ICANN Punts on WHOIS Privacy Proposal

An anonymous reader writes "The Internet Corporation for Assigned Names and Numbers (ICANN) has essentially put off consideration of a proposal that would have dissolved a requirement that domain name registrars collect and display personal information about people who register Web site names. Privacy activists said the WHOIS database has become a data-mining dream for marketers and spammers, to say nothing of stalkers and harassers. Companies representing some of the world's biggest brand names appear to have prevailed, arguing that any change to the current system would interfere with law enforcement investigations and trademark disputes. In the end, ICANN voted 7-17 to table the issue in favor of further studies on the privacy impact of the WHOIS database."

Punts?

Isn't this what most jocks call "Third and out"? How fitting.

Isn't it a good thing

to be able to see who controls a domain, so you can contact them if there's an issue? (eg they're typosquatting)

Re:Isn't it a good thing

Agreed... I can find out who owns any house/building in the U.S. and I can find out who owns any company because it's a matter of public record.

T.V. and radio stations have to identify themselves... I can't think of any good reason a domain owner shouldn't have to.

Individuals have a right to privacy... companies and organizations do not.

Re:Isn't it a good thing

I can have a privately listed phone number, why can't I have a privately listed domain? I can speak anonymously by publishing pamphlets, why can't I speak anonymously by publishing to the internet? More importantly, why is your need to 'track down the owners' more important than the owners' privacy?

Try running a non-profit from your home to offer mental health support. Death threats on the internet may be a dime a dozen, but when it comes to mental health issues... well, some of those threats are more genuine than others. Do you think $5 is going to keep someone from calling me on the phone 50 times a day or coming to my house and stalking me?

The registrar has a business relationship with me and needs to know who I am. You don't. If you need to contact me, I have an email and mail forwarding set up with my registrar.

Would have saved a fee

Well, that would have saved me the annual $9 that I spend for the anonymous option with my registrar.

Further study?

Just what kind of further study to they need to do to figure out the privacy concerns? They know what information is made available, and they know the potential consequences (both positive and negative) of having that information in the public domain. Making a yes or no decision based on that is hardly rocket science.

WHOIS useful

Whois is (can be) a great resource for tracking down the admin of a network (which is what it was INTENDED for). When i see a machine trying to guess default password to my FTP and its obviously a bot, whois makes it really easy to determine if it is some kid sitting on a cable modem, or if its a real domain. It its a real life domain, then it makes things much easier, there is a phone number i can call and complain to (UN-BOT YOUR FREAKING MACHINES!).

Also, when i look through apache2/access_log I can see who is looking at my cartoons :)....lots and lots of addresses that end in .asu.edu means that somebody broke the first rule of fightclub.

Basically my point is, if your hosting some website to show the world pictures of your cat, then use a private WHOIS registration service, if you're an actual company, with a big honkin' domain, then people grabbing information from whois probably isn't MUCH of a concern to you.

This just sounds like a bunch of people with a solution who are looking for a problem to me.

I'd Like To See More Privacy

I would like to see more privacy involved in the WHOIS database. I've been the target of not only marketing garbage, but also some threatening letters. That isn't fun at all.

Luckily, some companies will 'obsfucate' the WHOIS information to an extent, by offering a contact address to the company that will forward mail to you. You still get the mail, it just gets shuffled around a bit so that the sender doesn't see your real address. They do the same with email addresses, setting up a forward account. All of this, of course, for a fee.

I can understand why people would want contact information for domains - and I agree. It can be very useful and in some cases it is necessary for legal process. It is just too easy to abuse in many cases. I'm not sure what a good solution would be, though.

What privacy?

You get a domain... As in something that allows the world to see you. But you want the world not to see who you are? This is not even part of an anonymity debate. You have to pay to be seen. Why would you not want it to be seen who you are then?

Nominet let you opt out

UK's Nominet (responsible for *.uk) let you opt-out of displaying contact details for domains. Why not other TLDs?

Registrar contracts MUST BE enforced for whois

To correctly do whois, there must be some changes to the Whois to work.

For those people who use Fake information, they need to lose their domain names. 3.7.7.2 states that a registrar may cancel a registration when there is intentionally false information given. This is rarely enforced. (see http://www.icann.org/correspondence/touton-letter-to-beckwith-03sep02.htm [icann.org]). In fact, I was told by a person at ICANN (I shall allow her to remain nameless, for now -- but for those who were at the IP meeting on Tuesday, she was sitting next to me) that there is no provision for punishing a registrar, except by terminating them and ICANN does not want to terminate registrars because all of them do not have a good data escrow in place. (think registerfly). I believe this is incorrect. I believe that suspending a registrar's ability to prevent NEW registrations by a registrar would be within the ability of the contract and not harm any domain registrant.

Many registrars give 15 days (the period for mistakenly false information, ie. typo, aged, etc.). What needs to be done is to suspend the domain name, for intentionally false false information, for this 15 day period. And then when they provide updated information, this updated information MUST be proven to be correct (ie. don't change 123 Yellow brick Road to 123 Main Street, Oz, Kansas.) and allow the registrar to charge a reasonable administrative fee.

By allowing registrars to ignore invalid whois and complaints regarding such leads to the argument that since the all data is not correct, that the Whois should be scrapped.

The best ICANN news I've heard in a while

I'm all in favor of leaving WHOIS alone for the time. As I've said before, the WHOIS records are very useful when dealing with people who use domain names for nefarious purposes. A large portion of the domains that sell discount v!@gra and pirated s0ftwar3 are sold to a small number of big-name crooks (Leo Kuvayev and company). If we leave the WHOIS data open we can at least find out who they are in cahoots with. This is a good thing, because it can lead to taking action against the registrars and ISPs that are keeping them up and running (and likely getting a cut of the action themselves).

I wish the privacy advocates would just settle down and be willing to negotiate a compromise. Frankly, I could care less about getting the data on domains that exist to host peoples blogs and pages about their dogs or whatever. But if you want a domain so you can sell something, you should be willing to let the world know who you really are.

WHOIS Privacy has been available for a while...

Recently to my pleasant surprise, my host let me in on a new feature (for them) recently: optional WHOIS privacy (to your domain name registration, specifically). Even before reading all about this absolution of WHOIS,which, from the reasons provided, are sound, but I still think the overall usage of WHOIS is useful, despite the potential as a data mine, I'm glad I ordered it, as I'm just a tad bit more paranoid than the average person about internet privacy.

However, the internet shouldn't have any training wheels (thankfully, AOL has been dead for some time, although now we have Comcast...), and it should be common sense concerning WHOIS and it's uses, as well as the whole spamming thing (which there are plenty of tools out there to combat, such as simple .htaccess tricks made easy to come by via Google, etc. etc.). It should definitely be discussed though, but there shouldn't be any rash moves to just abandon WHOIS.

privacy and public information

It is possible to maintain privacy and to make the information available to anyone who has a legitimate need.

For example, the owner and physical address of anyone who has a government PO Box is not freely available, but anyone with a legitimate need can get the Post Office to release this information.

Why can't before the ownership of a domain name be released that the requester be required to identify himself and for him to state the reason he needs this information?

Just remove email addresses

There's not a big abuse problem with addresses and phone numbers in whois, but there is a big problem with the email addresses. Simply removing the email addresses would be a huge benefit.

Privacy

If people didn't want privacy, they wouldn't own curtains.

If companies wanted privacy, they wouldn't advertise.
(And don't talk to me about 'corporate secrets' that is a different argument.)

"All sweeping generalisations are false, including this one."

Less domain privacy, not more

Personally I would like to see less privacy on domain registrations, not more. I would like to see the elimination of "private" registrations and masking services. I feel that someone should be responsible for each domain. If you want to be anonymous, make a deal with someone who has a domain and is willing to maintain your anonymity.

I would like to require that annually the registrar 1) sends an email to the registered contacts, and 2) sends a postal letter to the registered mailing addresses, and 3) places a phone call to the registered contact phone numbers. If either the email, the postal mail, or the phone call goes unanswered after a couple of attempts, you forfeit the domain.

This would 1) make sure that WHOIS contact data leads to someone and 2) significantly reduce the amount of bogus registrations and cybersquatting because there would be a physical process cost in addition to a financial cost in hosting a domain.

Of course, people could supply bogus information, but at least the information would lead to someone that is willing to answer for the bogus name. I really don't care so much if someone uses an alias, but I want to make sure that I can contact a person about domain related issues.

To cover the cost of performing communication with the domain owner, the registrar would charge a couple of extra dollars per year. (It is not hard as there are plenty of existing automatic emailing engines, paper mailers, and auto dialers with IVR.)

It's all my opinion, take it or leave it.

Time for an OPEN solution to WHOIS privacy

ICANN acted to protect the financial interests of those companies who charge us extra for PRIVACY. If privacy is a problem, then why are we able to buy it, but not get it for free?

What we need is an OPEN solution, where for a single low administrative cost fee I can have my WHOIS data private for all of my domains - not the per domain fees being charged by for-profit companies now.

Someone like the EFF should step forward and provide us the solution ICANN will not.

It works both ways...

While it is true that there is a potential for "private" information (name, address, etc.) to be publicly visible to spammers and marketers, it works the other way as well. If someone spams me, or someone else on my network, AND it's not a bot-net source, I find whois to be invaluable in terms of finding out where the stuff came from. If it's a mainstream company, they get a phone call (using the number in their whois record) and an earful about it, in that order.

As others have pointed out, this sounds like a lot of kerfuffle over nothing. If you're truly worried about privacy in your domain records, there are already a couple of options.

--Get a PO box, as I did, and use it for your registration address. ICANN regs don't prohibit it, and it's useful for stuff beyond domain registration.

--Use a whois-anonymizing registrar for your domain. ICANN doesn't prohibit this either, just as long as there is some way for said registrar to forward messages from the outside world to you.

Leave whois alone. It's too useful a tool. The fact that some few abuse it should not be cause to eliminate it (after all, to use an analogy, people abuse telephones all the time -- junk calls, junk FAXes -- and we still have them).

Keep the peace(es).

We're focused on the wrong people

I guess it's fine that ICANN doesn't really care about protecting potentially private information. Where the focus should really be pointed is toward domain registrars.

When you register a domain, you give them your address so they can charge you their yearly fee. Which is acceptable.
However, what always struck me as unacceptable is that they take your address and slap it directly in to the WHOIS database without telling you or informing you that this is being done. I've been shocked and also appalled a number of times to see my address, apartment and telephone numbers all printed right out in the open. Because of that, I supply them with bogus information for the WHOIS. (1234 Main St. Anytown, USA 12345 (555) 555-1234)

Registrars should at least give people an explicit FYI about what information they're making public.

What a disappointing Slashtdot discussion...

This discussion is heavily slanted toward the pro-regulation crowd. The moderators seem to be modding up posts based on the position they take in the debate rather than the value of the points they are making. I would think that a community for geeks would have a better understanding of this issue, and would have more people who are sympathetic to the interests of private individuals who have domain names for non-commercial reasons.

There are a large number of straw men that are raised constantly by supporters of whois accuracy regulation. Not one holds up to objective analysis.

1. No one is talking about getting rid of Whois. Whois was originally voluntary. You could publish as much or as little information as you wanted in it. Later, it was changed to make publication of names, addresses, and telephone numbers mandatory. If this vote was successful it would become voluntary again. This is not the same thing as taking down the service.

2. Criminals and spammers are not going to publish accurate information in whois. There is no way to force the data to be accurate regardless of what the regulations are. So the regulations mostly impact well meaning, honest people, not criminal groups.

3. Businesses want you to know how to contact them. No legitimate business is going to keep it's whois information private. The regulations do not effect businesses or organizations, who would publish contact information regardless of whether or not they were required to, they effect individual, non-commercial domain holders.

4. You do not need DNS Whois to resolve technical, security, or legal issues with a domain. Its convenient, but if the data is wrong or not present, you can contact the ISP that is responsible for the IP address the computer in question is using. DNS Whois is never necessary. Most kinds of Internet crimes can be committed without a domain name, and so DNS whois is obviously not sufficient to investigate those cases. How does the RIAA prosecute P2P users, who are publishing on the Internet without a domain name? The argument that its ok to have an anonymous sub domain but its not ok to have an anonymous primary domain also does not make sense. If you have a problem with an anonymous primary domain you can contact the ISP responsible for the IP address the computer in question is using, just as you are forced to do if there is no domain name being used.

5. Yes, proxy services are available, but they are expensive, and this expense ought to serve some sort of legitimate purpose. If the purpose of this regulation isn't fighting spammers or criminals or making sure businesses disclose their locations, than what is it and are we willing to spend $9 per domain to serve it?

6. Individuals who use the Internet for noncommercial reasons are not interested in eating cake. We don't want dymanic dns records hosted on a sub-domain. We don't want to use hosting services. We want domains, and we've been able to use domains for non commercial purposes without publishing personal contact information for most of the history of the Internet! The response "if you don't like it use XYZ" is not acceptable. The people who advocate that people be required to publish their personal information in the whois database must defend the need for and value of that regulation, and not simply offer that those who disagree go somewhere else!

The bottom line is that supporters of these rules are motivated by misinformation, private interests, or outright authoritarianism.

The misinformed are those who like doing whois lookups on domains and assume that this information should always be required to be there in a form they expect simply because it is often there and often useful. This is a bit like assuming that personal homepages should have a terms of service agreement and a "contact us" page because lots of sites do and they like to use them.

The private interests are those like the RIAA and other IP interests, who wish to ensure that honest, well meaning private individuals who use domains have an address attached to everything they do soley so that these organizations can prosecute them less expensively. These organizations have to prosecute people on p2p networks who are publishing information online without domain names, and they successfully do it all the time, so obviously they do not need DNS whois, but it saves them money, so they want to keep the regulations in place.

The authoritarian interests are those that simply like the idea that people have contact information attached to their domains "for enforcement reasons." They want to ensure that someone is directly accountable to them simply because they like the idea of accountability.

It is that latter group that I find the most peculiar, but I reject the attitudes of all three. Operating a website at a domain name is no different from operating one from an IP address without a domain name, in terms of the kinds of illegal things you could do from that website. As various authorities obviously have to be able to track down the later case (and they do all the time) why should the former require that users publicly publish their name, address, and telephone number? Not every person who is interested in that kind of information has a legitimate reason to ask or good motives!

What these regulations ultimately do is make it harder and more expensive for private individuals to use the internet for noncommerical purposes, and they mostly benefit the large commercial IP interests. I think, frankly, the Internet would benefit if the incentives were balanced more toward the former and less toward the later.

Yesterday, today and tomorrow

Yesterday the Internet was a way for well-meaning polite academics to communicate. There were no commercial uses of the Internet and nobody had to worry about malicious attacks, fraud, or much of anything else. Except flame wars. WHOIS information was optional and pretty meaningless except in a very few cases.

Today the Internet is composed to fraud, copyright infringement, theft and all manner of people doing malicious things. If you aren't trying to hurt someone a significant portion of your time is either defending or recovering from attacks. WHOIS information isn't very accurate today either. The people doing malicious things aren't using their right names and addresses when they register phishing domains.

Tomorrow can't look like yesterday. Sorry, that period is over. It can look like today with domain registration being used as a weapon against everyone else while irresponsible registrars happily take money for registering domains like "ebay1.com". Surely the intent is clear - why can't the registrars do something about this? And the registrars, without identity confirmation, just help these folks along.

Tomorrow can look like today or worse. Or it could be better. Choose.

Lack of authentication

I've never seen a domain registration company that does anything to authenticate the domain ownership information it asks for. Generally this information is to be taken with a grain of salt, because much of it is false.