US and EU Clash Over Whois Data

itwbennett writes "ICANN wants to store more data (including credit card information) about domain name registrations in its Whois database, wants to hold on to that data for two years after registration ends, and wants to force registrant contact information to be re-verified annually — moves that are applauded by David Vladeck, director of the FTC's Bureau of Consumer Protection. The E.U.'s Article 29 Working Group is markedly less enthusiastic, saying ICANN's plans trample on citizens' right to privacy."

Solution

Well, I guess I'll have to get a temporary phone number, address AND anonymous "gift card" credit card now for my domain now

Re:Solution

Well, I guess I'll have to get a temporary phone number, address AND anonymous "gift card" credit card now for my domain now

What do they need a credit card for anyways?

Re:Solution

[Nrrqshrr]

Track your purchases and credit flow, I guess..

Re:Solution

[NJRoadfan]

What the many folks who use Paypal? I have a feeling registrars are going to push back big on this one.

Re:Solution

[Mr+Europe]

Credit card seems to be the identification certificate in the US.

Re:Solution

[gl4ss]

Well, I guess I'll have to get a temporary phone number, address AND anonymous "gift card" credit card now for my domain now

What do they need a credit card for anyways?

what do you need it for? to buy stuff, doh. budgets are being cut etc.

Re:Solution

[TheSpoom]

Gandi includes private whois with all registrations. There are a number of other registrars who will do it for a fee.

(Solely in my opinion) you should stay away from GoDaddy though. They charge $20 every time they discover that your whois information is fake, probably to get you to buy their private registration service. Instead, I transferred all my domains to Gandi. Everybody wins, right?

Want to get rid of spam or not?

Pretty much what it comes down to.

Balancing right to anonymous domain hosting vs everyone else's right to live without torrents of spam

Re:Want to get rid of spam or not?

[ilsaloving]

How could this possibly stop spam? Most spam comes from botnets anyway, which are going through their companies and/or ISPs mail server. The last thing a spammer would do is use a proper domain.

Re:Want to get rid of spam or not?

[Kaenneth]

You don't need a DNS entry to spam or even host a website (it probably helps though...)

Re:Want to get rid of spam or not?

[epyT-R]

Actually, neither the right to privacy (unless you count 'secure in your person' in the 4th amendment) nor the right to not get spam are defined.. given a choice, I'd rather get spam than lose my privacy..and if marketing was opt in in the first place, spam would hardly be a problem in the first place.

Re:Want to get rid of spam or not?

[rs79]

It's nothing to do with spam. It's so the intellectual property crowd can sue the right person.

Think! Who else in the domain ecosystem needs to know exactly who you are?

Re:Want to get rid of spam or not?

[Joce640k]

Not the senders, the receivers. Many people regard the whois database as a big list of email addresses to spam.

Time for the anti UN comments...

[xaxa]

Time for the anti UN comments, as usual around here. But how can you defend the USA on this case?

(My .uk domain's public whois looks like this:

        Registrant:
                [My real name]

        Registrant type:
                UK Individual

        Registrant's address:
                The registrant is a non-trading individual who has opted to have their
                address omitted from the WHOIS service.

And that's the way I like it!)

Re:Time for the anti UN comments...

Mine is something to the effect of -
Registrant: WHOIS PRIVACY DEFENDER
Registrant Type: WHOIS PRIVACY DEFENDER
Registrants...

Why show anything when you don't have to?

Re:Time for the anti UN comments...

[Hentes]

Care to explain how does the UN come into this? This is between the USA and the EU.

Re:Time for the anti UN comments...

[DigiShaman]

Not good enough. I want the UN completely dismantled and eliminated! The idea of a "UN" sounds nice, but now it's just a "StarWars Bar Scene" full of corrupt bureaucrats. It's like a form of democracy that votes in favor of tyranny. Freedom at the lowest common denominator.

Re:Time for the anti UN comments...

[xaxa]

Care to explain how does the UN come into this? This is between the USA and the EU.

My apologies, I read the article but had already assumed it was another item from the ITU meeting.

There were two articles earlier today mentioning the ITU:
http://politics.slashdot.org/story/12/10/10/1855223/is-mobile-broadband-a-luxury-or-a-human-right
http://tech.slashdot.org/story/12/10/10/1330218/following-huawei-report-us-rejects-un-telecom-proposals

Re:Time for the anti UN comments...

It's like the US Federal government? That is an impressive slur.

Re:Time for the anti UN comments...

[AdamWill]

"Why show anything when you don't have to?"

Because lots of blacklists of various types frown on domains that use those services, as they're often used by spammers and fraudsters. Hope you're not hosting a site or sending mail from that domain with the expectation that everyone will be able to see / receive it without trouble.

Re:Time for the anti UN comments...

[AdamWill]

Because Slashdot is forever banging on about how ICANN is great and the UN is threatening to take over the internet and should be stopped at all costs. About the fourteenth hilariously inaccurate article along these lines was posted earlier today.

Re:Time for the anti UN comments...

[Hentes]

But unless the UN indicates that it will respect whois privacy there is no reason to believe they would be better.

Re:Time for the anti UN comments...

Dear Matthew from London,

Although your .uk domain shows only your name, your .eu domain whois query returns full address and even phone number.

So much for EU privacy rights.

Re:Time for the anti UN comments...

"Hope you're not hosting a site or sending mail from that domain with the expectation that everyone will be able to see / receive it without trouble."

Not my experience. I own a (Whois Privacy Protection Service, Inc.) domain and host my own mail server since around 2000; not a single problem that I know of yet.

Re:Time for the anti UN comments...

Thanks for pointing that out.

I changed my address recently, and the registrar has also changed the organisation to "n/a", which has removed the privacy settings.

Re:Time for the anti UN comments...

[Stalks]

That's FUD. I've also hosted a mail server with domains using the WHOIS privacy feature for 10+ years and not had a single problem in sending or receiving mail.

Re:Time for the anti UN comments...

He's probably just pre-empting the fact that most Americans don't know what the difference between the two is and will rant on about both in their usual ignorant manner anyway.

Won't "private registrations" still continue?

[hawguy]

What's to stop companies from continuing the "private registration" feature that they already offer (often for a significant fee) to hide the domain owners name, address and other personal details? If the "owner" of the domain has to have their real contact info on file with the domain, then for customers that want to remain private GoDaddy and other registrars can "own" the domain with a contract giving exclusive use of the domain to whoever paid for the domain.

Re:Won't "private registrations" still continue?

[mysidia]

What's to stop companies from continuing the "private registration" feature that they already offer (often for a significant fee) to hide the domain owners name, address and other personal details?

Are you aware of the requirements that apply to domain registrars, including ones that implement that function?

Every domain registrar is Required to retain the WHOIS data, and all the pertinent details for all their customers, and make all that information available to organizations designated by ICANN.

Buying a private registration gets you a public WHOIS listing, but all your information is still available.

Unless you have a 3rd party registrar-unaffiliated proxy service, register the domain, own the domain in place of you, and provide their information to the registrar, instead of yours.

Then there's a risk, however, if the proxy service goes bankrupt: ownership of the domain could get included in the proxy services' assets and liquidated to pay creditors of the proxy service.

Re:Won't "private registrations" still continue?

[mrbester]

GANDI.NET doesn't charge. They provide a tick box to remove your details from public WHOIS and even encourage you to tick it. To hell with the nickel and dimers gouging you for basic functionality.

Re:Won't "private registrations" still continue?

[slashmojo]

often for a significant fee

Actually these days it is often provided free with the domain registration. See namecheap.com and internetbs.net for example.

Why would this get rid of spam?

[Anonymous+Brave+Guy]

That makes no sense, because many people can and routinely do send e-mail from the same domain.

This move is fairly directly contrary to the basic rules of privacy in the EU, and after the negative press that European governments have had over things like airline passenger and banking information recently, I don't see this getting very far. There's no compelling "fear the terrorists" or "catch the tax evaders" kind of argument with popular appeal here. The US authorities have no need to know my credit card number, and certainly no need to keep it for years, assuming it's even still valid by that time.

Make It Private

I personally don't mind having legitimate data associated to domains I own, but I don't like that my name, address, phone number, and email address is visible to everyone. I don't really think ICANN needs my credit card number, but it seems like just making only, say, the name, available publicly would be a better first step.

Re:Make It Private

[Alain+Williams]

Mod parent up I wonder who has lent on ICANN to ask for this ? Time for ICANN to be truly independent of any government.

Credit Card Information?

[Jason+Levine]

Why would you store credit card information in WHOIS? I already get mail from registrars wanting me to "renew" my domains (read Transfer them to them) for a "reduced rate" of $30 (I pay $12 a year). If the credit card information was in there as well, what would stop shady organizations from using that information for other scams? WHOIS certainly doesn't keep my physical address safe from scammers.

Re:Credit Card Information?

[MtHuurne]

There is no need at all to have a credit card associated with a domain. For example, I don't pay for my .org domain by credit card. In fact, here in the Netherlands a lot of people don't even have a credit card, since we have other payment systems that are cheaper and buying stuff on credit is not as common as in the US or UK.

Re:Credit Card Information?

[WaffleMonster]

Why would you store credit card information in WHOIS? I already get mail from registrars wanting me to "renew" my domains (read Transfer them to them) for a "reduced rate" of $30 (I pay $12 a year).

This is just another intentionally misleading headline. Card data is not going into whois.

The issue is requiring registrars to hang on to CC data so that governments would be able to "lawfully" request from the registrar if that registrar is operating within jurisdiction of said goverment.

Rather than addressing data retention standards with legislation as decided by each countries government...such as thru a billing passed by congress and signed by the president they are essentially attempting an end run around democractic process to get a desired outcome.

None if it is defensible...both ICANN and FTC are in the wrong regardless of what you feel about the issue of data retention.

Visa rules

[OldGunner]

I believe storing consumer credit/debit card data over 90 days is a direct violation of Visa International rules. I've been away for that stuff for a couple of years now, so I could be wrong.

Re:Visa rules

I've been away for that stuff for a couple of years now

I see you're allowed to use a computer again.

Re:Visa rules

Who says you have to use Visa or Mastercard? I think Quest sounds nice.

Read the truth about ICANN and the DNS

The rotten and corrupt Domain Name System.

It's a ruse

[damn_registrars]

ICANN doesn't give a rat's ass about the validity of data in WHOIS, and hasn't for a long time. Someone (perhaps in law enforcement?) probably put a little pressure on them something recently and now they are putting on a show. It will blow over soon enough and we'll be back to business as usual, with ever-increasingly-more-meaningless WHOIS data.

From my own experience I would say at least 80% of the records I have looked up in the past several months for extant domain names have had obfuscated information, protected by registrars who don't give a damn that their customers are conducting illegal activities (fraud, selling drugs, selling pirated software, sending spam, etc) through the domains that they sold them. ICANN doesn't give a shit about "protected" obfuscated domain names, and doesn't care about ones with blatantly false data, either.

ICANN just wants to make money. They'll either find a way to make more money with this, or - more likely - they will give it up once the pressure is off.

Re:It's a ruse

[tlhIngan]

ICANN doesn't give a rat's ass about the validity of data in WHOIS, and hasn't for a long time. Someone (perhaps in law enforcement?) probably put a little pressure on them something recently and now they are putting on a show.

Not law enforcement - they don't really care because if they need to, they can just ask and most registrars will just gladly hand it over. May take a warrant or so.

No, this would be for those who want that information but cannot obtain it like that - think the **AAs for that. Find a domain that if you follow this sort of path here through to this other site and this new host, eventually points to a 1 second sample of something that maybe possibly could be a piece of music - piracy! Just look up the contact information in WHOIS and sue them for copyright infringement!

No law enforcement needed - makes it all much easier and cheaper.

Plus think of who owns those pesky domains like "thepiratebay" or "wikileaks" - just have to make them do something that'll force them to turn over their domains...

Re:It's a ruse

ICANN doesn't give a rat's ass about the validity of data in WHOIS, and hasn't for a long time. Someone (perhaps in law enforcement?) probably put a little pressure on them something recently and now they are putting on a show.

Not law enforcement - they don't really care because if they need to, they can just ask and most registrars will just gladly hand it over. May take a warrant or so.

No, this would be for those who want that information but cannot obtain it like that - think the **AAs for that. Find a domain that if you follow this sort of path here through to this other site and this new host, eventually points to a 1 second sample of something that maybe possibly could be a piece of music - piracy! Just look up the contact information in WHOIS and sue them for copyright infringement!

No law enforcement needed - makes it all much easier and cheaper.

Plus think of who owns those pesky domains like "thepiratebay" or "wikileaks" - just have to make them do something that'll force them to turn over their domains...

You forget governments - including that pesky UN.

The UN and the two-bit dictators that control it have been pushing for quite a while to outlaw thought crimes like "blasphemy" - but of course only if Islam is the target.

Re:It's a ruse

The UN and the two-bit dictators that control it have been pushing for quite a while to outlaw thought crimes like "blasphemy"

No, they haven't.

Re:It's a ruse

Didn't they just collect a couple of million from their TLD expansion fiasco?

Re:It's a ruse

[damn_registrars]

Not law enforcement - they don't really care because if they need to, they can just ask and most registrars will just gladly hand it over. May take a warrant or so.

I disagree with you on this one. Registrars don't fear warrants from law enforcement in most cases, because in most cases the registrars who sell domains to people who are out to do things that violate (for example) US laws will be set up in countries where such laws do not exist. If the registrar is located in, say, China, and the warrant comes from the US, it goes right into the trash. Interpol doesn't give a damn either, they have bigger fish to fry.

A great example is the "Canadian Pharmacy" scam that we see all the time. The domains are usually .com, registered to an address in Russia (if the address isn't obfuscated by a service), by way of a registrar in Asia. The ISP for the IP address is generally in another former soviet country. Sure, they are breaking American laws (and probably laws in many other countries, too), but the American warrant doesn't mean shit to the registrar, ISP, or the owner of the web site.

Likely some group in law enforcement wants to see if there are any illegal domains that are registered to American addresses, so ICANN is pretending to care about the problem for a little while. By the end of the month they'll be back to their old game.

Stupid Question

[vga_init]

But isn't it technically possible for people to set up a free DNS or functionally equivalent service of their own, without any government or private regulations, and without necessarily charging [exorbitant] fees to use it? Everything else related to the web is open source...

Re:Stupid Question

[silas_moeckel]

Yup it's trivially easy to do on the technical side getting people to use it is another matter.

Re:Stupid Question

These exist today. Do a web search for "alternative root dns".

ICANN going batshit just in time for halloween

[WaffleMonster]

I love ICANN.. They require real contact information be stored in a public database or else your domain can be taken and resold and oh by the way registrars get to charge extra just to keep your identity in the public database safe.

All they are doing to address the sespool of automated domain capture, phishing and extortion activities upon expiration is truely amazing and inspiring.

I'm having trouble finding the words to express my appreciation for their infinite TLD program which has opened up new and exciting opportunities for name protection extortion, phishing and additional layers of government involvement.

ICANN is the only Internet body who consistantly errors on the side of unmitigated greed and selling out to governments. It has no soul and does not deserve to exist.

ICANN't stand USA take over the internet

This answers why EU wants less control of USA over the internet.
EU cares (more) about privacy that USA.

Hopefully we don't have to disclose (that much) information to register a domain and I hope it'll stay that way.

It'll be even better if (at your choice) you can hide all your personal information and only display a certificate proving that you're owning the domain.
=> You don't disclose your personal info (they're kept private by registrar) => no spam
=> But registrar can't fuck you ( = pretends he owns the domain) because he doesn't know the private key of certificate. And you'll have public whois info to track the certificate attached to the domain and if needed you'll be able to prove the certifcate is yours (and so is the domain)

> moves that are applauded by David Vladeck, director of the FTC's Bureau of Consumer Protection.

Consumer Protection's Director applauded ? Is he dumb ?

Re:ICANN't stand USA take over the internet

[bobbied]

This answers why EU wants less control of USA over the internet. EU cares (more) about privacy that USA.

Privacy on the internet? You can't be serious.... If you expect privacy on the internet you are fooling yourself. Data passes though too many hands and too many servers and too many countries to remain private every time you expect it. You can encrypt the payloads and use proxies to make it hard to track you, but the information is still bouncing around out there and somebody could, if they wanted too bad enough, find you or decrypt your data.

Privacy online is an illusion, even if a law claims privacy online is a right.

Re:ICANN't stand USA take over the internet

> Privacy on the internet? You can't be serious...

You may want to run a domain without being a facebook dumbass.

> You can encrypt the payloads and use proxies to make it hard to track you, but the information is still bouncing around out there and somebody could, if they wanted too bad enough, find you or decrypt your data.

I asked about privacy. I don't ask about "running a darknet in a unfriendly country so that NSA can't find me".

Why the hell should that much information go into the whois ? So that anybody can spam you ?

Because it's difficult doesn't mean one should not do its best to enforce privacy.

Insecure

[Alioth]

Credit cards are fundamentally insecure (the fact you can get money off one by merely knowing the number on the front and the expiry date and a couple of other trivially easy to find bits of information - all of which will be in the whois database). ICANN should think hard - do they really want to be held responsible when the inevitable breach occurs? Do they really want to have to implement PCI-DSS for the networks and systems holding whois data? The decision to hold credit card data in whois is likely to be something that is regretted fairly quickly.

Real Solution?

[bobbied]

If you really don't want to give up all this data to the whois directory, just forgo having a domain... Simple as that.

If you really *must* have a domain and you are worried about privacy, prepaid credit cards, prepaid phones, a P.O. box and throw away E-mail account are pretty easy to obtain these days, but that is only necessary if you don't trust who you buy the domain from and they refuse to be the whois contacts for you.

If anybody really is still worried about their privacy, I'll be happy to proxy their registrations for costs plus a fee and if you want I can arrange to accept cash and/or money orders. Of course, I'll have to know who you are and I'll be the one who officially owns the domain....

Re:Real Solution?

[Gonoff]

If you really don't want to give up all this data to the whois directory, just forgo having a domain... Simple as that

Or alternatively, use a registrar in Europe. Not proof against a warrant. That is fine. Just a little less of my info where the spammers MAFIAA and other criminal organisations can easily see it. No doubt, there is still plenty out there but "every little helps".

Re:Real Solution?

[bobbied]

Doesn't SeaLand register domains?

Re:Real Solution?

[Gonoff]

They be undergoing national mourning. Their king just died...

WhoCares

[PPH]

All the domains are owned (on behalf of their customers) by GoDaddy anyway.

WTB "EUANN" PST

Enough of "pew pew pew 'merica"...

holding credit card

isn't holding credit card number after transaction a violation of ifc? or something?

isn't that what cause sony to apologize to milions?

what is this uselss idea?

Re:holding credit card

[gl4ss]

isn't holding credit card number after transaction a violation of ifc? or something?

isn't that what cause sony to apologize to milions?

what is this uselss idea?

yeah. but why do you think ftc is aware of such?

Well screw them....

[3seas]

... for I can think... Therefor I AM! And that is who is I.

The most hacked database on earth

[Big+Hairy+Ian]

Do we really want it holding CC details when best practices are not to store them unless you are the bank involved in the transaction!!