[arin-ppml] Comments on proposal 2010-3

Vissers, Pepijn P.Vissers at opta.nl
Thu Mar 25 12:44:52 EDT 2010

On behalf of the Team Internetsafety of the Dutch Telecommunications
Authority OPTA, I'd like to comment on the draft proposal 2010-3.

The Team Internetsafety conducts spam- and malware investigations
related to the Netherlands. All of these investigations have an
international component, some of which require us to use ARIN for WHOIS

As such, we'd like to comment on three possible problem fields with
anonymizing the public WHOIS and with that plead AGAINST this proposal.

1. Access to public WHOIS service
2. Access to accurate information
3. Some EU WHOIS situations and their impact on investigations

Ad 1.
There is a worldwide trend of anonymizing WHOIS databases. ARIN now
wants to jump on that wagon as well. In general, as pointed out by
previous commenters, WHOIS data is used by good guys as well as bad
guys. That publicly available (reliable) WHOIS data is essential to the
good guys in the private and public sector is evident: NOT having access
to such information, or only through slow mutual legal assistance
treaties, severely hampers or even stops investigations and private
internet security initiatives. This is a cumulative effect of worldwide
anonymisation of WHOIS and is not bound to ARIN data only. However, the
more registries decide to take this path, the worse the effect on the
investigations of the good guys.

A risk with publicly available WHOIS information is the mapping of
sensitive data by bad guys. Whereas the good guys tend to use a sniper
rifle to pinpoint WHOIS data, the scattershot approach is one more often
used by miscreants: get all information and filter out the interesting
bits. Restricting large scale ACCESS to WHOIS data, for instance by
using web access + captcha only and no CLI, would make scattershot
approaches tedious and difficult. Sniper techniques would still be
usable for both parties, but that's the balanced risk then, because
anonymizing ALL public WHOIS data would surely impact the good guys more
than the bad guys.

Ad 2. 
As pointed out by other commenters as well, the reliability of the WHOIS
information is far from optimal. That said, it still proves to be
valuable information in investigations, be it circumstantial or jump
point to other investigative leads, and as such better than no
information at all. So anonymizing it 'because it's not reliable now
anyway' is no valid argument for this policy: it's a completely
different discussion which should be held elsewhere. 

Ad 3.
In the Netherlands, SIDN (the .nl-TLD manager) reduced the WHOIS
information in the same way as proposed by ARIN now. Dutch investigative
organizations have had to form legal contracts with SIDN to still obtain
full .nl-WHOIS data. For other EU countries, access to .nl-WHOIS data is
(very) difficult, but doable. Because sharing of personal information
outside the EU is very very hard due to Safe Harbor principles, access
to .nl-WHOIS for investigative bodies outside the EU is nearly
impossible. Not a desirable situation for investigators and a
questionable protection from the bad guys; after all: given a (reliable)
name, more information is bound to be available on the internet.

In comparison, the .eu-WHOIS information (http://www.whois.eu) is
available behind a captcha, which (if implemented correctly et al)
prevents the scattershot approach but allows the sniper approach. 

The question of whether or not to anonymize WHOIS data is one that
supersedes the ARIN policy alone. However, we think it's a trend that
severely hampers public and private investigative bodies more than it
does the bad guys. Therefore we advise AGAINST this proposal.

FYI: OPTA has reacted, by name of our chairman, on the ICANN WHOIS
anonymisation proposal back in 2007. You can find our arguments here:

Best regards,

Pepijn Vissers
Team Internetsafety
