


Proposed changes to WHOIS system called ‘extremely disquieting’

Sep 17, 2013

ICANN plan for closed domain name record system criticized over putting too much power into one group's hands

A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current WHOIS system for domain name registration records.

The expert working group of the Internet Corporation for Assigned Names and Numbers (ICANN) has proposed (PDF document) establishing an Aggregated Registration Data Service (ARDS) for storing all records. The system would be closed by default, and people or organizations would have to convince the controlling body of a legitimate need for the data.

Currently, registrants store registration records, and anyone can go to a number of sites that use the WHOIS query and response protocol to retrieve all the public information. The working group agrees with critics that the system in use today provides too much inaccurate information, and fails to protect the privacy of individuals and entities with a legitimate right to keep the information out of the public domain.

Critics of the working group’s proposal agree that the system is broken, but disagree with the recommendation that today's openness be replaced with a system that is closed by default. Under the proposed system, individuals or entities that want registration data would have to apply to a central authority for “access credentials to the ARDS.”

“What the ARDS proponents fail to realize is that WHOIS data isn’t separate from the Internet — it’s part of the Internet itself, and they are trying to centralize global control over who gets to access that key Internet information, what can be done with it and why,” John Horton, president of LegitScript, told CSOonline on Monday. “It’s extremely disquieting for one organization to be given that much power.”

LegitScript joined DomainTools, G2 Web Services and OpSec Security in sending a letter to ICANN listing their objections to the proposed changes (PDF document). The potential problems listed by the group included hampering future innovative uses of the WHOIS data.

“Since its inception the Internet has been a powerful force of innovation and creativity primarily for the reason that there are relatively few barriers to entry,” the letter said.


Not everyone disagreed with the working group. The Center for Democracy & Technology said the group did a “good job” in recommending access restrictions to currently available data. Nevertheless, it did not go far enough in determining what data should actually be handed over to registries.

“We question whether registering a domain should automatically publish that registrant’s personal data in the equivalent of an ‘Internet phone book,’” the CDT said in a statement.

While commercial organizations would have to provide WHOIS data, the CDT favored allowing individuals to opt out entirely. The reasoning behind the exception would be to protect political dissidents from government surveillance.

To prevent spammers from gaming the system, the CDT suggested using anti-abuse teams to report suspicious domains to registries, which could decide whether to take legal or administrative action against the sites.

The working group also proposed giving law enforcement access to more registrant data than would be made available to other requestors. That suggestion was called a “red herring” by Garth Bruen, principal investigator at Internet security research company Knujon, which is “no junk” spelled backwards.

“Law enforcement already has superior access to registrant data, they always did,” Bruen told the KrebsonSecurity blog. “WHOIS is about ordinary Internet users being able to find out who owns a domain name. The consumer is ultimately being frozen out.”

The expert working group is currently accepting comments on its proposal. The group will eventually hand a final recommendation to ICANN, but a timetable was not announced.