WHOIS Review: "Cart before the horse?" and other ramblings
Personally, I am approaching this discussion as a tabula rasa. I am ignorant of most of what has come before, and not ashamed to admit it. I've tried, admittedly without either much effort or much success, to seek out documents, available on the web, that would give me some more context to start from on what would seem to be the topics at hand, but from where I am sitting there does appear to be a dearth of such. Nonetheless, I'd like to offer the following modest observations, which may perhaps be worth what you paid for them.

It appears to me that the Review Team, as well as the Internet community as a whole, is grappling with two overriding questions/issues, to wit:

1) What are the intended uses of domain name WHOIS service?

2) What are the best means by which domain name WHOIS service can be made to fulfill its intended uses?

Although, as I have said, I am ignorant of much of what has either been discussed or decided already, it does appear to me that there are, at present, a number of open questions with respect to (1) above. Certainly, that can be inferred from the mere fact that one of the questions that has been put to the community by the review team is one concerning the proper definition of "law enforcement". Such a definition can only, and will only be useful if it has been decided (pre-decided?) that the domain name WHOIS service will have (or does have) some special and particular intended uses which are unique to "law enforcement".

Having myself been unable to find, after an altogether and admittedly minimal and modest search, any document(s) wherein such a decision either was or might have been codified, I have been left wondering about a larger and more all-encompassing question:

Where is the _charter_ for the domain name WHOIS service? Where is the single document that codifies, for the benefit of all users and producers of domain name WHOIS information, its formally anticipated and formally accepted uses?
If anyone can point me to such a document, I would greatly appreciate it, because as I say, I have been unable to find it.

Obviously, and as we all know, WHOIS service dates from the very early days of the Internet, back when things were far smaller, often far less formal, and back when the things that were considered as most important to commit to writing were descriptions of how things were supposed to work, technically (e.g. protocols), as opposed to precise descriptions of what things were intended to be used for. (Nobody, I suspect, ever felt that it was either necessary or useful to elaborate at length about what, e.g., e-mail was useful for. Most folks who ever got a taste of it were able to figure out that part on their own.)

I've briefly reviewed various RFCs relating to WHOIS services, i.e. 812, 954, 1834, and 3912, and although some of these provide some not terribly specific hints as to the originally intended uses of domain name WHOIS service, these documents spend far more of their bulk on technical specification of the protocol. In the early days of the Internet, this was undoubtedly what was needed, but we are not there anymore, and it appears to me that it is now high time that someone, perhaps the WRT, should begin drafting a formal charter for domain name WHOIS services.

I suppose that by raising such questions as "What is `law enforcement'?" outside observers such as myself might conclude that the WRT is in fact wending its way, however circuitously, towards a kind of a formal charter for domain name WHOIS service, but my simple suggestion would be to formally and explicitly assert and acknowledge that the development of a formal charter for domain name WHOIS service is in fact a goal and intended work product of the WRT. I would argue that it is only within the framework of exactly such a formal goal that questions such as "What is law enforcement?" even make any sense.
The definition, even if one can be agreed, is utterly superfluous in the absence of context.

Historically, domain name WHOIS service has served the following purposes:

1) As a source of information for "good samaritans" and/or tangentially affected parties which could be used to make contact with other network, system, or domain administrators, e.g. to inform them of technical issues such as unanticipated outages. (This was, as I understand it, the one and only ``original intent'' of all WHOIS services.)

2) As a source of information for affected and/or other interested parties which could be used to make contact with network, system, or domain administrators, e.g. to inform them of security and/or network abuse issues.

3) As a source of information for affected parties which could be used as either ordinary contact information or legal Service Of Process information, specifically by intellectual property rights holders, either to request assistance in enforcing intellectual property rights or, in other cases, to actually begin legal proceedings necessary (e.g. via SoP) to legally enforce intellectual property rights.

4) As a source of information for law enforcement which could be used as either ordinary contact information, e.g. during an investigation, to request additional information about specific end-customers, or directly, as perpetrator identifying information.

5) As a source of information for network abuse researchers seeking after simple correlations and/or patterns of network abuse that might be evident from clues contained in domain name WHOIS records that are either known or suspected of being involved with various acts of network abuse.

(If I have missed any other common uses of domain name WHOIS data, by all means, please do let me know.)

Clearly, each of the five historical uses of domain name WHOIS data listed above has its own separate constituency and thus its own separate advocates.
I personally happen to represent constituency (5) from the list above, as do some of the other persons and organizations that have already submitted comments to the WRT relating to the current review process.

Although all five constituencies share a common interest in the completeness, timeliness, and accuracy of domain name WHOIS information, the views of these groups of WHOIS client/customers may, I sense, begin to diverge when it comes to the issue of (universal?) availability.

Based upon my own admittedly limited knowledge of typical law enforcement entities, I do suspect that they, in particular, would be perfectly happy to have utterly exclusive access to any & all WHOIS information, while shutting everyone else out and leaving the rest of us fumbling around in the dark. While an argument could perhaps be mustered in support of the view that LE should henceforth be the sole authorized consumers of WHOIS information, both my personal beliefs and my personal biases lead me to the entirely opposite viewpoint.

In any case, one man's personal opinions are neither here nor there, and the real issue, I believe, is whether or not item (5) from the list above is or is not, currently (or shall or shall not be in future) an accepted, formally authorized, and fully ``intended'' use of domain WHOIS data.

I believe that it is, and should be, going forward, and further, that such uses of WHOIS data, along with the others listed above, should all now be formally enshrined into a single unifying and defining document, a formal charter for WHOIS.

What I personally am most definitely NOT in favor of is a whole lot of nibbling around the edges without ever getting to the heart of the matter. I have no opinion of the best or most proper definition of the term ``law enforcement'' until I am presented with at least a draft of the over-arching document into which said definition is intended to fit.
(And if that over-arching document asserts that henceforth only ``law enforcement'' shall be granted access to certain types of WHOIS information, then everyone may be assured that any definition of ``law enforcement'' that _I_ would likely espouse would most assuredly be drafted so broadly as to include myself.)

The second question that, it seems to me, is being raised within these present discussions is the question of how best to make domain name WHOIS service as useful as possible, i.e. for all of its ``intended'' (and as yet to be formally defined?) uses. On this point, I have a few modest suggestions.

The completeness and accuracy of domain name WHOIS data is unambiguously of value to all of the separate WHOIS client/customer constituencies listed above. Unfortunately, at the present time, and as most close observers already know, the accuracy of the current WHOIS data base is nothing short of abysmal. Anyone who has studied my work, or that of KnujOn, or even much of the material on the Spamhaus web site knows that already. What is even more troubling is that ICANN, at present, has neither the means nor even, apparently, the interest in doing anything about it.

(I myself offered a list of over 50,000 gTLD second-level domain names, all with utterly bogus WHOIS information, to an official @ ICANN recently, and was turned down cold. The official in question would not even take the data from me! This sort of information, i.e. the names of domains having bogus WHOIS information is, quite obviously, considered only an unwelcomed technical and administrative burden within ICANN. That is both a cultural and a technical problem, both of which need fixing, and desperately.)

(I am running out of UTC time before the end of the 2011-04-17 cutoff for comments, so the rest of this message will be hurried.)

How to fix the accuracy problems of the WHOIS data base, going forward, presents -NO- insurmountable technical challenges. This is NOT a moon shot.
Solving the problem is neither prohibitively complex nor prohibitively costly, even though any such hidebound, self-serving and profit maximizing entities such as ICANN and its constituent registrars always can (and always will) attempt to make it appear so. (For further information, consult Sir Humphrey Appleby.)

Recently, in preparation for sale, I registered one of my domain names with Sedo's domain name marketplace. This company knows what it is doing and has a _positive_ financial interest in ensuring that they can verify the true ownership of any given domain name, unlike ICANN and its registrars, all of which have a clear _negative_ incentive to look too closely at anything that some paying customer wants to put into his or her WHOIS record(s).

Anyway, Sedo has a system that actually calls the phone number listed in the domain name WHOIS record. The owner is then read a magic five digit code that must be entered at a particular URL to complete the registration process.

Simple and obvious question: Why can Sedo do this for registering domains into its "marketplace", but no other registrars can do it for original domain registrations?

Lots of fully-automated variations on this general scheme are possible, and also for e-mail addresses.

This could be done. There is no will or willingness to do it. And THAT is the REAL problem with the WHOIS data base.