I’ve been a huge fan of so-called “thick” WHOIS data provisioning for ALL gTLDs and I had always wondered why this model was not adopted when VeriSign moved the COM and NET registries to EPP protocol (from the previous protocol, whose name escapes me, so perhaps if you knew what that was, that would be appreciated) in the mid-2000s. Unfortunately, it seems the COM and NET registries were still required to only display “thin” information upon looking up a domain name, forcing us to use third-party “WHOIS aggregation services” or go directly to that particular registrar’s WHOIS database. This problem was compounded last year when GoDaddy.com, the largest domain name registrar, started displaying only registry-level information on its own WHOIS database, potentially in breach of its registrar accreditation agreement.

I’d like to see ALL of the gTLD registry operators add the best CAPTCHA technology to the registry-level databases, for enhanced security of personal information and to prevent “scraping” or “harvesting” by “spambots”.

A “thick” WHOIS model, as you said, has many benefits, the primary one being enhanced access to registrant data supposedly held in escrow. Registrars, as I understand it, are supposedly required to escrow all of their data with a third-party so that, in the event of their failure, ICANN can reach out to the appropriate customers and transfer them to an alternative registrars. The problem is:  can we trust what data the registrant is placing in escrow is reliable and done regularly? Are multiple revisions of that data kept? One question I have, for those customers using WHOIS privacy services, is the the underlying data of the registrants required to be held in escrow still?

Finally, when do you expect VeriSign to adopt the “thick” WHOIS model?

Cheers,
Doug M.

P.S. Also, why won’t CIRA adopt the “thick” WHOIS model?

from the previous protocol, whose name escapes me, so perhaps if you knew what that was, that would be appreciated

The previous protocol was RRP: https://tools.ietf.org/html/rfc2832

I’d like to see ALL of the gTLD registry operators add the best CAPTCHA technology to the registry-level databases, for enhanced security of personal information and to prevent “scraping” or “harvesting” by “spambots”.

No, that’s a bad idea. CAPTCHA is not the solution. Any system that attempts to prevent abuse will be gamed when there is enough value at stake.

can we trust what data the registrant is placing in escrow is reliable and done regularly?

If registrars want to keep their accreditation, then it would seem they are obliged to escrow. Of course this assumes that someone is patrolling that data, and only ICANN knows that.

Are multiple revisions of that data kept?

That probably depends on the escrow service. You would think that each revision would be kept.

One question I have, for those customers using WHOIS privacy services, is the the underlying data of the registrants required to be held in escrow still?

Yes. Same for whois proxy, at least according to the latest RAA.

Sincerely,
Anthony Eden

P.S. Because CIRA doesn’t need to adopt it and maybe doesn’t want to centralize such a significant amount of valuable personal data?

The previous protocol was RRP: https://tools.ietf.org/html/rfc2832

Ah, yes, RRP. I remember that now. Thanks, Anthony! :)

No, that’s a bad idea. CAPTCHA is not the solution. Any system that attempts to prevent abuse will be gamed when there is enough value at stake.

Well, the registrars’ WHOIS databases already use CAPTCHA technology (or, rather, largely they do), what’s wrong with adopting this at the registry level, at least until a better technological solution comes along? GoDaddy.com has already stopped displaying its own formatted registrar-level WHOIS in favour of data from the registry. The problem is, VeriSign’s COM and NET gTLD registries don’t yet display all of the data. In absence of a “better” solution, I’d still argue we need to adopt CAPTCHA technology at the registry level now. :)

If registrars want to keep their accreditation, then it would seem they are obliged to escrow. Of course this assumes that someone is patrolling that data, and only ICANN knows that.

That’s exactly what I’m questioning. Does ICANN not regularly review the accuracy of data stored in escrow and whether multiple revisions are being kept? In particular, especially in terms of underlying data held in escrow from the WHOIS privacy services, does ICANN review this data accuracy at all? It’s easy to say, “if registrars want to keep their accreditation, they’ll do x,” but as a former customer of the RegisterFly mess and eNom’s role in the whole debacle of not taking action sooner against their reseller, registrars have a particularly shoddy history at WHOIS data accuracy. ;)

Cheers,
Doug

Because CIRA doesn’t need to adopt it and maybe doesn’t want to centralize such a significant amount of valuable personal data?

I used to support ccTLD registry autonomy in decision making, but one thing I don’t like about CIRA’s governance in particular is their complete lack of transparency. Sure, they may offer online voting and yes I am a CIRA member, but where they gain points for that, they lose them in their complete lack of disclosure in terms of policy discussions at the board level and WHOIS accessibility. Intellectual property holders should have a right to find out when someone is using a second-level domain .CA domain name in contravention of their rights. The general public should have a right to look up who owns a .CA second-level name, a key Canadian strategic digital asset. Everyone should have a right to find out who .CA domain squatters are. Plain and simple. I’m not certain how anyone could argue against these views. Anything else is tantamount to less democratic regimes, like China, holding Internet data private. :(

That said, I am in generally in favour of WHOIS privacy services for those that wish to protect their WHOIS data, at a nominal cost, provided the underlying data is escrowed and that escrowed data is periodically reviewed by registry-appointed auditors, presumably, on a “random sample” basis.

It’s for the above-noted reasons CIRA gets, at best, a C in overall transparency and governance and one of the reasons I’d like to see IANA (which is currently managed by ICANN under contract, or another body) given additional broad powers to set master ccTLD registry policies and a “framework” that is a sort of minimally-accepted standards by which ALL ccTLD registries must operate or risk losing their registry operation contracts. The governments would retain their right to appoint a new registry operator, of course, but IANA (or that other body) would act as a “ccTLD arbiter” of sorts of when a ccTLD registry operator is acting in contravention of that framework and, after x number of warnings, ICANN could essentially suspend/terminate its ability to act as a ccTLD registry operator, forcing the country’s government to appoint a new operator. Registry operators would be, of course, free to set their own registry and registrar policies, as long as they achieve the minimum stated aims of the “global ccTLD registry framework”.

I realize it takes away some country autonomy, but the gains in standardization in terms of governance and transparency on a global level, more than outweight any losses in country autonomy over its namespace, don’t you think? As we’ve seen time and again, countries (including Canada) don’t make the best decisions vis a vis its strategic digital assets. ;)

Cheers,
Doug