This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!
Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.
This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.
I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.
With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.
Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?
From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.
I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.