In message <D4BA4569-D818-4218-BC57-E62AB53773EF@ripe.net>, Edward Shryane <eshryane@ripe.net> wrote:
> The two changes we recently implemented were:
>
> (1) Do not include personal data in historical queries (notify, e-mail, address attributes). ...
>
> (2) Do not include person/role references in historical queries (admin-c, tech-c, ping-hdl, zone-c). ...
>
> I hope the Labs article clarifies why we made these changes.

Not entirely, but that's rather beside the point. I didn't actually ask -why- you had made the changes you made. I asked what the changes were. And the above quotes from what you wrote do go a long way towards answering that question, so I thank you for that.

I would like to reiterate again that, based on the changes as you have now described them, it is my concerted opinion that by these changes, NCC has effectively engaged in massive overkill in this blunderbuss attempt to reasonably comply with GDPR, much to the detriment of legitimate historical research and legitimate historical researchers.

Not that this is anything new. The past 15 years or so have been a long slow march towards hiding everything from everyone, most especially in the domain name space, and the records for IP space allocations are, with sad predictability, now being buried in obscurity by lawyers also.

I suppose that it is necessary to continue along this gradual downhill slope, even though the ultimate endpoint is utterly predictable. I have never been one for either mincing words or for half measures, and I would actually prefer it if those behind GDPR, and thus, indirectly, behind these changes would at least display the intellectual honesty to admit that the ultimate goal is to kill WHOIS entirely, both for the domain name space and for the IP address spaces. I would also have a bit more respect for those ultimately behind these changes if they would just get it over with, right now, and in one fell swoop. But I suppose that the politics of the situation demand this continued slow grinding down towards the ultimate endpoint, lest there be some popular outcry against a sudden rapid shift towards that obviously intended outcome.

Regards,
rfg

P.S. The act of delving into WHOIS records, either historical or current, on the part of researchers is often motivated by a desire not to locate personal information but rather a desire to locate correlations. It is a reasonable basis for some suspicion, and perhaps even further exploration, if a given party or entity, regardless of their specific identity, is seen to be claiming to simultaneously operate networks in, for example, Belize and also the Seychelles Islands.

The changes that have been made, ostensibly for GDPR compliance, unambiguously and demonstrably destroy many opportunities to make or notice such important correlations. They need not have done so in order to be in full compliance with GDPR. The data that has now been made utterly unavailable could instead have been subjected to a one-way irreversible hash, along with some additional secret string, known only within NCC, and the results of such hashes could have been substituted for the actual data values. This would not by any means have been technically challenging, and it would have preserved the ability of researchers to note potentially meaningful correlations, even while providing complete GDPR conformance.

Instead, however, as is routinely the case in the domain name space, those tasked with ensuring GDPR conformance elected instead to pursue the most expedient method of achieving this conformance, which they evidently did by throwing the baby out with the bathwater and just willy-nilly making all data utterly unavailable in any form. While this may have lightened the load modestly within NCC, it is not and should not be a cause for celebration elsewhere, except of course in and among the online cybercriminal community.
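
The keyed-hash substitution proposed in the P.S. above, sketched as an added example that is not part of the original message and not RIPE NCC code. HMAC-SHA256 stands in for the "one-way hash plus secret string"; the key, the sample objects, the attribute grouping and the function names are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Attributes named in the message, grouped so one value gets one token wherever
# it appears (e.g. the same handle used as admin-c on one object, tech-c on another).
DOMAINS = {"notify": "email", "e-mail": "email", "address": "address",
           "admin-c": "handle", "tech-c": "handle", "ping-hdl": "handle", "zone-c": "handle"}

def pseudonym(key: bytes, domain: str, value: str) -> str:
    """Keyed one-way token: HMAC-SHA256 over the case- and space-normalized value."""
    norm = " ".join(value.split()).casefold()  # assumption: compare case-insensitively
    mac = hmac.new(key, f"{domain}\x00{norm}".encode(), hashlib.sha256)
    return "H-" + mac.hexdigest()[:20]  # truncated for readability

def redact(key: bytes, rpsl: str) -> str:
    """Tokenize sensitive attribute values in one RPSL object."""
    out, hiding = [], False
    for line in rpsl.strip().splitlines():
        if line[:1] in (" ", "\t", "+"):  # continuation of the previous attribute
            if not hiding:  # continuations of a redacted value are dropped
                out.append(line)
            continue
        attr, _, value = line.partition(":")
        domain = DOMAINS.get(attr.strip().lower())
        hiding = domain is not None
        if hiding:
            line = f"{attr}:".ljust(16) + pseudonym(key, domain, value)
        out.append(line)
    return "\n".join(out)

def correlate(redacted_objects):
    """Return tokens that occur in more than one object, with those objects' first lines."""
    seen = defaultdict(set)
    for obj in redacted_objects:
        first, *rest = obj.splitlines()
        for line in rest:
            token = line.partition(":")[2].strip()
            if token.startswith("H-"):
                seen[token].add(first)
    return {tok: objs for tok, objs in seen.items() if len(objs) > 1}

# Constructed sample objects; KEY is a placeholder for the registry-held secret.
KEY = b"placeholder-secret"
OBJ_A = "inetnum: 192.0.2.0 - 192.0.2.255\ncountry: BZ\nadmin-c: EX1-TEST\ne-mail: Ops@Example.net"
OBJ_B = "inetnum: 198.51.100.0 - 198.51.100.255\ncountry: SC\ntech-c: ex1-test\nnotify: ops@example.net"
REDACTED = [redact(KEY, OBJ_A), redact(KEY, OBJ_B)]
SHARED = correlate(REDACTED)  # two tokens (handle, e-mail), each seen on both objects
```

Anyone who holds the key can test a guessed e-mail address or handle against a token, so the correlation-only property holds only while the key stays secret.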