Congressional Hearings on WHOIS
-
'It seems eminently clear to me that websites conducting e-commerce have little "right to privacy". . .[however] isn't political speech worth protecting by redacting the personally identifiable contact information for the website owner?' -- Rep. Howard Berman (D-CA)
-
'Given that the compilers of marketing lists have for years used Whois registration information as a source of personal information (in some cases scavenged free, in others bought from registrars), concerns over the data privacy are well justified. Most people avoid putting their home address on their web sites, and they should be able to register a domain name without effectively giving up this precaution. The public policy objective of privacy law is to preserve the individual's right to privacy, while still permitting societal participation.' -- Dr. Jason Catlett, President and CEO, Junkbusters Corp
-
'As it stands today an accredited domain name registrar is not required to allow domain name registrants to opt-out of having their personal information provided to third parties for marketing purposes. This type of an opt-out should be provided to all registrants.' -- Lori Fena, Chairman of the Board, TrustE
-
'In 2000, the IDSA used authority provided in the Digital Millennium Copyright Act (DMCA) to achieve approximately 3000 "takedowns" of infringing material on the Internet. Over the last year we also filed 10 civil lawsuits against Internet pirates as enforcement actions on behalf of our members, assisted in additional actions brought by member companies, and made a number of criminal referrals to law enforcement. This is in addition to thousands more takedowns and numerous lawsuits initiated individually by our member companies. These accomplishments are reflective of similar successes reported by the other copyright-based industries. DMCA self-help allows us to reduce to a fraction the losses we would suffer if limited only to court-imposed process and remedies. These efforts are made much less effective without the unrestricted access we currently have to WHOIS data, including contact information regarding domain name registrants.' -- Stevan D. Mitchell Vice President, Intellectual Property Policy Interactive Digital Software Association
-
'In fact, if anything, the I[nternational]A[nti]C[ounterfeiting] C[oalition] believes that registrants should be required to improve their performance in insuring that domain name registrants provide correct and updated information. Because a person (legal or individual) voluntarily chooses to be present on the Internet, the identity and contact information of domain name registrants are entitled to no more privacy protection than are a business or home addresses in the physical world.' -- Timothy P. Trainer, President, International AntiCounterfeiting Coalition (IACC)
-
'The breadth of these issues indicates that Congress should not act too quickly. We are dealing simultaneously with intellectual property rights, privacy rights, and free speech rights and cannot simply play a legislative game of [rock, scissors, paper] to figure which one should win in the end.' -- Rep. John Conyers, Jr. (D-MI)
Additional information:
http://www.house.gov/judiciary_democrats/internetprivacyhrgstmt71201.pdf
> to have responsibility. Having the ability to,
> with one command, get an email address, phone
> number, and snail mail address of someone
> responsible for every IP and domain on the
> internet is invaluable.
I was initially thinking the exact same thing you did... then i changed my mind. We don't need the contact info for every domain.. just every IP. Remember (for us machines at least), there's two different whois registries, the ARIN registries (important), and the general one for domain names (not important for anyone other than domain squatters).
For hack attempts/openrelays/general troublemakers, we don't need the contact info from the general domain database... we get it from ARIN database.
Imho, being able to be 'unlisted' from the domain registry database is just fine... because it doesn't really serve any particular purpose, hell half the time it's not even correct info. With ARIN's database, the information *has* to be correct, because ARIN *has* to be sending them a hugeass (multi thousands of dollars) bill every year.
ARIN is responsible for allocating IPs for people/businesses on a large scale (in North America). If you're a big corporation, or even a medium sized ISP, you apply to ARIN to get IP blocks. (The smallers just use the ipblocks of their upstream provider.)
ARIN provides a database of every routable IP that it has given out, so at any given time, i can, from a person's IP, look up his provider and instantly get their (as in their ISP's, necessarily the user's themselves) name/address/phone number. This is incredibly useful for spamcontrol and/or scriptkiddiecontrol.
Contrast this with the domainname registry, which holds the registration information for like who owns 'foo.com'. As long as i'm not planning to buy foo.com (and my pocketbook says i'm not), i have no reason to need this information. If there is a problem originating in the foo.com domain, that's great, but i'm getting the contact info from the ARIN registry, because 1) it's probably more correct, and 2) reverse dns isn't necessarily authoritative, ie i could make my machine reverse lookup to foo.com, even though i don't own the foo.com itself. Granted my forward/reverse wouldn't match, but when was the last time you've seen an apache setup that required them to.
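Added example, not part of the original thread: a forward-confirmed reverse DNS check that illustrates the comment's point that a PTR name is not authoritative. The client IP is always what gets taken to the IP registry; the PTR name is kept only as an annotation when it resolves forward to the same address. The function names, the injectable resolver parameters and all sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def verified_ptr(ip, reverse=system_reverse, forward=system_forward):
    """Return the PTR name for ip only if it resolves forward to ip, else None.

    Whoever controls the reverse zone for an address can publish any name
    there, so an unconfirmed name says nothing about who owns that domain.
    """
    addr = ipaddress.ip_address(ip)
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        for candidate in forward(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return name
            except ValueError:  # e.g. scoped IPv6 literal from the resolver
                continue
    return None

# Constructed sample data (documentation address ranges, made-up names).
PTR = {
    "192.0.2.10": ["mail.example.net."],  # honest: forward lookup matches
    "198.51.100.7": ["www.foo.com."],     # PTR claims foo.com ...
    "203.0.113.5": [],                    # no PTR record at all
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "www.foo.com": {"192.0.2.80"},        # ... but foo.com points elsewhere
}

def demo():
    """Run the check over the constructed records without touching the network."""
    return {ip: verified_ptr(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, set()))
            for ip in PTR}
```

Called with the default resolvers, `verified_ptr` queries the system's DNS; `demo()` uses only the constructed tables above.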
Did the editors decide to replace the term "Rohambo" with the more commonly recognized term?
Let's see, yes. First I kick the house majority leader in the nuts as hard as I can....
---
/bin/fortune | slashdotsig.sh
I mean, I have no say in the matter, I didn't elect them. And yet they will decide on which of my personal details will be made available?
jalalski,
.sig available on 'Need To Know' basis only!
Given that the primary purpose of WHOIS is to publish site operational points-of-contact, to aid in tracking down problems, I find interesting that none of the witnesses were representatives of Internet service providers. Apparently the committee doesn't care about whether WHOIS can serve its intended purpose (before or after any legislation which Congress might enact) - they only care about whether WHOIS can be used for unintended purposes.
I use the WHOIS database to find out who's responsible when I get spammed or when I detect a hacking attempt. Fact is, having a bunch of anonymous thirteen year old kids running around DoSing people, or having assholes kill your mail server with a million "FREE HOT XXX" messages is bad enough. If they're able to do it with impunity, never having to worry about their ISP getting a phone call, it'll be out of control.
We continue to discover that the trust based internet simply does not work. There are too many shitholes willing to take advantage of it. The only way we can have any sort of order is to have responsibility. Having the ability to, with one command, get an email address, phone number, and snail mail address of someone responsible for every IP and domain on the internet is invaluable.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''
... so why must Americans continue discussing these issues as internal matters? The Internet is widely used by ALL nations of the world. ANYONE around the world is capable of registering a domain name and domain registrars aren't limited to American companies.
Think about what countries like China and India will begin demanding as their net usage rises. Between them, they account for nearly 40% of the world population. I highly doubt they'll allow this behavior to continue as is quietly.
kill_9_1
I don't understand why the gTLD's have this ridiculous requirement to have your personal data in the whois entry. It's simply not necessary at all.
The .uk ccTLD, for example, works like this:
Every domain registered has only 4 things associated with it in the WHOIS entry (there can be more but these 4 are the only required fields):
And that's it. Now, what's the IPSTAG? Well, it's a tag for the entity (ISP/Domain Registrar usually) that controls the domain. Only fully checked and paid-up members of the NIC, Nominet, have an IPSTAG. When you register a domain, the company that you register through registers the domain with their IPSTAG. If you wish to transfer a domain to another host/ISP, you ask the existing IPSTAG holder to either transfer the IPSTAG for that domain to another IPSTAG holder, or simply change the nameservers. It is the task of the current IPSTAG holder to verify that you are who you say you are.
If there is a legal problem and someone wants to take your site/domain down, well - they contact the IPSTAG holder or the operators of the nameservers (usually these are the same people but they don't have to be). The IPSTAG holder or nameserver operators then get in touch with you, or take their own initiative in sorting the problem out - i.e. disable DNS for that domain if all other avenues fail. (under the UK Data Protection Act they cannot give your personal details out to a third party, there are severe penalties for them if they do). Of course, as with any site, an interested party could simply do a whois query on the hosted site's IP address, which will give them the owner of the netblock, who will surely be able to track down the host's owner.
The system is fully automated too - via the Automaton. The Automaton accepts email commands to change entries in the WHOIS database, but only from IPSTAG holders who have signed their email with their PGP key (every IPSTAG holder has one).
If you have a dispute about the way your IPSTAG holder has treated you, you may take your complaint to Nominet, where it will get dealt with by the Nominet committee, made up of representatives of the longest-serving IPSTAG holders (most of these are people like you and me - sysadmins and hostmasters). There are strict rules about what an IPSTAG holder may or may not do to customers and what they may or may not charge for certain services (for instance, IPSTAG holder transfer must be free), and breaking those rules is dealt with severely - usually by loss of the IPSTAG and sometimes disbarment from holding an IPSTAG in the future. Not pleasant.
Note that more information about you is stored by Nominet, but only for sending you crappy certificates. It never appears on the WHOIS entry, and under UK law cannot be given out to third parties without your permission. Billing is handled by the IPSTAG holder.
Advantages to this system:
Disadvantages:
When I worked for a small commercial web design/hosting firm, I managed all the servers, including one Linux mail server running sendmail. Something hiccupped and my box started contacting someone else's mail server OVER AND OVER for hours, filling up his logs but never quite making it into mine. He used whois to contact me and inform me of the problem. Turns out, my box choked on some mail because the server got some invalid DNS information.
Someone out there is going to flame me about how I should have had my box set up to only retry every 30 minutes or so... Whoever you are - get over it. This post is about how whois is beneficial, not how improperly configured sendmail instances are Satan's own kin.
quis custodiet ipsos custodes - Juvenal