The complete mess the WHOIS created, a Registrar perspective.

The public directory we call a WHOIS, where we publish registrant data of domain name owners, is a MESS.


Sure, LEA’s and other crimefighters have a different opinion, and it is one I share in the sense that abuse is a huge problem and abuse must be taken down. Often in these discussions, when we talk about unlimited access to registrant data and point out that it also has to comply with privacy laws, the discussion goes the wrong way, and we hear or read that Registrars are pro-crime, or worse, that they condone child porn. These are arguments to keep the current status quo, which is understandable, but the reality is that Registrars are mostly companies trying to run a business in a responsible manner. And now and then this is acknowledged by parties who know we hate abuse just as much as everyone else.

So let me post some facts and leave the LEA arguments outside of this scope.

Publishing personal data or registrant info in a public directory creates the following issues we deal with on a daily basis.

To understand this better you have to realize that ICANN publishes zone files that contain newly registered domain names. There are folks who scrape this info and scrape WHOIS info on a fully automated basis and resell this info or use it for their shady practices. Yes, this includes personal information. And no, they have no right, but they ignore every privacy law that there is out there and every disclaimer a Registrar has in place about the terms of usage.

When you register a domain name and get yourself some hosting and other services not much later, you will get the following in your email box.

Domain name renewal notice. This is not a renewal notice at all; it is a shady SEO company that urges you to pay them money to get listed in some vague directory to boost your SEO. The result: confused registrants calling their Registrar’s support desk. We are losing money here.

Hosting notice. Within a few hours, our customers get an email from a shady hosting company that offers 99 Cent Hosting with an uptime of 100%. Our support teams have endless discussions with our customers explaining why we charge more, why we have better service, and it is just unreal when you hear these conversations. Again money down the drain.

Spam lists. Your information will be resold, spammers will gladly scrape your info, and a day later your email box contains emails ranging from Viagra to shady investment deals and marriage proposals from Russia.

Phone calls. Later in the week, you will get robot calls from companies trying to sell you whatever. Fake Microsoft employees are trying to trick you and a lot worse. And let’s not forget SMS messages.

Viruses, malware, phishing. Enough said; hope you have a good virus scanner, and let’s hope you do not get hit by some crypto locker ransomware. If your computer gets infected by ransomware it is best to pay, according to the FBI.

ICANN policies and the current issues.

  • As a Registrar, we have to verify your email address.
  • As a Registrar, we have to email you an FOA (Form of Authorization) when you want to transfer your domain name.
  • As a Registrar, we need to email you if you want to change the ownership of your domain name for whatever reason.

In November 2015 Registrars were hit hard by phishing emails. These emails looked like the real emails Registrars send for the above reasons. However, these emails carried a payload in the form of ransomware.

For years we have been educating our customers not to click the cute teddy bear in emails and to throw away email if it looks suspicious.

Since November 2015 our means of communication have taken a huge hit: processes come to a total standstill, and our support desks are dealing with increased overhead. The phishing continues, and every few months some Registrar takes a hit from these targeted phishing attacks. Domain names get suspended because our communication is no longer trusted. Mass frustration.

We implemented DKIM, we use PGP to sign our emails, but it is simply not working as most folks have no idea what PGP is.

I understand the LEA arguments, but the above is also a reality, and it is bad, it is ugly, and it is all due to the fact that we have a WHOIS system that shouldn’t have existed in the first place.

Perhaps ICANN should throw some money towards the abuse problem. As it is now, we have huge discussions over what is, in my opinion, a penny war. But pennies are what we earn, so let us take that issue out of the equation, and I am pretty sure the discussion with LEA’s and other parties will go much smoother.

EU GDPR and the WHOIS, Radiation Fallout

So during ICANN 58 in Copenhagen, it became crystal clear, the WHOIS is a “nice to have” but not a “must have” for sure.

Sure there are folks that did not see the mushroom cloud, nor did they hear the thunder of the nuclear explosion, and being in denial is an option, but if you are hit with the radiation and fallout, denial is not a good option.


What is the WHOIS and what are Registrars doing? If you register a domain name, say yourname.biz, then a Registrar registers the domain name for you, and the Registry for .biz publishes your personal information in a public directory/database that we call the WHOIS.

This was handy back in 1990 or so. Now the EU GDPR is coming in May 2018 and enforcement is most likely to happen (read huge fines). ICANN managed to ignore the problem and wanted to ignore the privacy problems even longer, but after ICANN 58 this is no longer an option.

The EU GDPR is global: every Registrar and Registry in the world that deals with European citizens has to comply with the EU GDPR. This makes the solution problematic.

In my opinion, there is only one solution. Shut down all WHOIS servers and replace them with RDAP. In addition, storing personal info at the Registry in order to register a domain name should not be required; it serves no purpose.

RDAP will have two functions. It will serve as an internal network to make sure existing ICANN policies keep functioning, though policies like IRTP A-D and many more will need to be rewritten or scrapped.

The public output for RDAP should be very minimal; this is function two. The output will contain the Registry, Registrar, Reseller (if applicable), email alias of the Registrant and the name servers. The rest should be removed as there is no purpose.

As simple as this sounds, it requires a lot of work and there will be moments when things will be in freefall, and we need to adjust procedures on the fly.

Registrars, where the law requires it, should display the Registrant in full when it is a company. EU privacy law is pretty clear about that.

All in all, this requires some out of the box thinking, but we should stop thinking in terms of thin or thick; we must be aware of what data we collect, careful about what we publish publicly, and keep asking what the purpose is.

The current setup will create a huge problem when it comes to abuse. Not only will LEA’s be frustrated, but it will also create tons of overhead on the Registrar side and as such cost money and worse, abuse levels might even skyrocket.

RDAP allows for gated access. LEA’s must get access through a global framework to combat abuse. This also extends to these companies who are not LEA’s but fight spam and other nasty things that happen on the internet. This will require some heavy consulting with the EU Data Commissioners to set up a framework that has a purpose. I think this is doable, though it will require heavy monitoring when it comes to access to justify such access. Given the current levels of abuse, again I think it is warranted, not to mention the extremely short timeframe we have to get EU GDPR compliant.
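As an added illustration of the two RDAP functions described above (the minimal public output and gated access for accredited parties), here is my own Python sketch; it is not code from the original post or from any registrar or registry system. The sample record, the alias domain, the alias secret and the role names are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data (not a real registration): what a registrar holds for one domain.
FULL_RECORD = {
    "domain": "yourname.biz",
    "registry": "Example .biz Registry (placeholder)",
    "registrar": "Example Registrar BV (placeholder)",
    "reseller": "Example Reseller (placeholder)",
    "nameservers": ["ns1.example.net", "ns2.example.net"],
    "registrant": {"name": "Jane Doe", "type": "individual", "email": "jane@example.org",
                   "phone": "+31 6 0000 0000", "street": "Example Street 1"},
    "created": "2017-03-12", "updated": "2017-03-12", "expires": "2018-03-12",
}
ALIAS_SECRET = b"rotate-me-placeholder"              # assumed per-registrar secret
ALIAS_DOMAIN = "contact.example-registrar.invalid"  # assumed registrar alias domain
ACCESS_LOG = []                                      # every gated request is recorded

def registrant_alias(domain: str) -> str:
    """Stable pseudonymous contact address: the registrar can forward mail to the
    real registrant without ever publishing the registrant's own address."""
    tag = hmac.new(ALIAS_SECRET, domain.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{ALIAS_DOMAIN}"

def public_view(record: dict) -> dict:
    """Function two from the post: registry, registrar, reseller (if any), a registrant
    alias and the name servers. Dates and personal data are dropped, not blanked."""
    out = {"domain": record["domain"], "registry": record["registry"],
           "registrar": record["registrar"], "nameservers": list(record["nameservers"]),
           "registrant_contact": registrant_alias(record["domain"])}
    if record.get("reseller"):
        out["reseller"] = record["reseller"]
    if record["registrant"].get("type") == "company":   # company names may be shown in full
        out["registrant_name"] = record["registrant"]["name"]
    return out

def gated_view(record: dict, requester: str, role: str, purpose: str) -> dict:
    """Gated access: the full record goes only to accredited LEA / anti-abuse roles that
    state a purpose; everyone else gets the public view. Every request is logged."""
    granted = role in {"lea", "anti-abuse"} and bool(purpose.strip())
    ACCESS_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "requester": requester,
                       "role": role, "domain": record["domain"], "purpose": purpose,
                       "granted": granted})
    return record if granted else public_view(record)

if __name__ == "__main__":
    print(public_view(FULL_RECORD))
    print(gated_view(FULL_RECORD, "abuse-desk@example.net", "anti-abuse", "spam complaint #1")["registrant"]["name"])
```

The access log is what makes the "heavy monitoring" of gated access auditable: a denied request is recorded just like a granted one.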

Will this work? Most likely not. ICANN is a bottom-up driven community and not top down organized. Before we have everyone on board, we are most likely two years further in the process.

The alternative (and there is no alternative: privacy is a right, it cannot cost money, it is not a service) is that I expect most Registrars will start offering privacy protection for free, send out a mailing informing everyone, and consider their duty done. This will be a colossal mess, and I am not sure how we should deal with domain transfers; this issue does not exist with most ccTLD’s, as they have a cleaner transfer process that does not rely on a system created by ancient Egyptians.

This article is work in progress.

Theo Geurts

Why the Thick WHOIS Migration will not happen.

UPDATE

Perhaps the migration is a means to an end after all.

As a wholesale Registrar, our Resellers could request the following from the registrants under the GDPR, something like “I agree with the provision of my personal data being transferred to the US company XXX acting as Registry for this domain name category”. That does not solve the problem for a Registry. The only thing I am not sure of is who the hell should obtain the consent: the reseller, or the Registry? The GDPR says the party that is responsible… that door could swing both ways in this scenario.


Well most likely, but this headline is not clickbait.
So now that the Registrars have been informed about the 1 August deadline by which they should start implementing the Thick WHOIS policy, it gives me the freedom to give some feedback here. I was one of the original IRT members who drafted this policy.

Thick WHOIS Migration. Registrars need to migrate 140+ million WHOIS records to Verisign for .com and .net. Including personal registrant data.


First of all, does a registry require registrant data to register a domain name? The answer is no.
This also shows that, given the current changing political and legal landscape, thick WHOIS Registries are a no go. This also applies to ccTLDs.
Shooting personal information all over the globe to register a domain name is simply insane.

Moving registrant data from the EU to the USA, how legal is that?
Currently, it is legal under privacy shield.
Privacy Shield? According to the website, this is what PS does.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Sounds simple enough, and it is. If it weren’t for a few problems.
First of all Privacy Shield is currently being reviewed by the Irish Data Commissioner. Most likely Privacy Shield will be invalidated.

Privacy Shield is also up for its annual review.
Given President Trump’s actions over the last few months, which ticked off a lot of people, this will also be a political review.

The review will NOT go smoothly.
In short, this migration hinges on the fact that Privacy Shield will stay up and running till the end of days, and it won’t.

Then there is the issue of self-certification.
To migrate the data to the Verisign servers, Verisign needs to be Privacy Shield certified.
As it is a self-certification, that is pretty simple, tick the boxes, and you are on your way.

However, the EU expects you to offer an adequate level of data protection. What that requirement amounts to is pretty vague. But we can be sure that publishing personal info in a public directory/database with zero protection is not an adequate level of protection.

So Verisign cannot even certify itself without exposing itself to major privacy issues. The EU GDPR contains some pretty hefty fines; you can be sure that Verisign will not expose itself to this.
Privacy Shield requires you to uphold the directives not just on paper but also in reality.

Then there is the other issue.
The IRT did not want to check all the privacy laws that are out there. Currently, 100 countries have privacy laws, so that was an impossible task. So the IRT recommended: Registrars, figure it out yourselves.
But we should have realized that most of those privacy laws are modeled on EU directive 95/46/EC. Most likely these countries will demand contracts with Registries that offer a decent level of data protection. So we can semi-assume this is not the case.

In addition to this, currently 39 countries are drafting privacy laws modeled towards the EU GDPR.

Please raise your hand if you think this Thick WHOIS Migration to the USA will still be a go.

We really need to re-think this Thick WHOIS server strategy on a global level.
Today it’s Trump, last year it was the Brexit creating a lot of issues that still need resolving. Next week we will have another crisis on our hands that blocks us from sending data.

Theo Geurts ICANN Thick WHOIS IRT Member.

The law is the law.

Yoda says: “purpose you shall have.”

Or when I returned from Copenhagen ICANN 58, you shall have a purpose.

I have been struggling with the upcoming EU GDPR for a year now. I read the GDPR, read a few books, and it just didn’t sink in, let alone could I figure out how to tackle this thing at ICANN level or at the Registrar I work for.

For more than a year the RDS WG, the group that is working on a replacement for the WHOIS, has been collecting requirements on what is required for this RDS. The number of requirements we gathered is insane, over 1000 requirements.

We heard from about every stakeholder what they need, and in every discussion privacy would come up, and how that should work; usually such a discussion would look more like a trench war, as most folks think privacy does not equal the abuse problems we are facing.
But at ICANN 58 a group of EU Data Commissioners assisted us, including the U.N. Special Rapporteur on the right to privacy and Caroline Goemans-Dorny, INTERPOL’s data protection officer.

During the RDS session on Wednesday, something happened that provided me with total clarity. We were running out of time, and we did not really get into the question session we prepared. At one point the Chair of the RDS WG fired off like four questions at once, related to a thin WHOIS output that was shown on the slides.

The U.N. Special Rapporteur said: “I will answer all your questions with one question: what is the purpose?”
This almost Yoda-like response gave me a real sense of clarity.
Why do we put an expiry date in the WHOIS?
Why do we put a create date in the WHOIS?
Why do we put an update date in the WHOIS?

My cell phone subscription is not being published in a public directory, nor is it mentioned when I upgraded my cell phone subscription in a public directory. At that point, it was clear to me that this was not about thin or thick WHOIS, we put the cart before the horse.
I expressed my gratitude in public to the U.N. Special Rapporteur.
After the session I was having a smoke and saw the U.N. Special Rapporteur leave the building real quick, rushing to a taxi (busy person), and just when he hailed a taxi he spotted me, walked up to me, shook my hand and said: “Thank you for the support, and I have the feeling you now have a clear vision on what purpose is.”

I have it for sure, and the entire EU GDPR makes sense now. The EU GDPR is Europe setting a very high ambition trying to create logic in how you process or collect data. The EU GDPR text itself does not provide clear answers; it just shows ambition.

All your current processes need to be re-evaluated, and you have to ask what the purpose is. If you have a clear purpose and you can motivate it, then most likely you are on the right track. The EU GDPR can provide more guidance.
If however you encounter a situation and you ask what the purpose is, and the answer is dodgy, shady or not clear, or the answer is, it is nice to have, then you are most likely on the wrong track.

How does this guide me when it comes to the RDS and the WHOIS?
Simple, the WHOIS is a “nice to have,” that completely spiraled out of control and has no place in this day and age.

RDS? Even though we are still in its early stages, it seems we are working on a compromise to keep everyone happy. Keeping everyone happy and yet complying with the law, is not possible, so the current purpose of RDS will turn into a failure.

Later this week I will go more into detail why RDS will never work and what is required and how we should combat abuse, though I did not figure out the abuse part, yet.

Theo Geurts ICANN RDS WG member.

This blog post was created while listening to: