Privacy The Internet

Exposing Personal Information in the Whois Database 323

rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points out that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."
  • Spammer source (Score:4, Interesting)

    by alecbrown ( 66952 ) * on Friday September 12, 2003 @08:11AM (#6941188) Homepage
    I certainly got spammed on the email address I registered for it.
  • PO Box (Score:3, Interesting)

    by intermodal ( 534361 ) on Friday September 12, 2003 @08:13AM (#6941196) Homepage Journal
    That, my friends, is why I have a PO Box and why I don't volunteer my real phone number.
  • A long time coming. (Score:5, Interesting)

    by Tinfoil ( 109794 ) on Friday September 12, 2003 @08:15AM (#6941208) Homepage Journal
    While I normally don't like Berman whatsoever, this is a good thing. I have long disliked the practice of putting personally identifiable info in the WHOIS database.

    I just hope they don't dumb it down so much where one can't get email addresses for those controlling the domain for reporting purposes.
  • RFC-ignorant (Score:1, Interesting)

    by Anonymous Coward on Friday September 12, 2003 @08:16AM (#6941216)
    So, if a domain is misbehaving, where else should we send complaints other than the info which is available from the whois database? I think the whois.rfc-ignorant.org [rfc-ignorant.org] database is going to grow a bit...
  • by Anonymous Coward on Friday September 12, 2003 @08:17AM (#6941226)
    I get numerous spam from people(?) who have obviously trawled the whois database. Even though there is a strong warning in the whois database against abusing it, how does one report it, or is it just an empty threat?
  • Re:knock knock? (Score:2, Interesting)

    by Future Man 3000 ( 706329 ) on Friday September 12, 2003 @08:22AM (#6941264) Homepage
    Maybe the rules shouldn't be relaxed for people leasing bandwidth... if you could always get at the ISP that's upstream from the attacking computer, it's likely your situation could be resolved while allowing others who want to host their family's webpage (or whatever) without releasing their address and home phone number into the general pool of IT telemarketing customers to do so.

    Obviously a good solution will weigh the need for contact with the likelihood and degree of abuse of said contact information by others.

  • Fake information (Score:3, Interesting)

    by Anonymous Coward on Friday September 12, 2003 @08:26AM (#6941288)
    I carefully misspelled all the information, plausible deniability baby. Two years and no one the wiser.

    T.
  • by knghtrider ( 685985 ) on Friday September 12, 2003 @08:27AM (#6941293)

    Even exposing contact information for a business is questionable. If you're working on penetrating a company, then this is a stop on the highway. But, without that information, then (as one poster stated) the FBI would have to get us the information we need to prosecute spammers or etc.

    I don't know what the answer is either; I don't think it's simple either. This may be one (of many) invasions of our privacy we have to deal with. Banks, Mortgage Companies, Credit Cards--these all sell our information to other companies. It's sad, but this is big business, and it makes money. Utilities provide information to Local, State, and Federal Agencies all of the time; and are required to by law.

    Our information is not private anymore, and hasn't been for a long time. Everyone has their hand out for it.

  • by xtermz ( 234073 ) on Friday September 12, 2003 @08:27AM (#6941296) Homepage Journal
    ...But I think contact info should be required to register for a domain, and I think there should be some sort of authentication mechanism.

    How else can we hold scammers and spammers accountable if they make it super hard to track them down? The majority of those "online pharmacies" have bogus WHOIS info and probably take good people's money.

    Bogus WHOIS info sucks, plain and simple.
  • by SmackCrackandPot ( 641205 ) on Friday September 12, 2003 @08:27AM (#6941298)
    This is a major concern to me. I've spent some time at home writing an application that I'd consider distributing as freeware/shareware. Setting up the PayPal/P.O. Box number payment system is no problem, but as every application nearly always has a website, registering a domain name introduces some hassle, not least of all, distributing my name/home phone number/address.

    From reading previous Slashdot articles, being able to see the domain name/IP address of owners and customers has been extremely useful in detecting all sorts of shenanigans with hyping up new products.

    However, for someone trying to augment their basic salary through shareware software, this is a disadvantage.

    With broadband internet via cable/satellite/telco, I have a permanent Internet connection, but the companies respect my right for privacy. Surely the same could be done for domains registered by home residences?
  • by snowtigger ( 204757 ) on Friday September 12, 2003 @08:27AM (#6941300) Homepage
    I don't really worry about having my personal information in the whois database. As most other individuals, I'm in the phonebook too, which can be accessed from the web nowadays.

    Having registered a few domain names, I receive a lot of spam telling me how to register new domains, renew when the old are about to expire and so on. I'm sure the registrars make a lot of money on this, which surely makes them want to continue.

    My personal information is also included in the IP whois database. This database contains info on what ISP uses which IP numbers, etc. - see www.arin.net for more info.

    The interesting thing is that I have not received a single spam to the specific email address I supplied. So right now, I see it more like an economic problem than a privacy problem.
    ---
    If you're not living on the edge, you're taking up space in the middle
  • by AKnightCowboy ( 608632 ) on Friday September 12, 2003 @08:29AM (#6941307)
    Any domain setups that I've done allow you free rein to type in anything you like. I think most people don't realize that

    Or they do and realize an enemy could use that to his advantage to snatch away your domain. Providing false information is reason to lose your domain... or at least used to be in the carefree days when .edu domains were actually educational institutions, .com were businesses, .org were non-profit orgs and individuals, and .net were ISPs. *sigh* The good old days 10 years ago.

  • by Pelakh ( 579592 ) on Friday September 12, 2003 @08:43AM (#6941406)
    I built a site for a city commission candidate a couple of years ago, and the info on the domain registration was mine - I built the site for free, as a form of campaign contribution. An unwanted side effect of this was late night phone calls to my home number from the supporters of the opposition questioning items posted on the site. I guess next time 'Sudy Nim' will be registering for a domain ...
  • by ojQj ( 657924 ) on Friday September 12, 2003 @08:44AM (#6941411)
    I ordered and paid 100 euros for something over ebay.de which never arrived. E-mails to this idiot didn't help. Fortunately, the e-mail address had a domain adwelt.de. Whois gave me the info I needed to call this guy (Norman Potzsch) and threaten him verbally with reporting him to the police. After that I got the money back. Probably he wasn't a real scammer, just criminally disorganized.

    (And don't tell me that his bank information would have been enough to get his contact information. The Sparkasse would never have given it to me. And no I don't buy things through e-bay any more.)

  • A Few Solutions (Score:5, Interesting)

    by bmj ( 230572 ) on Friday September 12, 2003 @08:46AM (#6941428) Homepage

    One is using Dotster [dotster.com]. They obfuscate your email address, so you won't be spammed so easily, but they can still contact you. A friend of mine nearly lost his domain because he used a fake email address with Network Solutions and he never got the "your domain is expiring" email.

    The other is finding a trustworthy ISP/hosting provider who will manage your domain for you. I've been using HostSector [hostsector.com] and it's worked well, plus it's less expensive than buying the domain outright. I'd have to jump through some hoops to purchase the domain from them, but I can do it, and I believe their contract specifies that I can purchase it at any time.

  • While they have some valid points, often it's taken way too far. So I'll add more fuel to this:
    Go check out ARIN. If you have a static IP address+competent (read not RFC-ignorant) ISP, your SWIP record contains your personal information too. That's how it's supposed to work.

    That's right, the whole Internet is out to identify you.
  • Remembering @home (Score:4, Interesting)

    by zakezuke ( 229119 ) on Friday September 12, 2003 @09:10AM (#6941580)
    I had a friend who worked in network operations for @home, back when it actually was making money. In their whois record they had the direct line to network operations, which made a fair amount of sense, as domain related issues should be directed to network operations. Problem is the fact that he always got calls from jarheads of the "report every ping detected as a hacker attack" sort, but not necessarily even from their domain.

    It really is a double edged sword, on the one hand a good reason to have this contact information there in the first place is in the event something needs to be reported like virus/worm infection, system down, open proxy, that sorta thing. On the other hand, there are those who don't respect the fact that info is there for a good reason and it's not for trivial issues or spam.

  • Re:Spammer source (Score:3, Interesting)

    by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Friday September 12, 2003 @09:23AM (#6941689) Homepage Journal
    I've seen it happen with snail mail. A client of mine showed me a "bill" from the domain registry of Canada demanding she renew her domain with them.

    Thankfully she asked me first before paying it and was quite relieved to know it was a scam.
  • by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Friday September 12, 2003 @09:30AM (#6941731) Homepage Journal
    You're right, they don't, and the result can be downright hilarious.

    Two years ago after the whole WTC thing some idiot had a pro terrorist website he was spamming on ICQ from his university's computer lab.. imagine my surprise when I discovered it was his real name and address in his info...

    He was surprised too when he got busted and the University called the police. When he brought the website back up a year later all of his info was set to garbage. Guess he didn't know we could all read that.
  • UK Solution (Score:5, Interesting)

    by hattig ( 47930 ) on Friday September 12, 2003 @09:31AM (#6941736) Journal
    Basically Nominet has types of registrations, one of which is IND (for INDIVIDUAL).

    Individuals can opt-out of having their whois information displayed in a whois query by asking their registrar to opt them out (a couple of minute administrative task).

    This appears to me to be a simple and logical answer to the entire problem.
  • Bullshit. (Score:5, Interesting)

    by Pig Hogger ( 10379 ) <(moc.liamg) (ta) (reggoh.gip)> on Friday September 12, 2003 @09:34AM (#6941752) Journal
    Whenever you have an internet presence through a domain, you have a public presence. And there is no reason why there should be no traceability towards your domain.

    Right now, there are thousands of spamming scum who post bogus information in their domain registration in order to foil the wrath of spamfighters.

  • Re:How else... (Score:4, Interesting)

    by fenix down ( 206580 ) on Friday September 12, 2003 @10:14AM (#6942092)
    The phonebook is local. WHOIS releases the same information no matter where you are, and no matter where the person looking you up is. If it's illegal to collect some kind of information in Taiwan, the Taiwan phone books won't collect that, and there's no problem.
  • Re:As it should be (Score:4, Interesting)

    by DroopyStonx ( 683090 ) on Friday September 12, 2003 @10:28AM (#6942213)
    Not sure what you're talking about. *I* have the right to a private domain as does anyone else.

    I don't use it for business purposes, which would be a different story. It's my own personal site on my server on my T1. I have every right to hide my private information!

    I've had fake information (invalid address, phone, name, etc) and a yahoo account as my email for the past 3 years.

    "How can someone contact you then," you ask? Well, that's the point. No one needs to contact me. They can do so via my yahoo account.

    Maybe I'm missing something, but I don't see a single thing wrong w/ that.
