At ICANN - once again - the discussion about whois is boiling over. Especially with the requirements of the DSGVO in the EU, ICANN has run into massive problems. But there is probably a solution: Ultra-Thin-Whois.
What's this all about?
Whois is the service that provides information about who has ordered which Internet resource. Usually these are IP addresses or domain names.
IP addresses are needed to participate in the Internet at all. The computer or mobile phone is assigned an address during registration in the network with which it can receive data packets from all over the world. The IP address is thus a kind of telephone number of the computer in the network. When you talk to a server, you send a packet to its address with the request and its own address as sender. The server replies to the given address.
Of course you cannot know all addresses of all services in the network by heart. Domain names are used to enter the services under an easily remembered name into an entry in a kind of phone book. The phonebook is called DNS and returns an IP address to a name. With this you can also address the server of the service.
In order to avoid duplicates that keep addresses and names unambiguous, there is a need for coordination, a kind of Internet governance. ICANN is the organization that sets the rules and contracts by which namespaces are managed.
All resources are initially managed by IANA, and under ICANN contracts, different registries are assigned a block or portion of the namespace for administration. Those who need a resource contact the registry through a registrar, a kind of reseller, to register the resource on themselves. After registration, the registrant can then use the resource.
The Whois Dilemma
In practice, it happens that you want to know who is currently responsible for a particular service. This may be because something is not working (e-mail does not arrive) and you need help from the other side to troubleshoot the problem. Be it because it has a legal problem (with the contents of a website). Be it because criminal abuse (spam, DoS) is done with the resource.
In the early days of the Internet, the Whois service was invented primarily for the elimination of technical errors. You ask a special service who is responsible for the resource and get the name, phone number and e-mail of a competent contact person back. This was also quite simple, because there were only a few places that allocated the resources directly. All the things like registry and registrar didn't exist as independent institutions. If you operate everything from a single source, the information is of course very easy.
So how do you build such a service when the allocation process is spread across many levels? The preferred approach is still to collect the data centrally and thus operate a thick-whois service centrally. There are some advantages to this:
- All requests can be placed in the same place. Access is immediate.
- You can make mass queries, e.g. what resources does the registrant still have?
- One can limit oneself to one place when securing the data against attacks and thus protect more effectively.
Over time, the concept of data protection changed as well. Many people are now using the Internet and utilizing resources which are not engineers. Should their data also be visible in the Whois? There are some cases where it makes sense to determine the registrant, e.g. criminal activities. But you can't put all users under this initial suspicion and proactively publish their data.
The introduction of the European Data Protection Regulation (GDPR) brings it to a really high level. Even ICANN is now urged to comply with the laws now in force, at least for European partners. But other countries will also have their own data protection regulations, some of which differ considerably from the European regulations.
How can ICANN meet all these requirements at the same time?
- A user in India registers a domain with an Indian registrar and uses it to create a website.
- A report has been filed in Pakistan against content on this website.
- The Pakistani police wants to determine the owner of the domain and asks the whois server about the Indian data.
- According to which law should the service return an answer? The current discussion demands that ICANN comply with European law in order to respond to the request.
Accepting the fact that there are different legal systems in the world and also the hierarchical structure of resource allocation, there are not many options to solve the problem.
Common sense recommends to stop the Whois service completely. It can be justified by the fact that it has outlived itself. The protest from law enforcement, the legal industry and the security community is certain.
The obvious technical solution is to strive for a unified global legal system. That sounds stranger than it is. The proposal of an Internet state was made earlier. Again, there is blatant protest.
A closer look at the problem reveals that central data storage really is problematic. This central database requires the data of the registrants to be moved out of their legal systems in order to make them available elsewhere under different legal conditions. This naturally gives rise to the following proposal:
- The Whois service is also structured hierarchically.
- Each participant in the allocation hierarchy operates its own Whois service.
- By querying a Whois service, a reference to the contract through which the registration was made and the next Whois server is displayed.
- If you follow the chain, you will gradually query the contract data, whereby each query will be answered according to the local law of the respective operator.
If you stop after the first steps, it's called Thin-Whois. Each participant can decide whether to run the Whois service himself or hand it over to the registry. This model has been used before and was not pursued further in this imprecise implementation.
However, if you contractually obligate all participants to offer the Whois services and to disclose the contracts there, you get Ultra-Thin-Whois. The new name should clearly state the contractual basis up to the registrar (and the reseller chain).
Does this work?
It's already working. The central registry is - we remember - IANA. So let's ask their Whois-Server:
$ whois -h whois.iana.org icann.org refer: whois.pir.org domain: ORG organisation: Public Interest Registry (PIR) address: 1775 Wiehle Avenue address: Suite 102A address: Reston Virginia 20190 address: United States
The output is much more extensive and contains the contact persons of this contractual partner.
In essence, IANA is saying that the part of the namespace "ORG" has been delegated to the registry. One should inquire there. So let's do that:
$ whois -h whois.pir.org icann.org Domain Name: ICANN.ORG Registry Domain ID: D2347548-LROR Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.whois.godaddy.com Updated Date: 2017-12-08T16:40:01Z Creation Date: 1998-09-14T04:00:00Z Registry Expiry Date: 2027-12-07T17:04:26Z Registrar Registration Expiration Date: Registrar: GoDaddy.com, LLC Registrar IANA ID: 146
The registry now refers us to the registrar. We should ask there. Let's do that:
$ whois -h whois.godaddy.com icann.org Domain Name: ICANN.ORG Registry Domain ID: D2347548-LROR Registrant Organization: ICANN Registrant State/Province: California Registrant Country: US
We have reached our goal.
Each request was made to a different institution and was answered under the applicable national law.
Returning to our example, the Pakistani police must consult an Indian service to obtain details. The Indian provider now takes Indian law into account when providing information about his Indian customer.
Why shouldn't we try that?