Are Public WHOIS Records Necessary?

Logic Bomb writes: "CNN is hosting an interesting article from the Associated Press about WHOIS records. Privacy advocates do not like that the owner of a domain name, along with personal contact information, must be made public. It's an interesting issue embodying some larger debates, like whether one truly "owns" a domain name. A justification for public databases of registrants, given by one person quoted in the article, is that the domain name system is a public resource, and therefore you only own the right to use a domain name, not the name itself. People have a right to know who is controlling elements of a public resource, so whois records should be open to all."

Re:WHOIS should stay.

[Zocalo]

Precisely my view - I couldn't have put it better, and since I am in the same situation, I would have probably have made an almost identical post if you hadn't got there first! The only people who use WHOIS properly are probably in it, and if you use it properly I really can't see you wanting it removed.

I always check WHOIS for a domain before sending out those "abuse@" and "...master@" type emails, just in case. We recently had a major series of alerts on our firewall from a host in another ISP's address pool, and it looked very much like we had been compromised. Ran WHOIS against the offending domain and it turns out to be the personal domain of a consultant we were using who had locked himself out of our system and was trying to get back in to fix the problem. The matter was "discussed". Without WHOIS though, the guy would have got a napalm enema from his ISP because he tried to avoid getting us out of bed in the early hours or the morning.

Let's face it; the only people who really stand to gain from removal of the WHOIS database are the companies that have something to hide and generate most of the negative press the Internet receives. Or can someone provide an example of a genuine, non-privacy, reason to withhold details from WHOIS that cannot be worked around? We are talking about a technical contact here; an employee who's views may not reflect that of the employer, and may even work for a different company remember.

And as for spam, I use a dedicated email address for this type of thing anyway, which means you can really tighten up the email filters... Or alternatively, has anyone tried submitting a fred@NOSPAM.domain.com type email to WHOIS to break the spammer's scripts?

Missing the point - admins need whois info

[chrome]

Working for an ISP in the UK, if whois info was confidential, this would seriously impact our ability to handle abuse.

Suddenly, we'd have to ask some "third party" to handle abuse queries for us, as we wouldn't be able to contact the registrants of particular domains directly.

Whats the bet that this third party would a) charge for this service and b) only operate in US time??

This situation would be untenable, and if anyone seriously proposes that this be done, I don't think any ISP would actually back it.

chrome.

An ounce of prevention

[CaptainZapp]

Basically, the WHOIS database should stay public, period. (Hey, it's one of the most valuable get that spammer tools after all).

However, some measures should be implemented that make address harvesting totally unprofitable.

For example: The web accessible database only reveals the name (or company) that owns the domain. To get all the information you have to request that by e-mail. This would allow the following scenario:

Only one request per e-mail

A maximum of three requests per day, per e-mail address. Alternatively: only one request per e-mail address can be pending. All other requests are trashed

A three hour delay between the request and the response

Known spammer domains are not eligible to retrieve the information

This would have to be applied on a world wide scale, meaning that all registrars and all country nics must adhere to those rules or have their registration privileges yanked.

Would this make abuses of whois impossible? Probably not. But it would make address harvesting very uneconomic. Considering that spammers are gread freeks by default they would try different attempts to gather mail addresses.

Public WHOIS

[octalman]

There are two sides to this coin, and each is important. I see a couple of references to land record registrations, but a more accurate analogy, which many of us may not even be aware of, is the requirement for anyone engaging in business to register any name used in the business (known in some states as legal alias, assumed name in others) which differs from the person's name. This is so shysters (and others) can't hide.

The other side is the desire, even the need for anonymity in some cases. In no event should any corporation, or other business entity, ever need, or be allowed to act anonymously. That should be reserved to individuals only, and used wisely and with discretion.

That said, ALL commercial URL's should be required to comply with legal alias/assumed name registration. The rest of us, well, leave it to our individual discretion, but please do respect the need for occasional complete anonymity.

WHOIS should stay.

[Greg@RageNet]

Speaking as a network administrator, whois records perform a vital function. It allows admins from one site to be able to find and contact admins at another site when network problems occur. Problems such as routing issues security compromises and open mail relays. There is no better way to find out how to contact the maintainers of a network for operational problems than WHOIS.

OTOH, I dispise the commercial abuse of the whois database to spam those listed.

WHOIS should stay, with strict penalties for those proven to data-mine and spam listees; Without involving the legal system it could simply be ruled that anyone guilty of wholesale mining of WHOIS would be effectively removed from the internet by putting all of their registered domains on hold.

-- Greg

No more Network Solutions

[Yardley]

The WHOIS database should be the way it was when it was first created, an open, free, non-commercial registry of domain names. Can we please get Network Solutions (or Versign now) out of the drivers seat and then consider whether WHOIS info should be kept confidential. I'm thinking it shouldn't, but it doesn't matter to me at this step since having Network Solution (or Versign) in control means I don't use it.

--

Is this really such a big deal?

[vheissu]

I'm really having trouble seeing this as something to get worked up over. If I build a house, it is possible for anyone to go to the deeds office and find out that I own the land, and even how much the county thinks it is worth. If it is a commercial building, they may even give out the blueprints and results of code inspections. How is a domain name different? If your message is so important that you are willing to pay a regular fee and obtain the appropriate resources to make it available, it should be worth making it possible to contact you. If whois is really such an anathema, there are many other options available: the free nameserver pages (cjb.net, et al), free pages hosted on geocities, I suppose freenet if that ever becomes functional. Aside from that, being able to be contacted in case of an emergency is important--when script kiddies take your machine and use it to DoS someone on your day off, wouldn't you appreciate a phone call? Or can you depend on someone getting your e-mail address when your pipe is full? IMHO, the best option is a central database for this kind of thing.

I "abuse" it

[Frymaster]

Wow, am I going to be unpopular...

Tansparency and openess is essential to a (socially) functioning internet, and that can only be acheived if the source of all information is public record. In British Columbia four or five years ago, it was uncovered (after a lot of investigative work) that a pro-forestry "citizens group" that did a lot of pro-job/anti-hippie lobbying of the government had in fact been set up, funded and controlled by a joint effort of Interfor and MacMillan Bloedell (two forestry companies). A massive abuse of public trust and gross misrepresentation to the public that put a whole pile of egg on both corporations faces.... the bottom line is that this organization masqueraded as a "citizen's group" for several years before being exposed, and only after a very exhaustive investigation by several media outlets and environmental groups...

... and I might be wrong, but I think they got 'em with a domain registration...

Don't want your name in the DB? Use a Role.

[Cardinal]

It's not exactly a new thing in the whois database. Rather than post information about Bob Woodward, the Account Rep who pays the NSI bill, assign your billing contact to "Internet Accounting".

Technical contact should almost always be a role anyway, to save great amounts of trouble when your IT guy with his name on all your domains leaves. Any self-respecting ISP that registers domain names frequently will have a generic internic@isp.com or something similar for interfacing with domain registration.

just another sign of the times

[fluxrad]

sorry, this might be considered off topic, but i earnestly believe it's a sign of trouble when questions like this even have to be asked. Happenings like this prove that the internet is turning away from what it once was, a microcasm(sp) of the world, but one that was open and free(ish). There was etiquite, and those who abused the system were shunned. Not necessarily punished by "societal" standars, but certainly avoided and black-listed to a certain extent.

It seems to me that this is changing. The whois database used to be just a simple means of finding out who owned a website, getting their contact information, and then contacting them. Now-a-days, it's become a means of grabbing more email for spam, or for offers to buy the domain from them, or (in a worst case scenario) it helps people figure out who to sue.

Idunno, i look back and i think, when i started on the 'net, i saw it catching on and i thought this would be a great way for people to change their ways; learn to live in a communal environment where everyone played by the rules and those who didn't were swiftly and effectively dealt with...

seems to me rather than the internet changing us, we're changing the 'net.


FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network

Home address

[GCP]

I REALLY don't want disgruntled customers to have access to my home address. I can't give the registrars a phony address, though, because I can't risk losing my domain name because the renewal notice doesn't reach me. I also don't want to have to shell out the money for an outside mailbox service just for one letter a year. (With that volume of mail, I might miss my letter anyway.)

Add that to the registrar's claim that *they* really own my domain name anyway, and if they take it from me or accidentally "lose" it ("oops, well too bad for you") I'm out of business.

What can you say about a company that claims ownership of your property, can cost you your job, and puts your family's lives at risk?

What are they going to do next? Poison our water supply?

Net::ParseWhois

[aberoham]

After getting frustrated with the perl module Net::Whois (or more, the guy who maintains it), I rewrote it with an extensible registrar and parsing system that follows Whois referrals as currently delivered by NSI Registry. If you're interested in perl modules and whois, please check out the beta Net::ParseWhois module, and help me extend it to correctly parse your favorite ICANT accredited registrar.

Abe

Why display the data? Look at Nominet's solution.

[matthew.thompson]

In the UK Nominet are in charge of the .uk name space. They do have a public whois server, whois.nic.uk, but it does not divulge personal contact details. It does however tell you who the domain is registered for and which ISP/Name broker is currently in charge of the name.

The WHOIS data publically available looks as follows:-

Domain Name: FAKEDOMAINNAME.CO.UK

Registered For: My Company Inc.

Domain Registered By: TAGHOLDER

Registered on 29-Feb-2000.

Domain servers listed in order:

DNS.YOURDOM.CO.UK 211.31.21.131
NS0.YOURISP.NET 191.171.161.31
NS1.YOURISP.NET 191.171.171.31

WHOIS database last updated at 04:10:01 16-Nov-2000

All companies who wish to administer and register domains apply to become members of Nominet, with membership you get a , this can be looked up and tell you who is technically responsible for the domain. Each domain registered is tagged with this and this allows me, with the correct PGP signature, to change any of the details on the domain.

It's up to the registering company to decide how their customers specify changes and many have automated systems of their own. And if you're wondering wether this would work for large domain spaces like .com, .org and .net then the answer is almost definately a yes - .uk is the largest country specific domain space - thanks to Nominet fees being just £5 (Thats $7.20) for two years. Some companies charge this and nothing else and many ISPs give domain names away simply for using their dial-up service.

Watch it. sonny. I know where you live.

[Paul+Crowley]

Is your home address and telephone number on your website?

No? Why not? It's not *terifically* private information; in most cases, anyone really determined could find it out. It could be useful to let people call you or send you gifts, or so that your friends can look it up to come to parties after you've moved house. But it's usual for people to be a little bit circumspect with their home address, and with good reason: "I know where you live" is a threat.

The bias here is basically that .com/.org/.net domains (gTLDs) should only be owned by legitimate businesses, who can afford premises and separate phone numbers. These provide a buffer between you and the disgruntled public. If you can't afford those, the message goes, stay off the gTLDs - or open yourself up to potential physical attack, abuse and harrasment.
--

ICANN conflating True Names and Contact Needs

[billstewart]

ICANN has done a minor power grab in their insistence on getting and publishing True Names in the whois records. They're mixing several very different uses of that information, which have different requirements and appropriatenesses:

• Technical Contact When Things Go Wrong: Sometimes the DNS provider needs a technical contact when things go wrong. A working email address is good enough (it helps to have it on some machine not in the domain, because you're most likely to need to contact the Tech when it's broken.) Phone numbers and names are nice too, but not critical. It's nice if this is also available to the public, because sometimes other people have technical issues that need to be addressed, like machines spewing bad bits.
  
• Administrative Address - This needs to be a workable contact, to deal with policy issues, name ownership disputes, spammer complaints, etc. Again, no need for True Names, but working contacts are important.
  
• Billing contact for the DNS registrar to contact the owner of the name. Again, this doesn't need to be a True Name, and a working email is fine, though it's nice to provide the registrar with enough contact information that your name doesn't just vanish some day because of a billing problem. When NSI was the only DNS Registrar, they should have kept this private, not public, and it was only their own convenience that justified publishing it. With multiple registrars I suspect the same is still true, though perhaps there's a good reason I haven't thought of for doing otherwise.
  
• Owner's True Name, ICBM Address, and Subpoena-Serving Address - IMHO, this is Nobody's Business*, but ICANN strongly believes otherwise - they want to be able to deal with legal disputes like trademark conflicts over domain names by suing or subpoenaing the owner. This one's outright wrong, and the most serious privacy violation of the lot. The alternative is that if the dispute can't be resolved using the Administrative Contact (email or whatever), that the plaintiff should deal with the Name Registrar to see about seizing the name, and if the current user (whether Wrongfully Accused Legitimate Owner or Sleazy Cybersquatter) prefers to remain more private and not respond, then they're at more risk of losing their name, but that should be their choice. Again, IMHO, ICANN's positiion is a combination of control-freakism by some members and wanting to keep the name registrar out of disputes that they don't want to be involved with (and I sympathize - a $50 or $10 name registration fee doesn't leave lots of spare money for lawsuit defenses or even clerical dispute resolution, but that's just tough.)
  

In practice, ICANN's Data Grabbing isn't accomplishing its positive goals - When I've wanted to hunt down a spammer using Whois, it's generally not very practical - the Supposed True Name info is bogus, or it's a mailbox from a mailbox vendor, or it's outside the US in some jurisdiction where I don't know the alphabet, much less the legal code, and the email contract addresses either get you a black hole, or bounce, or sell your email to other spammers. On the other hand, people have supposedly been stalked, and lots of people have been spammed using this information, and it's Nobody's Business.

* Technically, I'm probably not allowed to use the phrase "Nobody's Business" here in California, because there's a store by that name in Mendocino County, so it'd be name-squatting or trademark dilution or something :-). It's owned by Wavy Gravy, aka Hugh Romney, who runs the "Nobody For President" campaign. So far, Nobody's winning the election, Nobody's leading the country, and Nobody's going to do a great job!