ICANN Thick WHOIS the largest data breach on Earth.

  • Ever wondered why you get emails like this?
  • "Domain Notification for whatever.com: This is your Final Notice of Domain Listing"
  • Or cheap hosting offers out of nowhere?
  • Or tons of other spam?

That is because you registered a domain name and your Registrar has to publish your personal information through the so-called Port 43 WHOIS server.

A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.

So basically it is a server that listens on port 43; in retrospect, port 666 would have been more fitting. Every Registry and Registrar runs one.

How does it work? If you use macOS, open up the Terminal and run a whois command for thehelper.net: whois thehelper.net

Et voilà, you have all the information for the domain name, as mandated by ICANN contractual obligations.

Thick WHOIS vs. Thin WHOIS
It is still the same WHOIS server listening on port 43, except the output is different.
A thick WHOIS server also outputs contact data, including your personal information.
A thin WHOIS server outputs only the domain name and a few more fields but no contact data, because the Registry does not have it and as such cannot display it.
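To make the exchange described above concrete (a CRLF-terminated query, a reply read until the server closes the connection) and to show how a thick response differs from a thin one, here is an added example that is not part of the original post. It runs an in-process stand-in for a WHOIS server on 127.0.0.1 instead of contacting a real Registry; the two record texts are constructed, not real registry output, and the field names (Registrant Name, Registrar WHOIS Server, and so on) are assumptions modelled on common WHOIS output.

```python
import socket
import threading
from typing import Dict, Tuple

# Constructed sample records (not real registry output). The thick record
# carries contact fields; the thin record only points at the Registrar,
# which is where the contact data would live under the thin model.
THICK_RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrar: Example Registrar, Inc.\r\n"
    "Name Server: NS1.EXAMPLE.TEST\r\n"
    "Registrant Name: Jane Doe\r\n"
    "Registrant Email: jane@example.test\r\n"
)
THIN_RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrar: Example Registrar, Inc.\r\n"
    "Registrar WHOIS Server: whois.example-registrar.test\r\n"
    "Name Server: NS1.EXAMPLE.TEST\r\n"
)

# Assumed field names that indicate personal contact data is being published.
CONTACT_FIELDS = ("registrant name", "registrant email",
                  "registrant phone", "registrant street")


def serve_whois(record: str) -> Tuple[str, int]:
    """Start a one-shot stand-in WHOIS server on an ephemeral localhost port.

    It reads one CR LF terminated request, writes the record and closes the
    connection, which is how a real port 43 server signals end of response.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\r\n"):      # request ends with CR LF
                chunk = conn.recv(1024)
                if not chunk:                      # client gave up early
                    return
                buf += chunk
            conn.sendall(record.encode("ascii"))
        srv.close()                                # closing = end of response

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()


def whois_query(host: str, port: int, query: str) -> str:
    """Send one WHOIS request and read the reply until the server closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                           # closed: response complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_record(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """'thick' if any contact field is present in the output, else 'thin'."""
    return "thick" if any(f in fields for f in CONTACT_FIELDS) else "thin"


def lookup(record: str, query: str = "example.test") -> Tuple[Dict[str, str], str]:
    """Serve the given record locally, query it, parse and classify the reply."""
    host, port = serve_whois(record)
    fields = parse_record(whois_query(host, port, query))
    return fields, classify(fields)


if __name__ == "__main__":
    for name, rec in (("thick", THICK_RECORD), ("thin", THIN_RECORD)):
        fields, kind = lookup(rec)
        print(f"{name} server -> classified as {kind}; fields: {sorted(fields)}")
```

Against a real server you would call whois_query("whois.example-registry.test", 43, "example.test") and, for a thin registry, follow the Registrar WHOIS Server field to the Registrar's own port 43 server to obtain the contact data. The classifier is deliberately simple: the point is that the same protocol framing carries either record, and only the presence of contact fields tells you whether personal data is being published.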

Web interface vs. Whois Port 43 server.
Still the same server, except you do not use a command line on your MacBook; you use a website to look it up, like http://who.is, or check your Registrar's website for the link. They all have one!

Harvester of data
Every domain name that gets registered is published in a so-called zone file.
Sure enough, ICANN makes those available for everyone who can create an account.

Now those spammers know which domain names are registered; they simply run an automated series of WHOIS requests and, hey presto, they have all your personal information.
Put it in a bulk mailer and you are good to go to spam the hell out of everyone.

But why stop there? Sell that information! Monitor it! Use big data to come up with more information.
Information enrichment, they call it, I think.
Step it up, use it for identity theft! With so much information provided by ICANN, you can easily tap into social media like Facebook and be more creative and set up some more fraudulent schemes.

Some more information on WHOIS, check this blog post, it’s pretty good.

Theo Geurts Former ICANN RDS member.

ICANN 60 The Outcome

Due to ICANN's community input and careful review, ICANN suggests the following to the CPHs (Contracted Parties House):

Please comply with your ICANN contracts which clearly state that you should comply with your applicable law or relevant laws from other countries that might be applicable due to your customer base.

Result? Registrars will start to offer privacy protection for "free" and put existing registrations on privacy protection. Have to build such a system as a Registrar? The cost of doing business.

On the bright side, we will finally have a system that allows transfers without the need to drop the privacy service first.

Plus there will be fewer WHOIS inaccuracy complaints, and the syntax of the WHOIS will improve on a global level.

The downside: Registrars will at first get swamped with requests by parties who rely heavily on WHOIS data.

Complying with the EU GDPR? Easy, skip ICANN.

So preparations for the EU GDPR by Registries and Registrars are in full swing.
This week the Geo gTLD Group released a survey to the involved parties, and the results will show us where we are at.

But do we need to do this and do we need to get ICANN in the mix?

Let’s go back in time.
In 2015 the Chinese regulator MIIT announced they were going to enforce rules created a decade earlier. Now, where did we hear this before? Oh wait, the EU Directives: we ignored them as there was no enforcement.

Back in 2015 the RrSG went to the ICANN board and asked about their view when it came to what some called "draconian" regulations. The board listened, and the board said: "they were very aware, but it was an internal country matter, outside of ICANN."
And that was that.

What was so "draconian"? For Chinese Registrants to register domain names through Chinese Registrars, the Registries had to jump through a ton of regulatory hoops:
Get accredited with MIIT. Set up a presence in China. Escrow data to a Chinese escrow provider only. Deal with the real-name verification procedure.
So what did those non-Chinese Registries do? They looked at a huge market; they figured that these Chinese folks would not use Registrars outside China and would most likely go for the Chinese gTLDs and .CN. Not a great prospect for the Registries.
Solution? They jumped through the hoops; some even added real-name verification support through EPP to make registrations easy.

Every month I receive a newsletter or read a press release where a Registry proudly announces they are China-ready and MIIT accredited. It's like these guys won the Olympics. Granted, going through that process is tough and congratulations are in order.

The reality is, the real reality is, Registries are complying with the law in China. Awesome, how cool is that?! How about we go one step further and start complying with EU law?!

If we can do it in China, we can do it in Europe, right?
Want to do business with Chinese Registrants? Jump through the hoops.
Want to do business with EU Registrants? Jump through the hoops and stop discussing whether EU law is a factor within ICANN.
The contracted parties are apparently perfectly capable of dealing with national law, even when it is labeled "draconian."

Now, the above carries a fair load of sarcasm. But if push comes to shove, contracted parties will become EU GDPR compliant no matter how many folks in the ICANN community are in denial.
No matter how hard folks in the ICANN community try to ignore the EU and keep on thinking this does not affect ICANN.

But cooperation and coordination with ICANN and within ICANN remains key in my opinion, to steer this and the policies in the right direction. This is a multi-stakeholder model for a bunch of good reasons, and everyone has a stake in this for the right reasons and balance.

Theo Geurts

Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with warnings from the EU Data Commissioners and the UN Rapporteur for the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many of the ICANN policies rely on the WHOIS. Most likely it will turn out to be a single point of failure.

The current policies will need to be revisited when we get more clarity, and it looks like ICANN is going to work on an update of the legal review from 2015. That review wasn't too great to begin with, but let's not go there.

In no particular order, the following projects need to be frozen while we check whether their scope and objectives are still correct.

  • Thick WHOIS Migration
  • Translation and Transliteration of Contact Information
  • Crossfield validation

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside the EU but in countries with privacy laws need to check whether they can transfer data to the USA at all.
For example, Turkey adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is translating WHOIS information for a public directory when publishing the original data is already illegal, provided it is personal information?
This project needs to be frozen until there is more clarity, and its scope adjusted.

This project, mandated by the GAC and in operation without a PDP, is illegal in its current form.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and process the data on several levels for correctness.
ICANN emails and makes automated calls to Registrants to verify data correctness.
Within the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not Privacy Shield certified (just to name one problem); as such, in its current state this project is illegal. Not to mention they most likely never looked at other countries that also have privacy laws.

To be clear, this project can operate legally if ICANN complies with EU law.
This project should be frozen until all the legal requirements have been met.

WHOIS Crossfield validation

Though most vendors proposed by ICANN are Privacy Shield certified, we need to know whether they comply just on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know whether this is going to violate other countries' privacy laws, as most of them are modeled on EU Directive 95/46/EC.

In addition, Afilias announced that since April 7, 2017, the postal code is no longer a required field, as there are countries out there that do not have postal codes.

The Registry for Dot Africa states in its policies that street address and postal code are optional, most likely because there are countries in Africa that do not have them.

This makes cross-field validation nearly impossible, and most likely bad actors/cyber criminals will use this blind spot and provide registrant information from Africa to avoid cross-field validation.

This project needs to be scrapped.

PPSAI - Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue; on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third-party privacy providers goes under the bus, and there is no need for those folks.
What if we require third-party privacy providers to be accredited and to pay annual fees to ICANN?
This would collide with Article 12 of the Universal Declaration of Human Rights, the right to privacy. In this scenario, how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one as well, until we have more clarity.

Theo Geurts