US government tells internet body to hurry the funk up on privacy The US government has warned the organization that oversees the domain name system that it needs to hurry up and finalize privacy rules for Whois internet addresses or Congress will back replacement legislation. The letter [PDF] from assistant commerce secretary David Redl to ICANN is polite but firm, congratulating a policy …
It was created in the very early days of the internet and the information was published online but, as the internet grew, so did concerns about that information being made freely available.
The intent of this whois setup was to allow everyone on the internet be able to contact a select source for abuse of the internet..
But the recommendations do not address the biggest issue: who is entitled to view the "non public" parts of the system, which means people's phone numbers, email addresses and home addresses.
I don't get it. The past few years "idiots" insist on using personal email addresses for the "abuse" address. Why? When I see a personal address in that field, I automatically think it is a faked address. What ever happened to the good days of the "abuse@example.com" email address formats??? I would even be willing to accept the word abuse translated into your local language. When we had that abuse address as looking like a valid abuse mailbox, there _was no_ personal addresses that were easy to find. If only folks would go back to the original standard....
"When I see a personal address in that field, I automatically think it is a faked address."
Why do you assume this? I assume that the domain name was registered by an ordinary person who isn't' terribly familiar with the customs involved.
I don't think the exposure of the email address is the significant issue here, though. The significant issue is the exposure of phone numbers and physical addresses. I can easily ignore all the spam that I'll get through an exposed email address, but the spam that comes through the phone and physical location is more problematic. Not to mention the real personal risk exposure of physical addresses can pose. The internet is full of crazies, after all.
That's why I have to pay extortion money to my registrar to keep that information private.
Indeed. And as Kieren describes, this is a remnant of the "early days" of the internet. After all, when people we playing around with their Mosaic and Tripod accounts, creating/ registering family websites for their holiday snaps or quirky hobbies, the idea was that the internet was for everybody, connecting people, creating a global village. I clearly remember companies scratching their heads "what to do with this new internet thing". Remarks referring to "abuse@example.com" and such other details show an experience and approach, assuming a "corporate internet", ditching these earlier ideas.
In the end, the only thing that counts is that there is legislation (GDPR) that applies and has to be complied to, something that between continents sometimes is difficult to comprehend (admit?). And for the long run, it is really about time that the global internet is governed by an international/ global in stead of some national institution.
In the early days, especially for individuals, some registrars required ID proofs (ID card, passport, etc.) to register a domain, and put you full information into the records. There was no way to put fake data there (unless using fake documents as well).
That's because there were some stringent rules about domains requests and domain names, especially if one wasn't a registered legal entity - many of them relaxed later.
Once people had no issue to have their name, address and phone number published in phone records, now that robocallers, spammers and other various crazy people multiplied through the internet it became just a risk.
I didn't bother much twenty years ago about having my data published in the whois records, but now I requested to hide them - and after GDPR it was done for free.
I don't get it
Obviously you don't. For decades peoples' private home addresses and personal phone numbers have been online. If you, as a private person, were to register a domain, the registrar would collect these information and hand them over to whois, who would publish them.
The whole "abuse@" is now irrelevant in many cases: either people don't react at all, or the contact information is wrong on purpose anyway. Also, as I understand it, publishing the "abuse@" or technical contact details (webmaster@..?) is still allowed. It is the personal information that should be kept rather more private.
I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops...
How can the US think that allowing parasites/lawyers access to this private information will pass GDPR regulations. They are private individuals, they want my private details then lay a charge and convince a judge to grant a court order to get them. Pile of bollocks if you ask me
I would be more open to this idea if it was tied to laws that allowed me to put cameras in THEIR homes and follow them constantly while muttering Like foul old Ron. BUGGERIT
"I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops..."
Because copyright and a whole bunch of legal issues are not always criminal issues, and even when they are, the cops rarely do anything about them. For example, police in the UK have practically abandoned investigating fraud because they're woefully under resourced and because there's such a gigantic volume of internet-enabled fraud. Cross-border incidents would require at least two sets of underfunded law enforcement to collaborate, and often one of those sets is bent and itself perpetrated the frauds. The ability to effectively anonymously register and use domain names is a real problem for investigating and preventing fraud, money laundering and bribery. That doesn't mean having the data public is a good idea - but it also doesn't mean "only the cops should see it".
El Reg readers dont like to hear this... AC because I actually work in this field all day every day and dont like my despair to be public.
Because copyright and a whole bunch of legal issues are not always criminal issues, and even when they are, the cops rarely do anything about them. For example, police in the UK have practically abandoned investigating fraud because they're woefully under resourced [...] at least two sets of underfunded law enforcement to collaborate
That sounds like a problem your government should fix, shouldn't they? Guess they are some what pre occupied right now, trying collectively to figure out how to spell the words "Plan B", "problem solving", and "TCB"...
"Even in civil cases, you can get a judge to issue a subpoena for the required information..."
Yeah, I know that - I was replying to some guy who said:
"I also have no clue why copyright lawyers should have access, or basically anybody at all, except law enforcement. If there is a legal issue go and get the data from the cops..."
What ever happened to the good days of the "abuse@example.com"
Could you please direct me to the RFC that specifies the provision of an abuse address?
The most recent RFC I can find about whois (3912 from 2004) contains the entry
5. Security Considerations
The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality.
Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone.
The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing.
The most recent I can find which specifies content (RFC 1834 from 1995) lists only admin and tech contacts as required but there's no definition as to who fills these roles so there's nothing to say it couldn't be a registrar.
Perhaps it's time for a new RFC which reflects the requirements of the world as it is now - and takes into account the observation in 3912.
Doesn't GDPR specifically ban handing over any PII to private 3rd parties (Companies or persons) without consent? IE, handing over Whois data to "security researchers" (What does that entail anyway, how does one get the badge? I've used basic google search terms to find open IP cams. Am I now a security researcher?) or to "IP lawyers" (Again, what does this entail? How do they check someone is a both a licensed lawyer and specialized in IP cases AND working on a case that involves those specific records?) would be illegal under GDPR afaik, no matter the processes they spin up for it. The ONLY way it can be legal is handing over the data to law enforcement ONLY with the correct court orders to demand that information. All the others will first have to prove to a court they have a legitimate case and then try to convince the court to provide the correct request for Whois data.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
