Open Access to WHOIS Data Serves End Users and Anti-Abuse Efforts Best: M3AAWG Comments on NTIA’s Proposal to Tighten Access to .usTLD Data
Posted by the M3AAWG Content Manager

The Messaging Malware and Mobile Anti-Abuse Working Group (M3AAWG) urged the National Telecommunications and Information Administration (NTIA) to maintain the current system of open access to data on people who have registered “.us” top-level domains (usTLDs) in comments submitted in May 2023.

NTIA is considering increasing privacy protections for usTLD registrants by introducing accountability measures regarding access to personal information maintained by NTIA through its contractor, Registry Services. M3AAWG acknowledged that NTIA has legitimate concerns driving the proposed policy change, but in the absence of clear federal privacy legislation, the interests of both end users and anti-abuse actors are better served by an open WHOIS system. M3AAWG noted that knowing who is responsible for a domain is a deterrent, as abusers avoid the public scrutiny enabled by full access to WHOIS data. The transparency of an open WHOIS also serves end users’ legitimate interests in avoiding spam, scams, abuse, and phishing. The attribution enabled by the current WHOIS leads to proactive mitigation efforts that stop abuse before it happens.

Before making any adjustments, M3AAWG believes that the NTIA should provide a more complete proposal for a future WHOIS, and assess the potential impact of proposed changes.

The Current System

Registry Services currently supplies a WHOIS directory service that allows users to retrieve usTLD domain name registration data directly, and without any form of authentication, from its registrant database. A WHOIS directory is a database of all the registered domains in a particular zone. It holds information about the domain name registrant, such as postal address, email address, phone number, and other administrative and contact details.

The Proposed System

NTIA noted that privacy protection for registrants has become the standard, particularly since the European Union General Data Protection Regulation (GDPR) took effect in 2018. NTIA stated their proposal looks to bring the usTLD registry up to speed with industry, while also meeting the needs of those who have legitimate requests for data.

NTIA seeks to provide greater protections by eliminating anonymous and unaccountable access. The proposed new system would require those seeking access to supply their name and email address. The user would also have to agree not to misuse the data by accepting Terms of Service (TOS), and would have to name, from a pre-selected list, a legitimate, non-marketing purpose for accessing the information. Unredacted WHOIS data would then be returned automatically to the user via email. Queries would be rejected only if the user did not supply a name and email address, did not name a legitimate purpose, or did not accept the TOS.

M3AAWG’s Views on the Proposed System: Data Delivery and Verification Problems

  • Returning WHOIS queries via email is ill-advised. Email is a poor medium for the exchange of structured data. It can be spoofed and intercepted. It would also be incompatible with every other WHOIS provider system. Tested solutions such as the Registration Data Access Protocol (RDAP) represent a better approach.
  • The requirement to supply an email address will not produce accountability for misusers, since there is no accompanying verification of the requester. And without that verification, effective action against TOS violators is difficult at best, if not practically impossible at scale.
  • A clear and comprehensive policy is needed to decide what constitutes a legitimate purpose for accessing information. It’s also unclear if the proposal includes avenues for appeals of any denials. Maintaining an expanding list of legitimate purposes would create administrative burdens. A better approach may be to consider all uses appropriate outside of a narrowly drawn list of inappropriate uses, such as “marketing,” “spam,” “data harvesting,” and “abuse.”
  • The accountability sought by NTIA focuses exclusively on the requester of the data and does not address the accuracy of data received from the registrant. NTIA should also consider verification rules from the data subjects that submit WHOIS data to be registered.
  • When abuse occurs, it’s critical that cybersecurity investigators have real-time, high-volume access to WHOIS data. The proposal includes giving special access to recognized and authenticated law enforcement officers (LEOs) and similar entities. This excludes non-LEOs like internet service providers, commercial security companies, private individuals, academics, and journalists who work to combat internet abuse. Non-LEOs conduct the majority of anti-abuse activities.
  • Crucially, to fully assess a potential future approach to WHOIS, it would be useful to be able to comment on a complete process and access concept. As is often the case, the workability of such a system can only be determined if sufficient detail is provided.

More Studies Are Needed

M3AAWG encouraged NTIA to conduct further study of the proposed changes and specific implementation methods, and to conduct a Privacy and Security Impact Assessment. M3AAWG suggested NTIA publish more data documenting the nature and extent of the problems seen with the current system, and arrange multiple, more detailed public comment periods to address implementation challenges before any changes are made.

Additional recommendations can be found in the full report, “M3AAWG Comments on the NTIA's Introduction of Accountable Measures Regarding Access to Personal Information of .us Registrants,” available on the M3AAWG website.

M3AAWG has previously offered comments on various Public Policy initiatives. Visit the Public Policy page on the M3AAWG website for more.


The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.