----------------------------------------------------------------------------------- prop-167-v001: Published Statistics on Directory Service Usage ----------------------------------------------------------------------------------- Proposer: Jonathan Brewer (jon@xn--t-0la.nz) 1. Problem statement ------------------------- The WHOIS protocol was first documented forty three years ago by RFC 812. At the time the authors of the protocol expected every individual user with a directory on an ARPANET host (later an Internet host) to be registered in the database. Registration details required included full name, middle initial, U.S. mailing address, ZIP code, telephone, and email. [1] By 2004 when RFC 3912 was published, WHOIS was "widely used to provide information services to Internet users" but was considered flawed due to its lack of security and internationalisation support. Due to an absence of security, it was noted then that "WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone." [2] Today the APNIC WHOIS and RDAP services are critical components of the Internet Number Registry System. WHOIS still has no security, and RDAP as implemented by APNIC has no controls on privacy. The data collected and distributed has not changed in more than 40 years. The system still contains full names, mailing addresses, telephone numbers, and email addresses. What has changed is the ease of collecting and exploiting this kind of data. In 2015 the United Nations Human Rights Commission Resolution 28/16 recognised that the same rights people have offline should be protected online, including the right to privacy. [3] It's possible that APNIC's directory systems now contravene that right. Traffic to APNIC's directory services systems appears to have grown beyond levels consistent with intended operational use. An analysis of WHOIS and RDAP query logs provided by APNIC covering the period 1 April to 30 June 2025 showed that APNIC responded to approximately 5.5 billion directory queries in that period. In some hours, the RDAP service alone received queries from more than 365,000 unique IP addresses. [4] Such patterns suggest that APNIC's directory services are being used for purposes beyond their original scope — potentially including data mining, bulk harvesting, or automated analysis by parties outside the network operator community. Without visibility into these usage patterns, APNIC members lack the information necessary to develop appropriate policy responses. 2. Objective of policy change ------------------------- To provide APNIC members and stakeholders with visibility into the use of WHOIS and RDAP services, enabling: - Greater transparency around system usage - Informed policy discussions about acceptable use and system sustainability - Identification of possible abuse or anomalous usage patterns 3. Situation in other regions ------------------------ To date, no other Regional Internet Registry (RIR) is known to publish real-time or near-real-time usage statistics for WHOIS or RDAP services, although historical or aggregate statistics are sometimes provided upon request or as part of research efforts. This proposal may therefore serve as a model for other RIRs, and similar proposals may be considered in those regions depending on interest. 4. Proposed policy solution ------------------------- APNIC will publicly publish real-time or near-real-time statistics about its directory services usage. This publication should: - Be updated hourly. - Include the number of queries received by the WHOIS and RDAP services, broken down by: - Source Autonomous System Number (ASN) (for at least the top 1,000 ASNs) - Source IP address count per ASN - Service (WHOIS vs. RDAP) - Include metadata such as query type and method - Be published in machine-readable formats such as JSON or CSV. 5. Advantages / Disadvantages ------------------------- Advantages: - Improves transparency and member insight into a core APNIC function. - Helps identify abnormal or potentially abusive usage patterns. - Informs future policy proposals on RDAP/WHOIS rate limiting, access control, or acceptable use. Disadvantages: - Requires development effort by APNIC to publish and maintain reporting systems. 6. Impact on APNIC ------------------------- APNIC would need to implement data collection, processing, and publication pipelines. Resource holders are unlikely to be directly affected, though insights gained may shape future policies affecting query rate limits or service design. References ------------------------- [1] RFC 812: NICNAME/WHOIS [2] RFC 3912: WHOIS Protocol Specification [3] A/HRC/RES/28/16 General Assembly [4] APNIC RDAP and WHOIS Statistics (internal data, April–June 2025