Dear SIG members,

A new version of the proposal "prop-162-v003: WHOIS Privacy" 
has been sent to the Policy SIG for review. 

Information about earlier versions is available from:

    http://www.apnic.net/policy/proposals/prop-162

You are encouraged to express your views on the proposal:

 - Do you support or oppose the proposal?
 - Is there anything in the proposal that is not clear?
 - What changes could be made to this proposal to make it more effective?

Please find the text of the proposal below.

Regards,
Bertrand, Shaila, and Ching-Heng
APNIC Policy SIG Chairs


-----------------------------------------------------------------------------------

prop-162-v003: WHOIS Privacy

-----------------------------------------------------------------------------------

Proposer: 
Jonathan Brewer ([email protected])


1. Problem statement
--------------------
More than 400 organisations around the world have bulk access to APNIC's 
WHOIS data and may download the complete data set as required. 
Cybersecurity companies, ISPs, universities, researchers, and law 
enforcement agencies are amongst those with access.

Although APNIC does not have evidence of abuse of the data by parties
with current bulk access agreements, it's evident to many members of the
community that APNIC WHOIS contact data is being misused.

In the past three years organisations including the Number Resource 
Society (Casablanca, Morocco), Unique IP Solutions (Faisalabad, 
Pakistan), Aileron IT (Wisconsin, USA), Cogent Communications 
(Washington DC, USA) and EarnheardData (details suppressed) have 
contacted APNIC members via details published exclusively in APNIC 
WHOIS. None of these contacts have been to do with legitimate networking 
issues.


2. Objective of policy change
-----------------------------
This policy will eliminate the unnecessary distribution and retention of 
APNIC member organisation contact information by third parties. APNIC 
systems will become the only source of obtaining address, phone, fax-no, 
e-mail, and notify data for APNIC members.

This policy change will not prevent APNIC members or other authorised 
users of APNIC WHOIS from obtaining contact information for network 
resources in either ad-hoc or automated queries.

3. Situation in other regions
-----------------------------
I have not found evidence that other RIRs limit access to contact 
details. ICANN has sunsetted the use of WHOIS for Internet Domains as of 
28 January 2025, largely due to concerns around the lack of protection of
personal data.[1]

4. Proposed policy solution
---------------------------
With the exception of abuse contact information, APNIC should remove address, 
phone, fax-no, e-mail, and notify fields (the Contact Information) from Org, 
IRT, and role objects in the Bulk Access dataset.

APNIC should cause any existing bulk users of APNIC WHOIS data to remove 
the Contact Information from their own systems and from the Internet.


5. Advantages / Disadvantages
-----------------------------
Advantages:
This should enhance privacy and data sovereignty, while reducing nuisance 
contacts.

Disadvantages:

A survey of all users of Bulk WHOIS data made by APNIC in February 2025 found
that three parties would be impacted. One of the parties was found to be using
the data for geolocation, which is contrary to the licence agreement - so in
effect two legitimate users will be inconvenienced.


6. Impact on resource holders
-----------------------------
No impact on resource holders.

7. References
-------------
[1]  https://gac.icann.org/activity/whois-and-data-protection
_______________________________________________
SIG-policy - https://mailman.apnic.net/[email protected]/
To unsubscribe send an email to [email protected]
