Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exposing Personal Information in the Whois Database

Posted by CowboyNeal on from the a-better-way dept.

rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."

40 of 323 comments (clear)

  1. amen by Neophytus · · Score: 5, Insightful

    Registrars under their status of registrars are required to HAVE FULL AND PUBLIC CONTACT INFORMATION for anyone who registers. For big biz this ok but for individuals (such as me) it is a big worry.

    1. Re:amen by orangesquid · · Score: 5, Insightful

      And when the owner of a domain is running an open relay, or has a glaringly obvious security problem, or has a problem with their site (and webmaster@ bounces), the courteous thing to do, e-mailing them to inform them of the problem, can no longer be done if there is no e-mail address available.

      Or, sometimes you get people who register domains through some co-hosting service and then launch attacks against your box/network through the service. Usually, the e-mail for the domain registration will be someone in charge who can give the asshole due justice.

      It is not a frequent thing when I must resort to WHOIS to contact a site owner, but sometimes it happens and it's fairly important.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    2. Re:amen by afniv · · Score: 4, Insightful

      Well, why can't the WHOIS owner provide a method of writing a non-HTML message, limited to say 400 characters, and e-mailing the message to the non-public e-mail address on record for the desired domain name owner? Forums software do this.... Do I really need to be contacted by phone or snail mail by the general population regarding my domain name? I've only been contacted by the registrar to renew.

      --
      ~afniv
      "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
      Richard von Weizs
    3. Re:amen by drakaan · · Score: 4, Insightful
      The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information, if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information.

      False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.

      Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    4. Re:amen by crazyphilman · · Score: 4, Insightful

      The point you're missing is, all they need is CONTACT info. Contact info is email address and maybe phone number. There is no reason whatsoever for them to have your home address publicly displayed. In fact, it is very dangerous and sooner or later there will be some kind of tragedy and/or lawsuit, and this whole situation will come to a head.

      All it'll take is some blowhard out on the net (and you know from being on Slashdot that there are plenty of them) to get pissed off at something someone posts on their web page. It might not even be anything really bad, people get pissed off over the stupidest things. Joe Blowhard decides to look up Jane Somebody's home address on whois, then goes over her house and kills her. Or kicks her ass. Or rapes her. Or robs her. But you get the idea.

      Currently, the anonymity you have on the web is the only thing protecting you from all the crazies out there. Put your address on a website, and you take your chances. Not wanting to risk possible red death should NOT ban you from having a website, and that's what this is really all about.

      Identity theft is one thing. Getting your ass beaten by some lunatic who didn't like your website (maybe he thinks you're not religious enough, maybe he doesn't like your politics, whatever) is quite another.

      --
      Farewell! It's been a fine buncha years!
    5. Re:amen by hoagieslapper · · Score: 2, Insightful

      And driving down the street you cut someone off and they now have your license plate number or they follow you home. You get in an argument over the price of coffee at the local grocery store. You write the store a check, which usually has your address on it. The clerk comes after you. Did you forget to tip the pizza delivery person?

      These are every day events that happen locally. The person you piss of on the internet my be your neighbor, but more than likely they are hundreds of miles away.

      Could the above scenerios happen? Yes, but I will not let fear of possible lunatics affect my day to day actions.

    6. Re:amen by dumpster_dave · · Score: 2, Insightful

      The proposed solution, then, is NOT to get rid of WHOIS. It's simply to add an anonymity layer to it. The _actual_ contact info would be available to the registrar, and contacts/complaints would be handled through them.

      If you want to complain to the CEO of AT&T, you call him at work--not at home.

      If the target registrant is using false information, the registrar itself [AS IS REQUIRED] would still find out--really, it's actually a non-change for them.

      There are plenty of allegories to this in existing systems--this shouldn't be a big deal.

    7. Re:amen by ChaosDiscord · · Score: 2, Insightful
      I've got kind of an odd view on privacy. If you don't want someone to know you did something, don't do it. If you don't want someone to know you smoke pot, don't smoke it.

      Indeed you do have an odd view on privacy. This sort of view on privacy puts free speech, freedom of religion, and even democracy at great risk.

      A key element of freedom is some level of privacy. Like all things this is a continuum, but the privacy needs to be there.

      Take the extreme case. Your vote is private. It's absolutely essential that it be private. If it wasn't private, some local "Honest Businessman" might want by each household in a distict saying, "You've got yourselves a nice house here. It would be shame if something happened to it. If you don't vote for Sentator Gimmebribes, something might happen. That would be very unfortunate." Thanks to the privacy of your vote, you can go vote out the creep, then return home and say, "I have no idea how he lost the election, I sure voted for him!"

      On a more historic level, support for the United States revolution was built up by anonymous pamphleteering. If the publishers had put their names on it the British would have strung them up. By working anonymously they could continue to spread their message and do more good than if they were quietly executed early in their campaign.

      To take a still fairly extreme case, say you're in a strongly racist community, one in which violence occasionally erupts against one race and people defending that race. This might be South Africa of the past or parts of the United States in the past. I'm sure it still goes on in other countries right now. You feel that the racism is wrong, but you've got a family. If you speak out against it publically there is a real risk you'll be lynched, or your children attacked. But you can secretly spread pamphlets or other media exposing the evil.

      This applies in many other areas. Is your preferred religion unpopular, perhaps even dangerous? If you're not in the mood to be a martyr (or perhaps make your children martyrs), quietly, privately practice your religion. Hopefully this isn't something that happens anywhere, but in some parts of the world it's a risk.

      Want to speak out against a group that you feel is criminal and willing to harm you? (Perhaps a large cult?) The police don't agree it's a threat and won't protect you, but you want to warn the world? Well, privacy in the form of anonymous speech may be your tool.

      Getting a domain (typically to run a web site) can be a great way to get your message our inexpensively. To declare that you can't be private while doing so is to limit potentially important speech.

      --
      Search 2010 Gen Con events
  2. If there were strong checking by Trigun · · Score: 2, Insightful

    I'd deem this an issue.

    However, how many Heywood Jablowmie's are there in the WHOIS database?

    1. Re:If there were strong checking by gfody · · Score: 2, Insightful

      a lot of "optin" email lists go thru my system.. and judging by the percentage of asdf@asdf.coms and blah@blah.coms I would say most people realize this.

      also doesn't take a whole lot of common sense when your filling out a form for an online comic strip registration and its asking you for your home address and phone number. I mean unless your buying something why would you give this info out? people that give out personal info simply because some form is asking for it.. dummies, period

      --

      bite my glorious golden ass.
    2. Re:If there were strong checking by aborchers · · Score: 2, Insightful
      However, how many Heywood Jablowmie's are there in the WHOIS database?


      Heywood must not care much to keep his domain. I recently received a letter from NetSol asking me to verify the information in my registration and reminding that incomplete or bogus records could result in the registration being invalidated.

      Also, I think someone else mentioned this, but it might be hard to defend yourself against a hijack case if you don't have accurate records in your registration "paper" trail.

      --
      Trouble making decisions? Just flip for it.
    3. Re:If there were strong checking by Trigun · · Score: 2, Insightful

      And the whole sex.com boondoggle which used real contact information assures that my domains will not get ripped off either.

      If you've ever seen the movie Maverick, where Mel Gibson is talking to the Indian chief, the Chief states that the next place he's going to move is going to be a real dump so the white man won't kick him off of it. That's the way to pick domain names :)

      After all, aren't we all just little Indians?

    4. Re:If there were strong checking by kaigeX · · Score: 2, Insightful

      Excuse me, but it is required, by law, to put accurate information in the WHOIS database. If that information is false you can have your domain name registration revoked. If your registrar refuses to do it then the registrar can be reported to ICANN.

  3. let's not forget... by I+Want+GNU! · · Score: 4, Insightful

    that Google has this information from phone books as well (just google for a phone number or address), and there are many reverse phone books online. I think they should focus on solving identity theft in ways that if someone's info is already available (as it is everywhere) it can't be utilized well.

    1. Re:let's not forget... by mblase · · Score: 5, Insightful

      Yes, but Google also gives you the option to remove your information from their searchable database -- there's a link right next to your results if you do a search for your own information. So do most other reverse-phone-lookup sites.

      Whois gives you no such option, and would probably actively resist if you even asked.

  4. It is kind of irritating. by Future+Man+3000 · · Score: 2, Insightful
    If you just want to hook a system to the Internet with DNS, it shouldn't take dumping your information out. The cases where this type of information would be useful it always seems to be faked by the domain holder, and for everybody else we get dumped on by every spammer and telemarketer in the book.

    It used to be helpful for looking up abuse information, but that almost always goes ignored nowadays too. Now it's just useful for finding virus writers.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

  5. Re:Reporting WHOIS abuse? by Future+Man+3000 · · Score: 5, Insightful
    Proving that a spammer took source addresses from WHOIS would be problematic. Taking a spammer to court over it wouldn't be cost-effective for the maintainers of any WHOIS server. Spammers have already shown themselves as a group to not be overly concerned about warnings, standards, or laws.

    It's an empty threat.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

  6. Re:How else... by erf007 · · Score: 2, Insightful

    Well it's better than being confronted by asl every time you logon to a chat room.

  7. And even if it weren't... by Channard · · Score: 2, Insightful
    It's an empty threat.

    And even if it weren't, by the time the spammer who harvested your email got a slap on the wrists, your email would be on so many other spam lists you'd never get it off.

  8. And in other news, by JUSTONEMORELATTE · · Score: 4, Insightful

    Late yesterday, privacy activists raised the National Privacy Threat level to Purple, citing the public availability of a "Phone Book" which disclosed personal information for hundreds of thousands of individuals, including full name, home address and home phone number.

    (end sarcastic rant)
    YAWN! Call me when WHOIS data includes SSN. As it is, this info is already widely available for the vast majority of the population.

    --

  9. Re:Call me big brother... by Future+Man+3000 · · Score: 4, Insightful

    Something like this, where contact information is available if you violate best Internet practices (such as by spamming) and people can get in touch with you if they need to let you know that your server has been taken over by a Russian junior high student, but if you are a good netizen you can get by without being hassled.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

  10. Remember when... by march · · Score: 3, Insightful

    How is it a big worry?

    For some of us, it used to be that the real contact information (at least email address) was needed since Internic did all of its renewals and changes via that email address.

    Of course, I could go and change it, but the point is, there are many valid contacts in that database for spammers to use.

    Is it a big worry? Nah, probably not, but it is a concern.

    1. Re:Remember when... by gmack · · Score: 2, Insightful

      If it bothers you then get a postoffice box and a pager.

      That information needs to be valid in case someone needs to contact the admin in a hurry.

      Nothing has been more of a pain in the past when trying to deal with infected/rooted servers and trying to find the admin via the domain owner only to find out the contact info is invalid.

      Makes me have to go to the isp(the slow route) rather than either getting the box owner or the box owner.

      Mind you that doesn't apply as much if the domain is simply hosted on a sever somewhere and your not the admin.

  11. Privacy by wulfhound · · Score: 3, Insightful

    Sorry, I don't buy it.

    A domain name is a publicly accessible object, and a responsibility. As a society, we expect that for certain activities, people be publicly registered (running a company is an obvious example) - reasonable privacy is a right, but anonymity - which is what we are really talking about here - is not.

    I can only think of a very small minority of legitimate Internet activities that both require a domain name and for which privacy is likely to be a concern; in those cases there are plenty of registration agents who will act as a proxy for registration and take on the responsibilities associated with being the owner of a domain.

  12. Practical Contact Problem by billtom · · Score: 4, Insightful

    This is also a practical problem, in terms of making it hard to contact domain owners.

    I have several domains and I use a separate email address for my whois records (separate from my home and business addresses). But I don't monitor emails to that address because it has become completely filled with spam. I just delete all mail to that address.

    But that, of course, means that any legitimate attempts to contact the domain owner are lost as well. I could try and filter it (either manually or with software) but the ratio of legitimate email to spam on domain registry emails is thousands to one, so it's really not worth my time.

    So, aside from any privacy concerns, the public availability of email addresses on whois records in effect renders them useless as contact information.

  13. Correct contact information is required by sa3 · · Score: 3, Insightful

    How can you prove that you own the domain (if needed) if the contact information is invalid?

    What would you do if your registrar goes bust?

    All of this information doesn't need to be exposed in the WHOIS database though.

  14. Two things: by Snaller · · Score: 2, Insightful

    1. If its such a problem, how come spammers always manged to hide?

    2. In Denmark for instance, you can specify you wanted an "unlisted" address, and the whois server doesn't release your information.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  15. Set up TLD for individuals by flakac · · Score: 5, Insightful

    I don't agree with the author's conclusions. Any person registering a domain name in .com is explicitly saying that they are a commercial organization, hence there should be no expectation of personal privacy. The solution is to set up another TLD explicity for individuals, since .org, .net and so on are not really appropriate either. It is necessary for all .com registrations to have valid and public registration info available, without this the level of fraud would be even worse than it is today. I have no sympathy for anyone who registers a .com domain name, and is not actually representing a business.

  16. Guess again(+) by Mycroft_514 · · Score: 2, Insightful

    Of the 6 major reverse phone number / online phone books, about 4 of them are co-operative about removing info. The other 2 take weeks / months / years to remove an entry, if they bother to do it at all.

    For example, I tried to correct a bad entry for my mother-in-law for all 6 of the biggest ones starting 2 months ago. She moved, and went to an unlisted number in another state. I sent multiple e-mails to the ones who have YET to delete this bogus entry, based upon her husband's name (He died 30 years ago).

    The biggest and worst offender? Yahoo. I also had trouble with correcting bogus information from the one of the credit services they own part of. They had "tagged" my home address as a business address. Apparently, I got some trade journels at home during that period and that meant that it was a business address. Therefore, I finally had to take it to a federal complaint to get them to change that "tagged" entry so that I could get report, so I could work on the other problems.

    What started it? My Dad spent 5 months living with us while building his new house. They changed the entry for my home to my Dad and my wife's name.

    So, the moral? None of the information tracked by so-called organizations working for us is worth anything, and in fact may come back to hurt you.

    I also used to get calls for someone else with my name, but for the wrong area code. I guess he was a deadbeat and lived 30-40 miles away. When they split the area code, all his banks would look him up on the internet to find him and call me. Another reason I went to an unlisted number.

  17. Can be useful... by muffen · · Score: 4, Insightful

    I see many posts with support for removing the personal information. I have seven or so domain names registered under my name with my real email address and information, even though it's my second email account to which I expect SPAM. Trust me, I do get spam to that email inbox due to the whois database.

    However, I work for a company where it is sometimes necessary to track down owners of domains and report them to the appropriate authorities. Even though a lot of people fake the information, the whois database has come in handy more often than not.

    Another good thing, for myself atleast, is that I have gotten offers on some domain names I used to own. I am guessing they got the email address from the whois database, as I hadn't used the domain in question at all. I managed to sell it for quite a bit more than I bought it (it was a four digit sum, but still way more than I paid for it).

    I am slightly split on this issue. I don't want my personal information in there (and faking is not an option for me, I want to stick to the rules), but I want to see other peoples information. Guess there is a tradeoff somewhere along the line.

    Anyways, just wanted to point out that the WHOIS database can be extremly useful and/or helpful sometimes.

  18. Re:Obstacle to distributing a shareware applicatio by Anonymous Coward · · Score: 1, Insightful

    Er, you have a P.O. Box ... why not use it for DNS?

  19. Re:How else... by gmack · · Score: 4, Insightful

    Uhh No changing this would cause problems for those who actually USE this information.

    There is nothing to say you need to put clues to your gender into the domain info. Put in a fake name if you want.. use your work email address.. use a PO BOX and a pager as long as you can be contacted without too much trouble it's all good.

    Anyone who thinks this info needs to be removed from the public needs to have their head examined.

  20. Re:How else... by einer · · Score: 2, Insightful

    Actually. That's a good question. ;) If the WHOIS database violates privacy concerns, then how can the phonebook be seen as any different? You have to pay to be unlisted (in the US, not sure about elsewhere).

  21. Re:UK WhoIS by farnz · · Score: 4, Insightful
    I know that American bashing is fun for us Europeans, but it's not so much about catching up, as about taking a different view.

    We have always taken the view that private individuals have a right to secrecy, and that those individuals should make an effort if they want some data published. The USA has taken the opposite stance; people have a right to reveal information, while keeping it secret should take effort.

    In an age where data processing is always manual, the USA had it right; stopping gossip is hard, and there's lots of work involved in revealing information. Further, the more you wish to reveal about someone, the more work you have to perform. Automated data processing has pushed the cost of this work down to the point where it is easy to reveal lots of potentially harmful information in one go.

    Basically, it's wrong to look at the Americans as catching up on this one; they took a fundamentally opposed view to us, and it's still not clear who's got the better system (although I prefer the European one).

    --
    I appear to have a blog. Odd.
  22. Different domains for different purposes by Fastolfe · · Score: 2, Insightful

    If we used DNS domains like they were designed to be used, this could be an easy-to-correct problem.

    Any entity registering in .com must clearly be a commercial entity with no problem in giving out their business address, contact number, etc.

    Any entity registering in .net is a service provider, and should have all sufficient information to contact that provider for connectivity or abuse issues.

    Any entity registering in .org is a non-profit organization, and should post any contact information that they'd otherwise be required to post as part of their charter.

    We have a '.name' now (which personally I think should have been '.nom'), for personal users. I think it's perfectly reasonable to expect that individuals will not want to put any contact information there. I also think it's perfectly reasonable for an ISP's contact information to be exposed in its place, though.

    Basically, just apply privacy requirements to the intent of the domain name. If regular Joes want to register a .com, they need to expect to be treated like a commercial entity.

    Subdomains under a country code would need to be addressed by the countries in question.

  23. A good reason to need public WHOIS info... by waxdaddy · · Score: 3, Insightful

    Need the WHOIS info, and here's why...

    A few months ago, I purchased quite a bit of money in CD's from an Internet site. It's a business, but it's a proprietorship run by one person. I never received the CD's and the guy stopped returning my emails. I had paid him via PayPal, and the ridiculously short PayPal complaint/insurance period had run out, so I couldn't get my funds back.

    The guy has no contact information other than an email on his site. (And don't play me for idiot...This is a big music site and I've successfully purchased there before.)

    So...I wanted to send him to a collection agency. Several warnings to him went unheeded, so I went about trying to track down his personal information.

    And I ended up on netsol. It referred me to GKG.net, another registration company. I went on the WHOIS and the guy had NO information whatsoever. Every field said nothing.

    So I emailed GKG.net and told them that when collection proceedings began, we would be asking them for this guy's info. They emailed me back that it's their policy to have updated and correct information in the WHOIS database. They emailed the guy and gave him 48 hours to provide it, with the threat that his site would be shut down.

    A day later, all of his information was up. I had a name/phone/address. I sent him to a collection agency based on the only place I was somewhat easily able to obtain information.

    Damn good reason to keep WHOIS info open. If people don't want to give out their home addresses, then they should rent a P.O. box for $20/year. If they don't want their names public, then I can only imagine either a) unwarranted paranoia or b) that the person shouldn't have on the web whatever it is that they have on there.

    WHOIS helped, and the guy went to a collection agency.

    -SD

  24. Re:As it should be by HighOrbit · · Score: 2, Insightful

    And so if your server is compromised and becomes a spam-spewer, DDOS zombie, cracker relay, or other public menace, its going to be hard contacting you because of the bogus information and a potentially dormant yahoo account.

    The internet is part of the public sphere. Courts in the USA (and everywhere else AFAIK) have held that when you leave your house and enter the public sphere (or in this case operate a sever connected to the internet), you volunatarily give up some of your privacy.

  25. Missing the point: Stalkers, Child Predators by Anonymous Coward · · Score: 2, Insightful

    Most people here are missing the point of privacy in a personal domain. Lots of people use their own domains for putting up pictures of themselves and their children to share with friends and family. The world is full of sickos who would use the whois information to find out where they live and then proceed to prey on the innocent.

  26. It's my phonebook by Nethead · · Score: 2, Insightful

    I've used whois as a phonebook often as most of the people I know have a domian. Even way back when slashdot was just starting an CmdrTaco was asking around for a free place to host the images I was able to call him becasue his number was on whois. We were able to get slashdot.wolfenet.com up and running and slashdot was able to continue existance and grow to the point where they were giving out 5 digit user numbers.

    I'm strongly in the camp that domain contact information, at least the technical contact, should be public. I've dealt with abuse issues for ISPs too long the think any other way could work. If there is a technical or abuse issue with a domain a network admin needs to be able to contact the person responsible. At least contacts for DNS servers need to be required.

    --
    -- I have a private email server in my basement.
  27. Public Domain by Armbrust84 · · Score: 2, Insightful

    Whatever happened to the public domain? I am for privacy for the most part, but not total anonymity. in certain areas, total anonymity is wonderful, such as on /., but in others, such as in business, one needs to have a name and real info to be legit. The registration of web domains is a business, and should therefore have all the disclosure of identity rules apply.