NZBA wishes to make the following submissions in response to the most recent .nz WHOIS (search) service consultation:
1) Several NZBA members view the WHOIS search service as a very valuable tool to help address cases of cybercrime/cyberattacks, as it enables them to identify and contact website owners and/or their IT support teams. NZBA members often find that legitimate websites (or the computers behind them) are compromised and used to perpetrate cybercrime activities. In such cases, although they have no legal obligation to do so, NZBA members will often contact the owners of the domain and/or servers, using WHOIS information, to notify them of the compromise/malware issue. Any delay introduced to a bank’s ability to identify contact details for a site owner etc. could increase the impact and length of an attack. NZBA does however understand the need to protect privacy when it comes to personal safety, as highlighted by the consultation.
2) NZBA submits that, as there is a need to maintain the register's utility for addressing cybercrime, the proposed policy should be limited so that details are only withheld in exceptional cases, that is where there are concerns about the applicant's personal safety. In such a scenario an alternative contact should be listed (for example, an IT support person) so that there is still someone to contact should the need arise. Furthermore, if the registrant does not wish to provide a personally identifiable email address, they should also have the ability to create one specifically for the DNCL/WHOIS purpose, and be given guidance on how to do this when registering.
3) Furthermore, NZBA submits there should be some approved mechanism by which banks can still readily access withheld information, for example a "whitelist" of vetted/approved users who have access to the withheld details. We note of course that banks will not be the only parties monitoring for issues against their customers or brand perpetrated by compromised sites. As such, members of the "whitelist" could include representatives from NZBA member banks and other members of the national CERT that is being established under New Zealand's Cyber Security Action Plan.