Slashdot Mirror


EU Privacy Watchdog To ICANN: Law Enforcement WHOIS Demands "Unlawful"

First time accepted submitter benyacrick writes "WHOIS was invented as an address book for sysadmins. These days, it's more likely to be used by Law Enforcement to identify a perpetrator or victim of an online crime. With ICANN's own study showing that 29% of WHOIS data is junk, it's no surprise that Law Enforcement have been lobbying ICANN hard to improve WHOIS accuracy. The EU's privacy watchdog, the Article 29 Data Protection Working Party, has stepped into the fray with a letter claiming that two of Law Enforcement's twelve asks are "unlawful" (PDF). The problem proposals are data retention — where registrant details will be kept for up to two years after a domain has expired — and re-verification, where a registrant's phone number and e-mail will be checked annually and published in the WHOIS database. The community consultation takes place at ICANN 45 in Toronto on October 15th."


  1. Whose job is it? by houstonbofh · · Score: 4, Interesting

    What is this push the past few years that technical companies need to do the job of law enforcement? The craigslist hooker scandal is a prime example... Here is this nice list of criminals for you to arrest, yet it is the website's fault?

  2. Working phone number in whois by bobbutts · · Score: 5, Insightful

    That would be a problem for me. I have hundreds of domains with a made up phone number. The last thing I wanted was calls from robo-dialers mining the whois db to a real number.

    1. Re:Working phone number in whois by radiumsoup · · Score: 3, Informative

      you could always get a Google Voice number and not forward it anywhere (or set it to perma-do-not-disturb) - you'd still be able to browse through voicemails if necessary through an email interface

    2. Re:Working phone number in whois by jonbryce · · Score: 4, Interesting

      I have a few .uk domains. Because I am a non-trading individual, my details other than my name are not available to the public, but law enforcement can apply to the courts to get the details if my domain names are being used for illegal purposes. That seems to me to be a good balance between allowing law enforcement to shut down websites used to sell fake concert tickets, distribute malware and so on; and catch those responsible while ensuring I don't get continually harassed by "The Domain Registry of Europe" and similar outfits that law enforcement ought to be going after.

    3. Re:Working phone number in whois by mjwalshe · · Score: 1

      So register with your country's telephone preference service then?

      And what are you using those domains for eh? MFA sites maybe and you're trying to hide ownership from the big G

    4. Re:Working phone number in whois by Frosty+Piss · · Score: 2

      ...but law enforcement can apply to the courts to get the details if my domain names are being used for illegal purposes. That seems to me to be a good balance..."

      Yes, but who defines "illegal purposes" and who vets the alleged "illegal purposes" to determine the validity of the request?

      "Law Enforcement" is well known to have, shall we say, "unique" ideas about the definition of "illegal purposes". Not only that, "L.E." is also well known to flat-out LIE.

      --
      If you want news from today, you have to come back tomorrow.
    5. Re:Working phone number in whois by phantomfive · · Score: 1

      Yes, but who defines "illegal purposes"

      The legislature, acting in their constitutionally provided role as representatives of the people. To be confirmed or vetoed by the president, according to his constitutionally provided role.

      who vets the alleged "illegal purposes" to determine the validity of the request?

      Judges do, as part of their role in the judicial system. Really, I thought that you would understand this.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Working phone number in whois by heypete · · Score: 4, Informative

      Exactly. This seems like a good idea, and a balance between the .US TLD policy (all information is public) and the .SE TLD policy (no information other than a unique ID string is available to the public with no contact information -- not even an email is available).

      I rather like the implementation of whois privacy used by Gandi.net (a French registrar who handles registration for a bunch of TLDs): for domains that are private-by-default (.SE, .uk for individuals, etc.) then they use the registry for privacy and include no information in whois. For domains where whois privacy is available (.com/net/org, etc.) they include the registrant's full name (so it's clear that they are the ones who legally own the domain) and then provide the Gandi postal address where all mail is presumably shredded. They also provide a unique, randomly-generated email address to protect against spam: if you get spam to that address you can simply push a button and a new, random address is created. Legitimate mail is forwarded on to the contact while spam is filtered out.

      Gandi offers these privacy services to individuals only: companies and organizations are assumed to be less in need of privacy protecting services and must include their regular contact information.

      I have no problem with law enforcement being able to get the details with a warrant issued by a relevant court, but I think the time for having all personal contact information being made public in whois has passed. It used to be that the name and contact information corresponded to a technical contact at an organization responsible for that domain but now many domains are owned by private individuals and this assumption can no longer hold.

      Of course, even with a warrant the whois information for suspected bad guys is unlikely to be of use: I doubt the bad guys put in accurate and correct whois information or pay using their personal credit cards (as opposed to anonymous prepaid cards).

    7. Re:Working phone number in whois by sjames · · Score: 4, Insightful

      That would be a work-around, but it's more reasonable to recognize that it's not reasonable to force someone to publish their phone number to every pointy-headed moron in the world that thinks I owe them my time so they can make a sales pitch in my home.

      If 'Law Enforcement' would care to actually pursue said morons when they violate the do not call list or commit various frauds AND they would care to narrow the exceptions to the DNC list, people might not be so resistant to give a real phone number.

      It's not like whois is the only hope to track down a domain owner. IF they have a sufficient reason to track them down they can follow the IP address to a provider and present a warrant for the account information OR they can present the warrant to the domain registrar. If they don't have good enough reason to get a warrant, they shouldn't be pursuing it in the first place.

    8. Re:Working phone number in whois by pla · · Score: 4, Interesting

      And what are you using those domains for eh? MFA sites maybe and you're trying to hide ownership from the big G

      This spring, I registered an "ego" domain - My own name dot net, on a whim.

      I paid for it with a credit card in my name. I gave a fake phone number, and a PO box for my address. I used a real email address (albeit one made specifically to catch the junk I expected by registering).

      And three days later, GoDaddy locked my domain and reversed the charges, refusing to do business with me until I sent them a scan of my driver's license. WTF?

      So, I told GoDaddy to go fuck themselves, and registered with a no-name, for less, with automatic free privacy protection (the WhoIs contacts go to them, rather than to me) and that doesn't give the least damn if I want to register as George Bush.


      The real problem here involves laziness on the part of law enforcement, pure and simple - IP addresses don't mean LEOs can't track you down, it just means they actually need to come up with enough evidence to convince a judge to demand the ISP turn over the owner's info. It makes doing their job an actual job, rather than a five second query against WhoIs.

      Stop expecting the rest of the world to do your work for you, guys. If you need to track me down, do so. But don't expect me to put up with nonstop telemarketers, not to mention the risk of some crazy actually showing up at my door because he doesn't like what I said about Rush Limbaugh, just to save you from having to do some legwork if someday I break the law.

      Innocent until proven guilty. Read up on it sometime, eh?

    9. Re:Working phone number in whois by sjames · · Score: 3

      The whole point is that law enforcement wants to do an end run around the judge by enforcing the accuracy of the published data and to hell with everyone else.

    10. Re:Working phone number in whois by phantomfive · · Score: 1

      If you've been reading the thread, the earlier point was:

      Because I am a non-trading individual, my details other than my name are not available to the public, but law enforcement can apply to the courts to get the details if my domain names are being used for illegal purposes. That seems to me to be a good balance

      --
      "First they came for the slanderers and i said nothing."
    11. Re:Working phone number in whois by houstonbofh · · Score: 1

      It's not like whois is the only hope to track down a domain owner. IF they have a sufficient reason to track them down they can follow the IP address to a provider and present a warrant for the account information OR they can present the warrant to the domain registrar. If they don't have good enough reason to get a warrant, they shouldn't be pursuing it in the first place.

      Why is your comment not +5 Insightful yet? All this will do is increase business to "Protected Listings" in whois. Oh, wait... I forgot who government works for.

    12. Re:Working phone number in whois by Frosty+Piss · · Score: 1

      Judges do, as part of their role in the judicial system. Really, I thought that you would understand this.

      Here in the USA, judges tend to rubber-stamp warrants, and then there is the Patriot Act, Mr. Snarky. As you say, "Really, I thought that you would understand this."

      --
      If you want news from today, you have to come back tomorrow.
    13. Re:Working phone number in whois by AliasMarlowe · · Score: 4, Funny

      you could always get a Google Voice number and not forward it anywhere (or set it to perma-do-not-disturb) - you'd still be able to browse through voicemails if necessary through an email interface

      Bonus points for wasting their time as well as their call charges. Make your answering machine give a lengthy message, such as:
      "You have reached the number that you dialed. Please check the number, and try your call again. Your call is important to you. Your patience and perseverance are valuable impediments to your business. Please don't hold. " Repeat that sequence as long as your message allows. A robo-caller will perhaps get confused by the pattern of pauses and statements, and might even bring a human on the line. An actual human will become grumpy and hang up in disgust.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    14. Re:Working phone number in whois by Anonymous Coward · · Score: 2, Funny

      "You have reached an imaginary number. Please rotate your phone 90 degrees and try the number again."

      That usually confuses any human on the line.

    15. Re:Working phone number in whois by sjames · · Score: 3, Insightful

      A side point is that law enforcement loves for corporations to have lots of information on individuals that is legally mandated to be correct so they can 'ask' for it without a warrant from a judge. That seems to be their angle here.

    16. Re:Working phone number in whois by sumdumass · · Score: 1

      To be fair, he said he was using .uk domains and talking about Europe laws which is what this story is about (EU directive).

      I'm sure the names can be changed and so on to make it fit, but there will be some differences because not every country has the same rights protected from government as the "US" does.

    17. Re:Working phone number in whois by phantomfive · · Score: 1

      You need to meet the standards for a good warrant, police know what they are, so they don't usually submit warrants that won't get approved, so of course the vast majority of warrants are approved. If you start thinking, these kinds of things will begin to make sense to you.

      --
      "First they came for the slanderers and i said nothing."
    18. Re:Working phone number in whois by icebraining · · Score: 3, Informative

      Yes, damn that government! Except the ones pushing for the more "accurate" WHOIS data is ICANN, a private organization, and the one pushing back is a governmental organization (created by the EU). But don't let facts get in the way of your anti-government diatribe.

    19. Re:Working phone number in whois by gmhowell · · Score: 1

      "You have reached an imaginary number. Please rotate your phone 90 degrees and try the number again."

      That usually confuses any human on the line.

      Multiply your imaginary phone numbers by i if you are having trouble dialing.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    20. Re:Working phone number in whois by Joce640k · · Score: 1

      Give 'em a number they can't call for free. That usually does the trick.

      (I don't know how it works where you live but around here cellphones always cost money to call)

      --
      No sig today...
    21. Re:Working phone number in whois by sjames · · Score: 2

      Unfortunately, here you get charged for receiving or making a call on a cellphone.

    22. Re:Working phone number in whois by houstonbofh · · Score: 1

      Law Enforcement is done by private organizations in your country? (Law enforcement is pushing for it)

    23. Re:Working phone number in whois by sjames · · Score: 2

      Close, The U.S.

    24. Re:Working phone number in whois by sociocapitalist · · Score: 1

      The real problem here involves laziness on the part of law enforcement, pure and simple - IP addresses don't mean LEOs can't track you down, it just means they actually need to come up with enough evidence to convince a judge to demand the ISP turn over the owner's info. It makes doing their job an actual job, rather than a five second query against WhoIs.

      IP addresses are useless as anyone doing fraud can easily move from cafe to cafe to maintain their site(s).

      I could see having to get a warrant to get at the identification data kept by a registrar but in order to be useful this still requires the registrar to make sure of your identity when you sign up. I have no problem with this so long as the registrar then has to abide by the (in my case EU and thus actually existent and useful) data protection / sharing rules and has an opt out (or better an opt in) for marketing to me.

      --
      blindly antisocialist = antisocial
    25. Re:Working phone number in whois by Toad-san · · Score: 1

      So you (and a million criminals) stay anonymous. Hey, how about dealing with the bastards running the robo-dialers, eh? Fix the problem, don't avoid it.

      "Oh, we don't go down that road: too many robbers."

      Riii-ight.

  3. just attach a website to a phone number by circletimessquare · · Score: 1

    you need to type in a PIN that is SMSed to the phone to register the website. filter out online only phone numbers. phone numbers can be traced to an owner, or "oh yeah, my boyfriend {XYZ} borrowed my phone that day" which is law enforcement due diligence when investigating crime

    seems to be about as good a system as you can hope for

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:just attach a website to a phone number by icebraining · · Score: 2

      phone numbers can be traced to an owner

      Not where I live (European country): you can get an anonymous prepaid SIM card easily - mobile operators often offer them as promotional gifts, too. And you can add money using cash on many small shops.

    2. Re:just attach a website to a phone number by circletimessquare · · Score: 1

      so then, there's just no hope for connecting a website to a real person

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    3. Re:just attach a website to a phone number by Anonymous Coward · · Score: 1

      That.. is a good thing..Whatever it takes to get rid of the all too corruptible DNS. Nuke it from orbit, if need be.

    4. Re:just attach a website to a phone number by circletimessquare · · Score: 1

      do you have a superior solution?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    5. Re:just attach a website to a phone number by circletimessquare · · Score: 1

      +1 funny

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. "Law Enforcement?" by Anonymous Coward · · Score: 2, Insightful

    I didn't RTFA, but who exactly is "Law Enforcement?" The capitalization makes it seem like it's the proper name of some organization.

    1. Re:"Law Enforcement?" by fustakrakich · · Score: 1

      ..who exactly is "Law Enforcement?

      Anybody with a gun and a badge to hide behind when they go rogue.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:"Law Enforcement?" by houstonbofh · · Score: 2

      The entertainment industry. (I default to looking for the worst case scenario...)

    3. Re:"Law Enforcement?" by Anonymous Coward · · Score: 2, Informative

      I didn't RTFA, but who exactly is "Law Enforcement?" The capitalization makes it seem like it's the proper name of some organization.

      Reading the articles would not help, their description does not go beyond this:

      ICANN and the Registrars have engaged in six additional negotiation sessions, including two all-day, in-person meetings held in Washington D.C. (one of which was attended by Governmental Advisory Committee members and law enforcement representatives).

      "law enforcement representatives" without capitalization.

  5. Read the truth about ICANN and the DNS by Anonymous Coward · · Score: 1
  6. "asks" by grumpy_old_grandpa · · Score: 2

    > two of Law Enforcement's twelve asks

    Also known as questions in plain English. Or in this instance, possibly requirements.

    1. Re:"asks" by Anonymous Coward · · Score: 1

      Indeed.

      Ask #1: Use proper English

  7. I can give up the on line aspect of the computer. by Anonymous Coward · · Score: 1

    It might become like flying I was a regular, I no longer fly.
    Some thing others want worse than I do.

    Prices get high on grocery items I don't buy them, the store wants them worse than I do.
    Same with products and services cost too much in my time or money I find something else to do.

  8. When it's Free to be Anonymous, by Fear+the+Clam · · Score: 1

    I'll give the correct information on my domains. Until then, ICANN can go fuck itself. I'm tired of receiving spam sent to the address I use on my WHOIS listings.

    1. Re:When it's Free to be Anonymous, by Anonymous Coward · · Score: 1

      I just use a privacy feature that Network Solutions or other domains have. No spam here so far. Yes, it costs more, but it does work.

      As for ICANN, people may bellyache about them, but they are a lot better than the alternative that the UN is trying to push. The UN's replacement would not be limited in actions by bad press unlike ICANN. It also means a website in the US gets shut down and thrown off the Internet because someone across the world considers it against their lese majeste laws, or that sites get thrown off the net because they criticize Hinduism. No appeal possible.

      So, ICANN may suck nads, but at least I don't have to worry about some third world nation kicking my site and business off the net because my corporate logo if turned backwards and blurred might look like their king.

    2. Re:When it's Free to be Anonymous, by Fear+the+Clam · · Score: 1

      I just use a privacy feature that Network Solutions or other domains have. No spam here so far. Yes, it costs more, but it does work.

      Oh, I know they work, but I refuse to pay extra for something they should be requiring my registrar to supply for free. It's very simple--if they require me to supply real information, they need to also make it a requirement that I can hide that information from harvesters for no extra charge. Until that happens, I'll continue to use false information. I'm not saying that ICANN is the worst of all possible worlds, but in this respect they fucked up and I refuse to play along.

      In a similar way, I refuse to have my phone listed under my own name. Since having an unlisted number costs extra, I simply have it listed under someone else's name.

    3. Re:When it's Free to be Anonymous, by zoloto · · Score: 1

      domainmonster.com (mine, customer only, no affiliation aside from that) gives privacy stuff for free.

      that shit shouldn't cost a dime

    4. Re:When it's Free to be Anonymous, by heypete · · Score: 1

      As does Gandi and Hover (customer only, no other affiliation).

    5. Re:When it's Free to be Anonymous, by lothos · · Score: 1

      As does NameSilo.com. They've got some of the lower prices I've seen. You can use coupon code BUCKOFF to save a dollar on your first order with them.

      Internet.bs has low prices also and always free whois privacy. They don't generally do coupons though.

    6. Re:When it's Free to be Anonymous, by Fear+the+Clam · · Score: 1

      Thanks, folks, I'll check them out.

  9. All Of Which Is Trivially Defeated by Greyfox · · Score: 1

    By having a shell corporation hold your domains. Which is all pretty much the last several of my whois requests returned, anyway. Bounce through a couple of international shell companies to register your domain, and that'll shut down pretty much any law enforcement request. They might be able to shut down your domain, but they're not going to find out who you are that way.

    They might hope that Whois would allow them to short-circuit the good old-fashioned policework method of following the money, but I'm afraid it's just not going to be that easy. Sorry guys, try again!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Does "ask" have to become a noun? by wonkey_monkey · · Score: 1

    two of Law Enforcement's twelve asks are "unlawful"

    Can't you call them "requests" like a normal person?

    --
    systemd is Roko's Basilisk.
  11. WHOIS - and ICANN - is worthless anyways by damn_registrars · · Score: 1

    WHOIS data has been crap for a long time now. There is no longer any incentive for registrars and ISPs to keep accurate WHOIS data as there is no penalty for providing garbage. ICANN doesn't give a shit that the data is crap, they only give lip service to the problem and then go back to rolling in their piles of cash.

    The real question is who is the idiot who told law enforcement officers that there is meaningful data in the WHOIS databases anyways. I would bet that the ICANN assertion of 29% of it being bad is a huge underestimate.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  12. Just subterfuge by NSN+A392-99-964-5927 · · Score: 1

    Welcome to another New World Order / Law Enforcement Policy. Make up your own mind; but those are my thoughts.

     

    --
    All cows eat grass!
  13. Local Entity Still Required by andersh · · Score: 1

    This does not apply to all European countries, there are still European countries that require that you have a local corporation and registration number to apply for domains [under the national TLD]. I assume you're wrongly using EU as a synonym for all of Europe(?)

    The EU only requires that you don't put barriers in place, in any form, that hinder inter-European trade. French and Italian TLDs require a European address, but nothing beyond that.

  14. Europe > EEA > EU by andersh · · Score: 1

    Even within the EU's economic area (EEA), as per your original comment, includes countries that are not members of the EU itself. The same laws apply in the whole EEA-region.

    http://en.wikipedia.org/wiki/File:Supranational_European_Bodies.png

    It is in fact amongst this group of countries you will find the few registrars that [still] require a local entity. I see now that there are very few left...

    NORID of Norway's requirements are as follows:

    Main requirements
    To register a domain name within .no, you need to:
    - have a local presence in Norway
    - be an organization. At present this is defined as being one of certain forms of organization registered in the Brønnøysund Register Centre
    - ensure that the domain is technically operative

    http://www.norid.no/regelverk/index.en.html

  15. Comes down to the desire of anonymity vs contact by Linuxmagic · · Score: 1

    This was/is a big issue at every conference, where of course the focus is always placed on 'policing' agencies wanting to know who operates an IP Address, however the concept is a lot greater than that. And of course, there is a perception that even at the highest levels (the Board) there is a lot of pressure by hosting companies who want to accommodate the customers who wish anonymity. The fact is that an IP Address or domain is/are Public lookup, and if you want to have an IP address/domain that is available to the public, you should post some public identity. This is used for a lot more than simply policing. Eg, various reputation services, auditing systems, and legitimate network operators who need to be able to identify the operator. Already, there are policies in place in theory to require this information; we already have tools and policies to do this, the problem that we hear is enforcement, and a mandate to take action during enforcement. There is a lot of finger pointing on this issue even amongst ARIN/ICANN officials and board members. And far too many times we see abusive behavior from 'Privacy Protected' holders of Public information. Now, it can be that the line on how much information about the holder should be publicized, but the operator/organization information at least MUST be provided, and the upstream providers should have a way to validate this information. And this has to be bigger than just ICANN/ARIN. We talk to operators who blatantly state that they do not collect information, and do NOT monitor activity on their networks, because they are concerned that if they 'know' about what is going on, they can be held responsible. Some protection must be given upstream providers, registrars etc, but on the basis they are diligent on getting information of the holders of public resources they assign.

  16. Re:Poor Baby by cavreader · · Score: 1, Informative

    "The EU is behind more positive changes in IT"
    Name one mainstream application platform, development environment, or key technology that isn't built upon technology originally developed in the US or blatantly stolen by countries like China. IBM, MS, Apple, Xerox, Dell, HP, Google, Facebook, Twitter, Oracle, Red Hat, and CISCO are just a few examples of the global IT contributions developed in the US. And while the Internet has grown due to contributions from both inside the US and outside the US the fact is the Internet began life as a DARPA project. There is a good reason the Internet root servers are under US management and will remain so. Nationalism be damned the fact is the world at large contributes very little to advancing IT technology. Why should they invest the time and money when you can just use what others develop. This mirrors why the EU would rather rely on US military technology and protection. That's not to say there are no foreign contributors but the majority of non-US professionals live and work in the US because that is where the opportunities are. Even Torvalds had to immigrate to the US to advance his Linux development because even though Linux might be considered open source he actually got corporate sponsorship and a salary while continuing his work. Do you think Google would have succeeded if it was developed in Russia? About the only country contributing anything worthwhile in IT technology is Israel.

    And your privacy issue is 100% BS. England has a CCTV on every corner. And while people everywhere bemoan privacy issues you should remember the US government could have tracked you down way before the Internet was ever built. Drivers licenses, Mortgages, Personal property deeds, bank accounts, tax rolls, birth certificates, and even wire tapping have been available for quite a while. It might have taken more time to put the information together but the end result is the same. And while I can't speak for Europe or any other country the US has strict rules of evidence in place for judicial procedures and I have seen no evidence any US citizen has been convicted of a crime based upon warrantless data collection. Evidence collected illegally is regularly inadmissible in court proceedings. The only way to get around this is for the prosecutor to argue inevitable discovery. Also give me an example of the EU sticking up for its citizens. No government or system is perfect by any means but the EU has really never shown that they have a spine to deal with any important problems facing the world today. They prefer to castigate the US for not providing a solution and when the US tries they get accused of meddling. And finally I really wish the EU would develop their own IT technology because I am tired of traveling to the European continent to help make sure their technology and associated applications actually work.

  17. Re:Poor Baby by jareth-0205 · · Score: 1

    "The EU is behind more positive changes in IT"
    Name one mainstream application platform, development environment, or key technology

    I'll name three, off the top of my head:

    1. The World Wide Web
    2. Linux
    3. The ARM CPU