ICANN GDPR lawsuit

http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

-Dan

In article <Pine.LNX.4.64.1805301436410.25696@yuri.anime.net> you write:

http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

Elliot said that if he had to choose between fighting ICANN and
fighting governments, he'd fight ICANN. I can't blame him.

http://www.tucows.com/tucows-statement-on-icann-legal-action/

R's,
John

And here is the court decision, https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf

gotta love the German wisdom:

The Application for preliminary injunction of May 25, 2018 is rejected at the expense of the Applicant.

"Insofar as the Applicant bases its claim to relief on a parallel of the so-called "WHOIS" system to international agreements on trade mark registers, the Chamber is unable to follow this. The legal basis for the trademark registers on the basis of international agreements is missing in relation to the "WHOIS" service claimed by the Applicant. The fundamental comparability of the respective general need for protection does not change this."

FWIW a German court has just ruled against ICANN's injunction and in
favor of Tucows/EPAG.

   https://www.icann.org/news/announcement-4-2018-05-30-en

Welcome to contact-free whois?

-Dan

Already been bitten by it and trying to get the contact info reinstated.

whoisnt

The entire whois debacle will only get resolved when some hackers attack
www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the
response they get will be "sorry, we can't determine who is attacking
you since that contravenes GDPR", will the EU light bulb go on that
something in GDPR needs to be tweaked.

-Hank

* hank@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:

The entire whois debacle will only get resolved when some hackers attack
www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the
response they get will be "sorry, we can't determine who is attacking
you since that contravenes GDPR", will the EU light bulb go on that
something in GDPR needs to be tweaked.

Please stop inciting lawbreaking, and stop spreading long debunked talking points. Both are really inappropriate for this list.

  -- Niels.

The point was not to encourage law breaking. Sorry if that was what was
perceived. The point is that the people who designed GDPR did not take
whois into consideration in the least. And we all will suffer because
of that.

-Hank

OK, then let's talk about something that IS appropriate for this list.
How does your shop, Niels, go about making contact with an operator that
is hijacking one of your netblocks, or is doing something weird with
routing that is causing your customers problems, or has broken BGP?

I will say right now that in large shops, the owner is NOT the right
contact. In fact, if things are broken enough you may not be able to
send email to the owner -- he could be isolated. The registration
authorities want the owner contact for legal reasons. We poor sods in
the trenches need tech contacts, preferably contacts with clue.

In other words, how do you do your job in light of the GDPR restrictions
on accessing contact information for other network operators?

Please be specific. A lot of NOC policies and procedures will need to
be updated.

Right now my policies and procedures book says to use WHOIS. What needs
to change?

$dayjob has approaching 800 domains registered, of which a handful are set up for email and the hostmaster address was on only one of those. We only discovered the problem when a certificate authority attempted to contact us for one of the other domains. At that point I found that Network Solutions had removed all our contact information and trying to find someone with a clue at NetSol is nigh on impossible.

* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:

How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?

The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?"

  -- Niels.

Publish role accounts in whois instead of personal information?

Sorry, I don't mean to break up an energetic tirade but a phone number
is not PII when it's attached to "hostmaster" instead of "John Doe".
You and I like knowing that there's a specific person there and it
certainly helps when auditing public policy compliance but as a
technical matter contact doesn't have to work that way.

I noticed that Namecheap solved their GDPR problem by simply making
their "WhoisGuard" product free.

Regards,
Bill Herrin

The whois guard solution seems workable where the registrar just forwards information.
It would be nice if there were corporate phone numbers as GDPR doesn't apply to corporations.
For routing whois information there aren't going to be many individuals and it would seem
that the corporations who employ individuals should be the ones protecting those individuals'
work emails by providing a generic contact email forward. Which is good practice anyway
since people leave and go on vacation and problems still happen.
And the routing whois information is a lot more relevant to most of us here.
Of course anyone posting to a public list should be aware that their email address is
part of that information. Which is particularly relevant to this list.

Mack

+1

Perhaps the Right Thing(SM) to do is to update the best practices
documents regarding role e-mail accounts for network operators.

1. Add "networkmaster@example.com" to the list of required role accounts.

2. Require that e-mail sent to role "networkmaster@example.com" be
accessible in some way by all technical people for the network in
question. This can be done using a ticket system, or a simple mail
exploder.

3. Require that e-mail sent to role account "abuse@example.com" be
accessible in some way by all members of the abuse desk. This can be
done using a ticket system, or a simple mail exploder.

4. Require the WHOIS information specify exactly these role accounts
for TECH and ABUSE, not a person. This gets around the GDPR
requirements while maintaining the usefulness of the WHOIS without
having to go through an intermediate party or web site.

ICANN may want to consider this idea when adjusting its contracts with
registrars to eliminate GDPR exposure.
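As an added example (not code from any poster in this thread), here is a small Python audit that parses "Key: value" WHOIS output and flags TECH/ADMIN/ABUSE contacts that are missing, redacted, or personal mailboxes rather than role accounts, in the spirit of item 4 above and of the many-domains contact audit described earlier in the thread. The accepted role names, the field labels and the sample records are assumptions.

```python
import re

# Role mailboxes a NOC would accept for contact fields: the RFC 2142 names plus
# the "networkmaster" role proposed above. (Assumed list, not from the thread.)
ROLE_LOCALPARTS = {"abuse", "hostmaster", "noc", "networkmaster", "security"}

# Contact fields to audit, as labelled in "Key: value" registrar WHOIS output
# (assumed labels; adjust to what your registrar actually emits).
CONTACT_FIELDS = ("tech email", "admin email", "registrar abuse contact email")

def parse_whois(text):
    """Turn 'Key: value' WHOIS output into a dict with lower-cased keys."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.*\S)\s*$", line)
        if m:
            rec[m.group(1).strip().lower()] = m.group(2).strip()
    return rec

def is_role_address(addr):
    """True if addr is a well-formed address whose local part is a role mailbox."""
    local, at, domain = addr.strip().lower().partition("@")
    return at == "@" and local in ROLE_LOCALPARTS and bool(domain)

def audit_contacts(text):
    """Return findings for one record; an empty list means it follows the practice."""
    rec = parse_whois(text)
    findings = []
    for field in CONTACT_FIELDS:
        value = rec.get(field, "")
        if not value or "REDACTED" in value.upper():
            findings.append(f"{field}: missing or redacted, nobody to reach")
        elif not is_role_address(value):
            findings.append(f"{field}: personal mailbox {value}, use a role account")
    return findings

# Constructed sample records (not real WHOIS output).
GOOD_RECORD = """\
Domain Name: EXAMPLE.COM
Admin Email: hostmaster@example.com
Tech Email: networkmaster@example.com
Registrar Abuse Contact Email: abuse@registrar.example
"""
BAD_RECORD = """\
Domain Name: EXAMPLE.NET
Admin Email: john.doe@example.net
Tech Email: REDACTED FOR PRIVACY
"""

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, audit_contacts(rec) or ["ok"])
```

Feed it the saved output of a whois query per domain to find the ones whose contacts have silently gone away.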

Seriously? You’ve been around long enough to know that's a bull$&^% answer.

Feel free to look through the archives of *this* list and look at how many times some $random handle at some $random privacy protected or generic domain asks for someone from $bignetwork to contact them about a network problem.

Take you for example. You’ve been around for at least 15-20 years that I recall. But I bet you that 80% of the people on NANOG have *no* idea who you are or who you work for, and given the “useful” information on your website, an op would have to take the time to google you - which is way above the threshold of effort most people would take.

And that presumes that the ops from the tiny little network leaking your routes are actually a) subscribed here, and b) monitoring or filtering appropriately. And before you talk about the fact you stated “largetelco(dot)com”, I would bet that there are large telcos who don’t have ops like us who waste their time on NANOG.

So, instead of the suggestion you provided, do you have any other suggestions that are useful? I’m asking seriously, because I really do see this as a problem we all have to be able to solve as operators. I believe this is absolutely on-topic for one of the NANOG lists because this is a 100% operational problem, which appears to have as its only GDPR-acceptable solution alternative following a manual/email thread from *your* next hop network, requesting contacts/intros all the way down to the dumba$$ BGP speaking edge network with a part-time routing guy/antenna installer.

/rlj

Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB.

Owen

Of course it will not. We just need to accept that only roles not people
are published. Those people will change job anyway and nobody updates whois.

GDPR does not apply to companies, so you can still publish the owner of
domains and IP prefixes as company names with contact information.

Regards

Baldur

If they are hijacking a netblock, it is safe to assume they will also hijack an ASN.
The best method of dealing with hijacking is still deaggregation and contacting
upstream providers from a registered whois address, which should be a role account.

Mack