Dear SIG members,
A new version of the proposal "prop-162: WHOIS Privacy" has been sent to
the Policy SIG for review.
It will be presented at the Open Policy Meeting (OPM) at APNIC 59 on
Wednesday, 26 February 2025.
https://conference.apnic.net/59/programme/programme/index.html#/day/8/
We invite you to review and comment on the proposal on the mailing list
before the OPM.
The comment period on the mailing list before the OPM is an important
part of the Policy Development Process (PDP). We encourage you to
express your views on the proposal:
- Do you support or oppose this proposal?
- Does this proposal solve a problem you are experiencing? If so,
tell the community about your situation.
- Do you see any disadvantages in this proposal?
- Is there anything in the proposal that is not clear?
- What changes could be made to this proposal to make it more effective?
Information about this proposal is appended below as well as available at:
http://www.apnic.net/policy/proposals/prop-162
Regards,
Bertrand, Shaila, and Ching-Heng
APNIC Policy SIG Chairs
-----------------------------------------------------------------------------------
prop-162-v002: WHOIS Privacy
-----------------------------------------------------------------------------------
Proposer:
Jonathan Brewer ([email protected])
1. Problem statement
-------------------------
More than 400 organisations around the world have bulk access to APNIC's
WHOIS data and may download the complete data set as required.
Cybersecurity companies, ISPs, universities, researchers, and law
enforcement agencies are amongst those with access.
Several organisations including Hurricane Electric and RecordedFuture
republish this data as part of their applications and online systems,
including physical addresses, email addresses, and telephone numbers of
APNIC members.
These contact details are freely available on the web and available for
mass harvesting through the use of screen scraping technology. It is
apparent that some third parties have used this data in a manner
contrary to the APNIC whois data acceptable use agreement.
In the past three years organisations including the Number Resource
Society (Casablanca, Morocco), Unique IP Solutions (Faisalabad,
Pakistan), Aileron IT (Wisconsin, USA), Cogent Communications
(Washington DC, USA) and EarnheardData (details suppressed) have
contacted APNIC members via details published exclusively in APNIC
WHOIS. None of these contacts have been to do with legitimate networking
issues.
2. Objective of policy change
----------------------------------
This policy will eliminate the unnecessary distribution and retention of
APNIC member organisation contact information by third parties. APNIC
systems will become the only source of obtaining address, phone, fax-no,
e-mail, and notify data for APNIC members.
This policy change will not prevent APNIC members or other authorised
users of APNIC WHOIS from obtaining contact information for network
resources in either ad-hoc or automated queries.
3. Situation in other regions
--------------------------------
I have not found evidence that other RIRs limit access to contact
details. Multiple ccTLDs have implemented WHOIS privacy for domain
names, including Australia [1] and Germany [2].
4. Proposed policy solution
--------------------------------
APNIC should remove address, phone, fax-no, e-mail, and notify fields
(the Contact Information) from Org, IRT, abuse-c and role objects from
public access WHOIS.
Responses to unauthenticated API queries should no longer display the
Contact Information.
The Contact Information should be removed from the dataset distributed
to bulk consumers.
APNIC should cause any existing bulk users of APNIC WHOIS data to remove
the Contact Information from their own systems and from the Internet.
MyAPNIC and authenticated API access should be the only way of obtaining
the Contact Information of APNIC users.
APNIC should publish a list of all authenticated API users with access
to the Contact Information. APNIC should publish statistics on requests
for the Contact Information by requestor.
5. Advantages / Disadvantages
------------------------------------
Advantages:
This should enhance privacy and data sovereignty, while reducing
nuisance contacts.
Disadvantages:
None. The information will still be available via APNIC-controlled WHOIS
services which presumably are protected against illegitimate data
harvesting.
6. Impact on resource holders
-----------------------------------
No impact on resource holders.
7. References
----------------
[1]
https://www.domainregistration.com.au/infocentre/info-private-registration.php
[2]
https://www.denic.de/en/whats-new/press-releases/article/extensive-innovations-planned-for-denic-whois-domain-query-proactive-approach-for-data-economy-and/_______________________________________________
SIG-policy - https://mailman.apnic.net/[email protected]/
To unsubscribe send an email to [email protected]
