[swinog] GDPR / DSGVO and 'whois' domain data
Benoit Panizzon
2018-07-02 07:45:38 UTC
Dear Swinogers.

I run a couple of .com and .ch domains, which are registered via
Gandi.net.

About one week ago, Gandi activated 'privacy protect' on my .com
domains, hiding all my contact data in the whois output, without me
asking them to do so. They did send an email, though, saying they would
do so because of the GDPR.

I asked them how the GDPR entitles them to do so; in my opinion the GDPR
aims for more transparency and thus this is counterproductive.

Also, such domains usually quite quickly get a bad reputation, as hiding
the whois data is something the 'bad guys' do. It also becomes a bit
more difficult to verify whether a domain is legit or not when deciding
on well-crafted phishing emails, or to contact the owner in case of
security incidents.

I told Gandi about my concerns, but only got the reply that they
were forced to hide whois contact information on all domains registered
via their service because of the GDPR. Having the contact data published
is now optional and has to be activated manually by the domain owner.

This surely is not the case, as my .ch domains registered with Gandi
still show my complete contact details.

So I asked Gandi how exactly the GDPR forces them to hide their
customers' whois data. I haven't got a reply to this yet.

So I wonder if somebody on this list knows the background to why Gandi
acts this way, and if other registrars do the same.

If I get the whois data for some well known domains like:

microsoft.com
google.com
swiss.com
credit-suisse.com

NONE of them has 'privacy protect' activated.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
Jeroen Massar
2018-07-02 08:21:06 UTC
On 2018-07-02 09:45, Benoit Panizzon wrote:
[..]
Post by Benoit Panizzon
Also, such domains usually quite quickly get a bad reputation as hiding
the whois data is something the 'bad guys' do. Also it becomes a bit
more difficult, to verify if a domain is legit or not to decide upon
well crafted phishing emails. Or to contact the owner in case of
security incidents.
Bad guys just provide false data (and the privacy hiding things).

Hence, whois is mostly useless, even though that false data might be
able to correlate multiple domains (which is a feature that is lost now).

As RIPE is clearly demonstrating though, throwaway addresses and emails
are totally okay to have in RIPE whois....

Currently "good guys" will publish one of these:
https://<domain>/.well-known/security.txt

e.g.:
https://www.google.com/.well-known/security.txt
https://unfix.org/.well-known/security.txt
etc.

as per the _draft_:
https://tools.ietf.org/html/draft-foudil-securitytxt-03
https://github.com/securitytxt/security-txt
and (as usual) not everybody is happy with it:
https://news.ycombinator.com/item?id=15416198

Many folks also publish it directly as /security.txt; I have a default
location in nginx to cover them and put it everywhere (with try_files
one can try a per-vhost edition and then fall back to a generic one).

.oO(Yes, the Internet is HTTPS now, everything else is futile...
new Internet users on the block do not know what whois is, let
alone what it was useful for; problem reports are automated
nowadays, few still actually read/act upon abuse@ or security@
addresses...)

[..]
Post by Benoit Panizzon
So I asked Gandi for how the GDPR exactly forces them to hide their
customer's whois data. I haven't got a reply to this yet.
Nothing forces them to do so; they are just covering their behinds.

By blocking it they do not have to deal too much with GDPR, thus it is
the path of least difficulty (read: money).

[..]
Post by Benoit Panizzon
microsoft.com
google.com
swiss.com
credit-suisse.com
NONE has 'privacy protect' activated.
None of those are private individuals.

Greets,
Jeroen
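An added example (not from Jeroen's mail) of the nginx layout he describes: one shared location that tries a per-vhost security.txt first and falls back to a generic one, plus a redirect for clients that request the file at the site root. The directory /srv/security-txt, the file naming and the sample field values are assumptions.

```nginx
# Added example, not the poster's own configuration.
# Assumed layout (constructed):
#   /srv/security-txt/vhosts/<server_name>.txt   per-vhost file (optional)
#   /srv/security-txt/generic.txt                fallback for every vhost
# A generic.txt per draft-foudil-securitytxt-03 could contain, e.g.:
#   Contact: mailto:security@example.com
#   Encryption: https://example.com/pgp-key.txt
#   Policy: https://example.com/security-policy
#
# Put this in a snippet and `include` it from every server {} block.

location = /.well-known/security.txt {
    root /srv/security-txt;
    default_type text/plain;

    # $server_name is taken from the server {} block, not from the
    # request Host header, so a client cannot steer the file lookup.
    # try_files walks the list relative to `root` and serves the first
    # hit; the final "=404" keeps a missing file from falling through
    # into the application.
    try_files /vhosts/$server_name.txt /generic.txt =404;

    add_header Cache-Control "public, max-age=86400";
}

# Many clients still fetch /security.txt at the root (the older
# convention); point them at the well-known path rather than keeping
# two copies of the file in sync.
location = /security.txt {
    return 301 /.well-known/security.txt;
}
```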
Michael Hausding
2018-07-02 18:29:05 UTC
Hi Benoit

As far as I see, the common understanding of the GDPR of most registrars is that they need to protect the personal data if the domain holder is a private person.
If the domain holder is an organization, the holder and tech-c can be published, but most registrars are paranoid because of the fines in the GDPR and don’t publish anything.
ICANN sued one registrar (EPAG) for not publishing, but lost the initial court case:

https://www.icann.org/resources/pages/litigation-icann-v-epag-2018-05-25-en


For .ch there is still the VID that requests the whois data to be published:

Art. 46 Publicly accessible data

1 The following information must be retrievable in the WHOIS database:

a. the designation of the allocated domain name and the corresponding ACE string;
b.1 the name and postal address of the holder of the domain name concerned;
c.2 for an activated domain name: the data of the allocated name servers;
d. and e.3
f.4 the name and postal address of the technically responsible person;
g. an indication of whether a domain name is secured by the DNSSEC system;
h. the date of the first allocation of the domain name;
i. the full name of the registrar acting on behalf of the holder of the domain name concerned.

2 The registry operator shall take appropriate measures, in particular technical ones, to prevent misuse of the publicly accessible information, in particular its use for advertising or sales promotion purposes.

Best regards

Michael

------------------------------------
Michael Hausding,
Competence Lead DNS & Domain Abuse
SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 77, incident phone +41 44 268 15 40
***@switch.ch
http://securityblog.switch.ch
_______________________________________________
swinog mailing list
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog