This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security
Internet regulators are pushing a controversial plan to restrict public access to WHOIS Web site registration records. Proponents of the proposal say it would improve the accuracy of WHOIS data and better protect the privacy of people who register domain names. Critics argue that such a shift would be unworkable and make it more difficult to combat phishers, spammers and scammers.
A working group within The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s domain name system, has proposed scrapping the current WHOIS system — which is inconsistently managed by hundreds of domain registrars and allows anyone to query Web site registration records. To replace the current system, the group proposes creating a more centralized WHOIS lookup system that is closed by default.
According to an interim report (PDF) by the ICANN working group, the WHOIS data would be accessible only to “authenticated requestors that are held accountable for appropriate use” of the information.
“After working through a broad array of use cases, and the myriad of issues they raised, [ICANN's working group] concluded that today’s WHOIS model—giving every user the same anonymous public access to (too often inaccurate) registration data—should be abandoned,” ICANN’s “expert working group” wrote. The group said it “recognizes the need for accuracy, along with the need to protect the privacy of those registrants who may require heightened protections of their personal information.”
The working group’s current plan envisions creating what it calls an “aggregated registration directory service” (ARDS) to serve as a clearinghouse that contains a non-authoritative copy of all of the collected data elements. The registrars and registries that operate the hundreds of different generic top-level domains (gTLDs, like dot-biz, dot-name, e.g.) would be responsible for maintaining the authoritative sources of WHOIS data for domains in their gTLDs. Those who wish to query WHOIS domain registration data from the system would have to apply for access credentials to the ARDS, which would be responsible for handling data accuracy complaints, auditing access to the system to minimize abuse, and managing the licensing arrangement for access to the WHOIS data.
The plan acknowledges that creating a “one-stop shop” for registration data also might well paint a giant target on the group for hackers, but it holds that such a system would nevertheless allow for greater accountability for validating registration data.
Unsurprisingly, the interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.
“Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers – including prior authorization, disclosure obligations, payment of fees, etc. – in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.
“Internet users have the right to know who is operating a website they are visiting (or, the fact that it is registered anonymously),” the letter continues. “Today, individuals review full WHOIS records and, based on any one of the fields, identify and report fraud and other abusive behaviors; journalists and academics use WHOIS data to conduct research and expose miscreant behavior; and parents use WHOIS data to better understand who they (or their children) are dealing with online. These and other uses improve the security and stability of the Internet and should be encouraged not burdened by barriers of a closed by default system.”
Other public comments submitted so far reflect angst over the geopolitical ramifications of the proposed changes. For example, Afnic, which is the registry for the domain names in the geographical area of France (.fr) among others, notes that the ARDS would have to be legally established in at least one country, and its technical infrastructure would also have to be under at least one jurisdiction.
“We are concerned that the ARDS would use ‘one size fits all’ rules to assess request validity. With approximately 1500 TLDs in the root several of them will be highly local, and should not be subject to the same rules as .com or .net in terms of which Law Enforcement Agencies can request access to data,” wrote Afnic’s Pierre Bonis. “Should Chinese LEAs be granted access to private data for .berlin domain names for instance? We believe this issue is insufficiently taken into account so far.”
The Center for Democracy & Technology (CDT), a nonprofit policy think tank based in Washington, D.C., maintains that the current system is broken and raises serious privacy and free expression concerns by revealing sensitive information to the public.
“According to the OECD’s privacy guidelines, personal data should be relevant to its intended purpose and should be protected from unreasonable or unauthorized disclosure,” CDT wrote in its official comments (PDF) on the proposal. “The WHOIS system needlessly exposes registrants’ sensitive data to anonymous queries, granting easy access to malicious users.”
CDT has proposed a hybrid system that would allow individual, noncommercial registrants to choose to keep their sensitive information private, but maintain public access to commercial Web site registration information. CDT said it favors an approach similar to that adopted by Nominet — the registrar that handles the dot-uk gTLD.
“This policy properly balances the interests and obligations of commercial and non-commercial entities in the internet ecosystem: entities offering services or engaged in trade should necessarily disclose more contact information as part of WHOIS, such that the public can access details needed for commercial and legal activities,” the CDT argues. “Nominet also employs a simple but clever method of dealing with those that abuse this distinction: if Nominet determines that a commercial entity has improperly self-identified as an individual, they can change the setting on that registry entry such that more detailed commercial-entity contact information is publicly shared through WHOIS.”
Garth Bruen, principal investigator at Knujon (“no junk” spelled backwards) and a longtime, vocal critic of ICANN’s lack of progress on WHOIS data accuracy, said the working group’s interim recommendations are about burying — not fixing — the WHOIS problem.
“For 14 years now, ICANN has been criticized for not dealing with this issue directly, and now they want to bury WHOIS records behind a wall so that nobody can criticize them anymore,” Bruen said. “The offering of tiered access with higher access for law enforcement and security operations should not be seen as some kind of positive development, it is actually a red herring. Law enforcement already has superior access to registrant data, they always did. WHOIS is about ordinary Internet users being able to find out who owns a domain name. The consumer is ultimately being frozen out, now having to go to the police or some for-pay security service to get information about a domain name.”
As a journalist and cybercrime researcher, I tend to side with those who favor maintaining the status quo on WHOIS records. As the numerous stories in my Breadcrumbs series make clear, WHOIS records are extremely useful for finding and exposing fraudsters and cybercrooks. Even when spammers or scammers quite obviously put false identity and address information into WHOIS records, they still very often leave behind clues that can be used to draw important connections and correlations, such as the re-use of the same email address or phony phone number. Also, WHOIS records are extremely important means of reaching Web site owners whose sites are infected and being used to spread malicious software.
Finally, the working group’s interim report leaves open in my mind the question of how exactly the ARDS would achieve more accurate and complete WHOIS records. Current accreditation agreements that registrars/registries must sign with ICANN already require the registrars/registries to validate WHOIS data and to correct inaccurate records, but these contracts have long been shown to be ineffective at producing much more accurate records.
Dozens of comments on ICANN’s plan have been posted here and here. What do you think about it? Sound off in the comments below.