The long-running attempt by privacy advocates to bin the Whois database will be up for vote at the ICANN meeting in Los Angeles tomorrow. Cheerleaders for the six-year-old "sunset proposal" say people shouldn't be required to give up personal information to the web to register a domain name. It is frequently abused by spammers …
I'm curious what the alternative to the current whois system would be. I work for a hosting company and (unfortunately) have to deal with transferring our clients domains around, and therefore use whois constantly to see where a domain is held, or who the admin contact is or what nameservers it's using.
How would a new system work? Especially in regards to the admin contact of .com domains. Most of clients I deal with are completely clueless about their domain, so a whois can find the address of where a transfer confirmation email has been sent, how would this info be available in a new system, and without handing to spammers on a plate?
What a load of crock...
Consider that the internet is a business.
You want to create a domain, then you need to register the domain.
This means that you need to be identifiable in case of emergencies like you've been hacked and a lot of spam is spewing from your network.
Or if you suspect something suspicious on their network you need to call them rather than try e-mail (like people read e-mail to their admin accounts.... ;-)
Sorry, but the whois database is still a necessary tool. Don't expect privacy unless you want to have more government intervention.
I don't know about this, maybe the privacy guys are right.
But I find it quite useful to be able to check a suspicious email header for the IP (which, I know, can be forged) and do a quick whois to see whether it at least came from where it was supposed to have come. I mean, my people down there in Brazil don't have IP's registered in Shanghai, right?
Same for the weblogs...
Or do I misunderstand the issue?
What replaces whois?
Like 'J', I use whois to verify my suspicions about dodgy looking domains, mostly those used as part of phishing expeditions or to support fraudulent products. I've yet to see a legit domain with non-existent contact details or unexpected ones. Nonexistent, misleading or unexpected contact details seem to be a hallmark of suspicious domains:
- phishing websites tend to be on machines belonging to unrelated domains in unexpected countries
- fraudulent websites compound the lack of on-site contact details by using proxy owners whose only business seems to be that of hiding the actual domain owner's identity.
I know of two proxy owner businesses, one in Arizona and the other in Australia. There are bound to be more that I don't know about. Howinhell am I supposed to make such checks if whois is withdrawn?
Can spammers really use a whois database to extract lists of contact details? Somehow I doubt it. You have to know the exact domain name or IP address before you can retrieve the details, which would seem to make the database fairly useless to a spammer.
I think the privacy wonks are machinegunning their own foot off with this one. If it goes through we'll all loose the ability to track scammers, phishers and dodgy companies. However, you can guarantee that our so-called lords and masters will still be able to use something similar to find us.
In case of emergency ... pull the other one.
"This means that you need to be identifiable in case of emergencies like you've been hacked and a lot of spam is spewing from your network."
Surely, its your web host that needs to be identifiable ... and responsive.
To deal with an emergency, only the web host needs to know how to contact the domain owner.
Indeed, they don't even need to know that ... but it would be polite to let them know they're being disconnected, why, and what they need to do before they can be reconnected.
Criminals and spammers must be dancing with joy. Now they don't have to worry about their domains being shut down or traced back to them. ICANN is often the only authority to shut down criminal domains - because the registration contacts are fake. Chinese and Russian service providers couldn't care any less about what their customers are doing. US service providers might even want a cut of the "we don't know who you are and won't check" business now that one more layer of accountability is gone. Time to dust off that MCI logo.
I believe they want to remove only the requirement that you publish your personal home address, etc. When you register a domain, why does the whole world need to know your home address and phone number? Any technical problems would go to the Technical contact or the hosting company.
There are generally two types of domain owners :
The problem for individuals is that their home address and phone number are freely distributed. If their server is hacked and spewing spam they aren't going to have admin rights to be able to do anything about it - they're users on hosts that serve hundreds of domains.
The registrant details should be hidden, the administrative contact details should not. That means if I register a domain and stick a blog on it about how much I hate X, you can't find my home address and come and beat me up because you love X (or are in fact X). However if you need to contact someone about the domain you can contact my hosting provider who is the administrative contact and has the ability to do something. Capisce?
A domain is simply our "property", our "real estate" on the internet, right? Here in the U.S. (not sure about elsewhere) you have to publicly register your real estate holdings. That means that all houses and businesses have their owners' name and address in public records. Why should the internet be any different?
Pros for whois: Used for domain info/transfers (as stated above), used for finding out the owner of a domain (to see if it's a known "bad guy", or to see if the same company owns two domains, for example), to find contact information for the domain's administrator (to report abuse, spam, problems with their web pages, etc).
Cons for whois: Used by spammers for address harvesting, and "I wanna remain anonymous!".
The pros seriously outweigh the cons, in my opinion. While I understand people's desire to be anonymous on the internet, it'll never happen. You are never anonymous. Give up the illusion now. WHOIS is far too beneficial to simply get rid of it in an attempt to keep up the illusion of anonymity.
UK domain has privacy for individuals
Nominet, who administer the .co.uk domains, have for several years now allowed private individuals (not companies) to remove their contact details (address, email, phone) from public view though not their full name. You can still see details such as nameservers and registrar.
I hope this doens't pass, its a golden ticket for typosquatters, spammers and malware distributers to do what they please with more anonymity.
Er great - NOT
I run a business selling imported stuff over the net. Therefore I use a fair few manufacturers on the other side of the world, and when I'm dealing with a new company I find the whois register VERY helpful. Generally scam-site owners screw something up on their domain registration, whether it be that it's registered to an individual as opposed to a business, or the phone number being based in the wrong part of China (or even a different country altogether). Those phone numbers are bloody useful for calling up sometimes, too!
So what the fuck am I supposed to do as a "quick" scam check? Sure I would normally go and use one of various company registration sites (equivalents of the UK WebCHeck service provided by Companies House), but with WHOIS it's often enough.
domain names, ip allocations, and accountability
It's already possible to find a point of contact for most Internet hosts, whether or not a given host is associated with a domain name, and whether or not that domain is in whois. The IP allocation Whois services run by ARIN, RIPE, RIPN, APNIC, etc., provide this service.
No one is proposing to abolish IP allocation Whois services, so we're not talking about a total loss of accountability. IP Whois records are even somewhat trustworthy, since their records arise directly from IP allocation activities, and projects like Complete Whois actively and successfully hunt down hijacked allocations. Compare this with domain registries, most of which will place in Whois whatever information the domain buyer provides, with little or no interest in its authenticity.
That said, the allocations listed on IP Whois servers are often large, and contacting big providers is generally less effective than contacting their smaller server-operating customers directly. So any legitimate domain owner would I'm sure gladly opt-in to domain name Whois, in the interest of hearing about any problems they're causing before their ISP does. This is the very purpose of domain name Whois. Its total loss would be a setback for communications, but not some disaster for accountability.
I'd be happy to see domain name Whois become an opt-in affair, since nobody trusts it (or should) anyway.
The whole system of whois etc is...
dictated by an underlying wish of the authorities ,whether that be police, government etc etc to remain in 100% control of the ordinary man on the street. Lets not beat about the bush, Governments maintain control over the population by ensuring that they know everything that everyone does as best they can. I personally think that both Nominet and ICANN cowtow to the wishes of the authorities and that is why certain rules are made as regards keeping complete records of people registering domain names and them having access to it.
I dont think that many people realise how this whole system works ,but one can be sure that Nominet in particular do what Government bodies and big business want, even of that means ignoring the man on the street.
how are we going to lookup who already owns a domain to buy it from them...i have bought over 30 domains from people that all had them re-registered and i used whois to get there details as there was no website. how would we get this otherwise?!
I say keep it with an opt-out.
Reputable companies should be displayed. Private individuals with young children shouldn't. How hard is it to work out?
RE: Martin Gregorie
Can spammers really use the WHOIS database to extract information? YES
Do they need detailed hostnames? NO
On Linux/Unix/Mac systems, a whois command line utility is readily available, brute force lookups are very easy to script, and even if the WHOIS utility is not available, it is very (for most) easy to write a script that connects directly to the WHOIS servers to fetch the information.
As others mentioned earlier, this is the really crucial point. I manage a huge website that gets phished or otherwise abused often. It is absolutely imperative that I can look up and contact the owner of the given domain, be it registered in the the States, in the UK or anywhere else in the world. I think there should be a valid email and a valid phone number for each and every domain in the WHOIS databases. And I would make it mandatory for people to check and respond to these addresses 24/7, or else.
Look, if you want to be present somewhere 24/7, that comes with responsibility. I don't care if you're a multinational corporation or an individual, you're on the internet, and please provide a way for your neighbours to contact you. Guess you do want them to put out the fire when you're not at home, right?
...actually a domain is more akin to a mailbox than 'real estate'. All it does is point people to where your actual real estate is, or in the more simplified cases, provides a route for information to be directed to you.
I completely agree with the majority of comments above - as an email/web hosting provider I frequently use whois for a multitude of reasons. There definitely needs to be a certain amount of information about the registrant available. There is no point having a record which identifies only the technical contact - thats often a dead-end in the case of dubious domains. I think I disagree about 'private individuals' - as spammers and fraudsters are not all that often companies or organisations.
How do you deal with cyber squatters?
Here's the situation. Customer makes a mistake (not sure exactly what went on, but that's not the issue) and loses domain. Within minutes, it's registered by someone else. Now, the domain name uses a registered trademark. So our first step is to send a cease and desist letter. Without whois, how do we know who to contact? Not that I believe the contact information to be truthful, but that would make our case at URDP stronger.
But we need whois as a first step.
As a person who currently owns three domains I have not had a single dodgy email to any of the contact addresses in five years. Ever. Nor have I received anything at my home or business mailing addresses. While I do not think that the listing of home addresses is a good thing, especially in the cases of sites that hold opinions of things (good or bad), I can see no reason to withhold administrative and technical contact information, or even nameservers etc. The usefulness of such information can be very valuable. Recently I notified a domain owner that their mailserver was spewing virus-packed spam, and they thanked me for letting them know. The next email I got from that domain was clean by the way...
Changing? Bad thing
They can look me up, I can look them up, I think it's fair trade.
Really, I think it should remain transparent as much as possible to keep domain owners and other competent people responsible. Are you unable to justify/ stand up for actions/content related to your domain? Your bad and YOUR RESPONSIBILITY until proven otherwise....
Young children? I think that's "tad" offtopic, what's the difference between individuals with and without young children regarding this topic?
We're all minions
All the admins who collectively run the internet, via their distributed-computig brains, need whois as a service, to sort out the administrative side of things. Most small/medium website owners are bewildered by even the menton of DNS...
Ditch whois, and it's all a bit buggered really.
don't open a business on main street to be anonymous
someone explain to me again the purpose of registering a domain for yourself.
Obviously you post stuff on the internet to get information out there, but now people have a problem that information is accessible?
whois just just helps identify some who are to dodgy to own up to their stuff directly on their site.
Make it cost for the scammers
Why not use what Companies House (UK) does? Or what company credit check agencies do? Simply give enough info for free and if you really need to know more then you have to pay.
Organisations that need to know information on many domains can benefit from price breaks on quantity or use an agency similar to D&B do for company information. It is the completely free nature of getting what some may call sensitive information that is the root of most of the problems.
It's not a complete solution but solves 90% of the problem.
If you really don't want to pay, then chances are that contact data will be on the www host for the domain.
Let's hope ICANN see sense.... There's no reason to remove these details from public access. It's not like they are that useful to scammers, etc.
So you are a paranoid moron... WTF are you wanting a domain for? If you are so paranoid about things that your street address in a little used database is a concern, why are you not too paranoid about having the internet in the first place?
I would like ICANN to start actually enforcing proper details on the registrant page. Not necessarily publishing them on Whois, but actually pulling the rug from entries that are inexact or incomplete.
But of course, that would mean the ICANN actually checks the stuff - and I seriously doubt that that gets done unless there's a complaint (and even if, it'll be the honest mistake that'll get sanctioned nine times out of ten, while the visibly bogus entry will sail by unscathed).
I have about six domains registered for personal use. Half are "co.uk" domains which i can opt out of showing my details:
The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.
Pipex Communications UK Ltd t/a 123-Reg.co.uk [Tag = 123-REG] URL: http://www.123-reg.co.uk
Whats wrong with doing the same for .com/.net/.org?
If you need to find where i live or contact me then you contact my registrar as they have to keep my details on record for billing purposes
How is this going to affect blocklists and the RIAA ? Will they be allowed to know who you are but not vice versa?
Re: don't open a business on main street to be anonymous
What about private individuals with opinions?
I realise that it is probably possible to find the home addresses or Reg correspondents -- but I'm sure that some will be tough to get. Why? because they don't want every humourless nut-job in the world ordering pizza or builder's skips for them -- or worse.
If you're the owner of a website that's anti-religion, or for animal testing, would you want your home address published for all to see? Honestly?
A lesser example is a forum I happen to be a member of -- where we express out opinions quite strongly on a number of topics. Most of us, the webmaster included, would rather remain relatively untraceable to those reading the site -- this is a site "having a laugh" yet members have received threats of violence, and it is clear that the owner would have had property damaged, at the very least, were his real address published.
and the non-scammers?
I use Whois all the time, most recently to look up a website that was infringing my copyright. If I had to pay every time someone did this I'd be out of pocket for no good reason.
Has anyone bothered to survey domain owners to figure out how much of a problem the Whois details can pose? In practical terms, how many of us are bombarded with spam that comes from the Whois database rather than from other sources? How many of us get stalked by weirdos, and how many get blacklisted by insurance companies or excluded from jobs because our websites give too much away about our lifestyles or our political views, and the Whois details mean that it we can't be anonymous?
Whois has many legitimate uses. How many people are badly affected by the loss of a certain amount of privacy? I want numbers.
"And I would make it mandatory for people to check and respond to these addresses 24/7, or else."
Effectively making it impossible for an individual to run a website unless they are prepared to man a phone line 24/7 - most companies wouldn't even do that.
Also, any individual who wanted to complain about a large company would find themselves inundated with phone calls at all hours of the day and night. The instant they failed to respond to a call, the company would demand that the site be taken down.
If it's OK for individuals to opt-out of .co.uk...
...it should be OK for individuals to opt out of .com domains - my personal home address details are available online for all to see for my .com registered domain, which is a pain in the @rse and something I'm not allowed to supress, yet this is possible if I had a .co.uk domain.
If anyone wishes to contact me they can go through my administrator, they know who I am and there is absolutely no need for my personal details to be available and visible to all. At most, put up my name and an email address but not my home address. For businesses though, a company address should be visible.
@ Make it cost for the scammers
Not very hypothetical situation...
I have maintained the website of a charitable organisation for about 18 months and during this time we have been spammed out of site by the usual Lads, bogus banks and penis pill purveyors. One of the guilty parties appears to be a compromised machine belonging to a .mil domain....
Thanks to whois I can at least take steps to contact a human being..... without whois, who knows..... Given the dearth of budget for things like backup media around here, would I be willing to consider it if there was a cost attached.
Doing away with whois does away with accountability for the usual suspects, and sensible means of contact for compromised innocent (if occasionally careless) parties.
As a person who supports the privacy I appreciate the concerns, but am very much aware that this proposal threatens to chuck out the baby with the bath water, making life much more difficult than it needs to be by removing another level of accountability and yet more contact data.
Ever emailed an abuse@ address for a decent sized org ? Ever received a reply ? In 11 years, I believe I have received precisely two, one from a UK university who were glad to know they had a compromised server, one from an ISP, a customer of whom was using their service to be an anti social script kiddie. The ISP in question shut them down because of the history of complaints. Often though abuse@ appears to simply drop into /dev/null. Polite, honest phone calls tend to yield more immediate results.
The usual suspects don't need their life made any easier, and we don't need ours made any harder.
When I needed to update some details on my domain-name registration, the hosting company insisted that I provide physical ID (driving license etc) with name and address details matching the existing WHOIS record.
While I suspect not all companies are as cautious, it does provide the possibility of ensuring "meddlers" aren't granted easy-access to high-value registrations. Without personal ID in the WHOIS, such verification would be much more difficult.
Whois protects the innocent, too
I've been spending the last couple weeks tracking down spam websites that have been registered using real people's contact info and in at least some cases, paid for using their real credit/debit card numbers. If I had to go through the registrars, I would have gotten nowhere, because I can tell you they aren't terribly quick to respond even when faced with documentation that they have a fraudulent registration.
The spammer got these folks' names, addresses, and phone numbers without the help of a whois database. It's the whois database that allowed a volunteer like me to alert them to the identity theft.
Whois is important
Remember a lot of CA's use the WHOIS records as part of their validation process before issuing SSL certs, to try and confirm the owner of the domain etc
well, this might work
"And I would make it mandatory for people to check and respond to these addresses 24/7, or else."
... if the contact information is that of the hosting company. They can relay communication to the client and, more importantly, are in a way responsible for running the website, or mail server, on behalf of a client.
In other words : technical contact *must* be there available and working. But I do not think there is a good reason to publish personal information, if the domain name is a personal property.
Re: If It's OK for individuals....
opting out yes...but we are discussing the removal of the database all together here. If the whois details are removed we wont be able to find your admin details and secondly your administrator e.g. the registrar or whoever you put won't give personal details out to some randomer needing them
Email and Name is all that is required and SHOULD be required
Privacy & lazy admins
As a private individual, why the hell should I be forced to give out my personal contact details to every muppet on the internet who wants them? Apart from preventing a mass of spam, both electronic and postal, being able to hide my contact details in the WHOIS results of my .co.uk domains helps to prevent fraud. Surely no one here would be stupid enough to go posting their home address and phone number on a website forum somewhere, so why should WHOIS be any different.
For companies it's completely different. The registrant details point generally to a companies head office, probably listing the MD or IT Managers name, but there's no information there that you couldn't find just as easily by checking Companies House. You're not getting the home address and phone number of the MD. Besides, in the UK at least all companies are required to have their company contact details listed on their site(s), so listing them in WHOIS as well makes no difference.
In terms of tracking down dodgy sites, how does WHOIS actually help? Since the information submitted when the domain is registered is never authenticated by the registrar or registry, there's no way to be sure that it is genuine. There's nothing to stop me from registering a domain name with bogus details, hell, if I registered micro5oft.com, and set the registered address as a certain location in Redmond, would that somehow make it legitimately connected with MS?
It sounds to me as if all those people talking against this are just being lazy, and can't be bothered to use the correct tools for the job. If there's an issue with content coming from an IP which a domain points to, it's the ISP responsible for the IP that should be contacted, not the domain owner. In many cases where you're dealing with small companies, contacting the registrant direct would be pointless, especially for something like suspicious network activity, as they wouldn't know what you are talking about. All that would happen is that they would then need to pass on the message to their ISP to deal with, thus taking more time to resolve the issue than if you'd just gone straight to the ISP in the first place.
ICANN should adopt the same method as Nominet, plain and simple. (and while they're at it they should switch to Nominet's method of IPSTAG's which makes far more sense that the alternatives, which require all kinds of domain locks to keep secure!)
Spammers are unlikely to use a personal registered domain if they are trying to sell you something so Opt Out for individuals should still stand as a reasonable solution.
If the registrar is any good you should get a response within a reasonable time scale generally less than 24 hours. if you do not get a response complain to ICANN and get the registrar's license revoked.
It just takes a bit of patience. :-)
Re: Privacy & lazy admins
Or how about dont enter the online BUSINESS world if you want to be a private person. If you are serious about NOT wasting peoples time and have a decent website contact details shouldn't be a problem. Thats the problem with the internet...too many people trying to get a website when they have NO need for it and aren't in proper business.
as said yes contact address should be hidden but lets face it...if people wanted your details people could easily find them from land registry's and other sources so by hidding it...it wont change SPAM, etc to a significant level. email and contact name should be a minimum. its another thing for people in high levels of domain management to sit and argue about over a cup of coffee
Re: In case of emergency ... pull the other one.
I am my own web host, genius. So is IBM. So is AT&T. So is Verizon. So is ... well, pick a business, almost any business, with an Internet-savvy CIO.
It's already damned hard to get in contact with anyone who can do something about a zombie server at a large corporation. You want to make it impossible.
This is one of the most idiotic ideas I've ever seen come down the pike.
And one last thing to yet another anonymous coward: SPAM (in all caps) is a trademark owned by Hormel Corporation. You violated International law by posting it without proper attribution. Spam (in mixed or all-lower case) is junk email. Why don't you learn WTF you're posting about?
Opt-out for individuals would be fine. But if a registrar is processing thousands of registrations per hour, who checks to see whether a domain is registered under the correct category? If you check the whois information for spam sites you will quickly see that in most cases no one is checking anything, and that obviously fake information is being accepted. Even registrars who are seriously trying to avoid spammers still have some domains registered by notorious spam operations slip through despite their best efforts.
As far as registrars being required to be responsive: I notified eNom (via the email address they list with ICANN) of a domain registered with stolen identity information on 10/10/07. Six days later the site was still up, and so I telephoned eNom to explain that I had promised the victim that I would take care of this and I wanted to follow through. The person I spoke with said that they only accepted reports via an online form and that he didn't even know they had any email address for reporting. He assured me that they ignored all email because there was so much spam. When I pointed out that ICANN required a reporting email address, he changed his story and said that they did look at emails but that it would take a long time. He also would not accept any information about the fraud over the phone. (He didn't have to believe me; he just had to call the phone number in the whois information itself.) So I filed the online form. It is now over two weeks later and the site is still up. And eNom is far from the worst registrar. Repeated reports and pleading letters to ICANN about even some of the most egregious offenders get no response except an email from their challenge-response antispam system.
If ICANN won't police anything, and the registrars selling cheap domain names can't afford to police anything at the prices they charge, it is up to the general public to do the best we can to fight criminal activity on the internet. Don't take away one of the few tools we have.
Keep up the good work. I still believe Individuals should be allowed to stay anonymous and believe nominet's Opt Out scheme works very well. They check my domains with me once every two years sending out a form to my home address. I use this to enter the security code onto an online secure form to authenticate my domain. This reduces abuse but nothing can stop it completely. 123-reg have a 24 hour SLA to respond to all email queries and have even been able to resolve conflicts across registrars for me. Perhaps the UK system is better and the WhoIs database should be abolished leaving adequate registrars to manage the system properly! As you say the WhoIs database is invariably incorrect even for the registered businesses.
well, those companies/websites should have a webmaster@ or WORKING abuse@ or similar email address that, if they are unable to monitor it, should go to their ISP or outsourced contractor or whoever runs their site. Again, if you're on 24/7, then it should be your responsibility to be somehow accountable and available the same 24/7.
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Analysis Microsoft's licence riddles give Linux and pals a free ride to virtual domination
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- I KNOW how to SAVE Microsoft. Give Windows 8 away for FREE – analyst
- Special Report How Britain could have invented the iPhone: And how the Quangocracy cocked it up