ARIN-prop-329: WHOIS Data Requirements Policy for Non-Personal Information

Date: 9 February 2024

Proposal Originator: Gabriel Andrews

Problem Statement:

ARIN’s mission includes maintaining and distributing registration information about who holds Internet number resources (Internet Protocol (IP) addresses and Autonomous System Numbers (ASNs)) in a public database referred to as Whois. Whois provides network operators, technical troubleshooters, law enforcement, researchers, and other interested parties with information about which organization administers specific Internet number resources. Distributing this non-personal information is very much in the public interest of proper functioning of the Internet.

While ARIN continues to recognize the ongoing relevancy and importance for publicly available WHOIS information in its control, ARIN must also take stock of evolving regional developments pertaining to data privacy and the cross-border sharing of personally identifying information (PII) which have led to or could lead to redactions among similar WHOIS resources outside of ARIN’s purview.

In light of such developments, it is important for ARIN to codify its WHOIS data requirements and disclosure practices in a manner that is both a) respectful of privacy rights pertaining to PII and b) cognizant of the value non-PII data plays in the security of the Internet and the protection of the general public.

Currently there are no ARIN policies that clearly define what organization and associated point of contact information must be provided and registered in the public Whois. This proposal attempts only to clarify and codify ARIN’s existing practice regarding organization and contact data collection and display in Whois.

Policy Statement:

3.8 Directory Service Records

Modify 3.8.1 to include the following sentence:

All organization registration records will be visible in the public Whois.

Add 3.8.2

3.8.2 Required Organization Record Information

The following information must be provided to ARIN to register an organization record:

  • Org Name
  • Org Street Address, City, State and Zip code (or equivalent)
  • Org Country

Add 3.8.3 Point of Contact Record Creation

An organization may register designated Points of Contact to manage its organization and resource registration records to include Administrative, Technical, NOC and Abuse contacts. These Points of Contact shall be representatives of the organization and any information provided to ARIN shall be that contact’s associated organizational information and not personal data.

Point of Contact registration records will generally be visible in the public Whois. Refer to NRPM 3.3 and NRPM for exceptions to this general rule.

Add 3.8.4 Required Point of Contact Record Information

The following information must be provided to ARIN to register an organization or resource Point of Contact:

  • Contact Name (this can be an individual representative of the company or a role account)
  • Contact’s Organization Street Address, City, State and Zip code (or equivalent)
  • Contact’s Organization Phone Number
  • Contact’s Organization E-Mail Address
  • Contact’s Organization Country

Timetable for Implementation: Immediate.

Comments: None