Privacy Advocates Bemoan the Problems With WHOIS

An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"

Whois is useful?

[morgan_greywolf]

For what? These days, everybody is registering private domains through people like DomainsByProxy. Whois is becoming more and more useless. Might as well chuck it.

Even "Heroes" agrees

[Kelson]

In one episode last season, Ando showed up at Niki's house, having been able to find her because she listed her home address on the WHOIS record for her website.

(The unspoken moral: use a PO Box, or some guy from halfway around the world will drop in on you unexpectedly.)

Re:Whois is useful?

[mwvdlee]

And what kind of method is DomainsByProxy using to check domain name availability?

WHOIS isn't needed today for domain names

[Anonymous Coward]

The main problem is that ICANN wants to use whois for a different purpose than the original one. Originally whois was used for providing techincal and administrative contacts for networks, which back then more or less mapped to 2nd or 3rd level domain names. These days the owners of domain names are mostly individuals who do not manage the networks that serve their domains and would be pretty useless to contact using this method. Nowadays, you would look at the ARIN data to see who is responsible for the network.
What ICANN wants to provide is an easy method for the Lawyers of corporations to go harassing people that hold domain names their companies want to use.

for plenty of us

[CarpetShark]

Speak for yourself. I use whois every day. It's invaluable.

Re:I'd Rather it Be Accurate than Abolished

[Anonymous Coward]

I would rather get rid of it altogether. My privacy is more important than your inconvenience.

For seven years, I administrated a support site for people with mental illnesses. A small minority of these people were very difficult to deal with and were not averse to making threats, accusations, and generally transferring all their difficult feelings onto the most convenient 'authority' figure available. Needless to say, I would not want such people having my telephone number or address.

I'm reachable through email. I've paid to be reachable through a (snail) mail forwarder. That should be enough for anyone.

Re:stalker "found" me thanks to WHOIS

[LiquidCoooled]

Wouldn't it be more likely that the stalker got your address from his girlfriend?
Afterall you just said she came to your house to check out the computer.

Re:stalker "found" me thanks to WHOIS

[InitZero]

> if you think i'll ever give out my information to my actual home or office location

        Don't confuse privacy (or safety) with anonymity.

        Just because you don't give out your address doesn't mean you're safe. A false sense of security is often worse than a real sense of caution or even fear.

        What's the goofy slogan bantered around Slashdot so often? Security through obscurity and all...

        Matt

I own several domains, and agree completely.

[sherriw]

I own a number of domains and I completely agree that the WHOIS system needs a major overhaul. For one or two domains I actually purchase extra whois privacy from GoDaddy, but for the most part this is just added cost for me to patch a broken system. Why can't I pick and choose what info to show?

On top of it, if I own a .ca domain, I'm forced to use my real name not my company name and my .ca registrar does not offer domain privacy on .ca domains.

I get a ton of spam to the email address I use for my domains, so this address has it's anti-spam set WAY up. I even get occasional phone calls about my domains- usually scams, but recently it was a good thing because I sold one of my domains for $5K (though why the person couldn't just use the contact info on the actual website is beyond me).

But, basically I think you should be able to opt for privacy at no cost. Seems like a no-brainer to have a privacy flag as part of the database. Or maybe provide a url of a contact page where you can determine what to show or just provide a contact form box.

Fix it or flush it

[Opportunist]

What is it useful for? To contact a domain owner and inform him about abuse or fraud, or identify someone who is using a domain for criminal activity. So far the theory.

In practice, you can rest assured that not a single domain used for things like ID theft has ever been registered to a real name. Earlier, they registered with registrars who didn't check information (so you had funny entries like some guy whose information was already grabbed in an earlier phish registering a domain for a server in Malaysia), and when registrars felt the pressure, they simply use registrars now that allow you to put their name in instead. Complaining with those registrars results in a "we're looking into it" until the domain is no longer used by the ID thief, so the problem solves itself.

So either require people to put in truthful information and remove registrars that don't comply, or get rid of it altogether. In its current state it serves no useful purpose. The current system only aids criminals, on both ends.

What could be used for business accountability ?

[damn_registrars]

I would say the best use of WHOIS is when you need to contact the owner of a business domain. Like many others I've seen boatloads of complaints from people here about their own private domains and how badly they hate WHOIS.

To those private owners, I could care less if their home information is available through WHOIS, as long as they aren't selling illegal merchandise through said domain and pumping spam for it all over the world.

However, when international criminals register domains to sell pirated software / bogus pills / etc ... I do believe WHOIS is still useful. When you can obtain the WHOIS information for the criminal domain, it gives you someone to contact about that activity. People who care enough to do this have managed to progressively change the policies of registrars who were frequently used by spammers for nefarious purposes.

And further investigation into WHOIS data can lead someone to even more critical information, as well. Being as the WHOIS record contains information on the DNS servers that are resolving the domain, a person who wants to really dig deep can find where those were sold as well. A little hint: the spammers often use only a short list of DNS servers for a large number of their domains.

So in summary, before people rally around ICANN with pitchforks and torches to demand the demise of WHOIS, I ask you please consider a solution for the applications where WHOIS is still useful before insisting that it goes away completely.

Re:for plenty of us

[hackstraw]

Speak for yourself. I use whois every day. It's invaluable.

Really? Can someone elaborate on its usefulness? I gave up on it years ago. (also, I simply don't need to know this info anymore)

When I was a SPAM vigalante, I would do whois lookups, and usually the information was clearly bogus. Often, if the info was not bogus, it was outdated. And I've heard from many people that are legitimate people doing legitimate things with their hostnames that would never give real information for whois lookups because they simply don't want to be the target of SPAMers or whatever else could come from having any personal information laying around for some random person to have fun with.

I would never put accurate or relavant info into a whois lookup, and I don't expect anyone else to do so either. Nothing good can come from it, unless maybe you hold the killer domain and you hope someone will try to buy it from you.

I also lie about any personal info to protect my privacy, unless there is something explicity beneficial for me for someone else to have relevant info. I also tell all of the door to door sales people trying to sell me some crap for my house that I rent. They immediately say "Oh", and walk away. I also pay extra to have my phone number unlisted.

I'm still on some lists, but not that many. And the fewer the better.

Whois is very important, don't scrap it

[guruevi]

I use whois everyday to check domains and IP's from command line. The simplest way to get an IP range is just "whois xxx.xxx.xxx.xxx" and then block/allow the whole range depending on your needs.

It's an invaluable network tool and just like DNS, you can't just scrap it. That there is abuse is always going to be a problem and that can be done with any list you put your data on. Ever wondered why you get so much credit card offers in your mailbox? Yes, it's because your name and address is somewhere on a list and most likely you have put yourself on it by using your address with either a banking institute or a vendor. You can't stop abuse by taking away services just like you can't say that you are going to solve those credit card offers in your mailbox by removing the postal services. If you do, the abuse is just going to shift from whois to your webhosters' site or DNS just like the credit card offers will be carried out by FedEx or UPS.