
WHOIS: How Could I Have Been So Blind?

Neil Schwartzman

A colleague was recently commenting on an article by Michele Neylon, "European Data Protection Authorities Send Clear Message to ICANN", citing the EU Data Commissioners of the Article 29 Working Party, a grouping that is a determining factor in the impending death of WHOIS.

He is on point when he said:

What the European Data Protection authorities have not yet put together is that the protection of people's mental integrity on the Internet is not solely due to the action of law enforcement, but a cast of others (anti-spam/abuse initiatives, DDoS mitigation, etc.) who are not law enforcement but do rely upon visibility into the DNS Whois to perform their services.

But then goes on to write:

… it is apparent that such position lacks consideration of the impact to other fundamental rights provided by the Union.

and thus misses the point, and worse yet, fails to sup upon the delicious, delicious irony. Their well-meaning initiatives are subject to a much higher court, the court that administers The Law of Unintended Consequences. Deprecate WHOIS, and so doing, deprecate the very privacy you are seeking to protect.

I consider spam to be a common, but mild invasion of privacy, a misuse of personal information, better put. To expect law enforcement to magically become aware of the millions of spam attacks totaling billions of electronic messages of all types that occur daily is either naive or insane. Or so I had thought:

I just now had an epiphany, a revelation! I've been looking at this all wrong.

Clearly, the EU has set aside massive amounts of money to hire the army of new law enforcement personnel necessary to investigate spam attacks.

Obviously, the universally beloved EU Data Commissioners have made expertly-crafted anti-spam laws and creative new international legal frameworks foremost in the docket, ready to be deployed in the coming months.

I can't imagine otherwise, nor is the notion conceivable that these wise and exalted Data Commissioners, paragons in every respect, do not have a really fantastic rabbit up their sleeve (or up somewhere), to fully address the open question of what happens when the imminent WHOIS closure causes current spam protection mechanisms and operations teams, dependent to a great degree upon WHOIS, to fail, unable to stop untold billions of malicious emails on May 29, 2018.

No. I won't have a word of it!

Between the time the spam is launched at a network and the time these new super-cybercops arrest the criminals with their newly-minted laws, between those points in time, and between that spam and its intended recipients, are soon-to-be hobbled spam filters that rely upon WHOIS data. But since that telemetry will be lost, the DPs (using that term in the adult video sense seems to make sense, since all this cleverness will serve to address several holes) must have some new secret technology to protect networks and individual users, slated to be launched May 28, 2018. I can't WAIT to see what they've come up with! A heretofore unknown, top-secret FUSSP* spam filter that will make up for any shortfalls that choking the living crap out of WHOIS will accomplish is undoubtedly ready to roll.

* Final Ultimate Solution to the Spam Problem

At risk of sounding a little cynical, this is also a great personal boon. I consult with law enforcement agencies globally and train them in investigation techniques, so I expect more major new contracts than I can possibly handle. My prices must go up; I adjusted my price list for a 3x increase on June 01, 2018. Too little? So confident am I in the EU Data Commissioners, who enjoy Papal-grade infallibility, to have foreseen all angles, I've put in for one of those fancy new Aston Martin Valkyries (although the new Tesla Roadster is tempting, too ... bah. I can afford them both!)

It will be like having my birthday at the end of May, I'm certain.

I am a little concerned about the Registrar Industry though. Their sheer selflessness, emblematic in their willingness to so readily accept the massive losses to their revenue streams as the absence of public WHOIS renders proxy registration services more anachronistic than whale oil, might cause there to be a few pinches to the pocketbooks of those employed as a result of that lucrative gravy train running dry. I can't think of another industry ever having been so generous of spirit and funds, so very socially aware that nary a creature can be found to be stirring, not even a mouse.

No matter, I'm dead sure the domains will be flying off the shelves now that it is safe to buy one in total secrecy, free of any reservations that may exist under the current exploitative, onerous régime.

In summation, I'd like to apologize to all and sundry for my wrongheadedness in my afore-expressed stance on this matter. WHOIS? Kill it! Kill it with FIRE!

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE

Share your comments

Charles Christopher  –  Dec 08, 2017 8:47 AM PST

Just wait for the increase in domain thefts, and reduced ability to prove one was the previous registrant.

http://www.circleid.com/posts/20170326_a_case_to_further_dns_registrar_industry_self_regulation/

Domain "registration" will now only be exclusively at the registrar sponsorship level.

Now let's dig a little deeper. Domains are a very low margin business, most of the money goes to the registry not the registrar. So it only takes one tech support call and a registrar will have lost all their profit on a domain name. Thus we see policies like this:

https://www.thedomains.com/2013/12/09/looks-like-godaddy-charges-some-customers-50-if-they-get-hit-with-a-udrp/

https://www.godaddy.com/legal-agreements.aspx

"GoDaddy also reserves the right to charge you reasonable "administrative fees" or "processing fees" for (i) tasks GoDaddy may perform outside the normal scope of its Services, (ii) additional time and/or costs GoDaddy may incur in providing its Services, and/or (iii) your noncompliance with this Agreement (as determined by GoDaddy in its sole and absolute discretion).  Typical administrative or processing fee scenarios include, but are not limited to (i) customer service issues that require additional personal time or attention; (ii) UDRP actions(s) in connection with your domain name(s) and/or disputes that require accounting or legal services, whether performed by GoDaddy staff or by outside firms retained by GoDaddy; (iii) recouping any and all costs and fees, including the cost of Services, incurred by GoDaddy as the results of chargebacks or other payment disputes brought by you, your bank or Payment Method processor. These administrative fees or processing fees will be billed to the Payment Method you have on file with GoDaddy."

To be clear, I am not picking on GoDaddy. Being the largest registrar, they just make it easy for me to make my point in a way that can't be dismissed. I am a registrar too and so I understand the costs involved and the reason GoDaddy does what it does.

The point is removing Whois is only going to make life more difficult for registrants, and thus registrars. Registrars WILL charge additional fees to cover the problems and depending on the circumstances registrants may just give up and then the entire domain industry takes a hit because of bad customer experiences .... And the customer/registrant can't even wrap their heads around why this is happening. Registrants will know it's wrong and nonsensical, but the true reasons for the problems will always elude them. Back to:

http://www.circleid.com/posts/20170326_a_case_to_further_dns_registrar_industry_self_regulation/

I think the best way to capture the problem was when, at an ICANN meeting, some folks asked the ICANN employees if they themselves had any domain names. In other words asked them if they ate their own dog food:

https://en.wikipedia.org/wiki/Eating_your_own_dog_food

They AVOIDED the question entirely. I asked how they benefited registrants, and received the same response.

Nobody should be surprised where we are at, or where we are heading. If you are, you have not been paying attention.

Charles Christopher  –  Dec 08, 2017 9:00 AM PST

Here is a suggestion, and yes I know this will never happen:

The president and CEO of ICANN shall be REQUIRED to be the registrant of ICANN.ORG. They shall be required to pay for renewals via their personal credit card, and maintain credit card updates with the current registrar. They shall only renew 1 year in advance, never more than one year. Renewals shall only be done via transfers before the expiration date. Transfer shall only be to a registrar which has not been a sponsor of ICANN.ORG for the last 10 years. The registry, PIR, shall not be allowed to treat ICANN.ORG any differently than any other .ORG registration. In fact PIR shall not be allowed to apply server locks on ICANN.ORG unless at least 25% of total .ORG registrations are also using this service. Privacy whois shall not be used on ICANN.ORG and the whois value of ICANN.ORG shall be the president and CEO's personal address, phone number, and email address.

If anybody thinks my proposal is unfair or inappropriate, I would LOVE to hear why you think so. The president and CEO of ICANN is basically in charge of all domain names, so let's make sure they actually know what that entails ...... Perhaps it should even be a requirement for the job, now that's a silly idea!

Regardless of what you think... Volker Greimann  –  Dec 12, 2017 4:43 AM PST

...of the GDPR, it is the law of the land and we will have to live with it. Surely you cannot be suggesting that contracted parties break the law. Sure, sometimes such laws have unintended consequences and sometimes they intentionally favor the importance of one aspect over another. In the end, it does not matter. We will have to make changes to avoid being in breach, some of which may be process-breaking for many parties, including ourselves.

But we will adapt and make it work. I suggest you do the same instead of crying over spilled milk and wallowing in sarcasm.

Charles Christopher  –  Dec 12, 2017 11:09 AM PST

>it is the law of the land and we will have to live with it.
>Surely you cannot be suggesting that contracted parties break the law.

https://www.youtube.com/watch?v=jBkgdGIBv00

"An individual who breaks a law that conscience tells him is unjust, and who willingly accepts the penalty of imprisonment in order to arouse the conscience of the community over its injustice, is in reality expressing the highest respect for the law”
― Dr. Martin Luther King Jr.

http://ij.org/report/policing-for-profit/grading-state-federal-civil-forfeiture-laws/

"The news team found that rather than working eastbound lanes, where smugglers transport drugs to the East Coast, officers focused on westbound lanes, where smugglers haul cash back to Mexico. A subsequent review of drug task force records indicated that officers made 10 times as many stops on the westbound side of the highway as they did on the eastbound side."

"In what became a case study of forfeiture abuse, police officers stopped out-of-state drivers for insubstantial reasons in order to search the vehicles. Upon discovering cash or other items of value, officers seized the properties and threatened owners with bogus charges—even state removal of their children—if they refused to waive their rights to the properties. Forfeiture proceeds were used to buy, among other things, a $500 popcorn machine, candy for a poultry festival and $400 worth of catering. Money also went to a local chamber of commerce, a youth baseball league, a local Baptist church and the pocket of a Tenaha police officer whose name appeared in complaints from stopped motorists.6"

https://www.ushmm.org/wlc/en/article.php?ModuleId=10005681#

"Local governments also issued regulations that affected other spheres of Jewish life: in Saxony, Jews could no longer slaughter animals according to ritual purity requirements, effectively preventing them from obeying Jewish dietary laws."

https://americanheritage-dev.byu.edu/Pages/Database/The-Human-Predicament.aspx

“It does not require a majority to prevail, but rather an irate, tireless minority keen to set brush fires in people’s minds.”
– Samuel Adams

Derek  –  Dec 19, 2017 2:24 PM PST

Totally spot on Neil. Just for "fun": We recently exposed a massive loan scam syndicate targeting Europe from Benin, West Africa.
https://blog.aa419.org/2017/04/19/from-benin-a-loan-scam-syndicate/
We saw a few UDRPs lodged in the past with zero effect. The great fun started where I as citizen in a non-European Member country tried escalating that issue to the European Union authorities. Surely they would love to know about such issues? Seems not. All the doors were slammed in my face as either this is "not what we look at", all those nice advertised protections came to nothing, passing the buck, or silence. Even an email to the French regulator went unanswered. WHOIS details were fake in all cases, yet clearly interlinked and key to dismantling an incestuous nest targeting Europe and Canada from West Africa. The assistance from any European country was extremely underwhelming. Eventually ordinary non-European member citizens dismantled the nest to simply protect European citizens.

But now an ill-advised decision by regulators representing less than 10% of the world population, who currently do not have that "magical" ability to stop abuse and domain based fraud, is holding the world to ransom and dooming consumers (and law enforcement) elsewhere in more than 90% of the world. What is wrong with this picture? If somebody asks me for my money on the net, am I not allowed to do due diligence? Also do not say the "illiterate rabble", aka consumers, do not know about WHOIS. I have many emails and tip-offs from those "illiterate rabble" from all parts of the world where they point out details using WHOIS details.

I'm not sure who has been smoking what, but it's bound to be a consumer bloodbath. Thing is, certain registrars would love to sweep this troublesome fake registration details issue under the privacy carpet, not open to public scrutiny, those same registrars that blatantly ignore provisions in the ICANN RAA. Just as I had one large German registrar stating "We are only a registrar" (and can do squat), despite showing proven fraudulent WHOIS details to them and the associated domains openly used in defrauding consumers. I suspect this is why "blanket privacy" had its support in certain corners of the registry community.

Fun time now, the after party morning after is coming soon. "WHOIS data protects" is a simple truth.

Charles Christopher  –  Dec 19, 2017 4:01 PM PST

>Just as I had one large German registrar stating "We are only a registrar" (and can do squat)

ICANN budget requires supermajority approval by registrars. ICANN no longer provides the ability to vote NO on their budget, only YES. The fact that they removed the ability to vote NO should give people something to think about.

So, one solution is "do nothing" and no longer vote on the ICANN budget.

And to those that say ICANN has no control over the EU. Let's give that a test by not approving their budget and see what happens .... And that will never happen.

>I suspect this is why "blanket privacy" had its support in certain corners of the registry community.

Recently I was researching a domain and found GoDaddy returned a truncated Port 43 whois record which was absent all contact records. ICANN's whois service also returned the truncated record as well. It did include an HTTPS: link which did then return contact info after the captcha was entered. But the key here is I am a registrar (private), if this was for a transfer in then GoDaddy just removed the means for me to programmatically transfer the domain. Thus there is a great conflict of interest here. It's to GoDaddy's benefit to increase my transfer in costs and thus increase its customer retention. It only makes sense for ALL REGISTRARS to use this as an opportunity to retain customer registrations, AKA block transfers.

At least with privacy whois the transfer notice still routes somewhere, now there is no ability to even send the notice. And the new transfer procedures are even more dependent on obtaining an email address even if it's a privacy proxy.

So I would argue on the basis of customer retention alone, all registrars have financial interest to remove whois from their system. The EU just gave registrars a gift they were looking for, a way to increase customer retention.

On the flip side, having to run whois is a royal pain as most of the traffic is scraping and not transfer notices. Not to mention DDOS attacks. Thus the current transition of Verisign from thin to thick registry eventually *MIGHT* make that information available via EPP. But that is not clear either as an email I received today made it clear contact info would only be available if the Info() query provides the current auth code. I believe that behavior is a catch 22 in regards to the current transfer policy as the auth code is then needed BEFORE the registrant approves the transfer at the gaining registrar, in order to ask the customer if they wish to transfer in ...... Thus we are back to impeding domain transfers (.COM) between registrars even in the thick registry backend which registrars have "non-public" access to. I have not checked the other thick registries to see if they now demand the current auth code to return records for an Info() query.

>Also do not say the "illiterate rabble", aka consumers, do not know about WHOIS.

Most do not.

Most are "illiterate".

Most do have some "geek" friend, or available IT staff where they work, or acquaintance, that they ask for help from.
