What flag y’er sailin’ under?


Wendy Seltzer (who is, like me, an ALAC liaison to WHOIS Task Forces 1 and 2) points to one of the many catches with whois policy.Registrars and registrants face various kinds of problems caused by massive abuse of WHOIS data. An easy answer to this consists in attempting to limit consumers of query-based WHOIS to human beings. The practical implementation is believed to consist in shutting down port 43 whois, and adding a poor imitation of a Turing Test to the web interfaces. Legitimate consumers of massive amounts of WHOIS data are then expected to make use of registrars’ dedicated bulk access mechanism.Wendy raises two issues with this approach: One, common poor imitations of Turing tests are cumbersome to use; “reading ability tests” can be a serious accessibility problem for, e.g., visually impaired data users. They are also not effective, as they essentially lead to an arms race between illegitimate data users and registrars — and it is not clear at all that registrars will win that race. Two, bulk access is expensive, which means that non-commercial legitimate data users (like researchers) rely on mass queries to port 43. Also, since whois data are a weapon in legal battles, making mass access to whois data expensive shifts the balance in these battles even more towards the wealthier party. Put more aggressively, if WHOIS is used by IP owners as a tool to harass the public, then the public should be entitled to harass back.These are persuasive arguments for keeping public access to WHOIS data unencumbered — if it wasn’t for the privacy problem: Address data — and, with thick registries on the rise, even home phone numbers — of registrants are up for grabs, for arbitrary purposes. Wendy’s answer to this is elegant (and I agree with it as a “perfect world” scenario): Give registrants the option not to supply contact data, and keep open access to all the data supplied.In the imperfect world we live in, though, there are strong incentives for registrars to collect at least some contact data, and to make that easily accessible to IP owners and law enforcement. What could a balanced imperfect world solution look like, then?

  • Strike as many data elements as possible from the WHOIS policy. There is, for instance, little non-harassing use for the registrant phone and fax numbers outside existing business relations; at the same time, these are guaranteed to infringe on individual registrants’ privacy. Administrative Contact phone and fax numbers are only marginally better. Registrars should not have to collect this information, and if they chose to collect it, they should not publish it online.
  • Ask data users to return the favor and (1) prove their identity — e.g., using a certificate in an appropriate public key infrastructure –, and (2) indicate their purpose. Make that information available to registrants and other data subjects. As a side effect, this makes it easier to prevent mass queries without resorting to bad imitations of Turing tests.

Thoughts and comments welcome.