763926@gargle.gargle.HOWL> you write:
So you think restricting WHOIS access will protect dissidents from abusive governments?
Of all the rationalizations that one seems particularly weak.
Oh, you're missing the point. This is a meme that's been floating around in academia for a decade: the brave dissident who somehow has managed to find web hosting, e-mail, broadband, and mobile phone service but for whom nothing stands between her and certain death but the proxy whois on her vanity domain. If someone makes this argument you can be 100% sure he's parroting something he heard somewhere and has no idea how the Internet actually works. R's, John
On April 19, 2018 at 22:43 johnl@iecc.com (John Levine) wrote:
In article <23257.12824.250276.763926@gargle.gargle.HOWL> you write:
So you think restricting WHOIS access will protect dissidents from abusive governments?
Of all the rationalizations that one seems particularly weak.
Oh, you're missing the point. This is a meme that's been floating around in academia for a decade: the brave dissident who somehow has managed to find web hosting, e-mail, broadband, and mobile phone service but for whom nothing stands between her and certain death but the proxy whois on her vanity domain.
If someone makes this argument you can be 100% sure he's parroting something he heard somewhere and has no idea how the Internet actually works.
+1 I'm more sympathetic to for example abused women who I can see have little wherewithal to figure out every way to hide their (new) contact information. Unlike political dissidents they didn't volunteer for their situation. Nonetheless I don't think crippling the entire WHOIS system for everyone for cases such as this is a reasonable approach. As they say hard cases make bad law. Educate people, maybe in particular domestic abuse lawyers and counselors, about better alternatives such as clicking the little privacy option box on their registrar's domain registration form. There, that wasn't very hard, but it's only a tiny part of their problem anyhow, unfortunately. Maybe we need to get back to the GDPR which is actually driving this WHOIS discussion. For example: Facebook to exclude 1.5 billion users from GDPR privacy protections https://www.engadget.com/2018/04/19/facebook-exclude-1-5-billion-users-gdpr-... or http://tinyurl.com/y9abrw37
R's, John
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Dear John,
The days when some in the technical community could just discard others' arguments by saying that "[you] have no idea how the Internet works" have long passed. I will not get intimidated nor will I step back. Old tricks won't work, it's as old as the dysfunctional WHOIS and will disappear.
Also your last paragraph obliges me to clarify: it's not always a "he" that might be arguing! It's sometimes, though might it be rarely, a "she".
No one asked to protect people from their governments (I have heard this before as well). But also people should not be endangered or even minimally disturbed by making their personal information public. There are many many scenarios when personal information can be abused, and governments might not be involved.
I might not know as much as you do about how the Internet works. But I know one thing: There will be a change. The convenience of security researchers and trademark owners is not going to be set above domain name registrants' right to data protection. But I am sure the cybersecurity community can come up with a more creative way of preserving cybersecurity without relying on using personal information of domain name registrants and violating their rights!
Farzaneh
________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of John Levine <johnl@iecc.com> Sent: Thursday, April 19, 2018 10:43 PM To: nanog@nanog.org Cc: bzs@theworld.com Subject: Re: Is WHOIS going to go away?
In article <23257.12824.250276.763926@gargle.gargle.HOWL> you write:
So you think restricting WHOIS access will protect dissidents from abusive governments?
Of all the rationalizations that one seems particularly weak.
Oh, you're missing the point. This is a meme that's been floating around in academia for a decade: the brave dissident who somehow has managed to find web hosting, e-mail, broadband, and mobile phone service but for whom nothing stands between her and certain death but the proxy whois on her vanity domain. If someone makes this argument you can be 100% sure he's parroting something he heard somewhere and has no idea how the Internet actually works. R's, John
Inline... On April 20, 2018 at 03:47 farzi@gatech.edu (Badiei, Farzaneh) wrote:
Dear John,
The days when some in the technical community could just discard others' arguments by saying that "[you] have no idea how the Internet works" have long passed. I will not get intimidated nor will I step back. Old tricks won't work, it's as old as the dysfunctional WHOIS and will disappear.
No one responded most likely because you are speaking to a vast "room" of engineers etc and just said WHOIS is "old and dysfunctional" without a single word as to why you believe this to be the case. The DNS system is almost exactly the same age, is that also a problem? At least that's what pops into a technical person's mind. And "dysfunctional" seems like it's based on assumptions others here may not share. So we are left to guess whether you have any idea how any of this works, it's an article of faith? Challenging someone's understanding of a system they are criticizing is not "intimidation", it's just an assumption lacking any evidence to the contrary. And TBH "it will disappear" sounds like a purely political threat. We shall see in the fullness of time...in about 20 years ICANN has failed to do much anything regarding WHOIS other than talk about it a lot.
Also your last paragraph obliges me to clarify: it's not always a "he" that might be arguing! It's sometimes, though might it be rarely, a "she".
No one asked to protect people from their governments (I have heard this before as well). But also people should not be endangered or even minimally disturbed by making their personal information public. There are many many scenarios when personal information can be abused, and governments might not be involved.
So why aren't current privacy options sufficient? Why not, as I have suggested in many forums now, just move the publicly visible information into the DNS and thus completely under the domain owner's control? Why does ICANN simultaneously press for the accuracy (and precision) of this information while bemoaning its public availability? Well, there are reasons, I could answer that I suppose. But disconnecting the public function of WHOIS from the business need for customer information seems like a reasonable approach. As is even stated in the relevant RFCs WHOIS is a public directory of domain owners and contact information. Not very different from a phone directory, and with similar provisions for privacy. It's not like the IETF et al created WHOIS out of thin air, it was intended to be a lot like a phone (or similar) directory.
I might not know as much as you do about how the Internet works. But I know one thing: There will be a change. The convenience of security researchers and trademark owners is not going to be set above domain name registrants' right to data protection. But I am sure the cybersecurity community can come up with a more creative way of preserving cybersecurity without relying on using personal information of domain name registrants and violating their rights!
But the current ICANN proposals as I understand them make all this information available to anyone who can pay the price or meet certain criteria which don't seem terribly exclusive other than "those we respect vs those we don't".
They've proposed a "tiered access". Which sounds to me more like an intent to monetize WHOIS not protect its content in general. Or is only allowing for example folks like Cambridge Analytica or other vast and well-funded opinion and marketing organizations access somehow a protection of "rights"?
One problem with that sort of access is that once it's out there, it's out there! One can write rules about "legitimate" use and redistribution but as we see every day breaches and just disregard for such rules are rampant.
Why pretend that making WHOIS non-public will protect anyone? The current system has its appeal, it's public information, if you do not want your information public there are various ways to protect your own information (e.g., check that privacy box, pay a third party proxy, etc.)
And for that matter one of those "access tiers" is "law enforcement", what government won't meet that criteria? Is there some intent by ICANN to vet "good" governments vs "bad" governments when granting law enforcement general access? Note: This is not search warrant type access, it's general access to the entire WHOIS database without prior restraint.
And there's still that annoying question about warrantability of this supposed protection of privacy.
You really haven't spent a word answering any of the issues raised here, you mostly complained about the pronouns used. They might be valid complaints, but they're not sufficient to provide a response to the issues.
P.S. For the record we know each other from ICANN meetings and Farzaneh can do a lot better than this.
Farzaneh
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
The fun problem here is that anonymity, encryption etc - everything that's good and recommended for privacy and security conscious people - gets heavily used, and early adopted, by criminals, the good ones among whom are paranoid about both these at least so they stay out of prison.
If only all registrars and registries would actually act proactively about keeping abuse off their networks. Some do a great job, others do just enough to keep ICANN and the security community off their backs, while still others couldn't care less about either.
If we had this level of proactiveness, the problem of whois going away would be far less of an issue.
________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of Badiei, Farzaneh <farzi@gatech.edu> Sent: Friday, April 20, 2018 9:17:21 AM To: John Levine; nanog@nanog.org Cc: bzs@theworld.com Subject: Re: Is WHOIS going to go away?
Dear John,
The days when some in the technical community could just discard others' arguments by saying that "[you] have no idea how the Internet works" have long passed. I will not get intimidated nor will I step back. Old tricks won't work, it's as old as the dysfunctional WHOIS and will disappear.
Also your last paragraph obliges me to clarify: it's not always a "he" that might be arguing! It's sometimes, though might it be rarely, a "she".
No one asked to protect people from their governments (I have heard this before as well). But also people should not be endangered or even minimally disturbed by making their personal information public. There are many many scenarios when personal information can be abused, and governments might not be involved.
I might not know as much as you do about how the Internet works. But I know one thing: There will be a change. The convenience of security researchers and trademark owners is not going to be set above domain name registrants' right to data protection. But I am sure the cybersecurity community can come up with a more creative way of preserving cybersecurity without relying on using personal information of domain name registrants and violating their rights!
Farzaneh
In article <DM5PR07MB35809FB2252B3AA022D915B3DAB40@DM5PR07MB3580.namprd07.prod.outlook.com> you write:
The days when some in the technical community could just discard others' arguments by saying that "[you] have no idea how the Internet works" have long passed. I will not get intimidated nor will I step back. Old tricks won't work, it's as old as the dysfunctional WHOIS and will disappear.
Now I'm confused. Surely you do not mean that we should take your arguments seriously even though you have no idea how the Internet works. In my experience, the nanog crowd can be grumpy but it is entirely open to discussions that are based on facts and an understanding of the issues. R's, John
On Thu, Apr 19, 2018 at 5:20 PM <bzs@theworld.com> wrote:
So you think restricting WHOIS access will protect dissidents from abusive governments?
Every government has subpoena power. Some of them even have the power to beat people with a rubber hose in the back room until they get the information they want. Being able to put bogus data into whois won't prevent the government from finding you, but it may prevent crazies from showing up at my house, or even knowing that I run a particular site. -A
On April 20, 2018 at 02:58 aaron@heyaaron.com (Aaron C. de Bruyn) wrote:
On Thu, Apr 19, 2018 at 5:20 PM <bzs@theworld.com> wrote:
So you think restricting WHOIS access will protect dissidents from abusive governments?
Every government has subpoena power. Some of them even have the power to beat people with a rubber hose in the back room until they get the information they want.
Being able to put bogus data into whois won't prevent the government from finding you, but it may prevent crazies from showing up at my house, or even knowing that I run a particular site.
That's part of the contradiction in all this vis a vis ICANN. ICANN has had a push for years to improve the accuracy (and I assume precision) of domain registration information and therefore WHOIS. I know because I've sat in on any number of ICANN meetings with slides and talks about how frequently domains are registered to "Donald Duck" or similar. The numbers vary from report to report but I remember numbers like over 25% of registrations seemed to be prima facie bogus like that. So they developed that letter you get if you have a domain registered which says check your domain reg information and fix it because if it's not accurate (and precise) you risk losing your domain. And required registrars to send you that letter periodically typically around 30-60 days before renewal. Which means by pushing on the problem of domain name registration information accuracy they also made it much more difficult for people who may've had a good reason to not enter accurate (and/or precise) information. But we also got privacy options from registrars and third-parties. So the net result maybe isn't all that terrible unless you have a good reason to hide your information even from your registrar (and ICANN), checking a privacy option won't accomplish that, they still have your info they're just not revealing it via WHOIS. ANYHOW this is too long and boring already, I'm not sure I can even stand to proofread it, but it's all a rather tangled story which probably amounts to: The road to hell is paved with good intentions. And some pretty bad intentions also.
-A
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Thu, Apr 19, 2018 at 11:44:10PM -0400, bzs@theworld.com wrote:
So the net result maybe isn't all that terrible unless you have a good reason to hide your information even from your registrar (and ICANN), checking a privacy option won't accomplish that, they still have your info they're just not revealing it via WHOIS.
Bear in mind that not all TLDs allow enabling privacy (e.g., .us).
On April 20, 2018 at 05:06 i.grok@comcast.net (Scott Schmit) wrote:
On Thu, Apr 19, 2018 at 11:44:10PM -0400, bzs@theworld.com wrote:
So the net result maybe isn't all that terrible unless you have a good reason to hide your information even from your registrar (and ICANN), checking a privacy option won't accomplish that, they still have your info they're just not revealing it via WHOIS.
Bear in mind that not all TLDs allow enabling privacy (e.g., .us).
I'm aware of this with .US, is there another example? That's the only one I've ever seen mentioned but there are an Avogadro number of TLDs. Hold on, I found a list...da goog turned up da goog... https://support.google.com/domains/answer/3251242?hl=en .CO.IN, .CO.NZ, .CO.UK, .FR, .IN, .JP, and .US So all are cctlds (country code TLDs), and the first three are for companies (or commercial) which may be what's driving that policy. In many countries if one acts as a commercial entity they must provide public contact information. ICANN (in the metonymous sense) no doubt is aware of this, I wonder if it conflicts with any proposals for this new WHOIS? That page also has a pretty good FAQ on private registration in general. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog. I feel uneasy about having my phone available to literally everyone on the internet. -- -- ℱin del ℳensaje.
Tei wrote:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
I feel uneasy about having my phone available to literally everyone on the internet.
Technical contact information is supposed to be available for technical purposes. Not that that purpose has been reliable as time has gone by. Has that (required) purpose just flown past the policy makers? Christian
On April 20, 2018 at 12:03 oscar.vives@gmail.com (Tei) wrote:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
I feel uneasy about having my phone available to literally everyone on the internet.
There are various privacy options available when one registers a domain, generally a matter of checking a box and usually free.
-- -- ℱin del ℳensaje.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Fri, Apr 20, 2018 at 4:10 PM, <bzs@theworld.com> wrote:
On April 20, 2018 at 12:03 oscar.vives@gmail.com (Tei) wrote:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
I feel uneasy about having my phone available to literally everyone on the internet.
There are various privacy options available when one registers a domain, generally a matter of checking a box and usually free.
Those privacy options work until one wants to transfer a domain to a different registrar. Almost always that will imply a brief removal of privacy, during which an adversary (either a nation-state or some Sideshow Bob-type wacko) will learn the true identity of the domain holder. Rubens
That just sounds like a minor change to fix this, a bug. No need to burn down the house to kill a mosquito. And my suggestion to move the publicly visible WHOIS information into the DNS and thus completely under the domain owner's control would fix this with minimal effort from the registrant. I tend to doubt tho that this is a significant reason for the proposed changes.
On April 20, 2018 at 16:20 rubensk@gmail.com (Rubens Kuhl) wrote:
On Fri, Apr 20, 2018 at 4:10 PM, <bzs@theworld.com> wrote:
On April 20, 2018 at 12:03 oscar.vives@gmail.com (Tei) wrote:
> Maybe a good balance for whois is to include organization information
> so I know where a website is hosted, but not personal information, so
> I can't show in their house and steal their dog.
>
> I feel uneasy about having my phone available to literally everyone on
> the internet.
There are various privacy options available when one registers a domain, generally a matter of checking a box and usually free.
Those privacy options work until one wants to transfer a domain to a different registrar. Almost always that will imply a brief removal of privacy, during which an adversary (either a nation-state or some Sideshow Bob-type wacko) will learn the true identity of the domain holder.
Rubens
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
I don't see why there should not be a way to know who is publishing data on the Internet. In almost all other forms of communication, there is some accountability for the origination of information. Newspaper publishers are known, radio stations are usually licensed and publicly known, television is licensed as well. Your phone and Internet traffic is available to the government and law enforcement. People need to be held legally accountable for the information they present to the public otherwise you would have absolutely no recourse in the event that you were slandered, scammed, or otherwise harmed by this information. People being scared of their government is a real thing, however it is not up to the Internet to protect people from their own governments, that is a political problem not a technical one. Always think of the negative side of the argument. If a website was distributing unauthorized compromising photos of your children would you want them to be completely anonymous?
Think of how aggravated we all are with the spam we receive every day and how much you like spoofed caller ID data when you talk about anonymity.
Publishing information for access by the entire public should have some sort of accountability with it.
When you get into the business of "protecting" people from their own "oppressive" governments, you are also protecting "enemies and criminals" from another perspective. Most all nation states would have the ability to track the communications to their source in any case so all you are really doing is protecting the data from the public.
It would appear to me that the ICANN proposal is nothing more than a means to monetize what used to be public data. Why should Google have all the fun?
Steven Naslund Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of bzs@theworld.com
Sent: Friday, April 20, 2018 2:11 PM
To: Tei
Cc: nanog@nanog.org
Subject: Re: Is WHOIS going to go away?
On April 20, 2018 at 12:03 oscar.vives@gmail.com (Tei) wrote:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
I feel uneasy about having my phone available to literally everyone on the internet.
There are various privacy options available when one registers a domain, generally a matter of checking a box and usually free.
-- -- End of message.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
"I don't see why there should not be a way to know who is publishing data on the Internet. In almost all other forms of communication, there is some accountability for the origination of information."
...in every other form of communication, the phrase "get a warrant" comes to mind. Except on the internet where we require the information to be public so that anyone and their dog can view it without a warrant.
"When you get into the business of "protecting" people from their own "oppressive" governments, you are also protecting "enemies and criminals" from another perspective."
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -A On Fri, Apr 20, 2018 at 12:33 PM Naslund, Steve <SNaslund@medline.com> wrote:
I don't see why there should not be a way to know who is publishing data on the Internet. In almost all other forms of communication, there is some accountability for the origination of information. Newspaper publishers are known, radio stations are usually licensed and publicly known, television is licensed as well. Your phone and Internet traffic is available to the government and law enforcement. People need to be held legally accountable for the information they present to the public otherwise you would have absolutely no recourse in the event that you were slandered, scammed, or otherwise harmed by this information. People being scared of their government is a real thing, however it is not up to the Internet to protect people from their own governments, that is a political problem not a technical one. Always think of the negative side of the argument. If a website was distributing unauthorized compromising photos of your children would you want them to be completely anonymous?
Think of how aggravated we all are with the spam we receive every day and how much you like spoofed caller ID data when you talk about anonymity.
Publishing information for access by the entire public should have some sort of accountability with it.
When you get into the business of "protecting" people from their own "oppressive" governments, you are also protecting "enemies and criminals" from another perspective. Most all nation states would have the ability to track the communications to their source in any case so all you are really doing is protecting the data from the public.
It would appear to me that the ICANN proposal is nothing more than a means to monetize what used to be public data. Why should Google have all the fun?
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of bzs@theworld.com Sent: Friday, April 20, 2018 2:11 PM To: Tei Cc: nanog@nanog.org Subject: Re: Is WHOIS going to go away?
On April 20, 2018 at 12:03 oscar.vives@gmail.com (Tei) wrote:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
I feel uneasy about having my phone available to literally everyone on the internet.
There are various privacy options available when one registers a domain, generally a matter of checking a box and usually free.
-- -- End of message.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
"I don't see why there should not be a way to know who is publishing data on the Internet. In almost all other forms of communication, there is some accountability for the origination of information."
...in every other form of communication, the phrase "get a warrant" comes to mind.
Except on the internet where we require the information to be public so that anyone and their dog can view it without a warrant.
This last statement is entirely untrue. WHOIS provides information as to the PUBLISHER (such as one would find on the masthead of a newspaper). This is, ought to be, and should remain, public information.
You still need to "get a warrant" (or a rubber hose) as you so quaintly put it to ascertain the origination of the information published.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Fri, Apr 20, 2018 at 12:53 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
This last statement is entirely untrue. WHOIS provides information as to the PUBLISHER (such as one would find on the masthead of a newspaper). This is, ought to be, and should remain, public information.
Oh, so I'm a newspaper now? Or are you telling me there's some magical setting in media publishing that prevents someone from hitting 'print' without attaching an identifying masthead?
I as an individual should be able to register whatever site I want without filing to become a corporation to protect my identity from nutjobs on the internet if I so desire. Anyone with legal concerns about the content I might publish can hire a lawyer, get a warrant, and reveal who owns xyz.tld. Not that registering as a corporation protects your private identity either. But in all other forms of media I *can* protect my identity. I can publish a podcast, get interviewed by the news media with my face blurred, type up a crazy manifesto and distribute leaflets through town, take out an Ad in a newspaper, etc...
You still need to "get a warrant" (or a rubber hose) as you so quaintly put it to ascertain the origination of the information published.
Am I misunderstanding the incessant yearly emails I get from my registrar warning me that I better be using valid information? What part of whois requires a warrant to view that information? -A
On April 20, 2018 at 20:36 nanog@nanog.org (Aaron C. de Bruyn via NANOG) wrote:
On Fri, Apr 20, 2018 at 12:53 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
This last statement is entirely untrue. WHOIS provides information as to the PUBLISHER (such as one would find on the masthead of a newspaper). This is, ought to be, and should remain, public information.
Oh, so I'm a newspaper now? Or are you telling me there's some magical setting in media publishing that prevents someone from hitting 'print' without attaching an identifying masthead?
To a great extent the current situation has evolved due to the evolution of inexpensive always-on internet links and the rise of hosting companies.
Prior to this one might pick up a vanity domain but for most individuals having an actual, functioning web site was prohibitively expensive.
This situation was why we first had the rise of services like wordpress and myspace, and for that matter flickr and pinterest etc, where one could host their relatively non-commercial activity (or very tiny commercial activity, their garage band etc) for almost no cost.
Facebook still caters to that -- non-domain siting (pages, groups), but at this point for other reasons namely their own large ecosystem. But by and large it also arose from the same basic business model.
It wasn't the domain per se so much as the always available hosting. Similar can be said for a lot of "the cloud".
But domains pointing at personal web sites or even just email still have their appeal, clearly, around 300M have been sold.
This wasn't a problem previously because commercial interests were required by law (in most countries) to provide clear contact info anyhow, and why wouldn't they unless they were dishonest or very unusual.
But now that they have managed to sell many millions of cheap domains to non-commercial interests the issue of "privacy" arises almost entirely from that trend.
But crippling WHOIS won't achieve privacy. If anyone believes that isn't true show me the warranty.
At best it will just raise the barrier of entry to your "privacy" a little.
And one breach and it's gone anyhow.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Actually, I doubt that there are any "real" people with vanity domains behind this move. I suspect that it is the scammers and spammers who want to hide their information for very good reason.
And of course, the "powers of the EU" seem to be in cahoots with those scammers and spammers (if they are not the scammers and spammers who themselves are wanting to hide).
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: bzs@TheWorld.com [mailto:bzs@TheWorld.com] Sent: Saturday, 21 April, 2018 14:35 To: Aaron C. de Bruyn Cc: Keith Medcalf; nanog@nanog.org Subject: Re: Is WHOIS going to go away?
On April 20, 2018 at 20:36 nanog@nanog.org (Aaron C. de Bruyn via NANOG) wrote:
On Fri, Apr 20, 2018 at 12:53 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
This last statement is entirely untrue. WHOIS provides information as to the PUBLISHER (such as one would find on the masthead of a newspaper). This is, ought to be, and should remain, public information.
Oh, so I'm a newspaper now? Or are you telling me there's some magical setting in media publishing that prevents someone from hitting 'print' without attaching an identifying masthead?
To a great extent the current situation has evolved due to the evolution of inexpensive always-on internet links and the rise of hosting companies.
Prior to this one might pick up a vanity domain but for most individuals having an actual, functioning web site was prohibitively expensive.
This situation was why we first had the rise of services like wordpress and myspace, and for that matter flickr and pinterest etc, where one could host their relatively non-commercial activity (or very tiny commercial activity, their garage band etc) for almost no cost.
Facebook still caters to that -- non-domain siting (pages, groups), but at this point for other reasons namely their own large ecosystem. But by and large it also arose from the same basic business model.
It wasn't the domain per se so much as the always available hosting. Similar can be said for a lot of "the cloud".
But domains pointing at personal web sites or even just email still have their appeal, clearly, around 300M have been sold.
This wasn't a problem previously because commercial interests were required by law (in most countries) to provide clear contact info anyhow, and why wouldn't they unless they were dishonest or very unusual.
But now that they have managed to sell many millions of cheap domains to non-commercial interests the issue of "privacy" arises almost entirely from that trend.
But crippling WHOIS won't achieve privacy. If anyone believes that isn't true show me the warranty.
At best it will just raise the barrier of entry to your "privacy" a little.
And one breach and it's gone anyhow.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Apr 21, 2018, at 2:47 PM, Keith Medcalf <kmedcalf@dessus.com> wrote:
Actually, I doubt that there are any "real" people with vanity domains behind this move. I suspect that it is the scammers and spammers who want to hide their information for very good reason.
And of course, the "powers of the EU" seem to be in cahoots with those scammers and spammers (if they are not the scammers and spammers who themselves are wanting to hide).
I also think more fine-grained control of the data would satisfy many needs. E.g., for my own domains, for the purposes of contacting me to deal with abuse (or insanely large but unlikely buyout offers), all you need is an email contact address. I can put my personal or company name out there, along with a working email address, and still not hand over my home address, phone numbers, etc. For domains backing consumer-facing companies, they would likely want to expose more information. There is no one-size-fits-all here. And that's where the EU is losing credibility. --lyndon
...in every other form of communication, the phrase "get a warrant" comes to mind. Except on the internet where we require the information to be public so that anyone and their dog can view it without a warrant.
Wrong on several counts. You can publicly access the records of who owns every radio station, television station, and newspaper in the US and a lot of other countries. All of those organizations are REQUIRED by law to file ownership statements. Every periodical published in the United States has a block in it identifying the publisher. Every book sold has a publisher listed even if the author chooses to remain anonymous. It is a violation of the law for a telemarketer to call you without identifying themselves (which is what we complain about with phone scammers).
Get a warrant only applies to communications (like your phone calls and your personal Internet traffic) that have a reasonable expectation of privacy. If you are in the public square shouting to the world you have no expectation of anonymity and you can actually be held responsible for false statements about another individual. A publicly accessible website’s published pages would not have any expectation of privacy whatsoever. Besides we are talking about identification of ownership of a communications site not the communications going through it. Just because I have your WHOIS data does not mean I have root access to your server. The government needs a warrant to listen to your phone calls but not to know you have a phone and where it is. We are not letting people monitor your traffic through WHOIS, we are only identifying who is responsible for all communications coming from that site.
Another point is that “get a warrant” does not apply in totalitarian countries in any case. Try saying get a warrant in North Korea or China. Pretty moot point there.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
No one ever had the liberty of publishing information to the public without accountability. There are tons of laws protecting you from false statements and communications intended to harm your reputation or damage your business.
You are giving up an essential liberty here which is knowing who is saying what about you. Do you not want the right to know the sources of information presented to the public? Do you think I should be able to post anything I want about you in the public square without accountability? Can I put up a billboard criticizing you personally and keep my identity a complete secret? Might it be nice to know that the source of political news might have an axe to grind or an ideological bent, would you like to know that the news story you just read was actually from an opposition candidate? Are we not making a huge deal about Russia messing around with elections and trolling? How would you ever know that was going on with no accountability of the source of information?
The whole protecting you from the government point is nothing but a straw man. There is no nation state that does not have enough resources to recover that information from you or your communications carrier. Even if your traffic is encrypted, it is trivial to figure out who is posting to social media or underground websites via other intelligence or simple traffic analysis. They can deny their entire populations access to just about any communications media they like. Most of them don’t because it is actually a more lucrative source of intelligence than a threat. If you are a dissident I might be better off leaving you on the Internet and trying to map your network of people even though it would be easy to just interrupt your comms.
From a technical perspective, the domain naming system and Internet addressing system are assets you do not own. They are assigned to you and are considered a type of resource under quasi governmental control. If you keep WHOIS data secret all you are really doing is keeping the public out and the government in. Do you really believe that ICANN will stand up to the world governments if they ask for the data? If so, you probably also believe that the UN is effective at keeping the world at peace.
Steven Naslund Chicago IL
"Wrong on several counts. You can publicly access the records of who owns every radio station, television station, and newspaper in the US and a lot of other countries. "
You can't access their *sources* without a warrant. You seem to be conflating private individuals with corporations.
"No one ever had the liberty of publishing information to the public without accountability."
That's provably false. I can type whatever I want, hit print, and scatter it around town unobserved at 3 AM.
"The whole protecting you from the government point is nothing but a straw man."
That's not what I'm advocating. If whois disappeared entirely tomorrow, it wouldn't protect me from government. But it *would* protect me from crazy nutjobs.
"Do you really believe that ICANN will stand up to the world governments if they ask for the data?"
Obviously not. But there's nothing I can do about it except tell them to come back with a warrant. There *is* something I can do to help limit the ability of crazy nutjobs to find out my information so they can visit my home and harass my family.
Anyways, I think this has rambled on long enough.
-A
On Fri, Apr 20, 2018 at 1:55 PM Naslund, Steve <SNaslund@medline.com> wrote:
...in every other form of communication, the phrase "get a warrant" comes to mind. Except on the internet where we require the information to be public so that anyone and their dog can view it without a warrant.
Wrong on several counts. You can publicly access the records of who owns every radio station, television station, and newspaper in the US and a lot of other countries. All of those organizations are REQUIRED by law to file ownership statements. Every periodical published in the United States has a block in it identifying the publisher. Every book sold has a publisher listed even if the author chooses to remain anonymous. It is a violation of the law for a telemarketer to call you without identifying themselves (which is what we complain about with phone scammers).
Get a warrant only applies to communications (like your phone calls and your personal Internet traffic) that have a reasonable expectation of privacy. If you are in the public square shouting to the world you have no expectation of anonymity and you can actually be held responsible for false statements about another individual. A publicly accessible website’s published pages would not have any expectation of privacy whatsoever. Besides we are talking about identification of ownership of a communications site not the communications going through it. Just because I have your WHOIS data does not mean I have root access to your server. The government needs a warrant to listen to your phone calls but not to know you have a phone and where it is. We are not letting people monitor your traffic through WHOIS, we are only identifying who is responsible for all communications coming from that site.
Another point is that “get a warrant” does not apply in totalitarian countries in any case. Try saying get a warrant in North Korea or China. Pretty moot point there.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
No one ever had the liberty of publishing information to the public without accountability. There are tons of laws protecting you from false statements and communications intended to harm your reputation or damage your business.
You are giving up an essential liberty here which is knowing who is saying what about you. Do you not want the right to know the sources of information presented to the public? Do you think I should be able to post anything I want about you in the public square without accountability? Can I put up a billboard criticizing you personally and keep my identity a complete secret? Might it be nice to know that the source of political news might have an axe to grind or an ideological bent, would you like to know that the news story you just read was actually from an opposition candidate? Are we not making a huge deal about Russia messing around with elections and trolling? How would you ever know that was going on with no accountability of the source of information?
The whole protecting you from the government point is nothing but a straw man. There is no nation state that does not have enough resources to recover that information from you or your communications carrier. Even if your traffic is encrypted, it is trivial to figure out who is posting to social media or underground websites via other intelligence or simple traffic analysis. They can deny their entire populations access to just about any communications media they like. Most of them don’t because it is actually a more lucrative source of intelligence than a threat. If you are a dissident I might be better off leaving you on the Internet and trying to map your network of people even though it would be easy to just interrupt your comms.
From a technical perspective, the domain naming system and Internet addressing system are assets you do not own. They are assigned to you and are considered a type of resource under quasi governmental control. If you keep WHOIS data secret all you are really doing is keeping the public out and the government in. Do you really believe that ICANN will stand up to the world governments if they ask for the data? If so, you probably also believe that the UN is effective at keeping the world at peace.
Steven Naslund Chicago IL
Steve,
I think you should re-examine the early history of the USA. Anonymous pamphleteering was the origin of our rebellion against England, with Benjamin Franklin and many of the other founding fathers publishing without their identities being registered anywhere. The Federalist Papers which form the basis for our system of government were published anonymously. It's a fundamental part of our liberties.
No COMMERCIAL publisher will do that himself, but any individual who wants to may do so. "Freedom of the Press is guaranteed only to those who own one", and with the Internet, for the first time in many years, it is again practical to publish anonymously.
It is the entrenched powers who want to require strict identification of all sources.
I refer you to the Electronic Frontier Foundation website, and to the Internet law blog, and the Reporters Committee for freedom of the press, and any good American History book for further information.
- Brian
On Fri, Apr 20, 2018 at 08:53:06PM +0000, Naslund, Steve wrote:
No one ever had the liberty of publishing information to the public without accountability. There are tons of laws protecting you from false statements and communications intended to harm your reputation or damage your business.
Steve,
I think you should re-examine the early history of the USA. Anonymous pamphleteering was the origin of our rebellion against England, with Benjamin Franklin and many of the other founding fathers publishing without their identities being registered anywhere. The Federalist Papers which form the basis for our system of government were published anonymously. It's a fundamental part of our liberties.
They did not in fact have the "right" to publish those pamphlets. They were in fact considered sedition by England. Just because something was done or seems correct does not make it a legal right. Freedom of speech is a right, anonymity is not a right, and privacy is not a right you have when you do things in public. That is simple well established law.
No COMMERCIAL publisher will do that himself, but any individual who wants to may do so. "Freedom of the Press is guaranteed only to those who own one", and with the Internet, for the first time in many years, it is again practical to publish anonymously.
And you would be violating the law if it was ruled that your publication was in fact a publication under the law. Freedom of the Press is not absolute because you do not have the right to violate MY rights by publishing slanderous materials, you do not have the right to communicate a threat. Publications are responsible for what they say. That is also well established law. Freedom of the Press does not equal right to anonymity.
It is the entrenched powers who want to require strict identification of all sources.
ICANN already has all of the data and they report to the world governments ultimately. ICANN is a non-profit corporation under California law so ultimately whatever they do is subject to US law and they could be compelled to comply with California or US court orders. I would say the powers that be already have the data.
I refer you to the Electronic Frontier Foundation website, and to the Internet law blog, and the Reporters Committee for freedom of the press, and any good American History book for further information. - Brian
I refer you to the LAW of whatever country you are in. They don't care what the EFF thinks and that blog won't keep you out of jail. Steven Naslund
On Fri, Apr 20, 2018 at 2:27 PM Naslund, Steve <SNaslund@medline.com> wrote:
They did not in fact have the "right" to publish those pamphlets.
Now we're way off-topic, but our constitution acknowledges that is a pre-existing right. The constitution didn't grant it to you. (Rights are inherent, privileges are granted) People have the right to speak, write, and publish whatever they want. -A
On Fri, Apr 20, 2018 at 6:35 PM, Aaron C. de Bruyn via NANOG <nanog@nanog.org> wrote:
On Fri, Apr 20, 2018 at 2:27 PM Naslund, Steve <SNaslund@medline.com> wrote:
They did not in fact have the "right" to publish those pamphlets.
Now we're way off-topic, but our constitution acknowledges that is a pre-existing right. The constitution didn't grant it to you. (Rights are inherent, privileges are granted)
People have the right to speak, write, and publish whatever they want.
-A
Free speech is not the same as anonymity in all jurisdictions. In mine, anonymity is forbidden by the constitution... in some, anonymity is considered part of free speech. Matching local laws to a global policy is a challenge. Rubens
On April 20, 2018 at 18:41 rubensk@gmail.com (Rubens Kuhl) wrote:
Free speech is not the same as anonymity in all jurisdictions. In mine, anonymity is forbidden by the constitution... in some, anonymity is considered part of free speech. Matching local laws to a global policy is a challenge.
That's a good point, but not creating policy which honors the lowest common denominator is also a big part of that challenge. I recall during the nTLD comments periods some strongly worded objections from members of the GAC* to several new TLD applications based only on reasoning such as homosexuality was illegal in their country so any nTLD which implied service to homosexuals (e.g., .GAY) was unacceptable. Homosexuality is explicitly illegal in over 70 countries or so The Goog tells me. Compare and contrast to GDPR which is the legal framework of a mere 27 countries (perhaps 28.)
* GAC: ICANN's Governmental Advisory Committee.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Now we're way off-topic, but our constitution acknowledges that is a pre-existing right. The constitution didn't grant it to you. (Rights are inherent, privileges are granted)
People have the right to speak, write, and publish whatever they want.
-A
Our Constitution does not equal worldwide law and that is what we are really talking about here. They were under British law before the Declaration of Independence (and it was vague until the war concluded). So they did not have that right under the current law in their jurisdiction. They were in fact criminals at the time. I don’t think that was right but it was the fact. You are way off base in your argument here because I am not disputing that you have the right to publish whatever you want on the Internet. Go ahead and put up any web site you like. I am just saying that you do NOT have the right to privacy when broadcasting information in a public forum. No broadcast media is private by definition.
Steven Naslund Chicago IL
Now we're way off-topic, but our constitution acknowledges that is a pre-existing right. The constitution didn't grant it to you. (Rights are inherent, privileges are granted)
People have the right to speak, write, and publish whatever they want.
-A
Steve, I believe you are mistaken as to current law in the USA: The Supreme Court has ruled repeatedly that the right to anonymous free speech is protected by the First Amendment. A frequently cited 1995 Supreme Court ruling in McIntyre v. Ohio Elections Commission reads: Anonymity is a shield from the tyranny of the majority... Google for that phrase "anonymity is a shield from the tyranny of the majority" to see more references. I'll drop the discussion here, as it's likely to only continue down the rathole and I've said my piece. - Brian
Whois contact details need to work so you can contact the zone owner when the DNS is broken for the zone. Publishing Whois data in the zone does not work for this purpose. This is not to discount other reasons for having an independent communications channel. -- Mark Andrews
On 21 Apr 2018, at 08:17, Brian Kantor <Brian@ampr.org> wrote:
Steve,
I believe you are mistaken as to current law in the USA:
The Supreme Court has ruled repeatedly that the right to anonymous free speech is protected by the First Amendment. A frequently cited 1995 Supreme Court ruling in McIntyre v. Ohio Elections Commission reads: Anonymity is a shield from the tyranny of the majority...
Google for that phrase "anonymity is a shield from the tyranny of the majority" to see more references.
I'll drop the discussion here, as it's likely to only continue down the rathole and I've said my piece. - Brian
On Fri, Apr 20, 2018 at 7:38 PM, Mark Andrews <marka@isc.org> wrote:
Whois contact details need to work so you can contact the zone owner when the DNS is broken for the zone.
Publishing Whois data in the zone does not work for this purpose.
This is not to discount other reasons for having an independent communications channel.
Note that the current draft gTLD WHOIS mechanism to abide by GDPR includes a communications channel that one can use to contact a domain owner, a web form. So this ability is not being taken away for specific domains. But if someone finds out a vulnerability and needs a mass-scale delivery system to notify affected parties, then this wouldn't work. Also of notice is that if DNS resolution is working, a website or mail services points to an IP address somewhere. And that still provides reachability. So except for the broken DNS zone use case, a good number of cases have other means to achieve the same goals. Rubens
On April 21, 2018 at 08:38 marka@isc.org (Mark Andrews) wrote:
Whois contact details need to work so you can contact the zone owner when the DNS is broken for the zone.
Publishing Whois data in the zone does not work for this purpose.
This is not to discount other reasons for having an independent communications channel.
That's actually an excellent point and counterpoint to my suggestion to move the WHOIS information into DNS RRs. But backup and failover are reasonably well understood technologies where one cares. Registrars could for example cache copies of those zone records and act as failover whois servers. In practice the vast majority, by number though not criticality, would be served by registrars anyhow as that's where most domain owners' zone info etc is anyhow. And many more valuable applications use various DNS backup services now. Nonetheless the point you raise would need to be on any requirements list for the change I suggest (move WHOIS into the DNS) and would need to be addressed. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Apr 21, 2018, at 1:58 PM, bzs@theworld.com wrote:
That's actually an excellent point and counterpoint to my suggestion to move the WHOIS information into DNS RRs.
But backup and failover are reasonably well understood technologies where one cares. Registrars could for example cache copies of those zone records and act as failover whois servers.
Instead of putting the contact info directly into the DNS, put pointers to the locations of the data instead. I.e. whois moves off dedicated ports and hardwired servers and into zone-controlled SRV records:

    _whois._tcp.orthanc.ca SRV 0 0 43 orthanc.ca.
                           SRV 5 0 43 backup.otherdomain.example.com.

This gives each zone control of the information they want to export (by directing whois(1) to what they consider to be authoritative servers).

The domain owners themselves could control the information they chose to expose to the public, through the SRV records, and the information they chose to publish in the whois servers those records point at. If the domain owner is happy with their (say) registrar providing that information, they would just point the appropriate SRV record at the registrar. This is no different from how people handle email outsourcing via MX records.

The idea that whois is in any way authoritative is long gone. Those who want to hide have been able to do that for ages. (I think I pay $15/year to mask some of the domains I control.) But for law enforcement, a warrant will always turn up the payment information used to register a domain, should the constabulary want to find that information out. And for court proceedings, whois data is useless. (I speak from $WORK experience.)

--lyndon
On Apr 21, 2018, at 2:27 PM, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
But backup and failover are reasonably well understood technologies where one cares. Registrars could for example cache copies of those zone records and act as failover whois servers.
Sorry! I left out the last line that was the point of my diatribe. Using SRV to point to multiple domain-specific whois servers eliminates the caching problem Barry raised.
You have a logic fail. This fails because it STILL depends on the DNS for the zone working. -- Mark Andrews
On 22 Apr 2018, at 07:27, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
On Apr 21, 2018, at 1:58 PM, bzs@theworld.com wrote:
That's actually an excellent point and counterpoint to my suggestion to move the WHOIS information into DNS RRs.
But backup and failover are reasonably well understood technologies where one cares. Registrars could for example cache copies of those zone records and act as failover whois servers.
Instead of putting the contact info directly into the DNS, put pointers to the locations of the data instead. I.e. whois moves off dedicated ports and hardwired servers and into zone-controlled SRV records:
    _whois._tcp.orthanc.ca SRV 0 0 43 orthanc.ca.
                           SRV 5 0 43 backup.otherdomain.example.com.
This gives each zone control of the information they want to export (by directing whois(1) to what they consider to be authoritative servers).
The domain owners themselves could control the information they chose to expose to the public, through the SRV records, and the information they chose to publish in the whois servers those records point at. If the domain owner is happy with their (say) registrar providing that information, they would just point the appropriate SRV record at the registrar. This is no different from how people handle email outsourcing via MX records.
The idea that whois is in any way authoritative is long gone. Those who want to hide have been able to do that for ages. (I think I pay $15/year to mask some of the domains I control.) But for law enforcement, a warrant will always turn up the payment information used to register a domain, should the constabulary want to find that information out. And for court proceedings, whois data is useless. (I speak from $WORK experience.)
--lyndon
On Apr 21, 2018, at 3:48 PM, Mark Andrews <marka@isc.org> wrote:
You have a logic fail. This fails because it STILL depends on the DNS for the zone working.
If the DNS fails to that extent, everything fails. I was addressing the single application endpoint point-of-failure. But from a practical standpoint, you're probably right :-( --lyndon
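The SRV proposal and the objection to it in the messages above, as an added example that is not part of the thread: a client that orders `_whois._tcp` targets per RFC 2782 and shows what is left when the zone's own DNS is broken. The zone text is constructed from the two records quoted above; the fallback server name and all function names are hypothetical.

```python
import random

# Constructed zone data mirroring the two SRV records quoted in the thread.
ZONE_TEXT = """\
_whois._tcp.orthanc.ca. SRV 0 0 43 orthanc.ca.
_whois._tcp.orthanc.ca. SRV 5 0 43 backup.otherdomain.example.com.
"""
# Hypothetical out-of-zone server (e.g. run by the registrar), an assumption.
OUT_OF_ZONE_FALLBACK = ("whois.registrar.example", 43)

def parse_srv(text):
    """Parse 'owner SRV priority weight port target' lines into dicts."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1].upper() != "SRV":
            continue  # skip anything that is not a complete SRV line
        owner, _, prio, weight, port, target = fields
        records.append({"owner": owner.lower(), "priority": int(prio),
                        "weight": int(weight), "port": int(port),
                        "target": target.rstrip(".").lower()})
    return records

def order_targets(records, rng=random):
    """RFC 2782 order: lowest priority first, weighted random within a priority."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        # Weight-0 records go first so they are only rarely selected.
        group = sorted((r for r in records if r["priority"] == prio),
                       key=lambda r: r["weight"] != 0)
        while group:
            pick = rng.uniform(0, sum(r["weight"] for r in group))
            running = 0
            for r in group:
                running += r["weight"]
                if running >= pick:
                    break
            ordered.append((r["target"], r["port"]))
            group.remove(r)
    return ordered

def whois_servers(domain, zone_text, zone_dns_ok=True):
    """Servers to try, in order. A broken zone returns no SRV answer at all,
    so only a channel that does not depend on the zone remains."""
    owner = f"_whois._tcp.{domain.lower()}."
    if zone_dns_ok:
        found = [r for r in parse_srv(zone_text) if r["owner"] == owner]
        if found:
            return order_targets(found)
    return [OUT_OF_ZONE_FALLBACK]
```

With `zone_dns_ok=False` the backup target listed in the zone is never reached, because the record naming it cannot be resolved; that is the dependency the objection points at.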
On Fri, 20 Apr 2018 20:53:06 -0000, "Naslund, Steve" said:
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
No one ever had the liberty of publishing information to the public without accountability.
You are giving up an essential liberty here which is knowing who is saying what about you. Do you not want the right to know the sources of information presented to the public?
https://en.wikipedia.org/wiki/The_Federalist_Papers It's a good thing that those were stamped out and not made widely available because they were written anonymously, isn't it?
On Fri, Apr 20, 2018 at 07:31:20PM +0000, Naslund, Steve wrote:
I don't see why there should not be a way to know who is publishing data on the Internet.
+1 for this and what follows. Allow me, please, to piggyback on it with a similar thought: With great power, comes great responsibility. There is no difference between someone who runs a global network or a worldwide collection of datacenters, and someone who runs a tiny web server or a single domain, other than scale. Both of them enjoy extraordinary power, power that was difficult to imagine even for people with reliable and accurate crystal balls, a quarter century ago. They both operate a piece of the Internet that we share. And they are both responsible to each other -- whatever that means in context. They have to be accountable, because when people are unaccountable we get spam factories and network hijacking and DoS attacks and all the other myriad crap that chews up enormous amounts of time and money. This responsibility, this accountability isn't for everyone. And that's fine. But anyone who isn't up for it *should not sign up to operate a piece of the Internet*. There are a zillion other ways to participate without becoming an operator. ---rsk
On Fri, 20 Apr 2018 12:03:37 +0200, Tei said:
Maybe a good balance for whois is to include organization information so I know where a website is hosted, but not personal information, so I can't show in their house and steal their dog.
In many cases, the *OWNER* of a website doesn't have any real idea where their website is hosted
On Thu, Apr 19, 2018 at 05:57:48PM -0400, bzs@theworld.com wrote:
One of the memes driving this WHOIS change is the old idea of "starving the beast".
People involved in policy discussions complain that "spammers" -- many only marginally fit that term other than by the strictest interpretation -- use the public WHOIS data to contact domain owners.
I've countered that 20+ years experience trying to "starve the beast" by trying to deny them access to email and other casual contact info has proven the approach to be useless.
I've been trying to kill this same meme for years, and it just won't die. It's related to the equally-silly meme that says that email/newsgroup archives should have the addresses of participants obfuscated, and it's just as wrong. Let me make yet one more likely-futile effort:

1. WHOIS data is a poor source of email addresses. It always has been. Much richer ones exist and new ones show up all day, every day. The same can be said for mailing list/newsgroup archives. Moreover, many of those people are poor choices as victims.

2. Those much richer sources include (and this is far from exhaustive):

- subscribing to mailing lists
- acquiring Usenet news feeds
- querying mail servers
- acquiring corporate email directories
- insecure LDAP servers
- insecure AD servers
- use of backscatter/outscatter
- use of auto-responders
- use of mailing list mechanisms
- use of abusive "callback" mechanisms
- dictionary attacks
- construction of plausible addresses (e.g. "firstname.lastname")
- purchase of addresses in bulk on the open market.
- purchase of addresses from vendors, web sites, etc.
- purchase of addresses from registrars, ISPs, web hosts, etc.
- domain registration (some registrars ARE spammers)
- misplaced/lost/sold media
- harvesting of the mail, address books and any other files present on any of the hundreds of millions of compromised systems

annnnnnd

- the security breach/dataloss incident of the day

3. The bottom line is that, starting about 15 years ago, it became effectively impossible to keep any email address *that is actually used* away from spammers. [1] Simultaneously, it became a best practice to assume this up front and design defenses accordingly.

4. You know who is best-protected by restrictions on WHOIS and obfuscated domain registration? Spammers, phishers, typosquatters, and other abusers. It's not a coincidence that the number of malicious domains has skyrocketed as these practices have spread. (And "skyrocket" is not an exaggeration. I've been studying abuser domains for 15+ years and I have no hesitation saying that easily 90% of all domains are malicious. And that's likely a serious understatement. Why? Because whereas you and I and other NANOG-ish people register one here, one there, whether for professional or personal or other use, abusers are registering them by the tens of thousands and more. Much more.)

---rsk

[1] Yes, there are edge cases. I *know*.
participants (21)
- Aaron C. de Bruyn
- Badiei, Farzaneh
- Brian Kantor
- bzs@theworld.com
- Christian de Larrinaga
- DaKnOb
- Filip Hruska
- Florian Weimer
- John Levine
- Keith Medcalf
- Lyndon Nerenberg
- Mark Andrews
- Matt Harris
- Naslund, Steve
- Rich Kulawiec
- Rubens Kuhl
- Scott Schmit
- Stephen Satchell
- Suresh Ramasubramanian
- Tei
- valdis.kletnieks@vt.edu