[At-Large] [ALAC] WHOIS Studies

Derek Smythe derek at aa419.org
Fri Feb 20 18:14:15 EST 2009


Karl Auerbach wrote:
> ....
>
> I have long suggested that any one who makes an inquiry into the whois 
> data should be obligated to leave an electric "calling card" record 
> that informs the data subject of the name, identity, affiliation, 
> contact information, and asserted reason for making the inquiry. It 
> seems only fair that if Mr. X is asking about you that you should be 
> able to know who Mr. X is and why he's looking you up.
>
>         --karl--
>
We have a perfect world vs a real world scenario here.

In theory the answer would be yes of course. In reality it may not be a 
good idea.

We have three points of contact - the address for postal mail, the email 
address and the email address.

If the postal address is used, be ready for a wave of complaints from 
the USA, also to a lesser extent Europe, that people are named in domain 
registrations for domains they never knew existed, some do not even 
know what a domain is. Of course the suggested may be accompanied by a 
message that if you do not know anything about this domain, please 
report it which would be great.

The mileage on the telephone number may vary. International forwarding 
numbers from the UK to untraceable destinations are very popular. 
Likewise untraceable cellphones.

Email addresses are a definite bad idea.

I will explain:
Right now we have a class of registrant that will register domains for 
nefarious purposes such as spamming, phishing, money mule websites etc. 
It is common knowledge (I believe so at least, but easily provable), 
that these registrants do not supply their real details. Remember, 
criminals love anonymity. In the process the registrant details are 
populated with details obtained from the internet, as the result of 
phishing attempts, stolen databases or other security breaches etc. The 
extent of this problem is rapidly escalating.

Using the telephone or email contact details will simply alert a 
criminal that somebody is researching his activities. If Joe queried 
domain A registered to registrant X, domain B registered to Y, domain C 
registered to Z and X, Y and Z are the same person in real life using 
these domains for illegal purposes and he became aware of Joe querying 
his domains, he will disappear very fast or even retaliate if he could 
trace Joe (and he could most likely not use nice legal methods either).

In theory in the perfect world, this party querying the whois would be a 
law enforcement agency. Real life dictates it will most likely not 
be. I will not delve into the challenges the victims of cyber-criminals 
face.

However, a postal mail would be a great idea - if the real X, Y or Z in 
the example above denies knowledge of the domain, the domain should be 
canceled.

Of course once again the postage costs would be prohibitive and may form 
the basis of a DDoS attack for registrars and legitimate registrants 
(proxies, botnets etc), so this is also a bad idea.

Currently the whois data entering the system is not verified or where it 
does take place, it is not really conclusive, that is the problem. 
Before the bogus whois issue is somehow fixed (while protecting innocent 
registrants), we cannot try and fix the other problems this causes.

So reality dictates I have to disagree.

Regards

Derek
