PFIR - People For Internet Responsibility
PFIR Statement on Access to WHOIS Data

June 16, 2004

PFIR Home Page

We are extremely concerned that restricting non-bulk access to detailed WHOIS contact data could potentially have dramatic negative impacts on the security, stability, and reliability of the Internet. These concerns extend to "ad hoc" proxy registration and other obscuring techniques now being deployed by individual registrars, and to any changes proposed by ICANN or other authorities that would impact non-bulk access to WHOIS data. We are not addressing issues of WHOIS data accuracy in these comments, except to note that we believe that reasonable accuracy in this data is also crucial to Internet stability, security, and reliability.

While it is true that privacy-related problems can and do occur in relation to WHOIS -- and we have a long history working to promote privacy issues -- it is also true that the domain name system was not designed as a means of obscuring responsible parties participating in the cooperative that is the Internet.

The lack of formal centralized control over Internet operations (a situation that many would be loath to change even if it were technically possible to do so) means that in most cases of problems relating to Internet operations, site administrators are frequently on their own to track down often serious problems. Access to WHOIS data -- especially including contact telephone numbers but often physical addresses as well -- can be critical in such situations.

In our own direct experience, immediate access to WHOIS data has proven invaluable and irreplaceable in tracking down and solving both technical and non-technical operational problems relating to hackers, spams, serious network traffic congestion and related problems (both intentional in the forms of denials of service and other attacks, and unintentional in the form of remote site misconfigurations), forged e-mails, libelous statements, false postings, dishonest merchants, and on and on. Access to WHOIS data has also proven important on numerous occasions to solving problems related to personal privacy abuses brought to the attention of the PRIVACY Forum, such as libelous or otherwise falsified e-mail or postings, fraudulent merchants, credit card crimes, and a wide range of other abuses that require immediate action to contain a rapidly expanding sphere of damage.

Without straightforward and immediate access to detailed WHOIS registration and technical data, made available without having to jump through delaying hoops, many such problems can rapidly escalate in ways that are impossible to put back into the proverbial bottle.

We do agree that bulk access to such data should be highly restricted if permitted at all to non-registrars. Reasonable mechanisms (e.g., frequency-based usage "throttles") to limit the ability of a single user to rapidly extract large numbers of WHOIS entries over a short period of time also make sense. Audit trails detailing access to WHOIS data also would seem reasonable, but we do not agree that this implies that automatic notification to a domain holder every time their WHOIS information is accessed necessarily makes sense (under some scenarios, unscrupulous domain holders might use such information for retaliatory purposes). However, notifications in cases of query abuse would seem appropriate.

We do not believe that limiting access to detailed WHOIS registration and technical contact data to holders of identity certifications is practical, unless it is planned to make the purchase and maintenance of such certificates a requirement for all Internet users -- a concept that at the present time would be both controversial and unworkable from a practical standpoint.

Also, we strongly feel that making access to WHOIS registration data more limited than access to WHOIS technical data for domains would be a huge error. Both forms of data need to be readily and quickly available to deal with network security and reliability issues of all sorts.

All too often, the technical contact data shown for a domain is the main telephone number and name for a very large ISP -- often a generic low-tier ISP customer service number is the only one listed along with a low-tier ISP customer service e-mail address. Attempts to deal with important network issues on a timely basis through such contacts is unlikely to succeed. It's crucial that it be possible to have access to the registrant data which provides contacts for the entity actually operating and/or using the computers and systems in question.

Given the immediate availability of accurate registration and technical WHOIS data for a domain, it may be sensible to allow for the routine masking only of "billing address" data -- if and only if the billing address data differs from the listed registration data.

It is important to remember that virtually all network operations can technically be performed without an individually-registered domain name. It's relatively easy to postulate individual cases where someone might desire the convenience of a domain name, and simultaneously wish to protect their identity. However, just as businesses cannot operate using fictitious names without full disclosure of address and other information in the public record, domain names should not become widely seen as an obscuring mechanism, regardless of whether or not they are being used for business purposes.

Time is often of great essence when network-related problems appear. If a site starts flooding other sites with unwanted data (either purposely or through configuration error), the targeted organizations and/or individuals may be utterly unable to conduct normal Internet traffic, including basic functions such as e-mail and Web access. For many entities, such a situation may be devastating and even dangerous. It's critical to have the ability to use other facilities to rapidly track down the source of the problems -- often by using the phone to call the listed WHOIS contacts for the offending site -- especially when network connectivity has been disrupted by those very problems.

On the non-technical front, how much time should be required between, for example, the appearance of forged e-mails or wider Internet postings containing libelous materials, false accusations aimed at ruining reputations or causing massive financial loss, vs. the ability of the aggrieved party to start discovering who is behind the attack before reputations or even entire organizations are massively damaged? Timely access to registrant WHOIS data can be crucial in such cases, because as a practical matter there is nowhere else to go for all but the most well-heeled of Internet users.

WHOIS data is also critical in avoiding misunderstandings over similar sounding or appearing domain names, often purposely chosen to foster user confusion. This class of problem has becoming increasingly severe with the massive proliferation of domain names, and will be exacerbated with the internationalization of domain name character sets.

In numerous cases, upset individuals have assumed that one domain that appears similar to another is the source of their aggrievements -- even to the level of threatening immediate legal or police action. Often a quick reference to WHOIS, showing that the two domains are not affiliated and are at different locations, is enough to prevent such situations from blowing completely out of control unnecessarily. Without the WHOIS data, such situations would be much more difficult and time consuming to clear up. While some lawyers might well relish this prospect, most of the rest of us would not.

The sorts of cases described above, among many others, represent situations we've already seen where immediate and complete WHOIS access was key to fixing the situation -- or at least limiting or preventing further damage.

Certainly nobody conducting any sort of commercial or non-commercial financial transactions relating to their domain names should be permitted to mask any portion of their registration data in any manner. One would think that this point would be obvious to all observers. But as the examples above demonstrate, the potential security, reliability, and other risks from unavailable, delayed, or partial access to complete WHOIS data for any domain -- even ones not engaged in financial transactions or business operations -- can be extremely serious.

When an attack on your systems is occurring, whether purposeful or accidental, it doesn't matter if the perpetrator is a multi-billion dollar transnational conglomerate or a nice suburban family using the Net strictly for fun. A way is needed to immediately find out who is behind the trouble and contact them as quickly as possible. Again, many of these problems can be cleared up with a single phone call.

We recognize that there may be an extremely limited set of cases where domain holders might demonstrate a clear public safety or other critical need that may possibly justify masking of some WHOIS data related to their domains. However, even in this narrowly circumscribed context we would object to such masking on stability, security, and reliability grounds unless a third-party entity -- reachable by phone on a 24/7/365 basis, and in possession of all contact information for such domains, existed to act as a "go-between" to immediately reach those domain holders in the kinds of situations we have described above, while still protecting those domain holders' identity information to an appropriate extent.

Again, such a third-party service should be extremely limited in scope to only handling queries regarding domains that have shown a demonstrated, justifiable need for masking.

For all but a relatively few domains, WHOIS technical contact and registration data should be directly and immediately available from WHOIS for non-bulk access by any Internet users. In the globally distributed, non-centrally-controlled Internet, this is crucial to the continued operation of the Internet itself.

- - - - -

Lauren Weinstein
lauren@vortex.com or lauren@privacyforum.org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, URIICA - Union for Representative International Internet
     Cooperation and Analysis - www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
http://www.pfir.org/lauren

Peter G. Neumann
neumann@pfir.org or neumann@csl.sri.com or neumann@risks.org
Tel: +1 (650) 859-2375
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, URIICA - Union for Representative International Internet
     Cooperation and Analysis - www.uriica.org
Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks or http://www.risks.org
Chairman, ACM Committee on Computers and Public Policy - http://www.csl.sri.com/neumann
Principal Scientist, SRI International Computer Science Laboratory - http://www.csl.sri.com/neumann

David J. Farber
dave@farber.net
Tel: +1 (412) 726-9889
Distinguished Career Professor of Computer Science and Public Policy,
     Carnegie Mellon University, School of Computer Science
Member of the Board of Trustees EFF - www.eff.org
Member of the Advisory Board -- EPIC - www.epic.org
Member of the Advisory Board -- CDT - www.cdt.org
Member of Board of Directors -- PFIR - www.pfir.org
Co-Founder, URIICA - Union for Representative International Internet
     Cooperation and Analysis - www.uriica.org
Member of the Executive Committee USACM
www.cis.upenn.edu/~farber

(Affiliations shown for identification only.)