-----------------------------------------------------------------------------------

prop-162-v003: WHOIS Privacy for Bulk Access

-----------------------------------------------------------------------------------

Proposer: 
Jonathan Brewer (jon@xn--t-0la.nz)


1. Problem statement
--------------------
More than 400 organisations around the world have bulk access to APNIC's 
WHOIS data and may download the complete data set as required. 
Cybersecurity companies, ISPs, universities, researchers, and law 
enforcement agencies are amongst those with access.

Although APNIC does not have evidence of abuse of the data by parties
with current bulk access agreements, it's evident to many members of the
community that APNIC WHOIS contact data is being misused.

In the past three years organisations including the Number Resource 
Society (Casablanca, Morocco), Unique IP Solutions (Faisalabad, 
Pakistan), Aileron IT (Wisconsin,  USA), Cogent Communications 
(Washington DC, USA) and EarnheardData (details suppressed) have 
contacted APNIC members via details published exclusively in APNIC 
WHOIS. None of these contacts have been to do with legitimate networking 
issues.


2. Objective of policy change
-----------------------------
This policy will eliminate the unnecessary distribution and retention of 
APNIC member organisation contact information by third parties. APNIC 
systems will become the only source of obtaining address, phone, fax-no, 
e-mail, and notify data for APNIC members.

This policy change will not prevent APNIC members or other authorised 
users of APNIC WHOIS from obtaining contact information for network 
resources in either ad-hoc or automated queries.

3. Situation in other regions
-----------------------------
I have not found evidence that other RIRs limit access to contact 
details. ICANN has sunsetted the use of WHOIS for Internet Domains as of 
28 January 2025, largely due to concerns around the lack of protection of
personal data.[1]

4. Proposed policy solution
---------------------------
With the exception of abuse contact information, APNIC should remove address, 
phone, fax-no, e-mail, and notify fields (the Contact Information) from Org, 
IRT, and role objects in the Bulk Access dataset.

APNIC should cause any existing bulk users of APNIC WHOIS data to remove 
the Contact Information from their own systems and from the Internet.


5. Advantages / Disadvantages
-----------------------------
Advantages:
This should enhance privacy and data sovereignty, while reducing nuisance contacts.

Disadvantages:

A survey of all users of Bulk WHOIS data made by APNIC in February 2025 found that 
three parties would be impacted. One of the parties was found to be using the data 
for geolocation, which is contrary to the licence agreement - so in effect two 
legitimate users will be inconvenienced.


6. Impact on resource holders
-----------------------------
No impact on resource holders.

7. References
-------------
[1]  https://gac.icann.org/activity/whois-and-data-protection