Exposing Personal Information in the Whois Database
rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points out that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."
...am I going to find phone numbers so I can pick up chicks?
Registrars under their status of registrars are required to HAVE FULL AND PUBLIC CONTACT INFORMATION for anyone who registers. For big biz this is ok but for individuals (such as me) it is a big worry.
I certainly got spammed on the email address I registered for it.
I'd deem this an issue.
However, how many Heywood Jablowmie's are there in the WHOIS database?
that Google has this information from phone books as well (just google for a phone number or address), and there are many reverse phone books online. I think they should focus on solving identity theft in ways that if someone's info is already available (as it is everywhere) it can't be utilized well.
that, my friends, is why I have a PO Box and why I don't volunteer my real phone number.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
It used to be helpful for looking up abuse information, but that almost always goes ignored nowadays too. Now it's just useful for finding virus writers.
I never vote for anyone. I always vote against.
-- W.C. Fields
While I normally don't like Berman whatsoever, this is a good thing. I have long disliked the practice of putting personally identifiable info in the WHOIS database.
I just hope they don't dumb it down so much where one can't get email addresses for those controlling the domain for reporting purposes.
tinfoilmedia
Yes, my name and address appear in the whois database for my domains. It can be a concern to some people obviously.
But I also like to have real names and phone numbers to use when I get hacked. I wouldn't want to have to ask the FBI to get that info from the registrars for me.
Imagine a company like Microsoft using it for Windows registration or something everybody needs (save me the "there is Linux speech"). Then your privacy would be lost.
So, if a domain is misbehaving, where else should we send complaints other than the info which is available from the whois database? I think the whois.rfc-igorant.org database is going to grow a bit...
You mean I can check out more than just pr0n? Actually, more than these two are concerned. The GAO, as part of a recent "investigation into security related matters" sent letters to various cabinet-level agencies saying that they have determined that it's possible to get access to public information via the Internet, stuff like where people live... Better get Ashcroft on this whole "electronic white pages" thing ....
Bark less. Wag more.
I get numerous spam from people(?) who have obviously trawled the whois database. Even though there is a strong warning in the whois database against abusing it, how does one report it, or is it just an empty threat?
I've had a domain for 3 years.. I've gotten 3 pieces of junk mail from it. I was surprised to get it, and thought it more funny than an annoyance.
Yeah ... I actually get more junk snail mail than spam. Mostly it's Register.com telling me my domain is about to expire (4 months from now) and I need to call them to stop it. Jerks.
-----
Web Hosting @ HostForADollar.com
Here in Denmark, DK Hostmaster A/S is the administrator for the Danish top level domain. You can have your personal contact details hidden from the public WHOIS database - in accordance with Danish Law on protection of personal data, blah blah blah.
I would recommend it!
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
The inventors' home addresses are generally listed which, IMHO, is not something that should be broadcast to the entire world.
if you run a WHOIS query on the domain of Jeff Parson (the guy who modified the BLASTER virus here in Hopkins, MN) - you'll get his home address...
that info is wide open, man...
RB
----------
ah honey, we're all resplendent - Bill Mallonee
The UK WHOIS database (run by Nominet UK) has recently considered this too. Now, private individuals who opt-out can have their personal details removed (obviously Nominet still has access to them). I'm not sure that companies are allowed to do this, it's private individuals only.
Britain and the EU have always had stronger data protection laws than the rest of the world. This is part of the reason the EU are looking at Microsoft's .NET services as they don't follow EU data laws. To be honest, it's about time the US caught up.
they would do well by providing just an email address, a url, or some sort of PIN #, & let the registrant decide how much inf. they are willing to part with.
conversely, somebody needs to know whois registrants really are, just in case they're running some nefarious scammage.
nsi cannot be trusted to behave morally/ethically in any case, as they are falling off/DOWn, on a similar payper liesense stock markup scam, to va lairIE's.
poor J. Public. gets to be both the sucker & the sucked, in all cases. lookout bullow.
I carefully misspelled all the information, plausible deniability baby. Two years and no one the wiser.
T.
Even exposing contact information for a business is questionable. If you're working on penetrating a company, then this is a stop on the highway. But, without that information, then (as one poster stated) the FBI would have to get us the information we need to prosecute spammers or etc.
I don't know what the answer is either; I don't think it's simple either. This may be one (of many) invasions of our privacy we have to deal with. Banks, Mortgage Companies, Credit Cards--these all sell our information to other companies. It's sad, but this is big business, and it makes money. Utilities provide information to Local, State, and Federal Agencies all of the time; and are required to by law.
Our information is not private anymore, and hasn't been for a long time. Everyone has their hand out for it.
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
...But i think contact info should be required to register for a domain, and I think there should be some sort of authentication mechanism.
How else can we hold scammers and spammers accountable if they make it super hard to track them down? The majority of those "online pharmacies" have bogus WHOIS info and probably take good people's money.
Bogus WHOIS info sucks, plain and simple
I lost my concept of community when my community lost all concept of me.
This is a major concern to me. I've spent some time at home writing an application that I'd consider distributing as freeware/shareware. Setting up the paypal/P.O Box number payment system is no problem, but as every application nearly always has a website, registering a domain name introduces some hassle, not least of all, distributing my name/home phone number/address.
From reading previous Slashdot articles, being able to see the domain name/IP address of owners and customers has been extremely useful in detecting all sorts of shenanigans with hyping up new products.
However, for someone trying to augment their basic salary through shareware software, this is a disadvantage.
With broadband internet via cable/satellite/telco, I have a permanent Internet connection, but the companies respect my right for privacy. Surely the same could be done for domains registered by home residences?
I don't really worry about having my personal information in the whois database. As most other individuals, I'm in the phonebook too, which can be accessed from the web nowadays.
Having registered a few domain names, I receive a lot of spam telling me how to register new domains, renew when the old are about to expire and so on. I'm sure the registrars make a lot of money on this, which surely makes them want to continue.
My personal information is also included in the IP whois database. This database contains info on what ISP uses which IP numbers, etc. - see www.arin.net for more info.
The interesting thing is that I have not received a single spam to the specific email address I supplied. So right now, I see it more like an economic problem than a privacy problem.
---
If you're not living on the edge, you're taking up space in the middle
I think with real estate records, court documents and such being available online to anyone we have MUCH more to worry about than a simple address database. In many places I can retrieve building plans, pictures and detailed information online. The first thing I thought when I saw that was: wow... if I would be a burglar then my job would now be much easier....
And even if it weren't, by the time the spammer who harvested your email got a slap on the wrists, your email would be on so many other spam lists you'd never get it off.
You can incorporate for under $500, get a p.o. box and a cheesy voicemail account somewhere. You'll then be prepared to moonlight, which you should be anyway, and you can give out the business info.
Vote Quimby!
Late yesterday, privacy activists raised the National Privacy Threat level to Purple, citing the public availability of a "Phone Book" which disclosed personal information for hundreds of thousands of individuals, including full name, home address and home phone number.
(end sarcastic rant)
YAWN! Call me when WHOIS data includes SSN. As it is, this info is already widely available for the vast majority of the population.
--
Ever had to try and track down some company you bought something from on ebay, or the internet in general? It is pretty damn nice to be able to find the contact info in whois, since general practice is NOT to include addresses or phone numbers for contact, for many of the internet based businesses.
"Sheep just follow the easiest path and run from scary noises and intimidating creatures." - Me
There's a lot of info here too:
ARIN
RIPE NCC
APNIC
LACNIC
If you are concerned about privacy, use a registrar who will anonymize your info in the whois database.
Is $9 worth it? It's your call. Check this out.
https://registrar.godaddy.com/dbp.asp?isc=&se=%2B&from%5Fapp=&authGuid=&mscssid=2435121
I use Domains by Proxy so my info isn't displayed in a WHOIS; theirs is in its place. They keep all my info private and serve as a 'proxy' between me and anyone needing to contact me. They'll email if they need me to do something in regards to my domains, it's so nice not having all of my personal details out there. I buy my domains from GoDaddy, and they've partnered with Domains by Proxy and offer it as an option when you're buying domains, that's how I found out about it, but everyone should check it out.
CB
free ipod and free gmail!
You can change your contact info easily there, while they have true contact info privately. It is what I do to protect my privacy.
isn't everyone 25/F/NYC? That's what I always put!
Yeah, right.
How is it a big worry?
For some of us, it used to be that the real contact information (at least email address) was needed since Internic did all of its renewals and changes via that email address.
Of course, I could go and change it, but the point is, there are many valid contacts in that database for spammers to use.
Is it a big worry? Nah, probably not, but it is a concern.
Hey, Ladies who are looking for nice, knowledgeable dot.com'ers... you know where to look!
And to blonds who may need some guidance: First you look at the whois facts, then the site. If both look good - call him.
(It would be even better, of course, if Whois contained fields such as "married" (not that it matters), "income" (matters big time!), "interests" (err, redundant).)
Having several (~10) domains myself, I would agree that my whois contact email receives little or no spam directly attributable to the domain registration.
However, where I *DO* see spam is the "generic" addresses at my domains: 'sales', 'info', 'webmaster', etc. I can't really see a dictionary attack on the DNS system (some of my domain names are pretty long) and some of them are not in search engines (yet)... The only logical thing I can think of is the Registry's domain list itself is somehow exploitable...
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
Sorry, I don't buy it.
A domain name is a publicly accessible object, and a responsibility. As a society, we expect that for certain activities, people be publicly registered (running a company is an obvious example) - reasonable privacy is a right, but anonymity - which is what we are really talking about here - is not.
I can only think of a very small minority of legitimate Internet activities that both require a domain name and for which privacy is likely to be a concern; in those cases there are plenty of registration agents who will act as a proxy for registration and take on the responsibilities associated with being the owner of a domain.
but, for example: you buy 'the next big thing' from tnbt.con, & never get it, or your money back. it may be difficult to locate the purveyors of tnbt.con, if they follow your advice about supplying phoney inf., in the whois.
it becomes a trust issue, which is one commodity, the 'net/ecommerce is currently lacking in. you could further trace this to the raping J. took/is still taking, from the felons over at wall street of deceit, disguised as .com stocks.
just so you know, they're still living large (albeit looking over their shoulders more often now) on what could/should have been yOUR future/dough J..
'nuff said.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
I own two domains and I have all my records using my work address & phone number, not my home ones. No need to rent a PO box or anything else.
This is also a practical problem, in terms of making it hard to contact domain owners.
I have several domains and I use a separate email address for my whois records (separate from my home and business addresses). But I don't monitor emails to that address because it has become completely filled with spam. I just delete all mail to that address.
But that, of course, means that any legitimate attempts to contact the domain owner are lost as well. I could try and filter it (either manually or with software) but the ratio of legitimate email to spam on domain registry emails is thousands to one, so it's really not worth my time.
So, aside from any privacy concerns, the public availability of email addresses on whois records in effect renders them useless as contact information.
How can you prove that you own the domain (if needed) if the contact information is invalid?
What would you do if your registrar goes bust?
All of this information doesn't need to be exposed in the WHOIS database though.
this has been a known problem for many years.
this just in, they also noticed that the world
is round not flat as previously indicated.
1. If it's such a problem, how come spammers always managed to hide?
2. In Denmark for instance, you can specify you wanted an "unlisted" address, and the whois server doesn't release your information.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Nominet, the UK NIC, don't publish contact details in whois for domains registered by individuals unless you explicitly ask them to. If you are a business, however, you may not remove your details. This seems to be the best solution?
if i had steady work i'd do that, but i'm an out of work contractor
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
I built a site for a city commission candidate a couple of years ago, and the info on the domain registration was mine - I built the site for free, as a form of campaign contribution. An unwanted side effect of this was late night phone calls to my home number from the supporters of the opposition questioning items posted on the site. I guess next time 'Sudy Nim' will be registering for a domain ...
(And don't tell me that his bank information would have been enough to get his contact information. The Sparkasse would never have given it to me. And no I don't buy things through e-bay any more.)
... it is required by law that anyone who publishes even a single web page on the Web (in Germany) enclose an "Impressum", an imprint that notifies visitors whom to contact or hold accountable for the content. I wish this would also be implemented for Whois as a security measure or a basis for trust.
Anyone who still wants to publish anonymously could still do it abroad, of course, as there will always be registrars who and nations that don't care about trust.
I mention trust here, because I can trust a company's products (i.e. a shop selling goods) if I know where I can go, or what number I can call: currently too many (some) web shops (at least locally) do not even mention a telephone number I can call to have an order confirmed or more product information detailed. The same holds for web sites that provide information: if the e-mail address is left out, how can I get any confirmation, more detailed information, conversation or feedback going?
JeR
I'm sorry, but you have *NO* right to an anonymous domain, nor should you because the opportunity for fraud on the internet is too high. Having everything out front at least keeps a modicum of openness and honesty (although admittedly not a lot). Besides, if I remember properly, you can update the e-mail address to be admin@your-new-domain if you don't want spam going to your personal email.
If you want relative anonymity, get a hotmail or yahoo account.
You could always use GoDaddy for domain registrations, which gives you the option of keeping registration info private. Not to mention their prices are a hell of a lot better than going through Verisign.
Trolls lurk everywhere. Mod them down.
One is using Dotster. They obfuscate your email address, so you won't be spammed so easily, but they can still contact you. A friend of mine nearly lost his domain because he used a fake email address with Network Solutions and he never got the "your domain is expiring" email.
The other is finding a trustworthy ISP/hosting provider who will manage your domain for you. I've been using HostSector and it's worked well, plus it's less expensive than buying the domain outright. I'd have to jump through some hoops to purchase the domain from them, but I can do it, and I believe their contract specifies that I can purchase it at any time.
Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
A friend of mine has had 2 cars stolen and one attempt because of this information. He had published some information about them on his site like pictures, track times, races he had won.
The third time when they got caught, they claimed that they had gotten his address from the internet where. Someone had seen the cars there and "ordered" them to get it.
The attempt to hide domain registration information is clearly an attempt by spammers to hide in their caves while continuing to launch massive strikes against the rest of the world.
I don't agree with the author's conclusions. Any person registering a domain name in .com is explicitly saying that they are a commercial organization, hence there should be no expectation of personal privacy. The solution is to set up another TLD explicitly for individuals, since .org, .net and so on are not really appropriate either. It is necessary for all .com registrations to have valid and public registration info available, without this the level of fraud would be even worse than it is today. I have no sympathy for anyone who registers a .com domain name, and is not actually representing a business.
This is the usual bla-bla for an organization, with the only reason, than people remember about them. His objective is not to take care of privacy problems but just to bring the attention to himself. So, he was successful, /. has posted the article.
Please correct me if I'm wrong - but I was under the impression that if you register a domain via domains-by-proxy, or any other similar service, you are trusting the good will of the service to let you use your domain - and nothing more!
i.e. you have absolutely no right to the domain; everything that you can do is done with the consent of domains-by-proxy - and they can shut your domain or sell it on, or do whatever they want
Basically the paypal of the domain registration world
But, as I said, please correct me if I'm wrong
Of the 6 major reverse phone number / online phone books, about 4 of them are co-operative about removing info. The other 2 take weeks / months / years to remove an entry, if they bother to do it at all.
For example, I tried to correct a bad entry for my mother-in-law for all 6 of the biggest ones starting 2 months ago. She moved, and went to an unlisted number in another state. I sent multiple e-mails to the ones who have YET to delete this bogus entry, based upon her husband's name (He died 30 years ago).
The biggest and worst offender? Yahoo. I also had trouble with correcting bogus information from the one of the credit services they own part of. They had "tagged" my home address as a business address. Apparently, I got some trade journals at home during that period and that meant that it was a business address. Therefore, I finally had to take it to a federal complaint to get them to change that "tagged" entry so that I could get report, so I could work on the other problems.
What started it? My Dad spent 5 months living with us while building his new house. They changed the entry for my home to my Dad and my wife's name.
So, the moral? None of the information tracked by so-called organizations working for us is worth anything, and in fact may come back to hurt you.
I also used to get calls for someone else with my name, but for the wrong area code. I guess he was a deadbeat and lived 30-40 miles away. When they split the area code, all his banks would look him up on the internet to find him and call me. Another reason I went to an unlisted number.
It's been a long week and forgive me if I'm being overly stupid... I don't think I follow. I understand not wanting your personal data available on the WHOIS for general privacy reasons/SPAM etc. If you are marketing shareware/freeware etc specifically, what are the extra implications. Is this simply for tax reasons? Cheers
I know, I know... I need to learn a little English.
While they have some valid points, often it's taken way too far. So I'll add more fuel to this:
Go check out ARIN. If you have a static IP address+competent (read not RFC-ignorant) ISP, your SWIP record contains your personal information too. That's how it's supposed to work.
That's right, the whole Internet is out to identify you.
Do not fold, spindle or mutilate.
I had a friend who worked in network operations for @home, back when it actually was making money. In their whois record they had the direct line to network operations which made a fair amount of sense as domain related issues should be directed to network operations. Problem is the fact that he always got calls from jarheads of report every ping detected as a hacker attack sort, but not necessarily even from their domain.
It really is a double edged sword, on the one hand a good reason to have this contact information there in the first place is in the event something needs to be reported like virus/worm infection, system down, open proxy, that sorta thing. On the other hand, there are those who don't respect the fact that info is there for a good reason and it's not for trivial issues or spam.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
just get a mail boxes etc. po box
only the cops can come in and say "who the hell owns this box?"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I see many posts with support for removing the personal information. I have seven or so domain names registered under my name with my real email address and information, even though it's my second email account to which I expect SPAM. Trust me, I do get spam to that email inbox due to the whois database.
However, I work for a company where it is sometimes necessary to track down owners of domains and report them to the appropriate authorities. Even though a lot of people fake the information, the whois database has come in handy more often than not.
Another good thing, for myself at least, is that I have gotten offers on some domain names I used to own. I am guessing they got the email address from the whois database, as I hadn't used the domain in question at all. I managed to sell it for quite a bit more than I bought it (it was a four digit sum, but still way more than I paid for it).
I am slightly split on this issue. I don't want my personal information in there (and faking is not an option for me, I want to stick to the rules), but I want to see other people's information. Guess there is a tradeoff somewhere along the line.
Anyways, just wanted to point out that the WHOIS database can be extremely useful and/or helpful sometimes.
Any domain name has a real value, depending on the coverage of the particular name. We all remember a few years ago that some domain names traded in the millions of dollars. A check of Great Domains shows numerous domain names for sale in a wide spread of prices.
I believe that the Domains by Proxy model could be used by all Registrars, similar to having an unlisted telephone number. Allow the option to hide from public view personal information, but allow that information to be retrieved by law enforcement and the various court systems. We seem to forget that the Internet is in its infancy, with laws just now being written to cover this new medium. In a few more years, as domain owners pass away, legal issues regarding ownership of domains will come up. There is the potential for loss of a valuable domain name, simply because the owner had no concrete proof of ownership. In my own case, I've included my domain names in my will so that they will pass on to my children (and no, I don't need more kids, so don't ask me to adopt you).
Pete Carr Owner Chatmag.com
Er, you have a P.O. Box ... why not use it for DNS?
...if only SCO took the same option of the Linux community.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
"If you are marketing shareware/freeware etc specifically, what are the extra implications. Is this simply for tax reasons? Cheers"
Perhaps he doesn't want people who don't need to know knowing where he lives so that he doesn't get people turning up and stealing from him?
Why does someone who releases software on the net need to have their address published? It doesn't make the software work any better.
Since when does the US Congress decide what's in the whois database? As far as I know ARIN does whois for North America, Caribbean and Africa.
If you don't want to run a public server, don't get a public IP address, run behind NAT. If you want to connect to my server, then I should be able to contact you if someone on your system does something wrong.
Verisign (NetworkSolutions) started verification using a text embedded in an image before giving out the registrant information to stop the bots. But still, the most spam I have received on my registered domains is at the email address specified for registration.
I hope they do something or keep a database of people with a verifiable email address of who wish to view your information.
Something like this:
Let's say person A wants to view registration information of my domain. First they have to give a verifiable email address on which the WhoIS system will send an email that will have the link. Clicking on that link from the inbox will give them the option to either:
* View the registration information
OR
* Send an email out to me with their information like name and phone number. If I click on the approval email, they can view my information !!
Basically Nominet has types of registrations, one of which is IND (for INDIVIDUAL).
Individuals can opt-out of having their whois information displayed in a whois query by asking their registrar to opt them out (a couple of minute administrative task).
This appears to me to be a simple and logical answer to the entire problem.
So? I admit it's a serious problem if the information is abused, but there are so many ways around it - the way I choose: I registered through GoDaddy.Com to have them put their info into the registry. I still own the domain and I can modify or transfer it without any problem, but the information in the WHOIS reports GoDaddy. It's a privacy option listed on their page. - And I don't work for GoDaddy.Com
I believe that the WHOIS database should at most just list an email and possibly a tech contact address to report abuse.. as someone has mentioned, it's entirely too easy to register with fake information, or to do it in someone else's name and all. So in the end, only small faithful entities that register domains that generate controversy get the short stick with the current situation
Right now, there are thousands of spamming scum who post bogus information in their domain registration in order to foil the wrath of spamfighters.
Ok, maybe I'm drunk, maybe I'm surfing the web naked from my bedroom, maybe I'm a nerd with an attorney, but I like the fact that you need a contact address to register a domain name. Hell, if every registrar did verify each address, maybe we wouldn't have such a problem with spam. I mean, if you're going to provide a public website (any website) you should be at least somewhat accountable. I know this will get me modded down, but I do believe some things should not be anonymous. Yeah, the net used to have different ideals, and used to mean anonymous access for all, but I believe for the security of the whole net those days should be over. Ok, I don't like this idea, but I'm tired of spam and hackers, and well, it could go either way: make the internet completely anonymous (unless you opt in) or make it completely non-anonymous... hum, yeah, I'll get modded down for these views, it's ok.
::i visited slashdot and all i got was this lousy sig::
Who said you have to provide accurate information to your registrar. Just use a fake name, address, and phone number.
Wow, this guy just figured this out? I've been looking up whois information JUST for that kind of information since 1994. I'm sure there are other people who have been doing it way before I have. It is pretty nifty though!
If someone puts something on their web site that is defamatory, then I want to know who they are and where they live so that I can take them to court. So the whois data has to be public.
I've been putting this off for a long time - it used to be cool to have your address and info listed in WHOIS back in 1994, but these days it's just bait for telemarketers or (worse) identity thieves.
So I just went and changed my WHOIS info to a bogus address...
SG.
grisha.org
I definitely agree with the letter to U.S. Representatives Lamar S. Smith and Howard L. Berman about this. When I first looked into registering a domain, I looked for a company that would list their contact details in the WHOIS database, and they would hold my records, keeping them off the public domain. This seemed like a good idea until I wanted to change companies, and they were basically uncontactable (always had their machine on, never returned calls or emails (10+ of each)) and they wanted to charge 3-4 years worth to drop my details so I could register with another.
On another side note, I remember once reading a site that was linked on /., and the webmaster had these words on the site,
"This site is owned and operated by myself, a veteran of the US Navy. I'm not giving out my name any more BECAUSE the cops harass me, not the criminals. Nice huh! At least it gives my site credibility.."
Funny thing was, if you went to the WHOIS database, all of his personal details were there to be seen, and he even lived not too far away, could have dropped by and said hi or something.
"...the letter points that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world..."
I can get most of that information from a phone book.
geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken
That's not quite what I was getting at. I understand the personal privacy implications, I just thought I was missing something (I guess not).
Like I said, it's been a long week.
I know, I know... I need to learn a little English.
Whether or not this was an ethical thing to do, I couldn't find the number of someone who'd been harassing me in any of my logs or emails. I took a chance and checked out the whois info for one of their domains. I now have their home phone number, home address, and email address for when their next bout of stalking occurs and something needs to be done.....
I relied on the WhoIs contact database when my work got slammed with SoBig virii/viruses. It was so bad that our mail queue was delayed as much as 2 days at points. Tracking infected computers that were hammering us by IP, then contacting them via the phone number listed in WhoIs was *VERY* successful. In a 3 day span, I had notified over 100 infected users that were unaware of their virus problems. All cleaned their machines and work returned to its usual humdrum routine.
-Ab
Nothing fails quite like prayer.
A lot of registrars offer WHOIS Privacy Protection, but this usually costs almost as much as the domain itself. However, Personal Names (a registrar specializing in .name), does WHOIS Privacy Protection as part of the standard service (i.e. no extra charge) and I think this should be the default of all registrars. But I doubt that will happen any time soon.
Disclaimer: I work for Personal Names.
My address and phone number are incorrect (they used to be right a few years ago). Since refreshing the domain registration can be done through most ISPs or directly using a credit card, there is no reason to deal with dead-tree mail to keep a domain.
Just to eliminate the yearly hassle, though, I've extended my domain registration for another 5 years. It must irk the other companies with the same name as I've got the .com address!
Except that YOU were not specifically spammed, but people ARE. I received phone calls to the number I had on there (a cell phone) from a scammer who was trying to get my credit card # by saying they were going to renew my domain name. I stopped receiving calls as soon as I had my domain supplier change my number to unlisted.
I agree. My sister had her picture on a website, and some jerk copied the picture and put it on his web site after defacing it and making very rude and insulting comments about it. He had completely falsified all of the information in the WHOIS database and we had to complain to the company that hosted his DNS records. A WHOIS lookup on the DNS server. Even then they weren't too much help.
If you purchase a domain name, then in my opinion, you have certain obligations, which include some reliable and legally binding means of someone getting in touch with you (i.e. someplace that I can send registered mail). An email address by itself is not sufficient. Privacy issues are not relevant in this case.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
Yeah well your bank can refuse to give you back all your money, but they rarely do that. Problems like you describe are with the business, not the business model.
"If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
If the e-mail address is not "admin@yourdomain", you probably use that e-mail for other things too. So I think there is a higher probability that the spammers harvested your address from one of those other uses, instead of WHOIS. Claiming that spammers got your address off from WHOIS would only be valid logic if the WHOIS email address is unique and there was no other opportunity for a spammer to stumble upon it elsewhere.
Just don't use your real contact information. It's not rocket science.
My info is something like:
Mr. Roboto
123 Street
City, CA 90505
555-555-5555
Absolutely nothing wrong w/ doing that either.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
How will we punish spammers otherwise???
You don't HAVE to have a domain, therefore if you're vain enough to get one expect a little trade-off.
Geez I swear people are taking things too far these days. I'm all for privacy but for pete's sake you people CHOSE to get a domain!
I have filed a lawsuit against Sobonito Investments, the people who have the domains sexaffair.org, fantasymatch.com, xxxdate.com, bangmatch.com, for spamming. By not having entirely truthful information in the whois database, it makes it much more difficult to effect service against these spammers.
Fight Spammers!
I think it's important to establish responsibility for a domain name. A domain is an important entity on the modern Internet -- a top level domain occupies precious space in a root server's database; increases the time and bandwidth required for zone transfers; and provides a potential new destination for tons of e-mail. I think it's important to require transparent "residency" identification on domains.
I've owned my domain since 1998 and have been bothered on the phone very little. However I have purchased a P.O. box to list, since giving out my home address does seem risky. I would like to remove my phone number from the listing -- so I appreciate these privacy concerns, but how can we protect people's privacy and also have domain ownership clear? And accomplish it without establishing a decision-making authority such as Verisign (yikes!), governments, etc?
If we used DNS domains like they were designed to be used, this could be an easy-to-correct problem.
Any entity registering in .com must clearly be a commercial entity with no problem in giving out their business address, contact number, etc.
Any entity registering in .net is a service provider, and should have all sufficient information to contact that provider for connectivity or abuse issues.
Any entity registering in .org is a non-profit organization, and should post any contact information that they'd otherwise be required to post as part of their charter.
We have a '.name' now (which personally I think should have been '.nom'), for personal users. I think it's perfectly reasonable to expect that individuals will not want to put any contact information there. I also think it's perfectly reasonable for an ISP's contact information to be exposed in its place, though.
Basically, just apply privacy requirements to the intent of the domain name. If regular Joes want to register a .com, they need to expect to be treated like a commercial entity.
Subdomains under a country code would need to be addressed by the countries in question.
I have helped friends who were defrauded find out who the person defrauding them was from info in whois. Sometimes, it is a dead-end, but it is a start. I think this info is very valuable in this case.
Just type a US phone number into Google and up comes the name and street address, just like in that local copy of the White Pages. So they might as well be global.
"Such potentially sensitive personal information, released publicly, can be abused for purposes ranging from unwelcome marketing to identity theft, fraud, stalking, and other criminal activities."
To paraphrase James Randi, if you're using the WHOIS database for marketing, ID theft, fraud, and stalking, you're doing it the hard way.
Golly, I just launch Watson on OSX and get name, address, phone number, punch in the info to Google and get a map and aerial photo of their house on MapQuest.
Not to mention picking up a freaking phone book in any public building in any location in the US...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
matter for .com, .net, or .org registrations? Whereas anyone could register one, their primary purpose is for registration of US entities. If country XY has privacy laws then they can be concerned with domains registered through nic.xy. Otherwise, if they have concerns with information being made public then they can make laws against registering a domain for a US based TLD.
...what is the point of keeping phone numbers and the like "secret" when there are so many other social engineering methods to obtain them?
Phone numbers, addresses, and the like should never be considered secure in the first place.
Need the WHOIS info, and here's why...
A few months ago, I purchased quite a bit of money in CD's from an Internet site. It's a business, but it's a proprietorship run by one person. I never received the CD's and the guy stopped returning my emails. I had paid him via PayPal, and the ridiculously short PayPal complaint/insurance period had run out, so I couldn't get my funds back.
The guy has no contact information other than an email on his site. (And don't play me for an idiot...This is a big music site and I've successfully purchased there before.)
So...I wanted to send him to a collection agency. Several warnings to him went unheeded, so I went about trying to track down his personal information.
And I ended up on netsol. It referred me to GKG.net, another registration company. I went on the WHOIS and the guy had NO information whatsoever. Every field said nothing.
So I emailed GKG.net and told them that when collection proceedings began, we would be asking them for this guy's info. They emailed me back that it's their policy to have updated and correct information in the WHOIS database. They emailed the guy and gave him 48 hours to provide it, with the threat that his site would be shut down.
A day later, all of his information was up. I had a name/phone/address. I sent him to a collection agency based on the only place I was somewhat easily able to obtain information.
Damn good reason to keep WHOIS info open. If people don't want to give out their home addresses, then they should rent a P.O. box for $20/year. If they don't want their names public, then I can only imagine either a) unwarranted paranoia or b) that the person shouldn't have on the web whatever it is that they have on there.
WHOIS helped, and the guy went to a collection agency.
-SD
That being a bit contradictory to things like the homeland security act, it sounds as if some spammers were trying to lobby. Nothing can be better for spammers than that. Conspiracy theory? I think not.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
Now his credit report gets dinged at least once a month. Lucky him. I can tell you that sending our merch or refunding our money would cost him 5000% less than this is going to. And that kind of makes me laugh when I put it into perspective.
-SD
Here at Texas A&M University, we have a central IP registry called NIM (Network Information Manager). Until about a year ago, anyone with access to NIM could look up any IP on campus.
Then, citing privacy concerns, administrators restricted lookups in NIM to systems associated with the searcher's group (in other words, I can look up any system in my department, but can not look up other IPs or (what I more frequently need) MAC addresses, even if they are in one of the buildings I administer systems in). Even folks in the campus-wide Computing and Information Services can not look things up unless they are part of the small group permitted to do so. Amazingly enough, the same folks who decided to restrict access are the ones who can still look anything up.
Of course, what concerned me at the time, and continues to be a problem, is the ability to trace a hijacked IP or an infected system. If I have to go through the privileged few who can look up the IP, it takes more time and it escalates issues which could probably be solved quickly.
While WHOIS entries have information that could prove troublesome from a privacy standpoint, NIM should not. Usually it has the name of the administrator and some notes about the system. Some admins (like me) also add info to better identify the system, but should not have info that would cross the privacy line.
In truth, once the suits set their sights on a matter and start waving the privacy flag, it is too late. We need to start figuring out an alternative now, because WHOIS is doomed. Logic and need will not save it, and reason will not prevail.
GoDaddy.com offers a registration-by-proxy service of some sort, where they'll forward legal correspondence to your home address and only list their info in whois. Costs an extra $10/year or so, I believe.
You aren't kings of the world, kings of morality, or kings of anything else. Conceited bastards.
The solution is simple. If you want WHOIS contact information, you must make a request through snail mail. This would prevent mass harvesting of the information while still keeping it public.
Really this has nothing to do with real privacy. It's to protect spammers from having their names and addresses exposed so they don't get inundated with mail spam. That's it. No more. No less.
-- DuckWing
The WHOIS data is a problem because it ties personal information to information that may not be very popular on the web. If you run an anti-DMCA site, for instance, or anti-anything for that matter, and your personal information is tied to that site, then it leaves you open to harassment by organizations or individuals that you're campaigning against. This is just one example that demonstrates the differences between the WHOIS database and the phone book. The phone book doesn't expose your potentially unpopular ideology, and the phone company does give the people the option to be unlisted.
On the other hand, it's very easy to get around publishing personal info in the WHOIS database:
whois -h whois.melbourneit.com stallman.org shows Richard M. Stallman as being based in the UK, which is obviously not accurate.
I don't claim to be an expert in this area, but I know that Dotster offers a service to hide this information. Well, it doesn't hide this information exactly, but you can't get it without querying their specific whois server. When you try something like this:
whois example.org
you get information that looks like this:
Registrant Name:SEE SPONSORING REGISTRAR
Registrant Street1:Whois Server:whois.dotster.com
Registrant Street2:Referral URL:www.dotster.com/help/whois
Registrant City:N/A
Registrant Postal Code:N/A
Registrant Country:CA
Registrant Email:not@available.org
The Admin, Billing, and Tech entries are the same. If you, however, do this:
whois example.org@whois.dotster.com
you get all of the personal information like normal.
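As an added illustration (not part of the comment above, and not any registrar's code), this Python sketch parses the registry output quoted in that comment to show which fields the masking actually hides and where the referral points. The function names and the placeholder list are assumptions built from that one sample.

```python
import re

# Registry-level output exactly as quoted in the comment above.
SAMPLE_THIN_RECORD = """\
Registrant Name:SEE SPONSORING REGISTRAR
Registrant Street1:Whois Server:whois.dotster.com
Registrant Street2:Referral URL:www.dotster.com/help/whois
Registrant City:N/A
Registrant Postal Code:N/A
Registrant Country:CA
Registrant Email:not@available.org
"""

# Assumption: placeholder values taken from the sample above, not from a standard.
PLACEHOLDERS = {"n/a", "see sponsoring registrar", "not@available.org"}

# Conservative hostname check: referral text is untrusted input and should
# never be handed to a whois client or a shell without validation.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_fields(text):
    """Split 'Key:Value' lines on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_record(text):
    """Report masked fields, still-disclosed fields, and the referral target."""
    report = {"referral_server": None, "referral_url": None,
              "masked": [], "disclosed": {}}
    for key, value in parse_fields(text).items():
        low = value.lower()
        if low.startswith("whois server:"):
            host = value.split(":", 1)[1].strip().lower()
            if HOSTNAME_RE.match(host):
                report["referral_server"] = host
            report["masked"].append(key)
        elif low.startswith("referral url:"):
            report["referral_url"] = value.split(":", 1)[1].strip()
            report["masked"].append(key)
        elif not value or low in PLACEHOLDERS:
            report["masked"].append(key)
        else:
            report["disclosed"][key] = value
    return report


if __name__ == "__main__":
    result = audit_record(SAMPLE_THIN_RECORD)
    print("masked fields:  ", result["masked"])
    print("still disclosed:", result["disclosed"])
    print("full record at: ", result["referral_server"])
```

On the quoted sample, the country code is still disclosed at the registry level, and the referral server named in the street field is the one place the complete record remains available, which is the limitation the commenter describes.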
Can someone explain to me how you would query a WHOIS database for a registrant or business name? Most of the WHOIS utilities I have seen only allow a user to search for a domain name, not other strings such as registrant name or business name. I'm wondering if this is how I've gotten spam to multiple accounts from different WHOIS records? (Sometimes with details about my websites, e.g. URL's from my sites.)
Most people here are missing the point of privacy in a personal domain. Lots of people use their own domains for putting up pictures of themselves and their children to share with friends and family. The world is full of sickos who would use the whois information to find out where they live and then proceed to prey on the innocent.
On the one hand, public information is needed to track down scammers, spammers, and thieves.
On the other hand, if you're a small-business owner/operator (without the layers of protection and anonymity provided in a large company) you really are right out there, address and all.
I've been hit both ways; first by some lunatic who took images of my work and represented them as his own (and who routinely does that to artisans). He's safe and comfy behind an impenetrable wall of bullshit in his registry entry. But until I figured out I needed a "junk" e-mail address in my registrations, I was entirely open to spammers. And I'm now getting "opt in" spams that say, "The person who opted-in for this crap is at n.n.n.n"
Anne
DUCT TAPE: The Election Supervisors' Secret Weapon
It used to be possible to obtain the address of any owner of a post office box by sending a request to the appropriate postmaster, along with some trivial fee. That was changed a few years ago. Now it's easier to run a scam from a PO box.
Too many people are wound up about "stalking", which is usually an ex-boyfriend problem, not a stranger issue.
If we're going to have anonymous domain registrations, it must be illegal to conduct any kind of a business through them. I'd take a hard line - if you have an anonymous domain registration, and any link leads to accepting a credit card, or filling in a form that requests personal information, it's a felony.
This has all the marks of spammers trying to find one more way of obscuring their information from those who would seek to control their activities.
It seems too convenient that this is being pressed now, when spammers are under the greatest pressure to stop their activities.
I've used whois as a phonebook often, as most of the people I know have a domain. Even way back when Slashdot was just starting and CmdrTaco was asking around for a free place to host the images, I was able to call him because his number was on whois. We were able to get slashdot.wolfenet.com up and running and Slashdot was able to continue existence and grow to the point where they were giving out 5 digit user numbers.
I'm strongly in the camp that domain contact information, at least the technical contact, should be public. I've dealt with abuse issues for ISPs too long to think any other way could work. If there is a technical or abuse issue with a domain a network admin needs to be able to contact the person responsible. At least contacts for DNS servers need to be required.
-- I have a private email server in my basement.
So if you don't want your name and address listed, just put in a phony one. You can use a unique email address if you want to check messages relating to the registration.
Geez, it's not that hard to be virtually unlisted.
M
-- SYS 64738 --
From RFC 2050:
-- I have a private email server in my basement.
The comment is right on. LATTE made a rather poor analogy, which is sad because he's usually a more thoughtful poster.
As most other individuals, I'm in the phonebook too, which can be accessed from the web nowadays.
Come on. The phone book does not say that you own liberalsarestupid.com, or isupportchoice.com. If you have a business that is controversial to some and list it in the yellow pages, fine. But you have to put it there. I'd like to put this "phone book" analogy to sleep.
So long, michael. Don't let the door hit you...
Why not just require that all personal registrants provide and maintain a valid e-mail address?
Phone numbers aren't dynamic. And a good ISP will be able to check the logs and find out who was assigned what IP at what time.
-- I have a private email server in my basement.
Coming across my personal info in the WHOIS database [2 entries] is what clued me into the fact that I was a victim of identity theft [via stolen mail].
However, I agree--it's not cool to post personal information [at least for non companies]. What if someone wants to run a controversial site? They should be able to do so without fear of physical repercussions, right? Or, God forbid, kids who register a domain . . . if I had a family website with pictures of my kids on it, I sure as Hell wouldn't want my home address available to the public.
Remember, some small percentage of humanity is fully deranged. The internet exposes you to all of them.
These internet based companies, spammers, and anti-privacy web sites post nothing on their site about how to get rid of their applications or combat them. The Whois is the only way I have been able to track these "people" to the source. I had a recent run-in with an application that hooked into IE. There was no way to find out how this application was driving IE. I did the un-install (logically) from add / remove. This of course failed. The popup continued and the user (Partner Attorney) gets extremely frustrated. The software originator's web site had nothing.. no phone.. no e-mail.. no fax.. NADA. Off to WHOIS I went... http://networksolutions.com Oops.. registered with http://registrar.com BOOYA!!!! One quick phone call and a lot of cussing later the application is quickly removed! Without WHOIS this would have been a PC shipped back to another office to be re-imaged, setup, software loaded and shipped back. I see how it CAN be abused but the information can be vital to the right person when there is no other means. Let WHOIS not become another way for non-legitimate people to hide. Thanks, J
You mean to say, you actually give factual information during registration?
I'm wavering a bit on this issue. When you make your personal website publicly accessible, shouldn't you expect some of your personal information to be publicly accessible as well?
After all, when you get a telephone, your name and (new) phone number gets listed in the phone book for all to see. Merely listing a phone number in a phone book without the corresponding name is absurd.
You can of course, choose to keep your phone number unlisted, and give it only to your friends and relatives. Well, you can do the same thing with your website! Don't list it in WHOIS. Give your friends and family your static IP address and you never have to worry about a thing.
Don't blame me, I didn't vote for either of them!
Whatever happened to the public domain? I am for privacy for the most part, but not total anonymity. In certain areas, total anonymity is wonderful, such as on /., but in others, such as in business, one needs to have a name and real info to be legit. The registration of web domains is a business, and should therefore have all the disclosure of identity rules apply.
Not clear on what you mean.
People have followed the admin links to your home address and stopped by to say hello? Is this what you mean? They actually physically came to your home address?
Would you be OK with that? Or would you be as weirded out by that as I would be?
Some time back, I lost an important package sent via registered mail to me in the US from the UK. We asked both the UK post office and the USPS to investigate:
Within 2 days, the UK Post Office told me that they had tracked the letter to the airport nearest me (in the US).
After six months, the USPS told me they had no clue about the letter. Nothing. And it took six months.
The real "Libtards" are the Libertarians!
I get bazillions of emails to the address I use only for registrar information, so I know they got the info from there. And I get a ton of snail mail from other registrars, pitching for business. At this stage I simply keep changing the email address for registration until it starts to get fifty offers a day for a larger chap. Can't go changing my home address though....
Let's see.. you want to be responsible for a name that is globally reachable in the DNS, and you want control as close to the root zone as possible.. is it wrong for the public to want to know who you are? After all.. this is humanity. I can just see how things go when we CAN'T find out who owns what..
I got a post office box. If they need to send me snail mail, they can send me snail mail.
This sig no verb.
Any time you use these, you give away your contact information so people can verify you, send you stuff, get to your house, etc. When you sign up for a web site, it's assumed that you WANT TO BE CONTACTED! After all, isn't that what the web is about...There's no assumption of anonymity for those who have web sites...that's an urban myth. There's no privacy in business dealings because it's assumed the parties want or need to be contacted if things go awry. Watch what you put in those if you don't like it!
I'm sorry but the telephone directory now only contains their first and last initial. You will have to find their number somewhere else...
Why should you be able to look up someone responsible for a particular website?
Let's see. Maybe what he/she/it is posting is an out and out lie. Maybe it is treason. Maybe it is perfectly true.
For whatever reason, if you publish something you are responsible for your actions and must be held accountable.
If you are a coward then either don't host a website or stay away from controversy.
Everybody knows registrars don't care if what you list as your home address or phone # is true or not. The registrars are negligent in their duties by allowing such activity, IMHO.
If you publish anywhere you should be as easily accessible as your website.
Lots of folks posting to just use fake or special information when registering a domain as the way to go. Having the real and correct contact information for your domain is required. False or incorrect information is cause for losing your domain.
Not having the correct information would allow those who want to get away with illegal acts to be free of the consequences of those acts. Accuracy and public access to that information is needed.
The other issue is privacy. Actually this is no big deal. Your personal information is available many more places than you can imagine. If you want to live your life protected and paranoid, stay an AC, don't have any domains and never register for anything. It's pretty simple. If you want a domain you have to be able to be got hold of. Your risk of having your mail box emptied out by criminals wanting to steal your identity is a greater danger than having your contact info readable from a whois look up or some web form at Namesecure or Register.com.
As you can see I don't care about my karma.
As so many spammers have shown us, you don't have to provide real data for the whois database.
I'd like to see registrars required to verify the contact information, maybe once a year.
-Rich
If you are marketing shareware/freeware etc specifically, what are the extra implications? Is this simply for tax reasons?
Tax reasons are no problem, as I'm a full-time student in the UK. The first 5000 pounds of income is tax free. I'd be lucky to exceed that amount.
However, things do get tricky when renting a flat, as the rental agreement states that the property "cannot be used as a place of business". More than likely that means people can't convert the property into offices, use it as a warehouse, a call-answering centre or as a mail-sorting centre. For this reason I don't want to disclose the address, since it is only temporary.
If I lived in student accommodation, things are even worse, as the college claims ownership of all technology developed on university land and buildings.
www.domainsbyproxy.com
This is a non-problem. Spend $10 a year for a DBP account if it really bothers you.