Slashdot Mirror

← Back to Stories (view on slashdot.org)

Congress Eyes Whois Crackdown

Posted by CmdrTaco on from the that-doesn't-seem-like-a-bad-idea dept.

Decius6i5 writes "The Washington Post is reporting on a Congressional hearing in which it was proposed that putting false or misleading information in your DNS whois record should be a federal crime. Texas Representative Lamar Smith is quoted as saying 'The Government must play a greater role in punishing those who conceal their identities online.' The article claims 'Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries that much of their material is made available for free on Web sites whose owners are impossible to track down because their domain name registrations often contain made-up names.' Its funny, I don't recall the RIAA having any trouble tracking down P2P users whose IP addresses didn't have any DNS names associated with them at all. This isn't the first time the issue has been raised in Congress but apparently Congress hasn't gotten any more clued after several hearings."

33 of 396 comments (clear)

  1. I find this idea disturbing. by The+I+Shing · · Score: 5, Insightful

    Yes, there are criminals with false WHOIS records.

    And, at the same time, the WHOIS database is a feeding trough for spammers and scammers, encouraging otherwise honest people to put false information into their WHOIS records just to keep those spammers and scammers from getting their names, email addresses, snail mail addresses, phone numbers, fax numbers, mothers' maiden names, and whatever else their registrars ask for.

    I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.

    There's an old saying you still see on bumper stickers, "When guns are outlawed, only outlaws will have guns." While that idea might be more accurately stated as "When guns are outlawed, only outlaws will accidentally shoot their own kids," the original sentiment holds for WHOIS, that is to say, "When falsified WHOIS data is outlawed, only outlaws will falsify their WHOIS data."

    If the RIAA and MPAA can't find the fake WHOIS record owners, how is the government going to track down the WHOIS record owners and punish them? Why waste time passing a law that, in the end, only punishes honest people who would rather not give their unlisted home phone numbers out when buying a domain name for their kids?

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
    1. Re:I find this idea disturbing. by Endive4Ever · · Score: 5, Interesting

      They don't have to spend a whole lot of time tracking down the false WHOIS record holders.

      Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

      A fully validated WHOIS database would make it trivial to enforce punishment against people who use spammers to promote the websites and scams on said websites registered to them.

      --
      ---
    2. Re:I find this idea disturbing. by Anonymous Coward · · Score: 5, Insightful

      A realistic solution to it is to allow people to falsify WHOIS records, but require the registries to maintain records of accurate contact information to be provided in the event of a (legitimately issued) subpoena or an investigation by law enforcement, provided they have a warrant for the information. If people choose to put their real contact information in the WHOIS record, it is still their right to do so, and many already choose to do so despite being able to falsify the data.

    3. Re:I find this idea disturbing. by RobertB-DC · · Score: 4, Interesting

      I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.

      That's exactly what I did... and had exactly the result you described. Hundreds of spam messages a week to an address used only for domain registrations.

      However, I seem to have found a solution. A poster in the hallowed halls of Slashdot was trying to determine the level of email harvesting, but wasn't getting any bites. But the word "spam" was in his email address... so I tried a new domain registration email address that also has "spam" in it.

      Results after about a month: no spam to the "domspam@..." address. I don't know if perhaps they're sending mail to "dom@...", 'cause I'm not monitoring it. But the only messages I've recieved at "domspam" are valid messages from the registrars.

      Of course, I haven't bothered to update my snail mail address since I moved. I hope the folks who bought our house are enjoying the offers for low-cost hosting and convenient "renewals". I guess I'll have to add that to my growing dossier of criminal activities...

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    4. Re:I find this idea disturbing. by American+AC+in+Paris · · Score: 5, Informative
      If they were talking about criminalizing false WHOIS information, I'd agree with you 100%.

      Trouble is, that's not what they're doing. They're talking about creating harsher penalties for people who commit fraud with a website registered under fake credentials.

      They're not going to go hunting you down for having false information. Rather, if they catch you committing fraud on your website, they'll tack another few years onto your sentence if the site info wasn't accurate.

      You gotta stop believing what they say in the front-page blurbs.

      --

      Obliteracy: Words with explosions

    5. Re:I find this idea disturbing. by pavon · · Score: 4, Informative

      If the RIAA and MPAA can't find the fake WHOIS record owners, how is the government going to track down the WHOIS record owners and punish them?

      Very simple. If the registrar can't contact you because you gave them bogus info then the registration gets dumped. Quite an effective and fair punishment - you are abusing a priviledge so that priviledge gets revoked.

      Although I do understand where you are comming from with regard to address harvesting from public WHOIS records. If you were to implement this policy you would have to provide the option for registrants info to remain private to the registrar. Then it wouldn't be such a burden for honest people to provide the correct information.

    6. Re:I find this idea disturbing. by Zeinfeld · · Score: 4, Interesting
      They don't have to spend a whole lot of time tracking down the false WHOIS record holders. Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

      The current cost of a domain name is about $10. You can't get any type of address verification/authentication lookup from a reliable database for less than $20. If you want the result to be at all reliable it would cost at least $100 and most likely $200 - sound familliar? Thats what SSL certs cost.

      The rule for domain names is quite simple, you use a false address, someone complains, you are likely to never get notice of the complaint, you lose the domain. Or you use a false address, you never get the renewal notice, you lose the domain. You have no idea how many IETF privacy nuts complained about not getting their renewal notices after typing in bogus address data, well DUUHHH!!

      The only reason that WHOIS data is public in the first place is that when ICANN was being set up the competing registrars insisted that the rules should allow them to see Network solution's customer list so they could spam them with transfer offers. The other registrars then did what everyone else has done since, they created nominees to hide the true identities of the holder.

      WHOIS would be best shut down. The spammers are never going to give valid data anyway. Instead use the reverse DNS to advertise a contact address to go to when you have a problem with info comming from an IP record. Nice thing here is that in many cases the delegation of reverse DNS reaches exactly to the level you would want to pick up a phone to talk to someone about a hacker comming from their net.

      Of course you would need to authenticate any use of that data, telephone numbers would only be given out on a need to know basis etc. But we could do a lot better than whois. I have never traced a hacker successfully using whois data.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    7. Re:I find this idea disturbing. by flatt · · Score: 5, Insightful

      That may work until someone claims to be from anywhere but the US.

    8. Re:I find this idea disturbing. by Short+Circuit · · Score: 5, Insightful

      WHOIS would be best shut down.

      That's crazy. If someone's DNS server isn't retiring an old entry that puts my domain at an improper address, I want to be able to reach them with as little hassle as possible. Not demand contact information from my friends in Australia who pointed out that they couldn't get to my site.

      (That's happened to me, BTW... www.grnet.com somehow ended up having an old DNS entry with a fubar'd expiration date, but only on a high-level machine in Australia.)

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    9. Re:I find this idea disturbing. by muckdog · · Score: 4, Interesting

      Actually this is not the case with the domain register I have delt with so far. Both with Godaddy and Regsiter.com I have give a separate email and mailing address that goes directly to them when signing up for the domain. The InterNIC Admin, Technical and Zone contact information are set to fake mail and phone numbers. The email address I use is real but not actively used, I also change it every once in a while to help keep down the spam hitting my servers.

      When renewal time comes around I get two emails, one to the billing contact email and one to the one I gave register.com/godaddy. I also recieve a letter in the mail to my real address reminding me to pay up.

    10. Re:I find this idea disturbing. by orthogonal · · Score: 5, Insightful

      "The Government must play a greater role in punishing those who conceal their identities online - Lamar Smith"

      Excuse me?

      People who are anonymous must be punished?

      Are all Texans as offensive as their elected representative?

      Hey, terrorist boy, Congressman Smith is right.

      Why did you know that once there where these three guys, three anonymous agitators, and they hid behind a fake name, "Publius", and wrote a bunch of stuff that completely changed the government of their country?

      Anyway, these three guys started out as rebels and terrorists and traitors, and once things got settled down again, first thing they done was to get together all anonymous like, and they decided to change things yet again.

      But they figured that people might not be as convinced of their ideas ifin people know'd it was these rebel traitors behind the ideas, so they made up that fake name "Publius" and published under it.

      And what they wrote completely changed the government of their country. It got rid of the Articles of Confederation and made it impossible that the country would ever again be ruled by King George, who they'd rebelled against, and it set up a Constitution and a central government -- actually it was a Federation and them anonymous papers was called The Federalist Papers -- and as a by-product of the debate over them papers, they added ten Amendments to their new Constitution, the first one of which guaranteed, among other things, Freedom of Speech.

      And years later one of them anonymous rebels became the Secretary of Treasury of the new country they'd created with their anonymous papers, and one of the then rebels became the First Chief Justice of the Supreme Court of the country they created with their anonymous papers, and the other one, well, he became the fourth President of their new country which they had created with their anonymous papers, a country they called "The United States of America."

      And I, honest to god this isn't mere rhetoric on my part, I have tears in my eyes right now when I think of all that those three disreputable anonymous rebels created, and the tears are streaming down my cheeks when I think of the Constitution of the United States of America that Alexander Hamilton and John Jay and James Madison agitated for in their anonymous Federalist Papers, and I get a lump in my throat when I think of the glorious First Amendment to that Constitution, which, among other things according to the US Supreme Court, guarantees a right to anonymity to protect our freedom to engage in political discourse and debate.

      And Lamar Alexander -- Lamar Alexander, elected to the Congress planned and created by the same Constitution -- when he says that "The Government must play a greater role in punishing those who conceal their identities", well, I have to ask, when is the last time Lamar Alexander read that fine Constitution, that Constitution created by those three anonymous men publishing under a fake name?

      And by god! I contend that the those who stand up for that Constitution, and for Free Speech, and for a right to anonymity -- those persons -- and not Big Brother's lackeys with their newspeak "Patriot Act" -- are the real American Patriots.

      --
      Opinions on the Twiddler2 hand-held keyboard?
  2. Who controls WHOIS? by Anonymous Coward · · Score: 5, Insightful

    Does Verisign control the WHOIS database? Since they are a US company, is that what gives the US the right to patrol that database? If not Verisign, who? Will the US rules be applied to other countries? This is legislation that will not be enforcable!

    1. Re:Who controls WHOIS? by isa-kuruption · · Score: 4, Informative
      Domain name registrations are controlled by ICANN which is a Congressionally funded organization.

      From their website:
      The Internet Corporation for Assigned Names and Numbers (ICANN) is an internationally organized, non-profit corporation that has responsibility for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions. These services were originally performed under U.S. Government contract by the Internet Assigned Numbers Authority (IANA) and other entities. ICANN now performs the IANA function.


      ICANN then contracts out services to corporations for manage the DNS registrations. Currently, VeriSign controls .com and .net.

  3. It's about time by scumbucket · · Score: 4, Interesting

    The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information, if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information.

    False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.

    Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.

    --
    CMDRTACO CHECK YOUR EMAIL!
  4. This is just silly... by bc90021 · · Score: 4, Insightful

    ...all that's going to happen is that people are going to put in correct information, and then make it unlisted. When the people in Congress are given the analogy with the phone system (ie, unlisted numbers) it will become a matter of subpeonas, and then for the courts in the cases of infringement, as it should be.

    --
    libertarianswag.com
  5. Crackdowns we'd like to see... by heironymouscoward · · Score: 4, Funny

    - false WHOIS information
    - false email headers
    - spoofed IP addresses
    - misleading web pop-ups
    - spyware authors
    - technomorons who install spyware
    - coverage of mydoom by the BBC
    - jj's boobs

    --
    Ceci n'est pas une signature
  6. Fun with White Aryans and DNS..... by i_want_you_to_throw_ · · Score: 5, Funny

    About 4 years ago. I registered "whitearyanresistance.com", org and net. I put a nice little cgi in place that sent people to random sites sites like blacksonblondes.com, algore2000.com, NAMBLA and so forth.

    Next step was to modify the cgi to regurgitate the IP address where the user got a message that said..

    Your IP Address: xx.xx.xx.xx has been recorded for forwarding to the proper authorities. Have a nice day



    Then I got tired of picking on Tom Metzger and his retarded ilk and just donated the domains to another group (not the W.A.R.).

    You bet your ass I used fake info in my WHOIS then.

    I do wonder though if there are legitimate cases of where people run sites where it's best to not know the identity. Much in the same way that an abused woman could never call home from a shelter because her husband who beats her would know where she is thanks to caller ID.

    Maybe the Chinese Communists would send goons to whack all the Falun Gong website owners or something (I'm sure you have better examples).

  7. Good grief. by Grrr · · Score: 5, Insightful

    "The Government must play a greater role in punishing those who conceal their identities online, particularly when they do so in furtherance of a serious federal criminal offense or in violation of a federally protected intellectual property right," Smith said...

    So - that sentence can end at the first comma, and be no less accurate in representing his opinion.

    Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries...

    'Of the corporations, by the corporations and for the corporations'

    The bill would not affect people who are trying to safeguard their privacy because it
    only makes it a crime to submit false registration data when it is done to help commit a
    crime...

    Now if we could only keep that pesky concept of what constitutes a "crime" from continually
    expanding...

    <grrr>

    1. Re:Good grief. by ConceptJunkie · · Score: 4, Insightful

      Unfortunately, being suspected of having committed a crime is criminal under the Patriot Act.

      --
      You are in a maze of twisty little passages, all alike.
  8. This story is brought to you by the color "yellow" by American+AC+in+Paris · · Score: 5, Informative
    From the Washington Post article:

    The bill would not affect people who are trying to safeguard their privacy because it only makes it a crime to submit false registration data when it is done to help commit a crime, said Mark Bohannon, senior vice president for public policy at the Software & Information Industry Association, which supports the bill.

    Oh, fer Pete's sake, Taco. Would it really hurt all that much to give a full, accurate blurb on this one?

    This isn't about forcing people to use their real name when registering a domain. This is about increasing the severity of the punishment for committing online fraud. Basically, if you commit fraud using a website with faked credentials, you'll face a stiffer penalty than you would had you committed fraud on a website where you used legitimate credentials to register.

    I'm not saying I've fully researched this, but it sure as hell isn't the rights-trampling orgy the blurb makes it out to be, Taco. Do your homework before posting half-informed diatribes to the front page.

    --

    Obliteracy: Words with explosions

  9. Should be the other way around by Tablizer · · Score: 4, Insightful

    I don't want my physical address available to the world. Domain minders should collect it for billing and security reasons, but NOT for publicly-available databases.

    --
    Table-ized A.I.
  10. Re:spam by ryanjensen · · Score: 5, Funny

    Oh, of course not. Your senator passed CAN-SPAM for that.

    --
    The Ezine Directory
  11. what a bunch of bullshit! by JeanBaptiste · · Score: 5, Interesting

    i run a small, non profit politically based website with a chatboard. many people have come on the chatboard and threatened me with physical harm and worse because of my views.

    and now they want me to put my real home phone number and real home address in the DNS records?

    WHAT A BUNCH OF SHIT

  12. that is ridiculous by cyberwave · · Score: 5, Insightful

    What if I want to setup a domain name criticizing my private school? They censor the newspapers so the internet is the only medium in which that would be possible to do anonymously. Just as I could give out fliers while wearing a mask without breaking the law, I should be able to do the same thing on the internet. Additionally, there are alternatives that you can pay for as well (but costs more than putting in fake information). They shouldn't be legislating against the ways in which people conceal themselves; they should be legislating against the things that they DO while concealed! Being anonymous isn't a crime. Punish the crime, not the anonymity. Wow politicians are so stupid. No wonder the good ones turn into teachers instead.

  13. Pointless laws by taustin · · Score: 4, Interesting

    Selling child pornography on the internet (or off it) is a federal crime, but the FBI won't even take a report on ads for it.

    Selling prescription drugs with verifying a valid presecription on the internet (or off it) is a federal crime, but the FBI won't even take a report.

    Using a stolen credit card number on the internet (or off it) is a federal crime, but the FBI won't even take a report, even if you have a name and address for the perp.

    Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

    1. Re:Pointless laws by NoData · · Score: 4, Interesting

      Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

      Because when it's in the interest of big business, you better believe the FBI will act on it and exploit every tool at their disposal. Let's be clear: This bill is not for going after child pornographers, it's for busting that most treacherous of terrorists, the Music File Sharer! One of the sponsors, Howard Berman, is a notorious shill for the music and entertainment industry.

  14. Newsflash by H8X55 · · Score: 4, Funny

    People on the Internet sometimes pretend to be someone they're not.

    Anyone who is trying to conceal their identity for illegal activities will continue to do so.

    Now we may just get more spam.

  15. Anonymity == illegal? by 3Suns · · Score: 4, Interesting

    It seems like the government, more and more now, is treating anyone who wishes to remain anonymous, or who does things anonymously, as a criminal. Granted there is nothing in our bill of rights or constitution that protects our right to anonymity, but there should be.

    There are plenty of legitimate reasons why one would wish to remain anonymous. Not to mention the fact that the US government should have no control over the internet which in essence represents the international community. Just because anonymity can be inconvenient for law enforcement doesn't mean it must be made illegal.

    Ski masks, pantyhose, and latex gloves are still available for sale in the US. All these are ideal tools for concealing your identity in real life. Wearing them in real life is not illegal either. It is, however, illegal to commit a crime while employing these tools, although no more so than if one does not employ them.

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  16. Some Canadian registrars have the idea re. privacy by fatwreckfan · · Score: 5, Informative

    Some Canadian registrars, such as Internic.ca offer a service called Privacy.ca that hides your registration information, so random people can't look up your info.

    If it becomes a federal crime to lie in domain records, something similar could be implemented to protect those who want to remain (somewhat) anonymous.

  17. Read the terms and conditions when you register! by www.sorehands.com · · Score: 4, Interesting
    Bull! Just because someone can track you by your car's license place number does not entitle you to cover it.


    When you read the terms and conditions when you register, you are required to put in valid whois information. The problem is many registrars do not enforce it. Then when people complain, the registrar may do someone about it in 6 months, and then update it with invalid information. ICANN investigated some reports who network solutions, but failed to do anything. One address from their investigation, 123 Yellow Brick Road, Oz, Kansas, is still there.


    --
    Fight Spammers!
  18. Once again, US != Internet.... by RedHat+Rocky · · Score: 4, Insightful

    When will they learn? Yet another 'law' proposed to clear up that dirty old Internet.

    Congress, please read: THE INTERNET EXTENDS WAY BEYOND US BORDERS.

    Many scams are perpetrated from sites OUTSIDE the US, how do you think your proposed law helps?

    Please stop bowing to the corporate masters!

    Yes, I am a Citizen of the United States.

    --
    Anything is possible given time and money.
  19. What is wrong with the government these days? by dougnaka · · Score: 4, Interesting
    Can't they stay out of private life?

    I'm voting libertarian from now on.

    Laws should be based on things that make sense, not 200 years of repressive precedent, or over hyped "concerns" of the day that get legislated to death and stick.

    Congressmen who throw out stupid ideas about taking away freedoms, privacies, or putting government punishments in place where nobody has been hurt, should be fired for violating the basic tenants of freedom, and the constitution.

    The government shouldn't be punishing people who falsify private documents. I believe it's not (currently) a crime to misrepresent yourself, and online there's a lot to be said for the added safeties of misrepresentation, anonymity, and privacy.

    The FCC doesn't need to decide what we watch on TV, we do. If we don't like what we see on channel whatever we don't watch it anymore. The only thing worse than the government trying to control our private lives is the people asking them to. Go to Europe you bunch of repressed whiners.

    I'm sick of this all.

    I don't care how this gets modded, I'm fed up, and /. is a as good a place as any to vent.

    --
    My Linux Command of the Day site : LCOD
  20. Makes me want to kick somebody... by cshark · · Score: 4, Interesting

    I wonder how this would affect the Godaddy unlisted domain name service they offer. It could be interesting. Even with false information in the whois; surely the FBI or the MPAA or the RIAA can subpoena the information from the registering authority the domain is registered through. I doubt that any of that information would be false. So that brings me to assume that when people are looking at whois information in order to prosecute the owner, and give up on a bad whois, that the issue is either not important enough to pursue further, or that they are too stupid to figure out how to do it. Either way, New laws in this area won't change anything. How would you enforce it? Do we really need more useless tech legislation that can't be enforced? Sheesh.

    --

    This signature has Super Cow Powers