Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
EU The Internet Privacy

WHATIS Going To Happen To WHOIS? (vice.com) 66

dmoberhaus writes: A European data privacy law goes into effect in May, but it's already having far reaching consequences, especially when it comes to publicly available WHOIS data. Motherboard spoke to a domain registrar, ICANN and some security researchers about how anticipation of the EU privacy laws implementation has already gutted WHOIS data, why this is dangerous and what the future of WHOIS looks like.
ICANN requires registars to make data on their customers publicly available -- but registrars would be more than happy to stop, according to Tim Chen, the CEO of a WHOIS data analytics firm. Besides hiding their customer lists, it would also address complaints about spammers harvesting email addresses. So registars like GoDaddy "are taking this opportunity to see how far they can push things."

But the article has some sympathy for ICANN. "On the one hand, the organization is under pressure from law enforcement officials and security researchers who depend on WHOIS data to investigate possible crimes or mitigate devastating malware attacks. On the other hand, the organization must also accomodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue.

"The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."
This discussion has been archived. No new comments can be posted.

WHATIS Going To Happen To WHOIS?

Comments Filter:
  • This is total nonsense. GDRP is about disclosing how you handle data and giving people handles when they want to be removed from your system. In no way does it stop you from creating a phone book for domains holders.

    • by Anonymous Coward

      Ironic that you call it nonsense and then give a nonsense summary yourself. Data access and portability are two of the many areas you ignored. I could certainly see hosting companies making decisions to change how they present WHOIS based on GDPR, for example keeping logs of what is displayed and to whom given their responsibility to record processing of relevant data.

      • by Njovich ( 553857 )

        You misunderstand data access if you think I didn't cover it. As far as portability is concerned, that's the whole point of WHOIS, they have that covered.

    • by zifn4b ( 1040588 )
      Before you post, do a 5 second Google search and locate this nice, easy to parse GDPR Key Changes document [eugdpr.org]
      • by Njovich ( 553857 )

        Nothing here contradicts what I said. Which part would ban WHOIS?

        • by zifn4b ( 1040588 )

          Which part would ban WHOIS?

          Where is the claim that GDPR would ban WHOIS? Are you making things up? The part of the summary that is related to GDPR is that the current WHOIS service is not compatible with GDPR:

          On the other hand, the organization must also accomodate laws like the GDPR that are the only bulwark against the wholesale of individuals' data by internet giants like Google and Facebook." In 2014 ICANN suggested a "gated" registry that would only authorize access to people who identified themselves and their purpose for accessing the data. But progress has been slow, according to the article, which adds "It's uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue.

          • by Njovich ( 553857 )

            I didn't say you claimed that. Are *you* making things up? I just asked two questions, where your page contradicts my statement, and which part of GDPR forbids WHOIS. You answered neither question (your quote certainly doesn't point it out).

            • by zifn4b ( 1040588 )
              I asked you what this is in reference to and you failed to respond.

              Which part would ban WHOIS?

              I didn't claim anything of this nature and I don't see where anyone or anything did. Why would i continue to talk with someone who is making shit up? There is no way to have a conversation with someone who is doing that. If you want to continue, tell me what this statement YOU made is in reference to, otherwise, have a nice day because I don't talk with irrational people that just make things up.

  • by Camel Pilot ( 78781 ) on Saturday February 03, 2018 @02:03PM (#56062621) Homepage Journal

    Anyone who has a registered domain or ssl certificate is familiar with the perennial scam of getting a fraudulent letter or emailing informing them that their domain is about to expire please send money now.

  • Molehill (Score:5, Insightful)

    by bidule ( 173941 ) on Saturday February 03, 2018 @02:04PM (#56062625) Homepage

    What's wrong with having WHOIS point to a middleman who must forward to the owner?

    There's no privacy issue that way.

    • This - or some variant of this - is how Dreamhost has handled WHOIS for years. Currently if you look up my hobby site, the admin contact is {domain name}@proxy.dreamhost.com .

    • by davecb ( 6526 )

      I was peripheral to the discussion, and a customer bid on the "new whois" proposal: this is how it was supposed to work. A domain name in .com was supposed to be just like a business, and it was expected that the business contact could be your marketing department or in-house counsel. In .net and .org it was the same.

      In .ca, the registrant name is the registrar, and when contacted they will contact me.

    • As long as there's a mechanism where all domains from the same entity point to the same something so that I can find which domains have a common owner. I've found such _very_ handy in blocking/rejecting certain types of spammers.
  • by scripts, running methodically and slowly on various machinery, scrape whois. then spread the result beyond control.
  • by ZorinLynx ( 31751 ) on Saturday February 03, 2018 @02:07PM (#56062645) Homepage

    Most domains are owned by proxy anyway, so if you do a whois you're just going to get the name of the proxy.

    The days of using whois to hold domain owners responsible for anything have been long over for a long time; anyone doing anything shady (or just wanting basic privacy) is using a proxy.

  • by Anonymous Coward

    But I do know this much: trump will hang for treason.

  • People tend to focus on domains when it comes to WHOIS usage; however I've found myself using it more to see who administrates/SWIPP'd a given block of IPs rather than looking up often inaccurate or obfuscated info on domain ownership.

    • by sjwest ( 948274 )

      I agree - any whois that says do not block me, or "I AM NOT SPAMMING YOU" is worthy of a mallet

    • Yep. I'm not really interested in the contact details. What I want to know is where an IP originates and what subnet it is part of. I would be happy for my contact details to be held somewhere and only passed on in accordance to local laws.

      When I find that somebody has scanned my address, resulting in firewall drop messages, then I will assume that all addresses in the subnet containing that address could also be compromised. WHOIS tells me that info, and which country it is. Based on that, I'll drop the wh

  • My registrar offered to make my personal information private something like 18 months ago, an offer which I immediately accepted. As a result I've had no more scam letters from assholes telling me I owe them money to renew my domain.

    Typing a domain name into a computer without proper authority should never ever reveal the name, address and phone number of the owner for the very same reasons that in the UK you can't type the registration number of a car into a computer to obtain the name address and phone nu

  • My domain registrar (Hover.com, based in Canada) offers WHOIS obfuscation for free. I'd be an idiot not to take advantage of it.

  • The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work.

    I am going to create a piece of legislation that states "all citizens have a right to be able to time travel". I guess since it's the law we have to invent the time machine. Apparently the best approach to decision making is to shoot first and aim later.

  • My home address doesn't need to be public. I list the address of the local post office, and my real name. Mail sent there will reach me. And of course a unique email address with very strong spam filters on it. Been doing it this way more than 10 years - no problems yet.
  • The data will always find a way out. Just allow registrars to salt records, like what is done with political donations.

  • WHATIS Going To Happen To WHOIS?

    Namely [wikipedia.org]: WHEREIS, WHYIS, WHENIS and HOWIS ?

  • Just wondering if this is common. :) Its not like you have to show ID or anything. A 99 cent godaddy domain... WTF do I want to give real info anyways....
  • https://en.wikipedia.org/wiki/... [wikipedia.org]
    "Brin argues that it will be good for society if the powers of surveillance are shared with the citizenry, allowing "sousveillance" or "viewing from below," enabling the public to watch the watchers. According to Brin, this only continues the same trend promoted by Adam Smith, John Locke, the US Constitutionalists and the western enlightenment, who held that any elite (whether commercial, governmental, or aristocratic) should experience constraints upon its power. And there is no power-equalizer greater than knowledge."

    From the article: "The notion that individual data should require a requester to also provide their own data is both equitable and intuitive -- the only remaining question is how to make it work."

    • That would never happen, it would deprive our journalist class of their power to define what should be paid attention to. We saw citizen journalism explode in 2016 and Google/Facebook/Twitter spent all of 2017 smacking it down and putting it on page 146 of the search results.
  • by Anonymous Coward

    So you have a problem with leaking "personally identifyable information" ("PII").

    So your solution is an identification-wall that requires more identification, thus more PII, and "justification" data.

    Syeah, that's gonna work.

    Why do we publish all that whois data anyway? It's a hold-over from the early days. The useful bits of info are the registration date, the organisation behind it so you can match various domains to the same owner, and (should it still have been reliable), an easy contact point for abuse

  • Every time I tried to use it to look someone up, the address was always held by some corporation clearly designed to hide that information. I don't think the database has actually been useful for at least a couple of decades.
    • I've found it still somewhat useful, in that a couple of those masking companies, like "Whois Guard" in particular on my system(1), are so bad that I can reject email for purely being from a domain that uses their services.

      (1) My current stats have >2300 unique domains using their service that I've rejected email from.

  • When I buy a domain, I can always find a coupon for free or 99 cent WHOIS privacy.
  • WHOIS is the internet-equivalent of a property registry. If I want to know who owns that building over there, I can go to the township, look in the public records, and find out. This is important, whether it's because you want to buy the building, or perhaps you have a problem with something that is happening there. Sure, in some cases, ownership will be obscured through some intermediate legal entity, but that will still be the responsible legal entity.

    WHOIS should be exactly the same thing. If you are int

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...