Privacy Advocates Bemoan the Problems With WHOIS

An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"

What is the problem?

[Anonymous Coward]

The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters

Every major domain registrar lets you do a "private domain registration" for a few bucks extra. They replace the WHOIS data with generic info plus a uniqueID, which lets you contact the domain owner through the registrar.

Pretty simple - not rocket science.

I am sure that the registrars will happily hand over the actual domain registration info to duly authorized law enforcement with a court order.

Further, any legitimate business puts a mailing address/phone number/fax number on their website. Having the same information available in whois isn't an issue.

I'd Rather it Be Accurate than Abolished

[InitZero]

It used to be when I had to contact someone, the whois information was accurate, complete and, when I dialed the number, I got a live human being that actually was able to address my issue. And, life was good.

Now, it seems even reputable domains are hiding behind private registrations or have outdated or deliberately incorrect information. Bleh. Problems that used to be able to be solved with a pleasant phone call now require hours of my time if the task is even possible.

So, my first choice would be that whois domain information take a giant step backward to the days when it was useful information. If that isn't an option (and going back in time rarely is possible), get rid of it altogether.

stalker "found" me thanks to WHOIS

[gsfprez]

i sold an old Mac laptop with system 7.5 to a girl for $200 with a printer about 7 years ago. She had little money, and for what she needed - a way to type homework in her dormroom and print it - $200 seemed reasonable - it did what she told me she wanted it to do, and she tested it at my place and everything worked just fine (2 cheers for Word 5.1 on system 7!). I made it clear that this was *not* an internet workhorse, and that if she wanted that, she needed to go to the bookstore and buy a new computer. "No no, i just want to type papers and print them in my dorm room".

So, of course, the first thing she did was attempt to install a bunch of new internet software (browsers, school's First Class server client) on it which of course didn't work. Then she took it to the school helpdesk, and they (rightly) had no idea what to do, so instead of telling her to get jammed, they screwed it up completely. So, she calls and says she wants to return it because it doesn't work. I'm like - yeah, what the hell do i want with a fscked up powerbook and printer? I don't want to buy it - i just sold it to you like two weeks ago.

time passes... and i start getting threatening emails from some guy on a yahoo account with ($myname)fucker@yahoo.com. Then he starts saying that he's going to come after my wife and hes watching her car when she comes home at night. That was fscking it. Its the girl's mental patient boyfriend.

Long story short - he was actually stalking whoever in the hell was in my old apartment - it was pure coincidence that the new tennants also owned a Honda Civic too.

Where, do you think, he got the address? Of course, from my whois entry when i didn't have any money to buy a PO Box.

Yeah, if you think i'll ever give out my information to my actual home or office location - ever - you've gone daisy, my son. ICANN and everyone else can demand all they want that my info be correct - but i don't answer to them, so they can kiss my ass.

In fact, because of this, a guy who started, then stole, the website of a non-profit (they've set the donations address to their address, but the actual non-profit is in Africa, so its hard for them to fight the problem) is going to be getting a legal foot up its ass because i know where he is and where he lives and his work address - all because he's broadcasted it in whois and on his webpage.

ICANN can't make me do anything.

Re:Even "Heroes" agrees

[JK_the_Slacker]

And use an email address you don't use for anything else (which is a good idea anyway.) If you can't be bothered to clean out an inbox every few days, you probably shouldn't be the contact for a domain name, anyway.

Note that I'm not advocating spam by any means, merely acknowledging the reality of it. I firmly believe that spammers should be hit with fines until they don't have any money left, and those fines reinvested into things like improving internet infrastructure in rural areas.

Re:Whois is useful?

[ztransform]

I have to agree.

I've tried to privately register every single one of my domains, and end up paying more for what is effectively "not listing my number in the telephone book", just because I don't want SPAM.

I say scrap whois. But still make registration of e-mail mandatory so the registrar can still contact domain owners.

I would guess the real-world equivalent is car registration (number) plates. In most countries the name and address of the registration plate owner is not publicly available presumably to deter road-rage from translating to home attacks; something a domain name owner may also be wary of.

I am suing Moniker for providing anonymous whois

[www.sorehands.com]

I am suing (http://www.barbieslapp.com/spam/e360/timeline.htm) Moniker for providing anonymous whois to David Linhardt (http://www.spamhaus.org/organization/statement.lasso?ref=3).

Moniker has been providing Linhardt/e360Insight, with hundreds of anonymous domain names. This makes it difficult, if not impossible, to determine which domains are his. With anonymous registration you cannot tell if the 1000 of spam you received today are from 1000 different companies that may have mistakenly added you to their list or from one hardcore spammer.

Legitimate businesses have no reason to hide their identity.

Re:What legitimate business hides their identity?

[kebes]

lets say Microsoft has a pro-windows or anti-Linux blog talking about how their company found that many Linux distros contain trojans. Now lets say these blogs are done with anonymous registration? Is this kosher?

If by 'anonymous' you mean 'not publicly visible, but recorded somewhere' then yes, that's fine. Anyone can use the internet to say what they want. If what they publish on their site becomes a problem (spam, slander, etc.), then obviously there should be a procedure for finding out who owns the domain so that you can contact them with your concerns.

But there's no need for the "default public" policy that WHOIS historically operated on. Moreover, if someone like Microsoft wanted an anti-Linux site, it would be trivial for them to outsource its operation to some other company. The current WHOIS actually doesn't provides a robust mechanism for determining who runs and operates a domain name.

The problem is that WHOIS currently is a very weak system. The data it contains isn't accurate, isn't verified, and what few legitimate uses there are for the system could just as easily be accommodated in an "default private" system where requests for additional information about a domain require a little bit of processing (and notification to the domain owner about who is performing a formal lookup on them, and the stated reason for doing so).

For verifying a domain exists, for example

[wsanders]

In response to customer inquiries about why such-and-such a domain isn't resolving, I do hundreds of checks a month to verify that domains actually exist, since a sizable percentage have non-functioning DNS. I also query to see if domains we are about to drop from our authoritative DNS service are actually gone.

Not to say the whole whois scheme is a mess, but some sort of non-DNS, free service needs to exist to verify that a certain domain either exists or doesn't.

The other thing that irritates people the most, besides the privacy issues, is that there is such inconsistency in how the whois info is made available.

Re:for plenty of us

[CarpetShark]

Are you a spammer?

There would be no other reason to use whois since it is unreliable.

Then why are you asking a question you think you know the answer to, if not that you think you're wrong? As it happens, you're VERY wrong. It's not the be-all-and-end-all of domain details, no, but it's very useful; for quickly finding out the status of a potential customer's domain, for finding out who owns an IP address that's exhibiting abuse, etc.

Reasons to dislike whois

[Tolvor]

I have had a long dislike of whois.

For one it gives people a major way to steal domain names. People look up the domain name that they want in the public record, find the email address, and try to crack the email. If they can get the access to the email then more than likely the domain can be stolen. Then us poor techs get a call several months later from the true customer wondering what happened to their domain. Whois reveals too much information.

Secondly it isn't accurate. People see their name in whois and think that means they get to make decisions on the account/domain. Just because your name appears in whois does not mean you are listed on the account itself. But try explaining that to their ex-(terminated)-webmaster.

And lastly WhoIs is a major pain to explain. Try telling a paranoid customer that all domains appear in whois, and that you can't remove a domain itself from whois. My sup can't remove it from whois. The president of MegaDomainRegistrar can't remove it. Sorry, no, I don't have a phone number for ICANN. We can hide the info, but we can't make it disappear.

But then to be fair, I can't think of an alternative system to keep the domains and websites fair and accountable. Compaining to a registrar/webhoster about a domain/site is next to useless unless it is unquestionably illegal or definately a trademark issue. Most cases get shunted to the legal department which give the unhappy complaintant a copy of the AcceptableUsePolicy and asked to submit proof of infraction (yeah, good luck). Usually it takes a dedicated lawyer to get things done in these cases. So for now, whois stays.

Re:Even "Heroes" agrees

[maitai]

Back around 1996 or so I had someone show up my house after retrieving my address from my domains WHOIS record.

They'd received some bounced emails from an email address they didn't recognize (mine), assumed they're emails were being 'hijacked' (as they put it). They then looked up the WHOIS information for my domain (which included the same email address in the record), realized it was local and drove out to my house.

Of course, I was the system admin for their upstream provider... and they already knew me in person since I was the one who installed the router on their end of the pipe. But at the time it was kind of odd having them show on my doorstep out of the blue like that.

Job-title whois email reduces spamming

[billstewart]

Having some kind of contact methods for the administrative, technical, and billing users is valuable, but there's no need for it to be a personal email address - especially for a domain that belongs to a business, where that information is likely to change or be handled by a group of people. You might as well have generic addresses like domreg_admin@yourdomain.com. Spammers are still going to try to abuse it, but if nothing else you can put an auto-responder that tells the sender to use a web form.

The technical contact is a special case, because it probably shouldn't be based in the domain it's supporting, since a common reason for using it is that something's wrong with the DNS server or the web/email server supporting that domain; and therefore it's most likely to not work when you most need it - so it needs to be handled somewhere else (like a commercial email service, or perhaps even a forwarder at the DNS provider), and it probably should have good spam filtering. At a medium-large company, the phone number should go to a help desk, which isn't a privacy problem either, but for an individual it's annoying but useful to publish the number.

The billing contact is another special case, because the only entity that needs to access it is the DNS registrar that's handling name registration - it should probably be hosted somewhere other than the domain (again because it has a good chance of failing when it's needed), and spam filtering can be a very short whitelist. I don't see a legitimate need for it to be public.

The Trademark Gods want the Owner's True Name

[billstewart]

There are two reasons you'd want the owner's name - you're trying to contact them because of content on their website / email, or you're trying to sue them because you think you should own their domain name due to trademark law. If you want to contact them, use the contact info on their website; if it's not valid, then the whois owner information probably isn't either.

The trademark ownership issue has been a major driver since before ICANN - the IETF Ad-Hoc Committee that was trying to expand the number of global TLDs before ICANN took over were under a lot of pressure from the Trademark Gods to make sure that anybody who registered a name provided their True Name and True ICBM Address (er, process-server address) so that trademark lawsuits could be resolved without needing to drag the DNS registrars into the process. I think that's unnecessary - it's reasonable to have a Uniform Dispute Resolution Process that says that if you don't provide usable contact information then you're presumed to lose a trademark dispute for non-generic names, as opposed to preemptively violating your privacy.

In practice, the main reasons I use the whois owner name are to try to make sure I've got a correct email address for somebody if I'm not sure, or sometimes to see if it'll help me contact somebody whose website doesn't provide useful information (e.g. spam complaints to abuse@ get ignored), but I've found that if somebody's a sleaze, they're usually providing non-useful information in their whois records.

There was one spammer I could have probably sued successfully, but their whois address was a box number in Greenville DE, at the same address as The Company Corporation, which has been the canonical place to set up cheap Delaware corporations for the last 100+ years - so the most I'd get if I successfully sued them for everything they were worth would have been the contents of their file folder, and they'd have had to go pay another $100 to get another shell company. I guess I might have also acquired their intellectual property, like the trademark on ScammersRUs.com or whatever they were called.

Re:for plenty of us

[davebooth]

Really? Can someone elaborate on its usefulness? I gave up on it years ago.

The whois database has one MAJOR use.. Most firewalls dont bother to look up DNS before they filter packets - too much overhead, in most cases. That means when you're creating firewall rules you're working purely in numeric addresses. So, if I determine that a bunch of cracked machines or scriptkiddies is making a nuisance of themselves, how do I blackhole an entire ISPs dynamic allocation block without being able to look up that ISPs address range in whois?

I'm still doing it manually by reviewing the logs every so often but one day I really should finish off the perl script that takes a bunch of IPs out of my firewall logs, flags the domains that own more than one of them and then parses whois output to suggest the most efficient netblocks to ignore in order to make the issue go away. (other than the entirety of .cn, of course!)

Privacy? Abuse?

[PPH]

I've owned a domain name for a number of years now. Other than using a P.O. Box for the contact info. I've never had any problems with fraud or abuse. I get the occasional offer to buy it (its a somewhat popular name) but nothing I'd consider to be a nuisance.

I think hiding the ownership of a domain (or IP address information) opens up opportunities for more fraud and, balancing that against privacy, I'd rather know who I'm communicating with.

If someone needs privacy, there are ways to get it.