[At-Large] [ALAC-Announce] GNSO Council Request for Input: WHOIS Studies
Patrick Vande Walle
patrick at vande-walle.eu
Mon Sep 8 06:40:35 EDT 2008
Being new to the ALAC, I am not sure what the process is to reply to this
document from the ALAC side or if we want to reply at all.
Actually, this is the study I would have liked to see years ago, when the
whois issues were first discussed in ICANN circles.
Here are some concerns I have. Feel free to read it, keep it or trash it as you
see fit.
Patrick
Area 1 WHOIS misuse studies
Although some registrars prevent automated email harvesting by allowing
public web-based access to Whois registrant data only after the user
deciphers a "captcha" image, it has been demonstrated in other contexts
that captchas are now able to be machine deciphered, making them mostly
useless against serious attacks.
While it is commonly mentioned that whois data is used for spamming
purposes, other cases have been reported like identifying opponents and
other people persecuted for their opinions.
Area 2 Compliance with data protection laws and the Registrar Accreditation
Agreement
If local laws allow a registrant (natural person) to oppose the publication
of his/her data in the whois, he/she should still be allowed to register a
domain name. It should not be a prerequisite to surrender one's privacy to
"gain the right" to buy a domain name.
Further analysis is needed regarding the export of registrant data from one
country to another. It may be the case that a registrar located in country
X is not allowed by law to export natural persons' data to a registry in
country Y. This matter is further complicated if the registry subcontracts
the technical backend to an operator with its registered address in country
Z and its data operations in yet another country.
Area 5 Impact of WHOIS data protection on crime and abuse
It is important to define what is "the legitimate use of gTLD WHOIS data"
and who are those entities, who can invoke it and how. Again, this is often
dependent on local law.
Area 6 Proxy registrar compliance with law enforcement and dispute
resolution requests
It may be true that some registrars operating proxy/privacy services are
not revealing registrant data when requested in a UDRP proceeding. These
registrars may be prevented from doing so under local law. UDRP is an arbitral,
not a legal, process. Different rules may apply, depending on local law.
Area 7 WHOIS data accuracy and general considerations
As mentioned in RFC 3912: "The WHOIS protocol has not been
internationalised. The WHOIS protocol has no mechanism for indicating the
character set in use.[...] This inability to predict or express text
encoding has adversely impacted the interoperability (and, therefore,
usefulness) of the WHOIS protocol."
RFC 3912 further elaborates that: "The WHOIS protocol has no provisions for
strong security. WHOIS lacks mechanisms for access control, integrity, and
confidentiality. Accordingly, WHOIS-based services should only be used for
information which is non-sensitive and intended to be accessible to
everyone. The absence of such security mechanisms means this protocol would
not normally be acceptable to the IETF at the time of this writing."
While this is outside the scope of the comments request, ALAC might suggest
now or later that those who think the whois has some usefulness to actually
eat their own dogfood and go through the process of redesigning the whole
whois protocol, rather than (ab)using the security holes in its current
incarnation to serve their business interests.
On Mon, 8 Sep 2008 01:02:15 -0700, Nick Ashton-Hart
<Nick.Ashton-Hart at icann.org> wrote:
> The GNSO Council has requested the ALAC's views on the report recently
> prepared by the Whois Study Hypothesis Group.
>
> The Council has requested that, if possible, comments should be sent by
> 16th October 2008, in order for them to be discussed in the Council meeting
> on that date.
>
> The Report may be found at:
>
> http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf