ICANN Punts on WHOIS Privacy Proposal

An anonymous reader writes "The Internet Corporation for Assigned Names and Numbers (ICANN) has essentially put off consideration of a proposal that would have dissolved a requirement that domain name registrars collect and display personal information about people who register Web site names. Privacy activists said the WHOIS database has become a data-mining dream for marketers and spammers, to say nothing of stalkers and harassers. Companies representing some of the world's biggest brand names appear to have prevailed, arguing that any change to the current system would interfere with law enforcement investigations and trademark disputes. In the end, ICANN voted 7-17 to table the issue in favor of further studies on the privacy impact of the WHOIS database."

Punts?

[east coast (590680)]

Isn't this what most jocks call "Third and out"? How fitting.

Isn't it a good thing

[rustalot42684 (1055008)]

to be able to see who controls a domain, so you can contact them if there's an issue? (eg they're typosquatting)

Re:Isn't it a good thing

[ivanmarsh (634711)]

Agreed... I can find out who owns any house/building in the U.S. and I can find out who owns any company because it's a matter of public record.

T.V. and radio stations have to identify themselves... I can't think of any good reason a domain owner shouldn't have to.

Individuals have a right to privacy... companies and organizations do not.

Re:

[vidarh (309115)]

However a large number of domains ARE owned by private individuals, and the whois requirements means you either pony up for "protection" (third party services that put their name and address in whois and forward any requests to you) or leave your personal details available for anyone.

I can't see ANY reason why these details should be required to be public. It ought to be sufficient that the registrar has the details so they can be subpoeaned, and optionally request them to forward requests.

With the curr

Can't see why????

[www.sorehands.com (142825)]

First you don't define what you mean by a large number. You apparently don't understand legal process. You get a subpoena some time AFTER filing a lawsuit, in Federal Court, it is a rule 16 conference. Lets say I am in California and you are in Florida, and your registrar is Godaddy (if your registrar is overseas, they may not even respond). On your blog, you falsely post that I was drunk, crashed into your car, offered you cocaine, and pushed you into a ditch and drove off. I filed suit here in Californi

Re:

[ivanmarsh (634711)]

I'll start worrying about SPAM and unwanted telephone calls just as soon as someone can solve the problem of a pound of unsolicited printed materials being delivered to my home mailbox every week.

Even in a system operated and regulated by the government they can't inact laws that benefit the end-user or the environment.

Don't trust anyone to protect you from electronic marketing outside of your own I.T. guys.

Re:

[rs79 (71822)]

Spam is the least of your worries. I know women who were stalked from their info in whois back in the old days when people were honest and put real information there.

Re:

[poetmatt (793785)]

Any reasons?

See above to the post above your own. How else can you email for abuse, etc if there is no email address? Lots of bogus sites are forced to register an email address for whois but don't have an email on their website anywhere. Face it, people can make it tougher and tougher to reach someone but if you can't find aways to contact someone at all that can be real problems (such as when people use like a shadow corporation for all their addresses - Kazaa style anyone? Beyond incompetence of investig

Re:

[Antique Geekmeister (740220)]

Because third-party domains are so very often abused and abusive. Domain squatting, slightly misnamed names for fraudulent bank sites, and spammer-hosting ISP's all need to be trackable back to whoever signed the checks for them.

Re:

[sm62704 (957197)]

The trouble is, you can't own a domain. If I owned my domain [mcgrew.info] I wouldn't have to pay registration fees to a registrar; I would register it once and it would be mine, to pass to my heirs forever, like the aformentioned house. But the reality is I forgot to renew it one year and paid hell getting it back!

That is my domain (not the only one I posess, either), why can't I have the right to privacy? I'm no business or corporation, just some average schmuck with a website. Personally, I don't believe corporations

Re:

[Billosaur (927319)]

Yes it is, but privacy pundits would have you believe we need to live behind brick walls coated with tin foil. Look, this information can be vital for tracking down the owners of web sites or at least providing a starting place when someone is trying to contact a web site owner and cannot reach them through other channels. If they are truly worried about the fact that scammers and spammers are going to rake the WHOIS database for suckers, then charge $5 for a look-up. No spammer is going to lay out 5 millio

Re:Isn't it a good thing

[by Anonymous Coward]

I can have a privately listed phone number, why can't I have a privately listed domain? I can speak anonymously by publishing pamphlets, why can't I speak anonymously by publishing to the internet? More importantly, why is your need to 'track down the owners' more important than the owners' privacy?

Try running a non-profit from your home to offer mental health support. Death threats on the internet may be a dime a dozen, but when it comes to mental health issues... well, some of those threats are more genuine than others. Do you think $5 is going to keep someone from calling me on the phone 50 times a day or coming to my house and stalking me?

The registrar has a business relationship with me and needs to know who I am. You don't. If you need to contact me, I have an email and mail forwarding set up with my registrar.

Re:

[rizzo420 (136707)]

comparing your phone number to your domain is apples and oranges. a better comparison would be your email address, which can still be private (use a separate one to register the domain, have a personal one that you don't post anywhere public). i don't know about your phone company, but any phone company i've been in business with (at least landlines), you have to pay to keep your phone number unlisted.

you can be private on the internet, there are tons of free services that allow you to post your anonymous

Re:

[Jherek Carnelian (831679)]

i don't know about your phone company, but any phone company i've been in business with (at least landlines), you have to pay to keep your phone number unlisted.

Not true. You can have your number listed under the name of anyone at that residence, including your imaginary friend Paco or your cat Larry. For the last two decades I have listed my phone numbers in about 10 different states under a false name with absolutely zero hassle or cost. Billing is still in my name, but the listing is not.

Re:

[Like2Byte (542992)]

No spammer is going to lay out 5 million dollars to scrape up a million email addresses.

They will if they're using someone else's credit card illegally. Most of us /.'rs believe that spammers are not of the highest moral calibre - I'm sure that a little identity theft isn't going to deter their activities for long while we spammees incur the cost of their activities.

Re:

[Jeff DeMaagd (2015)]

Can't typo squaters hide behind existing means of obfuscation anyway? So they can register as a Cayman Islands business and be anyone for all we know. They have a bigger interest in hiding themselves and are more likely to do so anyway.

Re:

[sm62704 (957197)]

Only if they want to. Say, for instance you want to open a porn site [porn.com] (NSFW!!!!). That can cause problems with a certain demographic, e.g., radical Christians.

Or say you wanted to open an online King James Bible with no advertising [holy-bible.us]. That can cause problems with a certain demographic, e.g., slashdotters. Whois isn't going to tell you who owns the Bible site; the tome itself says to do your alms in secret. You are going to unmask the fellow who's paying to put the Bible online?

Oh right, this is slashdot. Holy

Would have saved a fee

[by Anonymous Coward]

Well, that would have saved me the annual $9 that I spend for the anonymous option with my registrar.

WHOIS useful

[blhack (921171)]

Whois is (can be) a great resource for tracking down the admin of a network (which is what it was INTENDED for). When i see a machine trying to guess default password to my FTP and its obviously a bot, whois makes it really easy to determine if it is some kid sitting on a cable modem, or if its a real domain. It its a real life domain, then it makes things much easier, there is a phone number i can call and complain to (UN-BOT YOUR FREAKING MACHINES!).

Also, when i look through apache2/access_log I can see who is looking at my cartoons :)....lots and lots of addresses that end in .asu.edu means that somebody broke the first rule of fightclub.

Basically my point is, if your hosting some website to show the world pictures of your cat, then use a private WHOIS registration service, if you're an actual company, with a big honkin' domain, then people grabbing information from whois probably isn't MUCH of a concern to you.

This just sounds like a bunch of people with a solution who are looking for a problem to me.

I'd Like To See More Privacy

[KermodeBear (738243)]

I would like to see more privacy involved in the WHOIS database. I've been the target of not only marketing garbage, but also some threatening letters. That isn't fun at all.

Luckily, some companies will 'obsfucate' the WHOIS information to an extent, by offering a contact address to the company that will forward mail to you. You still get the mail, it just gets shuffled around a bit so that the sender doesn't see your real address. They do the same with email addresses, setting up a forward account. All of

Treat the abuse, not the means

[Sloppy (14984)]

It can be very useful and in some cases it is necessary for legal process. It is just too easy to abuse in many cases. I'm not sure what a good solution would be, though.

Focus on the abusive actions themselves, instead of just asking how they did it. Spam sucks regardless of whois, and needs to be dealt with somehow. Assholes threaten, and they're still going to be assholes without whois. Obscurity of the address does help, but at the same time, it's not a serious solution to the overall problem.

If y

Re:

[rs79 (71822)]

"I've been the target of not only marketing garbage "

Me too. I used to use silly names like "the masonic order of the mango" for names like mango.net way back when. That name/address existed only in whois. Almost immediatley I got marketing snail mail spam from IBM, HP, Cisco and the likes. This was about a decade ago.

Every now and then I get another.

What privacy?

[superwiz (655733)]

You get a domain... As in something that allows the world to see you. But you want the world not to see who you are? This is not even part of an anonymity debate. You have to pay to be seen. Why would you not want it to be seen who you are then?

Re:

[vidarh (309115)]

Hey, you're posting on Slashdot, so obviously you want to be seen. Why aren't you posting your real name, your home address, your phone number and your e-mail address?

Why would you not want it to be seen you you are, since you're posting in public?

Re:

[superwiz (655733)]

Having an anonymous discussion is not the same thing as having what essentially amounts to a store front... No, I don't mean that every website is commercial, but a domain is just differnt... I can't quite put my finger on it. I guess, the view is that a domain is more like a door sign naming an organization and an internet discussion board is more like a conversation one has with strangers standing on a corner. And it just seems odd to put a sign on your door saying that there is such and such behind thi

Re:

[Billosaur (927319)]

Although you could use the unlisted number analogy to argue the reverse. I pay for a phone, so that people can get in touch with me, but I don't want just anyone to be able to contact me, so I pay extra to have it unlisted. It goes back to what I said in a another post -- if you're worried about this, then charge for WHOIS lookups. As soon as it isn't worth someone's while to fork over millions of dollars just to look up some email addresses, the scammer and spammers will find other ways and leave the WHOIS

Re:

[Rary (566291)]

"As in something that allows the world to see you."

No. As in something that allows the world to see a document that I created which may not actually be about me in any way. Why does the world need to know my home address and home phone number simply because I posted this document online? You, too, have posted online. I can't help but notice that you didn't include your full real name, home address, email address, and telephone number in your post.

Nominet let you opt out

[tttonyyy (726776)]

UK's Nominet (responsible for *.uk) let you opt-out of displaying contact details for domains. Why not other TLDs?

Re:

[tttonyyy (726776)]

Just had a quick dig - Nominet's opt-out policy:

Only domain name holders that are non-trading individuals can opt-out of having their address details published. In other words, if you do not use or plan to use your domain name for business, trade or professional transactions you will be entitled to opt-out of having your address displayed.

There are also WHOIS query limits to help reduce data mining.

Registrar contracts MUST BE enforced for whois

[www.sorehands.com (142825)]

To correctly do whois, there must be some changes to the Whois to work.

For those people who use Fake information, they need to lose their domain names. 3.7.7.2 states that a registrar may cancel a registration when there is intentionally false information given. This is rarely enforced. (see http://www.icann.org/correspondence/touton-letter-to-beckwith-03sep02.htm [icann.org]). In fact, I was told by a person at ICANN (I shall allow her to remain nameless, for now -- but for those who were at the IP meeting on Tuesday, she was sitting next to me) that there is no provision for punishing a registrar, except by terminating them and ICANN does not want to terminate registrars because all of them do not have a good data escrow in place. (think registerfly). I believe this is incorrect. I believe that suspending a registrar's ability to prevent NEW registrations by a registrar would be within the ability of the contract and not harm any domain registrant.

Many registrars give 15 days (the period for mistakenly false information, ie. typo, aged, etc.). What needs to be done is to suspend the domain name, for intentionally false false information, for this 15 day period. And then when they provide updated information, this updated information MUST be proven to be correct (ie. don't change 123 Yellow brick Road to 123 Main Street, Oz, Kansas.) and allow the registrar to charge a reasonable administrative fee.

By allowing registrars to ignore invalid whois and complaints regarding such leads to the argument that since the all data is not correct, that the Whois should be scrapped.

Re:

[damn_registrars (1103043)]

that there is no provision for punishing a registrar, except by terminating them and ICANN does not want to terminate registrars because all of them do not have a good data escrow in place. (think registerfly).

I believe I have seen temporary termination happen before, where a certain registrar who claims to be in New Zealand (yet has a phone number and IP address in Colorado) lost their accreditation for some period of time. They have since become an accredited registrar again. I don't know what all brought that to happen, but I like to think I had something to do with it when I showed that they were intentionally obfuscating registration data for a known criminal who loved their services.

a registrar may cancel a registration when there is intentionally false information given.

Of course, thi

A few ways to show information is false.

[www.sorehands.com (142825)]

One, the phone numbers 555-555-5555 or 111-111-1111 and that ilk. Two, a corporation name that is not listed in that state's corporate database (where that is available online). Three, the registrar does have the billing information on the credit card that may not match. Four, Mapquest for invalid addresses, ie. 725 Border St, E. Boston, MA 02128 (street number does not exist, or state name not in that city). And the USPS.gov site for zipcodes being wrong.

Re:

[www.sorehands.com (142825)]

This is after, they wait 2 weeks. What would be even better, is to put their real information -- from the billing (if not a stolen credit card) and have the domain name suspended.

The best ICANN news I've heard in a while

[damn_registrars (1103043)]

I'm all in favor of leaving WHOIS alone for the time. As I've said before, the WHOIS records are very useful when dealing with people who use domain names for nefarious purposes. A large portion of the domains that sell discount v!@gra and pirated s0ftwar3 are sold to a small number of big-name crooks (Leo Kuvayev and company). If we leave the WHOIS data open we can at least find out who they are in cahoots with. This is a good thing, because it can lead to taking action against the registrars and ISPs

Re:

[Animats (122034)]

Agreed. "If you want a domain so you can sell something, you should be willing to let the world know who you really are." says it all.

Anonymous registration for individuals could be allowed in ".name", to satisfy the need for individual privacy. If you need to publish political rants anonymously, register, say, "china-dissident-99.name" But you can't pretend to be a business in ".name".

Re:

[damn_registrars (1103043)]

Anonymous registration for individuals could be allowed in ".name"

I don't think I would advise sorting by TLD. I recall at one point seeing an obscene deluge of spam for domains that were in .info. And of course each TLD can have its own criteria for who can sell domains in it, which of course would further muck the waters.

Exactly how to discern between for-profit and non-profit domains so that the WHOIS data could be fairly released would be tricky to say the least. But I do believe it would be the most fair compromise for the situation.

Perhaps we need some

Just remove email addresses

[crow (16139)]

There's not a big abuse problem with addresses and phone numbers in whois, but there is a big problem with the email addresses. Simply removing the email addresses would be a huge benefit.

Re:

[sherriw (794536)]

Don't speak too soon. I get a phone call every few months regarding my domain. Granted that's not a lot, but it's disconcerting that these people are calling me from my whois info.

Also, there are many people using a website to try and get a small business off the ground. These often start off in someone's home. Not all of us want people knowing that our business is home-based. There are privacy issues for all the info on the WHOIS list. We don't even have such a PUBLIC and easily searchable listing for guns

Re:

[Antique Geekmeister (740220)]

I do it regularly with spammers' and scammers' and virus senders' hosting domains. Actually getting a human on the phone, rather than sending a complaint to the bitbucket that is "abuse@domain.com" is much more effective in getting the abuse stopped.

Privacy

[styryx (952942)]

If people didn't want privacy, they wouldn't own curtains.

If companies wanted privacy, they wouldn't advertise.
(And don't talk to me about 'corporate secrets' that is a different argument.)

"All sweeping generalisations are false, including this one."

Less domain privacy, not more

[Nkwe (604125)]

Personally I would like to see less privacy on domain registrations, not more. I would like to see the elimination of "private" registrations and masking services. I feel that someone should be responsible for each domain. If you want to be anonymous, make a deal with someone who has a domain and is willing to maintain your anonymity.

I would like to require that annually the registrar 1) sends an email to the registered contacts, and 2) sends a postal letter to the registered mailing addresses, and 3) pl

Re:

[sherriw (794536)]

That doesn't make any sense. Why force people to be revealed in the WHOIS listings just because they own a domain? This isn't like owning a firearm. There isn't a publicly viewable list matching vehicle license plates to owners is there? I'm not force to put my name, phone and email on my house am I? Even for purposes of a phone number I can opt to be unlisted.

Time for an OPEN solution to WHOIS privacy

[Old.UNIX.Nut (306040)]

ICANN acted to protect the financial interests of those companies who charge us extra for PRIVACY. If privacy is a problem, then why are we able to buy it, but not get it for free?

What we need is an OPEN solution, where for a single low administrative cost fee I can have my WHOIS data private for all of my domains - not the per domain fees being charged by for-profit companies now.

Someone like the EFF should step forward and provide us the solution ICANN will not.

Re:

[Antique Geekmeister (740220)]

Oh, my. You've clearly not followed the history of the EFF. Their ability to do real work, versus their ability to sell their name for corporate sponsors, depends greatly on who is in charge. (I remember when Mr. Berman ran the place: that was nasty.)

But this isn't a clear-cut issue for them. The privacy of domain holders, versus the ability to track abusers back to someone actually responsible for the registration, is a clear policy argument that does not involve the sort of clearly cruel and abusive that

It works both ways...

[KC7GR (473279)]

While it is true that there is a potential for "private" information (name, address, etc.) to be publicly visible to spammers and marketers, it works the other way as well. If someone spams me, or someone else on my network, AND it's not a bot-net source, I find whois to be invaluable in terms of finding out where the stuff came from. If it's a mainstream company, they get a phone call (using the number in their whois record) and an earful about it, in that order.

As others have pointed out, this sounds like a lot of kerfuffle over nothing. If you're truly worried about privacy in your domain records, there are already a couple of options.

--Get a PO box, as I did, and use it for your registration address. ICANN regs don't prohibit it, and it's useful for stuff beyond domain registration.

--Use a whois-anonymizing registrar for your domain. ICANN doesn't prohibit this either, just as long as there is some way for said registrar to forward messages from the outside world to you.

Leave whois alone. It's too useful a tool. The fact that some few abuse it should not be cause to eliminate it (after all, to use an analogy, people abuse telephones all the time -- junk calls, junk FAXes -- and we still have them).

Keep the peace(es).

We're focused on the wrong people

[Tarlus (1000874)]

I guess it's fine that ICANN doesn't really care about protecting potentially private information. Where the focus should really be pointed is toward domain registrars.

When you register a domain, you give them your address so they can charge you their yearly fee. Which is acceptable.
However, what always struck me as unacceptable is that they take your address and slap it directly in to the WHOIS database without telling you or informing you that this is being done. I've been shocked and also appalled a numb

What a disappointing Slashtdot discussion...

[Decius6i5 (650884)]

This discussion is heavily slanted toward the pro-regulation crowd. The moderators seem to be modding up posts based on the position they take in the debate rather than the value of the points they are making. I would think that a community for geeks would have a better understanding of this issue, and would have more people who are sympathetic to the interests of private individuals who have domain names for non-commercial reasons.

There are a large number of straw men that are raised constantly by supporters of whois accuracy regulation. Not one holds up to objective analysis.

1. No one is talking about getting rid of Whois. Whois was originally voluntary. You could publish as much or as little information as you wanted in it. Later, it was changed to make publication of names, addresses, and telephone numbers mandatory. If this vote was successful it would become voluntary again. This is not the same thing as taking down the service.

2. Criminals and spammers are not going to publish accurate information in whois. There is no way to force the data to be accurate regardless of what the regulations are. So the regulations mostly impact well meaning, honest people, not criminal groups.

3. Businesses want you to know how to contact them. No legitimate business is going to keep it's whois information private. The regulations do not effect businesses or organizations, who would publish contact information regardless of whether or not they were required to, they effect individual, non-commercial domain holders.

4. You do not need DNS Whois to resolve technical, security, or legal issues with a domain. Its convenient, but if the data is wrong or not present, you can contact the ISP that is responsible for the IP address the computer in question is using. DNS Whois is never necessary. Most kinds of Internet crimes can be committed without a domain name, and so DNS whois is obviously not sufficient to investigate those cases. How does the RIAA prosecute P2P users, who are publishing on the Internet without a domain name? The argument that its ok to have an anonymous sub domain but its not ok to have an anonymous primary domain also does not make sense. If you have a problem with an anonymous primary domain you can contact the ISP responsible for the IP address the computer in question is using, just as you are forced to do if there is no domain name being used.

5. Yes, proxy services are available, but they are expensive, and this expense ought to serve some sort of legitimate purpose. If the purpose of this regulation isn't fighting spammers or criminals or making sure businesses disclose their locations, than what is it and are we willing to spend $9 per domain to serve it?

6. Individuals who use the Internet for noncommercial reasons are not interested in eating cake. We don't want dymanic dns records hosted on a sub-domain. We don't want to use hosting services. We want domains, and we've been able to use domains for non commercial purposes without publishing personal contact information for most of the history of the Internet! The response "if you don't like it use XYZ" is not acceptable. The people who advocate that people be required to publish their personal information in the whois database must defend the need for and value of that regulation, and not simply offer that those who disagree go somewhere else!

The bottom line is that supporters of these rules are motivated by misinformation, private interests, or outright authoritarianism.

The misinformed are those who like doing whois lookups on domains and assume that this information should always be required to be there in a form they expect simply because it is often there and often useful. This is a bit like assuming that personal homepages should have a terms of service agreement and a "contact us" page because lots of sites do and they like to use them.

The private interests are those like the RIAA and other IP interests, who wish to ensure that honest, well meaning private individuals who use d

Re:

[4solarisinfo (941037)]

"Further study" probably means "Legal liability disucssion"

Re:

[rs79 (71822)]

As if.

"Just what kind of further study to they need to do to figure out the privacy concerns?"

They get paid to study and can't be judged right or wrong. They love to study things. To death. Not that it does any damn good.

Remember when they took $50K for ".biz" and the 50K was for "studying the proposal" by their legal staff to which they said "ok your plan looks sound" then almost instantly a judge said it was an illegal lottery and shut it down [news.com]?

I am suing Moniker for WHOIS Privacy

[www.sorehands.com (142825)]

I sued Moniker for providing WHOIS privacy for e360 and Linhardt (http://www.barbieslapp.com/spam/e360/timeline.htm) along with e360 and Linhardt for illegal spamming.

Not only does this hide the information on the spammer, it also prevents you from determining if the 1000s of domains are one spammer to 1000 different spammers. That can be avoid by saying, Moniker Privacy Services, Client 12. Where 12 is some form of account number that says that may not relate to the actual system account number, but enable