The DBTF needs your feedback!
I am attempting to fill out this apparently endless survey, and it's obvious from the get-go that this whole thing was designed as an artificial device to justify the deep-sixing of critical WHOIS information which has traditionally been kept open and public. I mean seriously, who designed these questions? The way the questions are framed, they are all quite obviously pushing one particular point of view, and one specific political agenda, namely to excuse the hiding of information which has never before been hidden... and which does not need to be hidden, except for the benefit of criminals. Here's an example of how to frame a question in a way that pre- supposes one specific outcome: *) QUESTION: What would you prefer? 1) To be beaten and strangled to death? 2) To die of a horrible communicable infectious disease? 3) To be mercifully euthanized in your sleep? How about (4) NONE OF THE ABOVE? I'd actually like to go on living, if it's all the same to you. The survey questionare is positively jam packed with questions that are framed in this same manner... questions that, in effect, ask "How much information should we hide?" How about NONE OF THE ABOVE? Here is a concrete example from the questionaire: * 16. Rank this contact information from most (1) to least (3) important to facilitate Internet operations in the RIPE Database: Email address Phone number Fax number Well, hardly anyone ever sends FAXes anymore, so that one is a no-brainer. But the way the question has been formulated, it is obvious that *someone* wants to get rid of either phone numbers or email addresses in the contact data for various assigned resources, and that answers to this carefully crafted (and methodologically bogus) questionare are going to be used as a lame excuse to do that. I, for one, have seen this movie before... https://www.youtube.com/watch?v=ic6c3WvwbAw This kind of too-clever-by-half way of formulating questions in a way so as to get some desired set of pre-determined answers is both shameful and really beneath the dignity of RIPE. I suggest that the whole thing should be thrown out and replaced by the following single question: "Are you in favor of hiding the traditionally open WHOIS infornmation?" Then the folks who are in favor of allowing criminals in the RIPE region to hide behind GDPR can simply out-vote the rest of us and we can then wrpa up this entire sham process far more quickly and efficiently, saving time for all concerned, since the outcome has already been determined. Regards, rfg P.S. Whoever designed this survey form also does not believe, apparently, that any participant has the right to NOT have an opinion on any single one of the myriad of questions set forth. Do not pass GO and do not collect $200 UNLESS you have given answers even to the questions for which you have no opinion. P.P.S. Apparently, there is no constraint whatsoever on anyone who wishes to skew the results of this "survey" by simply filling in the form several thousand times. It's 2021. People are still running online surveys that can be trivially gamed?? <<me -- shakes head>>
Hi Ronald Although I have nothing to do with the questionnaire, I am curious what information you believe 'someone' wants to hide, or maybe you think has already been hidden, that has never before been hidden in this traditionally open whois? btw nothing is decided by voting. Like other working groups we work on consensus based on arguments. cheers denis co-chair DB-WG On Thu, 4 Feb 2021 at 02:22, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
I am attempting to fill out this apparently endless survey, and it's obvious from the get-go that this whole thing was designed as an artificial device to justify the deep-sixing of critical WHOIS information which has traditionally been kept open and public.
I mean seriously, who designed these questions?
The way the questions are framed, they are all quite obviously pushing one particular point of view, and one specific political agenda, namely to excuse the hiding of information which has never before been hidden... and which does not need to be hidden, except for the benefit of criminals.
Here's an example of how to frame a question in a way that pre- supposes one specific outcome:
*) QUESTION: What would you prefer?
1) To be beaten and strangled to death? 2) To die of a horrible communicable infectious disease? 3) To be mercifully euthanized in your sleep?
How about (4) NONE OF THE ABOVE? I'd actually like to go on living, if it's all the same to you.
The survey questionare is positively jam packed with questions that are framed in this same manner... questions that, in effect, ask "How much information should we hide?"
How about NONE OF THE ABOVE?
Here is a concrete example from the questionaire:
* 16. Rank this contact information from most (1) to least (3) important to facilitate Internet operations in the RIPE Database:
Email address Phone number Fax number
Well, hardly anyone ever sends FAXes anymore, so that one is a no-brainer. But the way the question has been formulated, it is obvious that *someone* wants to get rid of either phone numbers or email addresses in the contact data for various assigned resources, and that answers to this carefully crafted (and methodologically bogus) questionare are going to be used as a lame excuse to do that.
I, for one, have seen this movie before...
https://www.youtube.com/watch?v=ic6c3WvwbAw
This kind of too-clever-by-half way of formulating questions in a way so as to get some desired set of pre-determined answers is both shameful and really beneath the dignity of RIPE.
I suggest that the whole thing should be thrown out and replaced by the following single question: "Are you in favor of hiding the traditionally open WHOIS infornmation?" Then the folks who are in favor of allowing criminals in the RIPE region to hide behind GDPR can simply out-vote the rest of us and we can then wrpa up this entire sham process far more quickly and efficiently, saving time for all concerned, since the outcome has already been determined.
Regards, rfg
P.S. Whoever designed this survey form also does not believe, apparently, that any participant has the right to NOT have an opinion on any single one of the myriad of questions set forth. Do not pass GO and do not collect $200 UNLESS you have given answers even to the questions for which you have no opinion.
P.P.S. Apparently, there is no constraint whatsoever on anyone who wishes to skew the results of this "survey" by simply filling in the form several thousand times.
It's 2021. People are still running online surveys that can be trivially gamed??
<<me -- shakes head>>
In message <CAKvLzuHcgqrbZC_1r6_ziJz0NKrSWAVYk4VQJWZ+ut+6Cey8iQ@mail.gmail.com>, denis walker <ripedenis@gmail.com> wrote:
Although I have nothing to do with the questionnaire, I am curious what information you believe 'someone' wants to hide, or maybe you think has already been hidden, that has never before been hidden in this traditionally open whois?
It is quite clear and apparent that some people in the RIPE community, and perhaps even some people in this WG, want to bend over backwards to accomodate -alleged- concerns that -ostensibly- spring from GDPR. I'm sorry to have to say this, but you Europeans have grossly over-reacted to the avarice and greed of what are admittedly mostly American social media companies, including but not limited to Facebook, and their rapacious and never ending quest for yet more personal data and yet more ways to monetize that. Their actions are and were totally egregious, but the pendulum has now swung in the entire opposite directly, and by so doing is daily hampering legitimate investigations of law enforcement and others. In short the over-compensation for the illness called Facebook had given us GDPR, and with the same predictability as night following day, we are now in a situation where WHOIS records for -domain names- are by and large useless for -any- purpose, because greedy and self-seving domain name registrars around the world have used GDPR as a convenient excuse to do what they all have wanted to do for a long long time and for their own selfish business reasons, i.e. redacting literally EVERYTHING from domain name WHOIS records, with total disregard for the dividing line between personal information and non-personal information. Now I see this same sickness and over-compensation starting to influence and affect the WHOIS records for IP blocks and ASNs. I was hoping that it would not come to this, but the privacy-at-all-costs maniacs have now teamed up with the cyber-criminal interests to try to erase ALL of the historical vestiges of WHOIS, even for IP space. I can and will provide concrete evidence and examples of the erosion of the validity of IP block WHOIS records. I know of plenty such in the RIPE region, in the ARIN region, and in the AFRINIC region. But I'll save those examples for subsequent messages. In the meantime, to answer your question more directly, you asked what is it that I fear may be hidden that was previously open. I call your attention to what I had already noted about the unambiguously biased way in which the survey questions were formulated so as to produce the (apparently desired) result of creating a seeming consdensus to discard, delete, and redact various parts of what we have historically known to be "WHOIS". Here again is Exhibit A in support of my point:
*) QUESTION: What would you prefer?
1) To be beaten and strangled to death? 2) To die of a horrible communicable infectious disease? 3) To be mercifully euthanized in your sleep?
How about (4) NONE OF THE ABOVE?... ... Here is a concrete example from the questionaire:
* 16. Rank this contact information from most (1) to least (3) important to facilitate Internet operations in the RIPE Database:
Email address Phone number Fax number
Well, hardly anyone ever sends FAXes anymore, so that one is a no-brainer. But the way the question has been formulated, it is obvious that *someone* wants to get rid of either phone numbers or email addresses in the contact data for various assigned resources, and that answers to this carefully crafted (and methodologically bogus) questionare are going to be used as a lame excuse to do that.
Clearly if there had been a desire to *maintain* *both* email addresses *and* phone numbers (often useful for out-of-band communications) then this survey question should *not* have asked the participant to rate one over the other. THEY ARE BOTH ESSENTIAL AND BOTH MUST BE PRESERVED. The very fact that so many of the survey questions were formulated in this same fashion... where the question itself seems to imply some foregone conclusion about stuff that will in future be *deleted* from WHOIS... makes the motives and intentions of this entire survey enterprise and the people who formulated it suspect. Yes, if forced to make a choice, I would prefer to be mercifully euthanized in my sleep, rather that being strangled to death or dying of some horrible disease. But my first choice... just continuing to live and be well... doesn't even seem to be offered on the menu of choices in this survey! Nor does the option of just leaving well enough alone when it comes to the data that is currently present, and that has historically been present, within the RIPE WHOIS data base. Regards, rfg P.S. The old saying is "If it ain't broke, don't fix it." What problem, specifically were the people who designed this survey trying to solve?
Hi Ronald,
I can and will provide concrete evidence and examples of the erosion of the validity of IP block WHOIS records. I know of plenty such in the RIPE region
- I believe the RIPE NCC will investigate cases of incorrect / false IP ownership information on the RIPE Database if you email them with the details (maybe you have done this already anyway). Regarding GDPR I believe the RIPE NCC and RIPE Database are under Dutch and EU law. RIPE NCC has a legal team. How far GDPR goes in practice with the RIPE Database needs a lawyer I expect. Kind regards Scott Donald ________________________________ From: db-wg <db-wg-bounces@ripe.net> on behalf of Ronald F. Guilmette via db-wg <db-wg@ripe.net> Sent: 04 February 2021 03:43 To: denis walker <ripedenis@gmail.com> Cc: Database WG <db-wg@ripe.net> Subject: Re: [db-wg] The DBTF needs your feedback! In message <CAKvLzuHcgqrbZC_1r6_ziJz0NKrSWAVYk4VQJWZ+ut+6Cey8iQ@mail.gmail.com>, denis walker <ripedenis@gmail.com> wrote:
Although I have nothing to do with the questionnaire, I am curious what information you believe 'someone' wants to hide, or maybe you think has already been hidden, that has never before been hidden in this traditionally open whois?
It is quite clear and apparent that some people in the RIPE community, and perhaps even some people in this WG, want to bend over backwards to accomodate -alleged- concerns that -ostensibly- spring from GDPR. I'm sorry to have to say this, but you Europeans have grossly over-reacted to the avarice and greed of what are admittedly mostly American social media companies, including but not limited to Facebook, and their rapacious and never ending quest for yet more personal data and yet more ways to monetize that. Their actions are and were totally egregious, but the pendulum has now swung in the entire opposite directly, and by so doing is daily hampering legitimate investigations of law enforcement and others. In short the over-compensation for the illness called Facebook had given us GDPR, and with the same predictability as night following day, we are now in a situation where WHOIS records for -domain names- are by and large useless for -any- purpose, because greedy and self-seving domain name registrars around the world have used GDPR as a convenient excuse to do what they all have wanted to do for a long long time and for their own selfish business reasons, i.e. redacting literally EVERYTHING from domain name WHOIS records, with total disregard for the dividing line between personal information and non-personal information. Now I see this same sickness and over-compensation starting to influence and affect the WHOIS records for IP blocks and ASNs. I was hoping that it would not come to this, but the privacy-at-all-costs maniacs have now teamed up with the cyber-criminal interests to try to erase ALL of the historical vestiges of WHOIS, even for IP space. I can and will provide concrete evidence and examples of the erosion of the validity of IP block WHOIS records. I know of plenty such in the RIPE region, in the ARIN region, and in the AFRINIC region. But I'll save those examples for subsequent messages. In the meantime, to answer your question more directly, you asked what is it that I fear may be hidden that was previously open. I call your attention to what I had already noted about the unambiguously biased way in which the survey questions were formulated so as to produce the (apparently desired) result of creating a seeming consdensus to discard, delete, and redact various parts of what we have historically known to be "WHOIS". Here again is Exhibit A in support of my point:
*) QUESTION: What would you prefer?
1) To be beaten and strangled to death? 2) To die of a horrible communicable infectious disease? 3) To be mercifully euthanized in your sleep?
How about (4) NONE OF THE ABOVE?... ... Here is a concrete example from the questionaire:
* 16. Rank this contact information from most (1) to least (3) important to facilitate Internet operations in the RIPE Database:
Email address Phone number Fax number
Well, hardly anyone ever sends FAXes anymore, so that one is a no-brainer. But the way the question has been formulated, it is obvious that *someone* wants to get rid of either phone numbers or email addresses in the contact data for various assigned resources, and that answers to this carefully crafted (and methodologically bogus) questionare are going to be used as a lame excuse to do that.
Clearly if there had been a desire to *maintain* *both* email addresses *and* phone numbers (often useful for out-of-band communications) then this survey question should *not* have asked the participant to rate one over the other. THEY ARE BOTH ESSENTIAL AND BOTH MUST BE PRESERVED. The very fact that so many of the survey questions were formulated in this same fashion... where the question itself seems to imply some foregone conclusion about stuff that will in future be *deleted* from WHOIS... makes the motives and intentions of this entire survey enterprise and the people who formulated it suspect. Yes, if forced to make a choice, I would prefer to be mercifully euthanized in my sleep, rather that being strangled to death or dying of some horrible disease. But my first choice... just continuing to live and be well... doesn't even seem to be offered on the menu of choices in this survey! Nor does the option of just leaving well enough alone when it comes to the data that is currently present, and that has historically been present, within the RIPE WHOIS data base. Regards, rfg P.S. The old saying is "If it ain't broke, don't fix it." What problem, specifically were the people who designed this survey trying to solve?
HI Ronald As Shane pointed out, the task force will make recommendations. Nothing will change without discussion and consensus or through legal necessity. One of the concerns with the RIPE Database is that it contains far too much 'personal' data. 'Personal' means 'who' the data relates to, not the type of data. All email addresses and phone numbers contained within the RIPE Database can and should be business related data. They should not be personal related data. There are no concerns with business data in the database, only unnecessary personal data. No one is suggesting that either email addresses or phone numbers (not even fax numbers) are to be deprecated. cheers denis co-chair DB-WG On Thu, 4 Feb 2021 at 04:43, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuHcgqrbZC_1r6_ziJz0NKrSWAVYk4VQJWZ+ut+6Cey8iQ@mail.gmail.com>, denis walker <ripedenis@gmail.com> wrote:
Although I have nothing to do with the questionnaire, I am curious what information you believe 'someone' wants to hide, or maybe you think has already been hidden, that has never before been hidden in this traditionally open whois?
It is quite clear and apparent that some people in the RIPE community, and perhaps even some people in this WG, want to bend over backwards to accomodate -alleged- concerns that -ostensibly- spring from GDPR.
I'm sorry to have to say this, but you Europeans have grossly over-reacted to the avarice and greed of what are admittedly mostly American social media companies, including but not limited to Facebook, and their rapacious and never ending quest for yet more personal data and yet more ways to monetize that. Their actions are and were totally egregious, but the pendulum has now swung in the entire opposite directly, and by so doing is daily hampering legitimate investigations of law enforcement and others.
In short the over-compensation for the illness called Facebook had given us GDPR, and with the same predictability as night following day, we are now in a situation where WHOIS records for -domain names- are by and large useless for -any- purpose, because greedy and self-seving domain name registrars around the world have used GDPR as a convenient excuse to do what they all have wanted to do for a long long time and for their own selfish business reasons, i.e. redacting literally EVERYTHING from domain name WHOIS records, with total disregard for the dividing line between personal information and non-personal information.
Now I see this same sickness and over-compensation starting to influence and affect the WHOIS records for IP blocks and ASNs. I was hoping that it would not come to this, but the privacy-at-all-costs maniacs have now teamed up with the cyber-criminal interests to try to erase ALL of the historical vestiges of WHOIS, even for IP space.
I can and will provide concrete evidence and examples of the erosion of the validity of IP block WHOIS records. I know of plenty such in the RIPE region, in the ARIN region, and in the AFRINIC region. But I'll save those examples for subsequent messages. In the meantime, to answer your question more directly, you asked what is it that I fear may be hidden that was previously open. I call your attention to what I had already noted about the unambiguously biased way in which the survey questions were formulated so as to produce the (apparently desired) result of creating a seeming consdensus to discard, delete, and redact various parts of what we have historically known to be "WHOIS". Here again is Exhibit A in support of my point:
*) QUESTION: What would you prefer?
1) To be beaten and strangled to death? 2) To die of a horrible communicable infectious disease? 3) To be mercifully euthanized in your sleep?
How about (4) NONE OF THE ABOVE?... ... Here is a concrete example from the questionaire:
* 16. Rank this contact information from most (1) to least (3) important to facilitate Internet operations in the RIPE Database:
Email address Phone number Fax number
Well, hardly anyone ever sends FAXes anymore, so that one is a no-brainer. But the way the question has been formulated, it is obvious that *someone* wants to get rid of either phone numbers or email addresses in the contact data for various assigned resources, and that answers to this carefully crafted (and methodologically bogus) questionare are going to be used as a lame excuse to do that.
Clearly if there had been a desire to *maintain* *both* email addresses *and* phone numbers (often useful for out-of-band communications) then this survey question should *not* have asked the participant to rate one over the other. THEY ARE BOTH ESSENTIAL AND BOTH MUST BE PRESERVED.
The very fact that so many of the survey questions were formulated in this same fashion... where the question itself seems to imply some foregone conclusion about stuff that will in future be *deleted* from WHOIS... makes the motives and intentions of this entire survey enterprise and the people who formulated it suspect.
Yes, if forced to make a choice, I would prefer to be mercifully euthanized in my sleep, rather that being strangled to death or dying of some horrible disease. But my first choice... just continuing to live and be well... doesn't even seem to be offered on the menu of choices in this survey! Nor does the option of just leaving well enough alone when it comes to the data that is currently present, and that has historically been present, within the RIPE WHOIS data base.
Regards, rfg
P.S. The old saying is "If it ain't broke, don't fix it." What problem, specifically were the people who designed this survey trying to solve?
Ronald, On 04/02/2021 02.22, Ronald F. Guilmette via db-wg wrote:
I mean seriously, who designed these questions?
The RIPE Database Requirements Task Force, with support from the RIPE NCC. This task force includes me, although I am speaking only for myself here. My feeling is that any set of good requirements is the minimal set of functionality needed to do something. As such, everything that we put forward as a requirement needs to be justified. The survey is an attempt to understand how important - if at all - various things that are currently stored and published in the RIPE Database are to the RIPE community. Your opinion that the RIPE Database should contain and make public lots of information is clear. I think that our job as the task force is to try to understand and document what your use cases are and whether or not those reach the level of one or more requirements for what should be in the database and whether it should be public. Every tightening of security or privacy makes life more difficult for someone. Several years ago the shift from unencrypted HTTP to encrypted HTTPS was problematic for vendors who sold products or services that analyzed this traffic to help companies secure or otherwise understand their networks. The current shift from unencrypted DNS to DNS-over-TLS or DNS-over-HTTPS is problematic for companies that snoop on DNS traffic to check for bots or other hacked systems accessing their command-and-control networks. So I recognize that the parts of your work that involve getting data out of WHOIS databases is going to be harder if that information is not there. Possibly your work will be impossible. It is understandable that this would make you a bit angry or afraid. Even so, not every current use or potential use of the RIPE Database is necessarily something that must be supported going forward. Note that the task force has already published an incomplete draft of the requirements, so you can see what we have in mind: https://www.ripe.net/resolveuid/ec75a6eb21684150bbcf6cd53917629c Also note that this is the *beginning* of the process of changing the database, so nothing the task force recommends is to be considered the final word. Any changes will go through the usual RIPE policy development process (PDP) in an appropriate working group (probably either Database or Routing, but possibly Address Policy), so there will be plenty of time to discuss specific proposals. Cheers, -- Shane
Note that the task force has already published an incomplete draft of the requirements, so you can see what we have in mind:
https://www.ripe.net/resolveuid/ec75a6eb21684150bbcf6cd53917629c
I've read this with interest and also the discussion in this thread. I wish to make a comment in this context. The above quoted document doesn't really discuss what tools should be available to discourage undesireable actions on "the fringes" of our environment, typically actions which don't enjoy the light of day. One aspect to discourage such actions is "transparency", and that's hardly mentioned or discussed as a goal. I would dislike for the usefullness of the RIPE DB to devolve to the same state of affairs the domain registry business has done. As a random example: Domain Name: WHOISTHAT.COM Registry Domain ID: 85429666_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.enom.com Registrar URL: http://www.enom.com Updated Date: 2020-03-31T08:22:02Z Creation Date: 2002-04-09T21:59:54Z Registry Expiry Date: 2021-04-09T21:59:54Z Registrar: eNom, LLC Registrar IANA ID: 48 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS1.DSREDIRECTION.COM Name Server: NS2.DSREDIRECTION.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2021-02-04T13:22:21Z <<<
There's not exactly many hooks to grab onto in this information to know who or which organization actually stands behind this domain. There also isn't a lot of discussion about what tools are already available if one wants to "hide in plain sight" in the RIPE DB. E.g. a "role" only has the following mandatory elements: role: [mandatory] [single] [lookup key] address: [mandatory] [multiple] [ ] e-mail: [mandatory] [multiple] [lookup key] nic-hdl: [mandatory] [single] [primary/lookup key] mnt-by: [mandatory] [multiple] [inverse key] created: [generated] [single] [ ] last-modified: [generated] [single] [ ] source: [mandatory] [single] [ ] ...and... I guess the e-mail address isn't validated as being a working e-mail address, or leading to "the right place" either; and phone and fax# are both optional, and quite a bit of the other information isn't really verified either, so could very well be falsified. And ... for an inetnum, all the mandatory fields are: inetnum: [mandatory] [single] [primary/lookup key] netname: [mandatory] [single] [lookup key] country: [mandatory] [multiple] [ ] admin-c: [mandatory] [multiple] [inverse key] tech-c: [mandatory] [multiple] [inverse key] status: [mandatory] [single] [ ] mnt-by: [mandatory] [multiple] [inverse key] created: [generated] [single] [ ] last-modified: [generated] [single] [ ] source: [mandatory] [single] [ ] If the admin-c and tech-c can all be populated with a reference to a role with more-or-less anonymized contents, we're really not very far from the awful domain whois listing above. In other words, a bad-faith actor could already very well hide in plain sight, using the RIPE DB as a "privacy tax haven". I miss a discussion of what impact this push for ever more privacy has on transparency, and whether it is relevant to discuss the weighing of transparency on the one hand and privacy on the other. Regards, - Håvard
Hi DB-WG, (Disclaimer: I can only speak on behalf of one CSIRT, the CSIRT i work for. I would like to read views from other CSIRTs on this) Havard has precisely touched the issues that a CSIRT often faces -- the whois information is a dead-end. And most of the time everyone knows the information was "cooked" to be a dead-end. Quoting Havard: "In other words, a bad-faith actor could already very well hide in plain sight, using the RIPE DB as a "privacy tax haven"." I don't think the correct word is "could": They do it as part of their "process" and everyone knows about it. Some do it poorly. Some do it to be obvious to everyone that the data is bogus. These actors shouldn't even be inside the system to start with!!!!!!! I'm pessimistic about the current level of abuse on the numbers registration ecosystem. If we want to be optimistic, then OK, the domain regitration ecosystem is a lot worse. But that dirt on the other side doesn't mean our side is clean. How to solve or improve this? No magic here! But focusing on "transparency" would be a good start, and if people really worry about "privacy" and "personal data", then a new rule about "only insert professional data on the RIPEdb" comes to mind. If one doesn't have any professional data, well, maybe that person shouldn't be part of the ecosystem. Regards, Carlos On Thu, 4 Feb 2021, Havard Eidnes via db-wg wrote:
Note that the task force has already published an incomplete draft of the requirements, so you can see what we have in mind:
https://www.ripe.net/resolveuid/ec75a6eb21684150bbcf6cd53917629c
I've read this with interest and also the discussion in this thread.
I wish to make a comment in this context.
The above quoted document doesn't really discuss what tools should be available to discourage undesireable actions on "the fringes" of our environment, typically actions which don't enjoy the light of day. One aspect to discourage such actions is "transparency", and that's hardly mentioned or discussed as a goal.
I would dislike for the usefullness of the RIPE DB to devolve to the same state of affairs the domain registry business has done. As a random example:
Domain Name: WHOISTHAT.COM Registry Domain ID: 85429666_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.enom.com Registrar URL: http://www.enom.com Updated Date: 2020-03-31T08:22:02Z Creation Date: 2002-04-09T21:59:54Z Registry Expiry Date: 2021-04-09T21:59:54Z Registrar: eNom, LLC Registrar IANA ID: 48 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS1.DSREDIRECTION.COM Name Server: NS2.DSREDIRECTION.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2021-02-04T13:22:21Z <<<
There's not exactly many hooks to grab onto in this information to know who or which organization actually stands behind this domain.
There also isn't a lot of discussion about what tools are already available if one wants to "hide in plain sight" in the RIPE DB. E.g. a "role" only has the following mandatory elements:
role: [mandatory] [single] [lookup key] address: [mandatory] [multiple] [ ] e-mail: [mandatory] [multiple] [lookup key] nic-hdl: [mandatory] [single] [primary/lookup key] mnt-by: [mandatory] [multiple] [inverse key] created: [generated] [single] [ ] last-modified: [generated] [single] [ ] source: [mandatory] [single] [ ]
...and... I guess the e-mail address isn't validated as being a working e-mail address, or leading to "the right place" either; and phone and fax# are both optional, and quite a bit of the other information isn't really verified either, so could very well be falsified.
And ... for an inetnum, all the mandatory fields are:
inetnum: [mandatory] [single] [primary/lookup key] netname: [mandatory] [single] [lookup key] country: [mandatory] [multiple] [ ] admin-c: [mandatory] [multiple] [inverse key] tech-c: [mandatory] [multiple] [inverse key] status: [mandatory] [single] [ ] mnt-by: [mandatory] [multiple] [inverse key] created: [generated] [single] [ ] last-modified: [generated] [single] [ ] source: [mandatory] [single] [ ]
If the admin-c and tech-c can all be populated with a reference to a role with more-or-less anonymized contents, we're really not very far from the awful domain whois listing above.
In other words, a bad-faith actor could already very well hide in plain sight, using the RIPE DB as a "privacy tax haven".
I miss a discussion of what impact this push for ever more privacy has on transparency, and whether it is relevant to discuss the weighing of transparency on the one hand and privacy on the other.
Regards,
- Håvard
participants (6)
-
Carlos Friaças -
denis walker -
Havard Eidnes -
Ronald F. Guilmette -
scott donald -
Shane Kerr