On Thu, Dec 08, 2016 at 12:29:50PM -0500, Stephanie Perrin wrote:
> Furthermore, even the datestamp and registrar-generated data may reveal association of domains that leads you to the registrant. Let's say I register ten names one day, with the same registrar, one of which is Stephanieperrin.com, another is canadianconvertstoterrorism.com, is it not possible to find that cluster of registrations, and associate all domains with me?
If this were the only trail you left on the Internet while doing that (and it isn't), I'd say it'd depend on your registrar. If you registered all those on the same day through GoDaddy, then no, I think it'd be a ridiculous association (because GoDaddy is a large and busy registrar and com is a very large zone). If you registered them through Andrew's Registrar and Bait Shop, then I think your terrorist trainers did rather a bad job. And of course, if you're doing this sort of thing and value any sort of privacy, then you'd not use the same registrar anyway.
> The data commissioners pointed out many years ago (2003 I think, I can check) that they had a problem with the reverse directory capability of the WHOIS, because it was not at all necessary for the functioning of the domain system, or at least ICANN had never made the argument.
Please don't leap to "the WHOIS", since it isn't plain what that means. We need to stick to specific fields here, please. In particular,
> They did not think WHOIS should offer the capability of searching by registrant name. I would argue further, these days, that publication of other data should not make registrant identity reasonably retrievable.
the registrant case is not relevant to the data we're talking about. We'll never make any progress if we keep obliterating the distinctions people are trying to draw.
> There is a question that I have in return. I presume that much of the current configuration and policy of WHOIS and its data elements is based on simply building on a flimsy foundation.
Yes. We took a phone book protocol that was perfectly good for a network of 4000 people all under contract to the US DoD, and have used it for more than 20 years on a large Internet involving all kinds of people with all manner of contractual relationships. This is why the question of whether we can ditch whois makes me livid: it should have been replaced approximately forever ago.
> concept of tiered access extensively in the EWG, but at least one member of that group (me) never understood whether the tiered access we were spec'ing is something that is technically possible but financially, legally and operationally infeasible.
RDAP is explicitly designed _on purpose_ to make this cheap and easy. It was one of the goals that those of us who got the working group going had.

--
Andrew Sullivan
ajs@anvilwalrusden.com