Haunted by Europe's GDPR, ICANN sharpens wooden stake to finally slay the Whois vampire Like a bad horror movie in which the vampire keeps coming back from certain death, the Whois protocol – which provides information on who owns specific internet addresses – has endured far longer than anyone wanted or expected. But the final act is nigh and the wooden stake is being sharpened. DNS overseer ICANN sent a letter …
GDPR successfully shafts a US org, and we want to leave the EU? I mean, wow, my US employer mandated shed loads of training to make sure no one could point the finger at them. I think their trousers smelled a bit. I smiled (a lot) when I read this article.
This proves that the EU has teeth -- albeit of the soft power variety. And we want to leave? Good luck with that.
This is a case study if one were needed why we should revoke. A pint, because I think the EU deserves one. Hopefully Ijwit from Amsterdam.
(cue the downvotes -- you have to give me more than 50 to beat my previous record)
But whois often does not contain useful information for a given IP or domain. Otoh it seems to be used as a source of cold leads for hordes of Indian web dev shops.
I don't think the latter is a good reason to start hiding info: let's hope the former improves with the new scheme.
Depends on the registrar and the time you registered with. When I registered my domain in 2000 I had to send full identification details - which were duly inscribed in my whois record.
Which of course it is very different from what many US (and other regions) registrars do now, when they allow spammers and other crooks to register with fully fake data - as long as they pay.
I spent about five years scaring horrible people by releasing parts of their address, not doxing them, just enough to scare them. I convinced one nasty guy he had to delete his index.dat file, knowing he couldn't and he'd freak. He freaked, but luckily didn't kill anyone.
I spent another five years warning really nice people how and why to hide their details. Because, people like me. I mean many bad people are like me, nobody likes me.
We should also ban telephone directories
I warned an artist that she didn't have to post her home address on WhoIs because she wasn't trading from there. She must've taken it as a threat because she ghosted me. We'd been friendly before that! Weirdly, she didn't remove her address. If I do that in future I'll use an anonymous email account.
How, as a consumer, are you now going to check up on a website offering very low prices, but that you havent heard of before ?
I have used Whois MANY times, to discover the " Established UK eTailer" was actually registered last week to someone in Belarus or Shenzhen, with a fake address or post box address that showed up as a curry house on the high street (for example).
I also found one (obviously Chinese), ebay seller listing his address as 1 Canary Wharf; I reported him, but last time I looked, ebay were still allowing him to use the site.
Yes, for users the issue is not so much on the protocol as on getting the information it contains right. Of course if the "established e-Tailer" is "Nominet was able to match the registrant's name and address against a 3rd party data source" then you can consider it fair warning. If the registrant is a business, tell us because it isn't PII. If it's an individual then comply with GDPR or equivalent legislation elsewhere. Sole traders need to be considered; off hand I'm not sure what GDPR has to say about those as data subjects.
Currently it seems NominetUK list nothing; yes it may verify a company given as the registrant has matching records at Companies House, but a whois lookup returns little that is useful in helping to determine the trustworthiness of a website. So it currently seems all registrants: companies or individuals, are being treated as equals under GDPR.
This is causing problems, for example recently I have had cause to recover control of some domains for a client (staff leaving both client and their IT support provider), for which it was necessary to determine the email address that had been used for the registration. Chatting with support and Nominet was fun as we navigated around GDPR as the registrar wasn't going to give out information that might potentially fall under GDPR. For example, whilst the website might had the same name as the company and list the company's registered address inits registration, the contact email address was that of an named individual and thus was considered to be protected under GDPR. However, we needed to know the contact/registrant email address so that we could identify who needed to do the password reset and so update contact/ownership records...
It's been a progressive decline over many years, but whois was once genuinely useful. Want to know if something is genuine or a phisher? Whois was a useful tool: check if $domain is registered to $respectable-co or to $dodgy-geezer, and more crucially whether it's just-registered or has been around far longer than the lifetime of a bare-fraud domain.
My recollection is that for a brief period, when Verispam bought the Notwork Solutions monopoly, the registrar itself presented a spam problem. The world was able to deal with that, as other registrars behaved better when the monopoly was broken. What a shame the world didn't review whois at or around that time to keep (even perhaps strengthen) the useful parts but protect the spam-vulnerable.
Add that to things like right-to-be-forgotten helping a fraudster hide exposure, and the 'net just gets friendlier for the seriously-bad-guys.
Requiescat in Pace.
Man, it's good to be alive today.
After all the times I wanted to personally go to 12025 Waterfront Drive, drag whoever was at the helm of Suite 300 behind the chemical shed and shoot the effin' bastard, finally, finally I can envision my future without a striped shirt and iron bars.
ICANN is still scum, but now that it has been emasculated I can live with it.
WHOIS need not have been in breach of the GDPR, except for the fact that compliant consent had not been obtained for most of the entries publishing personal data by the time GDPR came into force. It should have been possible to (a) pre-empt the problem given that the GDPR was public knowledge for several years while in the making and (b) obtain consent or arrange for non-publication at domain renewal time. Both these options seem to have been too esoteric for ICANN. So now we lose a very valuable way of detecting online fraudsters, as the hoops we'll have to jump through in the future will be about as fast and effective as UK Action Fraud.
However the high volume of bogus entries has long made WHOIS quite unreliable anyway.
Well it would have been if it had been done properly.
It was useful to be able to check that an owner was legitimate - but even more useful if the WHOIS data was properly validated so scammers couldn't buy a domain and give fake details.
It was useful if there was a domain you might be willing to sell or one you might want to buy, easier for the two parties to get in contact.
If there was an opt-in/out option the domain owner could decide whether they wanted to be listed and possibly what level of detail. Domain name owners could make their own choices and anyone making a whois search could make useful inferences from those choices.
I used to run an internet business, we would register domain names using the customer's name as "owner" but with our contact details. That meant we got all the spam and, as it usually had fairly predictable content and structure, it was easy to filter the garbage and respond or forward any legitimate messages. Our concern was that end-users were not good at spotting the scams and might respond. Before we started using our contact details the most common queries we got from our customers related to fake domain name renewal emails and the "someone wants to buy [your domain name].cn or .asia, if that's not OK we will secure it for you" scam. We were concerned that some might not check with us first and pay-up.
>I used to run an internet business, we would register domain names using the customer's name as "owner" but with our contact details.
I would hope that for your contact email address you used something of the form:
nominet@RC-ISP.co.uk and not Richard@RC-ISP.co.uk.
The first is clear to a human (support agent) that this is a business email address and not an individual's and thus doesn't fall under GDPR.
Ok, help me here. I know bugger-all about RDAP.
Will RDAP be "better" than whois? If everyone and his cat has access to RDAP then I'm guessing not.
So, who's deciding how the RDAP data will be accessed? And by whom? And what (if anything) does GDPR have to say about that?
Answers on a postcard please. Or an email :-)
RDAP is a protocol; everyone has "access to it". ICANN provides a web client.
ICANN is trying to make all registrars support it. The article suggests this effort is now pretty well along, though the first two domains I tried to look up failed RDAP lookups. (The third succeeded.)
Apparently the RDAP agreement restricts access to some PII and allows for further restrictions, but I couldn't be bothered to read the details. The RDAP FAQ does suggest that there may be more information available to "authenticated users" than to anonymous ones. I suspect we'll have to see how it all unfolds.
RDAP is a secure database that limits who gets access to the data,..... until someone hacks it and sells it to anyone they can. Then it will be as if Whois never went away, except that we law abiding citizens will not be able to check up on domains and their owners. Shop from unknown websites at your own risk. Amazon must be loving this.
Precisely! Normal people will be unable to get any relief from unintentional DOS or check the (alleged) provenance of possible scammers, but "authenticated" (either by a secret court or a envelope of cash) users will still be able to stalk you.
The problems of Whois will not be solved by changing from plain text BS to BS wrapped in a typical modern "don't fall in love with the protocol, as it will break when new emoji are added" protocol.
And the 90-day negotiations will cover a “plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.” Which, in non-policy wonk language, means Whois is finally going to die. And not a decade too soon.
Technically, you can say I don't care how I get my abuse address, but I still want to get my abuse address. What is the point in killing WHOIS, if the same information will be still available via another protocol? If you say it is to stop bots, then you are lying as bots will change to match the new protocol.
I am currently working on a design where my firewall blocks IP connections unless I can look up and acquire an abuse contact. (This means that if you want to connect to me then you will provide your information in a public viewable form. Which said idea, I respond and say why get rid of the WHOIS protocol if the new RDAP does EXACTLY the same thing!)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
