Hello Babir,

Your comment suggesting "a more balanced approach" including "requiring authentication for sensitive data" indicates you may not have fully understood the policy proposal. I invite you to read it again.

That said, I will address the points you made:

1. *Justification for Removal:* The need for removal of contact information from public access has been long established in multiple Internet Governance Forums. A good definition of the problem can be found in ICANN's Expert Working Group on gTLD Directory Services, Initial Report 24 June 2013. This report also covers gated (authenticated) access to contact information. Would it be useful for me to include this reference and others in the Problem Statement?

2. *Impact on Network Operations and Security*: I disagree with your assessment, as the information is not being removed from public access - only from unauthenticated access. I invite you to present some specific cases of how troubleshooting, abuse handling, and incident response for ISPs, security researchers, and CSIRTs would be hindered by requiring users to be logged into a free APNIC account.

3. *Unclear Enforcement Mechanism*: I would like to refer you to APNIC's existing Acceptable use of APNIC WHOIS data: https://www.apnic.net/manage-ip/using-whois/bulk-access/copyright/ APNIC shares WHOIS data on behalf of the owners of the data - its members. The existing enforcement mechanism is prosecution of copyright violation and I don't believe any change or additional information is required here.

4. *Inconsistency with Other RIRs*: RIPE NCC documentation shows that restrictions _are_ imposed on WHOIS data: https://docs.db.ripe.net/Types-of-Queries/Filtering-the-Query-Reponse/ so at the moment APNIC WHOIS and RIPE WHOIS are already inconsistent.

5. *Potential Impact on Transparency*: As the information is available to any authenticated user, there is no impact on transparency.

6. *Increased Operational Burden on APNIC*: This is an issue for APNIC's operational team to address and report on to us, not an issue for policy developers and evaluators to guess about.

7. *No Clear Alternative for Legitimate Users*: I do not believe there is a legitimate reason for researchers, network engineers, or security teams to have anonymous access - whether through bulk FTP or unauthenticated WHOIS queries - to the contact details of APNIC members. If you disagree, please reply back with some cases where such entities must have bulk or unauthenticated access to the contact details that cannot be satisfied through an authenticated method.

Regards,

Jon

On Wed, Feb 19, 2025, at 20:23, Babir wrote:
> Hi Jonathan,
>
> Thank you for bringing this proposal forward. While the intention to address
> privacy concerns is understandable, I would like to highlight several issues
> that may arise if this policy is implemented:
>
> 1. *Lack of Justification for Removal* – The proposal does not provide
> sufficient evidence of widespread harm due to public WHOIS data exposure or
> assess the impact of removal on legitimate users.
>
> 2. *Impact on Network Operations and Security* – Restricting access to
> contact details could hinder network troubleshooting, abuse handling, and
> incident response for ISPs, security researchers, and CSIRTs.
>
> 3. *Unclear Enforcement Mechanism* – The proposal suggests requiring bulk
> WHOIS consumers to remove already obtained data but does not outline how
> APNIC will ensure compliance, especially for global entities.
>
> 4. *Inconsistency with Other RIRs* – No other RIRs impose similar
> restrictions on WHOIS data. A unilateral change by APNIC may lead to policy
> fragmentation and operational inconsistencies.
>
> 5. *Potential Impact on Transparency* – Limiting WHOIS data availability may
> reduce visibility into IP resource ownership, making it harder to track bad
> actors and increasing the risk of fraudulent activities.
>
> 6. *Increased Operational Burden on APNIC* – Moving contact information
> behind authentication may result in an increased number of manual inquiries
> and authentication requests, creating an additional workload for APNIC.
>
> 7. *No Clear Alternative for Legitimate Users* – The proposal does not
> provide a viable alternative for researchers, network engineers, and security
> teams who rely on WHOIS data for non-abuse-related queries.
>
> Given these concerns, I recommend exploring a more balanced approach, such as
> rate limiting or requiring authentication for sensitive data, instead of
> completely removing public WHOIS contact details.
>
> Looking forward to further discussions on this matter.
>
> BR
>
> Babir
>
> _______________________________________________
> SIG-policy - https://mailman.apnic.net/[email protected]/
> To unsubscribe send an email to [email protected]

https://jon.brewer.nz/
