There’s a real security issue with ditching public Whois. Do the benefits outweigh the costs?
I’ve written a lot about GDPR and how the domain registrar/registry ecosystem is responding to it. Privacy advocates are using this as an opportunity to push for privacy across the board, and I think this is a bad idea.
Security journalist Brian Krebs wrote an excellent Q&A on Friday explaining the trade-offs that come with no public Whois. He gives concrete examples of how he (and security researchers) have used Whois to track down bad guys. Many people reading this blog have also used Whois for the same purpose, such as tracking down stolen domains.
It’s the last two paragraphs of Krebs’s post that I think are most important:
If opponents of the current WHOIS system are being intellectually honest, they will make the following argument and stick to it: By restricting access to information currently available in the WHOIS system, whatever losses or negative consequences on security we may suffer as a result will be worth the cost in terms of added privacy. That’s an argument I can respect, if not agree with.
But for the most part that’s not the refrain I’m hearing. Instead, what this camp seems to be saying is if you’re not on board with the WHOIS changes that will be brought about by the GDPR, then there must be something wrong with you, and in any case here are a bunch of thinly-sourced reasons why the coming changes might not be that bad.
It is frustrating to read advocacy pieces from groups that downplay the damage that hidden Whois will have. It’s true that there will be some good things that come from hiding registrant information. I’d argue the bad outweighs the good.
The internet is ever evolving. For domainers that don’t use private whois the new privacy rules might not be interesting, but for end-users they are. So we shouldn’t look for trade-offs but instead focus on trying to allow the kind of outdated processes in our industry to evolve, including WHOIS.
In the best-case scenario you’d have security and privacy combined without any trade-offs.
One solution to accomplish that is what we’re now implementing on our Domain Automation Network (DAN). We’re assigning a user ID to every domain owner and the domains attached to his ID are stored on our blockchain. Every transaction around the domains is tracked and stored on the ledger. So in our system, if a domain would get stolen there would be irrefutable proof and the traces would lead directly to the party that obtained the domain illegally.
So registries, registrars and marketplaces, for example, could easily and instantly verify domain ownership without accessing or viewing the private and/or sensitive data of the user. This way we solve the GDPR issue while keeping the ownership verification infrastructure intact.
And that’s just the start. We’re also introducing a new layer where we store information about who the current rentee/rentor of a domain is. This is also something that’s lacking in current WHOIS, which prevents the rental market for domains from lifting off.
What’s really wrong in our industry is the lack of consensus between all stakeholders and a lack of leadership in terms of moving forward as a collective. It’s really not that hard to solve the problems that our industry faces if we start working together better.
The correlation activities described in Brian Krebs’s article only require a one-way transformation of the private information fields, or a central repository where you ask for one object and get the other correlated objects. It’s very different from showing the need for the actual private information.
Most domainers will be happy when true GDPR-compliant consent (opt-in, default off, not required for registering or keeping a domain) allows them to publish contact data; that won’t be ready by May 25th, but will take less than the accreditation model.
But as you concluded, there will be both harm and good coming out of this. The optimal balance is in the eye of the beholder, but this is not the point being discussed, since everything that is lawful will still be required by ICANN contracts. The only question is what the law allows to be done; the optimal balance can be discussed in the law arena.
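One way to realise the one-way transformation the comment above describes, added here as an illustration and not code from the post or from any of the commenters: registrant contact fields are replaced by a keyed pseudonym, so a lookup service can still answer "which other domains share this registrant" without publishing the e-mail or phone number itself. The records and the key are constructed for the example; a real service would hold the key privately and rotate it.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample Whois-style records; none of these are real registrations.
RECORDS = [
    {"domain": "example-one.test",   "email": "Alice@Example.org", "phone": "+1 555 0100"},
    {"domain": "example-two.test",   "email": "alice@example.org ", "phone": "+1-555-0100"},
    {"domain": "example-three.test", "email": "bob@example.net",   "phone": "+1 555 0199"},
]

# Secret held only by the party running the lookup service (assumed, constructed value).
# An unkeyed hash of an e-mail address can be reversed by guessing likely addresses,
# so the transformation is an HMAC rather than a bare SHA-256.
SERVER_KEY = b"constructed-demo-key-replace-and-rotate"


def normalize(field: str, value: str) -> str:
    """Canonicalise a field so trivial variations of the same contact still correlate."""
    value = value.strip().lower()
    if field == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value


def pseudonym(field: str, value: str, key: bytes = SERVER_KEY) -> str:
    """One-way, keyed token for a contact field; equal inputs give equal tokens."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def redact(record: dict, key: bytes = SERVER_KEY) -> dict:
    """The publishable form of a record: domain plus tokens, no raw contact data."""
    out = {"domain": record["domain"]}
    for field in ("email", "phone"):
        out[field] = pseudonym(field, record[field], key)
    return out


def related_domains(domain: str, records: list, field: str = "email", key: bytes = SERVER_KEY) -> list:
    """Repository-style query: given one domain, return others sharing the same registrant token."""
    by_token = defaultdict(list)
    for r in records:
        by_token[pseudonym(field, r[field], key)].append(r["domain"])
    target = next(r for r in records if r["domain"] == domain)
    token = pseudonym(field, target[field], key)
    return sorted(d for d in by_token[token] if d != domain)
```

The same query can be answered from the redacted records alone, since the tokens, not the contact strings, are what get compared.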
Read the Q&A from journalist Brian Krebs the other day; that was a good read.