Revision 14 by Nick Ashton-Hart on Oct 8 2:56am
Revision 15 by Nick Ashton-Hart on Oct 14 3:12am

Multi-language Versions: "SiZH"(file: AL.ALAC-ST-0908-3 ALAC Statement on WHOIS Hypothesis WG - siZH.doc) "RU"(file: AL.ALAC-ST-0908-3 ALAC Statement on WHOIS Hypothesis WG - RU.doc)  "FR"(file: AL.ALAC-ST-0908-3 ALAC Statement on WHOIS Hypothesis WG - FR.doc) "ES"(file: AL.ALAC-ST-0908-3 ALAC Statement on WHOIS Hypothesis WG - ES.doc)  "AR"(file: AL.ALAC-ST-0908-3 ALAC Statement on WHOIS Hypothesis WG - AR.doc)

----

*STATUS OF THIS DOCUMENT:* Comments incorporated; document in final form.
*COMMENT DEADLINE*: 10th October 2008, 1200 UTC

*NEXT STEP FOR THIS DOCUMENT:* Final draft incorporating comments will be voted on by the ALAC at their 14th October 2008 meeting.

----

*Preliminary Note*

The At-Large Advisory Committee (ALAC) wishes to convey to the GNSO Council the ALAC's views on the report prepared by the Whois Study Hypothesis Group. The report to which this Statement pertains may be found at http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-council-26aug08.pdf.

The ALAC wishes to thank the members of the ALAC community who participated in this statement: Carlton Samuels, Alan Greenberg, Danny Younger, Patrick Vande Walle and anonymous contributors.

We note there is no clear distinction in the document between whois services, as provided through whois servers compliant with RFC 3912, and whois-like services provided through web-based systems. The differences are important in analyzing how the systems can be misused.

The text-based whois service suffers from its simplicity. It makes bulk data download easy. By contrast, web-based whois systems can be better tailored to limit bulk queries through captcha validations or other techniques.

With regard to the text-based version of whois, we note and agree with the writers of RFC 3912: "The WHOIS protocol has not been internationalised. The WHOIS protocol has no mechanism for indicating the character set in use. [...] This inability to predict or express text encoding has adversely impacted the interoperability (and, therefore, usefulness) of the WHOIS protocol." RFC 3912 further elaborates that: "The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing".
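As an added illustration of the RFC 3912 point above (example code written for this page, not part of the ALAC statement or of any registrar's software), the decoder below shows that the same port-43 response bytes admit more than one reading when no character set is declared; the sample responses and the "Registrant Name" field layout are constructed for the example.

```python
# Added example: a WHOIS (port 43) response carries no charset indication,
# so a client can only inspect the byte pattern and must flag its guess.
# The sample responses below are constructed, not captured from a server.

CANDIDATE_ENCODINGS = ("utf-8", "iso-8859-1")


def decode_whois_response(raw: bytes) -> dict:
    """Decode raw response bytes and report how confident the reading is.

    * pure ASCII    -> identical under every candidate encoding (certain)
    * valid UTF-8   -> probably UTF-8, but every byte string is also
                       valid ISO-8859-1, so the reading is still a guess
    * invalid UTF-8 -> a single-byte legacy encoding; fall back to
                       ISO-8859-1 (which never fails) and flag it
    """
    if raw.isascii():
        return {"text": raw.decode("ascii"), "encoding": "ascii", "ambiguous": False}
    try:
        return {"text": raw.decode("utf-8"), "encoding": "utf-8", "ambiguous": True}
    except UnicodeDecodeError:
        return {"text": raw.decode("iso-8859-1"), "encoding": "iso-8859-1", "ambiguous": True}


def alternative_readings(raw: bytes) -> dict:
    """Every reading the same bytes admit under the candidate encodings.

    Nothing in the protocol says which reading is the right one.
    """
    readings = {}
    for enc in CANDIDATE_ENCODINGS:
        try:
            readings[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            readings[enc] = None  # bytes are not valid in this encoding
    return readings


def registrant_name(raw: bytes) -> str:
    """Pull the 'Registrant Name:' field out of a decoded response."""
    text = decode_whois_response(raw)["text"]
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "registrant name":
            return value.strip()
    return ""


# Constructed sample responses for the same registrant, "José Müller",
# as two registrars using different local encodings might emit them.
SAMPLE_UTF8 = b"Domain Name: EXAMPLE.TEST\r\nRegistrant Name: Jos\xc3\xa9 M\xc3\xbcller\r\n"
SAMPLE_LATIN1 = b"Domain Name: EXAMPLE.TEST\r\nRegistrant Name: Jos\xe9 M\xfcller\r\n"
SAMPLE_ASCII = b"Domain Name: EXAMPLE.TEST\r\nRegistrant Name: Jose Mueller\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_ASCII, SAMPLE_UTF8, SAMPLE_LATIN1):
        info = decode_whois_response(sample)
        print(info["encoding"], info["ambiguous"], repr(registrant_name(sample)))
        print("  all readings:", alternative_readings(sample))
```

Note that the UTF-8 sample still decodes without error as ISO-8859-1, just to a different name, which is exactly the interoperability failure RFC 3912 describes.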

With the above in mind, the ALAC considers that the text-based whois services do not serve the needs of the community anymore. This includes:
* The support of non-ASCII character sets;
* Control of the granularity of displayed data;
* The management of access rights and the auditing of accesses;
* The compliance of the Whois services with the legal requirements registrars and registries are subject to.

We urge the GNSO to consider a new whois-like service which would provide granular access rights to registrant information and proper auditing of accesses, as well as support for non-ASCII character sets. In this respect, we draw the attention of the GNSO to the SSAC recommendation expressed in SSAC-033:

http://www.icann.org/en/committees/security/sac033.pdf

More generally, the ALAC supports the GNSO Council's definition of the purpose of the whois, as expressed at the GNSO Council meeting of 12 April 2006: "The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."

On the GNSO Whois hypothesis working group studies report, we would like to make the following comments:

*Area 1 WHOIS Misuse Studies*

Comment 21 and GAC data set 2: Other cases of misuse have been reported, like identifying political opponents and other people persecuted for their opinions.

*Area 2 Compliance with data protection laws and the Registrar Accreditation Agreement*

If local laws allow a registrant (natural person) to oppose the publication of his/her data in databases like the public whois, he/she should still be allowed to register a domain name. Further analysis is needed to see if:

* Provisions under 3.3.1 and 3.3.6 of the Registrar Accreditation Agreement are compatible with the local laws of the Registrar;
* The failure of a Registrar to comply with these provisions because of local laws can lead to the termination of the RAA for said Registrar.

Further analysis is needed regarding the export of registrant data from one country to another. It may be the case that a registrar located in country X is not allowed by law to export natural persons' data to a registry in country Y. This matter is further complicated if the registry subcontracts the technical backend to an operator with its registered address in country Z and its data operations in yet another country.

With regard to gTLD registries, the ALAC notes that registry agreements include requirements for whois services which may be incompatible with the legal requirements some registries may be subject to under local law. Further analysis is needed to see if the inability of a registry to comply with ICANN's generally accepted whois requirement could be used as an eliminating criterion in the comparative evaluation process under the new gTLD program. If this were the case, the ALAC fears it would distort the evaluation process in favour of registries located in countries or regions with less stringent privacy laws.

*Area 3 Availability of privacy services*

With regard to the cost of proxy services, it should be noted that some registrars may be mandated to offer free proxy services to private individuals under local law.

*Area 5 Impact of WHOIS data protection on crime and abuse*

Regarding GAC comment 1, it is important to define what "the legitimate use of gTLD WHOIS data" is, which entities can invoke it, and how.

*Area 6 Proxy registrar compliance with law enforcement and dispute resolution requests*

Regarding Steve Metalitz's comment: It may be true that some registrars operating proxy/privacy services are not revealing registrant data when requested in a UDRP proceeding. These registrars may be prevented from doing so under local law. UDRP is an arbitration process, not a legal process. Different rules may apply, depending on local law. Further analysis is needed to see if the UDRP process is compatible with the laws the registrars have to comply with.

*Area 7 WHOIS data accuracy*

As noted in the report, "The use of non-ASCII character sets in Whois records will detract from data accuracy and readability". This matches the comments we made in the preliminary note above. The Whois Hypothesis study group should investigate whether alternative systems would allow better support for non-ASCII character sets, both in the domain names themselves and in the registrant data.

---

I reaffirm these concerns: 1) The existing text-based whois service is unfit for purpose; 2) Introducing non-ASCII characters in whois data tends to muddle rather than give clarity; 3) there should be a minimum set of whois data that is required by solemn agreement and enforced by the RAA; 4) All access to whois data must be auditable.

Carlton Samuels

_contributed by (user: guest@socialtext.net) on (date: 2008-10-03 13:20:43 GMT)_

---

A comment such as this would have far more impact if it included somewhere the lineage of the comment: that is, how it was created and by whom.

_contributed by (user: alan.greenberg@mcgill.ca) on (date: 2008-10-03 14:54:34 GMT)_

---

There are technical and legal methods for reducing the bulk data abuse of whois (port 43). But what about 'legitimate' bulk access? I.e. I have a bunch of spam, and I want a program to check the whois data on the links so I can identify whether it is from the same spammer. By blocking port 43 access, I cannot do that.

_contributed by (user: guest@socialtext.net) on (date: 2008-10-03 15:19:45 GMT)_

---

Having participated in the Council's Working Group, allow me to reiterate the conclusion reached: "There was not agreement in the Whois Studies volunteer group regarding whether or not any studies should be conducted." I was part of the contingent opposed to the notion of further studies for the following reasons:

1. Studies are being used as a delaying tactic by parties unwilling to accept the Council's duly-voted-upon WHOIS definition: "The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."

2. We have now wasted 2 1/2 years since the definition was adopted instead of moving forward with policy development.

3. Even when the ICANN Board resolves to commence studies (such as via the 18 October 2006 Resolution on Economic Studies), those studies never seem to see the light of day.

Approving more studies is nothing but a poorly-disguised effort to further delay policy development activities. If you are someone who wants no changes in the WHOIS for the next several years, then feel free to ask for more studies that will only tell us what we already know.

Danny Younger

_contributed by (user: guest@socialtext.net) on (date: 2008-10-03 20:29:39 GMT)_

---

Hypothesis:

With regard to the process to select new gTLD operators, there may be requirements in the RFP that new gTLD operators have to provide whois services similar to those the incumbents already provide. A problem may arise if a potential gTLD operator is based in a country where privacy laws restrict the amount and type of data provided through whois services.

Utility:

If the potential operator does not meet the requirements, he could be eliminated during the selection process. This would effectively distort the selection process in favour of those operators located in countries with weak or no privacy laws.

How the hypothesis could be falsified:

If the RFP for new gTLD submissions includes provisions that whois services need to be offered only to the extent allowed by local and international laws, and that this criterion will not be used to eliminate applicants, especially in case of string contention.

_contributed by (user: patrick@vande-walle.eu) on (date: 2008-10-04 17:20:11 GMT)_
