ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

  • To: Thick Whois <gnso-thickwhoispdp-wg@xxxxxxxxx>
  • Subject: Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois
  • From: Amr Elsadr <aelsadr@xxxxxxxxxxx>
  • Date: Tue, 29 Jan 2013 14:45:47 +0200

Hi Alan,

Thanks for starting this discussion. Definitely one we need to have. I've made 
some comments below, and appreciate any further insight you could offer.

On Jan 29, 2013, at 6:04 AM, Alan Greenberg wrote:

> Several of the statements we are receiving have warned of potential dangers 
> of moving from a thin to thick Whois. I would really like to understand more 
> about these, and have some concrete examples. Such examples or preferably 
> situations that have actually existed with the many TLDs that use a thick 
> Whois are necessary if we are going to do fact-based policy development.
> 
> The ALAC statement attempted to head off these concerns, but I feel it is 
> necessary to address some of these issues directly.
> 
> Data integrity and security: It is quite true that having more repositories 
> means that any one is more likely to be penetrated or altered maliciously. 
> However, that very replication makes it much less likely that any such change 
> will be unnoticed or unrecoverable. In the particular cases we are looking 
> for, I am quite comfortable that Verisign is able to build and support a more 
> robust repository than many of the smaller registrars.
> 
> If we posit that Verisign is a better target than a small registrar, and 
> conceivably they could have a security lapse (which I am *not* predicting), 
> having a copy of the data at the registrar adds an extra level of security. 
> If both of them get hacked simultaneously, then the registrar alone would 
> have been an even easier target.

Not sure how I could provide any concrete details to argue on behalf of any 
concerns regarding data integrity and security, but honestly…, I don't see how 
anyone could provide concrete details denying the risk either. My understanding 
is that there has never been a precedent on migrating the vast amount of 
registration data, such as is the case with ".com", from multiple registrars to 
a single registry. That certainly wasn't the case with ".org"…, but IMHO 
addressing VeriSign's competence in securing this data takes the concern out of 
context.

When considering a policy position on data integrity and security (especially 
with privacy concerns being my main issue of concern), my opinion is not based 
on VeriSign's competencies, but on any registry for any gTLD with a large 
number of registrations like ".com". Even in the case of ".com", VeriSign is not 
the first registry for this specific TLD, and I don't see how we can guarantee 
that it will be the last. So even if we share a sense of confidence in their 
competence, we cannot now claim the same for future registries, and would 
prefer not to advocate for policy without taking that into consideration.

> 
> Impact on Privacy: I completely understand the many concerns that have been 
> raised with Whois with respect to privacy, but I fail to understand how the 
> transition from a thin to a thick registry impacts this. *ALL* of the 
> information that we are talking about sending to the registry is public. Not 
> only is it public and freely accessible, but it is already replicated in 
> untold repositories around the world, and particularly in repositories in the 
> country where the registries in question reside. I agree that if data is 
> sitting on a server in the US, managed by a US company, that company may be 
> subject to US law and demands from US law enforcement or governments. But all 
> they can reveal is information that is already public. Where is the 
> additional harm?
> 
> One of the scenarios that I have heard relates to a person in some 
> privacy-sensitive country using a registrar and a proxy service in that 
> country. All that is in Whois is the contact information for the proxy 
> service (I am using the definitions that the AoC Whois Review used: A 
> privacy service replaces some of the contact information with their own, a 
> proxy service replaces the complete identity of the beneficial owner with 
> their own). There is nothing that the registry now has about the registrant 
> that is not already public. If a US agency wants to know who the beneficial 
> owner is (that is, who is hiding behind the proxy), they will have to go to 
> the proxy provider (which may or may not also be the registrar). Those reside 
> in the privacy-sensitive country. If they are liable to having the US 
> government force them to reveal the real registration data, they would have 
> been just as liable to the demand if the TLD was still thin.
> 
> Let's look at a concrete example, I will pick on our friend Michele Neylon's 
> company Blacknight (I have not asked his permission nor do I know if he 
> espouses the same views as I do - it was just an easy example to look up).
> 
> The attachment "Blacknight WHOIS Server.pdf" is the Whois record for 
> blacknight.com from their own registrar (Blacknight - a registrar subject to 
> Irish and EU privacy laws), the only "official" source of this Whois data. 
> But the other attachments are the same data available from several other 
> sources, one of whom just queries Blacknight, one is a private copy in the 
> US, and the third I am not sure. And as you know, there are many more copies 
> and access sources for this same data. 
> 
> I do understand that this registration is for a company and not a private 
> individual, and was not done through a privacy or proxy service, but I will 
> get to that next.
> 
> How would (or better still how COULD) this data be MORE available if .com 
> were a thick registry? 
> 
> If this registration had been done through an Irish Proxy service, it would 
> be subject to Irish laws. Even if the "authoritative" version of the data 
> resided at the registry, it would still just contain the details about the 
> proxy service. Getting them to open their books would presumably be an issue 
> of Irish law. But if there were some way the US could force them to disclose, 
> why would that be any easier if the registry were thick?
> 
> Perhaps I am just not sufficiently imaginative to come up with the danger 
> scenarios. Can someone help?

Apart from agreeing with Frédéric's response, I feel that online anonymity is 
in some circumstances an important measure that needs to be taken to avoid 
danger scenarios. It is true that almost all registrant information is publicly 
accessible despite registering domain names with registrars in 
countries/jurisdictions with data privacy laws. Being an Egyptian, I have a 
very personal perspective on the issue of online anonymity and feel that a 
policy for all existing and future gTLD registries using "thick" Whois is a 
step backwards for practicing freedom of expression.

I personally know several individuals who have registered domain names with 
bogus information to maintain anonymity while blogging against Mubarak's 
repressive regime prior to and during the uprising in Egypt in 2011 (and who 
continue to do so now with the Muslim Brotherhood in power). Although these are 
a small number of registrants, the social impact they (and others like them) 
have is considerable in determining the future of a population. One of these 
fellas (a friend of mine) had his identity discovered early in the uprising and 
disappeared for a day. When I saw him next, he had a pretty scary story about 
being picked up by state security and beaten ruthlessly for several hours.

I don't doubt that this sort of scenario exists (or will exist) concerning 
registrants in other parts of the world. I understand that a transition of 
registries from "thin" to "thick" Whois will not make registration data of 
registrants in this scenario any less public; however, I imagine that getting 
more active enforcement of data privacy laws is an issue to be picked up 
elsewhere (not in this WG). In the meantime, recommending that ICANN show a 
healthy respect for registrants' basic human rights, if they opt to take 
advantage of legal jurisdictions in which these rights are afforded, is 
something I would hope we would all aspire to.

Does that make any sense at all?

Thanks.

Amr

> 
> Alan
> 
> 
> 
> <Blacknight WHOIS 
> Server.pdf><Blacknight-Whois.net.pdf><DT-BlacKnight.pdf><Blacknight-easyWhois.pdf>


