Proposed changes to WHOIS system called 'extremely disquieting'

A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current WHOIS system for domain name registration records.

The expert working group of the Internet Corporation for Assigned Names and Numbers (ICANN) has proposed (PDF document) establishing an Aggregated Registration Data Service (ARDS) for storing all records. The system would be closed by default, and people or organizations would have to convince the controlling body of a legitimate need for the data.

Currently, registrants store registration records, and anyone can go to a number of sites that use the WHOIS query and response protocol to retrieve all the public information. The working group agrees with critics that the system in use today provides too much inaccurate information, and fails to protect the privacy of individuals and entities with a legitimate right to keep the information out of the public domain.

Critics of the working group's proposal agree that the system is broken, but disagree with the recommendation that the openness of today be replaced with a system that is closed by default. Under the proposed system, individuals or entities that want registration data would have to apply to a central authority for "access credentials to the ARDS."

"What the ARDS proponents fail to realize is that WHOIS data isn't separate from the Internet -- it's part of the Internet itself, and they are trying to centralize global control over who gets to access that key Internet information, what can be done with it and why," John Horton, president of LegitScript, told CSOonline on Monday. "It's extremely disquieting for one organization to be given that much power."

LegitScript joined DomainTools, G2 Web Services and OpSec Security in sending a letter to the ICANN, listing their objections to the proposed changes (PDF document). The potential problems listed by the group included hampering future innovative uses of the WHOIS data.

"Since its inception the Internet has been a powerful force of innovation and creativity primarily for the reason that there are relatively few barriers to entry," the letter said.


Not everyone disagreed with the working group. The Center for Democracy & Technology said the group did a "good job" in recommending access restrictions to currently available data. Nevertheless, it did not go far enough in determining what data should actually be handed over to registries.

"We question whether registering a domain should automatically publish that registrant's personal data in the equivalent of an 'Internet phone book,'" the CDT said in a statement.

While commercial organizations would have to provide WHOIS data, the CDT favored allowing individuals to opt out entirely. The reasoning behind the exception would be to protect political dissidents from government surveillance.

To prevent spammers from gaming the system, the CDT suggested using anti-abuse teams to report suspicious domains to registries, which could decide whether to take legal or administrative action against the sites.

The working group also proposed giving law enforcement access to more registrant data than would be made available to other requestors. That suggestion was called a "red herring" by Garth Bruen, principal investigator at Internet security research company Knujon, which is "no junk" spelled backwards.

"Law enforcement already has superior access to registrant data, they always did," Bruen told the KrebsonSecurity blog. "WHOIS is about ordinary Internet users being able to find out who owns a domain name. The consumer is ultimately being frozen out."

The expert working group is currently accepting comments on its proposal. The group will eventually hand a final recommendation to the ICANN, but a timetable was not announced.
