Loudmouths Wanted for ICANN WHOIS Replacement Work

Neil Schwartzman

TL;DR? It's worth reading, BUT, if not — ICANN has yet another group looking at WHOIS, and there is a huge push to redact it to nothing. I spend easily half my day in WHOIS data fighting online crime; losing it would not merely make my job harder, it would make it impossible.

PLEASE JOIN THE ICANN GROUP and help us fight back against people who are fighting in favour of crime.

M3AAWG has submitted at least three comments in this regard, but that's not how ICANN works: they consider the number of submissions to be more important than who is making a statement. M3AAWG, with hundreds of member companies, counts for one vote.

Do it now; it is time for the security community to stand up strong to this nonsense. Thanks.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org

Rant shared with permission:

-------------------------------

Subject: ICANN WHOIS Replacement Work
Date: March 24, 2017 at 4:05:52 PM GMT-4

We have been trolling them with facts for a month now. I learned a lot about that group in that time. Here's a blood pressure boosting wall-of-text rundown:

The group is a bunch of registrars and "right to be forgotten" privacy people. They want to kill DomainTools and all similar services.

The "privacy" advocates want domain ownership to be anonymous without a court order. They have no concern about privacy violation caused by criminals. They don't care that anonymous free speech is already available or that the domain system they are trying to create will be tremendously dangerous for dissidents and so forth to trust. They want to create privacy by forcing us to delete data we have collected from public sources. They are extremist fanatics with ideas unburdened by knowledge. People on this mailing list have done far more to protect privacy than these so called advocates.

And for the registrars, it appears they are intent on saving money as they don't want to deal with the complaints or maintenance of whois. They seem uninterested in the fact that their small savings will cause huge losses for someone else. Some are dismissive of law enforcement, and some have spoken hostile words about Spamhaus, where the only other mouths I have heard such words from belonged to spammers. The arrogance from some of them is palpable.

I am not exaggerating. The list archives are public, and you should decide for yourself.

-------------------------------

I don't want this to be an entirely negative reactionary issue. There are opportunities. If enough people *who actually use WHOIS and own domains* participate, we can make WHOIS better.

  • Have you ever been irritated with a bad domain that enjoys the benefits of WHOIS privacy?
  • Have you ever been irritated that a registrar makes you visit their website and answer a CAPTCHA to see the WHOIS record, only to find out their website is broken?
  • Have you ever been irritated with a registrar that gives your search warrants the middle finger and discloses no whois?
  • Have you ever been irritated with registrars that minimize their exposure on DomainTools (and other WHOIS archivers) so they can appeal to abusers?

If we don't participate, the risk is that bad policy hurts the Internet while increasing the profit of a minority. It has happened before. Here are some past ICANN policy issues:

  • The .ZIP TLD: apparently no one involved saw a potential problem, but they certainly saw profits.
  • An explosion in general of TLDs that increased profits for registrars, with few controls on price abuse, to the benefit of registries and at the expense of everyone else.
  • Companies spending hundreds of thousands of dollars to get a TLD, and domains on new TLDs, to prevent anyone else from using their name.

Make no mistake, killing our visibility will reduce the money they spend on abuse complaints and subpoenas. It is insane that this minuscule industry dictates policy that increases risk for the global financial system.

-------------------------------

In case you didn't see this, here is a list of quotes said in earnest by people who ICANN is taking policy input from. Feel free to cross reference them with the public archives, and you will see that they absolutely believe this, and that they dominate the conversation:

"Shit Registrars Say"

On defenders losing access to WHOIS:
"Buhu my work will get harder"

--

On law enforcement stating that access is crucial:
"Good thing that police are law "enforcement" not legislators. They can ask for anything they like, it is not like it has legal binding status. It is a wish list, nothing more..."

--

Stepping on toes:
"Harvesting and storage of whois data to be re-wrapped and sold is illegal and many registrars state this on the terms and conditions.
[...]
storage of whois data is illegal unless it was for a lawful purpose and the only one I can think of is transfers.
[...]
This will step on some registrars toes as well as [Brand Protection professional]'s toes who have a business model around the supply of whois data for commercial gain (namely charging for it)."

--

On the legality of Domaintools and WHOIS archives:
"Who says we need a Whois Archive? The GDRP have explicitly a section about the right to be forgotten, that will say all records deleted!

The way f.ex Domaintools operate today are not in the terms of a lot of whois providers conditions and in some cases illegal"

--

On what you can do with WHOIS data you query:
"Depends on the terms you accept when you make the whois inquiry. You may be violating the terms of the registrar or registry providing the whois service. "

-------------------------------

Feel free to share my observations with others (TLP:GREEN) because we should spread awareness. This is regulatory capture at significant expense to us, but we can stop it. Participate, vote, and we can make ICANN great again.

You can join the ICANN working group via this page. There is no barrier to entry, no cost, and no minimum requirement beyond filling out a statement of interest.

https://community.icann.org/display/gTLDRDS/Next-Generation+gTLD+Registration+Directory+Services+to+Replace+Whois

We've played bad cop/worse cop enough. Y'all need to show up and say something. Right now our community's concerns receive mockery and disrespect. You need more than one voice there. You need a multitude. These people need to become a minority.

Thanks,

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email (CAUCE).


Comments

Charles Christopher  –  Mar 24, 2017 5:49 PM PDT

>The group is a bunch of registrars and "right to be forgotten" privacy
>people. They want to kill DomainTools and all similar services.

As a registrar I want to no longer have the responsibility for a whois server. Whois should be in the Registry, NOT the registrar. It's not just cost, it is also an issue of "true authority".

I would also point out the number of errors many registrars have when they present whois data, data that does not match the regisTRY. I cringe anytime I hear DomainTools described as authoritative; it is not and never could be. However, if Verisign becomes a thick registry, and whois is then pulled from Verisign, THEN the pulled whois is authoritative.

So it seems to me there should be an interest in moving forward with Verisign being a thick registry.

>And for the registrars, it appears they are intent on saving money as
>they don't want to deal with the complaints or maintenance of whois.

Last year ICANN notified registrars of the better formatted whois data server we were supposed to all have implemented by February of this year. That seemed to annoy enough folks that that requirement changed, and now Verisign will be a thick registry by 2018. In fact, if memory serves, we are now supposed to be supporting contact objects and filling them with new registrant info.

So your post leaves me very confused as to what you are saying. When it comes to "authoritative whois", that can only exist at the registry, nowhere else. Sorry, but registrars can't be authoritative even though most ASSuME them to be, such as DomainTools.

So it sounds to me like your post is arguing against the current shift to Verisign becoming a thick registry like all the other registries. And I can't see any reason to support that view.

Am I missing something?

>The "privacy" advocates want domain ownership to be anonymous without a court order.

The other day I had a credit card dispute; to "identify me" I was asked about my previous home locations and what cars I have owned in the past. And frankly, it pisses me off that such info is being used in this way, and I told them that. Their response was "it's public info" .... Yeah, well, where do I go to pull that info without PAYING THE STATE TO SET UP AN ACCOUNT! No, it is NOT public, it's a revenue generator for the state, in the guise of "public info".

Now, my home, that's a different story. The info is still firewalled a bit, but not entirely. So everyone can see I own my house, and I can find out who owns other properties. It actually protects me, and that has been the purpose of this part of the recorder's office for 400 years if I recall (ignoring the MERS foreclosure scandal).

To me it's the same as the county recorder: there should be no whois privacy and all info should be public. In fact I want instantiation of my whois to prove my registrations. I have had the benefit of having been involved in some cases, like you, and whois privacy is the foundation of more problems than whois privacy supposedly solves. It should be forbidden. And I have said that for years .... And the response I always get is "you can't overrule EU privacy laws, and thus the world must follow the EU". So when laws are convenient for those in control, they are observed, and when they are not, well, that is why you become a supranational organization .....

Louise  –  Mar 27, 2017 1:26 PM PDT

@ Charles Christopher,

VeriSign Hacked: What We Don't Know Might Hurt Us
http://www.pcworld.com/article/249242/verisign_hacked_what_we_dont_know_might_hurt_us.html

VeriSign Hacked Multiple Times in 2010
http://www.pcmag.com/article2/0,2817,2399773,00.asp

VeriSign did not properly report these breaches, so is not to be trusted.

Whois data is safer distributed among the many Registrars that act as intermediaries.

Charles Christopher  –  Mar 27, 2017 2:11 PM PDT

Louise, how many times have you looked at a registrar's whois data, and then looked at the underlying Verisign data and seen with your own eyeballs that the registrar was presenting bad data?

I am talking about bad creation and expiration dates, domain status, and DNS server values.

I have lost count of the number of times I have had this experience ....

Louise Timmons  –  Mar 27, 2017 3:52 PM PDT

@ Charles Christopher, when facts state VeriSign has done bad, why do you defend VeriSign?

What is your agenda?

Why are you promoting VeriSign, over other trusted sources?

Charles Christopher  –  Mar 27, 2017 4:57 PM PDT

>why do you defend VeriSign?

Am I? News to me. I am defending the old saying:

"Man with one watch always knows what time it is.
Man with two watches never knows what time it is."

I am defending the authority of a central repository as that is the only way to achieve authority. Like it or not.

If there is only one source, then there can only ever be one answer.

>What is your agenda?

One Truth, versus many truths.

>over other trusted sources?

What trusted source are you referring to? I have already commented about what I have seen over the years. Whois scrapers are not authoritative, mostly they get it right, but not always.

That the industry has evolved without a central repository does not make the existing ones authoritative; it makes them all that there is and all that we have.

Let me take your position. Are you willing to fight to have the current thick registries be turned into thin registries so as to move the data out to the registrars? You are taking that position, that they are a trusted source, so what is good for .com is good for all TLDs. Or are we going to take the position that both thin and thick registries are the same? That they are both authoritative? If so, how do we reconcile the differences that come up in the thin registry model?

If you can pull only from Verisign, that is the only answer there is.

For me that is an authoritative result. You and I have no choice but to agree on the value at any given moment, because we shall always receive the same result. It's when we ask two different sources, and each get different answers, that we can't know what truth is.

And to be specific, in theory the registrar is "authoritative" for the contact records, but not the dates, DNS values, or status semaphores, which are centralized at the registry. It's those centralized values that registrar whois gets out of sync on. But a whois record is treated as a "whole". Next you have someone going to, say, ENOM to pull whois records, but ENOM has been hammering my whois server so I have cut them off from access at the moment, so you do not get any whois result.

Louise Timmons  –  Mar 27, 2017 11:30 PM PDT

@ Charles Christopher,

>What trusted source are you referring to?

DomainTools. It has a fairly unblemished record. I would choose DomainTools data over VeriSign.

On research, I see you HAVE promoted thick whois for years. Distributed whois data IS a solution voiced by some tech experts. I didn't invent it.

VeriSign is not to be trusted, which is why distributed whois for dot com is imperative. If the internet is a trillion-dollar economy, dot com is its de facto currency. We both know that.

VeriSign has botched security in its past. Worse, it swept its security lapse under the carpet, instead of informing its clients.

Verisign's spawn, Symantec, has mis-issued 30,000 certificates. Not only has this unfathomable security breach cast doubt on the root, but it is breaking the internet. See:

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs

Neustar I trust. The dot info/dot org Registry I trust (Afilias?).

VeriSign and ICANN have turned a blind eye to domain trafficking from US Registrars, straight to the Chinese market. China came late to the dot com market.

Every nation's dream is access to the US market, is why it's easy to promote investment in global dot com extension.

Trench Wars didn't pan out real well during WWI
Theo Geurts  –  Mar 25, 2017 2:53 AM PDT

Neil,

As a Registrar assisting LEAs in numerous cases, I know how valuable the WHOIS is when it comes to abuse. And no "solution" would be a disaster when it would come to combatting abuse.

Your article, in my opinion, points out one of the problems why we have gotten ourselves into a huge mess. Thank you for that.

The problems:
-Fear of change
-Ignorance
-No long term vision
-And a lot more

The WHOIS, is and was a "nice to have," not a "must have."
Within ICANN we created tons of policies on a "nice to have" solution.
Not one of these policies displays a technical solution that has incorporated the right to privacy. We could have done that, but we didn't.
I am sure that every privacy problem within ICANN could have been solved with a technical solution. The reason that I am sure is simple: looking outside of the ICANN bubble I see countless companies and governments who manage to balance the right to privacy and purpose. They also deal with crime and illegal activity.

Granted hindsight is always 20/20.

Now we have over 100 countries with privacy laws, and we ignored it.
The EU GDPR is coming with fines up to 20 million Euro or 4% of the companies annual turnover worldwide.
Registries and Registrars who deal with EU customers cannot ignore this. This is not just an EU Registrar issue; it affects everyone.

Adding more loudmouths to the RDS won't help, the RDS WG just figured out last week that a huge shift is required thanks to the input from the EU data commissioners, the U.N. Special Rapporteur on the right to privacy and Caroline Goemans-Dorny INTERPOL's data protection officer.

If we do not start working as a community real quick and fast, there will be no WHOIS at the end of May 2018, but there will be a huge mess.

Time to reset the discussion.

Ayden Férdeline  –  Mar 25, 2017 5:15 AM PDT

Thanks for mentioning the enforcement possibilities of the GDPR, Theo. It is important to note the legislative interventions that the Next-Generation Registration Directory Service Policy Development Process Working Group must respect.

The conversations on the mailing list, which have been partially quoted above in Neil's post, reflect the growing recognition by *governments* worldwide that privacy is a fundamental human right. Against this landscape, where there are data protection laws in over 100 countries, it is incumbent upon the Working Group to recommend a path forward which balances the privacy rights of natural and legal persons against other rights and interests.

A common goal which I believe all Working Group members share is to foster mutual trust between all stakeholder groups in the current (or replacement) Registration Directory Service. Doing so requires a thorough understanding of the intricacies of the interplay among human rights ideologies, societal values, government policies, business interests, and legal systems. I think the Working Group is making a good faith effort to do just that; but if you think a view is missing, membership is open and you are of course welcome to join and to contribute to the discussions. You might be surprised to discover that the law enforcement communities, and private investigators, are already actively involved in the Working Group's work. If I was to note which stakeholder group had the softest voice, I would say it was civil society (but I would say that).

Inertia and the status quo are not options. WHOIS as it exists today needs to evolve. Not because we want to make the jobs of private investigators more difficult, but because the collection and use of vast amounts of personal data with phenomenal ease, efficiency, and no safeguards poses immense risks to privacy, raises serious concerns about the protection of personal data, and does not comply with the law in many jurisdictions.

Privacy
Neil Schwartzman  –  Mar 25, 2017 6:01 AM PDT

I like privacy. I have fought to uphold it every day of my working life since 1995.

Let's start with concrete examples of privacy abuse in WHOIS, since they are cited as a reason to redact. I've been spammed at my WHOIS available email address more than a few times, but hardly in the numbers I see for other email addresses I maintain.

If I am to have a position it is to adopt the Canadian model. Commercial enterprises may not have WHOIS privacy (proxy registrations) in place. They give up the right to privacy when they begin commercial activities. For one, they must register their business and declare it to their respective governments. This information is usually available in a publicly-viewable database. However, there are fuzzy instances to a commercial/individual demarcation:

Individuals who do a little business on the side, and sensitive businesses like those in the adult industry and, for example, women's shelters.

In these cases a post office box and/or lawyer's office answers the need to keep their civic address away from those who would do them harm, while satisfying the need for disclosure of a point of contact.

The fact of the matter is, when we cite privacy as a concern, for every instance of a privacy violation gleaned via WHOIS data, I can provide 10,000, a real number (probably an order of two magnitudes smaller than the actual one), of people being abused by owners of domains with erroneous or obfuscated WHOIS data.

Here's the one for CAUCE. We are perfectly contactable (yes, we'll have been at this for 20 years come May, 2017):

Domain Name: CAUCE.ORG
Updated Date: 2016-04-04T04:30:18Z
Creation Date: 1997-05-02T04:00:00Z
Registry Expiry Date: 2017-05-03T04:00:00Z

Registrant Name: Host Master
Registrant Organization: Coalition Against Unsolicited Commercial E-mail
Registrant Street: PO Box 727
Registrant City: Trumansburg
Registrant State/Province: NY
Registrant Postal Code: 14886
Registrant Country: US
Registrant Phone: +1.6073305711
Registrant Email: hostmaster@cauce.org
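As an added example (not code from CAUCE, any registrar, or the original post), the script below parses the key/value WHOIS record quoted above and checks two things the comment thread turns on: whether a record discloses a point of contact at all, and whether a registrar's copy has drifted from the registry on the fields Charles Christopher says are centralized there (dates, status, name servers). The CAUCE.ORG record is the one shown above; the registrar-side copy is constructed for the example, and the field names in `REGISTRY_FIELDS` are assumed to match the record's own labels.

```python
"""Parse WHOIS key/value records, test contactability, flag registry drift.

Example added to this page; not code from CAUCE or any registrar.
CAUCE_REGISTRY is the record quoted in the comment above.
REGISTRAR_COPY is CONSTRUCTED: same contact, stale registry-side fields.
"""

CAUCE_REGISTRY = """\
Domain Name: CAUCE.ORG
Updated Date: 2016-04-04T04:30:18Z
Creation Date: 1997-05-02T04:00:00Z
Registry Expiry Date: 2017-05-03T04:00:00Z

Registrant Name: Host Master
Registrant Organization: Coalition Against Unsolicited Commercial E-mail
Registrant Street: PO Box 727
Registrant City: Trumansburg
Registrant State/Province: NY
Registrant Postal Code: 14886
Registrant Country: US
Registrant Phone: +1.6073305711
Registrant Email: hostmaster@cauce.org
"""

# Constructed registrar-side copy: a stale expiry date and a name server
# the registry does not list, i.e. the kind of out-of-sync data described
# in the thread. No phone line, so it is also not fully contactable.
REGISTRAR_COPY = """\
Domain Name: CAUCE.ORG
Updated Date: 2015-04-01T00:00:00Z
Creation Date: 1997-05-02T04:00:00Z
Registry Expiry Date: 2016-05-03T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Registrant Name: Host Master
Registrant Email: hostmaster@cauce.org
"""

# Fields owned by the registry (assumed labels, matching the record above).
# A registrar copy that disagrees here is out of sync regardless of
# what it says about the contact fields.
REGISTRY_FIELDS = ("Creation Date", "Registry Expiry Date",
                   "Domain Status", "Name Server")


def parse_whois(text):
    """Return {key: [values]} for 'Key: Value' lines.

    Repeated keys (several Name Server or Domain Status lines) accumulate;
    blank lines and the usual comment prefixes are skipped. Only the first
    colon splits, so timestamps keep their own colons intact.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def is_contactable(record):
    """True when the record discloses both a registrant email and phone."""
    return bool(record.get("Registrant Email")) and bool(record.get("Registrant Phone"))


def registry_drift(registry, registrar):
    """Registry-owned fields whose values differ between the two records.

    Comparison is case-insensitive and order-insensitive, so a reordered
    name-server list is not reported as drift.
    """
    drift = []
    for field in REGISTRY_FIELDS:
        a = sorted(v.lower() for v in registry.get(field, []))
        b = sorted(v.lower() for v in registrar.get(field, []))
        if a != b:
            drift.append(field)
    return drift


def is_expired(record, now_iso):
    """True if Registry Expiry Date is before now_iso (same Zulu format)."""
    expiry = record.get("Registry Expiry Date")
    return bool(expiry) and expiry[0] < now_iso  # ISO-8601 Zulu sorts lexically


if __name__ == "__main__":
    registry = parse_whois(CAUCE_REGISTRY)
    registrar = parse_whois(REGISTRAR_COPY)
    print("contactable:", is_contactable(registry))
    print("registrar copy drifts on:", registry_drift(registry, registrar))
    print("expired as of 2017-06-01:", is_expired(registry, "2017-06-01T00:00:00Z"))
```

Run it as-is and the registrar copy is reported as drifting on the expiry date and name servers while the creation date matches, which is exactly the "whole record" problem: the contact fields agree, but a consumer that trusts the registrar copy for dates or DNS gets stale answers. Pointing `registry_drift` at a real registry and registrar pair is the check a defender would script before treating any non-registry source as authoritative.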

Charles Christopher  –  Mar 25, 2017 8:15 AM PDT

There is no "privacy" for land holdings in the EU:

https://e-justice.europa.eu/content_land_registers_at_european_level-108-en.do

This link states it well, the echoes of history:

https://fee.org/articles/europe-meets-america-property-rights-in-the-new-world/

"What de Soto discovered was that the experts had failed to recognize the centrality of secure property rights in the development of the United States and the West in general. Rather, they mistakenly believed that prosperity grew out of the thicket of regulations and rules that exist today. Recapturing those missing lessons is important if we are to avoid inadvertently destroying the foundations of our freedom and prosperity."

"Change occurs peacefully in such circumstances because it is a byproduct of trade rather than the result of the decision of an autocrat. That peace and prosperity flow from property is the ultimate lesson, one that too few remember today."
