Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Error Leaks Website Owners' Personal Information

Posted by Soulskill on from the users-registering-their-unhappiness dept.

itwbennett writes: A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private. The privacy breach involves whois, a database that contains contact information for people who've bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee. But Craig Williams, senior technical leader for Cisco's Talos research group, discovered that the privacy settings for domain names registered through the company eNom were being turned off right at the time when the domains were up for renewal, starting around mid-2013. Williams contacted Google, and in about six days the privacy settings had been restored. In a notice, Google blamed a "software defect." Cisco said in a blog post that some 282,867 domains were affected.

42 comments

  1. They want to by Anonymous Coward · · Score: -1

    watch you kill yourself

  2. Typical Blame game by eedwardsjr · · Score: 2

    "Google blamed a “software defect.” Company officials could not immediately be reached". That sounds about right.

    1. Re:Typical Blame game by OverlordQ · · Score: 2

      Of course Google couldn't be reached, have you ever tried getting support for anything?

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Typical Blame game by Anonymous Coward · · Score: 4, Funny

      Obviously this is a defect! Why in the world would Google make all that personal information available for free?

    3. Re:Typical Blame game by Anonymous Coward · · Score: 1

      Yeah. I pay for my gmail service. I an talk to someone in about 5 minutes.

    4. Re:Typical Blame game by MagickalMyst · · Score: 1

      "Software defect" aka NSA exploit?

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    5. Re:Typical Blame game by krept · · Score: 1

      For WHOIS info?

      --
      None of us know everything. Therefore we're all naïve.
    6. Re:Typical Blame game by Anonymous Coward · · Score: 0

      Heh, you never know.

    7. Re:Typical Blame game by snowgirl · · Score: 1

      In other news, the phone book has released hojillions of people's names, addresses and phone numbers.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  3. Leak? by pooh666 · · Score: 1

    You shouldn't even be allowed to hide who you are when you own a domain.

    1. Re:Leak? by Anonymous Coward · · Score: -1

      Please kill yourself

    2. Re:Leak? by Richard_at_work · · Score: 3, Interesting

      And why not? Why shouldn't domain owners have privacy?

    3. Re:Leak? by Anonymous Coward · · Score: 0

      He told us he was hardcore.

    4. Re:Leak? by Anonymous Coward · · Score: 0

      True. This *could* literally get people killed. Privacy protections exist for a reason.

    5. Re:Leak? by Anonymous Coward · · Score: -1

      you cant use domains for art without privacy.i have no idea ppl who think like OP, please be troll or dumb nigger

    6. Re:Leak? by Akili · · Score: 3, Insightful

      I've certainly had the same thought.

      There are times I actually try to find the owner of a domain, only to find them hidden behind a proxy registration. Some owners have forgotten their info to manage their proxied domains, leaving me unable to trivially verify if the site is still theirs when helping them.

      There is a risk involved with having a valid address on file for domain ownership, though. Can't ignore that. I have a private domain and my information is not protected, and I have yet to be antagonized by crazed axe murderers, but it's a risk I'm choosing to take. I can say that other than a snail mail scam letter once or twice a year, all the other email crap gets filtered with the rest of my generic email spam.

      If someone wants to commercialize registering domains by proxy... well, that's free enterprise. The proxy owner might find a way to claim the domain is theirs if they want to be jerks later, but contract law might cover those situations, since the actual owner is likely to have documentation indicating the proxy arrangement.

      Here's another scenario... if the original owner accidentally allows the domain to expire, can the proxy site choose to register the name itself, and only sell it back to the owner at whatever price they want to ask? The registrar itself (generally) doesn't care, but the domain proxy service now knows the name was valuable enough to someone to pay for protecting it.

      Anyway. I'd still prefer to leave it public, but I can understand those that are reluctant to do the same.

    7. Re:Leak? by sumdumass · · Score: 4, Informative

      Yup. They should have as much privacy as any home owner, car owner, anyone who has been party of a court case, holds a business license, contributes to political actions in the state of california and i'm sure a lot of other activities subject to public records searches.

      But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

    8. Re:Leak? by Anonymous Coward · · Score: 0

      And you shouldn't be able to hide who you are when browsing the internet.

    9. Re:Leak? by Zedrick · · Score: 1

      It's not (not for the gTLD's). People who are anonymous either uses fake information in the whois, or (more likely) doesn't actually own the domain. Which can cause some interesting situations when they want to transfer the domain, and the proxy-service that actually owns it doesn't cooperate.

    10. Re:Leak? by Obfuscant · · Score: 1

      Here's another scenario... if the original owner accidentally allows the domain to expire, can the proxy site choose to register the name itself, and only sell it back to the owner at whatever price they want to ask?

      Why not? If private individuals can do that, why not a company? I let a domain I wasn't using expire. It was snapped up by a speculator who sent me a couple of emails or letters (I forget) offering me the name back for a fee. I ignored him and he eventually went away.

    11. Re:Leak? by Akili · · Score: 1

      It certainly helps if you don't care to get the domain back!

      If someone is watching a given domain to pounce it as soon as it expires, there's really nothing to be done aside from not allowing it to expire. But the proxy company could potentially do so as a matter of automation, since they already have the domain on file along with other information about it. So while you may ordinarily have a grace period of a few days before anyone notices - purely by chance, of course - you might not have it in this case.

      Anyway, the question wasn't really meant to have an answer as such, because - as you pretty much point out - the answer is 'yes, they totally can, as can anyone else'. It's more an advisory phrasing of 'if you use a proxy domain service, be aware that this is something they could legally do, as they already know you and the value of the domain to you'.

    12. Re:Leak? by ShaunC · · Score: 4, Insightful

      But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

      Maybe I'm reading you wrong, but my understanding is you feel that a domain owner's personal information should be clearly available in WHOIS. I disagree.

      If you as the owner of a domain are party to a court case involving that domain, whether due to your operation of a business using that domain or for any other cause of action, your ownership will become public record during the legal proceedings, regardless of your domain registration preferences. It's not as if WHOIS privacy protection somehow makes the registered owner truly anonymous.

      Do you drive a car? If so, I presume it displays a license plate. The license plate doesn't contain your name, your address, your phone number, or any other personally identifying information (unless perhaps you've volunteered the info by registering a vanity tag). Suppose one day you do something in traffic which another driver perceives as an asshole move, and they become enraged. Like, "I want to kill that person" enraged. They can't just go home and type `whois [your tag]` and get all of your personal information. That's a good thing, right?

      If you've committed a crime, the police have access to that data and are able to unmask you in order to enforce the law. But Joe Random, who has become upset at you for some reason and wishes to do you harm, isn't readily able to derive your personal information from your car's license plate. Why should your domain name be any different? If you make a post on your blog that offends someone, should that person be able to look up your full name and address and do who-knows-what?

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    13. Re:Leak? by Richard_at_work · · Score: 1

      Tell me where I can submit a free request and get back full ownership details for either a building or a vehicle - both of those are restricted in the UK.

    14. Re:Leak? by sumdumass · · Score: 2

      In the USA, the county auditors office will give you a listing of the homes, owners, purchase price, current tax appraised value and much more. Often this is online and available from anywhere in the world. For instance, you can go to

      http://property.franklincounty...

      which is the county auditors office property page for Franklin county Ohio (Columbus Ohio area). You can select search, then by any means you have and gain access to the property records. For instance, I searched for willis under the search by owner, then double clicked the first one that popped up, selected detailed and saw lot size, number of buildings, assessed value, taxes paid, taxes owned, owner's name and address, number of buildings and so on.

      For vehicles, it's a little less easy and you need a reason. You need to know the V.I.N number and I have yet to find an automated system that doesn't require an access fee. But you can go to the title office for the county and search the vin number to get a copy of the title information. On it, it will list the current owner of record, previous owner of record, the last mileage reading when it was transferred to the current owner, type and style including color of the vehicle when registered and the last license plate number issued to the car.

      I guess you can get the information from the state DMV also. This article shows the claims on that.

      http://www.ehow.com/how_731172...

      I have never went to the DMV directly for this information and it has been probably more than 10 years since I needed to (Used to repossess cars). With the new camers in use, this information is easier to collect but it still costs a fee.

    15. Re:Leak? by CyprusBlue113 · · Score: 1

      But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

      Maybe I'm reading you wrong, but my understanding is you feel that a domain owner's personal information should be clearly available in WHOIS. I disagree.

      If you as the owner of a domain are party to a court case involving that domain, whether due to your operation of a business using that domain or for any other cause of action, your ownership will become public record during the legal proceedings, regardless of your domain registration preferences. It's not as if WHOIS privacy protection somehow makes the registered owner truly anonymous.

      Do you drive a car? If so, I presume it displays a license plate. The license plate doesn't contain your name, your address, your phone number, or any other personally identifying information (unless perhaps you've volunteered the info by registering a vanity tag). Suppose one day you do something in traffic which another driver perceives as an asshole move, and they become enraged. Like, "I want to kill that person" enraged. They can't just go home and type `whois [your tag]` and get all of your personal information. That's a good thing, right?

      If you've committed a crime, the police have access to that data and are able to unmask you in order to enforce the law. But Joe Random, who has become upset at you for some reason and wishes to do you harm, isn't readily able to derive your personal information from your car's license plate. Why should your domain name be any different? If you make a post on your blog that offends someone, should that person be able to look up your full name and address and do who-knows-what?

      What? All of those things that person listed are public records that can be looked up if you go to the clerk's office and spend about $20. That was the point. You can even just look some of them up now on the web, although it usually is behind a small paywall.

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya
  4. About hiding whois info by The_Informant · · Score: -1, Flamebait

    This should not be private info for a business. Unless it's a large well-known company, I wouldn't do business with a small company that hides their identity. Not even sure if you are allowed to hide registration info in .org non-profit domains.

    1. Re:About hiding whois info by phantomfive · · Score: 2

      Not even sure if you are allowed to hide registration info in .org non-profit domains.

      You aren't allowed to hide registration info for any standard domain. If you want to hide it, you have to hire a company (or someone) to register the name for you, to receive all mail, and forward all email to you. Of course, there are plenty of companies who are happy to do this for anyone.....for a fee. And that's how it works.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:About hiding whois info by Roman+Mamedov · · Score: 1

      You aren't allowed to hide registration info for any standard domain

      .ru is not a standard enough domain I guess? It is enforced by law that the real name or any other details of a person registering the domain must not be public. I believe there are some other TLDs are like that too.

  5. Once again by Anonymous Coward · · Score: 0

    We have one more reason to abolish DNS and find and alternative that nobody can control like this. We must free the internet from corporate control, at all costs!

    1. Re:Once again by Anonymous Coward · · Score: 0

      Life or limb? Go get started buddy. Ill keep my $30 a year po box :)

  6. Number affected by Anonymous Coward · · Score: 2, Funny

    So it's like 4 people then?

  7. So is Google gonna pay back the "extra fee"? by Anonymous Coward · · Score: 0

    and maybe even other damages?

    1. Re:So is Google gonna pay back the "extra fee"? by Anonymous Coward · · Score: 0

      Free drive space a special beta invite to a new, premium google+ account!

    2. Re: So is Google gonna pay back the "extra fee"? by Anonymous Coward · · Score: 0

      They have already contacted everyone affected.

  8. I saw this coming by Anonymous Coward · · Score: -1

    I saw it cumming with my Gewgle Glassez, folks.

  9. Whoops by Anonymous Coward · · Score: 0

    Another brick goes from the crumbling trust-wall.

  10. Google the once great? by Anonymous Coward · · Score: -1

    Another slip up, failure from these bloated dolts

  11. Yes you should by Anonymous Coward · · Score: 0

    You shouldn't even be allowed to hide who you are when you own a domain.

    I once owned a domain and someone posted something anonymously. A couple of "geniuses" did a whois and concluded that I was the author - and posted that I was the author.

    It wasn't very controversial - luckily for me! - but it taught me a valuable lesson: if I am going to own a domain, I'm gonna hide behind corporate entities.

    YES - I DO understand where you are coming from since there are so many assholes on the web who SHOULD be outed.

    All I'm saying is that people do not know the difference between the website owner and editorial content or any content.

    I don't blame Dice for your comment and why should you blame them for mine?

    Then again, I do blame Rupert Murdoch for the content on Fox.com

    Well, then. This shows that I have no clue what I am talking about.

    Go after CowboyNeal - he is at fault and on the lamb!

  12. Sure, sure, it was an accident by Anonymous Coward · · Score: 0

    Bull$#!t

  13. Well, how bad could it be? by Actually,+I+do+RTFA · · Score: 1

    There's not much scary here. I mean, it's not like Google has more sensitive information than domain registrations about every person ever. I'm glad that such information is so secure it only takes a minor bug to reveal it to the world. I feel so safe.

    --
    Your ad here. Ask me how!
  14. Mother’s Day Flower Delivery in Seoul by Anonymous Coward · · Score: -1

    Astonish your mother by sending these exquisite arrangements of Flowers and Gifts on this Mother’s Day. Send Mother's Day Gift to Seoul and gain appreciation for your choice. You can also order for Mother’s Day Flower Delivery in Seoul and spread the aura of your affection and warm regards.

  15. Dont get it. by Anonymous Coward · · Score: 0

    So enom is exposing the data. How does Google come into all this?