Slashdot Mirror


Congress Eyes Whois Crackdown

Decius6i5 writes "The Washington Post is reporting on a Congressional hearing in which it was proposed that putting false or misleading information in your DNS whois record should be a federal crime. Texas Representative Lamar Smith is quoted as saying 'The Government must play a greater role in punishing those who conceal their identities online.' The article claims 'Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries that much of their material is made available for free on Web sites whose owners are impossible to track down because their domain name registrations often contain made-up names.' Its funny, I don't recall the RIAA having any trouble tracking down P2P users whose IP addresses didn't have any DNS names associated with them at all. This isn't the first time the issue has been raised in Congress but apparently Congress hasn't gotten any more clued after several hearings."

18 of 396 comments (clear)

  1. Lesser of two evils? by lukewarmfusion · · Score: 3, Interesting

    Wow. Either the spammers get my info from the Whois database or the RIAA can't track down some pirates.

    Which do I choose?

    Arrr....

  2. It's about time by scumbucket · · Score: 4, Interesting

    The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information, if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information.

    False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.

    Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.

    --
    CMDRTACO CHECK YOUR EMAIL!
  3. Down the road ... by s20451 · · Score: 3, Interesting

    You know, we're moving towards a world in which computer users and computers themselves are licensed, much as drivers and their cars are licensed.

    Is that a good or bad thing? It has its drawbacks, but on the whole I would say good. Fewer viruses, less spam, a modicum of sense from lusers. Less anonymity, yes, but there are always tradeoffs.

    --
    Toronto-area transit rider? Rate your ride.
  4. what a bunch of bullshit! by JeanBaptiste · · Score: 5, Interesting

    i run a small, non profit politically based website with a chatboard. many people have come on the chatboard and threatened me with physical harm and worse because of my views.

    and now they want me to put my real home phone number and real home address in the DNS records?

    WHAT A BUNCH OF SHIT

  5. Re:I find this idea disturbing. by Endive4Ever · · Score: 5, Interesting

    They don't have to spend a whole lot of time tracking down the false WHOIS record holders.

    Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

    A fully validated WHOIS database would make it trivial to enforce punishment against people who use spammers to promote the websites and scams on said websites registered to them.

    --
    ---
  6. Godaddy.com by teamhasnoi · · Score: 3, Interesting
    provides a service that uses a third party proxy as your whois info.

    When 'whois'ing your domain it gives the company's email, which gets forwarded to you (after a spam filter if you like). Same with any 'real mail' (except for junk mail if you wish).

    Well worth the nominal cost (3 bucks, IIRC) at registration time.

  7. Pointless laws by taustin · · Score: 4, Interesting

    Selling child pornography on the internet (or off it) is a federal crime, but the FBI won't even take a report on ads for it.

    Selling prescription drugs with verifying a valid presecription on the internet (or off it) is a federal crime, but the FBI won't even take a report.

    Using a stolen credit card number on the internet (or off it) is a federal crime, but the FBI won't even take a report, even if you have a name and address for the perp.

    Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

    1. Re:Pointless laws by NoData · · Score: 4, Interesting

      Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

      Because when it's in the interest of big business, you better believe the FBI will act on it and exploit every tool at their disposal. Let's be clear: This bill is not for going after child pornographers, it's for busting that most treacherous of terrorists, the Music File Sharer! One of the sponsors, Howard Berman, is a notorious shill for the music and entertainment industry.

  8. Re:I find this idea disturbing. by RobertB-DC · · Score: 4, Interesting

    I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.

    That's exactly what I did... and had exactly the result you described. Hundreds of spam messages a week to an address used only for domain registrations.

    However, I seem to have found a solution. A poster in the hallowed halls of Slashdot was trying to determine the level of email harvesting, but wasn't getting any bites. But the word "spam" was in his email address... so I tried a new domain registration email address that also has "spam" in it.

    Results after about a month: no spam to the "domspam@..." address. I don't know if perhaps they're sending mail to "dom@...", 'cause I'm not monitoring it. But the only messages I've recieved at "domspam" are valid messages from the registrars.

    Of course, I haven't bothered to update my snail mail address since I moved. I hope the folks who bought our house are enjoying the offers for low-cost hosting and convenient "renewals". I guess I'll have to add that to my growing dossier of criminal activities...

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  9. Hmmm.... by Anonymous Coward · · Score: 3, Interesting

    I agree with the concept of jerking the registration if the information is false, misleading, or utterly out of date (cannot be found). Add a waiting period before anyone else can register it (so someone can step forward and claim their error), and allow for private registration that can be accessed with a warent, and I think it would be a pretty good idea.

    Any other ideas?

  10. Anonymity == illegal? by 3Suns · · Score: 4, Interesting

    It seems like the government, more and more now, is treating anyone who wishes to remain anonymous, or who does things anonymously, as a criminal. Granted there is nothing in our bill of rights or constitution that protects our right to anonymity, but there should be.

    There are plenty of legitimate reasons why one would wish to remain anonymous. Not to mention the fact that the US government should have no control over the internet which in essence represents the international community. Just because anonymity can be inconvenient for law enforcement doesn't mean it must be made illegal.

    Ski masks, pantyhose, and latex gloves are still available for sale in the US. All these are ideal tools for concealing your identity in real life. Wearing them in real life is not illegal either. It is, however, illegal to commit a crime while employing these tools, although no more so than if one does not employ them.

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  11. Re:I find this idea disturbing. by Zeinfeld · · Score: 4, Interesting
    They don't have to spend a whole lot of time tracking down the false WHOIS record holders. Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

    The current cost of a domain name is about $10. You can't get any type of address verification/authentication lookup from a reliable database for less than $20. If you want the result to be at all reliable it would cost at least $100 and most likely $200 - sound familliar? Thats what SSL certs cost.

    The rule for domain names is quite simple, you use a false address, someone complains, you are likely to never get notice of the complaint, you lose the domain. Or you use a false address, you never get the renewal notice, you lose the domain. You have no idea how many IETF privacy nuts complained about not getting their renewal notices after typing in bogus address data, well DUUHHH!!

    The only reason that WHOIS data is public in the first place is that when ICANN was being set up the competing registrars insisted that the rules should allow them to see Network solution's customer list so they could spam them with transfer offers. The other registrars then did what everyone else has done since, they created nominees to hide the true identities of the holder.

    WHOIS would be best shut down. The spammers are never going to give valid data anyway. Instead use the reverse DNS to advertise a contact address to go to when you have a problem with info comming from an IP record. Nice thing here is that in many cases the delegation of reverse DNS reaches exactly to the level you would want to pick up a phone to talk to someone about a hacker comming from their net.

    Of course you would need to authenticate any use of that data, telephone numbers would only be given out on a need to know basis etc. But we could do a lot better than whois. I have never traced a hacker successfully using whois data.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  12. What about... by Beolach · · Score: 3, Interesting

    Not having any Whois information? I remember a domain name that I wanted to register at one that had already been taken, and when I checked whois to see who had registered it, there was nothing there. Is that going to be illegal, or just having false information? If it's only illegal to falsify info, what's the point; and if no info is also illegal, then this is way too invasive.

    --
    Join moola.com, play games to earn money.
  13. Read the terms and conditions when you register! by www.sorehands.com · · Score: 4, Interesting
    Bull! Just because someone can track you by your car's license place number does not entitle you to cover it.


    When you read the terms and conditions when you register, you are required to put in valid whois information. The problem is many registrars do not enforce it. Then when people complain, the registrar may do someone about it in 6 months, and then update it with invalid information. ICANN investigated some reports who network solutions, but failed to do anything. One address from their investigation, 123 Yellow Brick Road, Oz, Kansas, is still there.


  14. Re:I find this idea disturbing. by muckdog · · Score: 4, Interesting

    Actually this is not the case with the domain register I have delt with so far. Both with Godaddy and Regsiter.com I have give a separate email and mailing address that goes directly to them when signing up for the domain. The InterNIC Admin, Technical and Zone contact information are set to fake mail and phone numbers. The email address I use is real but not actively used, I also change it every once in a while to help keep down the spam hitting my servers.

    When renewal time comes around I get two emails, one to the billing contact email and one to the one I gave register.com/godaddy. I also recieve a letter in the mail to my real address reminding me to pay up.

  15. What is wrong with the government these days? by dougnaka · · Score: 4, Interesting
    Can't they stay out of private life?

    I'm voting libertarian from now on.

    Laws should be based on things that make sense, not 200 years of repressive precedent, or over hyped "concerns" of the day that get legislated to death and stick.

    Congressmen who throw out stupid ideas about taking away freedoms, privacies, or putting government punishments in place where nobody has been hurt, should be fired for violating the basic tenants of freedom, and the constitution.

    The government shouldn't be punishing people who falsify private documents. I believe it's not (currently) a crime to misrepresent yourself, and online there's a lot to be said for the added safeties of misrepresentation, anonymity, and privacy.

    The FCC doesn't need to decide what we watch on TV, we do. If we don't like what we see on channel whatever we don't watch it anymore. The only thing worse than the government trying to control our private lives is the people asking them to. Go to Europe you bunch of repressed whiners.

    I'm sick of this all.

    I don't care how this gets modded, I'm fed up, and /. is a as good a place as any to vent.

    --
    My Linux Command of the Day site : LCOD
  16. Re:I find this idea disturbing. by egburr · · Score: 3, Interesting
    Here is an easy and reasonably cheap way to verify the accuracy of , with no human intervention on the Registrar's side:
    • Request email address, snail mail address, and phone number via a web form.
    • The registrar places the domain on reserve, pending successful verification.
    • Within a few minutes, an email is sent with a unique code to enter or a URL to click on. The user does so.
    • Within 10 minutes, a computer calls the phone number and reads a short list of randomly generated numbers.
    • The user enters those numbers on the form.
    • The computer generates a postcard (or sealed letter) with a different set of random numbers/characters and mails it to the user. The user can elect to pay for faster delivery options.
    • The user receives the letter and enters that data.
    • The registrar activates the domain.

    This may not validate the identity of the user, but it should go a long way toward validating the email address, snail mail address, and phone number that the user provided.

    The registrar could even require this validation to be performed once a year, initiated by sending an email to the given address and a letter to the snail mail address. This would be good incentive for people to keep their information updated.

    Other than the initial setup, this process shouldn't come close to costing $5 for each validation attempt.

    As for identity verification; I have no idea how to do that. In the US, the social security office only wants to see your (or *someone's*) birth certificate before they will issue a replacement card. The department of motor vehicles only wants to see your (or *someone's*) birth certificate or social security card before they will issue a replacement driver's license. Neither the social security card nor the birth cetificate has *ANY* information on it that can be used to even roughly validate my identity. The fact that a driver's license and passport both rely on those documents for verification is absurd.

    After having my wallet stolen and having to get my license replaced, I'm no longer surprised that identity theft is so easy and common. All you have to know is a name, their parent's names, their birthplace, and their birthdate, and with that you can get a birth certificate for $5-$10. You'll find out their social security number after waiting 2 weeks for the social security office to mail you "your" new card. Maybe now that many DMV offices do your license photo electronically, a clerk *might* pull up "your" previous photo and question you if you look too obviously different (oh wow! I used to look even fatter than I thought! This diet is amazing!), but maybe not. After that, and maybe a little research on the web, you've got pretty much all you need to check credit reports (to get credit card numbers, etc) and obtain a passport.

    I had to do all this for myself once, and the ultimate proof that I was me is that I was able to obtain a copy of a birth certificate with my name on it.

    However, I don't know what more they could require and still have validation be possible. Maybe eventually, the social security office or the DMV will start requiring a full set of fingerprints for initial cards or licenses, and a new set for comparison before a replacement is issued.

    Maybe then identity verification could work.

    --

    Edward Burr
    Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
  17. Makes me want to kick somebody... by cshark · · Score: 4, Interesting

    I wonder how this would affect the Godaddy unlisted domain name service they offer. It could be interesting. Even with false information in the whois; surely the FBI or the MPAA or the RIAA can subpoena the information from the registering authority the domain is registered through. I doubt that any of that information would be false. So that brings me to assume that when people are looking at whois information in order to prosecute the owner, and give up on a bad whois, that the issue is either not important enough to pursue further, or that they are too stupid to figure out how to do it. Either way, New laws in this area won't change anything. How would you enforce it? Do we really need more useless tech legislation that can't be enforced? Sheesh.

    --

    This signature has Super Cow Powers