Privacy Advocates Bemoan the Problems With WHOIS
An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"
The Domain Registry of America (Score:2, Informative)
Soon after one of our clients registers a domain with us, these lovely people will send a very convincing snail-mail to the customer based on their whois data with a payslip attached, saying words to the effect of "Your domain will expire unless you register with us!"
In the UK, the Office of Fair Trading seem to have turned a blind eye to this despite numerous complaints.
-daedalusblond
Re:What legitimate business hides their identity? (Score:3, Informative)
The ability to outsource slander is a problem and not just with Whois. Look at political ads - they carry a tagline that's supposed to say who produced it but they can make up a name like "Save the Children Foundation" as a front for whichever political party they want. Tracking down who says what for whom is hard enough in that arena but outside of politics (in tech, drug, clothing, car or whatever industries) is next to impossible.
We need to be able to see who's saying what more easily, not just when there's a problem.
I definitely agree about contact information though. My whois is private to stop the junk mail and junk email, not to hide my name. Seeing who wrote something or supported the writing of something should be easy for people who want to know. Sending them an advert for your registrar doesn't need to be. Of course if Whois cost money to view, which of those interests do you think would be the ones paying to read?
Re:For verifying a domain exists, for example (Score:3, Informative)
What WHOIS is really good for is getting the registration date of a domain, which is a nice indicator of whether a domain is actually a throwaway spam domain or an established site. It'd be nice if the dates actually came back in a consistent format, but at least it's usually human-readable. IP whois is also nice when you're looking at an ISP that actually bothers to fill out SWIPS records for allocations. I've been going more to BGP4 ASNs to determine ownership of IPs instead, but those only come into play for larger allocations.
RIPE is the only RIR that has its shit together when it comes to WHOIS, everywhere else is a complete mess. I say ICANN drops the requirement for WHOIS to return personal data in public queries, and also mandates a migration to the RIPE formats, which are actually consistent.
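The registration-date check described in the comment above, as an added example that is not part of the original thread: it normalises creation dates from differently formatted WHOIS responses and flags young domains. The label list, the format list, the 30-day threshold and the function names are assumptions, and the sample responses are constructed.

```python
import re
from datetime import datetime, timezone

# Labels registries have used for the creation date (illustrative, not exhaustive).
LABELS = re.compile(
    r"^\s*(creation date|created on|created|registered on|"
    r"domain registration date)\s*:\s*(.+?)\s*$", re.I | re.M)

# strptime patterns tried in order; every result is treated as UTC.
FORMATS = [
    "%Y-%m-%dT%H:%M:%SZ",        # 2007-03-15T04:00:00Z
    "%Y-%m-%d",                  # 2007-03-15
    "%d-%b-%Y",                  # 15-mar-2007
    "%d-%b-%Y %H:%M:%S UTC",     # 15-Mar-2007 04:00:00 UTC
    "%a %b %d %H:%M:%S GMT %Y",  # Thu Mar 15 04:00:00 GMT 2007
    "%Y.%m.%d",                  # 2007.03.15
]

# Constructed sample responses (not real registry output).
SAMPLES = {
    "iso":      "Domain Name: EXAMPLE.COM\nCreation Date: 2007-03-15T04:00:00Z\n",
    "dmy":      "Domain Name: EXAMPLE.NET\n   Creation Date: 15-mar-2007\n",
    "nospace":  "Domain Name: EXAMPLE.ORG\r\nCreated On:15-Mar-2007 04:00:00 UTC\r\n",
    "ctime":    "Domain Registration Date: Thu Mar 15 04:00:00 GMT 2007\n",
    "fresh":    "domain: example.test\ncreated: 2007.06.20\n",
    "redacted": "Domain Name: EXAMPLE.INFO\nCreation Date: REDACTED\n",
}

def creation_date(whois_text):
    """Return the creation date as an aware UTC datetime, or None."""
    for match in LABELS.finditer(whois_text):
        raw = match.group(2)
        for fmt in FORMATS:
            try:
                return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None  # missing or unrecognised: unknown, never assumed to be old

def looks_throwaway(whois_text, now, min_age_days=30):
    """True if the domain is younger than min_age_days or has no usable date."""
    created = creation_date(whois_text)
    return created is None or (now - created).days < min_age_days

if __name__ == "__main__":
    now = datetime(2007, 6, 25, tzinfo=timezone.utc)  # fixed "today" for the demo
    for name, text in SAMPLES.items():
        print(name, creation_date(text), looks_throwaway(text, now))
```

An unparseable or redacted date is reported as suspicious rather than silently skipped, so a registry format change shows up as flagged domains instead of missed ones.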
Businesses are not entitled to "privacy". (Score:3, Informative)
The actual ICANN report [icann.org] shows they're deadlocked, all right. See this timeline. [ncdnhc.org]
Most of the privacy advocates are referring to the European Directive on Privacy. That only applies to individuals not engaged in business. For businesses, the European Electronic Commerce Directive (2000/31/EC) [sitetruth.com] applies. And it's very clear. Any "natural or legal person providing an information society service" must disclose name, real-world address, and E-mail address. No exceptions.
California has a similar law. It's more narrowly drawn, only applying to sites that take credit cards, but it's a criminal law - six months in jail for not disclosing the "actual name and address" of the business.
WHOIS policy should take that into account. There's a legal obligation to disclose name and address information for businesses. It's not optional.
Our SiteTruth [sitetruth.com] system is based on these laws. If a web site is selling or advertising something, and we can't find a business name and address for it, its rating is toast. We scan each site for human-readable postal addresses (some people would call this "semantic web" technology). We check commercial business databases. We check SSL certificates. We look at Open Directory. If we can't find a business name and address after doing all that, the site's rating is a red "do not enter" sign, and we kick them down to the bottom of search results. Once we have a business name and address, we have something to look up in business databases, corporation records, business license records, credit ratings, criminal records, etc. Plenty of data is available about businesses once you have a name and address. No more "on the Internet, no one knows if you're a dog". We know.
We haven't found WHOIS data very useful in doing this. WHOIS data quality is awful. Many entries are phony. Mailing addresses on the web site itself tend to be more accurate. Using a phony business address is felony fraud in most jurisdictions, so that's relatively rare, and mostly shows up on phishing sites. So we cross-check with anti-phishing databases to kick those sites out.
It's quite possible to use this approach to check WHOIS information in bulk. If ICANN actually cared about WHOIS data quality, they'd check the data against postal databases and business databases. They don't.
Re:For verifying a domain exists, for example (Score:3, Informative)
There are cases where e.g. name server changes or domain name transfers result in a loss of name server data in the root servers. The domain still exists, but it is or will quickly be in an unusable state.
So, to reiterate:
DNS shows you whether the domain works.
WHOIS currently shows you whether the domain exists, as well as domain ownership information.
If ICANN wants to get rid of whois for domain names, it needs to replace it with something else.
Functional EPP implementations would do fine for those of us who are registrars, but leave the public with no practical way of yielding ownership information.