Changes to .NZ privacy settings
Feedback to DNC public consulting process for WHOIS changes
Note: I am publishing my feedback here publicly as well as submitting it to the required email address to encourage open discussion on an important issue. This is the same wording as the email.
For the attention of the DNC proposals team
I am writing to provide feedback under the public consultation process for the .nz registry WHOIS review.
I realise there has been a lot of focus so far in this process about the protection of individuals at risk and the proposed ‘privacy on demand’ process. This is well documented and while I agree with these statements, this is not the basis for this feedback.
My feedback instead focuses on more practical and operational matters that I have yet to see raised and that I think are worth some consideration.
Consistency, Security and Evidence
The published proposal features a number of strong claims regarding the security provided by the current, open-first approach. Amongst these are:
Part of the reason the .nz register experiences very low levels of malicious activity, for example, is because registrations cannot be made anonymously and that registrants are identifiable. This allows people to see who is associated with a particular website or email.
This is an interesting claim for such a new registry. Can the DNC please provide data about how this compares to other registries of the same age? The .nz TLD is new and therefore doesn’t have the public awareness that other, more established TLDs enjoy.
This is also an interesting statement when linked to your guidance in the FAQ section (https://dnc.org.nz/node/1043).
For your postal address you could use a PO Box, a work address or any other address that reaches you if you need to be contacted about your domain name. You don’t need to use your residential address.
As we can see here, the address and personal details provided are not validated to ensure they are correct or actually legally associated with an individual. As a security professional with a background in social engineering and online human-centric attacks, I can assure you that a public register is no real deterrent to a motivated attacker if they are able to provide fake details at registration.
A public registry also helps to reduce some of the harms that some submitters are concerned about. For example, a WHOIS search is frequently used by law enforcement agencies, lawyers and other individuals within the justice system to identify who is behind a website or email address that has been used in respect of inappropriate content or emails such as doxing (broadcasting someone’s personal information).
While I have no doubt that many moral and reasonable uses for WHOIS records exist in the criminal and justice systems, this is by no means the only access these groups have to this information. It could be requested directly and privately from the DNC and registry. This would not only meet their needs but also provide additional clarity about the nature and frequency of the enquiries made.
Let us not forget, however, the other groups that use this information, such as letter-based domain renewal scams that aim for credit card details (definitely in operation in New Zealand for .co.nz).
Use of WHOIS records is standard practice for social engineering reconnaissance. This activity would not trigger rate limits, as it is normally target-specific and not run against entire registries or large lists of domains. A range of free-to-use, open source tools are available to do this and are in active use.
Operations, Privacy and Business
In addition to the security claims made in the proposal, it is the proposed operating model that concerns me at an operational level.
The DNC and registry service are not a government organisation and as such are required to provide and protect all of their own processes, people and systems to service their customer base. They do not qualify (as far as I am aware) as needing to follow or certify under the NZISM or a similar standard.
They are however held to relevant privacy law (such as the New Zealand Privacy Act).
If you believe that having your details published in the WHOIS puts you at risk or is an invasion of your privacy you would need to show you could be compromised by the information being displayed and provide evidence that your contact information is not otherwise easily publicly available.
The types of evidence listed across the public information for this proposal include, but I assume are not limited to, protection and trespass orders as well as documented evidence of threatening behaviour and harassment.
While in simple cases a single document would suffice for this, there are a range of circumstances where the documentation requirements would include a range of very sensitive documents that may or may not contain objectionable material.
The storage and processing of this kind of material is a serious responsibility that requires a high duty of care. This includes but is not limited to:
Staff training on the subjects of sensitive material handling, confidentiality, communications with at risk people, escalation routes and handling offensive materials
Reviews and regular audits of this process and document storage to ensure that the rights of the at risk users are protected and applicable privacy law is followed
Background checks on staff to ensure that they are fit for this kind of role (not everyone has the right personality to deal with this information every day)
While all of these are possible on a technical level, operationally they come at a cost (both financial and in resources).
If handling these requests is rare, organisations often find themselves unprepared when they do come in. As a result, regular training and reviews are needed to ensure and test preparedness.
If handling these requests proves to be common, the cost of ongoing support and care for the processing staff must be considered (as well as training and reviews).
Are these costs that the DNC are willing and prepared to accept? Will the DNC be willing to submit to external audit and review to ensure that the duty of care for this information is met?
There are no legal requirements that could enforce this within New Zealand but if the justification for this approach is openness, then we should expect openness in the assessment and ongoing operation of these processes.
You have a good team of people and I have no doubt that your intentions with this are in line with your published values.
I would suggest however you consider the following:
Make only an email address public if contact information has to be released and queryable. This will maintain the ability to contact the owner in a less personal way.
Make publishing (public records) opt-in.
Review the operational requirements for the safe operation of this proposal and publish your planned approach.
Thanks for your time,
Director, SafeStack Limited