Slashdot Mirror
ICANN Punts on WHOIS Privacy Proposal
An anonymous reader writes "The Internet Corporation for Assigned Names and Numbers (ICANN) has essentially put off consideration of a proposal that would have dissolved a requirement that domain name registrars collect and display personal information about people who register Web site names. Privacy activists said the WHOIS database has become a data-mining dream for marketers and spammers, to say nothing of stalkers and harassers. Companies representing some of the world's biggest brand names appear to have prevailed, arguing that any change to the current system would interfere with law enforcement investigations and trademark disputes. In the end, ICANN voted 7-17 to table the issue in favor of further studies on the privacy impact of the WHOIS database."
Isn't this what most jocks call "Third and out"? How fitting.
Dedicated Cthulhu Cultist since 4523 BC.
to be able to see who controls a domain, so you can contact them if there's an issue? (eg they're typosquatting)
Well, that would have saved me the annual $9 that I spend for the anonymous option with my registrar.
WHOIS is rather lame because of fake data, and most who fake data do usually do so because they don't want to give worthwhile contact details to the whole world. However, a lame WHOIS is better than no WHOIS in my opinion. I think it's valuable to have at least a registrant name provided in WHOIS, at the very least to serve as some record of who originally registered a given domain name in the unlikely but not unheard of issue of hijacking. I think perhaps ICANN should build and maintain a private contact database and fund it through an additional $1.50 fee on registrations. ICANN would provide a special privreg@icann.org address that one could email to contact the registrant (with strong spam filtering). I administer a fairly high profile site, but my webmaster address really doesn't get that much spam - that's why I think my proposed solution would work well in most cases. A person get a valid email address to contact and not much else. Finally, if the person wishing to contact the registrant wants a physical address of the registration, ICANN should require nothing less than a court order. That's my initial idea.
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
First it says ICANN, then it says I can't
Which is it?
Karma: Excellent. 15 moderator points expire sometime.
Just what kind of further study to they need to do to figure out the privacy concerns? They know what information is made available, and they know the potential consequences (both positive and negative) of having that information in the public domain. Making a yes or no decision based on that is hardly rocket science.
To update the Registerfly Fiasco which they have failed to do so. This organization is incompetent and worse than a bowl of noodles when it comes to domain names.
Whois is (can be) a great resource for tracking down the admin of a network (which is what it was INTENDED for). When i see a machine trying to guess default password to my FTP and its obviously a bot, whois makes it really easy to determine if it is some kid sitting on a cable modem, or if its a real domain. It its a real life domain, then it makes things much easier, there is a phone number i can call and complain to (UN-BOT YOUR FREAKING MACHINES!).
:)....lots and lots of addresses that end in .asu.edu means that somebody broke the first rule of fightclub.
Also, when i look through apache2/access_log I can see who is looking at my cartoons
Basically my point is, if your hosting some website to show the world pictures of your cat, then use a private WHOIS registration service, if you're an actual company, with a big honkin' domain, then people grabbing information from whois probably isn't MUCH of a concern to you.
This just sounds like a bunch of people with a solution who are looking for a problem to me.
NewslilySocial News. No lolcats allowed.
I would like to see more privacy involved in the WHOIS database. I've been the target of not only marketing garbage, but also some threatening letters. That isn't fun at all.
Luckily, some companies will 'obsfucate' the WHOIS information to an extent, by offering a contact address to the company that will forward mail to you. You still get the mail, it just gets shuffled around a bit so that the sender doesn't see your real address. They do the same with email addresses, setting up a forward account. All of this, of course, for a fee.
I can understand why people would want contact information for domains - and I agree. It can be very useful and in some cases it is necessary for legal process. It is just too easy to abuse in many cases. I'm not sure what a good solution would be, though.
Love sees no species.
You get a domain... As in something that allows the world to see you. But you want the world not to see who you are? This is not even part of an anonymity debate. You have to pay to be seen. Why would you not want it to be seen who you are then?
Any guest worker system is indistinguishable from indentured servitude.
UK's Nominet (responsible for *.uk) let you opt-out of displaying contact details for domains. Why not other TLDs?
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
To correctly do whois, there must be some changes to the Whois to work.
For those people who use Fake information, they need to lose their domain names. 3.7.7.2 states that a registrar may cancel a registration when there is intentionally false information given. This is rarely enforced. (see http://www.icann.org/correspondence/touton-letter-to-beckwith-03sep02.htm). In fact, I was told by a person at ICANN (I shall allow her to remain nameless, for now -- but for those who were at the IP meeting on Tuesday, she was sitting next to me) that there is no provision for punishing a registrar, except by terminating them and ICANN does not want to terminate registrars because all of them do not have a good data escrow in place. (think registerfly). I believe this is incorrect. I believe that suspending a registrar's ability to prevent NEW registrations by a registrar would be within the ability of the contract and not harm any domain registrant.
Many registrars give 15 days (the period for mistakenly false information, ie. typo, aged, etc.). What needs to be done is to suspend the domain name, for intentionally false false information, for this 15 day period. And then when they provide updated information, this updated information MUST be proven to be correct (ie. don't change 123 Yellow brick Road to 123 Main Street, Oz, Kansas.) and allow the registrar to charge a reasonable administrative fee.
By allowing registrars to ignore invalid whois and complaints regarding such leads to the argument that since the all data is not correct, that the Whois should be scrapped.
Fight Spammers!
I'm all in favor of leaving WHOIS alone for the time. As I've said before, the WHOIS records are very useful when dealing with people who use domain names for nefarious purposes. A large portion of the domains that sell discount v!@gra and pirated s0ftwar3 are sold to a small number of big-name crooks (Leo Kuvayev and company). If we leave the WHOIS data open we can at least find out who they are in cahoots with. This is a good thing, because it can lead to taking action against the registrars and ISPs that are keeping them up and running (and likely getting a cut of the action themselves).
I wish the privacy advocates would just settle down and be willing to negotiate a compromise. Frankly, I could care less about getting the data on domains that exist to host peoples blogs and pages about their dogs or whatever. But if you want a domain so you can sell something, you should be willing to let the world know who you really are.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Recently to my pleasant surprise, my host let me in on a new feature (for them) recently: optional WHOIS privacy (to your domain name registration, specifically). Even before reading all about this absolution of WHOIS,which, from the reasons provided, are sound, but I still think the overall usage of WHOIS is useful, despite the potential as a data mine, I'm glad I ordered it, as I'm just a tad bit more paranoid than the average person about internet privacy.
However, the internet shouldn't have any training wheels (thankfully, AOL has been dead for some time, although now we have Comcast...), and it should be common sense concerning WHOIS and it's uses, as well as the whole spamming thing (which there are plenty of tools out there to combat, such as simple .htaccess tricks made easy to come by via Google, etc. etc.). It should definitely be discussed though, but there shouldn't be any rash moves to just abandon WHOIS.
It is possible to maintain privacy and to make the information available to anyone who has a legitimate need.
For example, the owner and physical address of anyone who has a government PO Box is not freely available, but anyone with a legitimate need can get the Post Office to release this information.
Why can't before the ownership of a domain name be released that the requester be required to identify himself and for him to state the reason he needs this information?
There's not a big abuse problem with addresses and phone numbers in whois, but there is a big problem with the email addresses. Simply removing the email addresses would be a huge benefit.
If people didn't want privacy, they wouldn't own curtains.
If companies wanted privacy, they wouldn't advertise.
(And don't talk to me about 'corporate secrets' that is a different argument.)
"All sweeping generalisations are false, including this one."
Personally I would like to see less privacy on domain registrations, not more. I would like to see the elimination of "private" registrations and masking services. I feel that someone should be responsible for each domain. If you want to be anonymous, make a deal with someone who has a domain and is willing to maintain your anonymity.
I would like to require that annually the registrar 1) sends an email to the registered contacts, and 2) sends a postal letter to the registered mailing addresses, and 3) places a phone call to the registered contact phone numbers. If either the email, the postal mail, or the phone call goes unanswered after a couple of attempts, you forfeit the domain.
This would 1) make sure that WHOIS contact data leads to someone and 2) significantly reduce the amount of bogus registrations and cybersquatting because there would be a physical process cost in addition to a financial cost in hosting a domain.
Of course, people could supply bogus information, but at least the information would lead to someone that is willing to answer for the bogus name. I really don't care so much if someone uses an alias, but I want to make sure that I can contact a person about domain related issues.
To cover the cost of performing communication with the domain owner, the registrar would charge a couple of extra dollars per year. (It is not hard as there are plenty of existing automatic emailing engines, paper mailers, and auto dialers with IVR.)
It's all my opinion, take it or leave it.
Focus on the abusive actions themselves, instead of just asking how they did it. Spam sucks regardless of whois, and needs to be dealt with somehow. Assholes threaten, and they're still going to be assholes without whois. Obscurity of the address does help, but at the same time, it's not a serious solution to the overall problem.
If you want a domain name, then somebody has to be contactable about problems, take responsibility for abuses by the domain, etc. Maybe it's not you, and having a proxy to take care of it is ok. A lot of people just have domains so that they can have an easily-remembered website URL, and perhaps the network gurus at the actual hosting facility really should be the technical contact. But the trademark issue is legitimate, I think; if I pretend to be you (i.e. register a domain using your business' name), is it really so bad that you have a a way to talk to me about that?
There has to be somebody reachable, if you're going to advertise a name-to-address translation on servers all over the world. whois can't go.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
First you don't define what you mean by a large number. You apparently don't understand legal process. You get a subpoena some time AFTER filing a lawsuit, in Federal Court, it is a rule 16 conference. Lets say I am in California and you are in Florida, and your registrar is Godaddy (if your registrar is overseas, they may not even respond). On your blog, you falsely post that I was drunk, crashed into your car, offered you cocaine, and pushed you into a ditch and drove off. I filed suit here in California, then have to file a special motion for early discovery so that I can issue a subpoena upon Godaddy. Now Godaddy charges me $150 for responding to the subpoena. Now, I served you with the complaint, and you file a motion to dismiss claiming that you are in Florida so that the California Court has no jurisdiction over you.
If you own a house, this ownership information is public. I can walk into the county recorder (in most places in the USA) and find out who owns that house.
The people with bad intentions should quickly lose their domains. This is an enforcement issue and I have been talking about it with the RAA group.
Fight Spammers!
What we need is an OPEN solution, where for a single low administrative cost fee I can have my WHOIS data private for all of my domains - not the per domain fees being charged by for-profit companies now.
Someone like the EFF should step forward and provide us the solution ICANN will not.
While it is true that there is a potential for "private" information (name, address, etc.) to be publicly visible to spammers and marketers, it works the other way as well. If someone spams me, or someone else on my network, AND it's not a bot-net source, I find whois to be invaluable in terms of finding out where the stuff came from. If it's a mainstream company, they get a phone call (using the number in their whois record) and an earful about it, in that order.
As others have pointed out, this sounds like a lot of kerfuffle over nothing. If you're truly worried about privacy in your domain records, there are already a couple of options.
--Get a PO box, as I did, and use it for your registration address. ICANN regs don't prohibit it, and it's useful for stuff beyond domain registration.
--Use a whois-anonymizing registrar for your domain. ICANN doesn't prohibit this either, just as long as there is some way for said registrar to forward messages from the outside world to you.
Leave whois alone. It's too useful a tool. The fact that some few abuse it should not be cause to eliminate it (after all, to use an analogy, people abuse telephones all the time -- junk calls, junk FAXes -- and we still have them).
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies
I sued Moniker for providing WHOIS privacy for e360 and Linhardt (http://www.barbieslapp.com/spam/e360/timeline.htm) along with e360 and Linhardt for illegal spamming.
Not only does this hide the information on the spammer, it also prevents you from determining if the 1000s of domains are one spammer to 1000 different spammers. That can be avoid by saying, Moniker Privacy Services, Client 12. Where 12 is some form of account number that says that may not relate to the actual system account number, but enable to the viewer to determine that there are XX domains by the same person.
Now lets take this out of the spam arena. I have a business of selling widgets. I also have a blog that 'reviews' widgets, and I have three blogs pretending to be 3 separate people bitching about X Widgets where X is one of my three competitors.
Fight Spammers!
One, the phone numbers 555-555-5555 or 111-111-1111 and that ilk. Two, a corporation name that is not listed in that state's corporate database (where that is available online). Three, the registrar does have the billing information on the credit card that may not match. Four, Mapquest for invalid addresses, ie. 725 Border St, E. Boston, MA 02128 (street number does not exist, or state name not in that city). And the USPS.gov site for zipcodes being wrong.
Fight Spammers!
The Board of ICANN discussed this issue about an hour ago in their public Board meeting (it's still going on as I write this here: http://media1.icann.org/ramgen/broadcast/international.rm). The meeting has its own webpage - http://losangeles2007.icann.org/node/75.
http://www.directnic.com/whois/?query=line9.com
Administrative Contact:
This domain was reported to, ICANN for invalid WHOIS info.
customer-must-correct-the-info@or-the-domain-will-be-deleted.com
invalid WHOIS, domain disabled
invalid WHOIS, domain disabled
invalid WHOIS, domain disabled
invalid WHOIS domain disabled, WY 99999
US
9990000000
Fax:9980000000
This is after, they wait 2 weeks. What would be even better, is to put their real information -- from the billing (if not a stolen credit card) and have the domain name suspended.
Fight Spammers!
I guess it's fine that ICANN doesn't really care about protecting potentially private information. Where the focus should really be pointed is toward domain registrars.
When you register a domain, you give them your address so they can charge you their yearly fee. Which is acceptable.
However, what always struck me as unacceptable is that they take your address and slap it directly in to the WHOIS database without telling you or informing you that this is being done. I've been shocked and also appalled a number of times to see my address, apartment and telephone numbers all printed right out in the open. Because of that, I supply them with bogus information for the WHOIS. (1234 Main St. Anytown, USA 12345 (555) 555-1234)
Registrars should at least give people an explicit FYI about what information they're making public.
/* No Comment */
This discussion is heavily slanted toward the pro-regulation crowd. The moderators seem to be modding up posts based on the position they take in the debate rather than the value of the points they are making. I would think that a community for geeks would have a better understanding of this issue, and would have more people who are sympathetic to the interests of private individuals who have domain names for non-commercial reasons.
There are a large number of straw men that are raised constantly by supporters of whois accuracy regulation. Not one holds up to objective analysis.
1. No one is talking about getting rid of Whois. Whois was originally voluntary. You could publish as much or as little information as you wanted in it. Later, it was changed to make publication of names, addresses, and telephone numbers mandatory. If this vote was successful it would become voluntary again. This is not the same thing as taking down the service.
2. Criminals and spammers are not going to publish accurate information in whois. There is no way to force the data to be accurate regardless of what the regulations are. So the regulations mostly impact well meaning, honest people, not criminal groups.
3. Businesses want you to know how to contact them. No legitimate business is going to keep it's whois information private. The regulations do not effect businesses or organizations, who would publish contact information regardless of whether or not they were required to, they effect individual, non-commercial domain holders.
4. You do not need DNS Whois to resolve technical, security, or legal issues with a domain. Its convenient, but if the data is wrong or not present, you can contact the ISP that is responsible for the IP address the computer in question is using. DNS Whois is never necessary. Most kinds of Internet crimes can be committed without a domain name, and so DNS whois is obviously not sufficient to investigate those cases. How does the RIAA prosecute P2P users, who are publishing on the Internet without a domain name? The argument that its ok to have an anonymous sub domain but its not ok to have an anonymous primary domain also does not make sense. If you have a problem with an anonymous primary domain you can contact the ISP responsible for the IP address the computer in question is using, just as you are forced to do if there is no domain name being used.
5. Yes, proxy services are available, but they are expensive, and this expense ought to serve some sort of legitimate purpose. If the purpose of this regulation isn't fighting spammers or criminals or making sure businesses disclose their locations, than what is it and are we willing to spend $9 per domain to serve it?
6. Individuals who use the Internet for noncommercial reasons are not interested in eating cake. We don't want dymanic dns records hosted on a sub-domain. We don't want to use hosting services. We want domains, and we've been able to use domains for non commercial purposes without publishing personal contact information for most of the history of the Internet! The response "if you don't like it use XYZ" is not acceptable. The people who advocate that people be required to publish their personal information in the whois database must defend the need for and value of that regulation, and not simply offer that those who disagree go somewhere else!
The bottom line is that supporters of these rules are motivated by misinformation, private interests, or outright authoritarianism.
The misinformed are those who like doing whois lookups on domains and assume that this information should always be required to be there in a form they expect simply because it is often there and often useful. This is a bit like assuming that personal homepages should have a terms of service agreement and a "contact us" page because lots of sites do and they like to use them.
The private interests are those like the RIAA and other IP interests, who wish to ensure that honest, well meaning private individuals who use d
Yesterday the Internet was a way for well-meaning polite academics to communicate. There were no commercial uses of the Internet and nobody had to worry about malicious attacks, fraud, or much of anything else. Except flame wars. WHOIS information was optional and pretty meaningless except in a very few cases.
Today the Internet is composed to fraud, copyright infringement, theft and all manner of people doing malicious things. If you aren't trying to hurt someone a significant portion of your time is either defending or recovering from attacks. WHOIS information isn't very accurate today either. The people doing malicious things aren't using their right names and addresses when they register phishing domains.
Tomorrow can't look like yesterday. Sorry, that period is over. It can look like today with domain registration being used as a weapon against everyone else while irresponsible registrars happily take money for registering domains like "ebay1.com". Surely the intent is clear - why can't the registrars do something about this? And the registrars, without identity confirmation, just help these folks along.
Tomorrow can look like today or worse. Or it could be better. Choose.
I've never seen a domain registration company that does anything to authenticate the domain ownership information it asks for. Generally this information is to be taken with a grain of salt, because much of it is false.
For all the non-seppos out there in /. land. "Punts" refers to a point in the game of american football where the attacking team decides that further running or passing plays will not benefit them. At this point they kick ("punt") the ball and go on the defense.
Hence "punting" in this sense referred to by the OP means "it's all too hard, let's do something else".
For all the americans that care, "punting" in the rest of the english speaking world refers to betting (on horse races etc). In this sense it means "having a go" or "giving it a shot". ie., the exact opposite of the meaning in the article title.
Carry on.