
Exposing Personal Information in the Whois Database

rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points out that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."
  • by acomj ( 20611 ) on Friday September 12, 2003 @08:17AM (#6941228) Homepage
    I've had a domain for 3 years.. I've gotten 3 pieces of junk mail from it. I was surprised to get it, and thought it more funny than an annoyance.
  • Here in Denmark ... (Score:5, Informative)

    by zonix ( 592337 ) on Friday September 12, 2003 @08:18AM (#6941236) Journal

    Here in Denmark, DK Hostmaster A/S is the administrator for the Danish top level domain. You can have your personal contact details hidden from the public WHOIS database - in accordance with Danish Law on protection of personal data, blah blah blah.

    I would recommend it!

    z
  • by N Monkey ( 313423 ) on Friday September 12, 2003 @08:19AM (#6941249)
    The inventors' home addresses are generally listed which, IMHO, is not something that should be broadcast to the entire world.

  • Re:amen (Score:2, Informative)

    by Anonymous Coward on Friday September 12, 2003 @08:23AM (#6941269)
    Yeah, but the spammers harvest those email addresses.
  • UK WhoIS (Score:5, Informative)

    by ledow ( 319597 ) * on Friday September 12, 2003 @08:23AM (#6941274) Homepage
    The UK WHOIS database (run by Nominet UK) has recently considered this too. Now, private individuals who opt-out can have their personal details removed (obviously Nominet still has access to them). I'm not sure that companies are allowed to do this, it's private individuals only.

    Britain and the EU have always had stronger data protection laws than the rest of the world. This is part of the reason the EU are looking at Microsoft's .NET services as they don't follow EU data laws. To be honest, it's about time the US caught up.
  • by g0hare ( 565322 ) on Friday September 12, 2003 @08:29AM (#6941313)
    You can incorporate for under $500, get a p.o. box and a cheesy voicemail account somewhere. You'll then be prepared to moonlight, which you should be anyway, and you can give out the business info.
  • by Future Man 3000 ( 706329 ) on Friday September 12, 2003 @08:30AM (#6941315) Homepage
    This site [domainsbyproxy.com] has the most enlightened approach, I think. You give them your information, they register the domain for you filling the contact information with their info, and only turn over your information if the law requires it. They'll also forward stuff sent to your contact information to you.

    I imagine for most people who just want to run a regular website without the hassle of spam/telemarketers, this is the way to go.

  • by Arioch of Chaos ( 674116 ) on Friday September 12, 2003 @08:30AM (#6941320) Journal
    The same applies to the Swedish .se. Only my name and the regdate show up for my domain.
  • by Peartree ( 199737 ) <(moc.liamg) (ta) (dnim3ldi)> on Friday September 12, 2003 @08:33AM (#6941334) Homepage
    There's a lot of info here too:
    Arin [arin.net]
    Ripe Ncc [ripe.net]
    Apnic [apnic.net]
    Lacnic [lacnic.net]
  • by berkeleyjunk ( 250251 ) on Friday September 12, 2003 @08:34AM (#6941339)
    If you are concerned about privacy, use a registrar who will anonymize your info in the whois database.
    Is $9 worth it? It's your call. Check this out.

    https://registrar.godaddy.com/dbp.asp?isc=&se=%2B&from%5Fapp=&authGuid=&mscssid=2435121
  • by Chuck Bucket ( 142633 ) on Friday September 12, 2003 @08:34AM (#6941340) Homepage Journal
    I use Domains by Proxy [domainsbyproxy.com] so my info isn't displayed in a WHOIS; theirs is in its place. They keep all my info private and serve as a 'proxy' between me and anyone needing to contact me. They'll email if they need me to do something in regards to my domains; it's so nice not having all of my personal details out there. I buy my domains from GoDaddy, and they've partnered with Domains by Proxy and offer it as an option when you're buying domains. That's how I found out about it, but everyone should check it out.

    CB
  • Re:Spammer source (Score:2, Informative)

    by AchmedHabib ( 696882 ) on Friday September 12, 2003 @08:37AM (#6941362)
    Placing your email address in your whois information will ensure that you get at least 100 penis enlargement mails per day to that account. Which is why all email adr. that I need to publish, like in the whois or on websites, are on mail servers that use just about every rbl list and antispam program available.
  • Re:PO Box (Score:4, Informative)

    by blibbleblobble ( 526872 ) on Friday September 12, 2003 @08:39AM (#6941378)
    If anyone's interested, I wrote to the Information Commissioner (formerly the data protection office) in the UK about this, since our data protection laws forbid sharing information with countries with incompatible data protection laws

    Their response summarised:
    (a) We don't care
    (b) We don't care
    (c) Domain registration is done in america anyway, where they don't have data-protection law
    (d) It's not up to Nominet to inform its customers of their lack of data protection

    I could probably find the actual letter somewhere...

    (Nominet should have got into trouble because (a) they unilaterally changed their terms and conditions, leaving people with a choice of publishing their home address, or losing their domain name, (b) they have monopoly on UK domain names, (c) anybody who's running a business is obliged by business law to publish their address anyway, and (d) any accusation of illegal activity associated with the domain should wait upon a court-order to disclose a person's home address.)

    Information commissioner doesn't seem to think so. Some might wonder what he does do.
  • Re:Junk Mail (Score:2, Informative)

    by JAgostoni ( 685117 ) on Friday September 12, 2003 @08:40AM (#6941386) Homepage Journal
    I should have been more specific. I didn't register it with Register.com. Thanks for the useful comment.
  • by yourruinreverse ( 564043 ) on Friday September 12, 2003 @08:45AM (#6941419)
    ... it is required by law that anyone who publishes even a single web page on the Web (in Germany) enclose an "Impressum", an imprint that notifies visitors whom to contact or hold accountable for the content. I wish this would also be implemented for Whois as a security measure or a basis for trust.

    Anyone who still wants to publish anonymously could still do it abroad, of course, as there will always be registrars who and nations that don't care about trust.

    I mention trust here, because I can trust a company's products (i.e. a shop selling goods) if I know where I can go, or what number I can call: currently too many (some) web shops (at least locally) do not even mention a telephone number I can call to have an order confirmed or more product information detailed. The same holds for web sites that provide information: if the e-mail address is left out, how can I get any confirmation, more detailed information, conversation or feedback going?
  • As it should be (Score:5, Informative)

    by HighOrbit ( 631451 ) on Friday September 12, 2003 @08:46AM (#6941423)
    I'm sorry, but you have *NO* right to an anonymous domain, nor should you because the opportunity for fraud on the internet is too high. Having everything out front at least keeps a modicum of openness and honesty (although admittedly not a lot). Besides, if I remember properly, you can update the e-mail address to be admin@your-new-domain if you don't want spam going to your personal email.

    If you want relative anonymity, get a hotmail or yahoo account.
  • Use GoDaddy (Score:3, Informative)

    by Gudlyf ( 544445 ) <<moc.ketsilaer> <ta> <fyldug>> on Friday September 12, 2003 @08:46AM (#6941426) Homepage Journal
    You could always use GoDaddy [godaddy.com] for domain registrations, which gives you the option of keeping registration info private. Not to mention their prices are a hell of a lot better than going through Verisign.
  • Re:PO Box (Score:2, Informative)

    by Geeky ( 90998 ) on Friday September 12, 2003 @08:57AM (#6941478)
    I'm in the UK, and I have a couple of domain names registered through uk2.net. A whois search reveals my name as registrant, but "UK2 Limited" is listed as the "Registrant's Agent". Hence no personal data.

    UK2 have a pretty clear policy on disclosing personal data: from the page listing their generic response to domain name disputes, I found the following:

    "UNDER THE DATA PROTECTION ACT 1984 WE CANNOT DISCLOSE INFORMATION ABOUT OUR CLIENTS WITHOUT BEING LEGALLY OBLIGED TO DO SO. UK DOMAIN NAMES HAVE NO REGISTRANT ADDRESS LISTED IN THE NOMINET DATABASE AND UK2 LTD APPEARS AS THE ADMIN/TECH/BILLING CONTACT. WE WILL DISCLOSE THE REGISTRANT DETAILS IF A WRIT IS FILED WITH THE HIGH COURT AGAINST THE REGISTRANT ON OUR ADDRESS"

  • by Anonymous Coward on Friday September 12, 2003 @09:57AM (#6941931)
    om were businesses, .org were non-profit orgs and individuals, and .net were ISPs. *sigh* The good old days 10 years ago.

    Sorry, that "ideal" never existed (fortunately). You obviously don't understand the original intentions behind each of the original gTLDS.

    Read the RFC [sunsite.dk]. .net was intended for services necessary to the internet - things like the root servers and internic. .org was "intended as the miscellaneous TLD for organizations that didn't fit anywhere else.", not, as it is so often claimed, for non-profits.

    Where did the myth of the non-profit .org come from? It has no basis in reality, as anyone who had bothered to read the standards would know.
  • by wfberg ( 24378 ) on Friday September 12, 2003 @10:23AM (#6942170)
    Additional coolpoints for DK hostmaster:
    click here [dk.] (it should work without the dot at the end as well, but I don't get that to work often on my windows box).

    AI is the only other TLD I've discovered so far which scores coolpoints for this as well.
  • by JohnQPublic ( 158027 ) on Friday September 12, 2003 @10:52AM (#6942450)
    Just type a US phone number into Google and up comes the name and street address, just like in that local copy of the White Pages. So they might as well be global.
  • Re:How else... (Score:3, Informative)

    by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Friday September 12, 2003 @12:47PM (#6943733) Homepage Journal
    No I get it.. I administrate quite a few domains.

    Yeah.. I get spam on my contact info.. but I get a lot more from people finding my domains and emailing all possible addresses.

    Do I disconnect abuse and postmaster too? Or do I go install spamassassin to catch most of it.

    SpamAssassin works btw... it filters over a hundred junk mails a day leaving only 4 or 5 for me to deal with.

    Works for me correctly and I have both mine and the emails of several customers all set to my email address.
  • by Nethead ( 1563 ) <joe@nethead.com> on Friday September 12, 2003 @01:22PM (#6944104) Homepage Journal
    Read RFC 2050, INTERNET REGISTRY IP ALLOCATION GUIDELINES [faqs.org]. Every IP is required to have contact information available. It's called swipping a block and responsible providers do it. (Swip is Shared WhoIs Project.) At least with ARIN if you want to get or expand your netblock you need to have your swippage in order.

    From RFC 2050:

    2.2 Submission of Reassignment Information

    It is imperative that reassignment information be submitted in a prompt and efficient manner to facilitate database maintenance and ensure database integrity. Therefore, assignment information must be submitted to the regional registry immediately upon making the assignment. The following reasons necessitate transmission of the reassignment information:

    a) to provide operational staff with information on who is using the network number and to provide a contact in case of operational/security problems,

    b) to ensure that a provider has exhausted a majority of its current CIDR allocation, thereby justifying an additional allocation,

    c) to assist in IP allocation studies.
