Haunted by Europe's GDPR, ICANN sharpens wooden stake to finally slay the Whois vampire

Like a bad horror movie in which the vampire keeps coming back from certain death, the Whois protocol – which provides information on who owns specific internet addresses – has endured far longer than anyone wanted or expected. But the final act is nigh and the wooden stake is being sharpened. DNS overseer ICANN sent a letter …

  1. RegGuy1
    Pint

    Brexit: a smorgasbord of shit

    GDPR successfully shafts a US org, and we want to leave the EU? I mean, wow, my US employer mandated shed loads of training to make sure no one could point the finger at them. I think their trousers smelled a bit. I smiled (a lot) when I read this article.

    This proves that the EU has teeth -- albeit of the soft power variety. And we want to leave? Good luck with that.

    This is a case study if one were needed why we should revoke. A pint, because I think the EU deserves one. Hopefully Ijwit from Amsterdam.

    (cue the downvotes -- you have to give me more than 50 to beat my previous record)

  2. E 2

    IDK WTH RegGuy1 Is On About...

    But whois often does not contain useful information for a given IP or domain. Otoh it seems to be used as a source of cold leads for hordes of Indian web dev shops.

    I don't think the latter is a good reason to start hiding info: let's hope the former improves with the new scheme.

    1. Qumefox

      Re: IDK WTH RegGuy1 Is On About...

      It gives IP lawyers a name to stick on a lawsuit. Which is all they need to start collecting legal fees. The quality of the information was irrelevant.

      1. Michael Wojcik Silver badge

        Re: IDK WTH RegGuy1 Is On About...

        Yes, without WHOIS, this problem would disappear entirely. Also we'll all get free unicorns.

    2. LDS Silver badge

      "But whois often does not contain useful information"

      Depends on the registrar and the time you registered with. When I registered my domain in 2000 I had to send full identification details - which were duly inscribed in my whois record.

      Which of course is very different from what many US (and other regions) registrars do now, when they allow spammers and other crooks to register with fully fake data - as long as they pay.

  3. Danny 2 Silver badge

    It's all mixed up

    I spent about five years scaring horrible people by releasing parts of their address, not doxing them, just enough to scare them. I convinced one nasty guy he had to delete his index.dat file, knowing he couldn't and he'd freak. He freaked, but luckily didn't kill anyone.

    I spent another five years warning really nice people how and why to hide their details. Because, people like me. I mean many bad people are like me, nobody likes me.

    We should also ban telephone directories

    1. YetAnotherLocksmith Bronze badge

      Re: It's all mixed up

      To be fair, telephone directories are pretty rare now, off-line, anyway.

      1. Michael Wojcik Silver badge

        Re: It's all mixed up

        I wish. I had two dropped off at my door this month.

    2. GlenP Silver badge

      Re: It's all mixed up

      We should also ban telephone directories

      There has been an option for many years to be ex-directory.

      1. Richard 12 Silver badge

        Re: It's all mixed up

        Ex-directory has been the default for some time.

        You have to actively decide that you do want calls from double glazing salescritters walking the phonebook these days.

        1. Mike 16 Silver badge

          Re: You Decide

          And, at least if you have a landline with AT&T (formerly known as SBC. You know your rep is bad when you buy the deathstar for a better image), you _pay_ to not be listed.

      2. Venerable and Fragrant Wind of Change

        Re: It's all mixed up

        Likewise a privacy guard option on whois.

        1. Danny 2 Silver badge

          Re: It's all mixed up

          I warned an artist that she didn't have to post her home address on WhoIs because she wasn't trading from there. She must've taken it as a threat because she ghosted me. We'd been friendly before that! Weirdly, she didn't remove her address. If I do that in future I'll use an anonymous email account.

  4. rcxb Bronze badge

    Whois on DNS domains has been crud for a long time, but the whois info on blocks of IP addresses is still excellent information, and I sure hope that doesn't go away, or get locked up.

  5. Claverhouse Silver badge

    The Count Was...

    Aren't Vampires invisible in mirrors?

    1. LDS Silver badge

      Re: The Count Was...

      It was before they wanted to appear in selfies too....

  6. Anonymous Coward

    Consumer loses

    How, as a consumer, are you now going to check up on a website offering very low prices, but that you haven't heard of before?

    I have used Whois MANY times, to discover the " Established UK eTailer" was actually registered last week to someone in Belarus or Shenzhen, with a fake address or post box address that showed up as a curry house on the high street (for example).

    I also found one (obviously Chinese), ebay seller listing his address as 1 Canary Wharf; I reported him, but last time I looked, ebay were still allowing him to use the site.

    1. Doctor Syntax Silver badge

      Re: Consumer loses

      Yes, for users the issue is not so much on the protocol as on getting the information it contains right. Of course if the "established e-Tailer" is "Nominet was able to match the registrant's name and address against a 3rd party data source" then you can consider it fair warning. If the registrant is a business, tell us because it isn't PII. If it's an individual then comply with GDPR or equivalent legislation elsewhere. Sole traders need to be considered; off hand I'm not sure what GDPR has to say about those as data subjects.

      1. Roland6 Silver badge

        Re: Consumer loses

        Currently it seems NominetUK list nothing; yes it may verify a company given as the registrant has matching records at Companies House, but a whois lookup returns little that is useful in helping to determine the trustworthiness of a website. So it currently seems all registrants: companies or individuals, are being treated as equals under GDPR.

        This is causing problems, for example recently I have had cause to recover control of some domains for a client (staff leaving both client and their IT support provider), for which it was necessary to determine the email address that had been used for the registration. Chatting with support and Nominet was fun as we navigated around GDPR as the registrar wasn't going to give out information that might potentially fall under GDPR. For example, whilst the website might have had the same name as the company and listed the company's registered address in its registration, the contact email address was that of a named individual and thus was considered to be protected under GDPR. However, we needed to know the contact/registrant email address so that we could identify who needed to do the password reset and so update contact/ownership records...

  7. Venerable and Fragrant Wind of Change
    FAIL

    RIP

    It's been a progressive decline over many years, but whois was once genuinely useful. Want to know if something is genuine or a phisher? Whois was a useful tool: check if $domain is registered to $respectable-co or to $dodgy-geezer, and more crucially whether it's just-registered or has been around far longer than the lifetime of a bare-fraud domain.

    My recollection is that for a brief period, when Verispam bought the Notwork Solutions monopoly, the registrar itself presented a spam problem. The world was able to deal with that, as other registrars behaved better when the monopoly was broken. What a shame the world didn't review whois at or around that time to keep (even perhaps strengthen) the useful parts but protect the spam-vulnerable.

    Add that to things like right-to-be-forgotten helping a fraudster hide exposure, and the 'net just gets friendlier for the seriously-bad-guys.

    Requiescat in Pace.

  8. Pascal Monett Silver badge
    Happy

    So, GDPR has cowed ICANN

    Man, it's good to be alive today.

    After all the times I wanted to personally go to 12025 Waterfront Drive, drag whoever was at the helm of Suite 300 behind the chemical shed and shoot the effin' bastard, finally, finally I can envision my future without a striped shirt and iron bars.

    ICANN is still scum, but now that it has been emasculated I can live with it.

  9. Mike 137 Bronze badge

    Whois & GDPR

    WHOIS need not have been in breach of the GDPR, except for the fact that compliant consent had not been obtained for most of the entries publishing personal data by the time GDPR came into force. It should have been possible to (a) pre-empt the problem given that the GDPR was public knowledge for several years while in the making and (b) obtain consent or arrange for non-publication at domain renewal time. Both these options seem to have been too esoteric for ICANN. So now we lose a very valuable way of detecting online fraudsters, as the hoops we'll have to jump through in the future will be about as fast and effective as UK Action Fraud.

    However the high volume of bogus entries has long made WHOIS quite unreliable anyway.

  10. Richard Cranium

    WHOIS was useful...

    Well it would have been if it had been done properly.

    It was useful to be able to check that an owner was legitimate - but even more useful if the WHOIS data was properly validated so scammers couldn't buy a domain and give fake details.

    It was useful if there was a domain you might be willing to sell or one you might want to buy, easier for the two parties to get in contact.

    If there was an opt-in/out option the domain owner could decide whether they wanted to be listed and possibly what level of detail. Domain name owners could make their own choices and anyone making a whois search could make useful inferences from those choices.

    I used to run an internet business, we would register domain names using the customer's name as "owner" but with our contact details. That meant we got all the spam and, as it usually had fairly predictable content and structure, it was easy to filter the garbage and respond or forward any legitimate messages. Our concern was that end-users were not good at spotting the scams and might respond. Before we started using our contact details the most common queries we got from our customers related to fake domain name renewal emails and the "someone wants to buy [your domain name].cn or .asia, if that's not OK we will secure it for you" scam. We were concerned that some might not check with us first and pay-up.

    1. Roland6 Silver badge

      Re: WHOIS was useful...

      >I used to run an internet business, we would register domain names using the customer's name as "owner" but with our contact details.

      I would hope that for your contact email address you used something of the form:

      nominet@RC-ISP.co.uk and not Richard@RC-ISP.co.uk.

      The first is clear to a human (support agent) that this is a business email address and not an individual's and thus doesn't fall under GDPR.

  11. Rich 2 Silver badge

    RDAP

    Ok, help me here. I know bugger-all about RDAP.

    Will RDAP be "better" than whois? If everyone and his cat has access to RDAP then I'm guessing not.

    So, who's deciding how the RDAP data will be accessed? And by whom? And what (if anything) does GDPR have to say about that?

    Answers on a postcard please. Or an email :-)

    1. Michael Wojcik Silver badge

      Re: RDAP

      RDAP is a protocol; everyone has "access to it". ICANN provides a web client.

      ICANN is trying to make all registrars support it. The article suggests this effort is now pretty well along, though the first two domains I tried to look up failed RDAP lookups. (The third succeeded.)

      Apparently the RDAP agreement restricts access to some PII and allows for further restrictions, but I couldn't be bothered to read the details. The RDAP FAQ does suggest that there may be more information available to "authenticated users" than to anonymous ones. I suspect we'll have to see how it all unfolds.

      1. IT Hack
        Pint

        Re: RDAP web client

        Much to my amusement I was returned the below message when I tried to look up our company domain name -

        "No registry RDAP server was identified for this domain. Attempting lookup using WHOIS service."

        Beer coz it's the only solution.

        1. A.P. Veening Silver badge

          Re: RDAP web client

          Nope, both whisky and whiskey are better solutions.

  12. Big_Boomer Bronze badge

    Secure?

    RDAP is a secure database that limits who gets access to the data,..... until someone hacks it and sells it to anyone they can. Then it will be as if Whois never went away, except that we law abiding citizens will not be able to check up on domains and their owners. Shop from unknown websites at your own risk. Amazon must be loving this.

    1. Mike 16 Silver badge

      Re: Secure?

      Precisely! Normal people will be unable to get any relief from unintentional DOS or check the (alleged) provenance of possible scammers, but "authenticated" (either by a secret court or an envelope of cash) users will still be able to stalk you.

      The problems of Whois will not be solved by changing from plain text BS to BS wrapped in a typical modern "don't fall in love with the protocol, as it will break when new emoji are added" protocol.

  13. gnarlymarley Bronze badge

    And the 90-day negotiations will cover a “plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.” Which, in non-policy wonk language, means Whois is finally going to die. And not a decade too soon.

    Technically, you can say I don't care how I get my abuse address, but I still want to get my abuse address. What is the point in killing WHOIS, if the same information will be still available via another protocol? If you say it is to stop bots, then you are lying as bots will change to match the new protocol.

    I am currently working on a design where my firewall blocks IP connections unless I can look up and acquire an abuse contact. (This means that if you want to connect to me then you will provide your information in a public viewable form. Which said idea, I respond and say why get rid of the WHOIS protocol if the new RDAP does EXACTLY the same thing!)

    1. Michael Wojcik Silver badge

      In theory, RDAP provides more granularity, so a registrar can return a subset of the information currently available by WHOIS. I've only given it a cursory look, though.
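
Several comments above turn on two lookups: whether a domain was only just registered, and whether an abuse contact can still be obtained once RDAP returns a subset of the data. The following is an added example, not code from the article or any commenter, showing both checks against an RDAP domain response in the JSON shape defined by RFC 9083. The sample response, the `shop.example` names and all function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the RDAP JSON shape (RFC 9083); not a real response.
SAMPLE = json.loads("""{
 "ldhName": "shop.example",
 "events": [{"eventAction": "registration", "eventDate": "2019-10-20T09:00:00Z"}],
 "entities": [
  {"roles": ["registrant"], "remarks": [{"title": "REDACTED FOR PRIVACY"}]},
  {"roles": ["registrar"], "entities": [
    {"roles": ["abuse"], "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["email", {}, "text", "abuse@registrar.example"]]]}]}]}""")

def walk_entities(obj):
    """Yield every entity, including ones nested under another entity."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def vcard_values(entity, prop):
    """Values of one jCard property; [] when the card is absent or redacted."""
    card = entity.get("vcardArray", ["vcard", []])
    return [item[3] for item in card[1] if item[0] == prop]

def abuse_emails(rdap):
    """E-mail addresses of every entity carrying the 'abuse' role."""
    return [e for ent in walk_entities(rdap) if "abuse" in ent.get("roles", [])
            for e in vcard_values(ent, "email")]

def registered_days_ago(rdap, now):
    """Age of the registration in days, or None if no such event is given."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            when = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (now - when).days
    return None

def summarize(rdap, now, young_days=30):
    """Combine both checks; young_days is an arbitrary illustrative threshold."""
    age = registered_days_ago(rdap, now)
    return {"domain": rdap.get("ldhName"), "age_days": age,
            "recently_registered": age is not None and age < young_days,
            "abuse_emails": abuse_emails(rdap)}
```

In the sample the registrant entity is redacted, yet the registration date and the registrar's abuse contact are still recoverable, which is the subset behaviour the last reply describes.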


Biting the hand that feeds IT © 1998–2019