nanog mailing list archives

Re: Whois vs GDPR, latest news


From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 22 May 2018 21:07:24 -0500

Perhaps it's time that some would consider new RBLs and Blackhole feeds based on.... :
Domains with deliberately unavailable WHOIS data.

Including domains whose registrant has failed to cause their domain registrar and/or registry to list personally identifiable details for registrant and contacts on servers available to the public using the TCP port 43 WHOIS service.

For any reason, whether use of a privacy service, or by a Default "Opt-to-Privacy Rule" enforced by a local / country-specific regulation such as GDPR.

Stance

* Ultimate burden goes to the REGISTRANT of any Internet Domain to take the
  steps to ensure their domain or IP address registry makes public contacts appear
  in WHOIS at all times for their Domain and/or IP address(es) --- including
  a traceable registrant name AND direct Telephone and E-mail contacts to a responsible
  party specific to the domain from which a timely response is available and
  are not through a re-mailer or proxy service.

People may have in their country a legal right to secure control of a domain on a registry and anonymize their registration: "Choose not to have personal information listed in WHOIS".

HOWEVER, making this choice might then result in adverse consequences towards connectivity AND accessibility to your resources from others during such times as you exercise your option to have no identifiable WHOIS data.

The registration of a domain with hidden or anonymous data only ensures exclusivity of control. Registration of a domain with questionable or unverifiable personal registrant or contact information does not guarantee that ISPs or other sites connected to the internet will choose to allow their own users and DNS infrastructure access to un-WHOISable domains.

Then have:
-------------------

* Right-hand sided BLs for Internet domains with no direct WHOIS-listed registrant address and real-person contacts including name, address, direct e-mail and phone number valid for contact during the domain's operational hours.

* Addons/Extensions for Common Web Browsers to check the BLs before allowing access to an HTTP or HTTPS URL. Then display a prominent "Anonymized Domain: Probable Scam/Phishing Site" within the Web Browser MUA;

And limit or disable high-risk functions for anonymous sites: such as Web Form Submissions, Scripting, Cookies, Etc to Non-WHOIS'd domains.

if the domain's WHOIS listing is missing or showed a privacy service, or had appeared truncated or anonymized.

* IP Address DNSBL for IP Address allocations with no direct WHOIS-listed holder address real-person contacts including name, address, direct e-mail and phone number valid for contact during the hours when that IP address is connected to the internet.

* DNS response policy zones (for resolver blacklists) for internet domains with no WHOIS-listed registrant & real-person contacts including name, address, direct e-mail and phone number valid for contact.


The EU GDPR _might_ require your registrar to offer you the ability Opt by default to mask your personal information and e-mail from domain or IP WHOIS data,

But should you choose to Not opt to have identifiable contacts and ownership published:

There may be networks and resources that will refuse access, Or whose users will not be allowed to resolve your DNS names, due to your refusal to identify yourself/provide contacts for vetting, identifying and reporting technical issues, abuse, etc.

Real-Life equivalent would be.... Directories/Listings of Recommended businesses that refuse to accept listings from businesses whose Owner wants to stay Anonymous.

Or people who don't want to buy their groceries from random shady buildings that don't even have a proper sign out.....

--
-JH

On Wed, May 16, 2018 at 4:10 PM, Constantine A. Murenin
<mureninc () gmail com> wrote:
I think this is the worst of both worlds.  The data is basically still
public, but you cannot access it unless someone marks you as a
"friend".

This policy is basically what Facebook is.  And how well it played out
once folks realised that their shared data wasn't actually private?

C.

On 16 May 2018 at 16:02, Brian Kantor <Brian () ampr org> wrote:
A draft of the new ICANN Whois policy was published a few days ago.

https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf

From that document:

"This Temporary Specification for gTLD Registration Data (Temporary
Specification) establishes temporary requirements to allow ICANN
and gTLD registry operators and registrars to continue to comply
with existing ICANN contractual requirements and community-developed
policies in light of the GDPR. Consistent with ICANN’s stated
objective to comply with the GDPR, while maintaining the existing
WHOIS system to the greatest extent possible, the Temporary
Specification maintains robust collection of Registration Data
(including Registrant, Administrative, and Technical contact
information), but restricts most Personal Data to layered/tiered
access. Users with a legitimate and proportionate purpose for
accessing the non-public Personal Data will be able to request
such access through Registrars and Registry Operators. Users will
also maintain the ability to contact the Registrant or Administrative
and Technical contacts through an anonymized email or web form. The
Temporary Specification shall be implemented where required by the
GDPR, while providing flexibility to Registry Operators and Registrars
to choose to apply the requirements on a global basis based on
implementation, commercial reasonableness and fairness considerations.
The Temporary Specification applies to all registrations, without
requiring Registrars to differentiate between registrations of legal
and natural persons. It also covers data processing arrangements
between and among ICANN, Registry Operators, Registrars, and Data
Escrow Agents as necessary for compliance with the GDPR."



-- 
-Mysid
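
An illustration of the resolver-blocklist idea proposed in the message above, added here as an example and not code from any participant in the thread: it classifies port-43 WHOIS replies as having missing or masked registrant contacts and emits response policy zone records for them. The field names, mask markers, function names and sample replies are constructed assumptions.

```python
# Assumed markers that signal masked registrant data (constructed list, extend as needed).
MASK_MARKERS = ("redacted for privacy", "privacy service", "whois proxy")
# Assumed "Key: value" field names for the contacts the proposal requires.
REQUIRED = ("Registrant Name", "Registrant Email", "Registrant Phone")

def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS reply into a dict (first value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not key.startswith(("%", "#", ">")):
            fields.setdefault(key.strip(), value.strip())
    return fields

def unavailable_reason(text):
    """Return why a record counts as unavailable WHOIS, or None if contacts are listed."""
    fields = parse_whois(text)
    for name in REQUIRED:
        value = fields.get(name, "")
        if not value:
            return f"{name} missing"
        if any(marker in value.lower() for marker in MASK_MARKERS):
            return f"{name} masked"
    return None

def rpz_records(whois_by_domain):
    """Emit RPZ lines; 'CNAME .' is the RPZ action that makes the resolver answer NXDOMAIN."""
    out = []
    for domain, text in sorted(whois_by_domain.items()):
        reason = unavailable_reason(text)
        if reason:
            out.append(f"; {domain}: {reason}")
            out.append(f"{domain} CNAME .")      # the domain itself
            out.append(f"*.{domain} CNAME .")    # every name below it
    return out

# Constructed sample replies (not real registrations).
SAMPLE = {
    "listed.example": "Domain Name: LISTED.EXAMPLE\nRegistrant Name: Pat Example\n"
                      "Registrant Email: hostmaster@listed.example\n"
                      "Registrant Phone: +1.5555550100\n",
    "masked.example": "Domain Name: MASKED.EXAMPLE\nRegistrant Name: REDACTED FOR PRIVACY\n"
                      "Registrant Email: REDACTED FOR PRIVACY\n",
    "empty.example": "Domain Name: EMPTY.EXAMPLE\nRegistrar: Example Registrar\n",
}

if __name__ == "__main__":
    print("\n".join(rpz_records(SAMPLE)))
```

The check only tests whether contact fields are present and unmasked; it cannot tell whether a listed name, e-mail or phone number is real or reachable.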

