back to article Web domain owners paid EasyDNS to cloak their contact info from sight. It was blabbed via public Whois anyway

Domain name registrar EasyDNS has 'fessed up to accidentally leaking cloaked contact details for about 1,500 domain owners in Whois query results for just over 24 hours. Those records – such as names, phone numbers, email addresses, and postal addresses – should have been kept private, and not disclosed in Whois searches, due …

  1. Anonymous Coward
    Anonymous Coward

    Registered private domain owners.

    Domain name registrar EasyDNS has 'fessed up to accidentally leaking cloaked contact details for about 1,500 domain owners in Whois query results for just over 24 hours .. Those details – such as names, phone numbers, email addresses, and postal addresses – should have been kept private, and not disclosed in Whois searches.”

    Actually from the beginning the regulations regarding the registration of domain names required a real name, contact email and phone number be provided. These privacy registrars were devised to get round this and in the process breaking Whois.

    1. diodesign (Written by Reg staff) Silver badge

      Re: tachyonhorse

      Actually that's explained in the article. The affected domain owners paid to have their personal info obscured, but it was revealed anyway. See the linked-to EasyDNS page for more information on domain owner privacy protections.

      C.

    2. katrinab Silver badge

      Re: Registered private domain owners.

      Actually, the GDPR says you can’t do that anymore unless you opt in to having your details disclosed. Some big companies opt in, most don’t.

      1. Snorlax Silver badge

        Re: Registered private domain owners.

        @katrinab:"Actually, the GDPR says you can’t do that anymore unless you opt in to having your details disclosed. Some big companies opt in, most don’t."

        GDPR only protects EU citizens and their data. Someone in the US or Canada for example has no recourse to GDPR.

        Why are registrars still publishing this info anyway? Most of us opt not to have our name/address/phone number in a phone book, yet we're fine with our personally identifiable info being published to a much larger audience online?

        1. Big John Silver badge

          Re: Registered private domain owners.

          > "Why are registrars still publishing this info anyway?"

          Good question.I went wiki on this, and it seems that once upon a time, all WHOIS info was held on a single server run by DARPA. It was set up to allow even wildcard searches! Loose as a goose.

          That was apparently fine when the entire Internet could have met in one building, but now it's at least a million times larger. WHOIS outlived its desirability long ago, but inertia retards reform.

          https://en.wikipedia.org/wiki/WHOIS

        2. Halfmad

          Re: Registered private domain owners.

          GDPR only protects EU citizens and their data. Someone in the US or Canada for example has no recourse to GDPR.

          Incorrect, GDPR is about the data, irrespective of who's data it is.

      2. LDS Silver badge

        Re: Registered private domain owners.

        The Italian registry utterly ignored GDPR and still delivers full WHOIS information - especially for domains registered long ago when there was no opt-in or opt-out. Its main privacy document is still dated 2016...

        1. Snorlax Silver badge

          Re: Registered private domain owners.

          @LDS:"The Italian registry utterly ignored GDPR..."

          In Italy, the legislation to facilitate GDPR apparently only came into effect at the end of September. There's still some legal fannying about to be done to finalise matters...

          Fines issued since May will be subject to certain provisions (i.e. ignored) from what I can make out.

          **alza le spalle**

          1. LDS Silver badge

            Re: Registered private domain owners.

            I contacted my registrar that indicated me a module I had to fill and send them to ask my data to become "private" (no fees) - just, it's opt-out and not opt-in. I've registered my domain 19 years ago - it was still done via fax, and there were no options back then...

  2. Anonymous Coward
    Anonymous Coward

    GDPR users were less exposed

    I had an update from EasyDNS, telling me that they discovered that the redactions they made under GDPR actually blocked some exposure, so that acted as an extra shield.

    They were also able to tell me that the domain had received one query during exposure, and the IP address from where it came from.

    My personal lesson here is that even in so-called private registrations it is better to use a specific alias (say, easydns.external@mydomian) so that I can change it when these things happen. EasyDNS is IMHO one of the better companies out there but mistakes can always happen (and in this case it was a subcontracted service which screwed up, which illustrates what happens when data wanders out of the door..

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR users were less exposed

      > My personal lesson here is that even in so-called private registrations it is better to use a specific alias ..

      The question is, why would someone want to hide the true owner of a Domain Name, especially a commercial entity?

      Unmasking the Mask-Maker: Domain Privacy Services and Contributory Copyright Infringement

      1. Snorlax Silver badge

        Re: GDPR users were less exposed

        @tachyonhorse:"The question is, why would someone want to hide the true owner of a Domain Name, especially a commercial entity?"

        Because they don't want crazy people visiting, or pipe bombs in the mail, or so on...

        A lot of so-called "security analysts" spent months bitching about GDPR, and how it was going to impact on their work (Looking at you Brian Krebs), but the bottom line is that you can get the law involved if you have a legitimate reason to need somebody's registration info.

        Why do you feel the right to know certain information outweighs the other party's right to privacy?

        1. Nick.

          Re: GDPR users were less exposed

          Why do you feel the right to know certain information outweighs the other party's right to privacy?

          Ohhhh, for no particular reason other than that being able to directly contact the "owner" or "admin" of any machine on the network is the infrastructure-level security model of the networking protocol set that the internet is built on...

          If you don't want to run an internet-connected host because you don't want to be readily identifiable and contactable, then this internet is the wrong internet for you. ICANN et al. screwed this all up many years ago when they handed over management of ccTLDs to other jurisdictions without requiring those jurisdictions adhere to such central internet "security protocols" in the first place. If, say, Germany had not liked that because it conflicted with German privacy laws, then .de should not have been able to be put under the control of a German entity, at least until Germany exempted "(certain parts of) participating in the internet" from (certain parts of) Germany's privacy laws, etc, etc.

          1. Snorlax Silver badge
            FAIL

            Re: GDPR users were less exposed

            @Nick."If you don't want to run an internet-connected host because you don't want to be readily identifiable and contactable, then this internet is the wrong internet for you."

            It's 2018 and data protection/privacy is a valid concern. if you don't realise this then this internet is the wrong internet for you.

            "ICANN et al. screwed this all up many years ago when they handed over management of ccTLDs to other jurisdictions without requiring those jurisdictions adhere to such central internet "security protocols" in the first place."

            Tell me more about these central internet "security protocols". Did you make that up yourself just now? ICANN's been fighting a losing battle on the GDPR front - they made zero preparation because they assumed they were too big to fail, and the EU would just cave in to their demands

      2. doublelayer

        Re: GDPR users were less exposed

        I have a website, and I've opted out of having the details in whois. I don't need automated systems collecting my mail address and phone number; if someone really wants to know who owns the site or to contact me, they can fire up their browsers and read the pages or use the contact form. Given that I don't maintain any infrastructure that someone might need to ask me to fix (the original purpose of whois), what benefit does it have for my site?

        In addition, I've never found whois particularly useful in other cases. For example, I had a domain name that I wanted, but someone else had. However, they were not using it for anything. In the whois details, I found that it had been registered twenty years earlier and that the owners were not a domain squatter, so maybe I could convince them to let me have it. But the contact details were the generic ones for the company that owned it. If I contacted them, I'd have ended up talking to people who probably don't know they have the domain name, let alone who I could talk to to ask for it. So what utility does it have for other domain names?

        Finally, it has no use in security, because nobody verifies the data that's entered. If I was running a scam, I could put plausible data in there with no problem because the registrar is not going to verify it, which means that I can't use whois lookups to verify if something is trustworthy or not.

      3. Pascal Monett Silver badge

        @tachyonhorse

        You wouldn't happen to be a copyright lawyer, would you ?

        1. Snorlax Silver badge

          Re: @tachyonhorse

          @Pascal Monett:"You wouldn't happen to be a copyright lawyer, would you ?"

          In the event of a private registration the lawyer writes a letter to the domain registrar, saying "Please advise me of the registration details of xyz.com. If you fail to provide the details, your organisation will become party to the proceedings as I'll assume you own the domain."

  3. Barry Rueger Silver badge

    EasyDNS

    Not highlighted specifically in the story: EasyDNS shut down access, then almost immediately contacted the affected domain owners, including information about any IPs that accessed the data.

    How often does that happen? Usually the company that's been hacked tries to hide it, or releases a vague statement days or weeks later. I can't recall a recent case where a company was this proactive.

    Good guys at EasyDNS.

    1. Anonymous Coward
      Anonymous Coward

      Re: EasyDNS

      Good guys at EasyDNS.

      I switched to them, coming from GoDaddy. I don't think it's possible to find a bigger contrast in quality, support and service on the Net. They just "get" what running a good service is all about.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019