-----------------------------------------------------------------------------------
prop-162-v002: WHOIS Privacy
-----------------------------------------------------------------------------------

Proposer: Jonathan Brewer (jon@xn--t-0la.nz)


1. Problem statement
-------------------------

More than 400 organisations around the world have bulk access to APNIC's WHOIS data and may download the complete data set as required. Cybersecurity companies, ISPs, universities, researchers, and law enforcement agencies are amongst those with access.

Several organisations, including Hurricane Electric and RecordedFuture, republish this data as part of their applications and online systems, including the physical addresses, email addresses, and telephone numbers of APNIC members. These contact details are freely available on the web and can be mass-harvested with screen-scraping tools.

It is apparent that some third parties have used this data in a manner contrary to the APNIC WHOIS data acceptable use agreement. In the past three years, organisations including the Number Resource Society (Casablanca, Morocco), Unique IP Solutions (Faisalabad, Pakistan), Aileron IT (Wisconsin, USA), Cogent Communications (Washington DC, USA) and EarnheardData (details suppressed) have contacted APNIC members via details published exclusively in APNIC WHOIS. None of these contacts related to legitimate networking issues.


2. Objective of policy change
----------------------------------

This policy will eliminate the unnecessary distribution and retention of APNIC member organisation contact information by third parties. APNIC systems will become the only source of address, phone, fax-no, e-mail, and notify data for APNIC members.

This policy change will not prevent APNIC members or other authorised users of APNIC WHOIS from obtaining contact information for network resources in either ad-hoc or automated queries.


3. Situation in other regions
--------------------------------

I have not found evidence that other RIRs limit access to contact details. Multiple ccTLDs have implemented WHOIS privacy for domain names, including Australia [1] and Germany [2].


4. Proposed policy solution
--------------------------------

APNIC should remove the address, phone, fax-no, e-mail, and notify fields (the Contact Information) from Org, IRT, abuse-c and role objects in public-access WHOIS.

Responses to unauthenticated API queries should no longer display the Contact Information.

The Contact Information should be removed from the dataset distributed to bulk consumers.

APNIC should cause any existing bulk users of APNIC WHOIS data to remove the Contact Information from their own systems and from the Internet.

MyAPNIC and authenticated API access should be the only ways of obtaining the Contact Information of APNIC users.

APNIC should publish a list of all authenticated API users with access to the Contact Information.

APNIC should publish statistics on requests for the Contact Information by requestor.


5. Advantages / Disadvantages
------------------------------------

Advantages:

This should enhance privacy and data sovereignty, while reducing nuisance contacts.

Disadvantages:

None. The information will still be available via APNIC-controlled WHOIS services, which presumably are protected against illegitimate data harvesting.


6. Impact on resource holders
-----------------------------------

No impact on resource holders.


7. References
----------------

[1] https://www.domainregistration.com.au/infocentre/info-private-registration.php
[2] https://www.denic.de/en/whats-new/press-releases/article/extensive-innovations-planned-for-denic-whois-domain-query-proactive-approach-for-data-economy-and/
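The following Python filter is an added illustration of the rule in section 4 (it is not part of the proposal and not APNIC's code): it parses RPSL-style WHOIS objects and strips the address, phone, fax-no, e-mail and notify attributes from organisation, IRT, abuse-c and role objects before a response is returned to an unauthenticated requester, while leaving authenticated (MyAPNIC / authenticated API) responses untouched. The class name "organisation" for Org objects, the treatment of "abuse-c" as a class, and the RPSL continuation-line handling are assumptions of this example; the sample objects are constructed, not real registry data.

```python
"""Redaction filter for APNIC-style WHOIS (RPSL) objects.

Added example, not APNIC's code: applies the section 4 rule of the proposal
to a WHOIS response before it is handed to an unauthenticated client.
"""
from dataclasses import dataclass, field

# Attributes the proposal calls "the Contact Information".
CONTACT_ATTRS = frozenset({"address", "phone", "fax-no", "e-mail", "notify"})

# Object classes the proposal names. In RPSL, "abuse-c" is an attribute that
# references a role object rather than a class of its own; it is listed here
# only to mirror the proposal's wording (assumption in this example).
TARGET_CLASSES = frozenset({"organisation", "org", "irt", "abuse-c", "role"})


@dataclass
class WhoisObject:
    """One RPSL object as an ordered list of (attribute, value) pairs."""
    attrs: list = field(default_factory=list)

    @property
    def object_class(self) -> str:
        # The first attribute of an RPSL object names its class.
        return self.attrs[0][0] if self.attrs else ""


def parse_objects(text: str) -> list:
    """Parse RPSL text. Objects are separated by blank lines; a line starting
    with whitespace or '+' continues the previous attribute's value."""
    objects, current = [], WhoisObject()
    for raw in text.splitlines():
        if not raw.strip():
            if current.attrs:
                objects.append(current)
                current = WhoisObject()
            continue
        if raw[0] in " \t+" and current.attrs:
            key, val = current.attrs[-1]
            current.attrs[-1] = (key, val + " " + raw.lstrip(" \t+").strip())
            continue
        key, _, val = raw.partition(":")
        current.attrs.append((key.strip().lower(), val.strip()))
    if current.attrs:
        objects.append(current)
    return objects


def redact(obj: WhoisObject, authenticated: bool) -> WhoisObject:
    """Return a copy with the Contact Information removed for unauthenticated
    requesters. Authenticated access sees the object unchanged."""
    if authenticated or obj.object_class not in TARGET_CLASSES:
        return WhoisObject(list(obj.attrs))
    return WhoisObject([(k, v) for k, v in obj.attrs if k not in CONTACT_ATTRS])


def render(objects) -> str:
    """Serialise objects back to RPSL text, one blank line between objects."""
    return "\n\n".join("\n".join(f"{k}: {v}" for k, v in o.attrs) for o in objects)


def filter_response(text: str, authenticated: bool) -> str:
    """Apply the policy to a whole WHOIS response."""
    return render(redact(o, authenticated) for o in parse_objects(text))


# Constructed sample response (not real registry data).
SAMPLE = """\
organisation:  ORG-EXAMPLE1-AP
org-name:      Example Networks Ltd
country:       NZ
address:       1 Example Street
address:       Example City
phone:         +64-0-000-0000
e-mail:        noc@example.invalid
notify:        changes@example.invalid
mnt-by:        MAINT-EXAMPLE-AP
source:        APNIC

inetnum:       192.0.2.0 - 192.0.2.255
netname:       EXAMPLE-NET
org:           ORG-EXAMPLE1-AP
source:        APNIC
"""

if __name__ == "__main__":
    # Unauthenticated view: the organisation keeps its name, country and
    # maintainer; the inetnum is untouched because it is not a target class.
    print(filter_response(SAMPLE, authenticated=False))
```

The filter sits between the registry database and the public-facing responder, so the same object store can serve both the redacted public view and the full authenticated view; the object reference (org: ORG-EXAMPLE1-AP) remains visible so that resources can still be correlated with their holder without exposing the holder's contact details.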