ICANN's Pre-emptive Attack On The GDPR Thrown Out By Court In Germany
from the who-is-whois-for? dept
The EU's General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems's formal GDPR complaints against Google and Facebook over "forced consent" (pdf). That hardly came as a shock -- he's been flagging up the move on Twitter for some time. But there's another saga underway that may have escaped people's notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet's namespace. Back in 2015, Mike memorably described the organization as "a total freaking mess", in an article about ICANN's "war against basic privacy". Given that history, it's perhaps no surprise that ICANN is having trouble coming to terms with the GDPR. The bone of contention is the information that is collected by the world's registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:
We realized that the domain name registration process, as outlined in ICANN's 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so. What's more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].
All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with "consent management processes", and a data flow "aligned with the GDPR's principles". ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to "preserve Whois data" -- that is, to force EPAG to collect those administrative and technical contacts. A post on the Internet Governance Project site explains why those extra Whois contacts matter, and what the real issue here is:
The filing by ICANN's Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. "The technical contact and the administrative contact have important functions," the brief asserts. "Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content."
As the tell-tale word "content" there reveals, the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material. This is precisely the same ICANN overreach that Techdirt reported on back in 2015: the organization is supposed to be running the Internet's domain name system, not acting as a private copyright police force. The difference is that now the GDPR provides good legal and financial reasons to ignore ICANN's demands, as EPAG has noted.
In a surprisingly swift decision, the German court hearing ICANN's request for an injunction against EPAG has already turned it down:
the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
However, as ICANN rightly notes, that still leaves unanswered the key question: would collecting the administrative and technical contact information contravene the GDPR? ICANN says it is "continuing to pursue the ongoing discussions" with the EU on this, and a clarification of the legal situation here would certainly be in everyone's interests. But there is another important angle to this. As the security researcher Brian Krebs wrote on his blog back in February:
For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.
There's no reason to doubt the importance of Whois information to Krebs's work. But the central issue is which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly-available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information? It's an important discussion that is likely to rage for some time, along with many others now being brought into sharper focus thanks to the arrival of the GDPR.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright, domain registrars, enforcement, gdpr, germany, privacy, whois
Companies: epag, icann, tucows
Reader Comments
The First Word
“Tell that to Shiva Ayyadurai.
Subscribe: RSS
View by: Time | Thread
Having worked for a domain name registrar and having dealt with ICANN on a regular basis in that capacity... the above statement is hogwash.
Does the copyright industry benefit from the information publicly available in whois? Sure it does. But that's not why the engineers the created the whois specification 40 years ago set up the requirements. They just thought it would be a good idea for other engineers to know who to contact if you wanted to talk directly to who owned a domain, who managed the domain, or who managed the servers.
I'm no fan of copyright overreach, and ICANN has its issues, but really, come on. Not everything is a content industry conspiracy.
[ link to this | view in thread ]
"leaves unanswered the key question" -- Whether ICANN is right!
Do you even notice that after quoting: 'Mike memorably described the organization as "a total freaking mess"', you THEN quote Krebs and argue the opposite, that ICANN should get the info because important for security?
So you then recast the story from the first "key question" into "the central issue is which is more important for society" -- which you don't even attempt to answer! I assume because noticed yourself muddled. And you left behind all of Masnick's folderol about Jane Blogger having to supply personal info.
Anyhoo. On this, "the court" may be right, but it's still not invasive if Admin and Tech make three people in all. You're not required to have a web-site in order to publish your views. (You COULD usefully compare ICANN's demands to Facebook's, but you give no context.) In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can't easily remain anonymous, even though apparent intent is to publish to the entire world.
[ link to this | view in thread ]
Here's my prior for Techdirt "free speechers" to censor AGAIN:
You'd be slightly more credible if didn't support Google surveilling everyone everywhere on the net.
But since Techdirt has tons of Google's javascript (just save a complete page and look!), with the purported bad enough purpose of targeting advertising, which in fact is collated and used to identify persons everywhere on the net, and which gives NSA "direct access", then as usual you have zero credibility to rail about "privacy" for commercial interests. Since when does Google respect MY privacy? It's unavoidable. You can't even "opt out" unless Google can identify you! -- Or Techdirt? You claim can do anything you want with names and other info!
Oh, but requiring businesses to fill out an email, that's tyranny!
As ever for Masnick, he only worries that commercial interests might be a little incovenienced, with no concern for the public, let alone for scams and other known problems.
Every time "business" comes up seems Masnick never heard of commercial law and that businesses are licensed entities that have intrinsic NO rights, are NOT persons, are subject to vast number of constraints and requirements. Masnick comes across like Mitt Romney, simply doesn't understand that ordinary people rightly regard businesses as predatory.
https://www.techdirt.com/articles/20150623/17321931439/icanns-war-whois-privacy.shtml#c88
[ link to this | view in thread ]
Re: engineers the created the whois specification 40 years ago?
There was no Whois in 1978 and, even once it was created, it was more likely to be a list of research institutions - not private individuals. The hucksters, the lawyers and the spammers didn't get to run roughshod to destroy the network until the 1990's. Frivolous libel suit threats still had to be directed at printed newspapers as no one had heard of WWW - and even then "all the news that doesn't offend the advertisers" was more of a constraint than spurious litigation. Newspapers were pillars of the community and took their role seriously. By contrast, any dang fool can register a domain today, get space on a shared webserver and become a blogger... and it's silencing these people through frivolous and vexatious legal threats which is the bread and butter of too many "reputational management" ambulance chasers. Whois gives them a list of people to harass. All a recent phenomenon. Whatever existed 40 years ago is irrelevant today.
[ link to this | view in thread ]
Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
[ link to this | view in thread ]
Re: Re:
Tell that to Shiva Ayyadurai.
[ link to this | view in thread ]
Re:
Have a SESTA vote.
[ link to this | view in thread ]
Re: Re: engineers the created the whois specification 40 years ago?
OK fine, RFC 812 was in 1982. So, 36 years.
True, and that perfectly illustrates my point. The people who created whois weren't thinking "we need to protect Hollywood's copyrights."
Whois is part of the infrastructure of the Internet. It's always hard to update infrastructure (whether due to expense or resistance), even if you had consensus that whois was obsolete. That's why there are some places that still need COBOL and FORTRAN programmers, why fiber-to-the-home isn't everywhere.
One of the documents I read at ICANN about GDPR wasn't an attack on it, it was more a case of "uh, guys? you aren't exactly giving us a lot of time to update things that have been part of the Internet for decades. Can you maybe give us a little extension so we don't have to worry about being in violation of EU law?"
[ link to this | view in thread ]
Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Are you stupid enough to think that only businesses own domain names? Of course you are...
[ link to this | view in thread ]
Re: "leaves unanswered the key question" -- Whether ICANN is right!
I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.
"You're not required to have a web-site in order to publish your views"
No, you crap over other peoples' sites instead.
"In the 2015 piece, Masnick is clearly most concerned that persons (and pirates) can't easily remain anonymous"
He supports anonymity for anyone who wishes it, even the tossers who pollute his site.
[ link to this | view in thread ]
Re:
A lot of things made 40 years ago are used for far different purposes than their inventors originally intended.
[ link to this | view in thread ]
Well, almost
I love this argument from someone who resolutely refuses to identify himself when spouting his ignorant nonsense.
Not quite, they refuse to comment under a name, but they clearly identify themself anyway whether they want to or not given their plethora of tells.
[ link to this | view in thread ]
Remember you have to take your meds everyday or they don’t work.
[ link to this | view in thread ]
Re: Re: Re: engineers the created the whois specification 40 years ago?
It doesn't mean it can't be used/misused/abused for that aspect. If nothing else, Hollywood is good at perverting things for their own gain.
[ link to this | view in thread ]
Re: Re: Re: engineers the created the whois specification 40 years ago?
OTOH, they had two years to do it.
[ link to this | view in thread ]
Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Also, email would be perfectly fine. It's phone numbers and home addresses of private individuals that are problematic.
Of course, you can already get around registering those by using one of the paid WHOIS-anonimyzing services. The very existence of those services means the entire rationale behind the system is bullshit.
[ link to this | view in thread ]
In other words, it hurts Krebs income stream, therefore he is complaining about it.
I respect Kreb's work. However, he is a private individual who has no particular mandate - or right - to do the work he does. If things change to make his self-employed job less lucrative, a shame for him personally, but not really a societal issue.
It's like saying that some of the recent judgements and law changes to make patent/copyright trolling harder are bad because they make life harder for, or are putting these trolling lawyers out of work, therefore we should roll them back. Or like cord-cutting is making cable less profitable, downsizing and firing people. Should we ban cord-cutting?
Shit happens, trends change to make some jobs less valuable (or less easy), while new opportunities arise.
[ link to this | view in thread ]
Hands Off WHOIS!
I use what's called a reverse firewall on my computers. It catches all calls out of my computers to IP addresses on the Internet and allows me to choose to allow them or not. Reverse firewalls are crucial for stopping malware bots and nefarious software from sending and gathering data to and from nefarious sources. The most common of these 'phone home' events is sending my personal, private data to Google Analytics, which I never allow.
But what happens when my reverse firewall can't resolve who owns a particular IP address when a process on my computer is attempting to call out to the Internet? What happens is that I am left with NO RESOURCES I can use to decide whether the call out to the net is legitimate or abusive.
Today, when I run into this problem, my recourse is WHOIS and only WHOIS. I use it at least weekly for specifically this purpose. It let's me know that an obscure IP address a process is attempting to access is only Akamai, or it's only Apple's servers, or instead it's some place I've never heard of in Russia, or the EU for that matter. With this WHOIS data I am able to CHOOSE what connections my computer makes to the Internet. I am able to DEFEND MY PRIVACY and the integrity of my computer systems.
GDPR takes ALL of that away, unless I play elaborate and annoying bureaucratic games that no mere human wants to endure. Instead, GDPR enables anonymous cowards and criminals to get away with Internet user abuse from which Internet users have only meagre recourse and redress. That's not acceptable! What we have no works for the benefit of all. If an IP address owner wants to be entirely anonymous, I say NO!
Therefore: Hands Off WHOIS! Get rid of that aspect of GDPR.
[ link to this | view in thread ]
Re: Hands Off WHOIS!
I want caffeine, now! ;-)
[ link to this | view in thread ]
Re: Re: Re: Re: engineers the created the whois specification 40 years ago?
And ICANN knew the EU's position with regards to Whois for at least thirteen years before that:
Opinion 2/2003 on the application of the data protection principles to the Whois directories, June 2003 http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en. pdf
Of course, if you've ignored someone saying something for that long, you might not notice that the message has changed...
[ link to this | view in thread ]
Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
No-ip sends me notices every so often to update my info but I just ignore those.
[ link to this | view in thread ]
Re: Hands Off WHOIS!
So, what do you do currently when the WHOIS data is private and not available for you to view? Does everything collapse around you, or do you find a different solution?
"It let's me know that an obscure IP address..."
What do IP addresses have to do with the domain name WHOIS information that this case deals with?
"If an IP address owner wants to be entirely anonymous, I say NO!|"
Then, fight the current system that allows that. You don't even get accurate geolocation data at the moment, let alone who the ISP responsible has assigned it to.
Unless, again, you're getting confused between IP and domain lookups, in which case you surely have a problem with the fact that anyone can pay extra to have their information hidden from your public lookup? What do you do in cases where false information has been provided, or ICANN's records have not been updated since the domain was registered?
[ link to this | view in thread ]
Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re: Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re: Hands Off WHOIS!
Sorry kiddies, but this is a serious conversation. Get along home now and do some relevant research of WHOIS and how it is used daily by those of us who understand the importance of computer security and privacy. Silly replies are not appreciated.
[ link to this | view in thread ]
Re:
Krebs's other point is that he uses the information to contact victims of crime. That might be a good reason for people to opt in to WHOIS listings, but no reason to force it. It's already a solved problem BTW: the registrar publishes an email address like 4ca484183f7871bf66e27377382e08a6@registrar.example and forwards whatever people send there. That's been around for years.
[ link to this | view in thread ]
Re: Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
If omitting the details will cause some cyber-apocalypse, where are the problems from these existing privacy services? Where's the crime wave emanating from .de and other domains that already provide the privacy that people are now trying to add to the ICANN roots?
[ link to this | view in thread ]
Re: Re: Hands Off WHOIS!
Neither is ignorance.
>Sorry kiddies
Fuck you.
[ link to this | view in thread ]
Re: Re: Hands Off WHOIS!
For someone so concerned about security, you seem rather averse to facts, but offended when people mention them. Your network must be a mess, if this is the data you use to manage it.
[ link to this | view in thread ]
Re:
Not everything is a content industry conspiracy
On the other hand, it's not like it's a secret that they haven't already tried. Jim Hood anyone?
[ link to this | view in thread ]
A List Of Every Process This Hurts
Transfers of Registrars
Transfers of Registrants
SSL Validations (DV, CV, and EV)
Ownership Disputes
Domain Auction
Domain Redemption
"A murr murr murr [above item X] is an artifact of internet usage and should go away anyway!" you say. That might be true but it's not the kind of this that can go away quickly or easily. As annoying of an org that ICANN is, I really stand by there side on this fight.
[ link to this | view in thread ]
Re: A List Of Every Process This Hurts
I see a lot of talk, but all seem to pretend that the voluntary private system doesn't exist in order to make their points.
[ link to this | view in thread ]
Re: Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re:
Source needed.
[ link to this | view in thread ]
Re: Re: Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re: Re: Re: Re: Hands Off WHOIS!
First, IP addresses are typically not provided to individuals. They will be sold in blocks to companies like the aforementioned Akamai, or to ISPs who then sell the IPs on, or use for dynamic hosting. They have historically also been sold as single purchases, but the vast majority of the time to businesses, not individuals (whereas a great many individuals own domain names). If you want a static IP nowadays, you'll get it from an ISP, n ot the source of the whois information.
If I do a search on RIPE for my IP address, it will tell me that it's provided by Telefonica, it won't identify me as an individual. You *can* provide personally identifiable reverse lookup information if you're running your own domain on there of course, but it's not necessary and on your own head if you make that decision.
The second is that, largely due to the above, the only information that's available in the whois will in the vast majority of cases be corporate information, which is not needed to be protected by the GDRP. There is little similarity between the two for the purposes of privacy.
The reason why the GDRP applies to domain name whois information is that people have given personal information that's searchable from anywhere in the world with an internet connection on a single public database. Millions of individuals in the EU likely own domain names without paying the extra fee for privacy. That's generally not the case with IP whois information, so the same rules aren't really applicable.
If someone would like to explain where I'm wrong, I'm all ears, but what I'm seeing is someone freaking out because they don't know what they're talking about and confusing 2 very different subjects.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Hands Off WHOIS!
Is that always the case, or is it up to your ISP whether to provide the granular details?
[ link to this | view in thread ]
Re: A List Of Every Process This Hurts
No one here said any of those things should go away. And none of those things requires the personal information the article is about to be available via whois.
And your attempt to make dishonest claims is duly noted.
[ link to this | view in thread ]
Re: Re: A List Of Every Process This Hurts
So private-by-default is fine I guess but GDPR would imply this information isn't allowed to even be recorded in the first place. It turns the whole domain registration business on it's head.
And that's just the .com world. PIR, the .org registry, doesn't even record contact data any more. This means most registrars can't sucessfully register a .org domain until the dust settles on all of this.
[ link to this | view in thread ]
Re: Re: Re: Re: Here's my prior for Techdirt "free speechers" to censor AGAIN:
Everyone wins except the registrars, and this would be relatively easy to implement; many consumer registrars already do it.
[ link to this | view in thread ]
Re: Well, almost
[ link to this | view in thread ]
Re: Re: Re: A List Of Every Process This Hurts
Do they need to? Why not just send a message to the masked email address? The registrar should then forward it to the correct person. Or is even the masked address disallowed by GDPR?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Hands Off WHOIS!
This works for more or less shady corporations, like advertising companies. I don't expect to find the home address of an attacker though.
[ link to this | view in thread ]
Re:
I agree this is garbage. Domain name registrars sell a feature called "whois privacy" for anywhere from $5 to $20/month. It costs them absolutely nothing to provide that privacy and amounts to their most profitable feature, available only to private persons and not companies. Vast numbers of domain names are thus protected and the associated personal info is not available to the public. The only way to get that personal info is to contact the registrar and petition for it; If you're not in law enforcement you can pretty much forget about getting that info.
This article was going great up to that point. After that it's just witch hunt material.
[ link to this | view in thread ]
Whois technical contact
I'm sure that there are nefarious uses, but I found the technical contact info to be critical to unwinding bot attacks.
jerry
[ link to this | view in thread ]
Re: Re: Re: Hands Off WHOIS!
Move along. This is too complicated for you. Propagandist exaggeration, confabulation and insults have no use here. Back under the bridge with you.
[ link to this | view in thread ]
Re: Re: Well, almost
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Hands Off WHOIS!
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Anonymous Coward
[ link to this | view in thread ]
Re: Hands Off WHOIS!
Firewalls do, and always have, worked in both directions.
Most home users tend to ignore the outbound configuration and allow unrestricted outbound requests. This means the user has chosen to hobble their firewall.
By enabling outbound request filtering as well is nothing special, it's how a firewall is supposed to be used.
[ link to this | view in thread ]
Re: Re: Hands Off WHOIS!
But you all couldn't be bothered to consider these possibilities and just riduculed DerekCurrie for his caution.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Hands Off WHOIS!
Do you have any idea what you are talking about? possibly WHOIS query - obviously you don't, otherwise the word possibly wouldn't be being used.
OK, here's the way any properly configured firewall works.
It blocks all requests, either incoming or outgoing. Then the user configures to allow specific source and destination IP:port sets - both incoming and outgoing.
Host-based software firewalls (including the standard inbuilt Microsoft Windows one) can be configured to pop up a warning (or question) each time an un-approved IP address access is attempted, whether incoming or outgoing. If it's a question, you can be given options such as block, allow once, allow (some other period of time), allow permanently.
This is nothing special, it is not a 'reverse' firewall, it is 'a' firewall, and doesn't use WHOIS. It does it entirely based on the list of pre-approved addresses already configured. i.e. the addresses you've already 'accepeted' by having previously chosen an 'allow' answer to the question.
[ link to this | view in thread ]
Re: Re: Re: Re: Hands Off WHOIS!
For those interested: A 'reverse' firewall monitors outbound rather than inbound computer data traffic. Regular firewalls do NOT commonly stop outgoing queries to the Internet.
Have a read about the 'reverse' firewall I use on macOS:
Little Snitch
https://www.obdev.at/products/littlesnitch/index.html
It presents the IP address being queried by specific running processes. It also provides, if it can find it (using a reverse DNS look up), the domain name that matches the IP address. But if there is no such domain name, its listed in Little Snitch as unavailable. At that point, the user has to turn to a WHOIS query for information. This is where WHOIS is, IMHO, a crucial service on and of the Internet that must never be censored.
A simple example is being presented with an IP address beginning with 17, as in 17.xxx.xxx.xxx. Little Snitch has no idea who owns that IP. If one didn't know better, one would worry it's the server address of a botnet wrangler, a place malware bots go to get their orders. Perform a WHOIS on that IP and you learn that 17.anything belongs to Apple. They own the lot! Therefore, if some new or obscure process you've never seen before is making that querie, you know it's looking to Apple servers for something or sending something to Apple servers.
As for WHOIS querie results having to give away phone numbers or email addresses or physical addresses, that's not what's crucial in the simple case I'm describing. What one wants to know is whether the questionable call out to the Internet by the mysterious process is to a legitimate location or not! If there is no WHOIS data available from any of the WHOIS services, I DENY the querie! If the resulting WHOIS data names some company or person I've never heard of and I can't connect them to the process calling out to that IP address, I DENY the querie.
Apparently, 'reverse' firewalls aren't used or understood by some people here. They are NOT part of common computer or router firewalls, which only filter queries coming INTO a computer or its LAN. The firewalls built into Windows and macOS, for instance, offer only crude blocking of queries out the Internet, typically based upon applications being run within the client's account. If I install and run an application that gathers and sends my client data to Google Analytics, for example, an OS level firewall is perfectly happy to allow that to happen! But I am not! Because I'm running a 'reverse' firewall, those queries to Google Analytics are caught and presented to me for approval or denial. I DENY them.
There is a lot of documentation about 'reverse' firewalls out on the net. Here are a few:
http://qa.answers.com/Q/What_is_reverse_firewall
https://askubuntu.com/questions/274237/reverse-f irewall-or-application-firewalls
https://patents.google.com/patent/US8453227B2/en
Thank you to those who've posted thoughtful replies to my post.
[ link to this | view in thread ]
Disappointing
For example, in my experience, most small-to-medium organizations that own domain names (namely: those that aren't large enough to have in-house IT staff) are hopeless when it comes to managing their domains. E.g. you get a request to transfer someone's domain name, but it was registered by an employee who hasn't worked there for 3 years, and who registered in their name, with a personal Hotmail address that no one else in the company has access to (not for malicious reasons, but simply because they didn't know any better). Step 1 in sorting out that kind of mess is looking at the WHOIS, because without that you often don't know basic things like "when I submit the registrar transfer request, WHERE will the EMail to authorize the transfer go" - ditto for getting the EPP/transfer code, or resetting the login with the current registrar in order to unlock the domain to allow transfer, etc. In those situations, without being able to get that info from the WHOIS records, you're basically screwed - or at the very least, you're stuck going through MCAC (manual change of admin contact) process, which will probably cost the customer 4-5 times the actual transfer fee.
And that's not speculative, I've personally run into that sort of thing with both GTLDs that had privacy enabled, and .CA domains that were registered to individuals (CIRA, the body that controls the .CA CCTLD, requires that you specify a "legal category" when registering a .CA - and if you specify that the domain is owned by individual rather than an organization, the registration info is automatically hidden in the WHOIS output). Speaking of which, if major changes are going to made to the way WHOIS has worked for more than 2 decades, I think the CIRA approach (described above) would at least be a less-bad compromise - as opposed to hiding WHOIS information for ALL domains.
The rationale that I'm familiar (and agree) with goes: if I own a domain name, then it's essential that it be possible to hold me accountable for things done with that domain name. Though I don't really see a problem doing away with the tech & billing contacts (or at least not making those public), if only for practical reasons: most organizations that actually use the tech/billing/etc contact info the way it's intended are also large enough to have their IPs, so the same information found in the tech contact should also be present in their ARIN (or equivalent) records for their IP. And in my experience, organizations smaller than that typically just enter the same info for tech/billing contacts that they enter for the registrant/admin contact (or at most, they just enter their registrar/hosting provider's info for the tech contact).
*I say that's arguable in the case of copyright trolling because, if the biggest push to keep WHOIS info public really DOES come from the *PAAs of the world, then probably a waste of effort on their part. Most of the people running sites that would be targets of copyright trolls have enough sense to hide behind WHOIS privacy and/or CloudFlare.
[ link to this | view in thread ]