ICANN Punts on WHOIS Privacy Proposal

An anonymous reader writes "The Internet Corporation for Assigned Names and Numbers (ICANN) has essentially put off consideration of a proposal that would have dissolved a requirement that domain name registrars collect and display personal information about people who register Web site names. Privacy activists said the WHOIS database has become a data-mining dream for marketers and spammers, to say nothing of stalkers and harassers. Companies representing some of the world's biggest brand names appear to have prevailed, arguing that any change to the current system would interfere with law enforcement investigations and trademark disputes. In the end, ICANN voted 7-17 to table the issue in favor of further studies on the privacy impact of the WHOIS database."

Isn't it a good thing

[rustalot42684]

to be able to see who controls a domain, so you can contact them if there's an issue? (eg they're typosquatting)

Re:Isn't it a good thing

[Billosaur]

Yes it is, but privacy pundits would have you believe we need to live behind brick walls coated with tin foil. Look, this information can be vital for tracking down the owners of web sites or at least providing a starting place when someone is trying to contact a web site owner and cannot reach them through other channels. If they are truly worried about the fact that scammers and spammers are going to rake the WHOIS database for suckers, then charge $5 for a look-up. No spammer is going to lay out 5 million dollars to scrape up a million email addresses.

Re:Isn't it a good thing

[vidarh]

However a large number of domains ARE owned by private individuals, and the whois requirements means you either pony up for "protection" (third party services that put their name and address in whois and forward any requests to you) or leave your personal details available for anyone.

I can't see ANY reason why these details should be required to be public. It ought to be sufficient that the registrar has the details so they can be subpoeaned, and optionally request them to forward requests.

With the current system, nothing stops people with bad intentions from lying anyway - the current system only harms those who wants to stay honest.

Re:Isn't it a good thing

I can have a privately listed phone number, why can't I have a privately listed domain? I can speak anonymously by publishing pamphlets, why can't I speak anonymously by publishing to the internet? More importantly, why is your need to 'track down the owners' more important than the owners' privacy?

Try running a non-profit from your home to offer mental health support. Death threats on the internet may be a dime a dozen, but when it comes to mental health issues... well, some of those threats are more genuine than others. Do you think $5 is going to keep someone from calling me on the phone 50 times a day or coming to my house and stalking me?

The registrar has a business relationship with me and needs to know who I am. You don't. If you need to contact me, I have an email and mail forwarding set up with my registrar.

Re:Isn't it a good thing

[poetmatt]

Any reasons?

See above to the post above your own. How else can you email for abuse, etc if there is no email address? Lots of bogus sites are forced to register an email address for whois but don't have an email on their website anywhere. Face it, people can make it tougher and tougher to reach someone but if you can't find aways to contact someone at all that can be real problems (such as when people use like a shadow corporation for all their addresses - Kazaa style anyone? Beyond incompetence of investigators it was hard for them to even find kazaa in the first place)

There are ways to deal with bad intentions, use mailfilters, etc. However, if you can't contact someone that will cause rediculously rampant amounts of abuse (how can you prove someone is typosquatting 20 domain names to block something if you can't see who owns them). Say someone gets google.com, but its squatted, and you cannot even find out who to contact because the info isn't there. So instead of contacting them immediately with contact information provided, you have to go through a legal process and get approval, etc. And with the number of websites on the web, don't you think such a process MIGHT become a bottleneck? So instead of getting your site back in 3 days, you get it back in a week?

Or lets say you want to let the host know of a DNS problem, to help them out...well who are you going to let know now?

WHOIS useful

[blhack]

Whois is (can be) a great resource for tracking down the admin of a network (which is what it was INTENDED for). When i see a machine trying to guess default password to my FTP and its obviously a bot, whois makes it really easy to determine if it is some kid sitting on a cable modem, or if its a real domain. It its a real life domain, then it makes things much easier, there is a phone number i can call and complain to (UN-BOT YOUR FREAKING MACHINES!).

Also, when i look through apache2/access_log I can see who is looking at my cartoons :)....lots and lots of addresses that end in .asu.edu means that somebody broke the first rule of fightclub.

Basically my point is, if your hosting some website to show the world pictures of your cat, then use a private WHOIS registration service, if you're an actual company, with a big honkin' domain, then people grabbing information from whois probably isn't MUCH of a concern to you.

This just sounds like a bunch of people with a solution who are looking for a problem to me.

Can't see why????

[www.sorehands.com]

First you don't define what you mean by a large number. You apparently don't understand legal process. You get a subpoena some time AFTER filing a lawsuit, in Federal Court, it is a rule 16 conference. Lets say I am in California and you are in Florida, and your registrar is Godaddy (if your registrar is overseas, they may not even respond). On your blog, you falsely post that I was drunk, crashed into your car, offered you cocaine, and pushed you into a ditch and drove off. I filed suit here in California, then have to file a special motion for early discovery so that I can issue a subpoena upon Godaddy. Now Godaddy charges me $150 for responding to the subpoena. Now, I served you with the complaint, and you file a motion to dismiss claiming that you are in Florida so that the California Court has no jurisdiction over you.

If you own a house, this ownership information is public. I can walk into the county recorder (in most places in the USA) and find out who owns that house.

The people with bad intentions should quickly lose their domains. This is an enforcement issue and I have been talking about it with the RAA group.

It works both ways...

[KC7GR]

While it is true that there is a potential for "private" information (name, address, etc.) to be publicly visible to spammers and marketers, it works the other way as well. If someone spams me, or someone else on my network, AND it's not a bot-net source, I find whois to be invaluable in terms of finding out where the stuff came from. If it's a mainstream company, they get a phone call (using the number in their whois record) and an earful about it, in that order.

As others have pointed out, this sounds like a lot of kerfuffle over nothing. If you're truly worried about privacy in your domain records, there are already a couple of options.

--Get a PO box, as I did, and use it for your registration address. ICANN regs don't prohibit it, and it's useful for stuff beyond domain registration.

--Use a whois-anonymizing registrar for your domain. ICANN doesn't prohibit this either, just as long as there is some way for said registrar to forward messages from the outside world to you.

Leave whois alone. It's too useful a tool. The fact that some few abuse it should not be cause to eliminate it (after all, to use an analogy, people abuse telephones all the time -- junk calls, junk FAXes -- and we still have them).

Keep the peace(es).

What a disappointing Slashtdot discussion...

[Decius6i5]

This discussion is heavily slanted toward the pro-regulation crowd. The moderators seem to be modding up posts based on the position they take in the debate rather than the value of the points they are making. I would think that a community for geeks would have a better understanding of this issue, and would have more people who are sympathetic to the interests of private individuals who have domain names for non-commercial reasons.

There are a large number of straw men that are raised constantly by supporters of whois accuracy regulation. Not one holds up to objective analysis.

1. No one is talking about getting rid of Whois. Whois was originally voluntary. You could publish as much or as little information as you wanted in it. Later, it was changed to make publication of names, addresses, and telephone numbers mandatory. If this vote was successful it would become voluntary again. This is not the same thing as taking down the service.

2. Criminals and spammers are not going to publish accurate information in whois. There is no way to force the data to be accurate regardless of what the regulations are. So the regulations mostly impact well meaning, honest people, not criminal groups.

3. Businesses want you to know how to contact them. No legitimate business is going to keep it's whois information private. The regulations do not effect businesses or organizations, who would publish contact information regardless of whether or not they were required to, they effect individual, non-commercial domain holders.

4. You do not need DNS Whois to resolve technical, security, or legal issues with a domain. Its convenient, but if the data is wrong or not present, you can contact the ISP that is responsible for the IP address the computer in question is using. DNS Whois is never necessary. Most kinds of Internet crimes can be committed without a domain name, and so DNS whois is obviously not sufficient to investigate those cases. How does the RIAA prosecute P2P users, who are publishing on the Internet without a domain name? The argument that its ok to have an anonymous sub domain but its not ok to have an anonymous primary domain also does not make sense. If you have a problem with an anonymous primary domain you can contact the ISP responsible for the IP address the computer in question is using, just as you are forced to do if there is no domain name being used.

5. Yes, proxy services are available, but they are expensive, and this expense ought to serve some sort of legitimate purpose. If the purpose of this regulation isn't fighting spammers or criminals or making sure businesses disclose their locations, than what is it and are we willing to spend $9 per domain to serve it?

6. Individuals who use the Internet for noncommercial reasons are not interested in eating cake. We don't want dymanic dns records hosted on a sub-domain. We don't want to use hosting services. We want domains, and we've been able to use domains for non commercial purposes without publishing personal contact information for most of the history of the Internet! The response "if you don't like it use XYZ" is not acceptable. The people who advocate that people be required to publish their personal information in the whois database must defend the need for and value of that regulation, and not simply offer that those who disagree go somewhere else!

The bottom line is that supporters of these rules are motivated by misinformation, private interests, or outright authoritarianism.

The misinformed are those who like doing whois lookups on domains and assume that this information should always be required to be there in a form they expect simply because it is often there and often useful. This is a bit like assuming that personal homepages should have a terms of service agreement and a "contact us" page because lots of sites do and they like to use them.

The private interests are those like the RIAA and other IP interests, who wish to ensure that honest, well meaning private individuals who use d