[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Is WHOIS going to go away?

On Wed, Apr 18, 2018 at 5:51 PM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Filip Hruska:
> > On 04/14/2018 07:29 PM, Florian Weimer wrote:
> >> * Filip Hruska:
> >>
> >>> EURID (.eu) WHOIS already works on a basis that no information about
> the
> >>> registrant is available via standard WHOIS.
> >>> In order to get any useful information you have to go to
> >>> https://whois.eurid.eu and make a request there.
> >>>
> >>> Seems like a reasonable solution.
> >> Why?  How does the protocol matter?
> >>
> >> Either you may publish individual personal information for use by the
> >> general public, or you may not.  Adding a 4 to the port number doesn't
> >> change that.
> >>
> >
> > The EURID webwhois cannot be scraped, there are anti-bot measures in
> > place (captcha, throttling, all information displayed in images).
> > Scraping WHOIS systems for thousands domains at once using the WHOIS
> > protocol is easy though. There are "WHOIS History" sites which scrape
> > all domains and then publish the data along with the date of retrieval.
> >
> > GDPR contains this in relation to the right to erasure:
> >
> >  1. Where the controller has made the personal data public and is
> >     obliged pursuant to paragraph 1 to erase the personal data, *the
> >     controller, taking account of available technology and the cost of
> >     implementation, shall take reasonable steps, including technical
> >     measures, to inform controllers which are processing the personal
> >     data that the data subject has requested the erasure* by such
> >     controllers of any links to, or*copy or replication of, those
> >     personal data*.
> Wouldn't that require a channel to the recipient of WHOIS data, so
> that the controller can notify those who have accessed it once erasure
> is requested?
> A simple webform doesn't achieve that because it's not much different
> from the way traditional WHOIS works.

A simple webform doesn't provide the personal data, just relay a message.
Anyways, I heard registrars mentioning a double form where the e-mail
address of the party sending the message to the domain owner is first
confirmed before relaying the message.
That would provide accountability for who sent what, if the message turns
out to be harassment, threatening or alike.