Congressional Hearings on WHOIS
-
'It seems eminently clear to me that websites conducting e-commerce have little "right to privacy". . .[however] isn't political speech worth protecting by redacting the personally identifiable contact information for the website owner?' -- Rep. Howard Berman (D-CA)
-
'Given that the compilers of marketing lists have for years used Whois registration information as a source of personal information (in some cases scavenged free, in others bought from registrars), concerns over the data privacy are well justified. Most people avoid putting their home address on their web sites, and they should be able to register a domain name without effectively giving up this precaution. The public policy objective of privacy law is to preserve the individual's right to privacy, while still permitting societal participation.' -- Dr. Jason Catlett, President and CEO, Junkbusters Corp
-
'As it stands today an accredited domain name registrar is not required to allow domain name registrants to opt-out of having their personal information provided to third parties for marketing purposes. This type of an opt-out should be provided to all registrants.' -- Lori Fena, Chairman of the Board, TrustE
-
'In 2000, the IDSA used authority provided in the Digital Millennium Copyright Act (DMCA) to achieve approximately 3000 "takedowns" of infringing material on the Internet. Over the last year we also filed 10 civil lawsuits against Internet pirates as enforcement actions on behalf of our members, assisted in additional actions brought by member companies, and made a number of criminal referrals to law enforcement. This is in addition to thousands more takedowns and numerous lawsuits initiated individually by our member companies. These accomplishments are reflective of similar successes reported by the other copyright-based industries. DMCA self-help allows us to reduce to a fraction the losses we would suffer if limited only to court-imposed process and remedies. These efforts are made much less effective without the unrestricted access we currently have to WHOIS data, including contact information regarding domain name registrants.' -- Stevan D. Mitchell, Vice President, Intellectual Property Policy, Interactive Digital Software Association
-
'In fact, if anything, the I[nternational]A[nti]C[ounterfeiting] C[oalition] believes that registrants should be required to improve their performance in insuring that domain name registrants provide correct and updated information. Because a person (legal or individual) voluntarily chooses to be present on the Internet, the identity and contact information of domain name registrants are entitled to no more privacy protection than are a business or home addresses in the physical world.' -- Timothy P. Trainer, President, International AntiCounterfeiting Coalition (IACC)
-
'The breadth of these issues indicates that Congress should not act too quickly. We are dealing simultaneously with intellectual property rights, privacy rights, and free speech rights and cannot simply play a legislative game of [rock, scissors, paper] to figure which one should win in the end.' -- Rep. John Conyers, Jr. (D-MI)
Additional information:
http://www.house.gov/judiciary_democrats/internetprivacyhrgstmt71201.pdf
If you think your privacy is so important, you need to get over yourself. No one gives a damn about you, personally; unless they know you, in which case what does the privacy serve?
Maybe other people just attract more attention than I do, or seem more enjoyable to victimize, or something of that sort. Or maybe people just watch too many news specials on the TV, and haven't learned that most of the world isn't out to get you. And if you have a problem with a specific person, deal with that person -- hiding from the entire world is not really justified unless you went state's evidence or are hiding from the law.
And this isn't a big privacy concern -- it's not like WHOIS has records of sexual activity or brain scans. It's just a freaking address.
Um, that's what they're thinking about changing...
'In fact, if anything, the I[nternational]A[nti]C[ounterfeiting] C[oalition] believes that registrants should be required to improve their performance in insuring that domain name registrants provide correct and updated information. Because a person (legal or individual) voluntarily chooses to be present on the Internet, the identity and contact information of domain name registrants are entitled to no more privacy protection than are a business or home addresses in the physical world.' -- Timothy P. Trainer, President, International AntiCounterfeiting Coalition (IACC)
--
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
> to have responsibility. Having the ability to,
> with one command, get an email address, phone
> number, and snail mail address of someone
> responsible for every IP and domain on the
> internet is invaluable.
I was initially thinking the exact same thing you did... then i changed my mind. We don't need the contact info for every domain.. just every IP. Remember (for us machines at least), there's two different whois registries, the ARIN registries (important), and the general one for domain names (not important for anyone other than domain squatters).
For hack attempts/openrelays/general troublemakers, we don't need the contact info from the general domain database... we get it from ARIN database.
Imho, being able to be 'unlisted' from the domain registry database is just fine... because it doesn't really serve any particular purpose, hell half the time it's not even correct info. With ARIN's database, the information *has* to be correct, because ARIN *has* to be sending them a hugeass (multi thousands of dollars) bill every year.
ARIN is responsible for allocating IPs for people/businesses on a large scale (in north america). If you're a big corporation, or even a medium sized ISP, you apply to ARIN to get IP blocks. (The smallers just use the ipblocks of their upstream provider.)
ARIN provides a database of every routeable IP that it has given out, so at any given time, i can, from a person's IP, look up his provider and instantly get their (as in their ISP's, necessarily the user's themselves) name/address/phone number. This is incredibly useful for spamcontrol and/or scriptkiddiecontrol.
Contrast this with the domainname registry, which holds the registration information for like who owns 'foo.com'. As long as i'm not planning to buy foo.com (and my pocketbook says i'm not), i have no reason to need this information. If there is a problem originating in the foo.com domain, that's great, but i'm getting the contact info from the ARIN registry, because 1) it's probably more correct, and 2) reverse dns isn't necessarily authoritative, ie i could make my machine reverse lookup to foo.com, even though i don't own the foo.com itself. Granted my forward/reverse wouldn't match, but when was the last time you've seen an apache setup that required them to.
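An added example, not part of any comment in this thread: the triage described above, where the abuse contact comes from the IP registry's netblock record and the reverse-DNS name is trusted only if it resolves back to the same address. The WHOIS reply, the DNS data, the organisation and the helper names are all constructed for illustration; only the `Key: value` layout and field names follow ARIN's WHOIS output.

```python
import ipaddress
import socket

# Constructed sample in the "Key: value" layout of an ARIN WHOIS reply.
# 192.0.2.0/24 is a documentation range; the organisation is made up.
SAMPLE_ARIN_REPLY = """\
# ARIN WHOIS data (constructed sample)
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Transit Provider
OrgAbuseEmail:  abuse@provider.example
OrgAbusePhone:  +1-555-0100
"""

# Constructed DNS data: 192.0.2.77 publishes a PTR claiming foo.com,
# but foo.com's own A record points somewhere else.
PTR = {"192.0.2.77": ["foo.com"], "192.0.2.10": ["mail.provider.example"]}
A = {"foo.com": ["198.51.100.5"], "mail.provider.example": ["192.0.2.10"]}


def query_whois(server, query, timeout=10):
    """Plain WHOIS exchange (RFC 3912): send one line on TCP/43, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists, skipping comments."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def abuse_contact(ip, whois_text):
    """Return the netblock's abuse contact, or None if the IP is outside it."""
    rec = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    cidrs = [c.strip() for entry in rec.get("CIDR", []) for c in entry.split(",")]
    if not any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
        return None
    return {
        "org": rec.get("OrgName", [None])[0],
        "email": rec.get("OrgAbuseEmail", [None])[0],
        "phone": rec.get("OrgAbusePhone", [None])[0],
    }


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """True only if some PTR name of the IP resolves back to that same IP."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in {ipaddress.ip_address(a) for a in a_lookup(name)}
        for name in ptr_lookup(ip)
    )


def triage(ip, whois_text=SAMPLE_ARIN_REPLY):
    """Summarise what can be trusted about a source IP seen in a log."""
    return {
        "ptr": PTR.get(ip, []),
        "ptr_trusted": forward_confirmed(
            ip, lambda i: PTR.get(i, []), lambda n: A.get(n, [])),
        "contact": abuse_contact(ip, whois_text),
    }
```

For a live lookup, `query_whois("whois.arin.net", ip)` would supply the text that `abuse_contact` parses; the offline sample stands in for it here.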
...the identity and contact information of domain name registrants are entitled to no more privacy protection than are a business or home addresses in the physical world.
First of all, are identity and contact information entitled to anything? I don't know about you, but my telephone number doesn't have any rights. I have the right to disclose or not to disclose information, but information itself has no rights. Second, assuming that Timothy P. Trainer was actually referring to the rights of registrants, and the responsibility of REGISTRARS to ENSURE that registrants provide accurate and current information, I now must ask whether he thinks that registrants somehow exist in the incorporeal world, and regular folks exist in the physical world? That's what his words imply.
As a registrant, I want to assure him that I am just a normal guy who is distinguished only by having information in the WHOIS database. I assume that the same applies to most registrants.
However, back to the question of privacy: I happen to largely agree with Timothy P. Trainer. Can the editor of the Washington Post keep his identity and contact information private? Did we allow Bill to keep his blowjob private? Do paparazzi allow celebrities to escape from their candid photos? Doesn't the public almost always relentlessly claim the right to know, regardless of how empty that knowledge frequently is?
Neopets - the best free game on the Int
One database for domain names, and one for IP addresses.
;-), I think it's essential that the IP address database has full accurate contact information (including phone numbers and email addresses). IP addresses are normally registered by providers, so there are fewer privacy issues involved (read: hardly any, basically it belongs to their job of providing a network connection for their clients).
While I can understand privacy concerns associated with the domain name database (and concerns of companies that they reveal some pieces of their business plans because they have registered some domain name
It would be a real pity if both databases were treated the same way by some well-meaning politicians. The IP address WHOIS database is a valuable tool in tracking down net abuse, of course. Abolishing it or reducing the provided contact information could have a negative impact on the net as a whole.
Disadvantages:
You cannot pick up a phone and call a responsible person. You have no second avenue to contact a person, say, if someone was forging their domain name. If someone from your domain is spamming and blocking traffic, you cannot be easily contacted to do the right thing.
Put it another way. I can go to City Hall and find out who owns every piece of property in the city. With the current system, I can find out who owns every piece of cyberspace. It seems eminently reasonable. It also lets you know which of your neighbors are responsible citizens, and which ones spam, and which ones run porno sites. Ownership bears SOME responsibility. Making domain ownership anonymous reduces this responsibility, and I can see good and bad things that would result.
Did the editors decide to replace the term "Rohambo" with the more commonly recognized term?
Let's see, yes. First I kick the house majority leader in the nuts as hard as I can....
---
/bin/fortune | slashdotsig.sh
I mean, I have no say in the matter, I didn't elect them. And yet they will decide on which of my personal details will be made available?
jalalski,
.sig available on 'Need To Know' basis only!
Given that the primary purpose of WHOIS is to publish site operational points-of-contact, to aid in tracking down problems, I find interesting that none of the witnesses were representatives of Internet service providers. Apparently the committee doesn't care about whether WHOIS can serve its intended purpose (before or after any legislation which Congress might enact) - they only care about whether WHOIS can be used for unintended purposes.
I use the WHOIS database to find out who's responsible when I get spammed or when I detect a hacking attempt. Fact is, having a bunch of anonymous thirteen year old kids running around DoSing people, or having assholes kill your mail server with a million "FREE HOT XXX" messages is bad enough. If they're able to do it with impunity, never having to worry about their ISP getting a phone call, it'll be out of control.
We continue to discover that the trust based internet simply does not work. There are too many shitholes willing to take advantage of it. The only way we can have any sort of order is to have responsibility. Having the ability to, with one command, get an email address, phone number, and snail mail address of someone responsible for every IP and domain on the internet is invaluable.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''
Moreover, if you are found guilty of copyright infringement, deliberately false information in WHOIS will be considered as evidence of willful premeditation on your part. (Much like wearing a ski mask during a robbery indicates that you have planned to carry out the crime.)
Your 'solution' is to make every 'net copyright infringement involve at least one federal lawsuit + a private investigation, both of which are exceedingly expensive. And this is supposed to help individuals and small companies? Generally speaking, any 'solution' that involves making information expensive and difficult to obtain does not help the little guy.
(If you're worried about being 'harassed' for saying things on the Internet, either shut up or grow a spine. If you aren't willing to take flack over what you say, then by your own measure it wasn't worth saying.)
-- ;-)
Kuro5hin.org: where the good times never end.
In the European Union, you have that right under the Privacy Directive.
... so why must americans continue discussing these issues as internal matters? The Internet is widely used by ALL nations of the world. ANYONE around the world is capable of registering a domain name and domain registrars aren't limited to American companies.
Think about what countries like China and India will begin demanding as their net usage rises. Between them, they account for nearly 40% of the world population. I highly doubt they'll allow this behavior to continue as is quietly
kill_9_1
Oh they still go to court. They just don't like the feeling of bringing a lawsuit against fifteen John Does.
icqqm [ICQ:11952102]
There's nothing stopping people, including myself, including false information in their whois entries.
For those of you who took the time to read the tech law journal article, you probably also saw the introduction of the location privacy bill from Sen. John Edwards. I find this equally interesting news for nerds given the typical slashdotter paranoia.
Under the bill, "any company that monitors consumers' physical location will be prohibited from using or disclosing that information without express permission from the consumer. And third parties that gain access to the information cannot use or disclose it without the individual's permission first."
- You don't know how to maintain a station wagon either!
I wonder if the privacy flap led Network Solutions to pull their DotComDirectory.com service. These days you only get a mirror of NetSol's main site. It used to be a search service where you could query for business web sites (and phone/address) by name and geographic location, with the data presumably coming from domain records. It was actually a useful service.
On the other hand, WHOIS information can be an easy tool for hackers to gather info on a prospective target. It's also good for finding phone exchanges to war dial but any Jr. sysadmin should know that so I don't think it's worth removing.
Slashdot's token middle-aged housewife
You cannot pick up a phone and call a responsible person. You have no second avenue to contact a person, say, if someone was forging their domain name. If someone from your domain is spamming and blocking traffic, you cannot be easily contacted to do the right thing.
Except that you do have all these avenues still available to you, because that information is available via RIPE. If you have a problem, find the IP of the host that is causing the problem, look it up, see who owns the netblock, contact them instead, let them deal with it - it's their responsibility.
Now, should detailed contact info be available for the IP registries through WHOIS lookup? I think so, and this is why:
The way it's setup assumes that the owners of netblocks allocated by RIPE are significantly-sized Internet-savvy bodies with their own technical staff, who do not mind being easily-contactable. I think that's a reasonable assumption to make. How many of you own your own personal netblocks?
Now, how many of you own your own personal domain? How many of your non-technical friends own a personal domain?
See the difference? Domains have a very large public ownership. Netblocks do not.
It seems eminently sensible to me that only the contact information that is actually required for the Internet to function should be available via WHOIS, whilst maximizing personal privacy for those who have no day-to-day bearing on the running of the Internet.
I don't understand why the gTLD's have this ridiculous requirement to have your personal data in the whois entry. It's simply not necessary at all.
The .uk ccTLD, for example, works like this:
Every domain registered has only 4 things associated with it in the WHOIS entry (there can be more but these 4 are the only required fields):
And that's it. Now, what's the IPSTAG? Well, it's a tag for the entity (ISP/Domain Registrar usually) that controls the domain. Only fully checked and paid-up members of the NIC, Nominet, have an IPSTAG. When you register a domain, the company that you register through registers the domain with their IPSTAG. If you wish to transfer a domain to another host/ISP, you ask the existing IPSTAG holder to either transfer the IPSTAG for that domain to another IPSTAG holder, or simply change the nameservers. It is the task of the current IPSTAG holder to verify that you are who you say you are.
If there is a legal problem and someone wants to take your site/domain down, well - they contact the IPSTAG holder or the operators of the nameservers (usually these are the same people but they don't have to be). The IPSTAG holder or nameserver operators then get in touch with you, or take their own initiative in sorting the problem out - i.e. disable DNS for that domain if all other avenues fail. (under the UK Data Protection Act they cannot give your personal details out to a third party, there are severe penalties for them if they do). Of course, as with any site, an interested party could simply do a whois query on the hosted site's IP address, which will give them the owner of the netblock, who will surely be able to track down the host's owner.
The system is fully automated too - via the Automaton. The Automaton accepts email commands to change entries in the WHOIS database, but only from IPSTAG holders who have signed their email with their PGP key (every IPSTAG holder has one).
If you have a dispute about the way your IPSTAG holder has treated you, you may take your complaint to Nominet, where it will get dealt with by the Nominet committee, made up of representatives of the longest-serving IPSTAG holders (most of these are people like you and me - sysadmins and hostmasters). There are strict rules about what an IPSTAG holder may or may not do to customers and what they may or may not charge for certain services (for instance, IPSTAG holder transfer must be free), and breaking those rules is dealt with severely - usually by loss of the IPSTAG and sometimes disbarment from holding an IPSTAG in the future. Not pleasant.
Note that more information about you is stored by Nominet, but only for sending you crappy certificates. It never appears on the WHOIS entry, and under UK law cannot be given out to third parties without your permission. Billing is handled by the IPSTAG holder.
Advantages to this system:
Disadvantages:
just wondering, could you technically claim that you hold your personal information as your Intellectual Property, and furthermore, when you issue it to anyone, you license the information to them. Any redistribution of your information would thus be considered a violation of the DMCA and you could sue their asses
kinda off topic, and likely to be modded down, but still
When it comes to domain names and address space, those are publicly accessible resources, and _should_ be accessible to anyone that needs that contact information. I don't think it's fair to shroud the names of individuals that use finite Internet resources. This information, after all, is public record.
/* ---- */
// Agent Green (Ian / IU7)
The reason this is an issue at all is because of how easy the information is to get. Let's take another example of public record...
I'm sure more people would be up in arms if the RMV (or DMV in some states) decided to put its records search information online. As it is, I can run any license plate or license number if I have it...but waiting in line is a pain in the ass.
It's really sad that the low tactics of marketers has made this such a problem and brought this issue into the spotlight.
// Agent Green (Ian / IU7 / KB1JQO)
// IEEE 802.3: All 10base Are Belong To Us
When I worked for a small commercial web design/hosting firm, I managed all the servers, including one Linux mail server running sendmail. Something hiccupped and my box started contacting someone else's mail server OVER AND OVER for hours, filling up his logs but never quite making it into mine. He used whois to contact me and inform me of the problem. Turns out, my box choked on some mail because the server got some invalid DNS information.
Someone out there is going to flame me about how I should have had my box setup to only retry every 30 minutes or so... Whoever you are - get over it. This post is about how whois is beneficial, not how improperly configured sendmail instances are Satan's own kin.
quis custodiet ipsos custodes - Juvenal
Oh, that's just peachy. For those of you who might not remember, the IDSA is a cartel similar in function to the RIAA and MPAA, but they act on behalf of software companies. They have shut down web sites containing rom files of games from the 1980's because of "copyright". These are the idiots who seem to think Nintendo is losing money over copies of Mario 3 "illegally" downloaded over the internet.
Now, I'm not a fan of the RIAA, but at least they have a valid concern - most of their music is still sold! If the IDSA can use Whois to shut down emulation-related websites, I'm all for the option of being "unlisted".
Eliminating or restricting access to whois is folly, really.
I work for a domain name registrar, which I like to think gives me a better perspective on this issue.
Removing the info already in the whois database would have some technical consequences most likely ignored by congress and friends. They are:
a) Registrar-to-registrar domain name transfers would be slowed to a standstill, because without the administrative contact email gleaned from whois, current ICANN transfer regulations would make it impossible to authorise a transfer. The way the current system works depends on the email listed for the admin contact on domain pending transfer -- an auth request email is sent there and, if the email is responded to, the domain is transferred.
b) Without whois, the only way to verify, pre-propagation, that nameserver changes were successful would be to dig the domain on the box acting as its SOA. Even if you could find out before propagation, how many web-based dig lookups have you seen, compared to web-based whois lookups? 90% or so of domain purchasers have never even seen a command prompt.
c) As previously mentioned, whois is instrumental in ferreting out spam hierarchies.
As it stands now, too much is dependent upon the existing whois database. Change it, and you change the way domains are registered and administered. Most domain purchasers are just barely competent enough (and tons still aren't) to handle their domains using the existing system. Changing it now would be counter-productive, at best.