Hi Jon,

Thank you for your detailed response and clarifications. I appreciate the opportunity to further discuss the potential impacts of this policy proposal. Below are my responses to your points:

1. *Justification for Removal* – Including references to established discussions on this issue, such as the ICANN Expert Working Group report, would certainly help strengthen the Problem Statement. If you have additional sources that outline the risks of public WHOIS data exposure, it may be beneficial to include them for context.

2. *Impact on Network Operations and Security* – While I understand that the data will still be available through authentication, some concerns remain regarding emergency access. For instance, real-time abuse mitigation efforts often rely on quick WHOIS lookups without the delay of authentication mechanisms. Additionally, in countries like Bangladesh, which has the second highest number of APNIC members, regulatory authorities enforce strict licensing restrictions on which entities can interconnect. This requires daily manual verification of number resource ownership to ensure compliance. If public WHOIS access is restricted, such verification processes may become significantly more difficult, potentially delaying regulatory enforcement and operational decisions.

3. *Unclear Enforcement Mechanism* – Thank you for pointing out the existing enforcement mechanism. While copyright protection can be used to address unauthorized redistribution, would APNIC have a process for auditing compliance among existing bulk data consumers? Some entities have been using WHOIS data for many years – how will APNIC ensure historical data is removed?

4. *Inconsistency with Other RIRs* – Noted on RIPE NCC's filtering policies. However, other RIRs, such as ARIN, also provide some level of bulk WHOIS data access. If APNIC implements this change, it could still create divergence in access policies among different regions. A comparison with other RIRs' authentication policies may help clarify how APNIC's proposed model aligns with global best practices.

5. *Potential Impact on Transparency* – If all authenticated users can access the same data as before, then the transparency concern is mitigated. However, will there be any restrictions on who can create an authenticated account (e.g., must be an APNIC member, network operator, or researcher)? Understanding this would help assess whether transparency is fully maintained.

6. *Increased Operational Burden on APNIC* – While this is ultimately an operational concern, policy decisions can impact operational efficiency. If a large number of previously unauthenticated WHOIS queries now require authentication, APNIC may need to scale infrastructure to handle increased login requests and data access. Additionally, in cases like Bangladesh, where regulators and ISPs conduct numerous manual verifications daily, requiring authentication could introduce inefficiencies unless a streamlined verification process is established. Perhaps APNIC staff can provide a technical or operational impact assessment?

7. *No Clear Alternative for Legitimate Users* – Some security researchers and abuse teams rely on automated or bulk access to WHOIS data for threat intelligence and spam mitigation. Would authenticated API access provide the same level of access as current bulk queries, or would additional restrictions apply? If authentication is merely a login requirement with no additional verification, this may be a non-issue. However, if access is limited to specific user types, that could create new barriers for legitimate use cases.

BR
Babir

On Sun, Feb 23, 2025 at 4:26 PM Jonathan Brewer <jon@tō.nz> wrote:
> Hello Babir,
>
> Your comment suggesting "a more balanced approach" including "requiring authentication for sensitive data" indicates you may not have fully understood the policy proposal. I invite you to read it again. That said, I will address the points you made:
>
> 1. *Justification for Removal:* The need for removal of contact information from public access has been long established in multiple Internet Governance Forums. A good definition of the problem can be found in ICANN's Expert Working Group on gTLD Directory Services, Initial Report 24 June 2013. This report also covers gated (authenticated) access to contact information. Would it be useful for me to include this reference and others in the Problem Statement?
>
> 2. *Impact on Network Operations and Security*: I disagree with your assessment, as the information is not being removed from public access - only from unauthenticated access. I invite you to present some specific cases of how troubleshooting, abuse handling, and incident response for ISPs, security researchers, and CSIRTs would be hindered by requiring users to be logged into a free APNIC account.
>
> 3. *Unclear Enforcement Mechanism*: I would like to refer you to APNIC's existing Acceptable use of APNIC WHOIS data: https://www.apnic.net/manage-ip/using-whois/bulk-access/copyright/ APNIC shares WHOIS data on behalf of the owners of the data - its members. The existing enforcement mechanism is prosecution of copyright violation and I don't believe any change or additional information is required here.
>
> 4. *Inconsistency with Other RIRs*: RIPE NCC documentation shows that restrictions _are_ imposed on WHOIS data: https://docs.db.ripe.net/Types-of-Queries/Filtering-the-Query-Reponse/ so at the moment APNIC WHOIS and RIPE WHOIS are already inconsistent.
>
> 5. *Potential Impact on Transparency*: As the information is available to any authenticated user, there is no impact on transparency.
>
> 6. *Increased Operational Burden on APNIC*: This is an issue for APNIC's operational team to address and report on to us, not an issue for policy developers and evaluators to guess about.
>
> 7. *No Clear Alternative for Legitimate Users*: I do not believe there is a legitimate reason for researchers, network engineers, or security teams to have anonymous access - whether through bulk FTP or unauthenticated WHOIS queries - to the contact details of APNIC members. If you disagree, please reply back with some cases where such entities must have bulk or unauthenticated access to the contact details that cannot be satisfied through an authenticated method.
>
> Regards,
>
> Jon
>
> On Wed, Feb 19, 2025, at 20:23, Babir wrote:
> > Hi Jonathan,
> >
> > Thank you for bringing this proposal forward. While the intention to address privacy concerns is understandable, I would like to highlight several issues that may arise if this policy is implemented:
> >
> > 1. *Lack of Justification for Removal* – The proposal does not provide sufficient evidence of widespread harm due to public WHOIS data exposure or assess the impact of removal on legitimate users.
> >
> > 2. *Impact on Network Operations and Security* – Restricting access to contact details could hinder network troubleshooting, abuse handling, and incident response for ISPs, security researchers, and CSIRTs.
> >
> > 3. *Unclear Enforcement Mechanism* – The proposal suggests requiring bulk WHOIS consumers to remove already obtained data but does not outline how APNIC will ensure compliance, especially for global entities.
> >
> > 4. *Inconsistency with Other RIRs* – No other RIRs impose similar restrictions on WHOIS data. A unilateral change by APNIC may lead to policy fragmentation and operational inconsistencies.
> >
> > 5. *Potential Impact on Transparency* – Limiting WHOIS data availability may reduce visibility into IP resource ownership, making it harder to track bad actors and increasing the risk of fraudulent activities.
> >
> > 6. *Increased Operational Burden on APNIC* – Moving contact information behind authentication may result in an increased number of manual inquiries and authentication requests, creating an additional workload for APNIC.
> >
> > 7. *No Clear Alternative for Legitimate Users* – The proposal does not provide a viable alternative for researchers, network engineers, and security teams who rely on WHOIS data for non-abuse-related queries.
> >
> > Given these concerns, I recommend exploring a more balanced approach, such as rate limiting or requiring authentication for sensitive data, instead of completely removing public WHOIS contact details.
> >
> > Looking forward to further discussions on this matter.
> >
> > BR
> > Babir
> > _______________________________________________
> > SIG-policy - https://mailman.apnic.net/[email protected]/
> > To unsubscribe send an email to [email protected]
>
> https://jon.brewer.nz/

-- 
With Regards,
Babir
