Slashdot Mirror


Exposing Personal Information in the Whois Database

rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points out that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."

33 of 323 comments

  1. amen by Neophytus · · Score: 5, Insightful

    Registrars under their status of registrars are required to HAVE FULL AND PUBLIC CONTACT INFORMATION for anyone who registers. For big biz this is ok but for individuals (such as me) it is a big worry.

    1. Re:amen by orangesquid · · Score: 5, Insightful

      And when the owner of a domain is running an open relay, or has a glaringly obvious security problem, or has a problem with their site (and webmaster@ bounces), the courteous thing to do, e-mailing them to inform them of the problem, can no longer be done if there is no e-mail address available.

      Or, sometimes you get people who register domains through some co-hosting service and then launch attacks against your box/network through the service. Usually, the e-mail for the domain registration will be someone in charge who can give the asshole due justice.

      It is not a frequent thing when I must resort to WHOIS to contact a site owner, but sometimes it happens and it's fairly important.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    2. Re:amen by afniv · · Score: 4, Insightful

      Well, why can't the WHOIS owner provide a method of writing a non-HTML message, limited to say 400 characters, and e-mailing the message to the non-public e-mail address on record for the desired domain name owner? Forum software does this.... Do I really need to be contacted by phone or snail mail by the general population regarding my domain name? I've only been contacted by the registrar to renew.

      --
      ~afniv
      "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
      Richard von Weizs
    3. Re:amen by drakaan · · Score: 4, Insightful
      The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information, if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information?

      False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.

      Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    4. Re:amen by crazyphilman · · Score: 4, Insightful

      The point you're missing is, all they need is CONTACT info. Contact info is email address and maybe phone number. There is no reason whatsoever for them to have your home address publicly displayed. In fact, it is very dangerous and sooner or later there will be some kind of tragedy and/or lawsuit, and this whole situation will come to a head.

      All it'll take is some blowhard out on the net (and you know from being on Slashdot that there are plenty of them) to get pissed off at something someone posts on their web page. It might not even be anything really bad, people get pissed off over the stupidest things. Joe Blowhard decides to look up Jane Somebody's home address on whois, then goes over to her house and kills her. Or kicks her ass. Or rapes her. Or robs her. But you get the idea.

      Currently, the anonymity you have on the web is the only thing protecting you from all the crazies out there. Put your address on a website, and you take your chances. Not wanting to risk possible red death should NOT ban you from having a website, and that's what this is really all about.

      Identity theft is one thing. Getting your ass beaten by some lunatic who didn't like your website (maybe he thinks you're not religious enough, maybe he doesn't like your politics, whatever) is quite another.

      --
      Farewell! It's been a fine buncha years!
  2. Spammer source by alecbrown · · Score: 4, Interesting

    I certainly got spammed on the email address I registered for it.

  3. let's not forget... by I+Want+GNU! · · Score: 4, Insightful

    that Google has this information from phone books as well (just google for a phone number or address), and there are many reverse phone books online. I think they should focus on solving identity theft in ways that if someone's info is already available (as it is everywhere) it can't be utilized well.

    1. Re:let's not forget... by mblase · · Score: 5, Insightful

      Yes, but Google also gives you the option to remove your information from their searchable database -- there's a link right next to your results if you do a search for your own information. So do most other reverse-phone-lookup sites.

      Whois gives you no such option, and would probably actively resist if you even asked.

  4. A long time coming. by Tinfoil · · Score: 4, Interesting

    While I normally don't like Berman whatsoever, this is a good thing. I have long disliked the practice of putting personally identifiable info in the WHOIS database.

    I just hope they don't dumb it down so much where one can't get email addresses for those controlling the domain for reporting purposes.

  5. Re:How else... by march · · Score: 5, Funny

    If you are looking for chicks in the whois database, it's no wonder you haven't had a date in a while....

  6. Reporting WHOIS abuse? by Anonymous Coward · · Score: 5, Interesting

    I get numerous spam from people(?) who have obviously trawled the whois database. Even though there is a strong warning in the whois database against abusing it, how does one report it, or is it just an empty threat?

    1. Re:Reporting WHOIS abuse? by Future+Man+3000 · · Score: 5, Insightful
      Proving that a spammer took source addresses from WHOIS would be problematic. Taking a spammer to court over it wouldn't be cost-effective for the maintainers of any WHOIS server. Spammers have already shown themselves as a group to not be overly concerned about warnings, standards, or laws.

      It's an empty threat.

      --

      I never vote for anyone. I always vote against.
      -- W.C. Fields

  7. Here in Denmark ... by zonix · · Score: 4, Informative

    Here in Denmark, DK Hostmaster A/S is the administrator for the Danish top level domain. You can have your personal contact details hidden from the public WHOIS database - in accordance with Danish Law on protection of personal data, blah blah blah.

    I would recommend it!

    z
    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
  8. UK WhoIS by ledow · · Score: 5, Informative

    The UK WHOIS database (run by Nominet UK) has recently considered this too. Now, private individuals who opt-out can have their personal details removed (obviously Nominet still has access to them). I'm not sure that companies are allowed to do this, it's private individuals only.

    Britain and the EU have always had stronger data protection laws than the rest of the world. This is part of the reason the EU are looking at Microsoft's .NET services as they don't follow EU data laws. To be honest, it's about time the US caught up.

    1. Re:UK WhoIS by farnz · · Score: 4, Insightful
      I know that American bashing is fun for us Europeans, but it's not so much about catching up, as about taking a different view.

      We have always taken the view that private individuals have a right to secrecy, and that those individuals should make an effort if they want some data published. The USA has taken the opposite stance; people have a right to reveal information, while keeping it secret should take effort.

      In an age where data processing is always manual, the USA had it right; stopping gossip is hard, and there's lots of work involved in revealing information. Further, the more you wish to reveal about someone, the more work you have to perform. Automated data processing has pushed the cost of this work down to the point where it is easy to reveal lots of potentially harmful information in one go.

      Basically, it's wrong to look at the Americans as catching up on this one; they took a fundamentally opposed view to us, and it's still not clear who's got the better system (although I prefer the European one).

  9. Exposing Data on the Whois database by knghtrider · · Score: 5, Interesting

    Even exposing contact information for a business is questionable. If you're working on penetrating a company, then this is a stop on the highway. But, without that information, then (as one poster stated) the FBI would have to get us the information we need to prosecute spammers or etc.

    I don't know what the answer is either; I don't think it's simple either. This may be one (of many) invasions of our privacy we have to deal with. Banks, Mortgage Companies, Credit Cards--these all sell our information to other companies. It's sad, but this is big business, and it makes money. Utilities provide information to Local, State, and Federal Agencies all of the time; and are required to by law.

    Our information is not private anymore, and hasn't been for a long time. Everyone has their hand out for it.

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  10. Obstacle to distributing a shareware application by SmackCrackandPot · · Score: 4, Interesting

    This is a major concern to me. I've spent some time at home writing an application that I'd consider distributing as freeware/shareware. Setting up the paypal/P.O. Box number payment system is no problem, but as every application nearly always has a website, registering a domain name introduces some hassle, not least of all, distributing my name/home phone number/address.

    From reading previous Slashdot articles, being able to see the domain name/IP address of owners and customers has been extremely useful in detecting all sorts of shenanigans with hyping up new products.

    However, for someone trying to augment their basic salary through shareware software, this is a disadvantage.

    With broadband internet via cable/satellite/telco, I have a permanent Internet connection, but the companies respect my right for privacy. Surely the same could be done for domains registered by home residences?

  11. More of an economic problem than privacy problem by snowtigger · · Score: 4, Interesting

    I don't really worry about having my personal information in the whois database. As most other individuals, I'm in the phonebook too, which can be accessed from the web nowadays.

    Having registered a few domain names, I receive a lot of spam telling me how to register new domains, renew when the old are about to expire and so on. I'm sure the registrars make a lot of money on this, which surely makes them want to continue.

    My personal information is also included in the IP whois database. This database contains info on what ISP uses which IP numbers, etc. - see www.arin.net for more info.

    The interesting thing is that I have not received a single spam to the specific email address I supplied. So right now, I see it more like an economic problem than a privacy problem.
    ---
    If you're not living on the edge, you're taking up space in the middle

  12. Re:If there were strong checking by AKnightCowboy · · Score: 5, Interesting
    Any domain setups that I've done allows you free reign to type in anything you like. I think most people don't realize that

    Or they do and realize an enemy could use that to his advantage to snatch away your domain. Providing false information is reason to lose your domain... or at least used to be in the carefree days when .edu domains were actually educational institutions, .com were businesses, .org were non-profit orgs and individuals, and .net were ISPs. *sigh* The good old days 10 years ago.

  13. And in other news, by JUSTONEMORELATTE · · Score: 4, Insightful

    Late yesterday, privacy activists raised the National Privacy Threat level to Purple, citing the public availability of a "Phone Book" which disclosed personal information for hundreds of thousands of individuals, including full name, home address and home phone number.

    (end sarcastic rant)
    YAWN! Call me when WHOIS data includes SSN. As it is, this info is already widely available for the vast majority of the population.

    --

  14. Re:Call me big brother... by Future+Man+3000 · · Score: 4, Insightful

    Something like this, where contact information is available if you violate best Internet practices (such as by spamming) and people can get in touch with you if they need to let you know that your server has been taken over by a Russian junior high student, but if you are a good netizen you can get by without being hassled.

    --

    I never vote for anyone. I always vote against.
    -- W.C. Fields

  15. Domains by Proxy -solves the problem by Chuck+Bucket · · Score: 4, Informative

    I use Domains by Proxy so my info isn't displayed in a WHOIS; theirs is in its place. They keep all my info private and serve as a 'proxy' between me and anyone needing to contact me. They'll email if they need me to do something in regards to my domains, it's so nice not having all of my personal details out there. I buy my domains from GoDaddy, and they've partnered with Domains by Proxy and offer it as an option when you're buying domains, that's how I found out about it, but everyone should check it out.

    CB

  16. Practical Contact Problem by billtom · · Score: 4, Insightful

    This is also a practical problem, in terms of making it hard to contact domain owners.

    I have several domains and I use a separate email address for my whois records (separate from my home and business addresses). But I don't monitor emails to that address because it has become completely filled with spam. I just delete all mail to that address.

    But that, of course, means that any legitimate attempts to contact the domain owner are lost as well. I could try and filter it (either manually or with software) but the ratio of legitimate email to spam on domain registry emails is thousands to one, so it's really not worth my time.

    So, aside from any privacy concerns, the public availability of email addresses on whois records in effect renders them useless as contact information.

  17. Re:How else... by The+Old+Burke · · Score: 4, Funny
    The Internet is a new thing for you, huh?

    Everybody knows that WHOIS lists plenty of chicks.

    --
    Proud patriot and republican voter.
  18. In the mean time, in Germany... by yourruinreverse · · Score: 5, Informative

    ... it is required by law that anyone who publishes even a single web page on the Web (in Germany) enclose an "Impressum", an imprint that notifies visitors whom to contact or hold accountable for the content. I wish this would also be implemented for Whois as a security measure or a basis for trust.

    Anyone who still wants to publish anonymously could still do it abroad, of course, as there will always be registrars who and nations that don't care about trust.

    I mention trust here, because I can trust a company's products (i.e. a shop selling goods) if I know where I can go, or what number I can call: currently too many (some) web shops (at least locally) do not even mention a telephone number I can call to have an order confirmed or more product information detailed. The same holds for web sites that provide information: if the e-mail address is left out, how can I get any confirmation, more detailed information, conversation or feedback going?

    --
    JeR
  19. As it should be by HighOrbit · · Score: 5, Informative

    I'm sorry, but you have *NO* right to an anonymous domain, nor should you because the opportunity for fraud on the internet is too high. Having everything out front at least keeps a modicum of openness and honesty (although admittedly not a lot). Besides, if I remember properly, you can update the e-mail address to be admin@your-new-domain if you don't want spam going to your personal email.

    If you want relative anonymity, get a hotmail or yahoo account.

    1. Re:As it should be by DroopyStonx · · Score: 4, Interesting

      Not sure what you're talking about. *I* have the right to a private domain as does anyone else.

      I don't use it for business purposes, which would be a different story. It's my own personal site on my server on my T1. I have every right to hide my private information!

      I've had fake information (invalid address, phone, name, etc) and a yahoo account as my email for the past 3 years.

      "How can someone contact you then," you ask? Well, that's the point. No one needs to contact me. They can do so via my yahoo account.

      Maybe I'm missing something, but I don't see a single thing wrong w/ that.

      --
      We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
  20. A Few Solutions by bmj · · Score: 4, Interesting

    One is using Dotster. They obfuscate your email address, so you won't be spammed so easily, but they can still contact you. A friend of mine nearly lost his domain because he used a fake email address with Network Solutions and he never got the "your domain is expiring" email.

    The other is finding a trustworthy ISP/hosting provider who will manage your domain for you. I've been using HostSector and it's worked well, plus it's less expensive than buying the domain outright. I'd have to jump through some hoops to purchase the domain from them, but I can do it, and I believe their contract specifies that I can purchase it at any time.

    --
    Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
  21. Set up TLD for individuals by flakac · · Score: 5, Insightful

    I don't agree with the author's conclusions. Any person registering a domain name in .com is explicitly saying that they are a commercial organization, hence there should be no expectation of personal privacy. The solution is to set up another TLD explicitly for individuals, since .org, .net and so on are not really appropriate either. It is necessary for all .com registrations to have valid and public registration info available, without this the level of fraud would be even worse than it is today. I have no sympathy for anyone who registers a .com domain name, and is not actually representing a business.

  22. Can be useful... by muffen · · Score: 4, Insightful

    I see many posts with support for removing the personal information. I have seven or so domain names registered under my name with my real email address and information, even though it's my second email account to which I expect SPAM. Trust me, I do get spam to that email inbox due to the whois database.

    However, I work for a company where it is sometimes necessary to track down owners of domains and report them to the appropriate authorities. Even though a lot of people fake the information, the whois database has come in handy more often than not.

    Another good thing, for myself at least, is that I have gotten offers on some domain names I used to own. I am guessing they got the email address from the whois database, as I hadn't used the domain in question at all. I managed to sell it for quite a bit more than I bought it (it was a four digit sum, but still way more than I paid for it).

    I am slightly split on this issue. I don't want my personal information in there (and faking is not an option for me, I want to stick to the rules), but I want to see other people's information. Guess there is a tradeoff somewhere along the line.

    Anyways, just wanted to point out that the WHOIS database can be extremely useful and/or helpful sometimes.

  23. UK Solution by hattig · · Score: 4, Interesting

    Basically Nominet has types of registrations, one of which is IND (for INDIVIDUAL).

    Individuals can opt-out of having their whois information displayed in a whois query by asking their registrar to opt them out (a couple of minute administrative task).

    This appears to me to be a simple and logical answer to the entire problem.

  24. Bullshit. by Pig+Hogger · · Score: 4, Interesting
    Whenever you have an internet presence through a domain, you have a public presence. And there is no reason why there should be no traceability towards your domain.

    Right now, there are thousands of spamming scum who post bogus information in their domain registration in order to foil the wrath of spamfighters.

  25. Re:How else... by gmack · · Score: 4, Insightful

    Uhh, no, changing this would cause problems for those who actually USE this information.

    There is nothing to say you need to put clues to your gender into the domain info. Put in a fake name if you want.. use your work email address.. use a PO BOX and a pager as long as you can be contacted without too much trouble it's all good.

    Anyone who thinks this info needs to be removed from the public needs to have their head examined.