ICANN's Pre-emptive Attack On The GDPR Thrown Out By Court In Germany
from the who-is-whois-for? dept
The EU’s General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems’s formal GDPR complaints against Google and Facebook over “forced consent” (pdf). That hardly came as a shock — he’s been flagging up the move on Twitter for some time. But there’s another saga underway that may have escaped people’s notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet’s namespace. Back in 2015, Mike memorably described the organization as “a total freaking mess”, in an article about ICANN’s “war against basic privacy”. Given that history, it’s perhaps no surprise that ICANN is having trouble coming to terms with the GDPR. The bone of contention is the information that is collected by the world’s registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:
We realized that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].
All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with “consent management processes”, and a data flow “aligned with the GDPR’s principles”. ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to “preserve Whois data” — that is, to force EPAG to collect those administrative and technical contacts. A post on the Internet Governance Project site explains why those extra Whois contacts matter, and what the real issue here is:
The filing by ICANN’s Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. “The technical contact and the administrative contact have important functions,” the brief asserts. “Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content.”
As the tell-tale word “content” there reveals, the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material. This is precisely the same ICANN overreach that Techdirt reported on back in 2015: the organization is supposed to be running the Internet’s domain name system, not acting as a private copyright police force. The difference is that now the GDPR provides good legal and financial reasons to ignore ICANN’s demands, as EPAG has noted.
In a surprisingly swift decision, the German court hearing ICANN’s request for an injunction against EPAG has already turned it down:
the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
However, as ICANN rightly notes, that still leaves unanswered the key question: would collecting the administrative and technical contact information contravene the GDPR? ICANN says it is “continuing to pursue the ongoing discussions” with the EU on this, and a clarification of the legal situation here would certainly be in everyone’s interests. But there is another important angle to this. As the security researcher Brian Krebs wrote on his blog back in February:
For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.
There’s no reason to doubt the importance of Whois information to Krebs’s work. But the central issue is which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly-available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information? It’s an important discussion that is likely to rage for some time, along with many others now being brought into sharper focus thanks to the arrival of the GDPR.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: copyright, domain registrars, enforcement, gdpr, germany, privacy, whois
Companies: epag, icann, tucows
Comments on “ICANN's Pre-emptive Attack On The GDPR Thrown Out By Court In Germany”
Having worked for a domain name registrar and having dealt with ICANN on a regular basis in that capacity… the above statement is hogwash.
Does the copyright industry benefit from the information publicly available in whois? Sure it does. But that’s not why the engineers the created the whois specification 40 years ago set up the requirements. They just thought it would be a good idea for other engineers to know who to contact if you wanted to talk directly to who owned a domain, who managed the domain, or who managed the servers.
I’m no fan of copyright overreach, and ICANN has its issues, but really, come on. Not everything is a content industry conspiracy.
Re: engineers the created the whois specification 40 years ago?
Forty years ago? That’d be 1978. Let’s boogie and disco on down… but there was no DNS (that was 1985 or so) and there were no commercial ISP’s (as ARPANET or whatever other random predecessor of the Internet as government research networks let universities have access, but not the general public). Even the FidoNet dial-up BBS craze has its roots circa-1984.
There was no Whois in 1978 and, even once it was created, it was more likely to be a list of research institutions – not private individuals. The hucksters, the lawyers and the spammers didn’t get to run roughshod to destroy the network until the 1990’s. Frivolous libel suit threats still had to be directed at printed newspapers as no one had heard of WWW – and even then “all the news that doesn’t offend the advertisers” was more of a constraint than spurious litigation. Newspapers were pillars of the community and took their role seriously. By contrast, any dang fool can register a domain today, get space on a shared webserver and become a blogger… and it’s silencing these people through frivolous and vexatious legal threats which is the bread and butter of too many “reputational management” ambulance chasers. Whois gives them a list of people to harass. All a recent phenomenon. Whatever existed 40 years ago is irrelevant today.
Re: Re: Re:
Tell that to Shiva Ayyadurai.
Re: Re: engineers the created the whois specification 40 years ago?
OK fine, RFC 812 was in 1982. So, 36 years.
True, and that perfectly illustrates my point. The people who created whois weren’t thinking "we need to protect Hollywood’s copyrights."
Whois is part of the infrastructure of the Internet. It’s always hard to update infrastructure (whether due to expense or resistance), even if you had consensus that whois was obsolete. That’s why there are some places that still need COBOL and FORTRAN programmers, why fiber-to-the-home isn’t everywhere.
One of the documents I read at ICANN about GDPR wasn’t an attack on it, it was more a case of "uh, guys? you aren’t exactly giving us a lot of time to update things that have been part of the Internet for decades. Can you maybe give us a little extension so we don’t have to worry about being in violation of EU law?"
Re: Re: Re: engineers the created the whois specification 40 years ago?
It doesn’t mean it can’t be used/misused/abused for that aspect. If nothing else, Hollywood is good at perverting things for their own gain.
Re: Re: Re: engineers the created the whois specification 40 years ago?
OTOH, they had two years to do it.
Re: Re: Re:2 engineers the created the whois specification 40 years ago?
And ICANN knew the EU’s position with regards to Whois for at least thirteen years before that:
Opinion 2/2003 on the application of the data protection principles to the Whois directories, June 2003
http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf
Of course, if you’ve ignored someone saying something for that long, you might not notice that the message has changed…
Re: Re:
“But that’s not why the engineers the created the whois specification 40 years ago set up the requirements.”
A lot of things made 40 years ago are used for far different purposes than their inventors originally intended.
Re: Re:
Not everything is a content industry conspiracy
On the other hand, it’s not like it’s a secret that they haven’t already tried. Jim Hood anyone?
Re: Re:
“Not everything is a content industry conspiracy.”
Source needed.
Re: Re:
Re: Re:
A better question to ask is: If Germany has in fact made it illegal to register a domain, will all German websites be limited to IP numbers instead of being able to use DNS going forward?
Re: Anonymous Coward
LOL yeah right! Nice story about the “harmless” imposition of invasive data collection in cyberspace. Are you a bot? LOL
"leaves unanswered the key question" -- Whether ICANN is right!
Do you even notice that after quoting: ‘Mike memorably described the organization as "a total freaking mess"’, you THEN quote Krebs and argue the opposite, that ICANN should get the info because important for security?
So you then recast the story from the first "key question" into "the central issue is which is more important for society" — which you don’t even attempt to answer! I assume because noticed yourself muddled. And you left behind all of Masnick’s folderol about Jane Blogger having to supply personal info.
Anyhoo. On this, "the court" may be right, but it’s still not invasive if Admin and Tech make three people in all. You’re not required to have a web-site in order to publish your views. (You COULD usefully compare ICANN’s demands to Facebook’s, but you give no context.) In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can’t easily remain anonymous, even though apparent intent is to publish to the entire world.
Re: "leaves unanswered the key question" -- Whether ICANN is right!
“On this, “the court” may be right, but it’s still not invasive if Admin and Tech make three people in all”
I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.
“You’re not required to have a web-site in order to publish your views”
No, you crap over other peoples’ sites instead.
“In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can’t easily remain anonymous”
He supports anonymity for anyone who wishes it, even the tossers who pollute his site.
Re: Re: Well, almost
I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.
Not quite, they refuse to comment under a name, but they clearly identify themself anyway whether they want to or not given their plethora of tells.
Re: Re: Re: Well, almost
Honestly I’m never sure if it’s the Coward who screams about TD’s support of over-regulation, or the Coward who screams about TD not supporting Copyright legislation….
Re: Re: Re:2 Well, almost
It’s the latter, different tells.
Re: Remember you have to take your meds everyday or they don’t work.
Here's my prior for Techdirt "free speechers" to censor AGAIN:
You’d be slightly more credible if didn’t support Google surveilling everyone everywhere on the net.
But since Techdirt has tons of Google’s javascript (just save a complete page and look!), with the purported bad enough purpose of targeting advertising, which in fact is collated and used to identify persons everywhere on the net, and which gives NSA "direct access", then as usual you have zero credibility to rail about "privacy" for commercial interests. Since when does Google respect MY privacy? It’s unavoidable. You can’t even "opt out" unless Google can identify you! — Or Techdirt? You claim can do anything you want with names and other info!
Oh, but requiring businesses to fill out an email, that’s tyranny!
As ever for Masnick, he only worries that commercial interests might be a little incovenienced, with no concern for the public, let alone for scams and other known problems.
Every time "business" comes up seems Masnick never heard of commercial law and that businesses are licensed entities that have intrinsic NO rights, are NOT persons, are subject to vast number of constraints and requirements. Masnick comes across like Mitt Romney, simply doesn’t understand that ordinary people rightly regard businesses as predatory.
https://www.techdirt.com/articles/20150623/17321931439/icanns-war-whois-privacy.shtml#c88
Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Many domain name registrants today are individuals, not huge universities or research laboratories. Times have changed. Anyone can register a domain. They ARE persons.
Re: Re:
Your concern for the public is how Malibu Media and Njord Law aren’t allowed to demand the general populace for money to fuel their coffers.
Have a SESTA vote.
Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
“Oh, but requiring businesses to fill out an email, that’s tyranny!”
Are you stupid enough to think that only businesses own domain names? Of course you are…
Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Also, email would be perfectly fine. It’s phone numbers and home addresses of private individuals that are problematic.
Of course, you can already get around registering those by using one of the paid WHOIS-anonimyzing services. The very existence of those services means the entire rationale behind the system is bullshit.
Re: Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Why do you say email addresses are fine? Names and email addresses are personally identifying information, and aren’t needed for the system to work properly. And they often show up as “private registrant” and some registrar-generated random forwarding address already.
If omitting the details will cause some cyber-apocalypse, where are the problems from these existing privacy services? Where’s the crime wave emanating from .de and other domains that already provide the privacy that people are now trying to add to the ICANN roots?
Re: Re: Re:2 Here's my prior for Techdirt "free speechers" to censor AGAIN:
Easy fix: have all the registrars handle anonymization by default, opt-out. That way, large orgs can still register a contact, but all other complaints have to get proxied by the registrars who already have business reasons for holding the PII.
Everyone wins except the registrars, and this would be relatively easy to implement; many consumer registrars already do it.
Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
I’ve had one since 2000. It’s registered under a fictitious name and address and paid for with money orders.
No-ip sends me notices every so often to update my info but I just ignore those.
In other words, it hurts Krebs income stream, therefore he is complaining about it.
I respect Kreb’s work. However, he is a private individual who has no particular mandate – or right – to do the work he does. If things change to make his self-employed job less lucrative, a shame for him personally, but not really a societal issue.
It’s like saying that some of the recent judgements and law changes to make patent/copyright trolling harder are bad because they make life harder for, or are putting these trolling lawyers out of work, therefore we should roll them back. Or like cord-cutting is making cable less profitable, downsizing and firing people. Should we ban cord-cutting?
Shit happens, trends change to make some jobs less valuable (or less easy), while new opportunities arise.
Re: Re:
It could legitimately be about journalism rather than income. Should society be provided this WHOIS information to track criminals? I don’t see the point. It’s really easy to use fake information, meaning only criminals dumb enough to use their own name are affected. And the name (fake or not) will still be on file for police to access with due process.
Krebs’s other point is that he uses the information to contact victims of crime. That might be a good reason for people to opt in to WHOIS listings, but no reason to force it. It’s already a solved problem BTW: the registrar publishes an email address like 4ca484183f7871bf66e27377382e08a6@registrar.example and forwards whatever people send there. That’s been around for years.
Re: Re:
Copyright trolling is nefarious business, which I consider legitimate to combat. KrebsOnSecurity on the other hand, appears to be a reputable business and I don’t see how it would be illegitimate for Krebs to complain that his ability to do business is compromised.
Hands Off WHOIS!
Here’s an example of why WHOIS is required, why GDPR’s obfuscation of WHOIS data is outright detrimental and dangerous:
I use what’s called a reverse firewall on my computers. It catches all calls out of my computers to IP addresses on the Internet and allows me to choose to allow them or not. Reverse firewalls are crucial for stopping malware bots and nefarious software from sending and gathering data to and from nefarious sources. The most common of these ‘phone home’ events is sending my personal, private data to Google Analytics, which I never allow.
But what happens when my reverse firewall can’t resolve who owns a particular IP address when a process on my computer is attempting to call out to the Internet? What happens is that I am left with NO RESOURCES I can use to decide whether the call out to the net is legitimate or abusive.
Today, when I run into this problem, my recourse is WHOIS and only WHOIS. I use it at least weekly for specifically this purpose. It let’s me know that an obscure IP address a process is attempting to access is only Akamai, or it’s only Apple’s servers, or instead it’s some place I’ve never heard of in Russia, or the EU for that matter. With this WHOIS data I am able to CHOOSE what connections my computer makes to the Internet. I am able to DEFEND MY PRIVACY and the integrity of my computer systems.
GDPR takes ALL of that away, unless I play elaborate and annoying bureaucratic games that no mere human wants to endure. Instead, GDPR enables anonymous cowards and criminals to get away with Internet user abuse from which Internet users have only meagre recourse and redress. That’s not acceptable! What we have no works for the benefit of all. If an IP address owner wants to be entirely anonymous, I say NO!
Therefore: Hands Off WHOIS! Get rid of that aspect of GDPR.
Re: Hands Off WHOIS!
Repair: What we have NOW works for the benefit of all.
I want caffeine, now! 😉
Re: Hands Off WHOIS!
“Today, when I run into this problem, my recourse is WHOIS and only WHOIS.”
So, what do you do currently when the WHOIS data is private and not available for you to view? Does everything collapse around you, or do you find a different solution?
“It let’s me know that an obscure IP address…”
What do IP addresses have to do with the domain name WHOIS information that this case deals with?
“If an IP address owner wants to be entirely anonymous, I say NO!|”
Then, fight the current system that allows that. You don’t even get accurate geolocation data at the moment, let alone who the ISP responsible has assigned it to.
Unless, again, you’re getting confused between IP and domain lookups, in which case you surely have a problem with the fact that anyone can pay extra to have their information hidden from your public lookup? What do you do in cases where false information has been provided, or ICANN’s records have not been updated since the domain was registered?
Re: Hands Off WHOIS!
There is an easy answer that does not require whois infomation, block it unless you recognize the site, or have someone else validate it for you. Also, you do not need whois to locate the server, a reverse IP lookup will provide that infomation.
Re: Re: Hands Off WHOIS!
This specific case is about domain registration anyway, not IP delegation. It’s not hard to register a domain with a bogus name. At most the registrar might check that the name matches the name on your credit card (workarounds: get a “secondary user” card with whatever name you want; choose another registrar; use a shell corporation; or, if you’re a criminal, use someone else’s name and card).
Re: Re: Hands Off WHOIS!
Also, the issue in the lawsuit is the storage of information like personal contact names, physical addresses and phone numbers. You don’t need that to confirm if it’s an IP block assigned to Akamai.
Re: Hands Off WHOIS!
Rubbish and snarky replies to my clear and important response to the removal WHOIS data access?
Sorry kiddies, but this is a serious conversation. Get along home now and do some relevant research of WHOIS and how it is used daily by those of us who understand the importance of computer security and privacy. Silly replies are not appreciated.
Re: Re: Hands Off WHOIS!
Re: Re: Hands Off WHOIS!
Silly replies like talking about the fact that you’re mixing up domain and IP lookups? Like pointing out that you don’t have access to 100% of the database in the first place? Like the fact that you’re depending on information known not to be 100% accurate to make your security decisions?
For someone so concerned about security, you seem rather averse to facts, but offended when people mention them. Your network must be a mess, if this is the data you use to manage it.
Re: Re: Re: Hands Off WHOIS!
WHOIS can be used on IP addresses. That’s not exactly what the story’s about, but it’s reasonable to expect the same ICANN/GDPR troubles there (to the extent personal data is provided—usually these are records about corporations).
Re: Re: Re:2 Hands Off WHOIS!
Well, there’s 2 major differences that make conflation of the two pointless in this case.
First, IP addresses are typically not provided to individuals. They will be sold in blocks to companies like the aforementioned Akamai, or to ISPs who then sell the IPs on, or use for dynamic hosting. They have historically also been sold as single purchases, but the vast majority of the time to businesses, not individuals (whereas a great many individuals own domain names). If you want a static IP nowadays, you’ll get it from an ISP, n ot the source of the whois information.
If I do a search on RIPE for my IP address, it will tell me that it’s provided by Telefonica, it won’t identify me as an individual. You can provide personally identifiable reverse lookup information if you’re running your own domain on there of course, but it’s not necessary and on your own head if you make that decision.
The second is that, largely due to the above, the only information that’s available in the whois will in the vast majority of cases be corporate information, which is not needed to be protected by the GDRP. There is little similarity between the two for the purposes of privacy.
The reason why the GDRP applies to domain name whois information is that people have given personal information that’s searchable from anywhere in the world with an internet connection on a single public database. Millions of individuals in the EU likely own domain names without paying the extra fee for privacy. That’s generally not the case with IP whois information, so the same rules aren’t really applicable.
If someone would like to explain where I’m wrong, I’m all ears, but what I’m seeing is someone freaking out because they don’t know what they’re talking about and confusing 2 very different subjects.
Re: Re: Re:3 Hands Off WHOIS!
Is that always the case, or is it up to your ISP whether to provide the granular details?
Re: Re: Re:4 Hands Off WHOIS!
Technically, anything static of /29 or greater should be SWIP’d, ie more information is needed. For IPv6 I would say a /56, but I don’t think anything is really written in stone. A /56 in IPv6 is pretty much the equivalent of a /29 in IPv4, so that my reasoning, most though would probably just allocate a /48 which is a BGP announcement and that definitely should be SWIP’d. Basically /56 is for a physical location, and a /48 is for a company was the reasoning that John Brzozowski gave to me when I was planning IPv6 deployments.
Re: Re: Re:3 Hands Off WHOIS!
Paul, Don’t know about you, but I often SWIP information for I – ie. Individuals. Not uncommon, and really depends on the endusers preferences. For BGP and ARIN, RIPE, et al, I would agree that I very rarely see individuals with an ASN, though there are exceptions of course. AS11875 would be an example…
Re: Re: Re:3 Hands Off WHOIS!
I can’t speak for DerekCurrie, but when I see a suspicious IP address in a log somewhere, I also like to consult WHOIS. Not directly on the address, but on the domain name retrieved via reverse lookup of the address.
This works for more or less shady corporations, like advertising companies. I don’t expect to find the home address of an attacker though.
Re: Re: Re: Hands Off WHOIS!
No, I did not confuse anything. You simply don’t understand what I’m doing, which is actually quite ordinary. You’re also attempting to pretend I said things I never said, like wanting access to 100% of the database.
Move along. This is too complicated for you. Propagandist exaggeration, confabulation and insults have no use here. Back under the bridge with you.
Re: Hands Off WHOIS!
What’s this “reverse firewall” shit?
Firewalls do, and always have, worked in both directions.
Most home users tend to ignore the outbound configuration and allow unrestricted outbound requests. This means the user has chosen to hobble their firewall.
By enabling outbound request filtering as well is nothing special, it’s how a firewall is supposed to be used.
Re: Re: Hands Off WHOIS!
Well, it must be a special piece of firewall, if it’s asking for consent based on IP addresses, possibly with the WHOIS query already integrated in the interface (on the address or the domain name, I don’t care).
But you all couldn’t be bothered to consider these possibilities and just riduculed DerekCurrie for his caution.
Re: Re: Re: Hands Off WHOIS!
Do you have any idea what you are talking about? possibly WHOIS query – obviously you don’t, otherwise the word possibly wouldn’t be being used.
OK, here’s the way any properly configured firewall works.
It blocks all requests, either incoming or outgoing. Then the user configures to allow specific source and destination IP:port sets – both incoming and outgoing.
Host-based software firewalls (including the standard inbuilt Microsoft Windows one) can be configured to pop up a warning (or question) each time an un-approved IP address access is attempted, whether incoming or outgoing. If it’s a question, you can be given options such as block, allow once, allow (some other period of time), allow permanently.
This is nothing special, it is not a ‘reverse’ firewall, it is ‘a’ firewall, and doesn’t use WHOIS. It does it entirely based on the list of pre-approved addresses already configured. i.e. the addresses you’ve already ‘accepeted’ by having previously chosen an ‘allow’ answer to the question.
Re: Re: Re:2 Hands Off WHOIS!
Hmm. I think perhaps I should not have made my point about WHOIS here. I’m baffled by the lack of comprehension, despite my (from my point of view) clarity.
For those interested: A ‘reverse’ firewall monitors outbound rather than inbound computer data traffic. Regular firewalls do NOT commonly stop outgoing queries to the Internet.
Have a read about the ‘reverse’ firewall I use on macOS:
Little Snitch
https://www.obdev.at/products/littlesnitch/index.html
It presents the IP address being queried by specific running processes. It also provides, if it can find it (using a reverse DNS look up), the domain name that matches the IP address. But if there is no such domain name, its listed in Little Snitch as unavailable. At that point, the user has to turn to a WHOIS query for information. This is where WHOIS is, IMHO, a crucial service on and of the Internet that must never be censored.
A simple example is being presented with an IP address beginning with 17, as in 17.xxx.xxx.xxx. Little Snitch has no idea who owns that IP. If one didn’t know better, one would worry it’s the server address of a botnet wrangler, a place malware bots go to get their orders. Perform a WHOIS on that IP and you learn that 17.anything belongs to Apple. They own the lot! Therefore, if some new or obscure process you’ve never seen before is making that querie, you know it’s looking to Apple servers for something or sending something to Apple servers.
As for WHOIS querie results having to give away phone numbers or email addresses or physical addresses, that’s not what’s crucial in the simple case I’m describing. What one wants to know is whether the questionable call out to the Internet by the mysterious process is to a legitimate location or not! If there is no WHOIS data available from any of the WHOIS services, I DENY the querie! If the resulting WHOIS data names some company or person I’ve never heard of and I can’t connect them to the process calling out to that IP address, I DENY the querie.
Apparently, ‘reverse’ firewalls aren’t used or understood by some people here. They are NOT part of common computer or router firewalls, which only filter queries coming INTO a computer or its LAN. The firewalls built into Windows and macOS, for instance, offer only crude blocking of queries out the Internet, typically based upon applications being run within the client’s account. If I install and run an application that gathers and sends my client data to Google Analytics, for example, an OS level firewall is perfectly happy to allow that to happen! But I am not! Because I’m running a ‘reverse’ firewall, those queries to Google Analytics are caught and presented to me for approval or denial. I DENY them.
There is a lot of documentation about ‘reverse’ firewalls out on the net. Here are a few:
http://qa.answers.com/Q/What_is_reverse_firewall
https://askubuntu.com/questions/274237/reverse-firewall-or-application-firewalls
https://patents.google.com/patent/US8453227B2/en
Thank you to those who’ve posted thoughtful replies to my post.
A List Of Every Process This Hurts
Domain Registrations
Transfers of Registrars
Transfers of Registrants
SSL Validations (DV, CV, and EV)
Ownership Disputes
Domain Auction
Domain Redemption
“A murr murr murr [above item X] is an artifact of internet usage and should go away anyway!” you say. That might be true but it’s not the kind of this that can go away quickly or easily. As annoying of an org that ICANN is, I really stand by there side on this fight.
Re: A List Of Every Process This Hurts
Again, I ask the question no defenders have bothered to answer – how is the request for privacy making peoples’ lives any more difficult than the current voluntary privacy services? If the system can cope with people paying extra to have their details hidden from public view, why will it collapse when privacy is the default setting?
I see a lot of talk, but all seem to pretend that the voluntary private system doesn’t exist in order to make their points.
Re: Re: A List Of Every Process This Hurts
Out of my list I’ll pick a Domain Transfer of Registrar. By ICANN regulations an authorization/EPP code is sent to one of the publicly available WHOIS contact emails (well Admin or Registrant, never Tech in my experiences). Without access to this information said code cannot be sent. And no, competing Registrars do not get to see through eachothers’ domain masking services.
So private-by-default is fine I guess but GDPR would imply this information isn’t allowed to even be recorded in the first place. It turns the whole domain registration business on it’s head.
And that’s just the .com world. PIR, the .org registry, doesn’t even record contact data any more. This means most registrars can’t sucessfully register a .org domain until the dust settles on all of this.
Re: Re: Re: A List Of Every Process This Hurts
Do they need to? Why not just send a message to the masked email address? The registrar should then forward it to the correct person. Or is even the masked address disallowed by GDPR?
Re: A List Of Every Process This Hurts
No one here said any of those things should go away. And none of those things requires the personal information the article is about to be available via whois.
And your attempt to make dishonest claims is duly noted.
Whois technical contact
I’ll 2nd (or is higher by now) Brian Krebs point on technical contacts. For several years I monitored attacks on my network and after getting the IP address would do a whois lookup to determine who to contact. Several times I was able to help locate a rogue machine that the technical contact was unaware of, other times we identified machines that had been hijacked.
I’m sure that there are nefarious uses, but I found the technical contact info to be critical to unwinding bot attacks.
jerry
ICANN’T attack GDPR
Disappointing
It’s more than a little disappointing to see such a one-sided take on this from a tech news site. Granted, yes: ICANN is hopelessly mismanaged, and copyright trolls are scum – but just because something is bad for them (and that’s arguable in the case of copyright trolls*), that doesn’t mean it’s automatically good for everyone else. There are legitimate, practical uses for WHOIS information aside from, many of which are routine, mundane parts of day-to-day IT work. And while less-exciting & less headline-grabbing than the sort of stuff Krebs mentions, I think that is where the largest negative impact of WHOIS changes will fall – simply because there are almost certainly more IT people dealing with domain names out there than there are security researchers.
For example, in my experience, most small-to-medium organizations that own domain names (namely: those that aren’t large enough to have in-house IT staff) are hopeless when it comes to managing their domains. E.g. you get a request to transfer someone’s domain name, but it was registered by an employee who hasn’t worked there for 3 years, and who registered in their name, with a personal Hotmail address that no one else in the company has access to (not for malicious reasons, but simply because they didn’t know any better). Step 1 in sorting out that kind of mess is looking at the WHOIS, because without that you often don’t know basic things like “when I submit the registrar transfer request, WHERE will the EMail to authorize the transfer go” – ditto for getting the EPP/transfer code, or resetting the login with the current registrar in order to unlock the domain to allow transfer, etc. In those situations, without being able to get that info from the WHOIS records, you’re basically screwed – or at the very least, you’re stuck going through MCAC (manual change of admin contact) process, which will probably cost the customer 4-5 times the actual transfer fee.
And that’s not speculative, I’ve personally run into that sort of thing with both GTLDs that had privacy enabled, and .CA domains that were registered to individuals (CIRA, the body that controls the .CA CCTLD, requires that you specify a “legal category” when registering a .CA – and if you specify that the domain is owned by individual rather than an organization, the registration info is automatically hidden in the WHOIS output). Speaking of which, if major changes are going to made to the way WHOIS has worked for more than 2 decades, I think the CIRA approach (described above) would at least be a less-bad compromise – as opposed to hiding WHOIS information for ALL domains.
The rationale that I’m familiar (and agree) with goes: if I own a domain name, then it’s essential that it be possible to hold me accountable for things done with that domain name. Though I don’t really see a problem doing away with the tech & billing contacts (or at least not making those public), if only for practical reasons: most organizations that actually use the tech/billing/etc contact info the way it’s intended are also large enough to have their IPs, so the same information found in the tech contact should also be present in their ARIN (or equivalent) records for their IP. And in my experience, organizations smaller than that typically just enter the same info for tech/billing contacts that they enter for the registrant/admin contact (or at most, they just enter their registrar/hosting provider’s info for the tech contact).
*I say that’s arguable in the case of copyright trolling because, if the biggest push to keep WHOIS info public really DOES come from the *PAAs of the world, then probably a waste of effort on their part. Most of the people running sites that would be targets of copyright trolls have enough sense to hide behind WHOIS privacy and/or CloudFlare.