[gnso-rds-pdp-wg] Misuse Case: Misusing the WHOIS protocol to shame, anger, or scare an individual

Ayden Férdeline icann at ferdeline.com
Sun Jul 31 16:50:07 UTC 2016


Dear all,
I would like to introduce another use case, whereby the WHOIS protocol is
misused to shame, anger, or scare a domain name registrant with the primary
objective of causing the registrant emotional, financial, and/or physical harm.
Misuse Case: Doxing is a method of personal intimidation facilitated by the current WHOIS
protocol. It involves either an individual or a group of people using the WHOIS
service to obtain personally identifiable information on their target, and then
posting that information widely across the Internet in the hopes of angering,
scaring, or shaming the target. Some reports indicate that the targets of doxing
are most frequently female. While doxing is not exclusively enabled by WHOIS, it
is an instrument frequently misused by attackers and is a tool recommended in a
number of doxing
handbooks. WHOIS allows the attackers to identify the name, address, and phone
number, among other sensitive details, of a domain name registrant in real-time.
Armed with this information, the attackers are able to cause emotional,
financial, and/or physical harm to the registrant.
Story: A person or group of persons accesses the WHOIS protocol to obtain
personally-identifiable information associated with a domain name registrant.
This process may then be repeated to obtain information about the registrant’s
friends or family. The information obtained is used to build a detailed profile
of the victim, which is then published online and circulated widely. Attackers
vary widely from case to case, but their goal is usually to use a mob mentality
to cause real and substantial harm to the victim (with no discernible benefits
or gains to the attackers). Some research suggests that victims of online harassment are disproportionally female,
non-white, or LGBT. Armed with information sourced through WHOIS, attackers have
swatted domain name registrants (swatting is the practice of calling in false
tips to law enforcement agencies so that an armed SWAT team is despatched to an
address), mailed Qurans to bully those on the basis of their religious beliefs,
and even ordered pizzas to be delivered to the address causing embarrassment to
the recipient and financial losses to micro enterprises. This is but a small
sample of how real people have been victimised as a result of WHOIS as it stands
today.
Data Elements: In order to prevent misuse by another actor, no personally identifiable
information should be stored in the RDS whatsoever. The only data elements the
RDS requires to operate are: the domain name itself, the registrar, the domain
name’s expiry date, and its status (registered / not registered). For it to be
of functional use, there are two optional fields: name servers, and the
auth-code.
Thank you for considering the implications of how WHOIS aids in doxing Internet
users and chills the exercise of speech by those from the most vulnerable and
marginalised communities.
- Ayden Férdeline
P.S. I am sure that someone will mention the existence of privacy proxy
services, so I would like to pre-emptively reply by saying that personal
information protection should be in place by default. If a domain name
registrant commits a crime or uses their domain name for malicious purposes,
there are legal tools available to enable the authorities to obtain registrant
information from the registrar. However, the notion that one must pay to have
their privacy protected is the wrong approach to be taken. Aside from the fact
that not all consumers are aware such services exist, it places a financial
burden onto the individual. Most individuals and small business owners do not
pay for bodyguards or other forms of personal protection offline - so why should
they have to pay extra to keep their personal details guarded from public view
online from cyber bullies, criminals, and those who profit from sending
unsolicited communications?