Re: [gnso-thickwhoispdp-wg] Dangers and risks of thick Whois

[Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx>]

There are about 5M organizations that were similarly effected by the
move from thick-thin with the .ORG transition.

Proxy registrations were not effected allowing for privacy protection.

5 million registrations operating for years as a thick-whois model
with not one demonstrable complaint should offer reasonable assurance
that the move for .NET and .COM would succeed as well.

Privacy can be maintained through a proxy as intended.

-rick


On Mon, Jan 28, 2013 at 8:04 PM, Alan Greenberg
<alan.greenberg@xxxxxxxxx> wrote:
> Several of the statements we are receiving have warned of potential dangers
> of moving from a thin to thick Whois. I would really like to understand more
> about these, and have some concrete examples. Such examples or preferably
> situations that have actually existed with the many TLDs that use a thick
> Whois are necessary if we are going to do fact-based policy development.
>
> The ALAC statement attempted to head off these concerns, but I feel it is
> necessary to address some of these issues directly.
>
> Data integrity and security: It is quite true that having more repositories
> means that any one is more likely to be penetrated or altered maliciously.
> However, that very replication makes it much less likely that any such
> change will be un-noticed or unrecoverable. In the particular cases we are
> looking for. I am quite comfortable that Verisign is able to build and
> support a more robust repository than many of the smaller registrars.
>
> If we posit that Verisign is a better target than a small registrar, and
> conceivably they could have a security lapse (which I am *not* predicting),
> having a copy of the data at the registrar adds an extra level of security.
> If both of them get hacked simultaneously, then the registrar alone would
> have been an even easier target.
>
> Impact on Privacy: I completely understand the many concerns that have been
> raised with Whois with respect to privacy, but I fail to understand how the
> transition from a thin to a thick registry impacts this. *ALL* of the
> information that we are talking about sending to the registry is public. Not
> only is it public and freely accessible, but it is already replicated in
> untold repositories around the world, and particularly in repositories in
> the country where the registries in question reside. I agree that if data is
> sitting on a server in the US, managed by a US company, that company may be
> subject to US law and demands from US law enforcement or governments. But
> all they can reveal is information that is already public. Where is the
> additional harm?
>
> Once of the scenarios that I have heard reglates to a person in some
> privacy-sensitive country using a registrar and a proxy service in that
> country. All that is in Whois is the contact information for the proxy
> service (I am using the definitions that the AoC Whoius Review used: A
> privacy service replaces some of the contact information with their own, a
> proxy service replaces the complete identity of the beneficial owner with
> their own). There is nothing that the registry now has about the registrant
> that is not already public. If a US agency wants to know who the beneficial
> owner is (that is, who is hiding behind the proxy), they will have to go to
> the proxy provider (which may or may not also be the registrar). Those
> reside in the privacy-sensitive country. If they are liable to having the US
> government force them to reveal the real registration data, they would have
> been just as liable to the demand if the TLD was still thin.
>
> Let's look at a concrete example, I will pick on our friend Michele Neylon's
> company Blacknight (I have not asked his permission nor do I know if he
> espouses the same views as I do - it was just an easy example to look up).
>
> The attachment "Blacknight WHOIS Server.pdf" is the Whois record for
> blacknight.com from their own registrar (Blacknight - a registrar subject to
> Irish and EU privacy laws), the only "official" source of this Whois data.
> But the other attachments are the same data available from several other
> sources, one of whom just queries Blacknight, one is a private copy in the
> US, and the third I am not sure. And as you know, there are many more copies
> and access sources for this same data.
>
> I do understand that this registration is for a company and not a private
> individual, and was not done through a privacy or proxy service, but I will
> get to that next.
>
> How would (or better still how COULD) this data be MORE available if .com
> were a thick registry?
>
> If this registration had been done through an Irish Proxy service, it would
> be subject to Irish laws. Even if the "authoritative" version of the data
> resided at the registry, it would still just contain the details about the
> proxy service. Getting them to open their books would presumably be an issue
> of Irish law. But if there were some way the US could force them to
> disclose, why would that be any easier if the registry were thick?
>
> Perhaps I am just not sufficiently imaginative to come up with the danger
> scenarios. Can someone help?
>
> Alan
>
>
>