[arin-ppml] Recommended Draft Policy ARIN-2024-2: Whois Data Requirements Policy for Non-Personal Information

ARIN info at arin.net
Tue Sep 24 13:11:57 EDT 2024 

On 19 September 2024, the ARIN Advisory Council (AC) advanced the following Draft Policy to Recommended Draft Policy status: 

*ARIN-2024-2: Whois Data Requirements Policy for Non-Personal Information 

AC Assessment of Conformance with the Principles of Internet Number Resource Policy:

Following a review of community feedback, staff and legal recommendations, and AC discussions, Draft Policy ARIN-2024-2: Whois Data Requirements Policy for Non-Personal Information, was found to conform to the principles of the ARIN Policy Development Process.  Based on being fair, impartial, and technically sound, this Draft Policy was moved to Recommended Draft state. If adopted by the board, it would further clarify what information is collected and published via ARIN's public Whois service.


The text of the Recommended Draft Policy is below, and may also be found at: 

https://www.arin.net/participate/policy/drafts/2024_2/

You are encouraged to discuss all Recommended Draft Policies on PPML prior to their presentation at the next ARIN Public Policy Consultation (PPC). PPML and PPC discussions are invaluable to the AC when determining community consensus. 

The PDP can be found at:

https://www.arin.net/participate/policy/pdp/

Draft Policies and Proposals under discussion can be found at: 

https://www.arin.net/participate/policy/drafts/

Regards,
 
Eddie Diego
Policy Analyst
American Registry for Internet Numbers (ARIN)


Recommended Draft Policy ARIN-2024-2: Whois Data Requirements Policy for Non-Personal Information 

Problem Statement:

ARIN’s mission includes maintaining and distributing registration information about who holds Internet number resources (Internet Protocol (IP) addresses and Autonomous System Numbers (ASNs)) in a public database referred to as Whois.  Whois provides network operators, technical troubleshooters, law enforcement, researchers, and other interested parties with information about which organization administers specific Internet number resources. Distributing this non-personal information is very much in the public interest of proper functioning of the Internet.

While ARIN continues to recognize the ongoing relevancy and importance for publicly available Whois information in its control, ARIN must also take stock of evolving regional developments pertaining to data privacy and the cross-border sharing of personally identifying information (PII) which have led to or could lead to redactions among similar Whois resources outside of ARIN’s purview.

In light of such developments, it is important for ARIN to codify its Whois data requirements and disclosure practices in a manner that is both a) respectful of privacy rights pertaining to PII and b) cognizant of the value non-PII data plays in the security of the Internet and the protection of the general public.

Currently there are no ARIN policies that clearly define what organization and associated point of contact information must be provided and registered in the public Whois. This proposal attempts only to clarify and codify ARIN’s existing practice regarding organization and contact data collection and display in Whois.

Policy Statement:

2.12 Organizational Information

Modify 2.12 to read:

Information needed to uniquely identify an Organization. 

3.8 Directory Service Records

Modify 3.8.1 to include the following sentence:

All organization registration records will be visible in the public Whois.  Organizations that are registered as D/B/A may choose to show the Business name rather than the registered party’s name.

Add 3.8.2

3.8.2 Required Organization Record Information

The following information must be provided to ARIN to register an organization record:
* Org Name
* Org Postal Address including country

Add 3.8.3 Point of Contact Record Creation

An organization must register designated Points of Contact to manage its organization and resource registration records to include Administrative, Technical, NOC and Abuse contacts. These Points of Contact shall be representatives of the organization and any information provided to ARIN shall be that contact’s associated organizational information and not personal data.

Point of Contact registration records will generally be visible in the public Whois. Refer to NRPM 3.3 and NRPM 4.2.3.7.3.2 for exceptions to this general rule.

Add 3.8.4 Required Point of Contact Record Information.

The following information must be provided to ARIN to register a  Point of Contact:
* Contact Name (this can be an individual representative of the company or a Role POC)
* Contact’s Company Name (Required for Role POC)
* Contact’s Postal Address including country
* Contact’s Organization Phone Number (optional)
* Contact’s Organization E-Mail Address

Timetable:  Immediate

More information about the ARIN-PPML mailing list