North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: no whois info ?

  • From: Janet Sullivan
  • Date: Sun Dec 12 00:07:19 2004

Rich Kulawiec wrote:

 > 1. Anyone controlling an operational resource (such as a domain) can't
be anonymous.  This _in no way_ prevents anyone from doing things
anonymously on the Internet: it just means that they can't control an
operational resource, because that way lies madness.
As long as that person is contactable, why should it matter if they are anonymous? If you get a quick response to [email protected]_anonymous_domain.net, does it REALLY matter to you if the person's name is Tom, John, or Susan?

There seem to be two definitions of "anonymous" floating around here. One seems to equal "no working contact information", and one seems to equal "private registration ala domainsbyproxy.net". I can understand why people might want to take non-existent whois records into account, but I just don't see the argument against anonymous records.

Killing anonymous records won't stop spammers. It can however harm a vulnerable section of the Internet.

2. If someone wants to remain anonymous -- say, as in the example Janet
cited, of sexual abuse victims -- then one of the very LAST things they
should do is register a domain.  Doing so creates a record (in the
registrar's billing department if nowhere else) that clearly traces
back to them.  Further, an anonymously-registered domain isn't much
good without services such as DNS and web hosting: and those, of course,
represent still more potential information leaks.
There are layers of privacy. Let's say a person has a restraining order against an ex-husband, ex-girlfriend, etc. That person has moved and doesn't want to be easily found. Now, which will be easier for the ex - typing in whois, or somehow getting the billing records from the registrar?

As for DNS & web hosting - there are sites out there that offer anonymous hosting & DNS to groups like abuse survivors, etc.

It's much better, if anonymity is the goal, not to begin by causing
this data to exist.
Great! So, if you are a vulnerable minority, don't use the internet. Don't have political free speech in your country? Don't talk. You have an abusive ex? Sorry, can't help you. Whistle blower? The hell with you. Pissed off a drug dealer by turning them in? Good for you! Sorry, we have to take away your internet access now.

100% Anonymity is not possible, true. Neither is 100% security. But does that mean you give up running any kind of firewall?

3. Anonymous domain registration, like free email services, is an
abuse magnet.  [Almost] nobody offering either has yet demonstrated the
ability to properly deal with the ensuing abuse: they've simply forced
the costs of doing so onto the entire rest of the Internet.
OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact? Real numbers, please. I'm not talking about missing or false whois records.

It's thus not surprising that a pretty good working hypothesis is to
presume that any domain which either (a) has anonymous registration or
(b) has contact addresses at freemail providers is owned by people
intent on abusing the Internet. No, it's not always true, but as a
first-cut approximation it works quite well.
I'm sorry, I guess I'm still one of those "innocent until proven guilty" folks. Yes, it means first run spammers get me. That's a price I'm willing to pay. If, as an end user, you want more aggressive filtering, that should be up to you. I have no problem with that.

If decisions start impacting innocents on the Internet at large, THAT's a problem.

4. Spammers have a myriad of ways of "harvesting" mail addresses that
yield the same data but without requiring WHOIS output.
Yes, they do. But, I get less spam, and MUCH less snail mail, with anonymous registrations.

6. Spam is a problem for everyone, and so it's everyone's responsibility
to fight it.  Those who want the privilege of controlling operational
resources must also accept the responsibility of doing their part.
I agree. But why should it matter if you know the name of the person controlling an operational resource if they are responsible net citizens?