Slashdot Mirror
Exposing Personal Information in the Whois Database
rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."
...am I going to find phone numbers so I can pick up chicks?
Registrars under their status of registrars are required to HAVE FULL AND PUBLIC CONTACT INFORMATION for anyone who registers. For big biz this ok but for individuals (such as me) it is a big worry.
I certainly getted spamed on the email address I registerd for it.
I'd deem this an issue.
However, how many Heywood Jablowmie's are there in the WHOIS database?
that Google has this information from phone books as well (just google for a phone number or address), and there are many reverse phone books online. I think they should focus on solving identity theft in ways that if someone's info is already available (as it is everywhere) it can't be utilized well.
that, my friends, is why I have a PO Box and why I don't volunteer my real phone number.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
It used to be helpful for looking up abuse information, but that almost always goes ignored nowadays too. Now it's just useful for finding virus writers.
I never vote for anyone. I always vote against.
-- W.C. Fields
While I normally don't like Berman whatsoever, this is a good thing. I have long disliked the practice of putting personally identifiable info in the WHOIS database.
I just hope they don't dumb it down so much where one can't get email addresses for those controlling the domain for reporting purposes.
tinfoilmedia
I get numerous spam from people(?) who have obviously trawled the whois database. Even though there is a strong warning in the whois database against abusing it, how does one report it, or is it just an empty threat?
I've had a domain for 3 years.. Ive gotten 3 pieces of junk mail from it. I was surprised to get it, and thought it more funny than an annoyance.
Here in Denmark, DK Hostmaster A/S is the administrator for the Danish top level domain. You can have your personal contact details hidden from the public WHOIS database - in accordance with Danish Law on protection of personal data, blah blah blah.
I would recommend it!
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
The inventors' home addresses are generally listed which, IMHO, is not something that should be broadcast to the entire world.
Obviously a good solution will weigh the need for contact with the likelihood and degree of abuse of said contact information by others.
I never vote for anyone. I always vote against.
-- W.C. Fields
The UK WHOIS database (run by Nominet UK) has recently considered this too. Now, private individuals who opt-out can have their personal details removed (obviously Nominet still has access to them). I'm not sure that companies are allowed to do this, it's private individuals only.
.NET services as they don't follow EU data laws. To be honest, it's about time the US caught up.
Britain and the EU have always had stronger data protection laws than the rest of the world. This is part of the reason the EU are looking at Microsoft's
I carefully misspelled all the information, plausible deniability baby. Two years and no one the wiser.
T.
Even exposing contact information for a business is questionable. If you're working on penetrating a company, then this is a stop on the highway. But, without that information, then (as one poster stated) the FBI would have to get us the information we need to prosecute spammers or etc.
I don't know what the answer is either; I don't think it's simple either. This may be one (of many) invasions of our privacy we have to deal with. Banks, Mortgage Companies, Credit Cards--these all sell our information to other companies. It's sad, but this is big business, and it makes money. Utilities provide information to Local, State, and Federal Agencies all of the time; and are required to by law.
Our information is not private anymore, and hasn't been for a long time. Everyone has their hand out for it.
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
...But i think contact info should be required to register for a domain, and I think there should be some sort of authentication mechanism.
How else can we hold scammers and spammers accountable if they make it super hard to track them down. The majority of those "online pharmacies" have bogus WHOIS info and probably take good peoples money.
Bogus WHOIS info sucks, plain and simple
I lost my concept of community when my community lost all concept of me.
This a major concern to me. I've spent some time at home writing an application that I'd consider distributing as freeware/shareware. Setting up the paypal/P.O Box number payment system is no problem, but as every application nearly always has a website, registering a domain name introduces some hassle, not least of all, distributing my name/home phone number/address.
From reading previous Slashdot articles, being able to seen the domain name/IP address of owners and customers has been extremely useful in detecting all sorts of shenanigans with hyping up new products.
However, for someone trying to augment their basic salary through shareware software, this is a disadvantage.
With broadband internet via cable/satellite/telco, I have a permanent Internet connection, but the companies respect my right for privacy. Surely the same could be done for domains registered by home residences?
I don't really worry about having my personal information in the whois database. As most other individuals, I'm in the phonebook too, which can be accessed from the web nowadays.
Having registered a few domain names, I receive a lot of spam telling me how to register new domains, renew when the old are about to expire and so on. I'm sure the registars make a lot of money on this, which surely makes them want to continue.
My personal information is also included in the IP whois database. This database contains info on what ISP uses which IP numbers, etc. - see www.arin.net for more info.
The interesting thing is that I have not received a single spam to the specific email address I supplied. So right now, I see it more like an econimic problem than a privacy problem.
---
If you're not living on the edge, you're taking up space in the middle
And even if it weren't, by the time the spammer who harvested your email got a slap on the wrists, your email would be on so many other spam lists you'd never get it off.
You can incorporate for under $500, get a p.o. box and a cheesy voicemail account somewhere. You'll then be prepared to moonlight, which you should be anyway, and you can give out the business info.
Vote Quimby!
I imagine for most people who just want to run a regular website without the hassle of spam/telemarketers, this is the way to go.
I never vote for anyone. I always vote against.
-- W.C. Fields
Late yesterday, privacy activists raised the National Privacy Threat level to Purple, citing the public availability of a "Phone Book" which disclosed personal information for hundreds of thousands of individuals, including full name, home address and home phone number.
(end sarcastic rant)
YAWN! Call me when WHOIS data includes SSN. As it is, this info is already widely available for the vast majority of the population.
--
There's a lot of info here too:
Arin
Ripe Ncc
Apnic
Lacnic
If you are concerned about privacy, use a registrar who will anonymize your info in the whois database.
2 B& from%5Fapp=&authGuid=&mscssid=2435121
Is $9 worth it? It's your call. Check this out.
https://registrar.godaddy.com/dbp.asp?isc=&se=%
I use Domains by Proxy so my info isn't displayed in a WHOIS; theirs is in it's place. They keep all my info private and serve as a 'proxy' between me and anyone needed to contact me. They'll email if they need me to do something in regards to my domains, it's so nice not having all of my personal details out there. I buy my domains from GoDaddy, and they've partnered with Domains by Proxy and offer it as an option when you're buying domains, that's how I found out about it, but everyone should check it out.
CB
free ipod and free gmail!
How is it a big worry?
For some of us, it used to be that the real contact information (at least email address) was needed since Internic did all of its renewals and changes via that email address.
Of course, I could go and change it, but the point is, there are many valid contacts in that database for spammers to use.
Is it a big worry? Nah, probably not, but it is a concern.
Sorry, I don't buy it.
A domain name is a publicly accessible object, and a responsibility. As a society, we expect that for certain activities, people be publicly registered (running a company is an obvious example) - reasonable privacy is a right, but anonymity - which is what we are really talking about here - is not.
I can only think of a very small minority of legitimate Internet activities that both require a domain name and for which privacy is likely to be a concern; in those cases there are plenty of registration agents who will act as a proxy for registration and take on the responsibilities associated with being the owner of a domain.
This is also a practical problem, in terms of making it hard to contact domain owners.
I have several domains and I use a separate email address for my whois records (separate from my home and business addresses). But I don't monitor emails to that address because it has become completely filled with spam. I just delete all mail to that address.
But that, of course, means that any legitimate attempts to contact the domain owner are lost as well. I could try and filter it (either manually or with software) but the ratio of legitimate email to spam on domain registry emails is thousands to one, so it's really not worth my time.
So, aside from any privacy concerns, the public availability of email addresses on whois records in effect renders them useless as contact information.
How can you prove that you own the domain (if needed) if the contact information is invalid?
What would you do if your registrar goes bust?
All of this information doesn't need to be exposed in the WHOIS database though.
I should have been more specific. I didn't register it with Register.com. Thanks for the useful comment.
-----
Web Hosting @ HostForADollar.com
1. If its such a problem, how come spammers always manged to hide?
2. In Denmark for instance, you can specify you wanted an "unlisted" address, and the whois server doesn't release your information.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I built a site for a city commission candidate a couple of years ago, and the info on the domain registration was mine - I built the site for free, as a form of campaign contribution. An unwanted side effect of this was late night phone calls to my home number from the supporters of the opposition questioning items posted on the site. I guess next time 'Sudy Nim' will be registering for a domain ...
(And don't tell me that his bank information would have been enough to get his contact information. The Sparkasse would never have given it to me. And no I don't buy things through e-bay any more.)
... it is required by law that anyone who publishes even a single web page on the Web (in Germany) enclose an "Impressum", an imprint that notifies visitors whom to contact or hold accountable for the content. I wish this would also be implemented for Whois as a security measure or a basis for trust.
Anyone who still wants to publish anonymously could still do it abroad, of course, as there will always be registrars who and nations that don't care about trust.
I mention trust here, because I can trust a company's products (i.e. a shop selling goods) if I know where I can go, or what number I can call: currently too many (some) web shops (at least locally) do not even mention a telephone number I can call to have an order confirmed or more product information detailed. The same holds for web sites that provide information: if the e-mail address is left out, how can I get any confirmation, more detailed information, conversation or feedback going?
JeR
I'm sorry, but you have *NO* right to an anonymous domain, nor should you because the opportunity for fraud on the internet is too high. Having everything out front at least keeps a modicum of openness and honesty (although admittadly not a lot).Besides, if I remember properly, you can update the e-mail address to be admin@your-new-domain if you don't want spam going to your personal email.
If you want relative anonymity, get a hotmail or yahoo account.
You could always use GoDaddy for domain registrations, which gives you the option of keeping registration info private. Not to mention their prices are a hell of a lot better than going through Verisign.
Trolls lurk everywhere. Mod them down.
One is using Dotster. They obfuscate your email address, so you won't be spammed so easily, but they can still contact you. A friend of mine nearly lost his domain because he used a fake email address with Network Solutions and he never got the "your domain is expiring" email.
The other is a finding a trustworthy ISP/hosting provider who will manage your domain for you. I've been using HostSector and it's worked well, plus it's less expensive than buying the domain outright. I'd have to jump through some hoops to purchase the domain from them, but I can do it, and I believe their contract specifies that I can purchase it at any time.
Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
I don't agree with the author's conclusions. Any person registering a domain name in .com is explicitly saying that they are a commercial organization, hence there should be no expectation of personal privacy. The solution is to set up another TLD explicity for individuals, since .org, .net and so on are not really appropriate either. It is necessary for all .com registrations to have valid and public registration info available, without this the level of fraud would be even worse than it is today. I have no sympathy for anyone who registers a .com domain name, and is not actually representing a business.
Of the 6 major reverse phone number / online phone books, about 4 of them are co-operative about removing info. The other 2 take weeks / months / years to remove an entry, if they bother to do it at all.
For example, I tried to correct a bad entry for my mother-in-law for all 6 of the biggest ones starting 2 months ago. She moved, and went to an unlisted number in another state. I sent multiple e-mails to the ones who have YET to delete this bogus entry, based upon her husband's name (He died 30 years ago).
The biggest and worst offender? Yahoo. I also had trouble with correcting bogus information from the one of the credit services they own part of. They had "tagged" my home address as a business address. Apparently, I got some trade journels at home during that period and that meant that it was a business address. Therefore, I finally had to take it to a federal complaint to get them to change that "tagged" entry so that I could get report, so I could work on the other problems.
What started it? My Dad spent 5 months living with us while building his new house. They changed the entry for my home to my Dad and my wife's name.
So, the moral? None of the information tracked by so-called organizations working for us is worth anything, and in fact may come back to hurt you.
I also used to get calls for someone else with my name, but for the wrong area code. I guess he was a deadbeat and lived 30-40 miles away. When they split the area code, all his banks would look him up on the internet to find him and call me. Another reason I went to an unlisted number.
While they have some valid points, often its taken way too far. So I'll add more fuel to this:
Go check out ARIN. If you have a static IP address+competent (read not RFC-ignorant) ISP, your SWIP record contain your personal information too. That's how it's supposed to work.
That's right, the whole Internet is out to identify you.
Do not fold, spindle or mutilate.
I had a friend who worked in network operations for @home, back when it actually was making money. In their whois record they had the direct line to network operations which made a fair amount of sence as domain related issues should be directed to network operations. Problem is the fact that he always got calls from jarheads of report every ping detected as a hacker attack sort, but not nessicarly even from their domain.
It really is a double edged sword, on the one hand a good reason to have this contact information there in the first place is in the event something needs to be reported like virus/worm infection, system down, open proxy, that sorta thing. On the other hand, there are those who don't respect the fact that info is there for a good reason and it's not for trivial issues or spam.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
I see many posts with support for removing the personal information. I have seven or so domain names registered under my name with my real email address and information, even though it's my second email account to which I expect SPAM. Trust me, I do get spam to that email inbox due to the whois database.
However, I work for a company where it is sometimes necessary to track down owners of domains and report them to the appropriate authorities. Even though a lot of people fake the information, the whois database has come in handy more often than not.
Another good thing, for myself atleast, is that I have gotten offers on some domain names I used to own. I am guessing they got the email address from the whois database, as I hadn't used the domain in question at all. I managed to sell it for quite a bit more than I bought it (it was a four digit sum, but still way more than I paid for it).
I am slightly split on this issue. I don't want my personal information in there (and faking is not an option for me, I want to stick to the rules), but I want to see other peoples information. Guess there is a tradeoff somewhere along the line.
Anyways, just wanted to point out that the WHOIS database can be extremly useful and/or helpful sometimes.
Basically Nominet has types of registrations, one of which is IND (for INDIVIDUAL).
Individuals can opt-out of having their whois information displayed in a whois query by asking their registrar to opt them out (a couple of minute administrative task).
This appears to me to be a simple and logical answer to the entire problem.
Right now, there are thousands of spamming scum who post bogus information in their domain registration in order to foil the wrath of spamfighters.
Ok, maybe Im drunk, maybe im surfing the web naked from my bedroom, maybe i'm a nerd with a attorney, but, i like the fact that you need a contact address to regigister a domain name, hell, if every registrar did verify each adress ,maybee we wouldnt have such a problem with spam. i mean, if your going to provide a public webisite (any website) you should be at least somewhat acountable. I know this will get me moded down, but I do believe some things should not be anonymouse. Yeah, the net uesed to have diffrent ideals, and used mean anonymouse access for all, but, i beleave for the security of the whole net those days should be over. Ok, i dont like this idea, but im tired of spam and hackers, and well, it could go either way, make the internet completly anonymouse (unless yhou opt in) or, make it completly nonoumouse... hum, yeah il get moded down for these views, its ok.
::i visited slashdot and all i got was this lousy sig::
If we used DNS domains like they were designed to be used, this could be an easy-to-correct problem.
.com must clearly be a commercial entity with no problem in giving out their business address, contact number, etc.
.net is a service provider, and should have all sufficient information to contact that provider for connectivity or abuse issues.
.org is a non-profit organization, and should post any contact information that they'd otherwise be required to post as part of their charter.
.com, they need to expect to be treated like a commercial entity.
Any entity registering in
Any entity registering in
Any entity registering in
We have a '.name' now (which personally I think should have been '.nom'), for personal users. I think it's perfectly reasonable to expect that individuals will not want to put any contact information there. I also think it's perfectly reasonable for an ISP's contact information to be exposed in its place, though.
Basically, just apply privacy requirements to the intent of the domain name. If regular Joes want to register a
Subdomains under a country code would need to be addressed by the countries in question.
Just type a US phone number into Google and up comes the name and street address, just like in that local copy of the White Pages. So they might as well be global.
Need the WHOIS info, and here's why...
A few months ago, I purchased quite a bit of money in CD's from an Internet site. It's a business, but it's a proprietorship run by one person. I never received the CD's and the guy stopped returning my emails. I had paid him via PayPal, and the ridiculously short PayPal complaint/insurance period had run out, so I couldn't get my funds back.
The guy has no contact information other than an email on his site. (And don't play me for idiot...This is a big music site and I've successfully purchased there before.)
So...I wanted to send him to a collection agency. Several warnings to him went unheeded, so I went about trying to track down his personal information.
And I ended up on netsol. It referred me to GKG.net, another registration company. I went on the WHOIS and the guy had NO information whatsoever. Every field said nothing.
So I emailed GKG.net and told them that when collection proceedings began, we would be asking them for this guy's info. They emailed me back that it's their policy to have updated and correct information in the WHOIS database. They emailed the guy and gave him 48 hours to provide it, with the threat that his site would be shut down.
A day later, all of his information was up. I had a name/phone/address. I sent him to a collection agency based on the only place I was somewhat easily able to obtain information.
Damn good reason to keep WHOIS info open. If people don't want to give out their home addresses, then they should rent a P.O. box for $20/year. If they don't want their names public, then I can only imagine either a) unwarranted paranoia or b) that the person shouldn't have on the web whatever it is that they have on there.
WHOIS helped, and the guy went to a collection agency.
-SD
Most people here are missing the point of privacy in a personal domain. Lots of people use their own domains for putting up pictures of themselves and their children to share with friends and family. The world is full of sickos who would use the whois information to find out where they live and then proceed to prey on the innocent.
I've used whois as a phonebook often as most of the people I know have a domian. Even way back when slashdot was just starting an CmdrTaco was asking around for a free place to host the images I was able to call him becasue his number was on whois. We were able to get slashdot.wolfenet.com up and running and slashdot was able to continue existance and grow to the point where they were giving out 5 digit user numbers.
I'm strongly in the camp that domain contact information, at least the technical contact, should be public. I've dealt with abuse issues for ISPs too long the think any other way could work. If there is a technical or abuse issue with a domain a network admin needs to be able to contact the person responsible. At least contacts for DNS servers need to be required.
-- I have a private email server in my basement.
From RFC 2050:
-- I have a private email server in my basement.
Whatever happened to the public domain? I am for privacy for the most part, but not total anonymity. in certain areas, total anonymity is wonderful, such as on /., but in others, such as in business, one needs to have a name and real info to be legit. The registration of web domains is a business, and should therefore have all the disclosure of identity rules apply.