ICANN's Pre-emptive Attack On The GDPR Thrown Out By Court In Germany

from the who-is-whois-for? dept

The EU's General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems's formal GDPR complaints against Google and Facebook over "forced consent" (pdf). That hardly came as a shock -- he's been flagging up the move on Twitter for some time.

But there's another saga underway that may have escaped people's notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet's namespace. Back in 2015, Mike memorably described the organization as "a total freaking mess", in an article about ICANN's "war against basic privacy". Given that history, it's perhaps no surprise that ICANN is having trouble coming to terms with the GDPR. The bone of contention is the information that is collected by the world's registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:

We realized that the domain name registration process, as outlined in ICANN's 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so. What's more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].

All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with "consent management processes", and a data flow "aligned with the GDPR's principles". ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to "preserve Whois data" -- that is, to force EPAG to collect those administrative and technical contacts. A post on the Internet Governance Project site explains why those extra Whois contacts matter, and what the real issue here is:

The filing by ICANN's Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. "The technical contact and the administrative contact have important functions," the brief asserts. "Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content."

As the tell-tale word "content" there reveals, the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material. This is precisely the same ICANN overreach that Techdirt reported on back in 2015: the organization is supposed to be running the Internet's domain name system, not acting as a private copyright police force. The difference is that now the GDPR provides good legal and financial reasons to ignore ICANN's demands, as EPAG has noted.

In a surprisingly swift decision, the German court hearing ICANN's request for an injunction against EPAG has already turned it down:

the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

However, as ICANN rightly notes, that still leaves unanswered the key question: would collecting the administrative and technical contact information contravene the GDPR? ICANN says it is "continuing to pursue the ongoing discussions" with the EU on this, and a clarification of the legal situation here would certainly be in everyone's interests. But there is another important angle to this. As the security researcher Brian Krebs wrote on his blog back in February:

For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.

There's no reason to doubt the importance of Whois information to Krebs's work. But the central issue is which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly-available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information? It's an important discussion that is likely to rage for some time, along with many others now being brought into sharper focus thanks to the arrival of the GDPR.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments



  • Anonymous Coward, 31 May 2018 @ 8:07pm

    the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information.

    Having worked for a domain name registrar and having dealt with ICANN on a regular basis in that capacity... the above statement is hogwash.

    Does the copyright industry benefit from the information publicly available in whois? Sure it does. But that's not why the engineers that created the whois specification 40 years ago set up the requirements. They just thought it would be a good idea for other engineers to know who to contact if you wanted to talk directly to who owned a domain, who managed the domain, or who managed the servers.

    I'm no fan of copyright overreach, and ICANN has its issues, but really, come on. Not everything is a content industry conspiracy.

    • carlb, 31 May 2018 @ 8:55pm

      Re: engineers the created the whois specification 40 years ago?

      Forty years ago? That'd be 1978. Let's boogie and disco on down... but there was no DNS (that was 1985 or so) and there were no commercial ISP's (as ARPANET or whatever other random predecessor of the Internet as government research networks let universities have access, but not the general public). Even the FidoNet dial-up BBS craze has its roots circa-1984.

      There was no Whois in 1978 and, even once it was created, it was more likely to be a list of research institutions - not private individuals. The hucksters, the lawyers and the spammers didn't get to run roughshod to destroy the network until the 1990's. Frivolous libel suit threats still had to be directed at printed newspapers as no one had heard of WWW - and even then "all the news that doesn't offend the advertisers" was more of a constraint than spurious litigation. Newspapers were pillars of the community and took their role seriously. By contrast, any dang fool can register a domain today, get space on a shared webserver and become a blogger... and it's silencing these people through frivolous and vexatious legal threats which is the bread and butter of too many "reputational management" ambulance chasers. Whois gives them a list of people to harass. All a recent phenomenon. Whatever existed 40 years ago is irrelevant today.

      • Stephen T. Stone (profile), 31 May 2018 @ 8:58pm

        Re: Re:

        Whatever existed 40 years ago is irrelevant today.

        Tell that to Shiva Ayyadurai.

      • Anonymous Coward, 31 May 2018 @ 10:46pm

        Re: Re: engineers the created the whois specification 40 years ago?

        OK fine, RFC 812 was in 1982. So, 36 years.

        once it was created, it was more likely to be a list of research institutions - not private individuals. The hucksters, the lawyers and the spammers didn't get to run roughshod to destroy the network until the 1990's

        True, and that perfectly illustrates my point. The people who created whois weren't thinking "we need to protect Hollywood's copyrights."

        Whois is part of the infrastructure of the Internet. It's always hard to update infrastructure (whether due to expense or resistance), even if you had consensus that whois was obsolete. That's why there are some places that still need COBOL and FORTRAN programmers, why fiber-to-the-home isn't everywhere.

        One of the documents I read at ICANN about GDPR wasn't an attack on it, it was more a case of "uh, guys? you aren't exactly giving us a lot of time to update things that have been part of the Internet for decades. Can you maybe give us a little extension so we don't have to worry about being in violation of EU law?"

        • Madd the Sane (profile), 1 Jun 2018 @ 2:20am

          Re: Re: Re: engineers the created the whois specification 40 years ago?

          The people who created whois weren't thinking "we need to protect Hollywood's copyrights."

          It doesn't mean it can't be used/misused/abused for that aspect. If nothing else, Hollywood is good at perverting things for their own gain.

        • ryuugami, 1 Jun 2018 @ 3:25am

          Re: Re: Re: engineers the created the whois specification 40 years ago?

          it was more a case of "uh, guys? you aren't exactly giving us a lot of time to update things that have been part of the Internet for decades. Can you maybe give us a little extension so we don't have to worry about being in violation of EU law?"

          OTOH, they had two years to do it.

          • A nonny mouse, 1 Jun 2018 @ 6:22am

            Re: Re: Re: Re: engineers the created the whois specification 40 years ago?

            And ICANN knew the EU's position with regards to Whois for at least thirteen years before that:

            [WP29] encourages ICANN and the Whois community to look at privacy enhancing ways to run the Whois directories in a way that serves its original purpose whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register.

            Opinion 2/2003 on the application of the data protection principles to the Whois directories, June 2003 http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf

            Of course, if you've ignored someone saying something for that long, you might not notice that the message has changed...

    • PaulT (profile), 1 Jun 2018 @ 1:33am

      Re:

      "But that's not why the engineers that created the whois specification 40 years ago set up the requirements."

      A lot of things made 40 years ago are used for far different purposes than their inventors originally intended.

    • Anonymous Coward, 1 Jun 2018 @ 8:27am

      Re:

      Not everything is a content industry conspiracy

      On the other hand, it's not like it's a secret that they haven't already tried. Jim Hood anyone?

    • Advocate (profile), 1 Jun 2018 @ 8:50am

      Re:

      "Not everything is a content industry conspiracy."

      Source needed.

    • Anonymous Coward, 1 Jun 2018 @ 1:34pm

      Re:

      > the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material.

      I agree this is garbage. Domain name registrars sell a feature called "whois privacy" for anywhere from $5 to $20/month. It costs them absolutely nothing to provide that privacy and amounts to their most profitable feature, available only to private persons and not companies. Vast numbers of domain names are thus protected and the associated personal info is not available to the public. The only way to get that personal info is to contact the registrar and petition for it; if you're not in law enforcement you can pretty much forget about getting that info.

      This article was going great up to that point. After that it's just witch hunt material.

    • Bergman (profile), 1 Jun 2018 @ 10:28pm

      Re:

      A better question to ask is: If Germany has in fact made it illegal to register a domain, will all German websites be limited to IP numbers instead of being able to use DNS going forward?

    • No dummy, 1 Jun 2018 @ 11:04pm

      Re: Anonymous Coward

      LOL yeah right! Nice story about the "harmless" imposition of invasive data collection in cyberspace. Are you a bot? LOL

  • This comment has been flagged by the community.
    Anonymous Coward, 31 May 2018 @ 8:41pm

    "leaves unanswered the key question" -- Whether ICANN is right!

    Do you even notice that after quoting: 'Mike memorably described the organization as "a total freaking mess"', you THEN quote Krebs and argue the opposite, that ICANN should get the info because important for security?

    So you then recast the story from the first "key question" into "the central issue is which is more important for society" -- which you don't even attempt to answer! I assume because noticed yourself muddled. And you left behind all of Masnick's folderol about Jane Blogger having to supply personal info.

    Anyhoo. On this, "the court" may be right, but it's still not invasive if Admin and Tech make three people in all. You're not required to have a web-site in order to publish your views. (You COULD usefully compare ICANN's demands to Facebook's, but you give no context.) In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can't easily remain anonymous, even though apparent intent is to publish to the entire world.

    • PaulT (profile), 1 Jun 2018 @ 1:31am

      Re: "leaves unanswered the key question" -- Whether ICANN is right!

      "On this, "the court" may be right, but it's still not invasive if Admin and Tech make three people in all"

      I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.

      "You're not required to have a web-site in order to publish your views"

      No, you crap over other peoples' sites instead.

      "In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can't easily remain anonymous"

      He supports anonymity for anyone who wishes it, even the tossers who pollute his site.

      • That One Guy (profile), 1 Jun 2018 @ 1:35am

        Well, almost

        I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.

        Not quite, they refuse to comment under a name, but they clearly identify themself anyway whether they want to or not given their plethora of tells.

    • Anonymous Coward, 1 Jun 2018 @ 1:50am

      Remember you have to take your meds every day or they don't work.

  • This comment has been flagged by the community.
    Anonymous Coward, 31 May 2018 @ 8:41pm

    Here's my prior for Techdirt "free speechers" to censor AGAIN:

    You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.

    But since Techdirt has tons of Google's javascript (just save a complete page and look!), with the purported bad enough purpose of targeting advertising, which in fact is collated and used to identify persons everywhere on the net, and which gives NSA "direct access", then as usual you have zero credibility to rail about "privacy" for commercial interests. Since when does Google respect MY privacy? It's unavoidable. You can't even "opt out" unless Google can identify you! -- Or Techdirt? You claim can do anything you want with names and other info!

    Oh, but requiring businesses to fill out an email, that's tyranny!

    As ever for Masnick, he only worries that commercial interests might be a little inconvenienced, with no concern for the public, let alone for scams and other known problems.

    Every time "business" comes up seems Masnick never heard of commercial law and that businesses are licensed entities that have intrinsic NO rights, are NOT persons, are subject to vast number of constraints and requirements. Masnick comes across like Mitt Romney, simply doesn't understand that ordinary people rightly regard businesses as predatory.

    https://www.techdirt.com/articles/20150623/17321931439/icanns-war-whois-privacy.shtml#c88

    • carlb, 31 May 2018 @ 8:58pm

      Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

      Many domain name registrants today are individuals, not huge universities or research laboratories. Times have changed. Anyone can register a domain. They ARE persons.

    • Anonymous Coward, 31 May 2018 @ 9:28pm

      Re:

      Your concern for the public is how Malibu Media and Njord Law aren't allowed to demand the general populace for money to fuel their coffers.

      Have a SESTA vote.

    • PaulT (profile), 1 Jun 2018 @ 1:28am

      Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

      "Oh, but requiring businesses to fill out an email, that's tyranny!"

      Are you stupid enough to think that only businesses own domain names? Of course you are...

      • ryuugami, 1 Jun 2018 @ 3:29am

        Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

        Also, email would be perfectly fine. It's phone numbers and home addresses of private individuals that are problematic.

        Of course, you can already get around registering those by using one of the paid WHOIS-anonymizing services. The very existence of those services means the entire rationale behind the system is bullshit.

        • Anonymous Coward, 1 Jun 2018 @ 7:36am

          Re: Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

          Why do you say email addresses are fine? Names and email addresses are personally identifying information, and aren't needed for the system to work properly. And they often show up as "private registrant" and some registrar-generated random forwarding address already.

          If omitting the details will cause some cyber-apocalypse, where are the problems from these existing privacy services? Where's the crime wave emanating from .de and other domains that already provide the privacy that people are now trying to add to the ICANN roots?

          • Anonymous Coward, 1 Jun 2018 @ 10:44am

            Re: Re: Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

            Easy fix: have all the registrars handle anonymization by default, opt-out. That way, large orgs can still register a contact, but all other complaints have to get proxied by the registrars who already have business reasons for holding the PII.

            Everyone wins except the registrars, and this would be relatively easy to implement; many consumer registrars already do it.

      • I.T. Guy, 1 Jun 2018 @ 6:32am

        Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:

        I've had one since 2000. It's registered under a fictitious name and address and paid for with money orders.
        No-ip sends me notices every so often to update my info but I just ignore those.

  • Eldakka (profile), 1 Jun 2018 @ 4:18am

    and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities.

    In other words, it hurts Krebs's income stream, therefore he is complaining about it.

    I respect Krebs's work. However, he is a private individual who has no particular mandate - or right - to do the work he does. If things change to make his self-employed job less lucrative, a shame for him personally, but not really a societal issue.

    It's like saying that some of the recent judgements and law changes to make patent/copyright trolling harder are bad because they make life harder for, or are putting these trolling lawyers out of work, therefore we should roll them back. Or like cord-cutting is making cable less profitable, downsizing and firing people. Should we ban cord-cutting?

    Shit happens, trends change to make some jobs less valuable (or less easy), while new opportunities arise.

    • Anonymous Coward, 1 Jun 2018 @ 7:30am

      Re:

      It could legitimately be about journalism rather than income. Should society be provided this WHOIS information to track criminals? I don't see the point. It's really easy to use fake information, meaning only criminals dumb enough to use their own name are affected. And the name (fake or not) will still be on file for police to access with due process.

      Krebs's other point is that he uses the information to contact victims of crime. That might be a good reason for people to opt in to WHOIS listings, but no reason to force it. It's already a solved problem BTW: the registrar publishes an email address like 4ca484183f7871bf66e27377382e08a6@registrar.example and forwards whatever people send there. That's been around for years.

    • Anonymous Coward, 2 Jun 2018 @ 1:29am

      Re:

      Copyright trolling is nefarious business, which I consider legitimate to combat. KrebsOnSecurity on the other hand, appears to be a reputable business and I don't see how it would be illegitimate for Krebs to complain that his ability to do business is compromised.

  • DerekCurrie (profile), 1 Jun 2018 @ 5:55am

    Hands Off WHOIS!

    Here's an example of why WHOIS is required, why GDPR's obfuscation of WHOIS data is outright detrimental and dangerous:

    I use what's called a reverse firewall on my computers. It catches all calls out of my computers to IP addresses on the Internet and allows me to choose to allow them or not. Reverse firewalls are crucial for stopping malware bots and nefarious software from sending and gathering data to and from nefarious sources. The most common of these 'phone home' events is sending my personal, private data to Google Analytics, which I never allow.

    But what happens when my reverse firewall can't resolve who owns a particular IP address when a process on my computer is attempting to call out to the Internet? What happens is that I am left with NO RESOURCES I can use to decide whether the call out to the net is legitimate or abusive.

    Today, when I run into this problem, my recourse is WHOIS and only WHOIS. I use it at least weekly for specifically this purpose. It lets me know that an obscure IP address a process is attempting to access is only Akamai, or it's only Apple's servers, or instead it's some place I've never heard of in Russia, or the EU for that matter. With this WHOIS data I am able to CHOOSE what connections my computer makes to the Internet. I am able to DEFEND MY PRIVACY and the integrity of my computer systems.

    GDPR takes ALL of that away, unless I play elaborate and annoying bureaucratic games that no mere human wants to endure. Instead, GDPR enables anonymous cowards and criminals to get away with Internet user abuse from which Internet users have only meagre recourse and redress. That's not acceptable! What we have no works for the benefit of all. If an IP address owner wants to be entirely anonymous, I say NO!

    Therefore: Hands Off WHOIS! Get rid of that aspect of GDPR.

    • DerekCurrie (profile), 1 Jun 2018 @ 6:07am

      Re: Hands Off WHOIS!

      Repair: What we have NOW works for the benefit of all.

      I want caffeine, now! ;-)

    • PaulT (profile), 1 Jun 2018 @ 6:32am

      Re: Hands Off WHOIS!

      "Today, when I run into this problem, my recourse is WHOIS and only WHOIS."

      So, what do you do currently when the WHOIS data is private and not available for you to view? Does everything collapse around you, or do you find a different solution?

      "It lets me know that an obscure IP address..."

      What do IP addresses have to do with the domain name WHOIS information that this case deals with?

      "If an IP address owner wants to be entirely anonymous, I say NO!"

      Then, fight the current system that allows that. You don't even get accurate geolocation data at the moment, let alone who the ISP responsible has assigned it to.

      Unless, again, you're getting confused between IP and domain lookups, in which case you surely have a problem with the fact that anyone can pay extra to have their information hidden from your public lookup? What do you do in cases where false information has been provided, or ICANN's records have not been updated since the domain was registered?

    • Anonymous Coward, 1 Jun 2018 @ 6:35am

      Re: Hands Off WHOIS!

      There is an easy answer that does not require whois information, block it unless you recognize the site, or have someone else validate it for you. Also, you do not need whois to locate the server, a reverse IP lookup will provide that information.

      • Anonymous Coward, 1 Jun 2018 @ 7:12am

        Re: Re: Hands Off WHOIS!

        This specific case is about domain registration anyway, not IP delegation. It's not hard to register a domain with a bogus name. At most the registrar might check that the name matches the name on your credit card (workarounds: get a "secondary user" card with whatever name you want; choose another registrar; use a shell corporation; or, if you're a criminal, use someone else's name and card).

      • PaulT (profile), 1 Jun 2018 @ 8:43am

        Re: Re: Hands Off WHOIS!

        Also, the issue in the lawsuit is the storage of information like personal contact names, physical addresses and phone numbers. You don't need that to confirm if it's an IP block assigned to Akamai.

    • DerekCurrie (profile), 1 Jun 2018 @ 7:20am

      Re: Hands Off WHOIS!

      Rubbish and snarky replies to my clear and important response to the removal of WHOIS data access?

      Sorry kiddies, but this is a serious conversation. Get along home now and do some relevant research of WHOIS and how it is used daily by those of us who understand the importance of computer security and privacy. Silly replies are not appreciated.

      • Anonymous Coward, 1 Jun 2018 @ 7:38am

        Re: Re: Hands Off WHOIS!

        >Silly replies are not appreciated.

        Neither is ignorance.

        >Sorry kiddies

        Fuck you.

      • PaulT (profile), 1 Jun 2018 @ 7:51am

        Re: Re: Hands Off WHOIS!

        Silly replies like talking about the fact that you're mixing up domain and IP lookups? Like pointing out that you don't have access to 100% of the database in the first place? Like the fact that you're depending on information known not to be 100% accurate to make your security decisions?

        For someone so concerned about security, you seem rather averse to facts, but offended when people mention them. Your network must be a mess, if this is the data you use to manage it.

        • Anonymous Coward, 1 Jun 2018 @ 8:53am

          Re: Re: Re: Hands Off WHOIS!

          WHOIS can be used on IP addresses. That's not exactly what the story's about, but it's reasonable to expect the same ICANN/GDPR troubles there (to the extent personal data is provided—usually these are records about corporations).

          • PaulT (profile), 1 Jun 2018 @ 9:26am

            Re: Re: Re: Re: Hands Off WHOIS!

            Well, there's 2 major differences that make conflation of the two pointless in this case.

            First, IP addresses are typically not provided to individuals. They will be sold in blocks to companies like the aforementioned Akamai, or to ISPs who then sell the IPs on, or use for dynamic hosting. They have historically also been sold as single purchases, but the vast majority of the time to businesses, not individuals (whereas a great many individuals own domain names). If you want a static IP nowadays, you'll get it from an ISP, not the source of the whois information.

            If I do a search on RIPE for my IP address, it will tell me that it's provided by Telefonica, it won't identify me as an individual. You *can* provide personally identifiable reverse lookup information if you're running your own domain on there of course, but it's not necessary and on your own head if you make that decision.

            The second is that, largely due to the above, the only information that's available in the whois will in the vast majority of cases be corporate information, which is not needed to be protected by the GDPR. There is little similarity between the two for the purposes of privacy.

            The reason why the GDPR applies to domain name whois information is that people have given personal information that's searchable from anywhere in the world with an internet connection on a single public database. Millions of individuals in the EU likely own domain names without paying the extra fee for privacy. That's generally not the case with IP whois information, so the same rules aren't really applicable.

            If someone would like to explain where I'm wrong, I'm all ears, but what I'm seeing is someone freaking out because they don't know what they're talking about and confusing 2 very different subjects.


            • identicon
              Anonymous Coward, 1 Jun 2018 @ 9:46am

              Re: Re: Re: Re: Re: Hands Off WHOIS!

              > If I do a search on RIPE for my IP address, it will tell me that it's provided by Telefonica, it won't identify me as an individual.

              Is that always the case, or is it up to your ISP whether to provide the granular details?


              • identicon
                Anonymous Coward, 1 Jun 2018 @ 4:06pm

                Re: Re: Re: Re: Re: Re: Hands Off WHOIS!

                Technically, anything static of /29 or greater should be SWIP'd, i.e. more information is needed. For IPv6 I would say a /56, but I don't think anything is really written in stone. A /56 in IPv6 is pretty much the equivalent of a /29 in IPv4, so that's my reasoning; most, though, would probably just allocate a /48, which is a BGP announcement, and that definitely should be SWIP'd. Basically, /56 is for a physical location and a /48 is for a company, which was the reasoning that John Brzozowski gave to me when I was planning IPv6 deployments.


            • identicon
              Anonymous Coward, 1 Jun 2018 @ 1:08pm

              Re: Re: Re: Re: Re: Hands Off WHOIS!

              Paul, don't know about you, but I often SWIP information for I - i.e. Individuals. Not uncommon, and really depends on the end user's preferences. For BGP and ARIN, RIPE, et al, I would agree that I very rarely see individuals with an ASN, though there are exceptions of course. AS11875 would be an example...


            • identicon
              Anonymous Coward, 1 Jun 2018 @ 1:29pm

              Re: Re: Re: Re: Re: Hands Off WHOIS!

              I can't speak for DerekCurrie, but when I see a suspicious IP address in a log somewhere, I also like to consult WHOIS. Not directly on the address, but on the domain name retrieved via reverse lookup of the address.

              This works for more or less shady corporations, like advertising companies. I don't expect to find the home address of an attacker though.


        • icon
          DerekCurrie (profile), 1 Jun 2018 @ 2:10pm

          Re: Re: Re: Hands Off WHOIS!

          No, I did not confuse anything. You simply don't understand what I'm doing, which is actually quite ordinary. You're also attempting to pretend I said things I never said, like wanting access to 100% of the database.

          Move along. This is too complicated for you. Propagandist exaggeration, confabulation and insults have no use here. Back under the bridge with you.


    • icon
      Eldakka (profile), 1 Jun 2018 @ 11:45pm

      Re: Hands Off WHOIS!

      What's this "reverse firewall" shit?

      Firewalls do, and always have, worked in both directions.

      Most home users tend to ignore the outbound configuration and allow unrestricted outbound requests. This means the user has chosen to hobble their firewall.

      Enabling outbound request filtering as well is nothing special, it's how a firewall is supposed to be used.


      • identicon
        Anonymous Coward, 2 Jun 2018 @ 12:19am

        Re: Re: Hands Off WHOIS!

        Well, it must be a special piece of firewall, if it's asking for consent based on IP addresses, possibly with the WHOIS query already integrated in the interface (on the address or the domain name, I don't care).

        But you all couldn't be bothered to consider these possibilities and just ridiculed DerekCurrie for his caution.


        • icon
          Eldakka (profile), 3 Jun 2018 @ 12:32am

          Re: Re: Re: Hands Off WHOIS!

          > Well, it must be a special piece of firewall, if it's asking for consent based on IP addresses, possibly with the WHOIS query already integrated in the interface (on the address or the domain name, I don't care).

          Do you have any idea what you are talking about? possibly WHOIS query - obviously you don't, otherwise the word possibly wouldn't be being used.

          OK, here's the way any properly configured firewall works.

          It blocks all requests, either incoming or outgoing. Then the user configures to allow specific source and destination IP:port sets - both incoming and outgoing.

          Host-based software firewalls (including the standard inbuilt Microsoft Windows one) can be configured to pop up a warning (or question) each time an un-approved IP address access is attempted, whether incoming or outgoing. If it's a question, you can be given options such as block, allow once, allow (some other period of time), allow permanently.

          This is nothing special, it is not a 'reverse' firewall, it is 'a' firewall, and doesn't use WHOIS. It does it entirely based on the list of pre-approved addresses already configured. i.e. the addresses you've already 'accepted' by having previously chosen an 'allow' answer to the question.


          • icon
            DerekCurrie (profile), 3 Jun 2018 @ 4:00pm

            Re: Re: Re: Re: Hands Off WHOIS!

            Hmm. I think perhaps I should not have made my point about WHOIS here. I'm baffled by the lack of comprehension, despite my (from my point of view) clarity.

            For those interested: A 'reverse' firewall monitors outbound rather than inbound computer data traffic. Regular firewalls do NOT commonly stop outgoing queries to the Internet.

            Have a read about the 'reverse' firewall I use on macOS:

            Little Snitch
            https://www.obdev.at/products/littlesnitch/index.html

            It presents the IP address being queried by specific running processes. It also provides, if it can find it (using a reverse DNS look up), the domain name that matches the IP address. But if there is no such domain name, it's listed in Little Snitch as unavailable. At that point, the user has to turn to a WHOIS query for information. This is where WHOIS is, IMHO, a crucial service on and of the Internet that must never be censored.

            A simple example is being presented with an IP address beginning with 17, as in 17.xxx.xxx.xxx. Little Snitch has no idea who owns that IP. If one didn't know better, one would worry it's the server address of a botnet wrangler, a place malware bots go to get their orders. Perform a WHOIS on that IP and you learn that 17.anything belongs to Apple. They own the lot! Therefore, if some new or obscure process you've never seen before is making that query, you know it's looking to Apple servers for something or sending something to Apple servers.

            As for WHOIS query results having to give away phone numbers or email addresses or physical addresses, that's not what's crucial in the simple case I'm describing. What one wants to know is whether the questionable call out to the Internet by the mysterious process is to a legitimate location or not! If there is no WHOIS data available from any of the WHOIS services, I DENY the query! If the resulting WHOIS data names some company or person I've never heard of and I can't connect them to the process calling out to that IP address, I DENY the query.

            Apparently, 'reverse' firewalls aren't used or understood by some people here. They are NOT part of common computer or router firewalls, which only filter queries coming INTO a computer or its LAN. The firewalls built into Windows and macOS, for instance, offer only crude blocking of queries out to the Internet, typically based upon applications being run within the client's account. If I install and run an application that gathers and sends my client data to Google Analytics, for example, an OS level firewall is perfectly happy to allow that to happen! But I am not! Because I'm running a 'reverse' firewall, those queries to Google Analytics are caught and presented to me for approval or denial. I DENY them.

            There is a lot of documentation about 'reverse' firewalls out on the net. Here are a few:

            http://qa.answers.com/Q/What_is_reverse_firewall

            https://askubuntu.com/questions/274237/reverse-firewall-or-application-firewalls

            https://patents.google.com/patent/US8453227B2/en

            Thank you to those who've posted thoughtful replies to my post.

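The lookup-then-decide routine described in the comment above, sketched as an added example (not part of the original thread and not Little Snitch's code). The field names follow the ARIN and RIPE text layouts, the sample responses are constructed, and `triage`, `block_of` and the owner strings are hypothetical names chosen for illustration.

```python
import ipaddress
import socket

def query_whois(ip, server="whois.arin.net", timeout=10):
    """Live RFC 3912 lookup: send the query plus CRLF on TCP 43, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{ip}\r\n".encode())
        with s.makefile("rb") as f:
            return f.read().decode("utf-8", "replace")

def parse_records(text):
    """Split a response into records (dicts of lowercase key -> first value)."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if line and line[0] not in "#%":
            key, sep, value = line.partition(":")
            if sep and value.strip():
                cur.setdefault(key.strip().lower(), value.strip())
        elif cur:                        # blank line or comment ends a record
            records.append(cur)
            cur = {}
    return records

def block_of(rec):
    """(first, last) address of a network record, or None for other records."""
    span = rec.get("netrange") or rec.get("inetnum") or ""  # ARIN / RIPE keys
    try:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in span.split(" - "))
    except ValueError:
        return None
    return lo, hi

def triage(ip, whois_text, expected_owners):
    """Deny unless the most specific covering block names an expected owner."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in parse_records(whois_text):
        blk = block_of(rec)
        if blk and blk[0].version == addr.version and blk[0] <= addr <= blk[1]:
            size = int(blk[1]) - int(blk[0])
            owner = rec.get("customer") or rec.get("organization") or rec.get("descr")
            if owner and (best is None or size < best[0]):
                best = (size, owner)
    if best is None:
        return "deny", None              # no usable WHOIS data at all
    known = any(e.lower() in best[1].lower() for e in expected_owners)
    return ("allow" if known else "deny"), best[1]

# Constructed sample responses, simplified from the ARIN text layout.
APPLE = """# constructed sample
NetRange:       17.0.0.0 - 17.255.255.255
Organization:   Apple Inc.
"""
SWIP = """NetRange:       203.0.113.0 - 203.0.113.255
Organization:   Example Transit LLC

NetRange:       203.0.113.8 - 203.0.113.15
Customer:       Example Widgets
"""

if __name__ == "__main__":
    for ip, text in (("17.1.2.3", APPLE), ("203.0.113.9", SWIP), ("198.51.100.7", "")):
        print(ip, triage(ip, text, ["Apple"]))
```

The owner returned is the registrant of the address block, so for hosting and CDN ranges it names the provider rather than whoever operates the server behind the address.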

  • identicon
    Anonymous Coward, 1 Jun 2018 @ 8:28am

    A List Of Every Process This Hurts

    Domain Registrations
    Transfers of Registrars
    Transfers of Registrants
    SSL Validations (DV, CV, and EV)
    Ownership Disputes
    Domain Auction
    Domain Redemption

    "A murr murr murr [above item X] is an artifact of internet usage and should go away anyway!" you say. That might be true but it's not the kind of thing that can go away quickly or easily. As annoying of an org that ICANN is, I really stand by their side on this fight.


    • icon
      PaulT (profile), 1 Jun 2018 @ 8:42am

      Re: A List Of Every Process This Hurts

      Again, I ask the question no defenders have bothered to answer - how is the request for privacy making people's lives any more difficult than the current voluntary privacy services? If the system can cope with people paying extra to have their details hidden from public view, why will it collapse when privacy is the default setting?

      I see a lot of talk, but all seem to pretend that the voluntary private system doesn't exist in order to make their points.


      • identicon
        Anonymous Coward, 1 Jun 2018 @ 10:23am

        Re: Re: A List Of Every Process This Hurts

        Out of my list I'll pick a Domain Transfer of Registrar. By ICANN regulations an authorization/EPP code is sent to one of the publicly available WHOIS contact emails (well Admin or Registrant, never Tech in my experiences). Without access to this information said code cannot be sent. And no, competing Registrars do not get to see through each other's domain masking services.

        So private-by-default is fine I guess but GDPR would imply this information isn't allowed to even be recorded in the first place. It turns the whole domain registration business on its head.

        And that's just the .com world. PIR, the .org registry, doesn't even record contact data any more. This means most registrars can't successfully register a .org domain until the dust settles on all of this.


        • identicon
          Anonymous Coward, 1 Jun 2018 @ 1:05pm

          Re: Re: Re: A List Of Every Process This Hurts

          > And no, competing Registrars do not get to see through each other's domain masking services.

          Do they need to? Why not just send a message to the masked email address? The registrar should then forward it to the correct person. Or is even the masked address disallowed by GDPR?


    • identicon
      Anonymous Coward, 1 Jun 2018 @ 9:55am

      Re: A List Of Every Process This Hurts

      > "A murr murr murr [above item X] is an artifact of internet usage and should go away anyway!" you say.

      No one here said any of those things should go away. And none of those things requires the personal information the article is about to be available via whois.

      > As annoying of an org that ICANN is, I really stand by their side on this fight.

      And your attempt to make dishonest claims is duly noted.


  • identicon
    Jerry Heyman, 1 Jun 2018 @ 1:59pm

    Whois technical contact

    I'll 2nd (or is higher by now) Brian Krebs's point on technical contacts. For several years I monitored attacks on my network and after getting the IP address would do a whois lookup to determine who to contact. Several times I was able to help locate a rogue machine that the technical contact was unaware of, other times we identified machines that had been hijacked.
    I'm sure that there are nefarious uses, but I found the technical contact info to be critical to unwinding bot attacks.

    jerry


  • identicon
    Anonymous Coward, 2 Jun 2018 @ 7:47pm

    ICANN'T attack GDPR


  • identicon
    NickDanger, 13 Jun 2018 @ 8:18am

    Disappointing

    It's more than a little disappointing to see such a one-sided take on this from a tech news site. Granted, yes: ICANN is hopelessly mismanaged, and copyright trolls are scum - but just because something is bad for them (and that's arguable in the case of copyright trolls*), that doesn't mean it's automatically good for everyone else. There are legitimate, practical uses for WHOIS information aside from, many of which are routine, mundane parts of day-to-day IT work. And while less-exciting & less headline-grabbing than the sort of stuff Krebs mentions, I think that is where the largest negative impact of WHOIS changes will fall - simply because there are almost certainly more IT people dealing with domain names out there than there are security researchers.

    For example, in my experience, most small-to-medium organizations that own domain names (namely: those that aren't large enough to have in-house IT staff) are hopeless when it comes to managing their domains. E.g. you get a request to transfer someone's domain name, but it was registered by an employee who hasn't worked there for 3 years, and who registered in their name, with a personal Hotmail address that no one else in the company has access to (not for malicious reasons, but simply because they didn't know any better). Step 1 in sorting out that kind of mess is looking at the WHOIS, because without that you often don't know basic things like "when I submit the registrar transfer request, WHERE will the EMail to authorize the transfer go" - ditto for getting the EPP/transfer code, or resetting the login with the current registrar in order to unlock the domain to allow transfer, etc. In those situations, without being able to get that info from the WHOIS records, you're basically screwed - or at the very least, you're stuck going through MCAC (manual change of admin contact) process, which will probably cost the customer 4-5 times the actual transfer fee.

    And that's not speculative, I've personally run into that sort of thing with both GTLDs that had privacy enabled, and .CA domains that were registered to individuals (CIRA, the body that controls the .CA CCTLD, requires that you specify a "legal category" when registering a .CA - and if you specify that the domain is owned by individual rather than an organization, the registration info is automatically hidden in the WHOIS output). Speaking of which, if major changes are going to be made to the way WHOIS has worked for more than 2 decades, I think the CIRA approach (described above) would at least be a less-bad compromise - as opposed to hiding WHOIS information for ALL domains.

    The rationale that I'm familiar (and agree) with goes: if I own a domain name, then it's essential that it be possible to hold me accountable for things done with that domain name. Though I don't really see a problem doing away with the tech & billing contacts (or at least not making those public), if only for practical reasons: most organizations that actually use the tech/billing/etc contact info the way it's intended are also large enough to have their IPs, so the same information found in the tech contact should also be present in their ARIN (or equivalent) records for their IP. And in my experience, organizations smaller than that typically just enter the same info for tech/billing contacts that they enter for the registrant/admin contact (or at most, they just enter their registrar/hosting provider's info for the tech contact).

    *I say that's arguable in the case of copyright trolling because, if the biggest push to keep WHOIS info public really DOES come from the *PAAs of the world, then it's probably a waste of effort on their part. Most of the people running sites that would be targets of copyright trolls have enough sense to hide behind WHOIS privacy and/or CloudFlare.


