Privacy Advocates Bemoan the Problems With WHOIS
An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"
For what? These days, everybody is registering private domains through people like DomainsByProxy. Whois is becoming more and more useless. Might as well chuck it.
My blog
http://privacy.ca/info.asp
In one episode last season, Ando showed up at Niki's house, having been able to find her because she listed her home address on the WHOIS record for her website.
(The unspoken moral: use a PO Box, or some guy from halfway around the world will drop in on you unexpectedly.)
The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters
Every major domain registrar lets you do a "private domain registration" for a few bucks extra. They replace the WHOIS data with generic info plus a uniqueID, which lets you contact the domain owner through the registrar.
Pretty simple - not rocket science.
I am sure that the registrars will happily hand over the actual domain registration info to duly authorized law enforcement with a court order.
Further, any legitimate business puts a mailing address/phone number/fax number on their website. Having the same information available in whois isn't an issue.
Identification information is going to be kept for each domain, whether whois exists or not. It's just a question of whether it will be open to everyone, or just to the registrar, their employees, your hosting provider, your ISPs, credit card companies, data thieves, third parties the data is sold to, people with court orders, and warrantless government surveillance programs.
Whether whois exists or not you have no privacy - but with whois at least you know it.
I've been dealing with something like this for years now. I had a domain squatted out from under me by the same people that are written about at www.rootfest.net/squatters.html
When I first purchased a domain back in 1997 (for $75/yr) I was under the age of 18. I used bogus information because I did not want people to be able to retrieve my personal information. Since then, I have continued to use bogus contact info on almost every registrar. Well, not too long ago I started getting contacted by various OpenSRS registrars saying my information was incorrect and that I needed to update it. I replied saying that if they supply a service that hides my information from public WHOIS servers I will happily give them my info; most of them did not offer this.
I have to agree that the WHOIS system is a nightmare. More registrars need to support cloaking of email and contact info. I AM NOT A BUSINESS. I do not want my information being public..
And actually, the same thing goes for HAM handles. I hate the fact that you can look up the home address of anyone you talk to on the radio. That also needs some kind of "opt-out" option for those who don't want their info public.
It used to be when I had to contact someone, the whois information was accurate, complete and, when I dialed the number, I got a live human being that actually was able to address my issue. And, life was good.
Now, it seems even reputable domains are hiding behind private registrations or have outdated or deliberately incorrect information. Bleh. Problems that used to be able to be solved with a pleasant phone call now require hours of my time if the task is even possible.
So, my first choice would be that whois domain information take a giant step backward to the days when it was useful information. If that isn't an option (and going back in time rarely is possible), get rid of it altogether.
The main problem is that ICANN wants to use whois for a different purpose than the original one. Originally whois was used for providing technical and administrative contacts for networks, which back then more or less mapped to 2nd or 3rd level domain names. These days the owners of domain names are mostly individuals who do not manage the networks that serve their domains and would be pretty useless to contact using this method. Nowadays, you would look at the ARIN data to see who is responsible for the network.
What ICANN wants to provide is an easy method for the Lawyers of corporations to go harassing people that hold domain names their companies want to use.
i sold an old Mac laptop with system 7.5 to a girl for $200 with a printer about 7 years ago. She had little money, and for what she needed - a way to type homework in her dormroom and print it - $200 seemed reasonable - it did what she told me she wanted it to do, and she tested it at my place and everything worked just fine (2 cheers for Word 5.1 on system 7!). I made it clear that this was *not* an internet workhorse, and that if she wanted that, she needed to go to the bookstore and buy a new computer. "No no, i just want to type papers and print them in my dorm room".
So, of course, the first thing she did was attempt to install a bunch of new internet software (browsers, school's First Class server client) on it which of course didn't work. Then she took it to the school helpdesk, and they (rightly) had no idea what to do, so instead of telling her to get jammed, they screwed it up completely. So, she calls and says she wants to return it because it doesn't work. I'm like - yeah, what the hell do i want with a fscked up powerbook and printer? I don't want to buy it - i just sold it to you like two weeks ago.
time passes... and i start getting threatening emails from some guy on a yahoo account with ($myname)fucker@yahoo.com. Then he starts saying that he's going to come after my wife and he's watching her car when she comes home at night. That was fscking it. It's the girl's mental patient boyfriend.
Long story short - he was actually stalking whoever in the hell was in my old apartment - it was pure coincidence that the new tenants also owned a Honda Civic too.
Where, do you think, he got the address? Of course, from my whois entry when i didn't have any money to buy a PO Box.
Yeah, if you think i'll ever give out my information to my actual home or office location - ever - you've gone daisy, my son. ICANN and everyone else can demand all they want that my info be correct - but i don't answer to them, so they can kiss my ass.
In fact, because of this, a guy who started, then stole, the website of a non-profit (they've set the donations address to their address, but the actual non-profit is in Africa, so it's hard for them to fight the problem) is going to be getting a legal foot up its ass because i know where he is and where he lives and his work address - all because he's broadcasted it in whois and on his webpage.
ICANN can't make me do anything.
guns kill people like spoons make Rosie O'Donnell fat.
It does me no good to try to contact someone through WHOIS with their nonexistent email address, their disconnected phone number, and their fake shell company. In those instances where I can work out a networking problem with a legitimate company, university, or ISP based on accurate WHOIS info, it makes life much easier than calling a techno-peasant receptionist and explaining who it might be in what possible department that might handle the kind of thing I need to talk to someone about, only to find out that the network is provided by someone entirely different.
In all, I'd say that ARIN's, RIPE's, and APNIC's IP-based WHOIS are much more useful than any of the domain registrars' collective WHOIS systems. If I'm contacting someone about a site and there's no contact info on the site itself, the WHOIS is probably useless anyway. If I'm working on a problem of wacky routing, mysterious traffic origination, packet loss, or the source of an attempted security breach, contacting the IT people in charge of the network in question directly is often the fastest and easiest way to get things resolved. There is no other reliable place to find solid information on who to contact about the IP space, which is different from a website that usually has that information in-band. Reverse DNS can be useful, but it's far from reliable and still doesn't give me the contact info.
Private domain registration is a pain, but it does solve the spam problem of public WHOIS information. I can think of alternatives, but none of them are clearly much better. However, as I already said, I think the domain name WHOIS services are less useful and less important than network WHOIS anyway. For network WHOIS, private registration shouldn't even be considered.
The internet is a venue for free speech, and any discussion of privacy concerns needs to keep that in mind. From the American perspective, free speech is sacrosanct, and one guarantor of free speech is anonymity. WHOIS (in theory) removes the ability to publish anonymous content via a self-owned website.
Most of the people clamoring for WHOIS to remain are those who have intellectual property to protect (especially trademarks). Without getting into a debate about whether trademarks should exist (please! that's for another discussion), something like WHOIS is necessary for people to protect their trademarks -- and the current law in the US requires this.
So the basic discussion is to weigh the interests of IP holders against any free speech infringement that WHOIS creates.
In my thinking, there are plenty of other ways to publish anonymously on the internet. Registering a website is not required; therefore, identification requirements for registering a website don't really infringe upon free speech -- especially considering that it is trivial to enter fake information for WHOIS registration.
One possible solution would be to require registration information, but then to not allow public access to the information. Those who wish to pursue action against potential trademark violators could then get a court order for the registration information to be unsealed. While this would in theory help safeguard privacy, it's only as safe as the court system (and by extension, the laws that guide the court system) that applies. It also runs into problems with international registrations, and if ICANN is in theory an independent body, hands too much power over to a particular government. Finally, it adds even more bureaucracy to what should be a free flow of information.
In the long run, I think the only mutually beneficial solution is to require information to be registered, but find a way to limit access to that information to legitimate requests. This may be an impossible task, in which case we should all just throw up our hands in despair and let anarchy reign in the tubes.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Anyone who has had to deal with the Domain Registry of America will understand this.
Soon after one of our clients registers a domain with us, these lovely people will send a very convincing snail-mail to the customer based on their whois data with a payslip attached, saying words to the effect of "Your domain will expire unless you register with us!"
In the UK, the Office of Fair Trading seem to have turned a blind eye to this despite numerous complaints.
-daedalusblond
Speak for yourself. I use whois every day. It's invaluable.
OK. WHOIS is being used as a source for marketers for use all over the World.
I don't have the time or resources to take calls from Joe in Seattle who wants to sell me his company's ASP.NET expertise (especially when I'm a LAMP operation)!
I prefer Flambe as opposed to flamebait.
So when are we going to replace email with Internet Mail 2000?
The masses are the crack whores of religion.
But, if you scrap Whois, you remove a nice money earner from registrars from people / sole trader businesses, that pay extra for their domains / renewals to be protected against their personal data from appearing in Whois.
It'd be nice for Whois to not exist, but I doubt it ever will be scrapped.
Take Nobody's Word For It.
Whatever, they can make a new "WHOIS" that doesn't give out your address, phone number, email address, and basically all your private contact information - on the internet. Before someone can get whois information, they should be questioned to make sure they have a legitimate claim - and then the questioner should forward that complaint/information to the site owner, and allow the site owner to decide whether to divulge their information to that person or not. Basically, it's what a lot of domain services already do, only that should be the DEFAULT for WHOIS - not an extra, expensive option.
If you do business, people have a right to know who they are doing business with!
Two things, let's say Microsoft has a pro-windows or anti-Linux blog talking about how their company found that many Linux distros contain trojans. Now let's say these blogs are done with anonymous registration?
Is this kosher?
Fight Spammers!
Considering how ICANN doesn't seem to get anything done, or done well, they should probably become ICANT.
The way I see it, you have two choices here:
* you could use it as a lesson in being secretive and hiding.
* you could use this as a lesson in treating people more compassionately
Note that the first option is completely unnatural: in the normal social interactions we all evolved for, you can't talk to someone while keeping everything about you secret. Sooner or later, you have to face the responsibilities that come with being able to affect other people's lives.
I own a number of domains and I completely agree that the WHOIS system needs a major overhaul. For one or two domains I actually purchase extra whois privacy from GoDaddy, but for the most part this is just added cost for me to patch a broken system. Why can't I pick and choose what info to show?
On top of it, if I own a .ca domain, I'm forced to use my real name not my company name and my .ca registrar does not offer domain privacy on .ca domains.
I get a ton of spam to the email address I use for my domains, so this address has its anti-spam set WAY up. I even get occasional phone calls about my domains - usually scams, but recently it was a good thing because I sold one of my domains for $5K (though why the person couldn't just use the contact info on the actual website is beyond me).
But, basically I think you should be able to opt for privacy at no cost. Seems like a no-brainer to have a privacy flag as part of the database. Or maybe provide a url of a contact page where you can determine what to show or just provide a contact form box.
I am suing (http://www.barbieslapp.com/spam/e360/timeline.htm) Moniker for providing anonymous whois to David Linhardt (http://www.spamhaus.org/organization/statement.lasso?ref=3).
Moniker has been providing Linhardt/e360Insight, with hundreds of anonymous domain names. This makes it difficult, if not impossible, to determine which domains are his. With anonymous registration you cannot tell if the 1000 of spam you received today are from 1000 different companies that may have mistakenly added you to their list or from one hardcore spammer.
Legitimate businesses have no reason to hide their identity.
Fight Spammers!
What is it useful for? To contact a domain owner and inform him about abuse or fraud, or identify someone who is using a domain for criminal activity. So far the theory.
In practice, you can rest assured that not a single domain used for things like ID theft has ever been registered to a real name. Earlier, they registered with registrars who didn't check information (so you had funny entries like some guy whose information was already grabbed in an earlier phish registering a domain for a server in Malaysia), and when registrars felt the pressure, they simply use registrars now that allow you to put their name in instead. Complaining with those registrars results in a "we're looking into it" until the domain is no longer used by the ID thief, so the problem solves itself.
So either require people to put in truthful information and remove registrars that don't comply, or get rid of it altogether. In its current state it serves no useful purpose. The current system only aids criminals, on both ends.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"hello?"
"hi, this is some random yahoo you don't know who is looking at your website. i have my own agenda about what needs to be 'fixed' on your website. whenever i go to your website it doesn't do x, and i want that done"
"oh, ok sir, we'll get right on that, give me a few hours"
when was that ever a valid scenario for you
i hope you're talking about fighting email spam or worms from rogue domains
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
WHOIS is rather lame because of fake data, and most who fake data usually do so because they don't want to give worthwhile contact details to the whole world. However, a lame WHOIS is better than no WHOIS in my opinion. I think it's valuable to have at least a registrant name provided in WHOIS, at the very least to serve as some record of who originally registered a given domain name in the unlikely but not unheard of issue of hijacking. I think perhaps ICANN should build and maintain a private contact database and fund it through an additional $1.50 fee on registrations. ICANN would provide a special privreg@icann.org address that one could email to contact the registrant (with strong spam filtering). I administer a fairly high profile site, but my webmaster address really doesn't get that much spam - that's why I think my proposed solution would work well in most cases. A person gets a valid email address to contact and not much else. Finally, if the person wishing to contact the registrant wants a physical address of the registration, ICANN should require nothing less than a court order. That's my initial idea - how do you like it?
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
I would say the best use of WHOIS is when you need to contact the owner of a business domain. Like many others I've seen boatloads of complaints from people here about their own private domains and how badly they hate WHOIS.
To those private owners, I could care less if their home information is available through WHOIS, as long as they aren't selling illegal merchandise through said domain and pumping spam for it all over the world.
However, when international criminals register domains to sell pirated software / bogus pills / etc... I do believe WHOIS is still useful. When you can obtain the WHOIS information for the criminal domain, it gives you someone to contact about that activity. People who care enough to do this have managed to progressively change the policies of registrars who were frequently used by spammers for nefarious purposes.
And further investigation into WHOIS data can lead someone to even more critical information, as well. Being as the WHOIS record contains information on the DNS servers that are resolving the domain, a person who wants to really dig deep can find where those were sold as well. A little hint: the spammers often use only a short list of DNS servers for a large number of their domains.
So in summary, before people rally around ICANN with pitchforks and torches to demand the demise of WHOIS, I ask you please consider a solution for the applications where WHOIS is still useful before insisting that it goes away completely.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I wish you good luck with that. Far too many registrars have intentionally sold WHOIS obfuscation services to known spammers. I encountered the same thing with "Leo Kuvayev / Alex Rodrigez / BadCow", who took advantage of those services from several registrars (pacnames.com comes to mind immediately).
At least you found a registrar that you can sue over that. Most of the ones I have encountered thus far have been based in other countries (or at least claiming to be), which of course makes a lawsuit pretty well worthless.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
In response to customer inquiries about why such-and-such a domain isn't resolving, I do hundreds of checks a month to verify that domains actually exist, since a sizable percentage have non-functioning DNS. I also query to see if domains we are about to drop from our authoritative DNS service are actually gone.
Not to say the whole whois scheme is a mess, but some sort of non-DNS, free service needs to exist to verify that a certain domain either exists or doesn't.
The other thing that irritates people the most, besides the privacy issues, is that there is such inconsistency in how the whois info is made available.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I think that WHOIS should be required to keep an accurate, legit database of domain registrants. Registrants of domains should be required to have at the least a verified mailing address and phone number, and logically an email address as well so they can communicate with the registrar.
Compare having a domain to purchasing real estate. You would never get anywhere trying to rent or purchase a retail location with a bogus name, address, phone number, email address, etc. I think domain registrants should have the same level of accountability as the brick and mortar establishment. This is where it would be advantageous to have personal domains as a separate top-level domain for which private information would be kept private.
The parent post said snail-mail, I misread it and thought they said email - I should have double-checked before I posted. My bad.
I believe there should be NO PROXIES for domain name info. I think having such feeds into SPAMMERS. I'd rather be able to go to a WHOIS and find out who the heck is SPAMMING me and get them to stop. (I've done this on a couple of occasions.)
- Saj
I use whois everyday to check domains and IP's from command line. The simplest way to get an IP range is just "whois xxx.xxx.xxx.xxx" and then block/allow the whole range depending on your needs.
It's an invaluable network tool and just like DNS, you can't just scrap it. That there is abuse is always going to be a problem and that can be done with any list you put your data on. Ever wondered why you get so many credit card offers in your mailbox? Yes, it's because your name and address is somewhere on a list and most likely you have put yourself on it by using your address with either a banking institute or a vendor. You can't stop abuse by taking away services just like you can't say that you are going to solve those credit card offers in your mailbox by removing the postal services. If you do, the abuse is just going to shift from whois to your webhosters' site or DNS just like the credit card offers will be carried out by FedEx or UPS.
Custom electronics and digital signage for your business: www.evcircuits.com
Simply require accurate information be input. If it cannot be verified, delete the domain and make it available. Dis-allow secondary 'registrars' from using false information. Cut them out of the picture.
Everyone who has a domain name, needs to be held accountable. Simple. No big deal, unless you are a low life asshole. THEN you need stopped from ever registering ANYTHING ever.
:P
www.zoomshorts.com WHOIS pulls my info up just fine.
The actual ICANN report shows they're deadlocked, all right. See this timeline.
Most of the privacy advocates are referring to the European Directive on Privacy. That only applies to individuals not engaged in business. For businesses, the European Electronic Commerce Directive (2000/31/EC) applies. And it's very clear. Any "natural or legal person providing an information society service" must disclose name, real-world address, and E-mail address. No exceptions.
California has a similar law. It's more narrowly drawn, only applying to sites that take credit cards, but it's a criminal law - six months in jail for not disclosing the "actual name and address" of the business.
WHOIS policy should take that into account. There's a legal obligation to disclose name and address information for businesses. It's not optional.
Our SiteTruth system is based on these laws. If a web site is selling or advertising something, and we can't find a business name and address for it, its rating is toast. We scan each site for human-readable postal addresses (some people would call this "semantic web" technology). We check commercial business databases. We check SSL certificates. We look at Open Directory. If we can't find a business name and address after doing all that, the site's rating is a red "do not enter" sign, and we kick them down to the bottom of search results. Once we have a business name and address, we have something to look up in business databases, corporation records, business license records, credit ratings, criminal records, etc. Plenty of data is available about businesses once you have a name and address. No more "on the Internet, no one knows if you're a dog". We know.
We haven't found WHOIS data very useful in doing this. WHOIS data quality is awful. Many entries are phony. Mailing addresses on the web site itself tend to be more accurate. Using a phony business address is felony fraud in most jurisdictions, so that's relatively rare, and mostly shows up on phishing sites. So we cross-check with anti-phishing databases to kick those sites out.
It's quite possible to use this approach to check WHOIS information in bulk. If ICANN actually cared about WHOIS data quality, they'd check the data against postal databases and business databases. They don't.
...at my last job I would use it a lot to lookup the full range of netblocks for mail servers that did not behave well with greylisting. Mail farms with greylisting when the other end treats 4xx's like 5xx's is annoying.
It's also the method I used to stop abusive networks (usually in china) from hitting ours. You know one address, you can find the full range assigned to them using whois.
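The two comments above that describe running `whois` on an IP address and then blocking or allowing "the whole range" leave out one practical detail: a response often lists both a parent allocation and a smaller customer reassignment, and registry ranges are not always CIDR-aligned. The following is an added example, not code from any poster in this thread; the sample responses are constructed from documentation address space, and the function names are hypothetical. It picks the most specific range that contains the queried address and converts it to CIDR blocks suitable for a firewall rule.

```python
import ipaddress
import re

# Constructed sample responses (documentation address space, not registry data).
ARIN_SAMPLE = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-PARENT
OrgName:        Example Transit (constructed)

NetRange:       198.51.100.64 - 198.51.100.95
CIDR:           198.51.100.64/27
NetName:        EXAMPLE-CUSTOMER
OrgAbuseEmail:  abuse@customer.example
"""

RIPE_SAMPLE = """\
% constructed RIPE-style object
inetnum:        203.0.113.10 - 203.0.113.40
netname:        EXAMPLE-NET
"""

# ARIN labels the range "NetRange"; RIPE and APNIC use "inetnum".
RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_ranges(whois_text):
    """Return every (first, last) address pair found in a WHOIS response."""
    ranges = []
    for first, last in RANGE_RE.findall(whois_text):
        try:
            lo = ipaddress.ip_address(first)
            hi = ipaddress.ip_address(last)
        except ValueError:
            continue  # malformed field: skip it rather than guess
        if lo.version == hi.version and lo <= hi:
            ranges.append((lo, hi))
    return ranges


def blocks_for(ip, whois_text):
    """CIDR blocks of the smallest listed range that contains `ip`.

    Choosing the smallest range avoids blocking a whole upstream
    allocation when only one customer reassignment is misbehaving.
    Returns [] when no listed range covers the address.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [
        (lo, hi)
        for lo, hi in parse_ranges(whois_text)
        if lo.version == addr.version and lo <= addr <= hi
    ]
    if not candidates:
        return []
    lo, hi = min(candidates, key=lambda r: int(r[1]) - int(r[0]))
    # A range that is not CIDR-aligned expands to several blocks.
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    print(blocks_for("198.51.100.70", ARIN_SAMPLE))
    print(blocks_for("203.0.113.20", RIPE_SAMPLE))
```
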
"hello?"
"... ... Steee-faaan. Stee-faan, I found your resume online and I think I have a job opportunity you might be interested in. Do you work with ... ... Inter-web?"
"Hi Sir, this is Jack from DomainsRus. We want to warn you that your domain will expire 'real soon now' (9 months) and that you better register your domain IMMEDIATELY or you will lose your website. Registration only costs $159.99! Can I have your credit card number?"
-- or --
"Hi Sir, this is Jack from DomainScam.com. I want to BUY your domain!"
-- or --
"Hi. I was calling for
"Can of worms? The can is open... the worms are everywhere."
I remember years back when I first got DSL and, for a lark, ran a whois lookup on my IP address. I nearly shit my pants when my private customer info with SBC appeared. So much for anonymity on the internet, I thought.
For anyone who does have DSL, or otherwise is spending their time pretending to be a 16yo girl on usenet, this link might be helpful to get yourself a more appropriate "Private Customer" designation. I'm sure cable users have a similar option available to them.
The lesson I took away from the experience is even if you want your own domain and you're just an individual, get a lawyer to set up things for you and have his name and address appear on everything. It may be worth the extra few hundred bucks a year.
I have had a long dislike of whois.
For one it gives people a major way to steal domain names. People look up the domain name that they want in the public record, find the email address, and try to crack the email. If they can get the access to the email then more than likely the domain can be stolen. Then us poor techs get a call several months later from the true customer wondering what happened to their domain. Whois reveals too much information.
Secondly it isn't accurate. People see their name in whois and think that means they get to make decisions on the account/domain. Just because your name appears in whois does not mean you are listed on the account itself. But try explaining that to their ex-(terminated)-webmaster.
And lastly WhoIs is a major pain to explain. Try telling a paranoid customer that all domains appear in whois, and that you can't remove a domain itself from whois. My sup can't remove it from whois. The president of MegaDomainRegistrar can't remove it. Sorry, no, I don't have a phone number for ICANN. We can hide the info, but we can't make it disappear.
But then to be fair, I can't think of an alternative system to keep the domains and websites fair and accountable. Complaining to a registrar/webhoster about a domain/site is next to useless unless it is unquestionably illegal or definitely a trademark issue. Most cases get shunted to the legal department, which gives the unhappy complainant a copy of the AcceptableUsePolicy and asks them to submit proof of infraction (yeah, good luck). Usually it takes a dedicated lawyer to get things done in these cases. So for now, whois stays.
I think this is crazy. The whole point of having a domain name, is so that people can look you up and contact you. If you don't like that some of them do contact you, or that some of them contact you for purposes other than what you intended (they send you a Viagra ad instead of a HTTP request) then get over it. Or tell people to use your IP address instead of a name, or live within someone else's domain (there isn't really anything wrong with your personal web page being at http://someisp.com/~yourname).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I agree with you, up to a point. I really have come to feel that if a domain exists for a non-profit purpose (ie they are not selling anything), then I don't care who owns it.
But if you open a website and you want to sell something, then you damn well better be willing to be held 100% accountable. I think the process of opening a business (in most US states) is a good parallel. Most states require you register your business information with the state. Otherwise most places don't require you to list your home address in the phone book.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
GoDaddy is usually about $8 for a domain, and another $8 for privacy service (this goes up and down all the time, I know, based on sales, quantity, and whatnot). I got tired of not knowing if my domain would cost me $5 one year, $18 the next, and so on, since I manage multiple domains with different TLDs. Then, if you ever have to contact their tech support, well... let's just say I hate phone trees. I'm not trying to advocate any one company, but I did my research and found a registrar that charges a flat $15 period, and provides privacy service at no charge to TLDs that allow privacy. Better yet, if you call, you don't get a phone tree, you get a person! They may not be a billion dollar company, and they may not be able to register practically every tld in existence, but they work really well for what they do. GoDaddy otoh is an extremely large company, and can get away with charging double to get private service, and then to be treated like a number and not a customer. I'd prefer to give my money to the smaller guy that provides better service.
For argument's sake, though, I suppose you could argue that since GoDaddy charges $8 for the domain and $8 for privacy, and the company I'm referring to charges $15 for both, you could easily say they're just including the privacy fee in their base fee. They still charge $15 for domains that don't even offer privacy service... So, if you look at it that way, GoDaddy is providing service by allowing you to not pay for this if you don't need it. So, while I prefer getting the service, it's not really that bad of a thing that GoDaddy charges that much for it, I just wish they made it a little less painful (say, managing the privacy through godaddy.com and not their third party website).
Overall, I agree with what the parent said about opting out. Having the whois data is not a bad thing, it's just that not everyone in the world needs to have access to every detail. I believe the term "principle of least privilege" applies here.
Overall, I would say that the current system would work in general if the data were restricted as far back as the registry itself, and not just by inputting address forwarding values by the registrar. If you want the rest of the information, I'd say that the registry (or 3rd party registrar) should only give the information out via a request that is mailed in. Or if you're doing it online, require a very small charge to view the full data (say, $0.50, since most CC processors want at least that much, and restrict the amount you can charge to per card for this, to prevent mass inputs of stolen card info). For that matter, you could even have a system in place to accept the requests in online, but require a valid phone number and have the system call back to provide the information. If this were the option that were implemented, I'd say that a recording would even be acceptable; no additional jobs then to staff a call-center, just staff to keep the equipment running. I'd just suggest not having it call immediately (say, 24 hour period?), and only provide so many lookups to a number per month. All of these things are still beatable, but at the very least make it much more difficult to get to the information. Basically, at this point, almost anything would be better than the current system if the information could be blocked if the user wants it. I also would say that at that point, perhaps something could be worked out to verify the whois data IS correct. If someone pays via credit card (paypal does this too), get the contact address/phone from the credit card company. It would block check payments, but that can be done through Paypal too.
Obviously none of my ideas are perfect, and may not be an improvement overall, but I do hate all the junk mail/telemarketing calls/junk email I've gotten in the past due to my info being out there.
The technical contact is a special case, because it probably shouldn't be based in the domain it's supporting, since a common reason for using it is that something's wrong with the DNS server or the web/email server supporting that domain; and therefore it's most likely to not work when you most need it - so it needs to be handled somewhere else (like a commercial email service, or perhaps even a forwarder at the DNS provider), and it probably should have good spam filtering. At a medium-large company, the phone number should go to a help desk, which isn't a privacy problem either, but for an individual it's annoying but useful to publish the number.
The billing contact is another special case, because the only entity that needs to access it is the DNS registrar that's handling name registration - it should probably be hosted somewhere other than the domain (again because it has a good chance of failing when it's needed), and spam filtering can be a very short whitelist. I don't see a legitimate need for it to be public.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The Canadian Internet Registration Authority (CIRA) will implement a new WHOIS policy in March to comply with Canadian privacy laws (particularly PIPEDA).
I've been following the additional-TLDs issue since before ICANN existed, when the IETF Ad-Hoc Committee was trying to do that. Even back then, they were under sufficient pressure from the Trademark Gods to make sure that anybody who registered a TLD provided a True Name and True ICBM (er, process-server) Address, because the Trademark Gods wanted to be sure anybody who owned a potentially infringing domain name could easily be sued. The IAHC had some concerns about privacy issues with that; ICANN, of course, has no such scruples, since the only "IP" they care about is "Intellectual Property", not the "Internet Protocol".
Bill Stewart
> Legitimate businesses have no reason to hide their identity.
Ordinary PEOPLE, however, do.
After I got harassed online, I never gave out my real name again until I knew the other party enough to trust them. And so far, I've yet to regret doing things that way.
Don't tear down the protections ordinary people need in order to go after true villains, please. We've had quite enough of that already with the War on Terror.
The trademark ownership issue has been a major driver since before ICANN - the IETF Ad-Hoc Committee that was trying to expand the number of global TLDs before ICANN took over were under a lot of pressure from the Trademark Gods to make sure that anybody who registered a name provided their True Name and True ICBM Address (er, process-server address) so that trademark lawsuits could be resolved without needing to drag the DNS registrars into the process. I think that's unnecessary - it's reasonable to have a Uniform Dispute Resolution Process that says that if you don't provide usable contact information then you're presumed to lose a trademark dispute for non-generic names, as opposed to preemptively violating your privacy.
In practice, the main reasons I use the whois owner name are to try to make sure I've got a correct email address for somebody if I'm not sure, or sometimes to see if it'll help me contact somebody whose website doesn't provide useful information (e.g. spam complaints to abuse@ get ignored), but I've found that if somebody's a sleaze, they're usually providing non-useful information in their whois records.
There was one spammer I could have probably sued successfully, but their whois address was a box number in Greenville DE, at the same address as The Company Corporation, which has been the canonical place to set up cheap Delaware corporations for the last 100+ years - so the most I'd get if I successfully sued them for everything they were worth would have been the contents of their file folder, and they'd have had to go pay another $100 to get another shell company. I guess I might have also acquired their intellectual property, like the trademark on ScammersRUs.com or whatever they were called.
Bill Stewart
It's unfortunate that we live in a world where interest groups can set up 'grass-roots' web-sites to give their cause a fake air of respectability / newsworthiness / gravitas. Without WHOIS, the layman would have one less tool to find connections and follow the money.
I've been modded down before for citing one example (Flamebait), but I believe the example is warranted. In the US 2004 Elections, the Swift Boat movement was portrayed in parts of the media as just a bunch of Vietnam Vets that wanted to get their opinion out there. WHOIS tied their websites to a think-tank named The Donatell Group, and gave SourceWatch.org the ability to show how orchestrated this 'grass-roots' effort really was.
I'd be interested to see exactly WHO is pushing for this curbing of WHOIS...
Shiny. Let's be bad guys...
I have owned domains for around 8 years now, and have used WHOIS even longer. Sure there is fake information out there, but legitimate domains will have working contact information 99.99% of the time. These days, I've mainly been looking up information for abuse contacts at large e-mail provider domains, but generally it's been useful just to find some sort of live contact for website problems, or any other failed or crippled service.
Back in '99, I planned ahead before I registered my domains. I rented a P.O. box. When I registered, I gave my P.O. box number and the telephone number of the company I worked for. The work number doesn't give complete privacy, but at least it wasn't my residential line. With the advent of Skype, I bought a Skype-In telephone number with voicemail. Now I don't even have to worry about disconnected or company phone numbers. The e-mail address for the domain contact is a special one I set aside. All of my information is correct, and all of my personal details are hidden. I don't care who sees my name.
No one has ever had a problem with my contact details. My e-mail and box addresses have always been live, and, now my telephone number is also live and direct. I may not answer a message right away, but I'll get it eventually. And I don't really care about spam. My domain contact's inbox is not linked to my personal inbox, so I don't see it everyday, but it's not like I'm going to run out of space. Deleting is easy too. As far as my P.O. box address, I hardly ever get junk mail. I have more problems getting the post office to stop delivering mail addressed to the guy who had the box several years ago. And now with the new Skype number, I can just deal with the voicemail like e-mail.
For those who say they couldn't afford a P.O. box (and now a voicemail number), I say they can't afford their own vanity domain. And today some registrars even offer private registration for a small fee. If you want privacy, there are options. Sure it will cost a bit extra, but why buy a house if you can't afford to maintain it? For all the rest, free e-mail accounts are being offered. And if you're running a business, there's no excuse for not having correct information.
Those who are complaining about the privacy of WHOIS are just complaining. The root of the problem lies elsewhere.
What ever happened to the battle cry of /. "Information wants to be free."?
Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
Anyone who wants to scrap whois servers just for domain ownership privacy reasons obviously doesn't know about its usefulness for getting assignee of record for IP blocks. That's much more useful when dealing with spam or security issues. Instead of getting the domain name owner, you're getting the info for the people who actually use that specific block, as well as the info for whoever assigned them that block. Very important in case you're getting hit by someone who won't respond to your complaints, because you can take it up with their immediate service provider. It's also used for looking up AS (Autonomous System) number information, which is a whole topic itself.
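An added illustration of the IP-block lookup described in the comment above (not part of the original thread): it reads a WHOIS answer for one address and returns the organisation using the block followed by the provider that assigned it, each with its abuse contact. The sample answer is constructed, and the `# start`/`# end` markers and field names (`CIDR`, `OrgName`, `OrgAbuseEmail`) are assumed to follow ARIN-style output; other registries use different labels.

```python
import ipaddress

# Constructed sample (documentation address space, invented organisations).
SAMPLE = """\
# start

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-UPSTREAM
NetType:        Direct Allocation

OrgName:        Example Transit Provider
OrgAbuseEmail:  abuse@transit.example

# end

# start

NetRange:       198.51.100.64 - 198.51.100.127
CIDR:           198.51.100.64/26
NetName:        EXAMPLE-CUSTOMER
NetType:        Reassigned

OrgName:        Example Customer LLC
OrgAbuseEmail:  abuse@customer.example

# end
"""


def parse_records(text):
    """Return one dict of fields per '# start' ... '# end' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "# start":
            current = {}
        elif line == "# end":
            if current:
                records.append(current)
            current = None
        elif current is not None and line and not line.startswith(("#", "%")):
            # Split on the first colon only, so IPv6 values survive intact.
            key, sep, value = line.partition(":")
            if sep and value.strip():
                current.setdefault(key.strip(), value.strip())
    return records


def escalation_chain(text, ip):
    """List the records covering `ip`, most specific block first."""
    addr = ipaddress.ip_address(ip)
    chain = []
    for rec in parse_records(text):
        # A record may list several comma-separated CIDR blocks.
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for c in rec.get("CIDR", "").split(",") if c.strip()]
        covering = [n for n in nets if n.version == addr.version and addr in n]
        if covering:
            best = max(covering, key=lambda n: n.prefixlen)
            chain.append({"network": str(best),
                          "prefixlen": best.prefixlen,
                          "org": rec.get("OrgName"),
                          "type": rec.get("NetType"),
                          "abuse": rec.get("OrgAbuseEmail")})  # None if absent
    return sorted(chain, key=lambda r: r["prefixlen"], reverse=True)


if __name__ == "__main__":
    for hop in escalation_chain(SAMPLE, "198.51.100.70"):
        print(hop["network"], hop["org"], hop["abuse"])
```

The first entry is where a complaint goes first; the next entry is the upstream to approach if that contact does not respond.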
That's exactly the problem.
Today we get all the "Whois revealed my home address and my kid got a rude talk from some strange one-arm guy because of my SaveTheGators.com"
Tomorrow it will be "All these pedophiles hide behind anonymous Whois services, think about the children".
I guess a PO box is the way to go for now; legal authorities can always get it through due process (usually).
IMHO WhoIs should be handled by whoever handles your domain (GoDaddy and others) and be subject to the same privacy as your billing address.
A scam in Canada (the same people that did this in the US, Australia and Europe) is sending "federal authority looking" (flag and all) snail-mail envelopes, "Urgent! Pay now or you might lose your domain", at $40 per domain. (Check Domain Registry of Canada.) They (my guess) use the WhoIs and send letters to all Canadian address registrants. Numerous vendors are losing clients.
Friends are getting calls from clients: "I paid you, what is this gov stuff?" Others pay but no domain transfer occurs, so they think it's your fault; they paid the federal gov, you deal with it.
Perhaps we should change our charity of choice.
Seriously, I hate articles like this that tar us all with the same brush.
"Ooh look the liberals are fighting- I guess you just better trust Big Republican Daddy Government to do what's right for you."
y'all gon troll me, aint'ya?
The problem with this is that you cannot be served with a lawsuit at a P.O. Box. Furthermore, if you are not using a real name, how do I know you are a hardcore spammer sending spam using bunches of anonymously registered domain names as opposed to one misguided business owner that typed in my e-mail address from a web site that I posted a comment on?
Fight Spammers!
The .name registry charges for WHOIS contact details already.
https://whois.nic.name/
I really appreciated that, because it showed that, like most of Hollywood, these writers only know enough to be dangerous -- but unlike most of Hollywood, they're stopping with what they know.
This after losing all respect for Law & Order: "He's using an encrypted IP address, so I can't trace him directly, but I can put up a trace program, so that the next time he goes online, visits a website, we'll see the same encrypted IP address, and be able to trace him." (This is almost certainly filtered through my own understanding to make somewhat more sense. Trust me, the real one was much worse.)
Don't thank God, thank a doctor!
I think hiding the ownership of a domain (or IP address information) opens up opportunities for more fraud and, balancing that against privacy, I'd rather know who I'm communicating with.
If someone needs privacy, there are ways to get it.
Have gnu, will travel.
WHOCARES?
guns kill people like spoons make Rosie O'Donnell fat.
...OK, parents feeding 6-18 month-olds maybe.
True enough, but pretty limited as an analogy. I haven't heard anything about the wide availability of spoons making it easier for random people to force feed Rosie O'Donnell with a spoon.
Besides, everybody knows it's usually the holes caused by the bullets that kill people. Otherwise I found your post entertaining, in that "it's funny to look back at now, but I would have hated it if it was happening to me" way.
> Legitimate businesses have no reason to hide their identity.
That's not always accurate. My mother runs a housing information web site (talking about the Housing Bubble). People doing this can, and do, receive death threats. Anonymity is crucial when saying things people don't want to hear. Sometimes, it's spam, sometimes it's political or speech that others want to shut up. Besides, what's to stop someone from joe-jobbing someone to get their contact information - be it to intimidate, kill, or harass them?
People should be free to say what they want on their sites, even if it's something others consider "spammy". It's only when they connect to other servers (spam) the problem starts to be a problem. If that's the case, block the IPs, and go after the money trail (transaction processors, banks, etc). It may not be as easy as a whois and a lawsuit, but it's necessary to protect religious, political, and otherwise risky speech.
Furthermore, web sites aren't always run by corporations - if one of my personal software development domains is down, or busted, or whatever, oh well. You shouldn't be calling me.
I also used to keep my personal cell number and email on all my business-related domains - if there was a problem, people would call or email, and all was good. Between the solicitors (no-call list doesn't apply to companies) and spammers, I've had to change my email and switch the phone to a voicemail system. It's not that I'm hiding, but rather that if I dealt with all the spam I received by hand, I would never get anything done.
At least with the on-domain contact pages, people have to exert a little bit of effort to talk to me - the captcha keeps the bots out, and it's redirected to my push email on the phone, ensuring I get it near instantly.
Kill WHOIS already. It's outlived its usefulness.
Milton Mueller's mention of some people about to have a big surprise probably refers to the likes of IP weenies like Marilyn Cade, quoted in the article, who have probably slowed down rational management of the namespace much more than all other factors put together (and banked more billable hours from rich newbie megacorps). They are so technically cluefscked that I once had to show Ms. Cade how to read the header on an email to trace it to its source IP, and she's wielded more power for years over the DNS via ICANN than almost anyone, including the ICANN (unelected) board.
Just recently I wrote about what the .name gTLD is now doing. They're charging $2 per 5 WHOIS snoop. Like I say in the article it's all about money, so let the folks who want a public WHOIS pay for it for a change. I also mention in my first link that repurposed ccTLD .ws (western samoa) was acting as a cutout proxy for its registrants for years without the world coming to an end. -g
- Contacting the domain owner whose website is in disrepair, who forgets to put his working email on the site, or doesn't want to, as is the case with well-known people who get more personal email than they can handle. This is typically the last resort for me, but it has often worked.
- Contacting the domain name owner or organization who should remove my photos published on their website without permission. The email address listed in WHOIS more often than not leads to the right person to handle this stuff (admittedly, a cc: to the abuse email of their webhosting company has also proven to be very useful in these removal requests).
I publish my correct contact info in WHOIS, and it has not been abused once. What sort of abuse, precisely, are you talking about? Spam I do get anyway and filter it, this is the reality of email. I could list fake contact info in WHOIS if I wanted to. I've seen WHOIS records that hide it behind a third-party proxy. So this is possible for those few who need it. But why make this a policy for everyone? As a side note, I observe that most requests to ICANN are fueled not by needs of domain owners but by desire of those in the registrar business to make more money (at the expense of everyone else). I wonder if this request is one of these.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
Quit bemoaning and begroaning.
If a business is large enough to have to register with the equivalent of Companies House in the country it's based in then it must make some contact information available through that registration. However, small businesses (e.g. sole traders) which don't have to register with the government shouldn't have to invite spam.
If you run a business in most USA jurisdictions, not under your own name, you are required to list the name and your information with the government. If you are a corporation, you are required to file with the Secretary of State. If you are operating as a DBA (doing business as, or fictitious name) you are required to at least register with your city or County with that name. Typically, you are required to place an announcement in the newspaper prior to using the name,
Fight Spammers!
[...]
www.zoomshorts.com WHOIS pulls my info up just fine.
There is a typographical error in the street address portion of your WHOIS information. As a result, we are revoking your domain, effective immediately.
Love,
ICANN