My experiences with the WHOIS database and why I would abolish it

[Markus Hanauska <hanauska@xxxxxxxxxx>]

I have spent many years with actively fighting spammers during the nineties and 
the WHOIS database was always a valuable source of information during that 
time. Things have changed, though. Already near the end of my spam fighting 
career the WHOIS database became increasingly less valuable because of fake 
address entries  and proxy services. No matter how much effort the ICANN puts 
into the WHOIS database, it is not possible to restore its early stage, too 
many things have changed within the last ten years. This is a fight that costs 
only plenty of time, resources and money, and the outcome is clear before it 
has even started: The ICANN is going to lose it.

They are going to lose it because even I used faked WHOIS data for my domains 
and nobody ever noticed that. You might say, I should know better, after all I 
had to work with WHOIS data on a daily basis, but I'm also a human being and 
thus I have privacy concerns like anyone else in the world. Some people are 
more concerned with privacy than other people, however, when you do things like 
fighting spam, you offend a lot of people and thus you have to take measures to 
protect yourself and your family from harassment (and if it is only to avoid 
that somebody calls you 50 times a night). I gave up fighting spam long ago 
because this fight was equally lost as the fight for an error free WHOIS 
database; but that is a different matter.

I understand that having something like a central registry of domain owners (or 
multiple separated by country or by TLD) might be important in some cases, the 
question is, does it rally have to be a public one? Let me throw in an analogy 
that has been used thousands of times the past years: "cars".  There are very 
little topics most countries of the world can agree on, but one of those topics 
is the use of "vehicle registration plates". Most countries on earth require 
that cars (and other traffic vehicles) must have a license plate. What for? 
Among many possible reasons, one of the main reasons certainly is to determine 
the car owner. Why not just writing the name of the car owner onto the plate? 
Names are not unique. Why not writing name and full street address onto it? I 
don't know, but I know that license plates haven been around for longer than 
cars. The first plates were used for horse-drawn hackney carriages (1884) and 
already at that time the name hasn't been used.

Of course having license plates is pointless if there is no (central?) database 
that stores the owner information behind a specific plate. Whether the 
government needs to find the owner for collecting taxes or whether the police 
needs to find the owner because the car was used in a criminal offense, those 
institutions can have access to this database if necessary. However, how many 
of these database allow public, free access to every interested party in the 
world? I know that certain cantons of Switzerland allow that (sometimes for 
free, sometimes only for a fee, and sometimes only after a registration and the 
number of lookups per certain time period limited), but I claim in most parts 
of the world this is not possible and also not necessary.

If WHOIS gets abolished by tomorrow, the decentralized database of today still 
exists; it's just not public any longer. Nobody can tell me there is a domain 
registrar that has no such database of their customers. How are they going to 
contact their customers or collect their annual fees otherwise? And of course 
could the police get access to those data in case of a criminal investigation, 
either only through court order or possibly even without; this is question of 
local law and nothing the ICANN has to worry about. Another major concern is 
usually how can a normal Internet user contact a domain owner without public 
WHOIS access? The question must rather be: Why would a normal Internet user 
have to do that in the first place and why couldn't registrars offer a form on 
their web page to contact domain owners, without revealing any data about them 
and internally forward the requests to the e-mail address they know of their 
customers? Such a form would be sufficient in 99.9% of all cases and if it is 
only used to ask the domain owner for a postal address or phone number, if 
e-mail may not be the right communication medium for the matter.

The days where quick domain owner contact was necessary to quickly resolve 
technical difficulties of the Internet are long over. If a domain points to a 
server offering any (public?) services, the company hosting the server (which 
might be another company than the domain registrar) also has the full contact 
information of their customer. And network admins of two peering networks 
certainly have exchanged their contact information a long time ago and will not 
make a WHOIS lookup if there is a routing problem between the networks to find 
out whom to contact.

My personal opinion is that by making all WHOIS data private, the quality of 
the data will improve dramatically and it will improve much more than any 
attempt of the ICANN to strictly enforce the current policies ever will improve 
it. The majority of domain owners are neither spammers nor criminals and this 
holds true for the majority of domain owners with fake WHOIS address data, too. 
They are just people worried about their privacy and the reason for not using 
their real contact data is not that they don't want "anyone" in the world to 
know those data, they just don't want the whole world to know it; this is a 
huge difference. If they get assured that their contact data will be protected 
as much possible and only when absolutely unavoidable that data might ever be 
revealed to a third party, a lot more people will be willing to refrain from 
using fake address data. 

Even services like Facebook had to learn that users want control over their 
private data and it is one thing to share this data with the world after asking 
the user explicitly for their agreement and sharing the data unasked. Revealing 
one of my many e-mail address in the WHOIS database wouldn't even be a private 
concern to me, but already my full name is nothing that the world needs to 
know, since WHOIS data has also been collected and copied to other databases 
over the years and those make reverse look-ups possible (e.g. not who is the 
owner of a domain, but which domains does a certain person own) and I 
absolutely see no reason why the world has to know which domains I have 
registered; I consider this equally private as the world doesn't have to know 
which car I drive, at which supermarket I buy food, or which company has 
produced the underwear I currently wear. Having secrets and keeping certain 
information private doesn't make you criminal or a bad person, does it? And as 
long as the ICANN plays Facebook in its early years, people will fight back 
their privacy by faked names, faked address data, and proxy services where 
available and the number of those people will rather increase than decrease in 
the years to come.

-- 
Markus Hanauska, Senior Software Developer
equinux AG  / equinux USA, Inc.