Privacy Advocates Bemoan the Problems With WHOIS

An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"

Whois is useful?

[morgan_greywolf]

For what? These days, everybody is registering private domains through people like DomainsByProxy. Whois is becoming more and more useless. Might as well chuck it.

Re:Whois is useful?

[mwvdlee]

And what kind of method is DomainsByProxy using to check domain name availability?

Re:Whois is useful?

[ztransform]

I have to agree.

I've tried to privately register every single one of my domains, and end up paying more for what is effectively "not listing my number in the telephone book", just because I don't want SPAM.

I say scrap whois. But still make registration of e-mail mandatory so the registrar can still contact domain owners.

I would guess the real-world equivalent is car registration (number) plates. In most countries the name and address of the registration plate owner is not publicly available presumably to deter road-rage from translating to home attacks; something a domain name owner may also be wary of.

Even "Heroes" agrees

[Kelson]

In one episode last season, Ando showed up at Niki's house, having been able to find her because she listed her home address on the WHOIS record for her website.

(The unspoken moral: use a PO Box, or some guy from halfway around the world will drop in on you unexpectedly.)

Re:Even "Heroes" agrees

[maitai]

Back around 1996 or so I had someone show up my house after retrieving my address from my domains WHOIS record.

They'd received some bounced emails from an email address they didn't recognize (mine), assumed they're emails were being 'hijacked' (as they put it). They then looked up the WHOIS information for my domain (which included the same email address in the record), realized it was local and drove out to my house.

Of course, I was the system admin for their upstream provider... and they already knew me in person since I was the one who installed the router on their end of the pipe. But at the time it was kind of odd having them show on my doorstep out of the blue like that.

What is the problem?

The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters

Every major domain registrar lets you do a "private domain registration" for a few bucks extra. They replace the WHOIS data with generic info plus a uniqueID, which lets you contact the domain owner through the registrar.

Pretty simple - not rocket science.

I am sure that the registrars will happily hand over the actual domain registration info to duly authorized law enforcement with a court order.

Further, any legitimate business puts a mailing address/phone number/fax number on their website. Having the same information available in whois isn't an issue.

I'd Rather it Be Accurate than Abolished

[InitZero]

It used to be when I had to contact someone, the whois information was accurate, complete and, when I dialed the number, I got a live human being that actually was able to address my issue. And, life was good.

Now, it seems even reputable domains are hiding behind private registrations or have outdated or deliberately incorrect information. Bleh. Problems that used to be able to be solved with a pleasant phone call now require hours of my time if the task is even possible.

So, my first choice would be that whois domain information take a giant step backward to the days when it was useful information. If that isn't an option (and going back in time rarely is possible), get rid of it altogether.

stalker "found" me thanks to WHOIS

[gsfprez]

i sold an old Mac laptop with system 7.5 to a girl for $200 with a printer about 7 years ago. She had little money, and for what she needed - a way to type homework in her dormroom and print it - $200 seemed reasonable - it did what she told me she wanted it to do, and she tested it at my place and everything worked just fine (2 cheers for Word 5.1 on system 7!). I made it clear that this was *not* an internet workhorse, and that if she wanted that, she needed to go to the bookstore and buy a new computer. "No no, i just want to type papers and print them in my dorm room".

So, of course, the first thing she did was attempt to install a bunch of new internet software (browsers, school's First Class server client) on it which of course didn't work. Then she took it to the school helpdesk, and they (rightly) had no idea what to do, so instead of telling her to get jammed, they screwed it up completely. So, she calls and says she wants to return it because it doesn't work. I'm like - yeah, what the hell do i want with a fscked up powerbook and printer? I don't want to buy it - i just sold it to you like two weeks ago.

time passes... and i start getting threatening emails from some guy on a yahoo account with ($myname)fucker@yahoo.com. Then he starts saying that he's going to come after my wife and hes watching her car when she comes home at night. That was fscking it. Its the girl's mental patient boyfriend.

Long story short - he was actually stalking whoever in the hell was in my old apartment - it was pure coincidence that the new tennants also owned a Honda Civic too.

Where, do you think, he got the address? Of course, from my whois entry when i didn't have any money to buy a PO Box.

Yeah, if you think i'll ever give out my information to my actual home or office location - ever - you've gone daisy, my son. ICANN and everyone else can demand all they want that my info be correct - but i don't answer to them, so they can kiss my ass.

In fact, because of this, a guy who started, then stole, the website of a non-profit (they've set the donations address to their address, but the actual non-profit is in Africa, so its hard for them to fight the problem) is going to be getting a legal foot up its ass because i know where he is and where he lives and his work address - all because he's broadcasted it in whois and on his webpage.

ICANN can't make me do anything.

Re:stalker "found" me thanks to WHOIS

[LiquidCoooled]

Wouldn't it be more likely that the stalker got your address from his girlfriend?
Afterall you just said she came to your house to check out the computer.

Re:stalker "found" me thanks to WHOIS

[InitZero]

> if you think i'll ever give out my information to my actual home or office location

        Don't confuse privacy (or safety) with anonymity.

        Just because you don't give out your address doesn't mean you're safe. A false sense of security is often worse than a real sense of caution or even fear.

        What's the goofy slogan bantered around Slashdot so often? Security through obscurity and all...

        Matt

The Domain Registry of America

[daedalusblond]

Anyone who has had to deal with the Domain Registry of America will understand this.

Soon after one of our clients register a domain with us, these lovely people will send a very convincing snail-mail to the customer based on their whois data with a payslip attached, saying words to the effect of "Your domain will expire unless you register with us!"

In the UK, the Office of Fair Trading seem to have turned a blind eye to this despite numerous complaints.

-daedalusblond

for plenty of us

[CarpetShark]

Speak for yourself. I use whois every day. It's invaluable.

Re:for plenty of us

[hackstraw]

Speak for yourself. I use whois every day. It's invaluable.

Really? Can someone elaborate on its usefulness? I gave up on it years ago. (also, I simply don't need to know this info anymore)

When I was a SPAM vigalante, I would do whois lookups, and usually the information was clearly bogus. Often, if the info was not bogus, it was outdated. And I've heard from many people that are legitimate people doing legitimate things with their hostnames that would never give real information for whois lookups because they simply don't want to be the target of SPAMers or whatever else could come from having any personal information laying around for some random person to have fun with.

I would never put accurate or relavant info into a whois lookup, and I don't expect anyone else to do so either. Nothing good can come from it, unless maybe you hold the killer domain and you hope someone will try to buy it from you.

I also lie about any personal info to protect my privacy, unless there is something explicity beneficial for me for someone else to have relevant info. I also tell all of the door to door sales people trying to sell me some crap for my house that I rent. They immediately say "Oh", and walk away. I also pay extra to have my phone number unlisted.

I'm still on some lists, but not that many. And the fewer the better.

Re:for plenty of us

[CarpetShark]

Are you a spammer?

There would be no other reason to use whois since it is unreliable.

Then why are you asking a question you think you know the answer to, if not that you think you're wrong? As it happens, you're VERY wrong. It's not the be-all-and-end-all of domain details, no, but it's very useful; for quickly finding out the status of a potential customer's domain, for finding out who owns an IP address that's exhibiting abuse, etc.

Re:for plenty of us

[davebooth]

Really? Can someone elaborate on its usefulness? I gave up on it years ago.

The whois database has one MAJOR use.. Most firewalls dont bother to look up DNS before they filter packets - too much overhead, in most cases. That means when you're creating firewall rules you're working purely in numeric addresses. So, if I determine that a bunch of cracked machines or scriptkiddies is making a nuisance of themselves, how do I blackhole an entire ISPs dynamic allocation block without being able to look up that ISPs address range in whois?

I'm still doing it manually by reviewing the logs every so often but one day I really should finish off the perl script that takes a bunch of IPs out of my firewall logs, flags the domains that own more than one of them and then parses whois output to suggest the most efficient netblocks to ignore in order to make the issue go away. (other than the entirety of .cn, of course!)

I own several domains, and agree completely.

[sherriw]

I own a number of domains and I completely agree that the WHOIS system needs a major overhaul. For one or two domains I actually purchase extra whois privacy from GoDaddy, but for the most part this is just added cost for me to patch a broken system. Why can't I pick and choose what info to show?

On top of it, if I own a .ca domain, I'm forced to use my real name not my company name and my .ca registrar does not offer domain privacy on .ca domains.

I get a ton of spam to the email address I use for my domains, so this address has it's anti-spam set WAY up. I even get occasional phone calls about my domains- usually scams, but recently it was a good thing because I sold one of my domains for $5K (though why the person couldn't just use the contact info on the actual website is beyond me).

But, basically I think you should be able to opt for privacy at no cost. Seems like a no-brainer to have a privacy flag as part of the database. Or maybe provide a url of a contact page where you can determine what to show or just provide a contact form box.

I am suing Moniker for providing anonymous whois

[www.sorehands.com]

I am suing (http://www.barbieslapp.com/spam/e360/timeline.htm) Moniker for providing anonymous whois to David Linhardt (http://www.spamhaus.org/organization/statement.lasso?ref=3).

Moniker has been providing Linhardt/e360Insight, with hundreds of anonymous domain names. This makes it difficult, if not impossible, to determine which domains are his. With anonymous registration you cannot tell if the 1000 of spam you received today are from 1000 different companies that may have mistakenly added you to their list or from one hardcore spammer.

Legitimate businesses have no reason to hide their identity.

Fix it or flush it

[Opportunist]

What is it useful for? To contact a domain owner and inform him about abuse or fraud, or identify someone who is using a domain for criminal activity. So far the theory.

In practice, you can rest assured that not a single domain used for things like ID theft has ever been registered to a real name. Earlier, they registered with registrars who didn't check information (so you had funny entries like some guy whose information was already grabbed in an earlier phish registering a domain for a server in Malaysia), and when registrars felt the pressure, they simply use registrars now that allow you to put their name in instead. Complaining with those registrars results in a "we're looking into it" until the domain is no longer used by the ID thief, so the problem solves itself.

So either require people to put in truthful information and remove registrars that don't comply, or get rid of it altogether. In its current state it serves no useful purpose. The current system only aids criminals, on both ends.

Re:What legitimate business hides their identity?

[kebes]

lets say Microsoft has a pro-windows or anti-Linux blog talking about how their company found that many Linux distros contain trojans. Now lets say these blogs are done with anonymous registration? Is this kosher? If by 'anonymous' you mean 'not publicly visible, but recorded somewhere' then yes, that's fine. Anyone can use the internet to say what they want. If what they publish on their site becomes a problem (spam, slander, etc.), then obviously there should be a procedure for finding out who owns the domain so that you can contact them with your concerns.

But there's no need for the "default public" policy that WHOIS historically operated on. Moreover, if someone like Microsoft wanted an anti-Linux site, it would be trivial for them to outsource its operation to some other company. The current WHOIS actually doesn't provides a robust mechanism for determining who runs and operates a domain name.

The problem is that WHOIS currently is a very weak system. The data it contains isn't accurate, isn't verified, and what few legitimate uses there are for the system could just as easily be accommodated in an "default private" system where requests for additional information about a domain require a little bit of processing (and notification to the domain owner about who is performing a formal lookup on them, and the stated reason for doing so).

What could be used for business accountability ?

[damn_registrars]

I would say the best use of WHOIS is when you need to contact the owner of a business domain. Like many others I've seen boatloads of complaints from people here about their own private domains and how badly they hate WHOIS.

To those private owners, I could care less if their home information is available through WHOIS, as long as they aren't selling illegal merchandise through said domain and pumping spam for it all over the world.

However, when international criminals register domains to sell pirated software / bogus pills / etc ... I do believe WHOIS is still useful. When you can obtain the WHOIS information for the criminal domain, it gives you someone to contact about that activity. People who care enough to do this have managed to progressively change the policies of registrars who were frequently used by spammers for nefarious purposes.

And further investigation into WHOIS data can lead someone to even more critical information, as well. Being as the WHOIS record contains information on the DNS servers that are resolving the domain, a person who wants to really dig deep can find where those were sold as well. A little hint: the spammers often use only a short list of DNS servers for a large number of their domains.

So in summary, before people rally around ICANN with pitchforks and torches to demand the demise of WHOIS, I ask you please consider a solution for the applications where WHOIS is still useful before insisting that it goes away completely.

For verifying a domain exists, for example

[wsanders]

In response to customer inquiries about why such-and-such a domain isn't resolving, I do hundreds of checks a month to verify that domains actually exist, since a sizable percentage have non-functioning DNS. I also query to see if domains we are about to drop from our authoritative DNS service are actually gone.

Not to say the whole whois scheme is a mess, but some sort of non-DNS, free service needs to exist to verify that a certain domain either exists or doesn't.

The other thing that irritates people the most, besides the privacy issues, is that there is such inconsistency in how the whois info is made available.

Re:For verifying a domain exists, for example

[nuzak]

You don't need whois to check for the existence of a domain. Just look up its NS glue record.

What WHOIS is really good for is getting the registration date of a domain, which is a nice indicator of whether a domain is actually a throwaway spam domain or an established site. It'd be nice if the dates actually came back in a consistent format, but at least it's usually human-readable. IP whois is also nice when you're looking at an ISP that actually bothers to fill out SWIPS records for allocations. I've been going more to BGP4 ASNs to determine ownership of IPs instead, but those only come into play for larger allocations.

RIPE is the only RIR that has its shit together when it comes to WHOIS, everywhere else is a complete mess. I say ICANN drops the requirement for WHOIS to return personal data in public queries, and also mandates a migration to the RIPE formats, which are actually consistent.

Re:For verifying a domain exists, for example

[jani]

Name server records are not what "defines the domain's very existence", it only defines whether the domain exists in DNS.

There are cases where e.g. name server changes or domain name transfers results in a loss of name server data in the root servers. The domain still exists, but it is or will quickly be in an unusable state.

So, to reiterate:

DNS shows you whether the domain works.
WHOIS currently shows you whether the domain exists, as well as domain ownership information.

If ICANN wants to get rid of whois for domain names, it needs to replace it with something else.

Functional EPP implementations would do fine for those of us who are registrars, but leaves the public with no practical way of yielding ownership information.

Re:What legitimate business hides their identity?

[Metaphorically]

But there's no need for the "default public" policy that WHOIS historically operated on. Moreover, if someone like Microsoft wanted an anti-Linux site, it would be trivial for them to outsource its operation to some other company. The current WHOIS actually doesn't provides a robust mechanism for determining who runs and operates a domain name. You've got a good point that it's trivial to dodge the name requirement in Whois now. I think that should be a reason to fix it though, not drop it. Pro-MS/Anti-Linux or whatever is one example where astroturfing means big dollars but there are worse ones like political blogs and medical stuff.

The ability to outsource slander is a problem and not just with Whois. Look at political ads - they carry a tagline that's supposed to say who produced it but they can make up a name like "Save the Children Foundation" as a front for whichever political party they want. Tracking down who says what for whom is hard enough in that arena but outside of politics (in tech, drug, clothing, car or whatever industries) is next to impossible.

We need to be able to see who's saying what more easily, not just when there's a problem.

I definitely agree about contact information though. My whois is private to stop the junk mail and junk email, not to hide my name. Seeing who wrote something or supported the writing of something should be easy for people who want to know. Sending them an advert for your registrar doesn't need to be. Of course if Whois cost money to view, which of those interests do you think would be the ones paying to read?

Whois is very important, don't scrap it

[guruevi]

I use whois everyday to check domains and IP's from command line. The simplest way to get an IP range is just "whois xxx.xxx.xxx.xxx" and then block/allow the whole range depending on your needs.

It's an invaluable network tool and just like DNS, you can't just scrap it. That there is abuse is always going to be a problem and that can be done with any list you put your data on. Ever wondered why you get so much credit card offers in your mailbox? Yes, it's because your name and address is somewhere on a list and most likely you have put yourself on it by using your address with either a banking institute or a vendor. You can't stop abuse by taking away services just like you can't say that you are going to solve those credit card offers in your mailbox by removing the postal services. If you do, the abuse is just going to shift from whois to your webhosters' site or DNS just like the credit card offers will be carried out by FedEx or UPS.

Businesses are not entitled to "privacy".

[Animats]

The actual ICANN report, shows they're deadlocked, all right. See this timeline.

Most of the privacy advocates are referring to the European Directive on Privacy. That only applies to individuals not engaged in business. For businesses, the The European Electronic Commerce Directive (2000/31/EC) applies. And it's very clear. Any "natural or legal person providing an information society service" must disclose name, real-world address, and E-mail address. No exceptions.

California has a similar law. It's more narrowly drawn, only applying to sites that take credit cards, but it's a criminal law - six months in jail for not disclosing the "actual name and address" of the business.

WHOIS policy should take that into account. There's a legal obligation to disclose name and address information for businesses. It's not optional.

Our SiteTruth system is based on these laws. If a web site is selling or advertising something, and we can't find a business name and address for it, its rating is toast. We scan each site for human-readable postal addresses (some people would call this "semantic web" technology). We check commercial business databases. We check SSL certificates. We look at Open Directory. If we can't find a business name and address after doing all that, the site's rating is a red "do not enter" sign, and we kick them down to the bottom of search results. Once we have a business name and address, we have something to look up in business databases, corporation records, business license records, credit ratings, criminal records, etc. Plenty of data is available about businesses once you have a name and address. No more "on the Internet, no one knows if you're a dog". We know.

We haven't found WHOIS data very useful in doing this. WHOIS data quality is awful. Many entries are phony. Mailing addresses on the web site itself tend to be more accurate. Using a phony business address is felony fraud in most jurisdictions, so that's relatively rare, and mostly shows up on phishing sites. So we cross-check with anti-phishing databases to kick those sites out.

It's quite possible to use this approach to check WHOIS information in bulk. If ICANN actually cared about WHOIS data quality, they'd check the data against postal databases and business databases. They don't.

Re:*ring ring*

[InitZero]

I know that interpersonal voice communications conducted over an old fashion telephone line between peers is the antithesis of all that is the tech world and Slashdot. Still, it can be rather effective at times.

True story...

I was the IT Director for a mergers and acquisitions company. We were a couple days away from closing on a mid-sized ($72 million) transaction. Money had already been wired into escrow. We are in the United States but the company's owner was vacationing in South Africa. The company we were buying was based in the Dominican Republic so there was local counsel there. The company from which we were buying the Dominican company was based in the Cook Islands. The law firm -- a fairly large international firm -- coordinating everything was out of the Netherlands. Documents were zipping back and forth by email pretty much around the clock given the time zones involved.

Then, for some reason, the email stopped. Test messages when through from all the parties but all the documents failed. We thought it might be file-size related but large test documents went through fine. The lawyers we were working with out of the Netherlands didn't know who did their network/email support -- it was handled out of another office. They couldn't come up with anyone who knew anything about the problem in hours of trying to track someone down. Without a complete set of documents (several hundred pages) executed by all parties, the transaction would be delayed.

(Delaying the closing even by hours is a massive and costly pain given the number of people and amount of money involved. Homework: calculate the amount of interest $72m throws off ever hour.)

Faxing large quantities of documents for review was out of the question. FedEx or another overnight carrier would delay the closing. Not to mention, it would slow the final revision processing.

Using whois, I called the technical contact for the domain. He immediately handed me off to their mail guru. After I explained the problem, he checked his change log and found a half dozen new regular expressions were added to their spam filter about the time we started having problem. Seven characters of the eight-character transaction code we were using in the filenames on all the documents happened to be the same as a banned regex that had been added. Once the regex had been removed, everything worked and we closed on time.

Total time from 'whois domain' to problem resolution: less than half an hour.

Had I not been able to get the mail guru on the phone or by email, we would have delayed the closing. We would have had to come up with an alternate document transport. We would have had to notify and train all parties in the alternate document transport. It would have been ugly.

So, in short, if I have a problem with your domain, I'd like a number I can dial to speak with a competent human being.

Reasons to dislike whois

[Tolvor]

I have had a long dislike of whois.

For one it gives people a major way to steal domain names. People look up the domain name that they want in the public record, find the email address, and try to crack the email. If they can get the access to the email then more than likely the domain can be stolen. Then us poor techs get a call several months later from the true customer wondering what happened to their domain. Whois reveals too much information.

Secondly it isn't accurate. People see their name in whois and think that means they get to make decisions on the account/domain. Just because your name appears in whois does not mean you are listed on the account itself. But try explaining that to their ex-(terminated)-webmaster.

And lastly WhoIs is a major pain to explain. Try telling a paranoid customer that all domains appear in whois, and that you can't remove a domain itself from whois. My sup can't remove it from whois. The president of MegaDomainRegistrar can't remove it. Sorry, no, I don't have a phone number for ICANN. We can hide the info, but we can't make it disappear.

But then to be fair, I can't think of an alternative system to keep the domains and websites fair and accountable. Compaining to a registrar/webhoster about a domain/site is next to useless unless it is unquestionably illegal or definately a trademark issue. Most cases get shunted to the legal department which give the unhappy complaintant a copy of the AcceptableUsePolicy and asked to submit proof of infraction (yeah, good luck). Usually it takes a dedicated lawyer to get things done in these cases. So for now, whois stays.

Job-title whois email reduces spamming

[billstewart]

Having some kind of contact methods for the administrative, technical, and billing users is valuable, but there's no need for it to be a personal email address - especially for a domain that belongs to a business, where that information is likely to change or be handled by a group of people. You might as well have generic addresses like domreg_admin@yourdomain.com. Spammers are still going to try to abuse it, but if nothing else you can put an auto-responder that tells the sender to use a web form.

The technical contact is a special case, because it probably shouldn't be based in the domain it's supporting, since a common reason for using it is that something's wrong with the DNS server or the web/email server supporting that domain; and therefore it's most likely to not work when you most need it - so it needs to be handled somewhere else (like a commercial email service, or perhaps even a forwarder at the DNS provider), and it probably should have good spam filtering. At a medium-large company, the phone number should go to a help desk, which isn't a privacy problem either, but for an individual it's annoying but useful to publish the number.

The billing contact is another special case, because the only entity that needs to access it is the DNS registrar that's handling name registration - it should probably be hosted somewhere other than the domain (again because it has a good chance of failing when it's needed), and spam filtering can be a very short whitelist. I don't see a legitimate need for it to be public.

The Trademark Gods want the Owner's True Name

[billstewart]

There are two reasons you'd want the owner's name - you're trying to contact them because of content on their website / email, or you're trying to sue them because you think you should own their domain name due to trademark law. If you want to contact them, use the contact info on their website; if it's not valid, then the whois owner information probably isn't either.

The trademark ownership issue has been a major driver since before ICANN - the IETF Ad-Hoc Committee that was trying to expand the number of global TLDs before ICANN took over were under a lot of pressure from the Trademark Gods to make sure that anybody who registered a name provided their True Name and True ICBM Address (er, process-server address) so that trademark lawsuits could be resolved without needing to drag the DNS registrars into the process. I think that's unnecessary - it's reasonable to have a Uniform Dispute Resolution Process that says that if you don't provide usable contact information then you're presumed to lose a trademark dispute for non-generic names, as opposed to preemptively violating your privacy.

In practice, the main reasons I use the whois owner name are to try to make sure I've got a correct email address for somebody if I'm not sure, or sometimes to see if it'll help me contact somebody whose website doesn't provide useful information (e.g. spam complaints to abuse@ get ignored), but I've found that if somebody's a sleaze, they're usually providing non-useful information in their whois records.

There was one spammer I could have probably sued successfully, but their whois address was a box number in Greenville DE, at the same address as The Company Corporation, which has been the canonical place to set up cheap Delaware corporations for the last 100+ years - so the most I'd get if I successfully sued them for everything they were worth would have been the contents of their file folder, and they'd have had to go pay another $100 to get another shell company. I guess I might have also acquired their intellectual property, like the trademark on ScammersRUs.com or whatever they were called.

Privacy? Abuse?

[PPH]

I've owned a domain name for a number of years now. Other than using a P.O. Box for the contact info. I've never had any problems with fraud or abuse. I get the occasional offer to buy it (its a somewhat popular name) but nothing I'd consider to be a nuisance.

I think hiding the ownership of a domain (or IP address information) opens up opportunities for more fraud and, balancing that against privacy, I'd rather know who I'm communicating with.

If someone needs privacy, there are ways to get it.