Whois data, Internet security and law enforcement

Recent outcry around the letter the EU Article 29 Working Party chairman J. Kohnstamm sent to ICANN, shows how difficult it is to keep a clear view on Whois data and the function of Whois data. Let me try and make it clear why Whois is important to the technical community, law enforcement and the company making a registration alike.

Whois data

Whois data is the data that is displayed through a database on the Internet in a database that shows who has registered a domain name or was allocated IP space. Wikipedia explains further. (As we discuss the Art. 29 WP letter to ICANN, we mainly focus on domain names, but the discussion is the same for IP space.) This is important from two points of view.

1. Fees

Registering a domain name costs money, so involves fees that have to be paid on a regular basis. The registry or registrar needs to be able to contact the registrant and have his banking details to be able to collect fees. This is a result of a business relationship like any other.

2. Technical reasons

If something goes wrong with or around a domain name, technical personnel need to be able to contact technical colleagues or abuse personnel at the other end. This is the original function of the Whois data. At first everybody may have known each other personally, but nowadays this is, for obvious reasons, impossible. Also more and more private persons registered domains, something which was unthinkable when the Whois system was started.

In other words there are good reasons why potentially privacy sensitive data is gathered and processed. So the question becomes: what is displayed publicly and what isn’t?

What is/should be in Whois data?
EU privacy laws are what they are. This means that privacy sensitive data can not be displayed and handled in just any way. On the other hand, contact details which are not private, e.g. company addresses, phone numbers and email addresses, in my opinion, can be displayed in the Whois databases. Private addresses and such can’t. At present they often are, which is an obvious violation (of EU law).

Law enforcement and Whois data
Up to a certain extent Whois data contains very useful information for law enforcement as it shows who registered a domain name or was allowed IP space. As online violations of the law go with tremendous speed, the ability to check a Whois database in a swift way can be of the utmost importance to law enforcement and govCERTs, that have to mitigate online attacks.

At best the Whois data shows the investigating officer where to find the suspected perpetrator, usually it is the start of a long investigation. Open access makes investigating easier, tiered access is more or less the same, but may assist registration parties to comply with the law.

It is for this reason that Chris Fonteijn, as chairman of OPTA, the Independent Post and Telecommunication Authority of The Netherlands, presented at ICANN in Marrakesh in 2006 to create a tiered form of access for LEAs to the -to be closed off- Whois databases. Something SIDN, which closed access to most of the Whois .nl data to the general public, created some years back.

Accuracy over openness
When Whois data is not accurate, which it quite often is, as no checks of any form are made by most registrars and registries on registration, it doesn’t help a law enforcement officer any further in his investigation. The need for more accuracy at registration is in the end more important than access.

At present criminals are allowed access to the Internet in all too easy ways if registration of, probably millions of ill-used, domain names can take place without any check. All in all it is a big, multi-million dollar business. (The question may be whether real payment takes place, as this often is made with stolen credit card details.) The stimulus to provide accuracy isn’t very strong at present as governments have no decisive role in policy in ICANN.

Difference in data
It is not only the Whois data a law enforcement officer needs when investigating violations. There are details behind the Whois that are of equal interest which the registrar or registry also holds and not obtainable through the Whois data. Lawful process is needed to obtain these.

Yes, Whois data is important for the running of the Internet. Without it, it becomes very hard to maintain security for the technical people, to alert each other and mitigate problems. So a form of openness is necessary. Otherwise a tiered access system for “members” needs to be devised.

And yes, it is important to law enforcement also, but accuracy is even more important. For reasons that remain very unclear to me, this seems near impossible to obtain.

Wout de Natris, De Natris Consult

Leiderdorp, Monday 1 October 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Cyber awareness, Cyber crime, Cyber ethics, Cyber security, International cooperation: IP resources, Internet governance, Privacy, Self regulation and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s