Collaboration

Whois service to be decommisioned?

The Whois service that maintains a database on owners of Internet domain names may be dismantled, if the "sunset" proposal before the Internet Corporation for Assigned Names and Numbers (ICANN) is approved.

The Whois service that maintains a database on owners of Internet domain names may be dismantled, if the "sunset" proposal before the Internet Corporation for Assigned Names and Numbers (ICANN) is approved.

An excerpt from Associated Press:

Like a "411" for the Internet, Whois contains information such as names and phone numbers on the owners of millions of ".com" and other Internet addresses. Bohannon and his staff at the Software and Information Industry Association rely on the free databases daily in their efforts to combat theft and fraud.

The service is a vital source for tracking down owners of domain names, but it also is used by spammers, and many people contend that in its present form, Whois is a threat to privacy (P2Pnet).

As the NY Times aptly states, it's a question of accountability vs. anonymity on the Web. What side do you think is more relevant?

53 comments
deepsand
deepsand

[b]WHOIS Remains--For Now ICANN committee will consider privacy measures for domain owners, but retains the existing system.[/b] Linda Rosencrance, Computerworld Saturday, November 03, 2007 09:00 AM PDT A committee of the Internet Corporation for Assigned Names and Numbers (ICANN) , the organization that manages the Internet domain name system, has decided to leave the WHOIS database as it is, at least for now. The committee, which has been discussing changes to the WHOIS database for seven years, voted 17-7 Wednesday to continue studying the issue. The committee, called the Generic Names Supporting Organization, also voted 17-7 against a proposal that would have allowed "natural persons," people who register domain names for purposes other than conducting business over the Internet, to list the contact information of designated third parties in the WHOIS database, rather than their own. The WHOIS registry is the legacy database of the domain name system. It contains the names and contact information of those who register Internet domains. Currently, anyone is able to access the data contained in the database. Privacy advocates have argued that the information contained in the WHOIS database should be shielded from the public to protect the privacy of individual registrants. However, businesses, intellectual property holders and members of law enforcement have argued for open access to the WHOIS database, saying it helps them go after phishers, trademark infringers, copyright violators and scammers. By a 13-10 vote, the committee also voted down the "sunset" option that would have let domain name registrars make their own decisions about whether to allow public access to the information in the WHOIS database. Currently, their contracts with ICANN require them to make this information public.

Jaqui
Jaqui

I just started reading a "Guide to e business" for companies in Canada. They have a link to privacy atc specifically for e-business operations: [ http://www.privcom.gc.ca/information/guide_e.asp ] The Relevant section: What is not Covered by the Act? * The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act * Provincial or territorial governments and their agents [b]* An employee's name, title, business address or telephone number[/b] * An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list) * An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes * Employee information ??? except in the federally-regulated sector The bold being the data disclosed by the whois service.

JCitizen
JCitizen

site. Although certain social workers were excluded because of the sensitive nature of the work they did. So there you go - if those folks needed privacy; maybe we all did; as long as we weren't CIO as least.

deepsand
deepsand

A business using a fictitious name is legally & ethically obliged to disclose the name(s) of the individuals who own and/or operate the business. That it may be a "virtual" enterprise, as opposed to a "brick-and-mortar" one, is of no import. However, that the principals must be identifiable does not carry with it the obligation to publicly disclose the identities, positions/titles, responsibilities, etal., of each and every person in their employ.

deepsand
deepsand

with "private" domains meaning those which are used soley for personal purposes. However, such anonymity would still need to be easily piercable in order to prosecute instances of libel, copyright/trademark infringement, etal..

JCitizen
JCitizen

because I was the local public IT contact man, and it was my business location. However the social workers were into a sensitive type of work that required them to work with dangerous scumbags; so it was sufficient to list their supervisors. I hope I'm not off topic - this just illustrates an example of how some domain registrants might feel anonymity would be/should be mandatory. I don't feel it is an issue though; for reasons you and others have given. Not as the system stands now. Junking the WHOIS data base is unacceptable to me unless they come up with a sufficient replacement.

deepsand
deepsand

Personally, were it up to me, even those options wouldn't be available. The web is a public forum. To expect to operate in public while remaining anonymous is absurd.

Absolutely
Absolutely

The majority of the web's users are finding diminishing motive to do business on the Internet until such expectation is not absurd, and private communications are standard. If there is a reasonable suspicion I committed a crime, and surreptitious access to the data on it can assist the investigation, good. It will be discovered more quickly that the reasonable suspicion is erroneous, perhaps without even having to knock on my actual door nor disrupt me in any other way. But there are fewer honest investigators, it seems, than script kiddies and big league crackers. Consider the types of computer crimes being successfully prosecuted, and by whom: Microsoft, Sony, [i]et al[/i]. Is your life better or worse than it was before the Internet? It certainly has not improved my life.

JCitizen
JCitizen

at policing miscreants than the internet service providers; from what I've seen in news stories. They are going to have to keep adjusting the law to cover privacy and cyber crime. Congress is way behind on this and has a way to go. If there was no internet I would probably lose 85% of my clients; as almost all of them use their computer to access the internet as apposed to local machine applications. So I would have to say I wouldn't have a life without the internet. Besides I have 250 channels of satellite junk to watch and almost all of it is boring compared to what is available on the internet.

deepsand
deepsand

No maybe about it; far too many "reporters" and bloggers no far too little of that about which they speak. And, in so doing, they frequently get peoples "bowels in an uproar" for naught, causing those unfairly depicted to have to unnecessarily give effort toward defending themselves.

JCitizen
JCitizen

I was trying to make the point that (from what I read in the news) some of these sites track the originator of the communication session and can back track, and end the contract for abusers, and help authorities in abuse cases. Maybe I am just muddying up the water even worse? Or maybe the news services are even more ignorant than I. (Edited) I hadn't heard of proxy domain registration before; so I will have to bone up on that. Thanks again deep!

deepsand
deepsand

The former shields the identity of the User; the latter, that of the Domain Owner.

deepsand
deepsand

WHOIS has to do with the Registration of Domains, [b]not[/b] IP Addresses. WHOIS data includes the Owner of the Domain, along with certain contact information, as well as the current DNS Servers & currently assigned IP Address. The purpose of such is to identify who owns and/or is responsible for a Domain, not who is active at a particular IP Address. When I register a domain, it's [u]my choice[/u] as to whether to have a Public, Private or Proxy Registration.

MISDude-E
MISDude-E

The whois service is great to see where your Internet traffic is going to. Most IPs do not have domain names associated to them, so a whois can tell you the company associated with the IP block. When I need to allow web traffic TO certain Internet web sites, I need to know their IPs so I often use whois to see if an IP is part of a reserved block for a respected company versus an ad server. Also if I see traffic from the Internet trying to hack my systems I can use whois to find who owns that IP and if need be contact them. For instance if it is to a college then I could call up the college and have them put an end to the dorm room hacker. This is a useful tool. If you don't want your information broadcasted then use a registrar's privacy service for your personal web sites. It's just a couple more bucks per domain renewal. That way I don't have my phone number or address listed in my whois.

TonyNg
TonyNg

If we are going to destroy all the knife just because somebody use it to kill people. Imagine what would be the impact to our life? Unless there is an alternative, that makes the knife no longer a necessity.

deepsand
deepsand

Are there any of meritorious consequence?

Jaqui
Jaqui

that accountability should be supported. whois only displays data that is required, by law, to be publicly available. ohhh, look, the main plaintiff you mention, P2P.net, a peer to peer file sharing site I bet.

JCitizen
JCitizen

I would have to sit on it awhile to figure how much information should be listed.. BTW - Give that meatball on the soapbox a cigarette! Poor guy's suffering! :p

JCitizen
JCitizen

If you have a static IP then you just better be prepared to face the public. Just like putting a sign out on the highway to open business. If you want your privacy get behind an ISP with a dynamic address and be happy. It only makes sense. Whois is the only way we as administrators or security consultants can catch the bad guys. This is a bad idea!

Absolutely
Absolutely

"Whois is the only way we as administrators or security consultants can catch the bad guys." So catch them. I'm not keeping an exhaustive database, but my recollection of news stories are that the plurality of successful prosecutions have been about copyright infractions, and if you can use a computer to transmit kiddie porn, steal identities, and it only [b]catches[/b] software pirates and kids trading mp3's, what's it worth? To whom? Even if you're right, that whois is the "only way" to "catch the bad guys", it's not much of an argument, considering which bad guys are being caught, and which aren't.

deepsand
deepsand

You seem to be saying that WHOIS data has no sufficiently meritorious qualities to justify its being publicly accessible. Is this a correct assessment?

deepsand
deepsand

Given that much of the world was once colonized by France, Spain & Portugal, it should not surprise us to know that the extent of Codified Law is great indeed. Even within the confines of the U.S. such can still be found in various States which were formerly within French & Spanish Territories. However, no matter the type of Law, there will always be imperfections in the constructions of such, owing to both the limitations inherent in any language, and the inability to perfectly anticipate future needs, such that there will always be a need for lawyers.

JCitizen
JCitizen

deepsand said: {Both our Federal Constitution and the majority of States's Constitutions, and hence the resulting Statutory Laws, are grounded in English Common Law, as opposed to Codified Law, as exemplified by the Napoleonic Code. The latter is frequently described as being based on the principle that "that which is not expressly forbidden is allowed;" the latter, "that which is not expressly allowed is forbidden." Given the choice, I'll take the former} ------------------------------------------------------------------------------------------ From what little I know about international law, we are supposedly one of the few that still practices this simple principle. However when you see the walls it takes to hold the Federal Code, you begin to wonder. Of course they could rewrite it in it's entirety and condense it to the size of an Encylopedia; if they took command of the Enlish language and tradition to common law. But then we wouldn't need lawyers anymore would we?

deepsand
deepsand

Both our Federal Constitution and the majority of States's Constitutions, and hence the resulting Statutory Laws, are grounded in English Common Law, as opposed to Codified Law, as exemplified by the Napoleonic Code. The latter is frequently described as being based on the principle that "that which is not expressly forbidden is allowed;" the latter, "that which is not expressly allowed is forbidden." Given the choice, I'll take the former.

Absolutely
Absolutely

[i]I fail to see it as a matter of privacy "rights."[/i] Such is described less accurately as a "failure", IMO, than as a result of strict construction of the Constitution, which provides such rights, if at all, only as a consequence of other rights, such as property, freedom from undue search & seizure, [i]etc[/i]. It really is too bad the Framers didn't codify all our rights in hierarchical fashion, or perhaps it was a gift of Providence that they didn't. It would undoubtedly simplify positive determination of complex legal issues -- either for the better or for the worse, depending on the hierarchy that's established. However, the magnitude and growth rate of the national population of lawyers does tend to mandate such an undertaking, and soon, if they are to have any subjects over whom to rule, much longer.

deepsand
deepsand

If one engages in business under a name other than ones own, such information must, as a matter of Law, be available to the public. When one undertakes to do business online, the Domain Name becomes a DBA, no different from that of, for example, the name and/or telephone no. of a legally chartered corporation. That the media happens to be of a particular form does not convey any inherent rights over and above those enjoyed elsewhere. Furthermore, as the web has made it ever so much easier and profitable to disquise ones self as another and/or to wear multiple disquises, all the more important that such be easily detectable by all.

Absolutely
Absolutely

I have personally seen some technical merit, but not meritorious enough [u]use[/u] of 'whois' to defend it passionately. My point is that corporate interests in protecting copyright cannot be expected to carry much weight in a public discussion, if this ever gets to the attention of the general public, as seems at least possible where 'privacy rights' are invoked.

JCitizen
JCitizen

Perhaps I should have said,"It is the only way I know how to capture the bad guys" I have received cooperation from some ISPs on nefarious activities within their address range. Of course I will never know who did this activity; I was only concerned at stopping it, and it did. There was once a company up in Alaska that had some of the worst violators and I don't receive cracking attempts from them anymore. But alas, trying to get the Asia Pacific people to do anything about their problems is a lost cause probably. If you know a better way to resolve IP to domain name I'm all ears(eyes actually) :-\

deepsand
deepsand

Resolving an IP Address to a Domain Name does not, in and of itself, provide the information about the registrant of the Domain that WHOIS does.

seanferd
seanferd

Reverse DNS lookup / DNS lookup (NS lookup)

deepsand
deepsand

While a valid IP Address does of course resolve to a Domain Name, WHOIS data is maintained for the Domain Name, [b]not[/b] for any IP Addresses. And, that you may have a Static IP Address does not mean that you are personally identifiable via a WHOIS look-up; at best, only the Registrant of the Domain Name is identifiable.

seanferd
seanferd

I was kind of wondering about those particular facts. You're always a fount of good info, Deepsand.

deepsand
deepsand

The trick to appearing to "always be right" is to avoid being wrong; this is achieved simply by making no statements the veracity of which you are uncertain. Of course, even for one who is diligent in this regard, in a sufficiently emotionally charged moment, that rule may be violated. "[i]Better to be silent, and be thought the fool, than to speak and remove all doubt.[/i]" - Variously attributed to both Abraham Lincoln & Mark Twain

JCitizen
JCitizen

when it comes to relating what point I am trying to make. I tend to blurt it out and let the chips fall where they may. Thanks Deep!

deepsand
deepsand

It's overlooked by many that the relationship between Domains & IP Addresses is [u]many-to-one[/u] [b]or[/b] [u]one-to-many[/u] depending on the direction.

ralahinn1
ralahinn1

I run a very small web site, and I use"who is" to help me keep my board secure. I have already survived one"hacking", I think it would be much harder to keep the hackers and spambots off if "who is" was no longer available

seanferd
seanferd

either. As a private citizen, a Whois on my IP address gets me the geograhical address of AT&T Internet Services in Texas. And of course the IP of my router is not the IP of my computer. What private citizens have there privacy threatened by Whois? (That is not rhetorical, I'm asking.) I mean, if, for instance, a stalker could get a map to some unsuspecting persons home from Whois (assuming the stalker got an IP address in the first place), then maybe a modification might be a good thing. Whois is too useful to too many professionals to dismantle. I even use it occasionally. This whole thing sounds like some weird bargaining chip anyway. It also sounds like the antagonists may not really understand what Whois does, either. Why not go after all the reverse lookup phone directories if privacy is a concern to them?

JCitizen
JCitizen

in my other posts. I don't do domain lookups though; so I don't know how much information is given out on private websites: be they static or dynamic IP addresses is perhaps non sequitur.

JCitizen
JCitizen

If people want privacy then get off the internet; security enforcement takes precedence. In some states it is illegal to block caller ID; correct me if I am wrong. What is the difference? If you want to use the phone you should ID yourself as a courtesy to the person you call. I don't answer calls that have no ID on them. Shoot, all you have to do is google someone's name, address, or phone number and you get a load of information already. If you live in a small town everybody knows where you live and all about your private business. I think big city thinking has gone too far with this privacy thing. It's not like they can get your SSN# or something. If they want to block home addresses why don't the get ICANN to do that instead of gutting the system.

deepsand
deepsand

Nowhere is it illegal to block Caller ID. A telephone call is private communication, not public. If one does not wish to receive calls from those using eithe Line Blocking or Call Blocking, they have such option available. ANI, on the other hand, cannot be blocked, as it is needed for billing purposes. It is ANI that is by Law Enforcement and Emergency Responders using E-911.

deepsand
deepsand

Now, if only I could find stuff in my own house with half the ease of finding that form.

JCitizen
JCitizen

I definitely saved that form for my friends that have a vitriolic hatred of all things smacking of telemarketing.

deepsand
deepsand

by way of mention of the charge for incoming calls to cell phones, I've a vague recollection of a proposal to extend the Federal ban on junk faxes having been to junk phone calls to cell phones as well, as both consume resources at the expense of the recipient. A quick bit of research shows that at least certain kinds of messages to wireless devices are now prohibited by FCC Regulation. See http://www.fcc.gov/cgb/consumerfacts/1088G-R.pdf .

JCitizen
JCitizen

The block all feature in most cell phones makes the contemplation of exploitation even more unnattractive; let alone the screaming they would get in the ear for making a charge call to the customer. Only thing worse than telemarketer calls is being CHARGED to receive a telemarketer call. I'm sure the suits would fly if they were stupid enough to venture into this area. I'm suprised attorneys with international tort experience haven't promoted a class action law suit against at least the biggest spammers or their client companies. Athough, in my experience most lawyers have a hard enough time figuring out the difference between state and federal law, let alone the vagaries of the world internet and technology.

deepsand
deepsand

Cell phone number databases are not publicly accessible. As best I recall, cell carriers took the stance that such data is their private property, so that anyone seeking access to such would need to pay for it. Additionally, cell phone carriers were assigned entire exchanges, with a large percentage of the 10000 subscriber nos. within each exchange never having been used, such that the entire universe of possible cell nos. is sparsely populated. With no way to determine the population density of the nos. actually assigned & active within a given exchange, the telemarketers may have determined that calls to random nos. within cell exchanges resulted in an unacceptably low hit rate, and that their efforts were better spent on land lines.

JCitizen
JCitizen

I can just imagine the fury of an owner of a cell phone or unlisted number if they received a telemarket call to such a phone. Regardless of the legalities. It has never happened to me on my cell phone; but most have blocking built in. I've never been unlisted or known anyone who uses unlisted numbers.

deepsand
deepsand

Law Enforcement can always, assuming warrant requirments are met, obtained teleco records, which contain ANI information; and, as noted above, ANI data is [b]always[/s] present. As for unlisted/unpublished nos., which include nearly all cell nos., they enjoy no special protection. Most telemarketing to those with the marketer or marketer's client does not have a qualified relationship, as defined by the FTC, are made by way of calls to randomly selected nos., with no prior knowledge as to whether or not such no. is currently assigned to any subscriber. And, regardless of whether or not ones no. is listed/published, the subscriber is entitled to demand that the telemarketer refrain from future calls.

JCitizen
JCitizen

I have a buddy that is a ferocious opponent of telemarketing, and is always doing battle with them over such details. He stated that he has lodged complaints with the police, ATT, and the FTC over unidentified calls and claimed to have successfully gained warnings and prosecutions over the issue, in his state. But this is second hand information; and although he seems reliable I can't attest to how accurate his information is. I assumed his information was fact and that misidentified calls were considered harassment or something similar over there. At the last contract I worked, I helped provide information to prosecutors on unidentified calls to people who were under court protection on domestic violence cases. But that is a specific legal catagory of course. Unlisted phones and cell phones may also fall into that catagory in that state .

deepsand
deepsand

you're probably thinking of the FTC's regulations re. Telemarketers, which can be viewed at http://www.ftc.gov/os/2003/01/tsrfrn.pdf . Once opened, do a search for the string "caller id," and you'll find various references to requirements that Telemarketers disclose their identity by various means.

JCitizen
JCitizen

I was sure an SBC hand book I was reading from a relative of mine stated that one could lodge complaints about receiving blocked caller ID calls. Most people never follow through with phone harassment complaints. ATT will kick butt if you file a police report however. In fact I thought the home page of the government "do not call" stated that it is illegal to block the ID of the caller. Perhaps it only applies to telemarketers. I appologize for making wide sweeping distinctions.