Congress Eyes Whois Crackdown
Decius6i5 writes "The Washington Post is reporting on a Congressional hearing in which it was proposed that putting false or misleading information in your DNS whois record should be a federal crime. Texas Representative Lamar Smith is quoted as saying 'The Government must play a greater role in punishing those who conceal their identities online.' The article claims 'Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries that much of their material is made available for free on Web sites whose owners are impossible to track down because their domain name registrations often contain made-up names.' It's funny, I don't recall the RIAA having any trouble tracking down P2P users whose IP addresses didn't have any DNS names associated with them at all. This isn't the first time the issue has been raised in Congress but apparently Congress hasn't gotten any more clued after several hearings."
Wow. Either the spammers get my info from the Whois database or the RIAA can't track down some pirates.
Which do I choose?
Arrr....
The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information; if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information?
False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody; if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.
Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.
CMDRTACO CHECK YOUR EMAIL!
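The contact escalation order described in the comment above (SOA contact, then role mailboxes, then WHOIS), as an added example that is not part of the original thread. It decodes the SOA RNAME field into a mailbox, including the escaped-dot case; the `example.com` names and the WHOIS record are constructed sample data, and the function names are hypothetical.

```python
import re

# Role mailboxes in the order the comment lists them (abuse, admin, ...).
ROLE_MAILBOXES = ("abuse", "admin", "webmaster", "postmaster")

# Constructed WHOIS-style record; real registrar output varies in layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Name: Constructed Sample
Admin Email: admin@example.com
Tech Email: noc@example.com
"""


def rname_to_email(rname):
    """Decode an SOA RNAME: the first unescaped dot becomes '@'.

    A backslash-escaped dot is a literal dot in the local part.
    """
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # keep the escaped character as-is
            i += 2
        elif ch == ".":
            break  # first unescaped dot: local part ends here
        else:
            local.append(ch)
            i += 1
    else:
        raise ValueError("RNAME has no domain part")
    domain = name[i + 1:]
    if not local or not domain:
        raise ValueError("RNAME is missing a local part or domain")
    return "".join(local) + "@" + domain


def whois_emails(record):
    """Return addresses from 'key: value' lines whose key mentions email."""
    found = []
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and "email" in key.lower():
            found.extend(re.findall(r"[^\s@<>]+@[^\s@<>]+", value))
    return found


def contact_chain(domain, soa_rname, whois_record):
    """Ordered, de-duplicated (source, address) pairs to try in turn."""
    chain, seen = [], set()

    def add(source, address):
        address = address.lower()
        if address not in seen:
            seen.add(address)
            chain.append((source, address))

    try:
        add("soa", rname_to_email(soa_rname))
    except ValueError:
        pass  # malformed RNAME: fall through to the role mailboxes
    for role in ROLE_MAILBOXES:
        add("role", f"{role}@{domain}")
    for address in whois_emails(whois_record):
        add("whois", address)
    return chain


if __name__ == "__main__":
    for source, address in contact_chain(
            "example.com", "hostmaster.example.com.", SAMPLE_WHOIS):
        print(f"{source:5} {address}")
```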
You know, we're moving towards a world in which computer users and computers themselves are licensed, much as drivers and their cars are licensed.
Is that a good or bad thing? It has its drawbacks, but on the whole I would say good. Fewer viruses, less spam, a modicum of sense from lusers. Less anonymity, yes, but there are always tradeoffs.
Toronto-area transit rider? Rate your ride.
I run a small, non-profit politically based website with a chatboard. Many people have come on the chatboard and threatened me with physical harm and worse because of my views.
And now they want me to put my real home phone number and real home address in the DNS records?
WHAT A BUNCH OF SHIT
They don't have to spend a whole lot of time tracking down the false WHOIS record holders.
Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.
A fully validated WHOIS database would make it trivial to enforce punishment against people who use spammers to promote the websites and scams on said websites registered to them.
---
When 'whois'ing your domain it gives the company's email, which gets forwarded to you (after a spam filter if you like). Same with any 'real mail' (except for junk mail if you wish).
Well worth the nominal cost (3 bucks, IIRC) at registration time.
Selling child pornography on the internet (or off it) is a federal crime, but the FBI won't even take a report on ads for it.
Selling prescription drugs without verifying a valid prescription on the internet (or off it) is a federal crime, but the FBI won't even take a report.
Using a stolen credit card number on the internet (or off it) is a federal crime, but the FBI won't even take a report, even if you have a name and address for the perp.
Who cares if Congress enacts more federal laws that the FBI won't even take a report on?
I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.
That's exactly what I did... and had exactly the result you described. Hundreds of spam messages a week to an address used only for domain registrations.
However, I seem to have found a solution. A poster in the hallowed halls of Slashdot was trying to determine the level of email harvesting, but wasn't getting any bites. But the word "spam" was in his email address... so I tried a new domain registration email address that also has "spam" in it.
Results after about a month: no spam to the "domspam@..." address. I don't know if perhaps they're sending mail to "dom@...", 'cause I'm not monitoring it. But the only messages I've received at "domspam" are valid messages from the registrars.
Of course, I haven't bothered to update my snail mail address since I moved. I hope the folks who bought our house are enjoying the offers for low-cost hosting and convenient "renewals". I guess I'll have to add that to my growing dossier of criminal activities...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I'm so sick of our government coming through like a steamroller driven by a pack of drunken angry midgets.
Lord knows, I might wind up in a Federal Buttslammer for having my fax number listed as 999.999.9999 in my whois db entry... of course that would be taking it to the extreme, but after the DMCA and the US govt's persistent display of ignorance and money grabbing from lobbyists, I have come only to expect the worst.
And the irony here is that a country that calls itself the land of the free seems to want to put anyone and everyone into its butt-parlours for just about anything it can think up.
My rant aside, isn't there a better contribution our government could make for the sake of the internet?
Like education, so the next generation of lawmakers might actually have a shred of a clue?
Or an international council like the UN in which an open forum could be made that is a bit beyond the corporate lobbyists, if not banned from talking to corporate representatives entirely?
I agree with the concept of jerking the registration if the information is false, misleading, or utterly out of date (cannot be found). Add a waiting period before anyone else can register it (so someone can step forward and claim their error), and allow for private registration that can be accessed with a warrant, and I think it would be a pretty good idea.
Any other ideas?
Yes, of course, because law enforcement NEVER abuses its power to detain citizens. No innocent person could possibly be charged, held, jailed or put to death for a crime they didn't commit. And before anyone says you'd never be put to death because of domain information, realize that treason is a capital offense.
_/\ - Sturgeon's Law: 90% of everything is crud.
It seems like the government, more and more now, is treating anyone who wishes to remain anonymous, or who does things anonymously, as a criminal. Granted there is nothing in our bill of rights or constitution that protects our right to anonymity, but there should be.
There are plenty of legitimate reasons why one would wish to remain anonymous. Not to mention the fact that the US government should have no control over the internet which in essence represents the international community. Just because anonymity can be inconvenient for law enforcement doesn't mean it must be made illegal.
Ski masks, pantyhose, and latex gloves are still available for sale in the US. All these are ideal tools for concealing your identity in real life. Wearing them in real life is not illegal either. It is, however, illegal to commit a crime while employing these tools, although no more so than if one does not employ them.
-3Suns
~~~~
The Revolution will be Slashdotted
The current cost of a domain name is about $10. You can't get any type of address verification/authentication lookup from a reliable database for less than $20. If you want the result to be at all reliable it would cost at least $100 and most likely $200 - sound familiar? That's what SSL certs cost.
The rule for domain names is quite simple, you use a false address, someone complains, you are likely to never get notice of the complaint, you lose the domain. Or you use a false address, you never get the renewal notice, you lose the domain. You have no idea how many IETF privacy nuts complained about not getting their renewal notices after typing in bogus address data, well DUUHHH!!
The only reason that WHOIS data is public in the first place is that when ICANN was being set up the competing registrars insisted that the rules should allow them to see Network Solutions' customer list so they could spam them with transfer offers. The other registrars then did what everyone else has done since, they created nominees to hide the true identities of the holder.
WHOIS would be best shut down. The spammers are never going to give valid data anyway. Instead use the reverse DNS to advertise a contact address to go to when you have a problem with info coming from an IP record. Nice thing here is that in many cases the delegation of reverse DNS reaches exactly to the level you would want to pick up a phone to talk to someone about a hacker coming from their net.
Of course you would need to authenticate any use of that data, telephone numbers would only be given out on a need to know basis etc. But we could do a lot better than whois. I have never traced a hacker successfully using whois data.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Not having any Whois information? I remember a domain name that I wanted to register at one that had already been taken, and when I checked whois to see who had registered it, there was nothing there. Is that going to be illegal, or just having false information? If it's only illegal to falsify info, what's the point; and if no info is also illegal, then this is way too invasive.
Join moola.com, play games to earn money.
A realistic solution to it is to allow people to falsify WHOIS records, but require the registries to maintain records of accurate contact information to be provided in the event of a (legitimately issued) subpoena or an investigation by law enforcement, provided they have a warrant for the information.
You mean like this? The whois record for my domain does not list my info.
Yoda of Borg am I! Assimilated shall you be! Futile resistance is, hmm?
Bye Bye Karma but ...
... probably :-)
So registering incorrect DNS data becomes illegal in the US.
Does that mean a US citizen/company will be unable to register DNS entries outside the US coz then they could register incorrect data which'd be illegal under the proposed law?
Does anyone care?
Will I get modded troll
Worst
Especially with some VERY good Overseas Registrars. (12 Euros a year, with great services, tech support, etc. In Paris, France). We have to get it into the politicians' heads that it's not DARPANet, and it really shouldn't be under Congressional control or oversight.
Lamar Smith is also co-sponsor of the "Clean Airwaves Act" (HR 3687) that wants to eliminate the Safe-Haven distinction. You won't be able to use dirty words at all on the public airwaves, 24 hours a day, if Smith gets his way. Off topic, I know, but of general interest perhaps. http://lamarsmith.house.gov/news.asp?FormMode=Detail&ID=344
When you read the terms and conditions when you register, you are required to put in valid whois information. The problem is many registrars do not enforce it. Then when people complain, the registrar may do something about it in 6 months, and then update it with invalid information. ICANN investigated some reports who network solutions, but failed to do anything. One address from their investigation, 123 Yellow Brick Road, Oz, Kansas, is still there.
Fight Spammers!
Actually this is not the case with the domain register I have dealt with so far. Both with Godaddy and Register.com I have given a separate email and mailing address that goes directly to them when signing up for the domain. The InterNIC Admin, Technical and Zone contact information are set to fake mail and phone numbers. The email address I use is real but not actively used, I also change it every once in a while to help keep down the spam hitting my servers.
When renewal time comes around I get two emails, one to the billing contact email and one to the one I gave register.com/godaddy. I also receive a letter in the mail to my real address reminding me to pay up.
So I helped my neighbor set up a domain name for their new business. I put myself in as the technical contact. Phone solicitors snarfed my phone number from the whois information and started calling ME trying to sell me stuff for my NEIGHBOR's business. (I'm also getting snail mail for them as well.) So, to at least cut down on the phone calls, I changed the tech contact in the whois to the following number:
617-861-9507
"The Telemarketer's Nightmare", from the fine folks that brought you "The Rejection Hotline".
Now, it's not really MY phone number, but it IS the phone I want them to have, since I don't want them calling me. My email and home address are valid, so I can still be contacted... just not while I'm sitting down to eat dinner with my family. It's a real phone number, and it doesn't mislead anyone - the message tells someone that I don't want them calling me.
Come to the University of Mars! Classes starting soon!
I'm really straddling the fence on this issue. Sure, I see the merits for having legitimate information in a whois database. I've used it many times when conducting business on the net with smaller entities to "verify" their identity. Also used it numerous times to research companies while responding to employment ads. On the other hand, it's a spammer's dream come true. Look at all the e-mail addresses you can collect in one spot. Granted some registrars are taking up some counter measures against harvesting, I sincerely applaud their efforts. I think a compromise needs to take place here. REQUIRE people to submit truthful data. In this day and age how many registrars will accept blatantly bogus information, especially if there are credit cards involved. However registrars should need to give their customers the option to display their information publicly. I know of no other industry that would publicize their customers' personal data on the internet. Sure some of the info should stay public (nameserver records, technical contact) but does the average person need to know who owns and pays invoices for the domain? I think not.
Yea, I'm gonna steal your identity, commit credit card fraud, steal stock options from your company, distribute illegal information and media online, and wire car-bombs on 60 vehicles in Manhattan. Then I'm going to leave you a red flag on my website with my name on it. Come on, I hope US intelligence does not rely on laws like this to reduce crime, because this guy is basically asking people to turn themselves in, so they can serve 15 years and rat out their friends! In that case cyber criminals have a 100/1 odds of making it big in their field. Why do they think it's anonymous anyway. One way to track this would be billing. But then again, Russians obtain credit card numbers so easily they come in bundles of 1000 on the black market nowadays. I hope the other Representatives get a good laugh at this bill if it ever gets heard in Congress.
[Please sign here]
I'm voting libertarian from now on.
Laws should be based on things that make sense, not 200 years of repressive precedent, or over hyped "concerns" of the day that get legislated to death and stick.
Congressmen who throw out stupid ideas about taking away freedoms, privacies, or putting government punishments in place where nobody has been hurt, should be fired for violating the basic tenets of freedom, and the constitution.
The government shouldn't be punishing people who falsify private documents. I believe it's not (currently) a crime to misrepresent yourself, and online there's a lot to be said for the added safeties of misrepresentation, anonymity, and privacy.
The FCC doesn't need to decide what we watch on TV, we do. If we don't like what we see on channel whatever we don't watch it anymore. The only thing worse than the government trying to control our private lives is the people asking them to. Go to Europe you bunch of repressed whiners.
I'm sick of this all.
I don't care how this gets modded, I'm fed up, and /. is as good a place as any to vent.
My Linux Command of the Day site : LCOD
This may not validate the identity of the user, but it should go a long way toward validating the email address, snail mail address, and phone number that the user provided.
The registrar could even require this validation to be performed once a year, initiated by sending an email to the given address and a letter to the snail mail address. This would be good incentive for people to keep their information updated.
Other than the initial setup, this process shouldn't come close to costing $5 for each validation attempt.
As for identity verification; I have no idea how to do that. In the US, the social security office only wants to see your (or *someone's*) birth certificate before they will issue a replacement card. The department of motor vehicles only wants to see your (or *someone's*) birth certificate or social security card before they will issue a replacement driver's license. Neither the social security card nor the birth certificate has *ANY* information on it that can be used to even roughly validate my identity. The fact that a driver's license and passport both rely on those documents for verification is absurd.
After having my wallet stolen and having to get my license replaced, I'm no longer surprised that identity theft is so easy and common. All you have to know is a name, their parents' names, their birthplace, and their birthdate, and with that you can get a birth certificate for $5-$10. You'll find out their social security number after waiting 2 weeks for the social security office to mail you "your" new card. Maybe now that many DMV offices do your license photo electronically, a clerk *might* pull up "your" previous photo and question you if you look too obviously different (oh wow! I used to look even fatter than I thought! This diet is amazing!), but maybe not. After that, and maybe a little research on the web, you've got pretty much all you need to check credit reports (to get credit card numbers, etc) and obtain a passport.
I had to do all this for myself once, and the ultimate proof that I was me is that I was able to obtain a copy of a birth certificate with my name on it.
However, I don't know what more they could require and still have validation be possible. Maybe eventually, the social security office or the DMV will start requiring a full set of fingerprints for initial cards or licenses, and a new set for comparison before a replacement is issued.
Maybe then identity verification could work.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
I wonder how this would affect the Godaddy unlisted domain name service they offer. It could be interesting. Even with false information in the whois; surely the FBI or the MPAA or the RIAA can subpoena the information from the registering authority the domain is registered through. I doubt that any of that information would be false. So that brings me to assume that when people are looking at whois information in order to prosecute the owner, and give up on a bad whois, that the issue is either not important enough to pursue further, or that they are too stupid to figure out how to do it. Either way, new laws in this area won't change anything. How would you enforce it? Do we really need more useless tech legislation that can't be enforced? Sheesh.
This signature has Super Cow Powers
You bet your ass I used fake info in my WHOIS then [when registering "whitearyanresistance.com"].
So basically you want all the benefits of free speech, but none of the responsibilities. All the latitude, none of the culpability. You are afraid to stand behind your words and actions.
Ever notice how on Slashdot, Anonymous Cowards rarely get modded up past +2?
DNS is a way to identify computers on a network. We don't need a better more secure identd to associate names with numbers.
Need Mercedes parts ?
Just last week they added their own DNS servers to my WHOIS data which pointed my web site and all my email to their search page. Because I registered through my hosting company (who in turn registered through Register.com) Register.com's tech support refuse to help me. They say I have to do everything through my hosting company. But when XO communications asked them to make a change they just said "No".
I mean, I'd love to have an accurate phone number and email in my WHOIS. I'd REALLY love to change the registrar of record to anybody except Register.com. But they're holding my domain hostage and won't give me a way (short of suing) to maintain my own domain.
So don't make it a crime for ME to have false information in my WHOIS. I'd love to change the information. The jerks at Register.com won't let me.
I was waiting for someone to point out that having your information on a WHOIS may not be such a good thing if you're running a website that may be the target of persecution: Pro-Choice, Islam, Homosexual, Justin Timberlake Fansite, etc.
A fully validated WHOIS database would also make it trivial to enforce punishment against those who express politically dissident views. It would no longer be possible to create a domain for political discussion without the government knowing who you are and where you are.
But I guess you're okay with that scenario as long as it stops spam, right?
Am I really seeing a slashdot full of anti-privacy zealots?
Whois is a government regulated collection of information about private individuals. Since when is someone having some privacy on the web a BAD THING???
I thought we all agreed on a few common principles here, free speech, free code and RIGHT TO PRIVACY (ESPECIALLY in our digital world here on the web), and that slashdot needs a built in spellchecker?!!
The government has no damn business either collecting, and especially not publishing the details of domain owners to begin with!