[At-Large] Issue Report on Thick Whois

Neil Schwartzman neil at cauce.org
Thu Nov 24 14:32:50 UTC 2011

On 2011-11-22, at 2:58 PM, Karl Auerbach wrote:

> Sonme of us believe that there ought not to be a domain name whois at
> all; that if one wants to penetrate into the business records of a
> domain registration that one ought to:
>  - Demonstrate, in writing and into a permanent log visible to the
> registrant, the requester's identity and credentials.
>  - Make a written claim, that is also recorded in a permanent log
> visible to the registrant, that a legally cognizable harm to the
> requester has been committed by the registrant.
>  - Provide, again into the permanent log, some degree of evidence
> (beyond mere assertions) to back up that claim.
>  - Deposit some money to compensate the registrant for his/her troubles
> if that claim proves to false and made with reckless disregard of the facts.
>  - Pay for the cost of the access and record-keeping.
>  - Be denied from making contradictory or inconsistent claims at a
> later time or against another accused party.

I'd love to hear from anyone else who believes any of this. On second thought, maybe I wouldn't.

Just for the record, CAUCE supports a complete implementation of Thick WHOIS, without qualification nor exception. the vast majority of investigations into abuse of hundreds of millions of end users that happens daily is predicated upon the use of clear and complete WHOIS data, by security researchers, not law enforcement. It is our work tht is then passed on to LEA for consideration.

Yes, WHOIS data is faked. But there are patterns and repetition within the data that allow us to identify criminals.

Obfuscating the data particularly along the inane lines noted above will force any kind of security work to grind to a halt; domains are becoming an ever-more important vector for research in an IPv6 world.

I'll warn anyone who is considering thin to also consider these facts.

I'm wondering - for any of those who tout the privacy concerns of domain owners, why you hold them in higher regard than the privacy concerns of victims of spamming, phishing, malware, and identity theft, let alone more egregious activities. I'm also wondering have you ever conducted an abuse investigation yourselves, or i this just theoretical for you?

Neil Schwartzman
Executive Director
CAUCE : The Coalition Against Unsolicited Commercial Email

IM: caucecanada
Tel.: +1 (303) 800 6345

I'd love to hear from anyone else who believes any of this.

More information about the At-Large mailing list