EU Privacy Watchdog To ICANN: Law Enforcement WHOIS Demands "Unlawful"

← Back to Stories (view on slashdot.org)

EU Privacy Watchdog To ICANN: Law Enforcement WHOIS Demands "Unlawful"

Posted by timothy on Sunday September 30, 2012 @04:49AM from the whois-you-to-make-these-demands? dept.

First time accepted submitter benyacrick writes "WHOIS was invented as an address book for sysadmins. These days, it's more likely to be used by Law Enforcement to identify a perpetrator or victim of an online crime. With ICANN's own study showing that 29% of WHOIS data is junk, it's no surprise that Law Enforcement have been lobbying ICANN hard to improve WHOIS accuracy. The EU's privacy watchdog, the Article 29 Data Protection Working Party, has stepped into the fray with a letter claiming that two of Law Enforcement's twelve asks are "unlawful" (PDF). The problem proposals are data retention — where registrant details will be kept for up to two years after a domain has expired — and re-verification, where a registrant's phone number and e-mail will be checked annually and published in the WHOIS database. The community consultation takes place at ICANN 45 in Toronto on October 15th."

20 of 81 comments (clear)

Min score:

Reason:

Sort:

Who's job is it? by houstonbofh · 2012-09-30 04:56 · Score: 4, Interesting

What is this push the past few years that technical companies need to do the job of law enforcement? The craigslist hooker scandal is a prime example... Here is this nice list of criminals for you to arrest, yet it is the websites fault?
Working phone number in whois by bobbutts · 2012-09-30 05:05 · Score: 5, Insightful

That would be a problem for me. I have hundreds of domains with a made up phone number. The last thing I wanted was calls from robo-dialers mining the whois db to a real number.
1. Re:Working phone number in whois by radiumsoup · 2012-09-30 05:16 · Score: 3, Informative
  
  you could always get a Google Voice number and not forward it anywhere (or set it to perma-do-not-disturb) - you'd still be able to browse through voicemails if necessary through an email interface
2. Re:Working phone number in whois by jonbryce · 2012-09-30 05:18 · Score: 4, Interesting
  
  I have a few .uk domains. Because I am a non-trading individual, my details other than my name are not available to the public, but law enforcement can apply to the courts to get the details if my domain names are being used for illegal purposes. That seems to me to be a good balance between allowing law enforcement to shut down websites used to sell fake concert tickets, distribute malware and so on; and catch those responsible while ensuring I don't get continually harrassed by "The Domain Registry of Europe" and similar outfits that law enforcement ought to be going after.
3. Re:Working phone number in whois by Frosty+Piss · 2012-09-30 06:07 · Score: 2
  
  ...but law enforcement can apply to the courts to get the details if my domain names are being used for illegal purposes. That seems to me to be a good balance..."
  Yes, but who defines "illegal purposes" and who vets the alleged "illegal purposes" to determine the validity of the request?
  "Law Enforcement" is well known to have, shall we say, "unique" ideas about the definition of "illegal purposes". Not only that, "L.E." is also well know to flat-out LIE.
  
  --
  If you want news from today, you have to come back tomorrow.
4. Re:Working phone number in whois by heypete · 2012-09-30 06:13 · Score: 4, Informative
  
  Exactly. This seems like a good idea, and a balance between the .US TLD policy (all information is public) and the .SE TLD policy (no information other than a unique ID string is available to the public with no contact information -- not even an email is available).
  I rather like the implementation of whois privacy used by Gandi.net (a French registrar who handles registration for a bunch of TLDs): for domains that are private-by-default (.SE, .uk for individuals, etc.) then they use the registry for privacy and include no information in whois. For domains where whois privacy is available (.com/net/org, etc.) they include the registrant's full name (so it's clear that they are the ones who legally own the domain) and then provide the Gandi postal address where all mail is presumably shredded. They also provide a unique, randomly-generated email address to protect against spam: if you get spam to that address you can simply push a button and a new, random address is created. Legitimate mail is forwarded on to the contact while spam is filtered out.
  Gandi offers these privacy services to individuals only: companies and organizations are assumed to be less in need of privacy protecting services and must include their regular contact information.
  I have no problem with law enforcement being able to get the details with a warrant issued by a relevant court, but I think the time for having all personal contact information being made public in whois has passed. It used to be that the name and contact information corresponded to a technical contact at an organization responsible for that domain but now many domains are owned by private individuals and this assumption can no longer hold.
  Of course, even with a warrant the whois information for suspected bad guys is unlikely to be of use: I doubt the bad guys put in accurate and correct whois information or pay using their personal credit cards (as opposed to anonymous prepaid cards).
5. Re:Working phone number in whois by sjames · 2012-09-30 06:27 · Score: 4, Insightful
  
  That would be a work-around, but it's more reasonable to recognize that it's not reasonable to force someone to publish their phone number to every pointy-headed moron in the world that thinks I owe them my time so they can make a sales pitch in my home.
  If 'Law Enforcement' would care to actually pursue said morons when they violate the do not call list or commit various frauds AND they would care to narrow the exceptions to the DNC list, people might not be so resistant to give a real phone number.
  It's not like whois is the only hope to track down a domain owner. IF they have a sufficient reason to track them down they can follow the IP address to a provider and present a warrant for the account information OR they can present the warrant to the domain registrar. If they don't have good enough reason to get a warrant, they shouldn't be pursuing it in the first place.
6. Re:Working phone number in whois by pla · 2012-09-30 06:28 · Score: 4, Interesting
  
  And what are you using those domains for eh? MFA sites maybe and your trying to hide ownership from the big G
  
  This spring, I registered an "ego" domain - My own name dot net, on a whim.
  
  I paid for it with a credit card in my name. I gave a fake phone number, and a PO box for my address. I used a real email address (albeit one made specifically to catch the junk I expected by registering.
  
  And three days later, GoDaddy locked my domain and reversed the charges, refusing to do business with me until I sent them a scan of my driver's license. WTF?
  
  So, I told GoDaddy to go fuck themselves, and registered with a no-name, for less, with automatic free privacy protection (the WhoIs contacts go to them, rather than to me) and that doesn't give the least damn if I want to register as George Bush.
  
  The real problem here involves laziness on the part of law enforcement, pure and simple - IP addresses don't mean LEOs can't track you down, it just means they actually need to come up with enough evidence to convince a judge to demand the ISP turn over the owner's info. It makes doing their job an actual job, rather than a five second query against WhoIs.
  
  Stop expecting to rest of the world to do your work for you, guys. If you need to track me down, do so. But don't expect me to put up with nonstop telemarketers, not to mention the risk of some crazy actually showing up at my door because he doesn't like what I said about Rush Limbaugh, just to save you from having to do some legwork if someday I break the law.
  
  Innocent until proven guilty. Read up on it sometime, eh?
7. Re:Working phone number in whois by sjames · 2012-09-30 06:30 · Score: 3
  
  The whole point is that law enforcement wants to do an end run around the judge by enforcing the accuracy of the published data and to hell with everyone else.
8. Re:Working phone number in whois by AliasMarlowe · 2012-09-30 06:49 · Score: 4, Funny
  
  you could always get a Google Voice number and not forward it anywhere (or set it to perma-do-not-disturb) - you'd still be able to browse through voicemails if necessary through an email interface
  Bonus points for wasting their time as well as their call charges. Make your answering machine give a lengthy message, such as:
  "You have reached the number that you dialed. Please check the number, and try your call again. Your call is important to you. Your patience and perseverance are valuable impediments to your business. Please don't hold. " Repeat that sequence as long as your message allows. A robo-caller will perhaps get confused by the pattern of pauses and statements, and might even bring a human on the line. An actual human will become grumpy and hang up in disgust.
  
  --
  Those who can make you believe absurdities can make you commit atrocities. - Voltaire
9. Re:Working phone number in whois by Anonymous Coward · 2012-09-30 06:53 · Score: 2, Funny
  
  You have reached an imaginary number. Please rotate your phone 90 degrees and try the number again."
  That usually confuses any human on the line.
10. Re:Working phone number in whois by sjames · 2012-09-30 06:56 · Score: 3, Insightful
  
  A side point is that law enforcement loves for corporations to have have lots of information on individuals that is legally mandated to be correct so they can 'ask' for it without a warrant from a judge. That seems to be their angle here.
11. Re:Working phone number in whois by icebraining · 2012-09-30 07:40 · Score: 3, Informative
  
  Yes, damn that government! Except the ones pushing for the more "accurate" WHOIS data is ICANN, a private organization, and the one pushing back is a governmental organization (created by the EU). But don't let facts get in the way of your anti-government diatribe.
  
  --
  Dilbert RSS feed
12. Re:Working phone number in whois by sjames · 2012-09-30 13:29 · Score: 2
  
  Unfortunately, here you get charged for receiving or making a call on a cellphone.
13. Re:Working phone number in whois by sjames · 2012-09-30 17:27 · Score: 2
  
  Close, The U.S.
"Law Enforcement?" by Anonymous Coward · 2012-09-30 05:18 · Score: 2, Insightful

I didn't RTFA, but who exactly is "Law Enforcement?" The capitalization makes it seem like it's the proper name of some organization.
1. Re:"Law Enforcement?" by houstonbofh · 2012-09-30 06:46 · Score: 2
  
  The entertainment industry. (I default to looking for the worst case scenario...)
2. Re:"Law Enforcement?" by Anonymous Coward · 2012-09-30 07:30 · Score: 2, Informative
  
  I didn't RTFA, but who exactly is "Law Enforcement?" The capitalization makes it seem like it's the proper name of some organization.
  Reading the articles would not help, their description does not go beyond this:
  
  ICANN and the Registrars have engaged in six additional negotiation sessions, including two all-day, in-person meetings held in Washington D.C. (one of which was attended by Governmental Advisory Committee members and law enforcement representatives).
  "law enforcement representatives" without capitalization.
Re:just attach a website to a phone number by icebraining · 2012-09-30 05:27 · Score: 2

phone numbers can be traced to an owner
Not where I live (European country): you can get an anonymous prepaid SIM card easily - mobile operators often offer them as promotional gifts, too. And you can add money using cash on many small shops.

--
Dilbert RSS feed
"asks" by grumpy_old_grandpa · 2012-09-30 06:03 · Score: 2

> two of Law Enforcement's twelve asks

Also known as questions in plain English. Or in this instance, possibly requirements.