ICANN Email List Archives

[gnso-thickwhoispdp-wg]



[gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

  • To: Thick Whois <gnso-thickwhoispdp-wg@xxxxxxxxx>
  • Subject: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois
  • From: Alan Greenberg <alan.greenberg@xxxxxxxxx>
  • Date: Mon, 28 Jan 2013 23:04:23 -0500

Several of the statements we are receiving have warned of potential dangers of moving from a thin to thick Whois. I would really like to understand more about these, and have some concrete examples. Such examples, or preferably situations that have actually existed with the many TLDs that use a thick Whois, are necessary if we are going to do fact-based policy development.

The ALAC statement attempted to head off these concerns, but I feel
it is necessary to address some of these issues directly.

Data integrity and security: It is quite true that having more
repositories means that any one is more likely to be penetrated or 
altered maliciously. However, that very replication makes it much 
less likely that any such change will be unnoticed or unrecoverable.
In the particular cases we are looking for, I am quite comfortable
that Verisign is able to build and support a more robust repository
than many of the smaller registrars.

If we posit that Verisign is a better target than a small registrar,
and conceivably they could have a security lapse (which I am *not* 
predicting), having a copy of the data at the registrar adds an extra 
level of security. If both of them get hacked simultaneously, then 
the registrar alone would have been an even easier target.

Impact on Privacy: I completely understand the many concerns that
have been raised with Whois with respect to privacy, but I fail to 
understand how the transition from a thin to a thick registry impacts 
this. *ALL* of the information that we are talking about sending to 
the registry is public. Not only is it public and freely accessible, 
but it is already replicated in untold repositories around the world, 
and particularly in repositories in the country where the registries 
in question reside. I agree that if data is sitting on a server in 
the US, managed by a US company, that company may be subject to US 
law and demands from US law enforcement or governments. But all they 
can reveal is information that is already public. Where is the additional harm?

One of the scenarios that I have heard relates to a person in some
privacy-sensitive country using a registrar and a proxy service in
that country. All that is in Whois is the contact information for the
proxy service (I am using the definitions that the AoC Whois Review
used: A privacy service replaces some of the contact information with 
their own, a proxy service replaces the complete identity of the 
beneficial owner with their own). There is nothing that the registry 
now has about the registrant that is not already public. If a US 
agency wants to know who the beneficial owner is (that is, who is 
hiding behind the proxy), they will have to go to the proxy provider 
(which may or may not also be the registrar). Those reside in the 
privacy-sensitive country. If they are liable to having the US 
government force them to reveal the real registration data, they 
would have been just as liable to the demand if the TLD was still thin.

Let's look at a concrete example. I will pick on our friend Michele
Neylon's company Blacknight (I have not asked his permission nor do I 
know if he espouses the same views as I do - it was just an easy 
example to look up).

The attachment "Blacknight WHOIS Server.pdf" is the Whois record for
blacknight.com from their own registrar (Blacknight - a registrar 
subject to Irish and EU privacy laws), the only "official" source of 
this Whois data. But the other attachments are the same data 
available from several other sources, one of whom just queries 
Blacknight, one is a private copy in the US, and the third I am not 
sure. And as you know, there are many more copies and access sources 
for this same data.

I do understand that this registration is for a company and not a
private individual, and was not done through a privacy or proxy 
service, but I will get to that next.

How would (or better still how COULD) this data be MORE available if
.com were a thick registry?

If this registration had been done through an Irish Proxy service, it
would be subject to Irish laws. Even if the "authoritative" version 
of the data resided at the registry, it would still just contain the 
details about the proxy service. Getting them to open their books 
would presumably be an issue of Irish law. But if there were some way 
the US could force them to disclose, why would that be any easier if 
the registry were thick?

Perhaps I am just not sufficiently imaginative to come up with the
danger scenarios. Can someone help?

Alan



Attachment: Blacknight WHOIS Server.pdf
Description: Adobe PDF document

Attachment: Blacknight-Whois.net.pdf
Description: Adobe PDF document

Attachment: DT-BlacKnight.pdf
Description: Adobe PDF document

Attachment: Blacknight-easyWhois.pdf
Description: Adobe PDF document
