Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

[Frédéric Guillemaut <fg@xxxxxxxxxxx>]

Hello Alan,

On the matter of security I agree with you.

On the matter of privacy, I would view it as a matter if someone could 
resell the data. Maybe this is dealt under another item :
But accessing to the whole whois data and being able to resell it is a 
real problem in  the EU.
It would be possible for me to view the data of blacknight.eu, in the 
thick whois from Eurid, after having to pass an anti-robot captcha, but 
I will never be able to buy the whole whois, as the Commission forbids 
this.
If the thick whois database from .eu moved (this is pure fiction) from a 
EU company to the another country with less privacy protection, this 
would be an issue as the protection laws would not apply any more. And 
the new registry could sell my data to marketing companies or publish my 
private phone number, as an individual.
These are my 2 cents.

Frederic








Le 29/01/2013 05:04, Alan Greenberg a écrit :
> Several of the statements we are receiving have warned of potential
> dangers of moving from a thin to thick Whois. I would really like to
> understand more about these, and have some concrete examples. Such
> examples or preferably situations that have actually existed with the
> many TLDs that use a thick Whois are necessary if we are going to do
> fact-based policy development.
>
> The ALAC statement attempted to head off these concerns, but I feel it
> is necessary to address some of these issues directly.
>
> *Data integrity and security:***It is quite true that having more
> repositories means that any one is more likely to be penetrated or
> altered maliciously. However, that very replication makes it much less
> likely that any such change will be un-noticed or unrecoverable. In the
> particular cases we are looking for. I am quite comfortable that
> Verisign is able to build and support a more robust repository than many
> of the smaller registrars.
>
> If we posit that Verisign is a better target than a small registrar, and
> conceivably they could have a security lapse (which I am *not*
> predicting), having a copy of the data at the registrar adds an extra
> level of security. If both of them get hacked simultaneously, then the
> registrar alone would have been an even easier target.
>
> *Impact on Privacy:* I completely understand the many concerns that have
> been raised with Whois with respect to privacy, but I fail to understand
> how the transition from a thin to a thick registry impacts this. *ALL*
> of the information that we are talking about sending to the registry is
> public. Not only is it public and freely accessible, but it is already
> replicated in untold repositories around the world, and particularly in
> repositories in the country where the registries in question reside. I
> agree that if data is sitting on a server in the US, managed by a US
> company, that company may be subject to US law and demands from US law
> enforcement or governments. But all they can reveal is information that
> is already public. Where is the additional harm?
>
> Once of the scenarios that I have heard reglates to a person in some
> privacy-sensitive country using a registrar and a proxy service in that
> country. All that is in Whois is the contact information for the proxy
> service (I am using the definitions that the AoC Whoius Review used: A
> privacy service replaces some of the contact information with their own,
> a proxy service replaces the complete identity of the beneficial owner
> with their own). There is nothing that the registry now has about the
> registrant that is not already public. If a US agency wants to know who
> the beneficial owner is (that is, who is hiding behind the proxy), they
> will have to go to the proxy provider (which may or may not also be the
> registrar). Those reside in the privacy-sensitive country. If they are
> liable to having the US government force them to reveal the real
> registration data, they would have been just as liable to the demand if
> the TLD was still thin.
>
> Let's look at a concrete example, I will pick on our friend Michele
> Neylon's company Blacknight (I have not asked his permission nor do I
> know if he espouses the same views as I do - it was just an easy example
> to look up).
>
> The attachment "Blacknight WHOIS Server.pdf" is the Whois record for
> blacknight.com from their own registrar (Blacknight - a registrar
> subject to Irish and EU privacy laws), the only "official" source of
> this Whois data. But the other attachments are the same data available
> from several other sources, one of whom just queries Blacknight, one is
> a private copy in the US, and the third I am not sure. And as you know,
> there are many more copies and access sources for this same data.
>
> I do understand that this registration is for a company and not a
> private individual, and was not done through a privacy or proxy service,
> but I will get to that next.
>
> How would (or better still how COULD) this data be MORE available if
> .com were a thick registry?
>
> If this registration had been done through an Irish Proxy service, it
> would be subject to Irish laws. Even if the "authoritative" version of
> the data resided at the registry, it would still just contain the
> details about the proxy service. Getting them to open their books would
> presumably be an issue of Irish law. But if there were some way the US
> could force them to disclose, why would that be any easier if the
> registry were thick?
>
> Perhaps I am just not sufficiently imaginative to come up with the
> danger scenarios. Can someone help?
>
> Alan
--


Frédéric Guillemaut
fg@xxxxxxxxxxx
Tel : +33 (0)4 88 66 22 07
COO

Mailclub
Pôle Média de la Belle de Mai
37, rue Guibal
13356 Marseille Cedex 03
www.mailclub.fr
Fax : +33 (0)4 88 66 22 20



IMPORTANT :
Pensez toujours à nous communiquer une adresse email valide tout au long 
de votre abonnement, l'email étant notre principal moyen de 
communication avec vous.
Si vous changez d'adresse email n'oubliez pas de modifier votre profil, 
accessible à partir de l'Espace Client.