Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

[Alan Greenberg <alan.greenberg@xxxxxxxxx>]

At 29/01/2013 07:45 AM, Amr Elsadr wrote:
> Hi Alan,
>
> Thanks for starting this discussion. Definitely 
> one we need to have. I've made some comments 
> below, and appreciate any further insight you could offer.
> On Jan 29, 2013, at 6:04 AM, Alan Greenberg wrote:
>
> > Several of the statements we are receiving have 
> > warned of potential dangers of moving from a 
> > thin to thick Whois. I would really like to 
> > understand more about these, and have some 
> > concrete examples. Such examples or preferably 
> > situations that have actually existed with the 
> > many TLDs that use a thick Whois are necessary 
> > if we are going to do fact-based policy development.
> > The ALAC statement attempted to head off these 
> > concerns, but I feel it is necessary to address some of these issues directly.
> > Data integrity and security: It is quite true 
> > that having more repositories means that any 
> > one is more likely to be penetrated or altered 
> > maliciously. However, that very replication 
> > makes it much less likely that any such change 
> > will be un-noticed or unrecoverable. In the 
> > particular cases we are looking for. I am quite 
> > comfortable that Verisign is able to build and 
> > support a more robust repository than many of the smaller registrars.
> > If we posit that Verisign is a better target 
> > than a small registrar, and conceivably they 
> > could have a security lapse (which I am *not* 
> > predicting), having a copy of the data at the 
> > registrar adds an extra level of security. If 
> > both of them get hacked simultaneously, then 
> > the registrar alone would have been an even easier target.
> Not sure how I could provide any concrete 
> details to argue on behalf of any concerns 
> regarding data integrity and security, but 
> honestly…, I don't see how anyone could provide 
> concrete details denying the risk either. My 
> understanding is that there has never been a 
> precedent on migrating the vast amount of 
> registration data, such as is the case with 
> ".com", from multiple registrars to a single 
> registry. That certainly wasn't the case with 
> ".org"…, but IMHO addressing VeriSign's 
> competence in securing this data takes the concern out of context.
> When considering a policy position on data 
> integrity and security (especially with privacy 
> concerns being my main issue of concern), my 
> opinion is not based on VeriSign's competencies, 
> but on any registry for any gTLD with a large 
> number registrations like ".com". Even in the 
> case of ".com", VeriSign is not the first 
> registry for this specific TLD, and I don't see 
> how we can guarantee that it will be the last. 
> So even if we share a sense of confidence in 
> their competence, we cannot now claim the same 
> for future registries, and would prefer not to 
> advocate for policy without taking that into consideration.
Given the contractual terms, the .com registry is 
not likely to move anyway. Bit if it were to, 
this whole discussion would likely be moot, since 
the last time it happened (for .org), ICANN 
required the new registry to be thick.


> > Impact on Privacy: I completely understand the 
> > many concerns that have been raised with Whois 
> > with respect to privacy, but I fail to 
> > understand how the transition from a thin to a 
> > thick registry impacts this. *ALL* of the 
> > information that we are talking about sending 
> > to the registry is public. Not only is it 
> > public and freely accessible, but it is already 
> > replicated in untold repositories around the 
> > world, and particularly in repositories in the 
> > country where the registries in question 
> > reside. I agree that if data is sitting on a 
> > server in the US, managed by a US company, that 
> > company may be subject to US law and demands 
> > from US law enforcement or governments. But all 
> > they can reveal is information that is already 
> > public. Where is the additional harm?
> > Once of the scenarios that I have heard 
> > reglates to a person in some privacy-sensitive 
> > country using a registrar and a proxy service 
> > in that country. All that is in Whois is the 
> > contact information for the proxy service (I am 
> > using the definitions that the AoC Whoius 
> > Review used: A privacy service replaces some of 
> > the contact information with their own, a proxy 
> > service replaces the complete identity of the 
> > beneficial owner with their own). There is 
> > nothing that the registry now has about the 
> > registrant that is not already public. If a US 
> > agency wants to know who the beneficial owner 
> > is (that is, who is hiding behind the proxy), 
> > they will have to go to the proxy provider 
> > (which may or may not also be the registrar). 
> > Those reside in the privacy-sensitive country. 
> > If they are liable to having the US government 
> > force them to reveal the real registration 
> > data, they would have been just as liable to 
> > the demand if the TLD was still thin.
> > Let's look at a concrete example, I will pick 
> > on our friend Michele Neylon's company 
> > Blacknight (I have not asked his permission nor 
> > do I know if he espouses the same views as I do 
> > - it was just an easy example to look up).
> > The attachment "Blacknight WHOIS Server.pdf" is 
> > the Whois record for 
> > <http://blacknight.com>blacknight.com from 
> > their own registrar (Blacknight - a registrar 
> > subject to Irish and EU privacy laws), the only 
> > "official" source of this Whois data. But the 
> > other attachments are the same data available 
> > from several other sources, one of whom just 
> > queries Blacknight, one is a private copy in 
> > the US, and the third I am not sure. And as you 
> > know, there are many more copies and access sources for this same data.
> > I do understand that this registration is for a 
> > company and not a private individual, and was 
> > not done through a privacy or proxy service, but I will get to that next.
> > How would (or better still how COULD) this data 
> > be MORE available if .com were a thick registry?
> > If this registration had been done through an 
> > Irish Proxy service, it would be subject to 
> > Irish laws. Even if the "authoritative" version 
> > of the data resided at the registry, it would 
> > still just contain the details about the proxy 
> > service. Getting them to open their books would 
> > presumably be an issue of Irish law. But if 
> > there were some way the US could force them to 
> > disclose, why would that be any easier if the registry were thick?
> > Perhaps I am just not sufficiently imaginative 
> > to come up with the danger scenarios. Can someone help?
> Apart from agreeing with Frédéric's response, I 
> feel that online anonymity is in some 
> circumstances an important measure that needs to 
> be taken to avoid danger scenarios. It is true 
> that almost all registrant information is 
> publicly accessible despite registering domain 
> names with registrars in countries/jurisdictions 
> with data privacy laws. Being an Egyptian, I 
> have a very personal perspective on the issue of 
> online anonymity and feel that a policy for all 
> existing and future gTLDs registries using 
> "thick" Whois is a step backwards for practicing freedom of expression.
> I personally know several individuals who have 
> registered domain names with bogus information 
> to maintain anonymity while blogging against 
> Mubarak's repressive regime prior to and during 
> the uprising in Egypt in 2011 (and who continue 
> to do so now with the Muslim Brotherhood in 
> power). Although these are a small number of 
> registrants, the social impact they (and others 
> like them) have is considerable in determining 
> the future of a population. One of these fellas 
> (a friend of mine) had his identity discovered 
> early in the uprising and disappeared for a day. 
> When I saw him next, he had a pretty scary story 
> about being picked up by state security and 
> beaten ruthlessly for several hours.
> I don't doubt that this sort of scenario exists 
> (or will exist) concerning registrants in other 
> parts of the world. I understand that a 
> transition of registries from "thin" to "thick" 
> Whois will not make registration data of 
> registrants in this scenario any less public, 
> however, I imagine that getting more active 
> enforcement of data privacy laws is an issue to 
> be picked up elsewhere (not in this WG). In the 
> meantime, recommending that ICANN show a healthy 
> respect for registrants' basic human rights, if 
> they opt to take advantage of legal 
> jurisdictions in which these rights are 
> afforded, is something I would hope we would all aspire to.
I have no problem with all of that, and I share 
concerns over personal privacy and Whois. These 
are issues that must be addressed. But so far I 
see nothing that changes in the thin to thick transition.
Alan


> Does that make any sense at all?
>
> Thanks.
>
> Amr
>
> > Alan
> >
> >
> >
> > <Blacknight WHOIS 
> > Server.pdf><Blacknight-Whois.net.pdf><DT-BlacKnight.pdf><Blacknight-easyWhois.pdf>