The WHOIS: security and privacy issues Giovanni Seppia CENTR General Manager [email protected] Network and Information security: political and technical challenges Rome, 2-4 November 2005

Page 1: The WHOIS: security and privacy issues - ISCOM - Istituto

The WHOIS: security and privacy issues

Giovanni Seppia

CENTR General Manager

[email protected]

Network and Information security: political and technical challenges

Rome, 2-4 November 2005

Page 2: The WHOIS: security and privacy issues - ISCOM - Istituto

Introducing CENTR

Page 3: The WHOIS: security and privacy issues - ISCOM - Istituto

What is CENTR?

Council of European National Top Level Domain Registries

Forum for TLD managers

– Primarily ccTLDs
– Also includes gTLDs
– Mainly European
– Membership from 5 continents
– Developed and emerging TLD markets, like .AF, .IR

Open to all Top Level Domain Registries in the world

Page 4: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR’s Membership

• AFGNIC Afghanistan (.af)
• STA Andorra (.ad)
• ISOC.AM Armenia (.am)
• NIC.AC Ascension Is. (.ac), Diego Garcia (.io), St Helena (.sh)
• NIC.AT Austria (.at)
• DNS Belgium Belgium (.be)
• Digital Systems Bulgaria (.bg)
• CIRA Canada (.ca)
• CARNet Croatia (.hr)
• UCY-DNS Cyprus (.cy)
• CZ.NIC Czech Republic (.cz)
• DENIC Germany (.de)
• Dansk Internet Forum (.dk)
• FICORA Finland (.fi)
• AFNIC France (.fr), Mayotte (.yt), Reunion (.re), St. Pierre & Miquelon (.pm), Wallis & Futuna Is. (.wf)
• GibNet Gibraltar (.gi)
• GR-Hostmaster Greece (.gr)
• Island Networks Guernsey (.gg), Jersey (.je)
• CHIP Hungary (.hu)
• IEDR Ireland (.ie)
• IPM Iran (.ir)
• ISNIC Iceland (.is)
• ISOC-IL Israel (.il)
• IT-NIC Italy (.it)
• JPRS Japan (.jp)
• LITNET NOC Lithuania (.lt)
• LATNET Latvia (.lv)
• RESTENA DNS-LU Luxembourg (.lu)
• NIC Malta Malta (.mt)
• NIC-Mexico Mexico (.mx)
• SIDN Netherlands (.nl)
• ISOCNZ New Zealand (.nz)
• NORID Norway (.no), Bouvet Is. (.bv), Svalbard & Jan Mayen Is. (.sj)
• Palestinian Registry Palestine (.ps)
• NASK Poland (.pl)
• FCCN Portugal (.pt)
• RNC Romania (.ro)
• Ros-NIIROS Russia (.ru)
• RED.ES Spain (.es)
• ARNES Slovenia (.si)
• IIS Sweden (.se)
• SWITCH Switzerland (.ch), Liechtenstein (.li)
• SITA (.aero)
• Vatican – Holy See (.va)
• Nominet UK United Kingdom (.uk)
• NeuStar United States of America (.us)
• VeriSign (.com, .net)
• Afilias (.info)
• Public Interest Registry (.org)

Page 5: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR’s structure

Executive Committee
– 5 members to steer the organisation in accordance with members' wishes

Secretariat
– 4 people to develop the work as requested by members

Page 6: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR’s output

Newsletter, “Domain Wire”, 2 issues a year

Surveys
– A-level survey, covering the main aspects of registry management
– B-survey, covering legal issues related to registries
– Other surveys upon request of our members

Comments and positions on several topics that may have an impact on our members

Outreach programme, providing registries of developing countries with financial and technical support

Page 7: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR in the international arena

The European Commission participates in CENTR as an observer. Government reps may also attend…

Regular meetings with: DG INFSO & Media, including the GAC Secretariat, the Cabinet of the Commissioner Reding

At present, co-operation with the data protection Unit of DG Justice, Freedom and Security for the WHOIS related topics

Associate member of the European Internet Foundation

Regular participation in all the international Internet fora and meetings

Page 8: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR’s long term vision

Expanding the dialogue among registries, governments and international bodies

Developing best practice by encouraging exchange amongst registries

Improving the reliability and stability of the Internet through improved DNS practices

Working closely with other Internet organisations

Page 9: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR and the WSIS-WGIG process

Fundamental to distinguish between:
– Those issues that may require restructuring of the present arrangements
– Those that can be (and are expected to be) resolved within the existing frameworks

Most issues are local and regional: best solved within countries, not globally

The “free spirit” of the Internet crucial for any future development

Page 10: The WHOIS: security and privacy issues - ISCOM - Istituto

Industry statistics

Page 11: The WHOIS: security and privacy issues - ISCOM - Istituto

Domain name base growth 2001 – Q2 2005*

At the end of the second quarter 2005, there were 82,9 million domain names registered worldwide. This represents a nearly 8% growth over the first quarter of 2005 and a 28% increase over last year.

.com remains the largest Top Level Domain (TLD) in terms of its total base of registrations.

Followed by .de (Germany), .net and .uk (United Kingdom)

*courtesy of VeriSign

Page 12: The WHOIS: security and privacy issues - ISCOM - Istituto

Industry growth and composition*

*courtesy of VeriSign

Over 8 million new domain names were registered in the second quarter of 2005.

The ccTLDs as a group account for 35%, followed by .net at 7%.

Page 13: The WHOIS: security and privacy issues - ISCOM - Istituto

ccTLD breakdown 2002 – Q1 2005*

*courtesy of VeriSign

Out of the more than 240 ccTLDs, the top ten account for 71% of all ccTLD registrations.

ccTLDs compete with gTLDs and each other.

Page 14: The WHOIS: security and privacy issues - ISCOM - Istituto

Top ccTLD registries by domain name base, Q2 2005

1. .de (Germany)
2. .uk (United Kingdom)
3. .ar (Argentina)
4. .nl (Netherlands)
5. .it (Italy)
6. .us (United States)
7. .br (Brazil)
8. .ch (Switzerland)
9. .cn (China)
10. .jp (Japan)

Page 15: The WHOIS: security and privacy issues - ISCOM - Istituto

WHOIS and security issues

Page 16: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR and WHOIS

In 2004, CENTR members started to work on a document that was meant to provide information on:
– WHOIS
– Policies on WHOIS services
– Administrative and technical aspects of WHOIS services
– WHOIS checklist

Page 17: The WHOIS: security and privacy issues - ISCOM - Istituto

What is WHOIS?

Originally:
– A simple network protocol for sharing contact information relating to a domain
– Designed to aid network engineers in contacting domain administrators to maintain the stability of the Internet

Over time, taken on a second meaning:
– The database of contact information relating to domains, no matter how it is presented, i.e. over WHOIS, via a web page, using other methods

Now there are over 80 million domain names registered worldwide
– Uses for WHOIS services have expanded

Page 18: The WHOIS: security and privacy issues - ISCOM - Istituto

WHOIS and ccTLDs

Country Code Top Level Domain registries are accountable to the local communities they serve

Relations between ccTLDs and their registrars are generally made through bilateral agreements

Each ccTLD must establish and enforce any privacy policy in accordance with applicable laws

Page 19: The WHOIS: security and privacy issues - ISCOM - Istituto

Who uses WHOIS?

The OECD stated that “WHOIS data is a critical source of information that assists in accurately identifying the registrants of domain names”

WHOIS is generally used by:
– Network operators
– Registries and registrars
– Registrants (i.e. consumers)
– Business users
– Law enforcement personnel

Page 20: The WHOIS: security and privacy issues - ISCOM - Istituto

Information availability

For gTLDs, public availability is requested by ICANN through the Registrar Accreditation Agreement, which requires registrars to collect data directly from the registrants

Information to be available:
– Name of authoritative name servers
– Identity of the registrar
– Date of initial registration
– Current expiration date
– Name and postal address of the name holder
– Name, postal address, e-mail address, telephone and fax numbers of the technical contact for the registered name
– Name, postal address, e-mail address, telephone and fax number of the administrative contact for the registered name

Page 21: The WHOIS: security and privacy issues - ISCOM - Istituto

Data accuracy

The survey undertaken by the WHOIS taskforce of ICANN in 2002 revealed that a high percentage of the WHOIS data is incomplete, inaccurate or outdated

The ccTLDs have established some methods to improve the accuracy of the WHOIS data

Page 22: The WHOIS: security and privacy issues - ISCOM - Istituto

Administrative aspects of a WHOIS service

Registries and registrars need to consider the impact of complying with relevant data protection requirements

– Declarations of data collection and usage
– Source for legislation about data protection
– The “controller” of the data
– Usage of personal data
– Transfer of data to third parties
– Information on the rights of the registrant and its ability to enforce them
– The right to refuse data to be displayed on the WHOIS
– The possibility to access its own data
– Ability to correct or delete held data

Page 23: The WHOIS: security and privacy issues - ISCOM - Istituto

Technical aspects of a WHOIS service

Registries may have put in place some technical measures to run a WHOIS service in compliance with administrative requirements:

– Data security
– Access to data
– Tiered access
– Opt-in/opt-out provisions
– Searchability

Page 24: The WHOIS: security and privacy issues - ISCOM - Istituto

Security issues summary

Level of data in the database

Controls on queries

Indirect vectors to get into WHOIS

Primary goal: Run the service, protecting the rights of the registrant
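Tiered access and opt-out from the "Technical aspects" slide, combined with the "controls on queries" item above, sketched in Python as an added example (not part of the presentation and not any registry's code). The tier names, the fail-closed opt-out default, the limiter parameters and the sample record are assumptions.

```python
import time
from collections import defaultdict, deque

WITHHELD = "withheld at registrant's request"
ALWAYS_SHOWN = ("domain", "name_servers", "registrar", "created", "expires")
CONTACTS = ("holder", "tech", "admin")

# Constructed record; field groups follow the "Information availability" slide.
RECORD = {
    "domain": "example.test", "name_servers": ["ns1.example.test"],
    "registrar": "Example Registrar", "created": "2004-03-01",
    "expires": "2006-03-01",
    "holder": {"name": "A. Holder", "address": "1 Example Street"},
    "tech": {"name": "T. Contact", "email": "tech@example.test"},
    "admin": {"name": "B. Contact", "email": "admin@example.test"},
    "opt_out": True,  # registrant refused display of personal data
}

def render(record, tier="public"):
    """Return the view of a record that a client in `tier` may see."""
    if tier not in ("public", "vetted"):  # assumed tier names
        raise ValueError(f"unknown tier: {tier}")
    view = {k: record[k] for k in ALWAYS_SHOWN}
    # Fail closed: a record with no recorded choice is treated as opted out.
    show = tier == "vetted" or not record.get("opt_out", True)
    for k in CONTACTS:
        view[k] = dict(record[k]) if show else WITHHELD
    return view

class QueryLimiter:
    """Sliding-window cap on queries per client (a control on queries)."""
    def __init__(self, max_queries, window_s):
        self.max_queries, self.window_s = max_queries, window_s
        self.seen = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.seen[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # forget queries that left the window
        if len(q) >= self.max_queries:
            return False
        q.append(now)
        return True

def handle_query(record, client, tier, limiter, now=None):
    """Apply the query control first, then the tiered view."""
    if not limiter.allow(client, now):
        return {"error": "query limit exceeded"}
    return render(record, tier)
```
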

Page 25: The WHOIS: security and privacy issues - ISCOM - Istituto

CENTR WHOIS paper

Developed as a reference document of guidelines

Not mandatory for CENTR members

Provides a framework to help them develop suitable policies and procedures that comply with international legislation and regulations

Highlights some basic aspects of the WHOIS services, offering a checklist

Page 26: The WHOIS: security and privacy issues - ISCOM - Istituto

WHOIS checklist

Create a privacy policy

Make the privacy policy available at all times

Ensure that you can get a specific consent from the registrant

Give the registrant the possibility to read, rectify or remove personal data contained in the registry database

Use the data strictly in accordance with the policy

Third party access

Maintaining the database

Page 27: The WHOIS: security and privacy issues - ISCOM - Istituto

Questions?

Thank you for your attention

Giovanni Seppia

CENTR General Manager

[email protected]