Recommended Draft Policy ARIN-2024-2

Whois Data Requirements Policy for Non-Personal Information

Status: Pending Board of Trustees Review
Shepherds: Leif Sawyer, Daniel Schatte

Current Text (26 August 2024)

AC Assessment of Conformance with the Principles of Internet Number Resource Policy:

Following a review of community feedback, staff and legal recommendations, and AC discussions, Draft Policy ARIN-2024-2: Whois Data Requirements Policy for Non-Personal Information, was found to conform to the principles of the ARIN Policy Development Process. Based on being fair, impartial, and technically sound, this Draft Policy was moved to Recommended Draft state. If adopted by the board, it would further clarify what information is collected and published via ARIN’s public Whois service.

Problem Statement:

ARIN’s mission includes maintaining and distributing registration information about who holds Internet number resources (Internet Protocol (IP) addresses and Autonomous System Numbers (ASNs)) in a public database referred to as Whois. Whois provides network operators, technical troubleshooters, law enforcement, researchers, and other interested parties with information about which organization administers specific Internet number resources. Distributing this non-personal information is very much in the public interest of proper functioning of the Internet.

While ARIN continues to recognize the ongoing relevancy and importance for publicly available Whois information in its control, ARIN must also take stock of evolving regional developments pertaining to data privacy and the cross-border sharing of personally identifying information (PII) which have led to or could lead to redactions among similar Whois resources outside of ARIN’s purview.

In light of such developments, it is important for ARIN to codify its Whois data requirements and disclosure practices in a manner that is both a) respectful of privacy rights pertaining to PII and b) cognizant of the value non-PII data plays in the security of the Internet and the protection of the general public.

Currently there are no ARIN policies that clearly define what organization and associated point of contact information must be provided and registered in the public Whois. This proposal attempts only to clarify and codify ARIN’s existing practice regarding organization and contact data collection and display in Whois.

Policy Statement:

2.12 Organizational Information

Modify 2.12 to read:

Information needed to uniquely identify an Organization.

3.8 Directory Service Records

Modify 3.8.1 to include the following sentence:

All organization registration records will be visible in the public Whois. Organizations that are registered as D/B/A may choose to show the Business name rather than the registered party’s name.

Add 3.8.2

3.8.2 Required Organization Record Information

The following information must be provided to ARIN to register an organization record:

  • Org Name
  • Org Postal Address including country

Add 3.8.3 Point of Contact Record Creation

An organization must register designated Points of Contact to manage its organization and resource registration records to include Administrative, Technical, NOC and Abuse contacts. These Points of Contact shall be representatives of the organization and any information provided to ARIN shall be that contact’s associated organizational information and not personal data.

Point of Contact registration records will generally be visible in the public Whois. Refer to NRPM 3.3 and NRPM 4.2.3.7.3.2 for exceptions to this general rule.

Add 3.8.4 Required Point of Contact Record Information.

The following information must be provided to ARIN to register a Point of Contact:

  • Contact Name (this can be an individual representative of the company or a Role POC)
  • Contact’s Company Name (Required for Role POC)
  • Contact’s Postal Address including country
  • Contact’s Organization Phone Number (optional)
  • Contact’s Organization E-Mail Address

Timetable for Implementation: Immediate.

Staff Understanding:

The last sentence of the problem statement states that this proposal intends to clarify and codify ARIN’s existing practices. However, the policy text as written would result in modification to some of ARIN’s existing business practices. Staff recommends the following changes to be made to ensure that this policy is consistent with the problem statement and current ARIN business practices.

Section 2.12 Organizational Information
We recommend removing the last sentence, “Differing uses within ARIN online, L/RSA, and the NRPM could have different requirements”, as this does not add to policy clarity.

Section 3.8.1 Organization Record Creation
Current ARIN business practice is to allow a D/B/A name to be published rather than the organization’s legal name. Recommend that this Draft Policy be modified to allow for this business practice to continue.

Section 3.8.2 Required Organization Record Information
Under the Org Address bullet point, we recommend changing “Org Address” to “Org Postal Address” and removing the lines with the address information detail. A third bullet point could be added to specify identification of the Org Country.

Section 3.8.3 Point of Contact Record Creation
This section states, “An organization may register designated Points of Contact…” The term “may” would imply that the registration of a Point of Contact is optional, which would be a change to current practice. ARIN recommends changing “may” in the policy text to “must”.

Current text in this Draft Policy seems to allow an Organization Record to be created without Points of Contact listed. ARIN currently requires that at least one contact of each of the following types - Admin, Tech, and Abuse Point of Contact - be designated on an Organization Record. There are three optional POC types (NOC, Routing, and DNS) that may be created if desired.

Section 3.8.4 Required Point of Contact Record Information
We recommend removing “organization or resource” from the first line and changing “an” to “a”.

Contact Name: Current business practice refers to these as Role POCs. We recommend changing “role account” to “Role Point of Contact”.

Company Name is not listed as required information to register a Point of Contact record. ARIN currently requires Company Name for Role POCs. Staff recommends adding the following to the list:

  • Contact’s Company Name (required for Role POC)

Under the Contact’s Address bullet point, recommend changing “Contact’s Address” to “Contact Postal Address” and removing the lines with the address information detail. A fifth bullet point could be added to specify identification of the Contact Country.

In addition, in alignment with ARIN’s current business processes, Contact’s Organization Phone Number should be identified as optional as not all organizations have a business phone number.

Implementable as Written?: Yes

Impact on ARIN Registry Operations and Services: None

Legal Review: While there are no material legal issues with the substance of the proposed policy, we note that the problem statement indicates an effort to help clarify ARIN’s handling of personally identifiable information (PII). ARIN maintains its Privacy Policy that states how ARIN handles and manages PII, and that Privacy Policy can be viewed on ARIN’s website at https://www.arin.net/about/privacy/.

Implementation Timeframe Estimate: 3 Months

Implementation Requirements:

  • Staff Training
  • Updates to public documentation
  • Updates to internal procedures and guidelines

Proposal/Draft Policy Text Assessed: 25 June 2024

History and Earlier Versions

History
Action Date
Proposal 9 February 2024
Draft Policy 26 March 2024
Revised 25 June 2024
Revised 26 August 2024
Recommended Draft Policy 24 September 2024
Last Call 30 October 2024
Advanced to Board of Trustees 26 November 2024

Board of Trustees

ARIN Public Policy Meetings