prop-162: WHOIS Privacy

The proposal suggests eliminating the unnecessary publication of APNIC member organisation contact details in the APNIC Whois database. People with a legitimate need for these contact details can use a service provided by APNIC to obtain them.

Jonathan Brewer

1. APNIC’s Understanding of the Proposed Policy

This Proposed Policy refers to bulk access to WHOIS data as a “Service” rather than a “Policy”, and there is no mention of this Service in the “APNIC Internet Number Resource Policies (apnic-127)”.

The Proposed Policy suggests eliminating the unnecessary publication of APNIC Resource Holder organization contact details (email addresses, telephone numbers, and physical addresses) from any bulk access to WHOIS data. People with a legitimate need for these contact details can use the WHOIS search facilities (website/WHOIS/RDAP) provided by APNIC.

References:
Bulk access to WHOIS data

Acceptable Use Policy (AUP)

APNIC WHOIS data acceptable use agreement

2. Impact of Proposed Policy on Registry and Addressing System

No Impact expected

3. Impact of Proposed Policy on APNIC Operation/Services

The Secretariat would like to highlight a section of the text for clarification from the author:

• Section 4 Mentions “APNIC should cause any existing bulk users of APNIC WHOIS data to remove the Contact Information from their own systems and from the Internet.”

  • APNIC will have limited ability to monitor with respect to previously downloaded and/or published WHOIS data unless a clear breach of the AUA has occurred and it can be tied to a specific party.

As NRTM(Near Real-Time Mirroring) data already filters this information, adding filtering to the WHOIS is a minimal task

4. Legal Impact of Policy

• No legal issues identified with the removal of the contact information from Org, IRT, and role objects, however, desc/remarks fields within the inetnum/inet6num fields will remain visible if they contain such contact information.

• Access to WHOIS data:

  • The current WHOIS data acceptable use agreement (AUA) does not contemplate the revocation of access by APNIC. However, APNIC can implement stronger terms and require accession to them for continued access to the bulk WHOIS data. This would not address prior issues, but may help limit the impact going forward.

• Removal of published contact information:

  • The existing AUA does not contemplate a requirement to delete prior data without evidence of misuse. As noted above with respect to access, APNIC can remove ongoing access until such time as the re-publisher accedes to new terms.

5. Implementation

There is a Medium impact on Software teams, and High impact on The legal team

• Updates to WHOIS Data Acceptable use agreement (AUA) apnic-091

  • In accordance with the current Editorial Policy, all documents with a “document-ref” number must comply with the 4-week call for Editorial comments for any updates.

• Automatic removal after set time period (requires entering into AUA again, interval to be determined)

• Revocation of access to Bulk WHOIS data for current existing users

• Implementation of improved system to record acceptance of new terms for each entity and ensure contact/entity details remain current and accurate (assisted with requirement to renew periodically).

• Filtering the Data Set for Bulk WHOIS consumption

If this proposal reaches consensus, implementation time frame would be approximately 4 months subject to the call for editorial comments period.