Hi Christopher,

I understand the overall process; I was more concerned with the impact this 
policy proposal would have on network operators, providers, law enforcement 
groups, researchers, etc. in other regions, who currently find the contact 
details of resource holders in the APNIC region by performing a Whois lookup. 
What you are suggesting would require every single one of those entities to 
establish a MyAPNIC account. My query to Vivek may provide a very rough order 
of magnitude of users that might be impacted.

Migrating to an authenticated system may be simple for some, but it will be 
more difficult for others who have complex internal system interdependencies.

Also, the impact to APNIC may be considerable, depending on the number of users 
around the globe that use this service.

As an example, our Abuse team receive emails from various entities (from every 
region) requesting abuse investigations. I believe these entities use the 
Contact Information from the Whois data. Whilst our Abuse team would probably 
enjoy a reprieve from these emails, it’s not really in anyone’s interest to not 
investigate these abuse issues.

Regards,
Liam




From: Christopher Hawker <ch...@thesysadmin.au>
Sent: Monday, 24 February 2025 12:48 PM
To: Stephens, Liam <liam.r.steph...@team.telstra.com>; Jonathan Brewer 
<jon@tō.nz>; sig-policy <sig-policy@lists.apnic.net>
Subject: Re: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002

Hi Liam,

I was having a brief conversation with a few people this morning, and a 
potential way to mitigate such issues as to who can access authenticated data 
is to establish a MyAPNIC account, go through an identity verification process 
and then they’ll be granted access. This process wouldn’t be hard to do and 
could even be automated to an extent to reduce the operational workload.

Regards,
Christopher Hawker




________________________________
From: Stephens, Liam via SIG-policy <sig-policy@lists.apnic.net>
Sent: Monday, February 24, 2025 9:19:24 AM
To: Jonathan Brewer <j...@xn--t-0la.nz>; sig-policy 
<sig-policy@lists.apnic.net>
Subject: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002


Hi Jon,



Thanks very much for the feedback.



I understand the desire to migrate to, and encourage the use of, RDAP. However, 
that is a separate, albeit related, topic to the impact of the removal of 
Contact Information from the data, which appears to be the focus of this and 
potentially other policy changes that you are considering.



One of my biggest concerns is how operators and providers from other regions 
will contact resource owners in the APNIC region. Do you envisage that they 
will be impacted? If so, can you explain how this will be overcome?



If you agree that there will be operational impact, you should add this as a 
disadvantage in your proposal (both section 5 and 6). I have also asked Vivek 
to provide some data on the potential number of users of whois.apnic.net, so 
that you could add those details in your advantage/disadvantage section (based 
on the answer).



At a higher level, what is the point of registration data that only has Contact 
Information available to operators, law enforcement groups, research groups (of 
the technical kind), etc. in the APNIC region?



Regards,

Liam











From: Jonathan Brewer <jon@tō.nz>
Sent: Sunday, 23 February 2025 8:37 PM
To: Stephens, Liam <liam.r.steph...@team.telstra.com>; 
sig-policy <sig-policy@lists.apnic.net>
Subject: Re: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002







Hello Liam,



Yes. Based on feedback from the community I received directly from multiple 
providers, the intent of prop-162 v002 is to remove the Contact Information 
from unauthenticated queries made to whois.apnic.net.



I suggest that providers using WHOIS in systems migrate to RDAP, and that if 
three months is not enough time for this, APNIC could delay implementation of 
this policy by up to a year.



APNIC's unauthenticated RDAP service does not have redaction of Contact 
Information right now. That said, the RDAP RFCs (links available at 
https://about.rdap.org/) clearly identify:

  1.  the problem I am trying to address with prop-162
  2.  solutions for contact information redaction,
  3.  methods for federated authentication of RDAP users via OpenID Connect

I intend to introduce a separate policy proposal related to implementation of 
federated authentication and contact information redaction in unauthenticated 
RDAP queries in the future.



Regards,



Jon



On Wed, Feb 19, 2025, at 19:39, Stephens, Liam wrote:

Thanks Vivek,



On reading v002 of the policy it seems that the scope has broadened from the 
400 users of the *bulk* Whois service to include all queries using 
unauthenticated access to whois.apnic.net from a Whois client.



@Jonathan Brewer, can you please confirm if this is 
the case?



If you are now including unauthenticated access in your scope, this could have 
significant impact on providers who use the Contact Information (primarily 
email address) in automated approval systems of customer routing requests. 
Implementation of this policy will require these providers to migrate to an 
authenticated access method, which could take more than three months to 
establish. Many more months in some cases, such as large ISPs where the wheels 
turn ever-so-slightly slower! Significant resources may also be required.



Are you (or APNIC/@Vivek Nigam) able to provide more 
information about the authenticated access request process (if it exists), such 
as how it is requested, will an AUP apply, can larger entities request access 
for multiple users and are there limits, whether source IPs need to be 
whitelisted, details on how it is used, etc.?



Thanks.

Regards,

Liam








From: Vivek Nigam <vi...@apnic.net>
Sent: Wednesday, 19 February 2025 2:39 PM
To: Stephens, Liam <liam.r.steph...@team.telstra.com>; 
Christopher Hawker <ch...@thesysadmin.au>; 
Tsurumaki, Satoru <stsur...@bbix.net>; 
sig-policy@lists.apnic.net
Subject: Re: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002





Hi Liam,



We will contact these entities to inform them of the proposal and request their 
input on any potential impacts it may have.



Thanks

Vivek



From: Stephens, Liam via SIG-policy <sig-policy@lists.apnic.net>
Date: Wednesday, 19 February 2025 at 11:28 am
To: Christopher Hawker <ch...@thesysadmin.au>, 
Tsurumaki, Satoru <stsur...@bbix.net>, 
sig-policy@lists.apnic.net <sig-policy@lists.apnic.net>
Subject: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002

Hi All,



I agree with Chris’s statement about a fundamental misunderstanding, and I 
believe it may be due to the lack of awareness of the *bulk* Whois service 
offered by APNIC. This bulk service offering is an option (akin to being given 
a hardcopy of a Whitepages telephone directory), whereby the user has the 
entire Whois database in their possession. This bulk Whois offering is separate 
to the Whois query services that, I imagine, most of us use, namely 
whois.apnic.net (via a Whois client) and the web version at 
https://whois.apnic.net.



Would it be worthwhile adding more clarity on the existing Whois offerings, and 
which ones are impacted, into the proposal?



I do agree with Satoru-san that some law enforcement agencies may be impacted 
by the change, as they may use the bulk data in their own systems for their 
non-networking teams to consume. It would be great if APNIC, as the provider of 
the service, could contact the 400 entities to advise them that changes may be 
coming, and confirm whether it would impact them.



Regards,

Liam Stephens






From: Christopher Hawker <ch...@thesysadmin.au>
Sent: Wednesday, 19 February 2025 11:53 AM
To: Tsurumaki, Satoru <stsur...@bbix.net>; 
sig-policy@lists.apnic.net
Subject: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002




Hello Satoru,



[Speaking for myself and based on my own observations, and not that of the 
proposal author.]



I believe there has been a fundamental misunderstanding of the proposal. The 
proposal does not discuss the complete removal of all contact information from 
the Whois system, rather it only discusses the removal of contact information 
from bulk Whois data. People will still be able to go to 
https://whois.apnic.net and look up contact information for INRs where required, 
if there's a need to contact the network operator. Therefore, the examples 
you've provided will still be able to access the contact information that they 
may require, they just won't be able to download it in bulk. I agree with this, 
as the primary purpose for contact information is for network operators to be 
able to contact each other should there be a need. There's no technical 
requirement for bulk data to contain contact information.



If there's a legitimate business case for bulk contact info I'm happy to hear 
about it.



Regards,

Christopher Hawker

________________________________



From: Tsurumaki, Satoru <stsur...@bbix.net>
Sent: Wednesday, February 19, 2025 11:09 AM
To: sig-policy@lists.apnic.net <sig-policy@lists.apnic.net>
Subject: [sig-policy] Re: New version : prop-162: WHOIS Privacy v002



Dear Colleagues,

I am Satoru Tsurumaki from the Japan Open Policy Forum Steering Team.

On February 12, we held a meeting to discuss prop-162. Based on this
discussion, I would like to share key feedback from our community.
While this feedback is sent on my behalf, it summarizes the opinions
of the 14 Japanese community members who attended the meeting.

Many participants expressed serious concerns and strong opposition to
removing contact information from public whois access.

There is an opinion that the discussion of which information to
disclose to the user with what qualification has long been done in
ICANN for gTLD policy hence it may need a substantial community-wide
discussion to carefully design that.

(comment details)
- There is a major concern that whois will no longer serve its
original purpose of helping internet operations by providing contact
information.

- Police, lawyers, and other professionals use whois for criminal
investigations and other purposes. However, it is unrealistic to
expect all such organizations worldwide to sign individual contracts
to access this information.

- The removal of contact information from whois should be discussed
with all potentially affected stakeholders.


Regards,

Satoru Tsurumaki
JPOPF Steering Team

On Monday, 10 February 2025 at 9:17, Bertrand Cherrier via SIG-policy
<sig-policy@lists.apnic.net> wrote:
>
> Dear SIG members,
>
> A new version of the proposal "prop-162: WHOIS Privacy" has been sent to
> the Policy SIG for review.
>
> It will be presented at the Open Policy Meeting (OPM) at APNIC 59 on
> Wednesday, 26 February 2025.
>
> https://conference.apnic.net/59/programme/programme/index.html#/day/8/
>
> We invite you to review and comment on the proposal on the mailing list
> before the OPM.
>
> The comment period on the mailing list before the OPM is an important
> part of the Policy Development Process (PDP). We encourage you to
> express your views on the proposal:
>
>   - Do you support or oppose this proposal?
>   - Does this proposal solve a problem you are experiencing? If so,
>     tell the community about your situation.
>   - Do you see any disadvantages in this proposal?
>   - Is there anything in the proposal that is not clear?
>   - What changes could be made to this proposal to make it more effective?
>
> Information about this proposal is appended below as well as available at:
>
>     http://www.apnic.net/policy/proposals/prop-162
>
> Regards,
> Bertrand, Shaila, and Ching-Heng
> APNIC Policy SIG Chairs
>
>
> -----------------------------------------------------------------------------------
>
> prop-162-v002: WHOIS Privacy
>
> -----------------------------------------------------------------------------------
>
> Proposer:
> Jonathan Brewer (j...@xn--t-0la.nz)
>
>
> 1. Problem statement
> -------------------------
> More than 400 organisations around the world have bulk access to APNIC's
> WHOIS data and may download the complete data set as required.
> Cybersecurity companies, ISPs, universities, researchers, and law
> enforcement agencies are amongst those with access.
>
> Several organisations including Hurricane Electric and RecordedFuture
> republish this data as part of their applications and online systems,
> including physical addresses, email addresses, and telephone numbers of
> APNIC members.
>
> These contact details are freely available on the web and available for
> mass harvesting through the use of screen scraping technology. It is
> apparent that some third parties have used this data in a manner
> contrary to the APNIC whois data acceptable use agreement.
>
> In the past three years organisations including the Number Resource
> Society (Casablanca, Morocco), Unique IP Solutions (Faisalabad,
> Pakistan), Aileron IT (Wisconsin,  USA), Cogent Communications
> (Washington DC, USA) and EarnheardData (details suppressed) have
> contacted APNIC members via details published exclusively in APNIC
> WHOIS. None of these contacts have been to do with legitimate networking
> issues.
>
>
> 2. Objective of policy change
> ----------------------------------
> This policy will eliminate the unnecessary distribution and retention of
> APNIC member organisation contact information by third parties. APNIC
> systems will become the only source of obtaining address, phone, fax-no,
> e-mail, and notify data for APNIC members.
>
> This policy change will not prevent APNIC members or other authorised
> users of APNIC WHOIS from obtaining contact information for network
> resources in either ad-hoc or automated queries.
>
>
> 3. Situation in other regions
> --------------------------------
> I have not found evidence that other RIRs limit access to contact
> details. Multiple ccTLDs have implemented WHOIS privacy for domain
> names, including Australia [1] and Germany [2].
>
>
> 4. Proposed policy solution
> --------------------------------
> APNIC should remove address, phone, fax-no, e-mail, and notify fields
> (the Contact Information) from Org, IRT, abuse-c and role objects from
> public access WHOIS.
>
> Responses to unauthenticated API queries should no longer display the
> Contact Information.
>
> The Contact Information should be removed from the dataset distributed
> to bulk consumers.
>
> APNIC should cause any existing bulk users of APNIC WHOIS data to remove
> the Contact Information from their own systems and from the Internet.
>
> MyAPNIC and authenticated API access should be the only way of obtaining
> the Contact Information of APNIC users.
>
> APNIC should publish a list of all authenticated API users with access
> to the Contact Information. APNIC should publish statistics on requests
> for the Contact Information by requestor.
>
>
> 5. Advantages / Disadvantages
> ------------------------------------
> Advantages:
> This should enhance privacy and data sovereignty, while reducing
> nuisance contacts.
>
> Disadvantages:
> None. The information will still be available via APNIC-controlled WHOIS
> services which presumably are protected against illegitimate data
> harvesting.
>
> 6. Impact on resource holders
> -----------------------------------
> No impact on resource holders.
>
> 7. References
> ----------------
> [1]
> https://www.domainregistration.com.au/infocentre/info-private-registration.php
> [2]
> https://www.denic.de/en/whats-new/press-releases/article/extensive-innovations-planned-for-denic-whois-domain-query-proactive-approach-for-data-economy-and/
> _______________________________________________
> SIG-policy - https://mailman.apnic.net/sig-policy@lists.apnic.net/
> To unsubscribe send an email to 
> sig-policy-le...@lists.apnic.net



--
Satoru Tsurumaki
BBIX, Inc



https://jon.brewer.nz/

