My apologies to all for this tardy reply. I am juggling too many alligators. In message <CAKvLzuE+RoNgGXL8TU3r4E5dOtOd3uweB9UzFJhgnOmpBruU+g@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
{... snipped...}
There's a famous line from the classic Paul Newman movie "Cool Hand Luke" (1967) that I am often reminded of: "What we have here iis a failure to communicate." Although I place the odds of my being able to rectify this unfortunate state of affairs at no better than 50/50 I am obliged now to at least make the attempt, which I shall do by providing some brief context about myself and my background which may help to explain my outlook and viewpoint(s). I will then expend a fw electrons also on explaining exactly why the data that is being proposed for redaction is of value to open source researchers, and thus, by implication, why none of it should actually be redacted. Many people on this list, and elsewhere, don't know a thing about me and thus don't know why I tilt so strongly in the direction of transparency and accountability over personal privacy, at least in some contexts. Briefly, I have been on the Internet since before it was the Internet. After graduating MS/CS, in the year 1984 I took a software development job with a small software company in Silicon Valley that was developing educational software for what was then the recently introduced IBM PC. (That company has long since gone bust.) I had several job offers to choose from at that time, but I specifically elected to join that company because they had a shiny new DEC VAX 11/750 _and_ a connection to what was then still called the Arpanet. I had a strong suspicion, even back then, that networking of computers would become an important thing to know about in the future. Fast forward to around 1999/2000 and you'll find me at home in Sunnyvale, California doing contract software development work in the second bedroom of my apartment on my personal Sun workstation which had its own unique node name on what was called USENET, which was somewhat of a forerunner of the Internet, at least for a lot of us who could only afford dial-up connections at that time. At around this time, email spam became a thing. I was horrified. In that era, back before the arrival of the many "instant messenger" apps that we know today, email _was_ our "instant messaging" and I usually responded to incoming emails within seconds. You may all thus understand my irritation at being frequently interrupted from what I was doing by the latest piece of incoming email spam... those frequent interruption producing in me a state of mind that was arguably similar to a type of enraged psychosis. I knew then as I know now that mass email spamming could be the death knell of email as a useful interpersonal communications medium if left unchecked. And indeed, in some of the years since, some estimates have put the percentage of total emails sent that are spam as high as 95%. I resolved way back at the dawn of the new millennium to do all that I could to fight back against this scourge of spam. In the period 2005-2008 I was among the first people in the United States to actually sue spammers under the relatively new state and federal anti-spam laws. This effort was unfortunately hamstrung by my relatively ineffective legal representation at the time, but it did produce at least some deterrent effect, and also at least some positive results in the way of putting some spammers out of business. One of the first lessons my attorney taught me during this time period was one that seems self-evident when you know anything about legal processes: Before you can sue someone you have to know both who they are and where they are... so that you can name them and serve them with papers. Because spammers, both then and now, go to extraordinary lengths to hide both who they are and where they are, it was.. and remains... far more of a challenge to find this information than most people would imagine. And since my lawyer was a relative neophyte at doing what has since become known as "open source research" it fell to me to try to suss out the identities and locations of various spammers so that we could sue them, based mostly on whatever small scraps of information and inference could be had in relation to any given case/spammer. I dove into this task head first and over the years have became pretty good at teasing out the identities of these Internet miscreants to the point where nowadays, due to various data bases I have access to and various software tools I have written, I can positively identify upwards of 90% of all spammer operations, because even though they try their best to obfsucate both who they are and where they are, almost all of them make a number of small mistakes -- small slip-ups in their OPSEC that can be leveraged against them. More recently, I have applied a lot of these same techniques and open source research approaches to finding and outing other type of Internet miscreants, and I have had many good success at this also. But to return to the beginning, as noted above, I started down this path because _my_ privacy was being routinely violated... by email spammers. I am an ardent believer in personal privacy, but I also believe fervently in transparency and accountability, specifically for those Internet miscreants who abuse the privacy of others, as spammers routinely do, as well as any and all criminals on the Internet. They deserve no quarter and I give them none. In the old days, if one was being spammed from some domain name `D', and if one wanted to ind out who was doing this, then one could begin by simply looking at the WHOIS record for domain `D' to find out who registered that domain name. This was, of course, most helpful to any effort to hold the relevant spammer(s) accountable. All that began to change when ICANN, in its infinite wisdom (and under pressure from greedy and unprincipled commercial interests) decided to approve a scheme under which people could use proxy agents to register domain names on their behalf, paying the proxy agent some small fee in return for the proxy agent putting _their_ contact information into the relevant WHOIS records instead of the {name,address,phone,email} info that belonged to the actual domain name registrant. Naturally, this new ICANN- approved "feature" quickly became a huge leap forward and a huge advantage to spammers and other Internet miscreants who wished to hide themselves from any and all public accountability. And vast numbers of them have since leveraged this ICANN-approved "feature" to the hilt. More recently, an even more deleterious and damaging innovation has arisen, this time with only the tacit and implicit blessing of ICANN, which, we should remember, is funded 100% via domain registration fees. In a nutshell, the arrival of GDPR has allowed most domain name registrars, both large and small, to make two claims, only the first of which is even arguably true: *) GDPR compels us to redact out of the domain name WHOIS records that we publish the normal contact information in cases where the domain name registrant is a natural person. *) It is too hard for us to figure out which domain names are registered to entities other than natural persons, so we're just going to redact out ALL information from ALL of the WHOIS records that we publish (and if ICANN doesn't like the fact that this is a clear breach of our accreditation agreement then they can sue us). The result of these two claims, and of ICANN's reluctance to actually hold any of the accredited registrar companies that send them fat checks every month accountable means that today, and for some several years now, many/most domain name registrars have redacted out all or nearly all useful information from all or essentially all domain name WHOIS records. This is true for GoDaddy, for Enom, and for many many others. Quite obviously, this makes the task of holding domain name registrants publicly accountable essentially impossible, short of a full blown lawsuit, and expensive _preliminary_ discovery, just to find out who the hell the real domain name registrant even is. In effect, any small-time crime associated with a given domain name is not worth anyone going to court over unless the loss involved amounts to at least a five figure sum, in either dollars or euros. All of the small time crooks and all spammers thus get what amounts to a free pass, all courtesy of reg domain registrars and their lapdog/lobbyist, ICANN. (Note that the one and only party that has legal "standing" to sue over these gross breaches of written and signed ICANN accreditation agreements is ICANN. None of us mere mortals can do a damn thing about any of this crap if ICAAN itself donesn't feel like doing anything about it. And ICANN clearly doesn't. It quite sensibly has elected not to bite the hands that feed it, i.e. the domain name registrar companies.) For years the domain name registrar companies have all wanted to make WHOIS records... which to them represent their customer lists... private. The reason is both simple and obvious. They don't want their competitors poaching their customers from them... something that might be possible if domain name WHOIS records were not redacted. And indeed, domain name registrars became a LOT more interested in the idea of suppressing the traditional domain name WHOIS records after one company among them (Verio) was caught red handed, poaching customers from a competing domain name registrar (Register.com) back in 2000: https://www.whoisfinder.com/news/200007/verio-poach-customers.html The bottom line is that for anyone doing "open source" research, the greed of the for-profit domain name registration industry, coupled with the obvious connivance of ICANN has rendered the entire WHOIS system for domain names utterly useless. And it has been in that state for several years already. The whole damn thing is just one big joke now... a sad and moribund echo of a forgotten era when people people of good will who believed in accountability made the rules on the Internet, rather than corporations, jelously guarding what they feel are their proprietary corporate secrets and interests. This... the utter destruction of the entire global WHOIS system for domain names... was all done using GDPR as a convenient and readily available excuse, even though by its clear terms GDPR only applies to the personal information of natural persons and _not_ to the contact information for corporate entities, or academic or government institutions. The dmain name registrar companies don't care. They happliy threw out the baby with the bathwater and have redacted _all_ domain name WHOIS records, regardless of the type of legal entity (natural or non-natural) of the associated registrant. (Meanwhile, ICANN stands around with its thumb firmly up its backside, because it suits ICANN's obvious financial interests not to make any waves about any of this.) The above is the backdrop against which everyone should consider these recent proposals to redact stuff out of the RIR WHOIS data bases. There is history and there is precedent to be mindful of, i.e. the global WHOIS system for domain names. That has ended as badly as possible, as any fair-minded and neutral observer with open eyes can readily see. The entire system was whittled away, little by little, until it was rendered entirely useless by the purely commercial interests that had an agenda to kill it by any means necessary (and GDPR became their convenient excuse to do exactly that). This end result may serve those narrow commercial interests. I would argue however that by reducing public accountability, this final death of the domain name WHOIS system has _not_ served the interests of the broader worldwide community of Internet end users, and that quite the opposite, we all got screwed. But let's get down to brass tacks and look at the specific claims that have been made in defense of these recent RIPE WHOIS redaction proposals. The easiest claim to dispense with is denis' claim that I have some sort of secret unspoken agenda. I have none. My only agenda is the same one that I have been quite publicly pursuing for more than 20 years now, i.e. transparency and public accountability for public acts. (And I should clarify that as far as I am concerned, ownership of a domain name or a block of IP addreses on the global Internet is inherently a very public act. Anyone wishing anonymity can easily obtain that by availing themselves of the ample opportunities for anonymous speech provided by any number of existing services and/or web sites on the Internet that cater to exactly that, and anyone who claims that they can't speak or interact freely on the Internet without owning their own domain name or IP block is simply lying in defense of an inherently and provably indefensible position.) Conversely, I believe that it is more than a little appropriate to raise the question of the unstated and private political agendas of the only two people who seem to be pushing these redaction proposals. I believe that their views on these matters may be rightly considered to be out of the mainstream, and perhaps even motivated by personal rather than public interests. Denis goes on to argue that because no one will ever physically visit any mailing address that is present in any RIPE WHOIS record, that these things are thus, and by definition, useless. He further argues that since any address or any other member-specific field in any RIPE WHOIS record may have been entered, by the member, with malice aforethought and to be intentionally and deliberately wrong and misleading, that this information cannot be either used or useful. Speaking as one who has twenty+ years of open source research to his credit I assert most adamantly that both of these contentions on Denis' part are not only wrong, but provably so. It is not necessary to physically visit a given mailing address in order for that address to be useful to a researcher. Through the wonders of modern technology, it is now possible, courtesy of Google Street Views to virtually stand outside of the (alleged) place of business of the vast majority of RIPE members no matter where on planet earth they claim to be. And I myself have done so innumerable times -- an exercize which can be quite enlightening in many cases. For example, if you find yourself virttually standing out in front of what should be a web hosting company, but are instead face to face with a plastics recycling plant, then that fact alone can and does speak volumes about the honesty, or lack thereof, of the web hosting company in question. Seprately and additionally, just by googling the alleged street address of a given member, or a given member's purported admin or tech contact, you can often learn things that can be of much interest to a legitimate open source researcher. One such case arose recently in connection with an ARIN member, designated by the symbolic handle SL-206, whose purported mailing address in the Caribbean nation of Nevis & St. Kitts turns out to be one that is inhabited by a veritable plethora of corporate entities, all apparently doing businss out of the same single tiny mailbox on the island of Nevis. (For more info on this case, see the recent large thread about this on the ARIN Public Policy mailing list -- arin-ppml.) Finally, and perhaps somewhat counter-intutively to those who are not in the habit of doing open source research, it is not necessary for the mailing address of any given person or entity to be _either_ correct / accurate _or_ even real in order for the address itself to be useful to researchers. As noted in the preceeding paragraphs, one of the first things that any researcher worthy of the name will do when given an address, either real or fictitious, is simply to google it. I cannot count the number of times that this extremely simple-minded and obvious step has led to a wealth of other relevant and useful information, even if the address in question is totally fictitious. (A lot of spammers and cybercriminals are just lazy, and once they have selected and begun to use a given mailing address, even if it is totally fake, like "1 North Pole", they quite often will use it over and over again, in connection withy other Internet resources they have registered and/or on various web sites, including but not limited to social media web sites.) In addition to all the points above, I should also note, for completness, that sometime it isn't even the specific text of a mailing address that is of significants to the researcher. Sometimes it can even be just the form or format of the address that represents a telltale sine qua non of a particular Bad Actor. I know of at least one case where I have already found this to be true, some time ago, in relation to one specific Bad Actor in the RIPE region, specifically. But I shall not discuss that case at all here or now. For now, I will just mention a different case that I worked of a spamming enterprise that almost invariably registered its multitudes of domain names with Register.com and which invariably did use mailing addresses that all ended with some specific box number. I can't go into this case in too much depth either, but suffice it to say that although the number and street name and the box number were always different, the lexical syntax in which these three address elements appeared in all of the relevant domain name WHOIS records was both somewhat unique, and also always the same. Here again, even though I would indeed never physically visit any of these P.O. boxes, and even though none of them may have even really existed, the mere presence of the lexically/sytlistically consistant mailing addresses was useful when it came to being able to associate multiple (domain name) assets with a single specific Bad Actor. The bottom line is that asumptions about what may or what may not be useful, e.g. to open source researchers, should probably not be made by people who are not themselves actively engaged in doing this often difficult work. For us, *all* information is potentially useful, and this fact alone explains why I personally hold the opinion that I do with respect to current proposals to perform what would seem to be unnecessary data redactions... redactions that are being pushed by just two individuals, apparently based on (a) misunderstandings of applicable law and also (b) personal preferences and prejudices that value privacy above either transparency or accountability. Regards, rfg