ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

  • To: Alan Greenberg <alan.greenberg@xxxxxxxxx>
  • Subject: Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois
  • From: Frédéric Guillemaut <fg@xxxxxxxxxxx>
  • Date: Tue, 29 Jan 2013 09:34:19 +0100


Hello Alan,

On the matter of security I agree with you.

On the matter of privacy, I would view it as a matter if someone could resell the data. Maybe this is dealt with under another item:

But accessing the whole whois data and being able to resell it is a real problem in the EU.

It would be possible for me to view the data of blacknight.eu, in the thick whois from Eurid, after having to pass an anti-robot captcha, but I will never be able to buy the whole whois, as the Commission forbids this.

If the thick whois database from .eu moved (this is pure fiction) from an EU company to another country with less privacy protection, this would be an issue as the protection laws would not apply any more. And the new registry could sell my data to marketing companies or publish my private phone number, as an individual.

These are my 2 cents.

Frederic

On 29/01/2013 05:04, Alan Greenberg wrote:
Several of the statements we are receiving have warned of potential
dangers of moving from a thin to thick Whois. I would really like to
understand more about these, and have some concrete examples. Such
examples or preferably situations that have actually existed with the
many TLDs that use a thick Whois are necessary if we are going to do
fact-based policy development.

The ALAC statement attempted to head off these concerns, but I feel it
is necessary to address some of these issues directly.

*Data integrity and security:* It is quite true that having more
repositories means that any one is more likely to be penetrated or
altered maliciously. However, that very replication makes it much less
likely that any such change will be un-noticed or unrecoverable. In the
particular cases we are looking for, I am quite comfortable that
Verisign is able to build and support a more robust repository than many
of the smaller registrars.

If we posit that Verisign is a better target than a small registrar, and
conceivably they could have a security lapse (which I am *not*
predicting), having a copy of the data at the registrar adds an extra
level of security. If both of them get hacked simultaneously, then the
registrar alone would have been an even easier target.

*Impact on Privacy:* I completely understand the many concerns that have
been raised with Whois with respect to privacy, but I fail to understand
how the transition from a thin to a thick registry impacts this. *ALL*
of the information that we are talking about sending to the registry is
public. Not only is it public and freely accessible, but it is already
replicated in untold repositories around the world, and particularly in
repositories in the country where the registries in question reside. I
agree that if data is sitting on a server in the US, managed by a US
company, that company may be subject to US law and demands from US law
enforcement or governments. But all they can reveal is information that
is already public. Where is the additional harm?

One of the scenarios that I have heard relates to a person in some
privacy-sensitive country using a registrar and a proxy service in that
country. All that is in Whois is the contact information for the proxy
service (I am using the definitions that the AoC Whois Review used: A
privacy service replaces some of the contact information with their own,
a proxy service replaces the complete identity of the beneficial owner
with their own). There is nothing that the registry now has about the
registrant that is not already public. If a US agency wants to know who
the beneficial owner is (that is, who is hiding behind the proxy), they
will have to go to the proxy provider (which may or may not also be the
registrar). Those reside in the privacy-sensitive country. If they are
liable to having the US government force them to reveal the real
registration data, they would have been just as liable to the demand if
the TLD was still thin.

Let's look at a concrete example, I will pick on our friend Michele
Neylon's company Blacknight (I have not asked his permission nor do I
know if he espouses the same views as I do - it was just an easy example
to look up).

The attachment "Blacknight WHOIS Server.pdf" is the Whois record for
blacknight.com from their own registrar (Blacknight - a registrar
subject to Irish and EU privacy laws), the only "official" source of
this Whois data. But the other attachments are the same data available
from several other sources, one of whom just queries Blacknight, one is
a private copy in the US, and the third I am not sure. And as you know,
there are many more copies and access sources for this same data.

I do understand that this registration is for a company and not a
private individual, and was not done through a privacy or proxy service,
but I will get to that next.

How would (or better still how COULD) this data be MORE available if
.com were a thick registry?

If this registration had been done through an Irish Proxy service, it
would be subject to Irish laws. Even if the "authoritative" version of
the data resided at the registry, it would still just contain the
details about the proxy service. Getting them to open their books would
presumably be an issue of Irish law. But if there were some way the US
could force them to disclose, why would that be any easier if the
registry were thick?

Perhaps I am just not sufficiently imaginative to come up with the
danger scenarios. Can someone help?

Alan

--


Frédéric Guillemaut
fg@xxxxxxxxxxx
Tel : +33 (0)4 88 66 22 07
COO

Mailclub
Pôle Média de la Belle de Mai
37, rue Guibal
13356 Marseille Cedex 03
www.mailclub.fr
Fax : +33 (0)4 88 66 22 20

IMPORTANT:
Please always make sure we have a valid email address for you throughout your subscription, as email is our main means of communicating with you. If you change your email address, don't forget to update your profile, which is accessible from the Espace Client (customer area).


