Slashdot Mirror


ICANN Accepting Public Comments On Whois Privacy

Decius6i5 writes "ICANN is accepting public comments on its three whois privacy and accuracy working groups until July 5th. Some of the proposals from the third working group, on improving whois accuracy, have been described as hostile to internet users. The working group proposes that if DNS Whois registration data for a domain is inaccurate, the domain should be immediately placed on hold, and cancelled if the error is not corrected within 15 days. An article on Circle ID suggests that the DNS Whois system is not the best way to share contact information for networks, and that ICANN should focus its efforts on improving IP Address Whois instead. What do you think?"

21 comments

  1. Well... by hookedup · · Score: 3, Informative

    I use namecheap.com to buy all my domains, for an extra $4.95/year per domain, I get whois guard protection.

    Do a whois on a domain of mine, and you get contact info to the registrar. Want my real info? Better have a subpoena ready..

    1. Re:Well... by CeramicNuts · · Score: 3, Funny

      I paid Netword Solutions $9 year for private registration and immediately received an increase in spam.

    2. Re:Well... by Carbonite · · Score: 1

      I paid Netword Solutions $9...

      There's your problem. You got caught in a phishing scam. The actual registrar is Network Solutions.

      --
      I must have more cowbell
    3. Re:Well... by orangesquid · · Score: 1

      As long as your ISP won't mind forwarding mail from me to you if I need to get in touch with you regarding your site (this would only be if webmaster@ bounced and no contact info was listed, which is pretty rare and kind of silly... *at least* webmaster@ ought to go somewhere, I say!), that's fine by me.

      I've snatched people's personal info (or ISP info after tracerouting) from whois and ARIN:whois databases before a few times, when I've encountered defaced sites, been attacked by malicious traffic, or have tracked down someone spamming against their ISP's TOS.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  2. SOME point of contact is useful IMHO by xmas2003 · · Score: 2, Interesting
    I recently had some scumbags "steal" the entire contents of my web site (text and images) and host it on his own URL (after he changed the Adsense Publisher ID so he could profit from it!)

    The contact information on the web site was my own (!) ... so all I could do was take a look at whois data and send 'em a "WTF" note - it did get resolved (whole summary coming shortly), but having at least SOMEONE to contact via whois was helpful.

    Having said that, it does suck that the spammers harvest these Email addresses.

    --
    Hulk SMASH Celiac Disease
    1. Re:SOME point of contact is useful IMHO by xmas2003 · · Score: 2, Insightful

      Just to follow up on my own post, part 1 (with detailed log data and whois records) is now posted where I talk about how Graeme stole my web site and tried to profit from it.

      --
      Hulk SMASH Celiac Disease
  3. whois weirdness by vijaya_chandra · · Score: 1, Offtopic

    This isn't funny or flamebait but when I do 'whois google.com' I get the following


    [vijay@vijay vijay]$ whois google.com
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
    GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
    GOOGLE.COM

    To single out one record, look it up with "xxx", where xxx is one of the
    of the records displayed above. If the records are the same, look them up
    with "=xxx" to receive a full display for each record.



    I am not sure if my system's connecting to the wrong server or the server itself is screwed up.
    But 'whois tachyontech.net' works fine so I guess there's a problem with the server.

    Am sure that if results turn up like this no one needs to worry about privacy.
    But it would be more than useful for everyone if ICANN or whatever organisation first makes sure that the information that is being provided by different whois servers is at least proper.

    1. Re:whois weirdness by linuxkrn · · Score: 0, Offtopic

      Wrong server, notice it goes to NSI first (whois.inetnic.net) then is redirected out to the SOA.

      $ whois google.com
      [Querying whois.internic.net]
      [Redirected to whois.alldomains.com]
      [Querying whois.alldomains.com]
      [whois.alldomains.com]
      All domains.com - The Leader in Corporate Domain Management
      --
      For Global Domain Consolidation, Research & Intelligence,
      and Enterprise DNS, go to: www.alldomains.com/corp/
      --

      The Data in Alldomains.com's WHOIS database is provided by Alldomains.com
      for information purposes, and to assist persons in obtaining information
      about or related to a domain name registration record. Alldomains.com
      does not guarantee its accuracy. By submitting a WHOIS query, you agree
      that you will use this Data only for lawful purposes and that, under no
      circumstances will you use this Data to: (1) allow, enable, or otherwise
      support the transmission of mass unsolicited, commercial advertising or
      solicitations via e-mail (spam); or (2) enable high volume, automated,
      electronic processes that apply to Alldomains.com (or its systems).
      Alldomains.com reserves the right to modify these terms at any time.
      By submitting this query, you agree to abide by this policy.

      Registrant:
      Google Inc. (DOM-258879)
      2400 E. Bayshore Pkwy
      Mountain View CA 94043
      US

      Domain Name: google.com

      Registrar Name: Alldomains.com
      Registrar Whois: whois.alldomains.com
      Registrar Homepage: http://www.alldomains.com

      Administrative Contact:
      DNS Admin (NIC-1340142) Google Inc.
      2400 E. Bayshore Pkwy Mountain View CA 94043
      US
      dns-admin@google.com
      +1.6503300100
      Fax- +1.6506181499
      Technical Contact, Zone Contact:
      DNS Admin (NIC-1340144) Google Inc.
      2400 E. Bayshore Pkwy
      Mountain View CA 94043
      US
      dns-admin@google.com
      +1.6503300100
      Fax- +1.6506181499

      Created on..............: 1997-Sep-15.
      Expires on..............: 2011-Sep-14.
      Record last updated on..: 2003-Apr-07 10:42:46.

      Domain servers in listed order:

      NS3.GOOGLE.COM 216.239.36.10
      NS4.GOOGLE.COM 216.239.38.10
      NS1.GOOGLE.COM 216.239.32.10
      NS2.GOOGLE.COM 216.239.34.10

      Alldomains.com - The Leader in Corporate Domain Management
      --
      For Global Domain Consolidation, Research & Intelligence,
      and Enterprise DNS, go to: www.alldomains.com/corp/
      --

    2. Re:whois weirdness by Sheetrock · · Score: 3, Interesting
      What's happening is people are registering nameservers with goofy names that start with the same text as an existing host.

      For example, the folks at gulli.com have made 'GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM' and registered it as a nameserver so that it shows up when you do a whois search for GOOGLE.COM through whois.crsnic.net or other WHOIS servers that try to be helpful when you enter part of a domain name. Not all WHOIS servers seem to do this, but apparently FreeBSD (at least) defaults to whois.crsnic.net.

      It's a cute trick, and I'd hate to see it go. ICANN needs to lighten up with regards to their requirements for WHOIS information; spammers and telemarketers abuse the hell out of it no matter how many warnings are put up next to the data. The contacts are less than useful when nobody answers them because they're bombarded with marketing.

      --

      Try not. Do or do not, there is no try.
      -- Dr. Spock, stardate 2822-3.
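
Added example, not part of any comment in the thread: a small Python filter for the multi-match reply shown above, which separates the record that equals the queried domain from host records that merely begin with it and reports which domain those hosts really sit under. The function names are hypothetical, and the sample reply is constructed from the output quoted in the thread.

```python
import re

# Constructed sample: the registry reply quoted earlier in the thread, with
# the two long host names rejoined.
SAMPLE_REPLY = """\
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM

To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.
"""

# A record line in this reply is one dotted, upper-case name and nothing else.
_RECORD = re.compile(r"^[A-Z0-9-]+(?:\.[A-Z0-9-]+)+$")


def candidate_records(reply):
    """Return the bare host/domain names listed in a multi-match reply."""
    names = []
    for line in reply.splitlines():
        line = line.strip()
        if _RECORD.match(line):
            names.append(line)
    return names


def parent_domain(name):
    """Last two labels of a name. Assumption: every record is under .com or
    .net, the only zones this server covers, so two labels are enough."""
    return ".".join(name.split(".")[-2:])


def classify(query, reply):
    """Split the listed records into the exact match, lookalike hosts that
    only share the query as a left-hand prefix, and anything else."""
    q = query.upper().rstrip(".")
    result = {"exact": None, "lookalikes": [], "other": []}
    for name in candidate_records(reply):
        if name == q:
            result["exact"] = name
        elif name.startswith(q + "."):
            # The query is only the leftmost labels; ownership follows the
            # rightmost labels, so report the real parent domain.
            result["lookalikes"].append((name, parent_domain(name)))
        else:
            result["other"].append(name)
    return result


if __name__ == "__main__":
    print(classify("google.com", SAMPLE_REPLY))
```
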




  4. Ok, I admit I didn't read the article, by HotNeedleOfInquiry · · Score: 2, Insightful

    but one thing that seems important to me is that fraudulent contact information be handled differently than inaccurate information. No sense blackholing honest mistakes and no sense letting spammers and criminals run free

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Ok, I admit I didn't read the article, by base3 · · Score: 1

      How do you tell what's an honest mistake? Is an "oopsie" transposition of an address or phone number and misspelling of your name, plus maybe a "spam-armored" email address an honest mistake, or a deliberate effort to be unreachable?

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  5. Good news by Anonymous Coward · · Score: 0

    It's such a pain trying to remember the address of Wrigley Stadium.

  6. Double edged sword here by dacarr · · Score: 2, Insightful

    On one hand, it would help kill domains run by spammers, assuming they haven't gone to get a post office box. On the other hand, it would hinder somebody if they change their address - and forget to do so on their whois record. On the third hand...well, as irrelevant as this sounds, you now have to get a DBA or a business license in order to put a business name on a post office box with the USPS, as I recently found out. This is as of 01Jan2004. So it's entirely probable that they won't just get a PO Box.

    --
    This sig no verb.
  7. Require digital IDs/PGP key ? by scupper · · Score: 1

    What about requiring the registrant of a domain name to provide a digital ID or PGP key, and require the same for inquiries?

  8. i vote for improving whois by Kn0w1 · · Score: 1

    something has to be done.. most/all of my spam is because my email was in my domains' whois info (or from NNTP newsgroup from YEARS ago, which didn't get spammed 'til a year or two later). Maybe something that requires human interaction to get the info, so spammers can't run some script and just harvest emails from whois

  9. New sites are the problem by doodlelogic · · Score: 2, Funny

    Why doesn't ICANN just take a few months off, stop any new sites coming out while it fixes the old ones.

    There seems to be more and more internet every day. At this rate I'll never finish reading it.

  10. valid whois is useful by Dachannien · · Score: 1

    I have found whois information to be useful in helping me determine the validity of several mom-and-pop Internet stores. It's also come in handy for providing leads (sometimes forged, yes, but many times even forged info provides a good lead) for tracking down spammers and their employers.

    I'd consider it a loss if the validity requirements on whois degenerated any further than they already have.

  11. Who wrote this, the spammers? by UnrepentantHarlequin · · Score: 2, Interesting

    I've been reading through the working group papers. It looks to me like the whole thing was written by the goddamn spammers themselves. They want to make it virtually impossible for anyone outside of law enforcement agencies (and we know how good they are at stopping spam) from getting whois information.

    We need better whois information, not less of it. We need it available to more people. We need more openness, not more secrecy. Openness cleans up problems -- secrecy nurtures them. Nor is it limited to spam and network abuse.

    A random example ... I saw some very convincing looking information from what appeared to be a grassroots organization on an issue I was somewhat interested in. (arguing against a pollution cleanup) Just out of curiosity, I did a whois on the domain, and found out that it was owned by the company that did the polluting ... the "grass" was astroturf.

    So people can spam me all they like, they can abuse the resources I depend on, they can attack my servers, they can do whatever they feel like, and with their domain registration information kept an ironclad secret by this new proposal, I can't do a damn thing about it. Oh, wonderful.

    Or maybe it was written by the lawyers. One of the criticisms of the current policy by the working group is that it permits person-to-person contact without any lawyers involved. Yes, they actually said that. Gee, how terrible ... you can get in touch with the guy who's got unauthorized copies of your stuff and ask him to take it down, and settle things on friendly terms, without having to pay a lawyer a few hundred dollars to write a letter to say exactly the same thing. Maybe we should all be required to have lawyers walking around with us so that they can pass on anything we might want to say to someone we meet? And lawyers don't like being called "mouthpieces"? Feh!

    1. Re:Who wrote this, the spammers? by Decius6i5 · · Score: 1
      Openness cleans up problems -- secrecy nurtures them.

      You say this, and then immediately thereafter you say:

      Gee, how terrible ... you can get in touch with the guy who's got unauthorized copies of your stuff and ask him to take it down.

      So, I should be forced to provide my personal contact information to the general public so that it's open, but the threats that you send me, whether by lawyer or by crow bar, ought to be kept private?!

      You have a choice, you can force everyone's contact information to be public and allow disputes to be resolved in secret, or you can give people the option of keeping their contact information private and require some disputes to be resolved in a public forum. Why would you choose to prevent the secrecy of contact information over preventing the secrecy of volatile (and sometimes violent) disputes?

      A future in which everyone speaking on the internet is required to make their personal contact information public is a future in which disputes are resolved through threats and intimidation. A future in which requests for contact information are handled out in the open is a future in which disputes are resolved with due process and justice.

      Are you so frustrated by having to delete annoying emails that you are willing to do away with any reasonable balance in society? Are you under the impression that everyone who operates a website is a "potential spammer" and everyone who wishes to obtain the personal contact information of a website operator has good intentions? If so you are surely mistaken.

      Try to think outside of your personal experience.

    2. Re:Who wrote this, the spammers? by UnrepentantHarlequin · · Score: 1

      So, I should be forced to provide my personal contact information to the general public so that it's open, but the threats [chillingeffects.org] that you send me, whether by lawyer or by crow bar, ought to be kept private?!

      You, sir, are delusional. Nowhere in anything I wrote, anywhere, did I say anything of the kind.

      For one thing, requiring my lawyer to contact your lawyer to resolve a dispute is no more open or public than me emailing you and saying "hey, that's my stuff, wouldya please take it off your web page." If anything, it's likely to be less public. Plus, if I had to hire a lawyer to deal with the situation, since my IP lawyer charges me $200 an hour, I wouldn't be able to settle for just having the infringing material removed; I'd have to go after you for damages, not because the infringement did me any actual monetary harm, but because I've got to pay my lawyer, who does me entirely too much monetary harm.

      Again, you are putting totally bizarre words into my mouth. I never said that "everyone speaking on the Internet is required to make their personal contact information public." I never even implied it. Owning a domain name and "speaking on the Internet" are two totally different things. Nor would keeping the ownership of domain names secret from all but lawyers and their ilk prevent the types of issues that chillingeffects.org is reporting. Note that the C&D letters in question are all sent by, guess who, lawyers.

      And no, I'm not frustrated by having to delete annoying emails. I'm frustrated by having to deal with a mailserver groaning under the strain, with customers begging me to make it stop, with things like a business associate not getting a critical email from me because it got lost in literally hundreds of spams he received the same day. We're barely keeping our heads above water as it is. Taking away something that has been one of the few tools available to the victims -- the ability to find out who is bombarding them with the stuff -- and giving the bad guys an impenetrable shield of secrecy will make things much, much worse.

      Having to hire a lawyer to tell someone to quit copying my stuff, or to find out who is hammering my mailserver into the ground with a flood of spam for fake Viagra, will only drive up my costs more. It won't help innocent people in any way -- large corporations who want to intimidate the little guy have plenty of staff lawyers, and even tame judges, to do the job for them. But it will sure as hell gut any chance the little guy has of being able to respond or defend himself against that kind of attack or intimidation.

      Openness has served the Net well for many years. Throwing that away in favor of secrecy, and a hierarchy of haves and have-nots where only lawyers and big companies have access to that information, will not improve it.

    3. Re:Who wrote this, the spammers? by Decius6i5 · · Score: 1
      For one thing, requiring my lawyer to contact your lawyer to resolve a dispute is no more open or public than me emailing you and saying "hey, that's my stuff, wouldya please take it off your web page."

      Good job dude, you caught me when I'm drunk at a hacker con in NYC. You are clearly confused. If my DNS information is private, and you have to file a subpoena with a court in order to get my ISP to offer up my billing information and email address to your lawyer, then you have a court (an independent third party and a public record) involved before your lawyer can send my lawyer an email. This is a very simple concept. Do you understand?

      I'd have to go after you for damages, not because the infringement did me any actual monetary harm, but because I've got to pay my lawyer, who does me entirely too much monetary harm.

      Have you ever sued someone before?

      I never said that "everyone speaking on the Internet is required to make their personal contact information public." I never even implied it. Owning a domain name and "speaking on the Internet" are two totally different things.

      OIC, people with domain names should be tracked in a public database, but if they want to let someone host some anonymous speech on a subpage that's OK. Anonymous speakers shouldn't be allowed to have primary domains, however, because that's dangerous... Controversial political speech should be relegated to secondary status on the internet where it cannot exist on primary domains.

      Nor would keeping the ownership of domain names secret from all but lawyers and their ilk prevent the types of issues that chillingeffects.org is reporting.

      Actually, that's exactly what it would do, because if you needed a court's approval to subpoena the contact information before you could make threats you would have to have a claim that has at least a feasible basis in the law.

      Taking away something that has been one of the few tools available to the victims -- the ability to find out who is bombarding them with the stuff -- and giving the bad guys an impenetrable shield of secrecy will make things much, much worse.

      1. I'm not advocating that the ability to find out who is "bombarding them with the stuff" should be "taken away." I'm advocating that a court ought to be involved when you do this.
      2. Are you telling me that criminal spammers just up and stop because you send them a polite email asking them to? Man, the spammers targeting your servers are a hell of a lot cooler than the ones targeting mine!! How do you do it?!

      Openness has served the Net well for many years.
      Once again, this isn't about openness versus closed. Either everyone with a domain has open contact information and the threats sent to domain holders are closed, OR people with domains can choose to have closed contact information and the threats have to be open. Choose wisely. The future depends on it.

      BTW, I'm drunk, and I asked my friends here at HOPE if I'm being too much of a dick here. They said "there is no such thing as being too much of a dick on slashdot." I'm not sure I trust my friends. So, like, maybe when I'm sober I'll be cooler. But my opinions won't be different. Think about it.