WHATIS Going To Happen To WHOIS?

dmoberhaus writes: A European data privacy law goes into effect in May, but it's already having far reaching consequences, especially when it comes to publicly available WHOIS data. Motherboard spoke to a domain registrar, ICANN and some security researchers about how anticipation of the EU privacy laws implementation has already gutted WHOIS data, why this is dangerous and what the future of WHOIS looks like.
ICANN requires registars to make data on their customers publicly available -- but registrars would be more than happy to stop, according to Tim Chen, the CEO of a WHOIS data analytics firm. Besides hiding their customer lists, it would also address complaints about spammers harvesting email addresses. So registars like GoDaddy "are taking this opportunity to see how far they can push things."

But the article has some sympathy for ICANN. "On the one hand, the organization is under pressure from law enforcement officials and security researchers who depend on WHOIS data to investigate possible crimes or mitigate devastating malware attacks. On the other hand, the organization must also accomodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue.

"The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

Nonsense

[Njovich]

This is total nonsense. GDRP is about disclosing how you handle data and giving people handles when they want to be removed from your system. In no way does it stop you from creating a phone book for domains holders.

Re:Nonsense

Ironic that you call it nonsense and then give a nonsense summary yourself. Data access and portability are two of the many areas you ignored. I could certainly see hosting companies making decisions to change how they present WHOIS based on GDPR, for example keeping logs of what is displayed and to whom given their responsibility to record processing of relevant data.

Re:Nonsense

[zifn4b]

Before you post, do a 5 second Google search and locate this nice, easy to parse GDPR Key Changes document

Re:Nonsense

[Njovich]

Nothing here contradicts what I said. Which part would ban WHOIS?

Re:Nonsense

[Njovich]

You misunderstand data access if you think I didn't cover it. As far as portability is concerned, that's the whole point of WHOIS, they have that covered.

Re:Nonsense

[zifn4b]

Which part would ban WHOIS?

Where is the claim that GDPR would ban WHOIS? Are you making things up? The part of the summary that is related to GDPR is that the current WHOIS service is not compatible with GDPR:

On the other hand, the organization must also accomodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue.

Re:Nonsense

[Njovich]

I didn't say you claimed that. Are *you* making things up? I just asked two questions, where your page contradicts my statement, and which part of GDPR forbids WHOIS. You answered neither question (your quote certainly doesn't point it out).

Re:Nonsense

[zifn4b]

I asked you what this is in reference to and you failed to respond.

Which part would ban WHOIS?

I didn't claim anything of this nature and I don't see where anyone or anything did. Why would i continue to talk with someone who is making shit up? There is no way to have a conversation with someone who is doing that. If you want to continue, tell me what this statement YOU made is in reference to, otherwise, have a nice day because I don't talk with irrational people that just make things up.

Re:Does anyone actually use that

[spaceman375]

I use it sometimes. Mostly to keep track of expiration dates for my own and client's domains, but it's not all obfuscated. Even just the creation date can be useful when looking into something.

Scammers use data...

[Camel+Pilot]

Anyone who has a registered domain or ssl certificate is familiar with the perennial scam of getting a fraudulent letter or emailing informing them that their domain is about to expire please send money now.

Re: Scammers use data...

[Monster_user]

Well, now I'm wondering why I don't...

Molehill

[bidule]

What's wrong with having WHOIS point to a middleman who must forward to the owner?

There's no privacy issue that way.

Re:Molehill

[93+Escort+Wagon]

This - or some variant of this - is how Dreamhost has handled WHOIS for years. Currently if you look up my hobby site, the admin contact is {domain name}@proxy.dreamhost.com .

Re:Molehill

[davecb]

I was peripheral to the discussion, and a customer bid on the "new whois" proposal: this is how it was supposed to work. A domain name in .com was supposed to be just like a business, and it was expected that the business contact could be your marketing department or in-house counsel. In .net and .org it was the same.

In .ca, the registrant name is the registrar, and when contacted they will contact me.

Re:Molehill

[marvinglenn]

As long as there's a mechanism where all domains from the same entity point to the same something so that I can find which domains have a common owner. I've found such _very_ handy in blocking/rejecting certain types of spammers.

undermined

[clangerbanger]

by scripts, running methodically and slowly on various machinery, scrape whois. then spread the result beyond control.

Is there even any point?

[ZorinLynx]

Most domains are owned by proxy anyway, so if you do a whois you're just going to get the name of the proxy.

The days of using whois to hold domain owners responsible for anything have been long over for a long time; anyone doing anything shady (or just wanting basic privacy) is using a proxy.

WHOknows

But I do know this much: trump will hang for treason.

WHOIS for netblocks is very useful

[E-Lad]

People tend to focus on domains when it comes to WHOIS usage; however I've found myself using it more to see who administrates/SWIPP'd a given block of IPs rather than looking up often inaccurate or obfuscated info on domain ownership.

Re:WHOIS for netblocks is very useful

[sjwest]

I agree - any whois that says do not block me, or "I AM NOT SPAMMING YOU" is worthy of a mallet

Re:WHOIS for netblocks is very useful

[OolimPhon]

Yep. I'm not really interested in the contact details. What I want to know is where an IP originates and what subnet it is part of. I would be happy for my contact details to be held somewhere and only passed on in accordance to local laws.

When I find that somebody has scanned my address, resulting in firewall drop messages, then I will assume that all addresses in the subnet containing that address could also be compromised. WHOIS tells me that info, and which country it is. Based on that, I'll drop the whole subnet, which also means less spam in my firewall logs.

I'm all for privacy laws

[flightmaker]

My registrar offered to make my personal information private something like 18 months ago, an offer which I immediately accepted. As a result I've had no more scam letters from assholes telling me I owe them money to renew my domain.

Typing a domain name into a computer without proper authority should never ever reveal the name, address and phone number of the owner for the very same reasons that in the UK you can't type the registration number of a car into a computer to obtain the name address and phone number of the owner.

Um... so what? Obfuscation already exists

[Kargan]

My domain registrar (Hover.com, based in Canada) offers WHOIS obfuscation for free. I'd be an idiot not to take advantage of it.

"How to make it work"

[zifn4b]

The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work.

I am going to create a piece of legislation that states "all citizens have a right to be able to time travel". I guess since it's the law we have to invent the time machine. Apparently the best approach to decision making is to shoot first and aim later.

Re:Does anyone actually use that

[JMJimmy]

Not irrelevant but CIRA (Canada's registry) did the same sort of thing a long time ago and it works just fine. Just saves people from having to pay stupid fees for privacy protection.

Re:Does anyone actually use that

[cayenne8]

Yeah...I've used it to find people that own domains I want and is nice to be able to contact them to see if they are interested in selling, etc.....

Why doesn't ICANN tell them to take a fucking hike...and if they don't want WHOIS available in their country, then they can block it into their country with their own firewalls or whatever.

I just list the address of the local post office.

[OldMugwump]

My home address doesn't need to be public. I list the address of the local post office, and my real name. Mail sent there will reach me. And of course a unique email address with very strong spam filters on it. Been doing it this way more than 10 years - no problems yet.

Re:Does anyone actually use that

[sjwest]

I do. - we also count bad dns requests to our dns servers - hit a limit and well thats not my problem

Re: Does anyone actually use that

[Monster_user]

I use whois it to determine the nature of traffic. I typically don't bother with contact information, I'm just looking for information I can use to identify whether the traffic is legitimate or not, so I know which PC to pull from the network,

solution: record salting

[lambsonic]

The data will always find a way out. Just allow registrars to salt records, like what is done with political donations.

Other important questions ...

[fahrbot-bot]

WHATIS Going To Happen To WHOIS?

Namely: WHEREIS, WHYIS, WHENIS and HOWIS ?

Does anyone actually use their real names?

[wolfheart111]

Just wondering if this is common. :) Its not like you have to show ID or anything. A 99 cent godaddy domain... WTF do I want to give real info anyways....

Reminds me of David Brin's Transparent Society

[Paul+Fernhout]

https://en.wikipedia.org/wiki/...
"Brin argues that it will be good for society if the powers of surveillance are shared with the citizenry, allowing "sousveillance" or "viewing from below," enabling the public to watch the watchers. According to Brin, this only continues the same trend promoted by Adam Smith, John Locke, the US Constitutionalists and the western enlightenment, who held that any elite (whether commercial, governmental, or aristocratic) should experience constraints upon its power. And there is no power-equalizer greater than knowledge."

From the article: "The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

Re:Reminds me of David Brin's Transparent Society

[DNS-and-BIND]

That would never happen, it would deprive our journalist class of their power to define what should be paid attention to. We saw citizen journalism explode in 2016 and Google/Facebook/Twitter spent all of 2017 smacking it down and putting it on page 146 of the search results.

ICANN't are idiots

So you have a problem with leaking "personally identifyable information" ("PII").

So your solution is an identification-wall that requires more identification, thus more PII, and "justification" data.

Syeah, that's gonna work.

Why do we publish all that whois data anyway? It's a hold-over from the early days. The useful bits of info are the registration date, the organisation behind it so you can match various domains to the same owner, and (should it still have been reliable), an easy contact point for abuse like through email and an out-of-band contact point for tech issues like a phone number.

Administrative contacts? Not really useful. Billing contacts? No point in making those public. Names of people associated with various contact points? Only rarely if ever useful, except for "owner" and tracing what else he's got--some scammers are crafty but these days it's all behind a privacy wall anyway. Where it isn't shielded, physical address is mainly useful to get an impression just whereabouts on the globe they are. We could put a lat/lon on there instead.

So most of the data can simply be made not public. I do think that the email and telephone contact points should remain public, and rigorously checked for validity. But the rest? Certainly the individual info in there we can do without.

Oh and by the way, replacing WHOIS by a website is a no-go. In addition is fine, but websites go poorly with command line interfaces. And I still run whois several times a day on systems that don't sport graphics much less a(n oversized stupidly heavy) browser.

Whois is Still Useful?

[Greyfox]

Every time I tried to use it to look someone up, the address was always held by some corporation clearly designed to hide that information. I don't think the database has actually been useful for at least a couple of decades.

Re:Whois is Still Useful?

[marvinglenn]

I've found it still somewhat useful, in that a couple of those masking companies, like "Whois Guard" in particular on my system(1), are so bad that I can reject email for purely being from a domain that uses their services.

(1) My current stats have >2300 unique domains using their service that I've rejected email from.

Does anyone buy a domain name without privacy?

[ayesnymous]

When I buy a domain, I can always find a coupon for free or 99 cent WHOIS privacy.

Should be public

[bradley13]

WHOIS is the internet-equivalent of a property registry. If I want to know who owns that building over there, I can go to the township, look in the public records, and find out. This is important, whether it's because you want to buy the building, or perhaps you have a problem with something that is happening there. Sure, in some cases, ownership will be obscured through some intermediate legal entity, but that will still be the responsible legal entity.

WHOIS should be exactly the same thing. If you are interested in a domain - for whatever reason - you should have a way to contact the legal entity responsible for it. Concerns about spam are misplaced - this happens in the physical world as well. There are scammers in the world, news at 11:00.

tl;dr: The domain registries are the property registries of the Internet, and the registrations should be public.

Re:Malware and scammers links day in day out.

[www.sorehands.com]

I call bullshit on you, or at least in general. Most of the proxy services claim that they keep you from getting spam. However, they forward the e-mails, so they still forward the spam and virus.

Re:Does anyone actually use that

[sabbede]

Yeah, I do. At least once every couple of days to check the ownership and validity of domains to answer questions like, "what's this traffic?", "is this a legit email?", "should this site be allowed or blocked?", etc.

What I'm hearing now sounds like a boon for criminals worldwide. Not a good thing.