There’s a real security issue with ditching public Whois. Do the benefits outweigh the costs?
I’ve written a lot about GDPR and how the domain registrar/registry ecosystem is responding to it. Privacy advocates are using this as an opportunity to push for privacy across the board, and I think this is a bad idea.
Security journalist Brian Krebs wrote an excellent Q&A on Friday explaining the trade-offs that come with no public Whois. He gives concrete examples of how he (and security researchers) have used Whois to track down bad guys. Many people reading this blog have also used Whois for the same purpose, such as tracking down stolen domains.
It’s the last two paragraphs of Kreb’s post that I think are most important:
If opponents of the current WHOIS system are being intellectually honest, they will make the following argument and stick to it: By restricting access to information currently available in the WHOIS system, whatever losses or negative consequences on security we may suffer as a result will be worth the cost in terms of added privacy. That’s an argument I can respect, if not agree with.
But for the most part that’s not the refrain I’m hearing. Instead, what this camp seems to be saying is if you’re not on board with the WHOIS changes that will be brought about by the GDPR, then there must be something wrong with you, and in any case here a bunch of thinly-sourced reasons why the coming changes might not be that bad.
It is frustrating to read advocacy pieces from groups that downplay the damage that hidden Whois will have. It’s true that there will be some good things that come from hiding registrant information. I’d argue the bad outweighs the good.