Whois vs GDPR, latest news
Jimmy Hess
mysidia at gmail.com
Wed May 23 02:07:24 UTC 2018
Perhaps it's time that some would consider new RBLs and Blackhole feeds based on.... :
Domains with deliberately unavailable WHOIS data.
Including domains whose registrant has failed to cause their domain registrar and/or registry to list personally identifiable details for registrant and contacts on servers available to the public using the TCP port 43 WHOIS service.
For any reason, whether use of a privacy service, or by a Default "Opt-to-Privacy Rule" enforced by a local / country-specific regulation such as GDPR.
Stance
* Ultimate burden goes to the REGISTRANT of any Internet Domain to take the steps to ensure their domain or IP address registry makes public contacts appear in WHOIS at all times for their Domain and/or IP address(es) --- including a traceable registrant name AND direct Telephone and E-mail contacts to a responsible party specific to the domain from which a timely response is available and are not through a re-mailer or proxy service.
People may have in their country a legal right to secure control of a domain on a registry And anonymize their registration: "Choose not to have personal information listed in WHOIS".
HOWEVER, Making this choice might then result in adverse consequences towards connectivity AND accessibility to your resources from others during such times as you exercise your option to have no identifiable WHOIS data.
The registration of a domain with hidden or anonymous data only ensures exclusivity of control. Registration of a domain with questionable or unverifiable personal registrant or contact information does not guarantee that ISPs or other sites connected to the internet will choose to allow their own users and DNS infrastructure access to un-WHOISable domains.
Then have:
-------------------
* Right-hand sided BLs for Internet domains with no direct WHOIS-listed registrant address and real-person contacts including name, address, direct e-mail and phone number valid for contact during the domain's operational hours.
* Addons/Extensions for Common Web Browsers to check the BLs before allowing access to a HTTP or HTTPS URL. Then display a prominent "Anonymized Domain: Probable Scam/Phishing Site" within the Web Browser MUA; And limit or disable high-risk functions for anonymous sites: such as Web Form Submissions, Scripting, Cookies, Etc to Non-WHOIS'd domains, if the domain's WHOIS listing is missing or showed a privacy service, or had appeared truncated or anonymized.
* IP Address DNSBL for IP Address allocations with no direct WHOIS-listed holder address real-person contacts, including name, address, direct e-mail and phone number valid for contact during the hours when that IP address is connected to the internet.
* DNS response policy zones (for resolver blacklists) for internet domains with no WHOIS-listed registrant & real-person contacts including name, address, direct e-mail and phone number valid for contact.
The EU GDPR _might_ require your registrar to offer you the ability Opt by default to mask your personal information and e-mail from domain or IP WHOIS data,
But should you choose to Not opt to have identifiable contacts and ownership published:
There may be networks and resources that will refuse access, Or whose users will not be allowed to resolve your DNS names, due to your refusal to identify yourself/provide contacts for vetting, identifying and reporting technical issues, abuse, etc.
Real-Life equivalent would be.... Directories/Listings of Recommended businesses that refuse to accept listings from businesses whose Owner wants to stay Anonymous.
Or people who don't want to buy their groceries from random shady buildings that don't even have a proper sign out.....
--
-JH
On Wed, May 16, 2018 at 4:10 PM, Constantine A. Murenin
<mureninc at gmail.com> wrote:
> I think this is the worst of both worlds. The data is basically still
> public, but you cannot access it unless someone marks you as a
> "friend".
>
> This policy is basically what Facebook is. And how well it played out
> once folks realised that their shared data wasn't actually private?
>
> C.
>
> On 16 May 2018 at 16:02, Brian Kantor <Brian at ampr.org> wrote:
>> A draft of the new ICANN Whois policy was published a few days ago.
>>
>> https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf
>>
>> From that document:
>>
>> "This Temporary Specification for gTLD Registration Data (Temporary
>> Specification) establishes temporary requirements to allow ICANN
>> and gTLD registry operators and registrars to continue to comply
>> with existing ICANN contractual requirements and community-developed
>> policies in light of the GDPR. Consistent with ICANN’s stated
>> objective to comply with the GDPR, while maintaining the existing
>> WHOIS system to the greatest extent possible, the Temporary
>> Specification maintains robust collection of Registration Data
>> (including Registrant, Administrative, and Technical contact
>> information), but restricts most Personal Data to layered/tiered
>> access. Users with a legitimate and proportionate purpose for
>> accessing the non-public Personal Data will be able to request
>> such access through Registrars and Registry Operators. Users will
>> also maintain the ability to contact the Registrant or Administrative
>> and Technical contacts through an anonymized email or web form. The
>> Temporary Specification shall be implemented where required by the
>> GDPR, while providing flexibility to Registry Operators and Registrars
>> to choose to apply the requirements on a global basis based on
>> implementation, commercial reasonableness and fairness considerations.
>> The Temporary Specification applies to all registrations, without
>> requiring Registrars to differentiate between registrations of legal
>> and natural persons. It also covers data processing arrangements
>> between and among ICANN, Registry Operators, Registrars, and Data
>> Escrow Agents as necessary for compliance with the GDPR."
--
-Mysid
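
Added example (not part of the original post or thread): a sketch of the check the message proposes, classifying a port-43 WHOIS reply as missing, redacted, privacy-service, truncated or identifiable, and emitting DNS response policy zone records for everything that is not identifiable. The marker strings, field names and `.example` sample replies are constructed assumptions, not data from the thread.

```python
# Added illustration; marker strings and sample replies are constructed assumptions.
REDACTION_MARKERS = ("redacted for privacy", "data protected", "not disclosed")
PROXY_MARKERS = ("privacy", "proxy", "whois agent")
REQUIRED = ("registrant name", "registrant email", "registrant phone")

def parse_whois(text):
    """Map lowercased 'Key' -> value for each non-empty 'Key: value' line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def classify(text):
    """Return missing / redacted / privacy-service / truncated / identifiable."""
    fields = parse_whois(text)
    values = [fields.get(k, "") for k in REQUIRED]
    if not any(values):
        return "missing"
    haystack = " ".join(values + [fields.get("registrant organization", "")]).lower()
    if any(m in haystack for m in REDACTION_MARKERS):
        return "redacted"
    if any(m in haystack for m in PROXY_MARKERS):
        return "privacy-service"
    return "identifiable" if all(values) else "truncated"

def rpz_records(verdicts):
    """RPZ lines ('CNAME .' answers NXDOMAIN) for each non-identifiable domain."""
    lines = []
    for domain, verdict in sorted(verdicts.items()):
        if verdict != "identifiable":
            lines += [f"{domain} CNAME . ; whois={verdict}",
                      f"*.{domain} CNAME . ; whois={verdict}"]
    return lines

SAMPLES = {  # constructed port-43 style replies, reserved .example names
    "open.example": "Registrant Name: Pat Doe\nRegistrant Email: pat@open.example\n"
                    "Registrant Phone: +1.5555550100\n",
    "masked.example": "Registrant Name: REDACTED FOR PRIVACY\n"
                      "Registrant Email: REDACTED FOR PRIVACY\n",
    "proxied.example": "Registrant Name: Example Privacy Service\n"
                       "Registrant Email: abc123@relay.example\nRegistrant Phone: +1.5555550199\n",
    "empty.example": "Domain Name: EMPTY.EXAMPLE\nRegistrar: Example Registrar\n",
    "partial.example": "Registrant Name: Sam Roe\nRegistrant Email:\n",
}

if __name__ == "__main__":
    verdicts = {d: classify(t) for d, t in SAMPLES.items()}
    print("\n".join(rpz_records(verdicts)))
```

Substring matching of this kind is coarse: a registrant whose real name contains one of the marker words is classified as a privacy service, so any list built this way needs review before it is published as a zone.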