back to article US government tells internet body to hurry the funk up on privacy

The US government has warned the organization that oversees the domain name system that it needs to hurry up and finalize privacy rules for Whois internet addresses or Congress will back replacement legislation. The letter [PDF] from assistant commerce secretary David Redl to ICANN is polite but firm, congratulating a policy …

  1. gnarlymarley

    It was created in the very early days of the internet and the information was published online but, as the internet grew, so did concerns about that information being made freely available.

    The intent of this whois setup was to allow everyone on the internet be able to contact a select source for abuse of the internet..

    But the recommendations do not address the biggest issue: who is entitled to view the "non public" parts of the system, which means people's phone numbers, email addresses and home addresses.

    I don't get it. The past few years "idiots" insist on using personal email addresses for the "abuse" address. Why? When I see a personal address in that field, I automatically think it is a faked address. What ever happened to the good days of the "abuse@example.com" email address formats??? I would even be willing to accept the word abuse translated into your local language. When we had that abuse address as looking like a valid abuse mailbox, there _was no_ personal addresses that were easy to find. If only folks would go back to the original standard....

    1. JohnFen

      "When I see a personal address in that field, I automatically think it is a faked address."

      Why do you assume this? I assume that the domain name was registered by an ordinary person who isn't' terribly familiar with the customs involved.

      I don't think the exposure of the email address is the significant issue here, though. The significant issue is the exposure of phone numbers and physical addresses. I can easily ignore all the spam that I'll get through an exposed email address, but the spam that comes through the phone and physical location is more problematic. Not to mention the real personal risk exposure of physical addresses can pose. The internet is full of crazies, after all.

      That's why I have to pay extortion money to my registrar to keep that information private.

      1. NATTtrash Silver badge

        Indeed. And as Kieren describes, this is a remnant of the "early days" of the internet. After all, when people we playing around with their Mosaic and Tripod accounts, creating/ registering family websites for their holiday snaps or quirky hobbies, the idea was that the internet was for everybody, connecting people, creating a global village. I clearly remember companies scratching their heads "what to do with this new internet thing". Remarks referring to "abuse@example.com" and such other details show an experience and approach, assuming a "corporate internet", ditching these earlier ideas.

        In the end, the only thing that counts is that there is legislation (GDPR) that applies and has to be complied to, something that between continents sometimes is difficult to comprehend (admit?). And for the long run, it is really about time that the global internet is governed by an international/ global in stead of some national institution.

      2. Doctor Syntax Silver badge

        "I have to pay extortion money to my registrar to keep that information private."

        Maybe you need to shop around for another registrar.

        1. JohnFen

          Yeah, I can't argue against that! The only reason that I haven't yet is because of inertia.

      3. LDS Silver badge

        In the early days, especially for individuals, some registrars required ID proofs (ID card, passport, etc.) to register a domain, and put you full information into the records. There was no way to put fake data there (unless using fake documents as well).

        That's because there were some stringent rules about domains requests and domain names, especially if one wasn't a registered legal entity - many of them relaxed later.

        Once people had no issue to have their name, address and phone number published in phone records, now that robocallers, spammers and other various crazy people multiplied through the internet it became just a risk.

        I didn't bother much twenty years ago about having my data published in the whois records, but now I requested to hide them - and after GDPR it was done for free.

    2. Joe W Silver badge

      I don't get it

      Obviously you don't. For decades peoples' private home addresses and personal phone numbers have been online. If you, as a private person, were to register a domain, the registrar would collect these information and hand them over to whois, who would publish them.

      The whole "abuse@" is now irrelevant in many cases: either people don't react at all, or the contact information is wrong on purpose anyway. Also, as I understand it, publishing the "abuse@" or technical contact details (webmaster@..?) is still allowed. It is the personal information that should be kept rather more private.

      I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops...

      1. don't you hate it when you lose your account Silver badge

        Agree

        How can the US think that allowing parasites/lawyers access to this private information will pass GDPR regulations. They are private individuals, they want my private details then lay a charge and convince a judge to grant a court order to get them. Pile of bollocks if you ask me

        I would be more open to this idea if it was tied to laws that allowed me to put cameras in THEIR homes and follow them constantly while muttering Like foul old Ron. BUGGERIT

      2. Anonymous Coward
        Anonymous Coward

        "I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops..."

        Because copyright and a whole bunch of legal issues are not always criminal issues, and even when they are, the cops rarely do anything about them. For example, police in the UK have practically abandoned investigating fraud because they're woefully under resourced and because there's such a gigantic volume of internet-enabled fraud. Cross-border incidents would require at least two sets of underfunded law enforcement to collaborate, and often one of those sets is bent and itself perpetrated the frauds. The ability to effectively anonymously register and use domain names is a real problem for investigating and preventing fraud, money laundering and bribery. That doesn't mean having the data public is a good idea - but it also doesn't mean "only the cops should see it".

        El Reg readers dont like to hear this... AC because I actually work in this field all day every day and dont like my despair to be public.

        1. Paul Crawford Silver badge

          You don't need the cops to treat it as a criminal case, you go to court as a civil case and get the judge to grant access to specific data.

          1. Lakanal

            Not very practical, even in countries which have pre-action discovery processes. Anonymity is at the root of many internet harms.

            1. LDS Silver badge

              Actually, "reserved" != "anonymous". The data are there, just not available to dogs+pigs. A valid reason should be necessary to access them.

        2. Anonymous Coward
          Anonymous Coward

          Because copyright and a whole bunch of legal issues are not always criminal issues, and even when they are, the cops rarely do anything about them. For example, police in the UK have practically abandoned investigating fraud because they're woefully under resourced [...] at least two sets of underfunded law enforcement to collaborate

          That sounds like a problem your government should fix, shouldn't they? Guess they are some what pre occupied right now, trying collectively to figure out how to spell the words "Plan B", "problem solving", and "TCB"...

        3. Trollslayer

          Why the down votes? Don't people want to know what really goes on?

        4. JohnFen

          "Because copyright and a whole bunch of legal issues are not always criminal issues"

          Even in civil cases, you can get a judge to issue a subpoena for the required information.

          1. Anonymous Coward
            Anonymous Coward

            "Even in civil cases, you can get a judge to issue a subpoena for the required information..."

            Yeah, I know that - I was replying to some guy who said:

            "I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops..."

    3. big_D Silver badge

      Have you ever tried to send an email to abuse@google.com?

      They DOSed our IP (I assume an incorrectly configured server in their data center). Sending an email to the abuse address got an automated reply "we get so many emails to this address, that we simply ignore it."

      1. VikiAi
        Unhappy

        I imagine that the modern average internet user assumes abuse@ addresses are for /sending/ abuse, not reporting it!

      2. Version 1.0 Silver badge
        Unhappy

        I abandoned emailing all abuse addresses years ago - nobody ever responded. These days I just hit delete.

    4. Nick Kew

      If only folks would go back to the original standard....

      Which "original standard" is that? My memory is hazy in my old age, but as I recollect it, none of these addresses other than postmaster@ was ever anything more than informal convention.

    5. Doctor Syntax Silver badge

      What ever happened to the good days of the "abuse@example.com"

      Could you please direct me to the RFC that specifies the provision of an abuse address?

      The most recent RFC I can find about whois (3912 from 2004) contains the entry

      5. Security Considerations

      The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality.

      Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone.

      The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing.

      The most recent I can find which specifies content (RFC 1834 from 1995) lists only admin and tech contacts as required but there's no definition as to who fills these roles so there's nothing to say it couldn't be a registrar.

      Perhaps it's time for a new RFC which reflects the requirements of the world as it is now - and takes into account the observation in 3912.

    6. Anonymous Coward
      Anonymous Coward

      Wait, that's the intended purpose of that mailbox?

      Guess I should turn off the autoresponders that belittle the sender, on my domains. Sorry, I thought that's what they were asking for.

      But can I leave argument@ and contradiction@ alone?

    7. Glen 1 Silver badge

      "The past few years "idiots" insist on using personal email addresses for the "abuse" address. Why?"

      The same reason you don't put your "system status" tracker on the same systems as the ones you're tracking.

  2. imanidiot Silver badge

    Correct me if I'm wrong but,

    Doesn't GDPR specifically ban handing over any PII to private 3rd parties (Companies or persons) without consent? IE, handing over Whois data to "security researchers" (What does that entail anyway, how does one get the badge? I've used basic google search terms to find open IP cams. Am I now a security researcher?) or to "IP lawyers" (Again, what does this entail? How do they check someone is a both a licensed lawyer and specialized in IP cases AND working on a case that involves those specific records?) would be illegal under GDPR afaik, no matter the processes they spin up for it. The ONLY way it can be legal is handing over the data to law enforcement ONLY with the correct court orders to demand that information. All the others will first have to prove to a court they have a legitimate case and then try to convince the court to provide the correct request for Whois data.

    1. don't you hate it when you lose your account Silver badge

      Yip

      Have an upvote. I was focusing on the parasites but nobody should have access to this info without a court order

  3. Doctor Syntax Silver badge

    "That led to a scramble to develop new rules that proved highly embarrassing for the organization."

    Embarrassing? ICANN? Far too much brass neck to be embarrassed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021