On 2007-02-09 08:11:55 -0500, Neil Schwartzman wrote:
> Investigators, both LEA and non-LEA have been able to track the origins of the botnet controllers to a specific place in Eastern Europe, and tie it to a group of people. WHOIS doubtlessly aided in those investigations.
I don't dispute that tracking down domain names to their owners can be a useful tool. I don't dispute that online crime is a serious problem, and that botnets are making it worse all the time. What I do dispute is that public WHOIS plays the role some people claim it plays.

When I ask about WHOIS's real value, what I mostly hear is somewhere between "the sky is falling", "there are patterns", "don't you dare to question us", and "we need to fight online crime at all cost." And that really doesn't cut it as an argument and makes me respond sarcastically.

I remember having heard people who advocated for open access to WHOIS data tell war stories in which, essentially, following the WHOIS trace was a pure distraction and a dead end; the great success they touted was to find out that the registrant data pointed to a real person who had nothing at all to do with the scam. They then went on to follow the payment trail and were much more successful there, if I recall correctly. I remember other war stories in which WHOIS helped law enforcement to find contact information at a major ISP, and therefore was deemed indispensable. Of course, that was really a fine example of "wrong tool for the job."

So: Explain what impact obfuscating WHOIS further would really have. Assume you have to jump through some hoop to convince a registrar that you're a good-faith private investigator. Assume you don't have access at all. Assume there's some rule that makes domains which don't have contact information much easier to take down. What happens? How do these options *really* shift the balance?
> do you REALLY want to hinder investigations by obfuscating a valuable investigative tool?
That is the "we need to fight this war at all cost" style of argument. It is utterly misplaced in this discussion.

Cheers,
-- 
Thomas Roessler <roessler@does-not-exist.org>