I've been reading the latest round of postings on domain WHOIS info and privacy. This topic is by no means new and no new brilliant suggestions have been forthcoming. In fact I have a sense of deja vu. As such some references to comments and my response thereto.

If you would like any evidence for what I'm saying, feel free to contact me off list. Everything here is based on actual incidents and not some hypothetical possibility.

Apologies for the long email. But the below needs to be said on behalf of everyday innocent internet users who have as much right as anybody else. Likewise on behalf of hard working, dedicated LE who wish to protect those they were tasked to protect and serve.

* Domain WHOIS details are being likened to gun registration details and the assertion made that guns are dangerous, domains are not.

Domains are as much part and parcel of the cyber criminal's toolkit as a gun in the hands of a dangerous criminal. In either case it takes a person/persons behind that tool with ill intentions to use it in a harmful way. Gun legislation is local to a country. Domains have international reach. Abused domains have been used to set up fraudulent web presences in which victims have not only been defrauded, but lured into strange countries which they were not familiar with, where they have been kidnapped and held to ransom, tortured, raped and even murdered. Furthermore some of these syndicates have been linked to the drug trade, money laundering, human trafficking, prostitution and even the funding of terrorism.

Guns and domains are both tools. I could turn around and say the gun does not kill, it's the bullet .... which would be petty and not constructive. It needs to be accepted that domains can be used to deceive internet users and in some cases that deceit can lead to mortal danger. Search government websites, newspapers etc as well.

* The American constitution, European privacy laws etc have been quoted.

That's great for local issues.
However in the cyber criminal's case he hardly ever discloses his real location. Privacy is also abused to gain anonymity. All too often in these cases a party living in one country may claim a fake address in another country, the decision of claimed residence simply being what an anonymous proxy shows in many cases. Does the fact that he paid $10 to an offshore registrar suddenly put him out of reach of his local LE and does it provide him the protection of that offshore jurisdiction or the fake claimed address? This is happening.

Applying local law to a global issue could also lead to further consequences; if you are not willing to respect our laws regarding issues by using your laws, why should we respect yours? How many internet users and/or registrants (really) live in the USA? How many in Europe? Using these as an absolute in terms of this issue will lead to fragmentation and chaos on the net. Imagine the UK and the USA using the same highway, each using their own rules of the road. Neither is wrong, but not appropriate at the same time on the same highway either.

* Whois details were not designed to combat crime, infringements etc

Neither was the internet designed for crime. However why should we suddenly limit ourselves to mechanisms other than whois details, if despite being fake, whois details show the extent of an issue by trending and can lead to uncovering the larger extent of fraud/spamming/whatever? Whois details and accuracy have become more important than ever. Right now whois details are used to protect innocent internet users proactively which is more than any suggestion I have heard, which is reactive and too late.

* Whois details should be private and only disclosed to recognized LE or their agents.

How do you identify those LE or agents? How do you stop abuse by those parties? How would you recognize abuse of any kind? I'm sure certain American registrars would have an issue with certain East Asia countries. And vice versa.
At best some tokenism would be present, at worst no cooperation. However we find registrars deliberately setting up mechanisms to frustrate such attempts - a lawyer in Hong Kong, one in the Sudan that will not disclose your details. In fact it's not even asked, only your money which can be done anonymously as they point out.

This also does not scale in terms of emergency situations. The international nature of domain registrations would dictate that a system is available that can be queried 24 x 7. Currently we find that international queries can take weeks. Yet the lifetime of logs on the internet can be measured in days if we are lucky (on that front there is clamoring for no logs in many cases). We also find that an emergency situation in one country does not constitute a crisis in another. This is frustrating to both LE and private parties. Also imagine the frustration of those waiting out the unduly long period and receiving something that equates to "Yogi Bear, Yellowstone Park". It happens and has been discussed before.

* the law enforcement boogeyman and eastern European crime syndicate.

I wish it was a boogeyman. It is not. Read up on Heihachi on Webalta, fake whois was manipulated by a criminal domain and hosting reseller serving other criminals (the term criminal qualified by competent LE and courts), the unwillingness of a large American registrar to act despite proven fake whois and proven harm etc. This led to Germany's largest incident of cyber crime in history in terms of financial loss (as per German authorities). In turn part and parcel of this was a botnet, ddos'ing and malware hosting operation. The owner of Heihachi had been in trouble with LE before regarding the self same issue, but became a reseller to an offshore American registrar using fake details to do it all again.

* no curious parties/"vigilantes" should have WHOIS access / their details should be sent to the registrant with proof of a crime being committed.
The very same incident mentioned and similar to the previous point was uncovered by technically savvy non-LE people looking at incidents, connecting the dots and who had to do a lot of hard work to present evidence of organized crime to the authorities for them to start looking into it. These same "curious" parties may also incidentally do a lot of the legwork for overburdened LE in issues such as spamming, botnets, malware, 419 and other forms of cyber-crime.

As for a crime being committed as a qualifier - that implies after the fact and a victim. This would be a step in the wrong direction. Many times with sufficient evidence, whois being part of that evidence currently, a crime can be prevented. I would also like to know whose laws will be used as a qualifier? Already we find disparate laws regarding certain issues being exploited in cross jurisdictional discrepancies.

* Each domain exposure request should go via a court of law or other relevant due process.

Courts tend to be notoriously slow. The crime can last a day, a week, a month or however long. Many times the issue continues until someone reports it with evidence of harm being done. There would be no element of prevention. Also which country's court should be considered authoritative?

"A five minute crime can take 3.5 years to fully investigate and prosecute" - quoting a comment by a hard working LE party recognized and respected by his peers internationally, expressing his frustrations.

At whose cost? As it is currently, a $10 transfer to a registrar grants you a free domain, SSL certificate, domain privacy and unverified registration details, all thanks to the likes of anonymous money transfer mechanisms, anonymous proxies and less than honorable resellers.

We are assuming that the relevant skills will be available in each country. This seems a bit like the tail wagging the dog. This is also ridiculous considering the absolute amount of domain abuse going on. This solution simply does not scale.
Who has to foot the bill for it? The victim - victimize the victim further? Tax payers in a distant country?

Here is news to some of you that may cause a stir: LE tosses a lot of these issues into the corner. Right now as an example 419 fraud is a can of worms and for the bulk does not get investigated apart from tokenism. The amounts Americans are conned out of are staggering. Likewise victims in other countries. Education fails as these scams are forever evolving. 419 fraud proceeds are the 2nd largest income for Nigeria after oil. Domains are part and parcel of 419 fraud and link incidents beautifully for investigations. Ironically these 419 gangs are not that difficult to track, trace or arrest. Yet it does not happen. This is known and the impunity of these gangs grows day by day. Yet as an American citizen, try and get your 419 case investigated in the USA? Chances are great you are doomed to become stats at IC3. Why, even the IC3, FBI, CIA etc have been spoofed many times in 419 fraud.

* Disclosure to registrant of accurate details of anyone inquiring to an unverified registrant.

Great! This will alert anyone committing crime that someone is on to him and he will immediately morph into a new identity giving him a free next round at harming internet users. Not bad for an unverified $10 domain registration. Additionally in some countries a life is cheap.

* private persons vs public persons and privacy

The UK's Nominet has this option as an example for private parties. All too many times we find spoofs of banks or other real or imagined companies used in fraud and registered as private. Would this qualify for an immediate suspension until investigated and then either unsuspended or cancelled depending on the outcome, if implemented? Why else have the qualifier?

There are many more comments I can make, but what is clear to me is that a lot of suggestions are made well intentioned, but with no real exposure to the total spectrum of domain abuse.
Nor the issues facing anyone wishing to investigate, be it LE, a private person or a corporation.

The internet was initially built on trust. Today there is very little of it left. Unless verification can be established at all levels, we have zero chance of ever resolving serious issues affecting each and every one of us mentioned in the group and we are at a stalemate. Simply covering the mess that makes up the whois database with privacy will affect each and every internet user negatively.

We should also be careful to not make suggestions that negatively affect the ability of those legally put there to protect us or investigate when harm is done, yet by the same token hold them responsible for protecting us. We are dooming them to failure.

The tendency to label LE in general terms as loose cannons should also be measured against the tendency to start off with the registrant being innocent. Why this unbalanced outlook? It's easier to take LE to task than a rogue registrant. We also need to ask where the greater/lesser harm is being done. Think international as well.

The internet has created its own ecosystems and has seen unintentional (or perhaps not?) opportunities being created daily to harm innocent internet users.

Derek

PS: I still believe the Heihachi / fake German shopkeeper issue should be turned into a case study as to show how the domain system can be manipulated to harm innocent netizens. This would be a great opportunity for many people to learn how cyber crime can affect each of us, also how it could have been avoided and who the role players are. Quite frankly this is a missed opportunity.