PFIR Comments on Access to WHOIS Data

[Lauren Weinstein <lauren@xxxxxxxxxx>]

[ Please confirm receipt of this text.  Thanks! ]




Comments Regarding Access to WHOIS Data
PFIR - People For Internet Responsibility
http://www.pfir.org

Lauren Weinstein
Peter G. Neumann
David J. Farber

June 16, 2004

We are extremely concerned that restricting non-bulk access to detailed
WHOIS contact data could potentially have dramatic negative impacts on the
security, stability, and reliability of the Internet.  These concerns extend
to "ad hoc" proxy registration and other obscuring techniques now being
deployed by individual registrars, and to any changes proposed by ICANN or
other authorities that would impact non-bulk access to WHOIS data.  We are
not addressing issues of WHOIS data accuracy in these comments, except to
note that we believe that reasonable accuracy in this data is also crucial to
Internet stability, security, and reliability.

While it is true that privacy-related problems can and do occur in relation
to WHOIS -- and we have a long history working to promote privacy issues --
it is also true that the domain name system was not designed as a means of
obscuring responsible parties participating in the cooperative that is the
Internet.

The lack of formal centralized control over Internet operations (a situation
that many would be loath to change even if it were technically possible to
do so) means that in most cases of problems relating to Internet operations,
site administrators are frequently <b>on their own</b> to track down often
serious problems.  Access to WHOIS data -- especially including contact
telephone numbers but often physical addresses as well -- can be critical in
such situations.

In our own direct experience, immediate access to WHOIS data has proven
invaluable and irreplaceable in tracking down and solving both technical and
non-technical operational problems relating to hackers, spams, serious
network traffic congestion and related problems (both intentional in the
forms of denials of service and other attacks, and unintentional in the form
of remote site misconfigurations), forged e-mails, libelous statements,
false postings, dishonest merchants, and on and on.  Access to WHOIS data
has also proven important on numerous occasions to <b>solving</b> problems
related to personal privacy abuses brought to the attention of the PRIVACY
Forum, such as libelous or otherwise falsified e-mail or postings,
fraudulent merchants, credit card crimes, and a wide range of other abuses
that require immediate action to contain a rapidly expanding sphere of
damage.

Without straightforward and immediate access to detailed WHOIS registration
and technical data, made available without having to jump through delaying
hoops, many such problems can rapidly escalate in ways that are impossible
to put back into the proverbial bottle.

We do agree that bulk access to such data should be highly restricted if
permitted at all to non-registrars.  Reasonable mechanisms (e.g.,
frequency-based usage "throttles") to limit the ability of a single user to
rapidly extract large numbers of WHOIS entries over a short period of time
also make sense.  Audit trails detailing access to WHOIS data also would
seem reasonable, but we do not agree that this implies that automatic
notification to a domain holder every time their WHOIS information is
accessed necessarily makes sense (under some scenarios, unscrupulous domain
holders might use such information for retaliatory purposes). However,
notifications in cases of query abuse would seem appropriate.

We do not believe that limiting access to detailed WHOIS registration and
technical contact data to holders of identity certifications is practical,
unless it is planned to make the purchase and maintenance of such
certificates a requirement for all Internet users -- a concept that at the
present time would be both controversial and unworkable from a practical
standpoint.

Also, we strongly feel that making access to WHOIS registration data more
limited than access to WHOIS technical data for domains would be a huge
error.  Both forms of data need to be readily and quickly available to deal
with network security and reliability issues of all sorts.  

All too often, the technical contact data shown for a domain is the main
telephone number and name for a very large ISP -- often a generic low-tier
ISP customer service number is the only one listed along with a low-tier ISP
customer service e-mail address.  Attempts to deal with important network
issues on a timely basis through such contacts is unlikely to succeed.  It's
crucial that it be possible to have access to the <b>registrant</b> data
which provides contacts for the entity actually operating and/or using the
computers and systems in question.  

Given the immediate availability of accurate registration and technical
WHOIS data for a domain, it may be sensible to allow for the routine masking
<b>only</b> of "billing address" data -- if and only if the billing address 
data <b>differs</b> from the listed registration data.  

It is important to remember that virtually all network operations can
technically be performed without an individually-registered domain name.
It's relatively easy to postulate individual cases where someone might
desire the convenience of a domain name, and simultaneously wish to protect
their identity.  However, just as businesses cannot operate using fictitious
names without full disclosure of address and other information in the public
record, domain names should not become widely seen as an obscuring
mechanism, regardless of whether or not they are being used for business
purposes.

Time is often of great essence when network-related problems appear.  If a
site starts flooding other sites with unwanted data (either purposely or
through configuration error), the targeted organizations and/or individuals
may be utterly unable to conduct normal Internet traffic, including basic
functions such as e-mail and Web access.  For many entities, such a
situation may be devastating and even dangerous.  It's critical to have the
ability to use other facilities to rapidly track down the source of the
problems -- often by using the phone to call the listed WHOIS contacts for
the offending site -- especially when network connectivity has been
disrupted by those very problems.

On the non-technical front, how much time should be required between, for
example, the appearance of forged e-mails or wider Internet postings
containing libelous materials, false accusations aimed at ruining
reputations or causing massive financial loss, vs. the ability of the
aggrieved party to start discovering who is behind the attack before
reputations or even entire organizations are massively damaged?  Timely
access to registrant WHOIS data can be crucial in such cases, because as a
practical matter <b>there is nowhere else to go</b> for all but the most
well-heeled of Internet users.  

WHOIS data is also critical in avoiding misunderstandings over similar
sounding or appearing domain names, often purposely chosen to foster user
confusion.  This class of problem has becoming increasingly severe with the
massive proliferation of domain names, and will be exacerbated with the
internationalization of domain name character sets.

In numerous cases, upset individuals have assumed that one domain that
appears similar to another is the source of their aggrievements -- even to
the level of threatening immediate legal or police action.  Often a quick
reference to WHOIS, showing that the two domains are not affiliated and are
at different locations, is enough to prevent such situations from blowing
completely out of control unnecessarily.  Without the WHOIS data, such
situations would be <b>much</b> more difficult and time consuming to clear
up.  While some lawyers might well relish this prospect, most of the rest of
us would not.

The sorts of cases described above, among many others, represent situations
we've already seen where immediate and complete WHOIS access was key to
fixing the situation -- or at least limiting or preventing further damage.

Certainly nobody conducting <b>any</b> sort of commercial or non-commercial
financial transactions relating to their domain names should be permitted to
mask any portion of their registration data in any manner.  One would think
that this point would be obvious to all observers.  But as the examples above
demonstrate, the potential security, reliability, and other risks from
unavailable, delayed, or partial access to complete WHOIS data for
<b>any</b> domain -- even ones not engaged in financial transactions or
business operations -- can be extremely serious. 

When an attack on your systems is occurring, whether purposeful or
accidental, it doesn't matter if the perpetrator is a multi-billion dollar
transnational conglomerate or a nice suburban family using the Net strictly
for fun.  A way is needed to <b>immediately</b> find out who is behind the
trouble and contact them as quickly as possible.  Again, many of these
problems can be cleared up with a single phone call.

We recognize that there may be an <b>extremely limited</b> set of cases where
domain holders might demonstrate a clear public safety or other critical
need that may possibly justify masking of some WHOIS data related to their
domains.  However, even in this narrowly circumscribed context we would
object to such masking on stability, security, and reliability grounds
unless a third-party entity -- reachable by phone on a 24/7/365 basis, and in
possession of all contact information for such domains, existed to act as a
"go-between" to <b>immediately</b> reach those domain holders in the kinds of
situations we have described above, while still protecting those domain
holders' identity information to an appropriate extent.

Again, such a third-party service should be extremely limited in scope to
<b>only</b> handling queries regarding domains that have shown a
demonstrated, justifiable need for masking.  

For all but a relatively few domains, WHOIS technical contact and
registration data should be directly and immediately available from WHOIS
for non-bulk access by any Internet users.  In the globally distributed,
non-centrally-controlled Internet, this is crucial to the continued
operation of the Internet itself.


<p>

- - - - -

<p>
Lauren Weinstein<br>

<a href="mailto:lauren@xxxxxxxx";>lauren@xxxxxxxx</a> or
<a href="mailto:lauren@xxxxxxxxxx";>lauren@xxxxxxxxxx</a> or
<a href="mailto:lauren@xxxxxxxxxxxxxxxx";>lauren@xxxxxxxxxxxxxxxx</a><br>

Tel: +1 (818) 225-2800<br>

Co-Founder, PFIR - People For Internet Responsibility - 
<a href="http://www.pfir.org";>http://www.pfir.org</a><br>

Co-Founder, URIICA - Union for Representative International Internet<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cooperation and Analysis - <a 
href="http://www.uriica.org";>www.uriica.org</a><br>

Moderator, PRIVACY
Forum - <a href="http://www.vortex.com";>http://www.vortex.com</a><br>
Member, ACM Committee on Computers and Public Policy<br>
<a href="http://www.pfir.org/lauren";>http://www.pfir.org/lauren</a>


<p>

Peter G. Neumann<br>

<a href="mailto:neumann@xxxxxxxx";>neumann@xxxxxxxx</a> or
<a href="mailto:neumann@xxxxxxxxxxx";>neumann@xxxxxxxxxxx</a> or
<a href="mailto:neumann@xxxxxxxxx";>neumann@xxxxxxxxx</a><br>

Tel: +1 (650) 859-2375<br>

Co-Founder, PFIR - People For Internet Responsibility - 
<a href="http://www.pfir.org";>http://www.pfir.org</a><br>

Co-Founder, URIICA - Union for Representative International Internet<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cooperation and Analysis - <a 
href="http://www.uriica.org";>www.uriica.org</a><br>

Moderator, RISKS Forum - 
<a href="http://catless.ncl.ac.uk/Risks";>http://catless.ncl.ac.uk/Risks</a>
or <a href="http://www.risks.org";>http://www.risks.org</a><br>

Chairman, ACM Committee on Computers and Public Policy -
<a href="http://www.csl.sri.com/neumann";>http://www.csl.sri.com/neumann</a><br>

Principal Scientist, SRI International Computer Science Laboratory -
<a href="http://www.csl.sri.com/neumann";>http://www.csl.sri.com/neumann</a>

<p>

David J. Farber<br>
<a href="mailto:dave@xxxxxxxxxx";>dave@xxxxxxxxxx</a><br>
Tel: +1 (412) 726-9889<br>
Distinguished Career Professor of Computer Science and Public Policy,<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Carnegie Mellon University, School of Computer 
Science<br>
Member of the Board of Trustees EFF - <a 
href="http://www.eff.org";>www.eff.org</a><br>
Member of the Advisory Board -- EPIC - <a 
href="http://www.epic.org";>www.epic.org</a><br>
Member of the Advisory Board -- CDT - <a 
href="http://www.cdt.org";>www.cdt.org</a><br>
Member of Board of Directors -- PFIR - <a 
href="http://www.pfir.org";>www.pfir.org</a><br>
Co-Founder, URIICA - Union for Representative International Internet<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cooperation and Analysis - <a 
href="http://www.uriica.org";>www.uriica.org</a><br>
Member of the Executive Committee USACM<br>
<a href="http://www.cis.upenn.edu/~farber";>www.cis.upenn.edu/~farber</a><p>
<p>   
(Affiliations shown for identification only.)
<p>