<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!--[if gte mso 9]>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
<![endif]-->
<style type="text/css">* a:hover{cursor:pointer;}</style>
<style>body {-webkit-animation:bugfix infinite 1s;}@-webkit-keyframes bugfix {from {position:relative;}to {position:relative;}}</style>
</head>
<body style="word-wrap:normal; word-break:break-word;">
<style>a {word-wrap:normal;word-break:break-word;}.background-contain {background-size:contain;}@media only screen and (max-width:600px) {.container {-webkit-text-size-adjust:none !important;}.container,.palm-one-whole {width:100% !important;min-width:100% !important;}.palm-one-half {width:50% !important;min-width:50% !important;box-sizing:border-box;}blockquote .container,blockquote .container div,blockquote .container table {width:auto !important;min-width:0 !important;position:relative !important;}img {max-width:100%;}.border-outer,.border-middle,.border-inner,.inner,[title="separator"] {width:100% !important;}.innercell {padding:8px !important;}.palm-block {display:block !important;}td.palm-one-whole {display:inline-block !important;padding:0;}td.palm-one-whole:first-child:not(:only-child) {margin-bottom:16px;}td.hostname {padding-top:3px !important;}}@media only screen and (min-width:601px) {.preview-card {max-width:600px !important;}}@media only screen and (min-device-width :320px) and (max-device-width :568px),only screen and (min-device-width :768px) and (max-device-width :1024px),only screen and (max-device-width:640px),only screen and (max-device-width:667px),only screen and (max-width:480px){.container {width:100% !important;min-width:100% !important;}.p,.small,li,font[size="2"],font[size="3"] {font-size:1em !important;}}@media only screen and (min-device-width :320px) and (max-device-width :568px),only screen and (min-device-width :768px) and (max-device-width :1024px),only screen and (min-device-width :1224px) {.message-wrapper {padding-top:6px;}.apple-only[style] {display:block !important;max-height:none !important;line-height:normal !important;overflow:visible !important;height:auto !important;width:100% !important;position:relative !important;}.no-apple {display:none !important;}form {font-size:inherit;}input[type="text"] {height:43px;padding-left:4px !important;}button:hover {cursor:pointer;}}@media only screen and (min-device-width :1224px) {.apple-mail-form {display:block !important;background-color:white !important;}}* [office365] .outlook-com-hidden {display:none !important;}* [office365] .outlook-com-button {display:block;}* [office365] .outlook-com-only {display:block !important;max-height:none !important;line-height:normal !important;overflow:visible !important;height:auto !important;width:100% !important;position:relative !important;}</style>
<!--[if (gte mso 9)|(IE)]>
<style>a,body {font-family:'Calibri',Arial,sans-serif;}img {border:none !important;-ms-interpolation-mode:bicubic;}td {mso-line-height-rule:exactly !important;}.mso-card-inner table {border-collapse:collapse !important;mso-table-lspace:0pt;mso-table-rspace:0pt;vertical-align:top;}.outlook-com-only {display:none !important;font-size:0 !important;}#mso-one-whole {width:100% !important;}.border-outer,.border-middle,.border-inner {border:none !important;}.border-middle,.border-inner {width:100% !important;}.mso-border-outer,.mso-border-middle,.mso-border-inner {padding:1px;}.mso-border-outer {background-color:rgb(245,255,255);}.mso-border-middle {background-color:rgb(223,246,255);}.mso-border-inner {background-color:rgb(153,176,225);}</style>
<![endif]-->
<table class="container" lang="container" border="0" cellpadding="0" cellspacing="0" valign="top" style="width:100%; margin-top:6px;">
<tr>
<td valign="top" class="message-wrapper" style="line-height: 1.31; color: #222; font-family: arial, sans-serif;">
<!--[if mso]><table border="0" cellpadding="0" cellspacing="0" valign="top" style="border-collapse:separate;"><tr><td valign="top"><![endif]-->
<div>Dear all,</div><div><br></div><div>I would like to introduce another use case, whereby the WHOIS protocol is misused to shame, anger, or scare a domain name registrant with the primary objective of causing the registrant emotional, financial, and/or physical harm.<em class="scribe-marker" style="display: none;"></em></div><div><br></div><div><b>Misuse Case: </b>Doxing is a method of personal intimidation facilitated by the current WHOIS protocol. It involves either an individual or a group of people using the WHOIS service to obtain personally identifiable information on their target, and then posting that information widely across the Internet in the hopes of angering, scaring, or shaming the target. Some reports indicate that <a href="https://links8.mixmaxusercontent.com/aMjjKHWxnLSD3SEwj/l/sbVZ44umCZ05PpAZM?messageId=P8yVQkn68kZy5Leov&rn=&re=icmcv5ibuF2YpB0Z31CckBXLzRmct82cudmI">the targets of doxing are most frequently female</a>. While doxing is not exclusively enabled by WHOIS, it is an instrument frequently misused by attackers and is a tool recommended in a number of doxing handbooks. WHOIS allows the attackers to identify the name, address, and phone number, among other sensitive details, of a domain name registrant in real-time. Armed with this information, the attackers are able to cause emotional, financial, and/or physical harm to the registrant.</div><div><br></div><div><b>Story: </b>A person or group of persons accesses the WHOIS protocol to obtain personally-identifiable information associated with a domain name registrant. This process may then be repeated to obtain information about the registrant’s friends or family. The information obtained is used to build a detailed profile of the victim, which is then published online and circulated widely. Attackers vary widely from case to case, but their goal is usually to use a mob mentality to cause real and substantial harm to the victim (with no discernible benefits or gains to the attackers). Some research<em class="scribe-marker" style="display: none;"></em> suggests that victims of online harassment are disproportionally female, non-white, or LGBT. Armed with information sourced through WHOIS, attackers have swatted domain name registrants (swatting is the practice of calling in false tips to law enforcement agencies so that an armed SWAT team is despatched to an address), mailed Qurans to bully those on the basis of their religious beliefs, and even ordered pizzas to be delivered to the address causing embarrassment to the recipient and financial losses to micro enterprises. This is but a small sample of how real people have been victimised as a result of WHOIS as it stands today. </div><div><br></div><div><b>Data Elements: </b>In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements the RDS requires to operate are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.</div><div><br></div><div>Thank you for considering the implications of how WHOIS aids in doxing Internet users and chills the exercise of speech by those from the most vulnerable and marginalised communities.</div><div><br></div><div>- Ayden Férdeline</div><div><br></div><div>P.S. I am sure that someone will mention the existence of privacy proxy services, so I would like to pre-emptively reply by saying that personal information protection should be in place by default. If a domain name registrant commits a crime or uses their domain name for malicious purposes, there are legal tools available to enable the authorities to obtain registrant information from the registrar. However, the notion that one must pay to have their privacy protected is the wrong approach to be taken. Aside from the fact that not all consumers are aware such services exist, it places a financial burden onto the individual. Most individuals and small business owners do not pay for bodyguards or other forms of personal protection offline - so why should they have to pay extra to keep their personal details guarded from public view online from cyber bullies, criminals, and those who profit from sending unsolicited communications? </div><img align="left" width="0" height="0" style="border:0; width:0px; height:0px;" src="https://app.mixmax.com/api/track/v2/P8yVQkn68kZy5Leov/i02bj5SZulGblRmclZGQu5WYjlmI/icmcv5ibuF2YpB0Z31CckBXLzRmct82cudmI/?sc=false" alt="">
<!--[if mso]></td></tr></table><![endif]-->
</td>
</tr>
</table>
</body>
</html>