Exposing Personal Information in the Whois Database 323
rocketjam writes "In a letter to U.S. Representatives Lamar S. Smith and Howard L. Berman, the Center for Democracy and Technology has raised the issue of privacy problems with the Whois Database. Acknowledging the database is uncontroversial for commercial registrations, the letter points that private individuals who register a domain name expose their names, home addresses, home phone numbers, and home e-mail addresses to the world. The letter warns, 'The current Whois regime is on a collision course with public sensitivities and international law. In an era of concern about identity theft and online security, it is unwise to require millions of individual registrants to place their home phone numbers, home addresses, and personal email accounts into a publicly available database that places no restrictions on the use of that data.' Additionally, the letter points out the current policy violates the privacy laws of some nations."
How else... (Score:3, Funny)
Re:How else... (Score:5, Funny)
Re:How else... (Score:2, Insightful)
But (Score:2)
Re:But (Score:2)
Re:How else... (Score:4, Funny)
Everybody knows that WHOIS lists plenty [whois.net] of chicks.
Re:How else... (Score:3, Insightful)
Re:How else... (Score:4, Interesting)
Phone books are on Google (Score:3, Informative)
Re:How else... (Score:5, Insightful)
There is nothing to say you need to put clues to your gender into the domain info. Put in a fake name if you want.. use your work email address.. use a PO BOX and a pager as long as you can be contacted without too much trouble it's all good.
Anyone who thinks this info needs to be removed from the public needs to have their head examined.
Re:How else... (Score:3, Informative)
Yeah.. I get spam on my contact info.. but I get a lot more from people finding my domains and emailing all possible addresse.
Do I disconnect abuse and postmaster too? Or do I go install spamassassin to catch most of it.
Spamassasin works btw... it filters over a hundered junk mails a day leaving only 4 or 5 for me to deal with.
Works for me correctly and I have both mine and the emails of several customers all set to my email address.
amen (Score:5, Insightful)
Re:amen (Score:2)
Nobody Important
1234 Nothing St.
Nowhere NA
(123)456-7890
so whats this story about? think I'll go rtfa
Re:amen (Score:2, Informative)
Re:amen (Score:5, Insightful)
Or, sometimes you get people who register domains through some co-hosting service and then launch attacks against your box/network through the service. Usually, the e-mail for the domain registration will be someone in charge who can give the asshole due justice.
It is not a frequent thing when I must resort to WHOIS to contact a site owner, but sometimes it happens and it's fairly important.
Re:amen (Score:5, Insightful)
Re:amen (Score:4, Insightful)
False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.
Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.
Remember when... (Score:4, Insightful)
For some of us, it used to be that the real contact information (at least email address) was needed since Internic did all of its renewals and changes via that email address.
Of course, I could go and change it, but the point is, there are many valid contacts in that database for spammers to use.
Is it a big worry? Nah, probably not, but it is a concern.
Re:Remember when... (Score:3, Insightful)
That information needs to be valid in case someone needs to contact the admin in a hurry.
Nothing has been more of a pain in the past when trying to deal with infected/rooted servers and trying to find the admin via the domain owner only to find out the contact info is invalid.
Makes me have to go to the isp(the slow route) rather than either getting the box owner or the box owner.
Mind you that doesn't apply as much if the domain is simply hosted on
Re:amen (Score:5, Insightful)
All it'll take is some blowhard out on the net (and you know from being on Slashdot that there are plenty of them) to get pissed off at something someone posts on their web page. It might not even be anything really bad, people get pissed off over the stupidest things. Joe Blowhard decides to look up Jane Somebody's home address on whois, then goes over her house and kills her. Or kicks her ass. Or rapes her. Or robs her. But you get the idea.
Currently, the anonymity you have on the web is the only thing protecting you from all the crazies out there. Put your address on a website, and you take your chances. Not wanting to risk possible red death should NOT ban you from having a website, and that's what this is really all about.
Identity theft is one thing. Getting your ass beaten by some lunatic who didn't like your website (maybe he thinks you're not religious enough, maybe he doesn't like your politics, whatever) is quite another.
Re:amen (Score:3, Insightful)
These are every day events that happen locally. The person you piss of on the internet my be your neighbor, but more than likely they are hundreds of miles away.
Could the
Re:amen (Score:3, Insightful)
Indeed you do have an odd view on privacy. This sort of view on privacy puts free speech, freedom of religion, and even democracy at great risk.
A key element of freedom is some level of privacy. Like all things this is a continuum, but the privacy needs to be there.
Take the extreme case. Your vote is private. It's absolutely esse
Spammer source (Score:4, Interesting)
Re:Spammer source (Score:2, Informative)
Re:Spammer source (Score:3, Interesting)
Thankfully she asked me first before paying it and was quite relieved to know it was a scam.
If there were strong checking (Score:2, Insightful)
However, how many Heywood Jablowmie's are there in the WHOIS database?
Re:If there were strong checking (Score:2)
Re:If there were strong checking (Score:3, Insightful)
also doesn't take a whole lot of common sense when your filling out a form for an online comic strip registration and its asking you for your home address and phone number. I mean unless your buying something why would you give this info out? people that give out personal info simply because some form is asking for it.. dummies, period
Re:If there were strong checking (Score:2)
I agree that the "dummy" factor is the main culprit....but then I have to give them some slack here as well...they are buying something, the domain name, and since it's all "official" and on the internet, and they "own" the domain name now, they feel obligied to answer, it's assumed on their part,
And as Benny Hill said, "Never assume...."
Re:If there were strong checking (Score:2)
which, I think, there already is? depends on the service
Re:If there were strong checking (Score:5, Interesting)
Or they do and realize an enemy could use that to his advantage to snatch away your domain. Providing false information is reason to lose your domain... or at least used to be in the carefree days when .edu domains were actually educational institutions, .com were businesses, .org were non-profit orgs and individuals, and .net were ISPs. *sigh* The good old days 10 years ago.
Re:If there were strong checking (Score:3, Interesting)
Two years ago after the whole WTC thing some idiot had a pro terrorist website he was spamming on ICQ from his university's computer lab.. imagine my supprise when I discovered it was his real name and address in his info...
He was supprised too when he got busted and the University called the police. When be brought the website back up a year later all of his info was set to garbage. Guess he didn't know we could all read that.
Re:If there were strong checking (Score:2, Insightful)
Heywood must not care much to keep his domain. I recently received a letter from NetSol asking me to verify the information in my registration and reminding that incomplete or bogus records could result in the registration being invalidated.
Also, I think someone else mentioned this, but it might be hard to defend yourself against a hijack case if you don't have accurate records in your registration "paper" trail.
Re:If there were strong checking (Score:2, Insightful)
If you've ever seen the movie Maverick, where Mel Gibson is talking to the Indian chief, the Chief states that the next place he's going to move is going to be a real dump so the white man won't kick him off of it. That's the way to pick domain names
After all, aren't we all just little Indians?
let's not forget... (Score:5, Insightful)
Re:let's not forget... (Score:5, Insightful)
Whois gives you no such option, and would probably actively resist if you even asked.
Guess again(+) (Score:2, Insightful)
For example, I tried to correct a bad entry for my mother-in-law for all 6 of the biggest ones starting 2 months ago. She moved, and went to an unlisted number in another state. I sent multiple e-mails to the ones who have YET to delete this bogus entry, based upon her husband's name (He died 30 years ago).
PO Box (Score:3, Interesting)
Re:PO Box (Score:2)
Just something to be aware of, people have lost their domains under similar circumstances.
To keep everything nice and bonified, there's always the 'privacy' domain registrations that companys such as GoDaddy [godaddy.com] offer (basically a proxy registration).
Re:PO Box (Score:2)
Re:PO Box (Score:2)
Re:PO Box (Score:4, Informative)
Their response summarised:
(a) We don't care
(b) We don't care
(c) Domain registration is done in america anyway, where they don't have data-protection law
(d) It's not up to Nominet to inform its customers of their lack of data protection
I could probably find the actual letter somewhere...
(Nominet should have got into trouble because (a) they unilaterally changed their terms and conditions, leaving people with a choice of publishing their home address, or losing their domain name, (b) they have monopoly on UK domain names, (c) anybody who's running a business is obliged by business law to publish their address anyway, and (d) any accusation of illegal activity associated with the domain should wait upon a court-order to disclose a person's home address.
Information commissioner doesn't seem to think so. Some might wonder what he does do.
Re:PO Box (Score:2, Informative)
UK2 have a pretty clear policy on disclosing personal data: from the page listing their generic response to domain name disputes, I found the following:
"UNDER THE DATA PROTECTION ACT 1984 WE CANNOT DISCLOSE INFORMATION ABOUT OUR CLIENTS WITHOUT BEING LEGALLY OBLIGED TO DO SO. UK DOMAIN NAMES HAVE NO REGI
Re:PO Box (Score:2)
You're very out of date. The nominet T&Cs conditions did at one stage talk about releasing everyone's address, business or personal, however you will notice now that when registered or updating your *.uk domains you have the option to mark yourself as an individual and so stop your details being released to who
Re:PO Box - another approach (Score:2)
Re:PO Box (Score:2)
It is kind of irritating. (Score:2, Insightful)
It used to be helpful for looking up abuse information, but that almost always goes ignored nowadays too. Now it's just useful for finding virus writers.
Call me big brother... (Score:3, Interesting)
How else can we hold scammers and spammers accountable if they make it super hard to track them down. The majority of those "online pharmacies" have bogus WHOIS info and probably take good peoples money.
Bogus WHOIS info sucks, plain and simple
Re:Call me big brother... (Score:4, Insightful)
Caught a scammer with the help of whois (Score:3, Interesting)
(And don't tell me that his bank information would have been enough to get his contact information. The Sparkass
A long time coming. (Score:5, Interesting)
I just hope they don't dumb it down so much where one can't get email addresses for those controlling the domain for reporting purposes.
Reporting WHOIS abuse? (Score:5, Interesting)
Re:Reporting WHOIS abuse? (Score:5, Insightful)
It's an empty threat.
And even if it weren't... (Score:2, Insightful)
And even if it weren't, by the time the spammer who harvested your email got a slap on the wrists, your email would be on so many other spam lists you'd never get it off.
Its rare to get junk mail from Whois (Score:3, Informative)
Here in Denmark ... (Score:5, Informative)
Here in Denmark, DK Hostmaster A/S is the administrator for the Danish top level domain. You can have your personal contact details hidden from the public WHOIS database - in accordance with Danish Law on protection of personal data, blah blah blah.
I would recommend it!
zRe:Here in Denmark ... (Score:2, Informative)
Re:Here in Denmark ... (Score:3, Informative)
click here [dk.] (it should work without the dot at the end as well, but I don't get that to work often on my windows box).
AI is the only other TLD I've discovered so far which scores coolpoints for this as well.
Same applies to Patent Databases as well... (Score:3, Informative)
Re:Same applies to Patent Databases as well... (Score:2)
hell yea... (Score:2)
that info is wide open, man...
RB
UK WhoIS (Score:5, Informative)
Britain and the EU have always had stronger data protection laws than the rest of the world. This is part of the reason the EU are looking at Microsoft's
Re:UK WhoIS (Score:4, Insightful)
We have always taken the view that private individuals have a right to secrecy, and that those individuals should make an effort if they want some data published. The USA has taken the opposite stance; people have a right to reveal information, while keeping it secret should take effort.
In an age where data processing is always manual, the USA had it right; stopping gossip is hard, and there's lots of work involved in revealing information. Further, the more you wish to reveal about someone, the more work you have to perform. Automated data processing has pushed the cost of this work down to the point where it is easy to reveal lots of potentially harmful information in one go.
Basically, it's wrong to look at the Americans as catching up on this one; they took a fundamentally opposed view to us, and it's still not clear who's got the better system (although I prefer the European one).
Fake information (Score:3, Interesting)
T.
Exposing Data on the Whois database (Score:5, Interesting)
Even exposing contact information for a business is questionable. If you're working on penetrating a company, then this is a stop on the highway. But, without that information, then (as one poster stated) the FBI would have to get us the information we need to prosecute spammers or etc.
I don't know what the answer is either; I don't think it's simple either. This may be one (of many) invasions of our privacy we have to deal with. Banks, Mortgage Companies, Credit Cards--these all sell our information to other companies. It's sad, but this is big business, and it makes money. Utilities provide information to Local, State, and Federal Agencies all of the time; and are required to by law.
Our information is not private anymore, and hasn't been for a long time. Everyone has their hand out for it.
Obstacle to distributing a shareware application (Score:5, Interesting)
From reading previous Slashdot articles, being able to seen the domain name/IP address of owners and customers has been extremely useful in detecting all sorts of shenanigans with hyping up new products.
However, for someone trying to augment their basic salary through shareware software, this is a disadvantage.
With broadband internet via cable/satellite/telco, I have a permanent Internet connection, but the companies respect my right for privacy. Surely the same could be done for domains registered by home residences?
More of an economic problem than privacy problem (Score:5, Interesting)
Having registered a few domain names, I receive a lot of spam telling me how to register new domains, renew when the old are about to expire and so on. I'm sure the registars make a lot of money on this, which surely makes them want to continue.
My personal information is also included in the IP whois database. This database contains info on what ISP uses which IP numbers, etc. - see www.arin.net for more info.
The interesting thing is that I have not received a single spam to the specific email address I supplied. So right now, I see it more like an econimic problem than a privacy problem.
---
If you're not living on the edge, you're taking up space in the middle
Go ahead and start a business. (Score:2, Informative)
And in other news, (Score:5, Insightful)
(end sarcastic rant)
YAWN! Call me when WHOIS data includes SSN. As it is, this info is already widely available for the vast majority of the population.
--
don't for get about arin... (Score:3, Informative)
Arin [arin.net]
Ripe Ncc [ripe.net]
Apnic [apnic.net]
Lacnic [lacnic.net]
Anonymized registrations (Score:3, Informative)
Is $9 worth it? It's your call. Check this out.
https://registrar.godaddy.com/dbp.asp?isc=&se=%
Domains by Proxy -solves the problem (Score:5, Informative)
CB
Privacy (Score:3, Insightful)
A domain name is a publicly accessible object, and a responsibility. As a society, we expect that for certain activities, people be publicly registered (running a company is an obvious example) - reasonable privacy is a right, but anonymity - which is what we are really talking about here - is not.
I can only think of a very small minority of legitimate Internet activities that both require a domain name and for which privacy is likely to be a concern; in those cases there are plenty of registration agents who will act as a proxy for registration and take on the responsibilities associated with being the owner of a domain.
Practical Contact Problem (Score:5, Insightful)
I have several domains and I use a separate email address for my whois records (separate from my home and business addresses). But I don't monitor emails to that address because it has become completely filled with spam. I just delete all mail to that address.
But that, of course, means that any legitimate attempts to contact the domain owner are lost as well. I could try and filter it (either manually or with software) but the ratio of legitimate email to spam on domain registry emails is thousands to one, so it's really not worth my time.
So, aside from any privacy concerns, the public availability of email addresses on whois records in effect renders them useless as contact information.
Correct contact information is required (Score:3, Insightful)
What would you do if your registrar goes bust?
All of this information doesn't need to be exposed in the WHOIS database though.
Two things: (Score:3, Insightful)
2. In Denmark for instance, you can specify you wanted an "unlisted" address, and the whois server doesn't release your information.
More privacy is necessary (Score:3, Interesting)
Re:More privacy is necessary (Score:2, Troll)
Your lack of forethought and/or lack of understanding of how politics work are your own problem, not that of the registries.
Just because you can operate a computer does not make you, nor should it make you an expert on publishing and every vertical market you may touch. If you don't learn about what y
In the mean time, in Germany... (Score:5, Informative)
Anyone who still wants to publish anonymously could still do it abroad, of course, as there will always be registrars who and nations that don't care about trust.
I mention trust here, because I can trust a company's products (i.e. a shop selling goods) if I know where I can go, or what number I can call: currently too many (some) web shops (at least locally) do not even mention a telephone number I can call to have an order confirmed or more product information detailed. The same holds for web sites that provide information: if the e-mail address is left out, how can I get any confirmation, more detailed information, conversation or feedback going?
As it should be (Score:5, Informative)
If you want relative anonymity, get a hotmail or yahoo account.
Re:As it should be (Score:4, Interesting)
I don't use it for business purposes, which would be a different story. It's my own personal site on my server on my T1. I have every right to hide my private information!
I've had fake information (invalid address, phone, name, etc) and a yahoo account as my email for the past 3 years.
"How can someone contact you then," you ask? Well, that's the point. No one needs to contact me. They can do so via my yahoo account.
Maybe I'm missing something, but I don't see a single thing wrong w/ that.
Re:As it should be (Score:3, Insightful)
The internet is part of the public sphere. Courts in the USA (and everywhere else AFAIK) have held that when you leave your house and enter the public sphere (or in this case operate a sever connected to the internet), you volunatarily give up some of your privacy.
Use GoDaddy (Score:3, Informative)
A Few Solutions (Score:5, Interesting)
One is using Dotster [dotster.com]. They obfuscate your email address, so you won't be spammed so easily, but they can still contact you. A friend of mine nearly lost his domain because he used a fake email address with Network Solutions and he never got the "your domain is expiring" email.
The other is a finding a trustworthy ISP/hosting provider who will manage your domain for you. I've been using HostSector [hostsector.com] and it's worked well, plus it's less expensive than buying the domain outright. I'd have to jump through some hoops to purchase the domain from them, but I can do it, and I believe their contract specifies that I can purchase it at any time.
Thinly-hidden spammer protection (Score:2)
Set up TLD for individuals (Score:5, Insightful)
A few general comments to your privacy freaks (Score:3, Interesting)
Go check out ARIN. If you have a static IP address+competent (read not RFC-ignorant) ISP, your SWIP record contain your personal information too. That's how it's supposed to work.
That's right, the whole Internet is out to identify you.
Remembering @home (Score:4, Interesting)
It really is a double edged sword, on the one hand a good reason to have this contact information there in the first place is in the event something needs to be reported like virus/worm infection, system down, open proxy, that sorta thing. On the other hand, there are those who don't respect the fact that info is there for a good reason and it's not for trivial issues or spam.
I use mailboxes etc. (Score:2)
only the cops can come in and say "who the hell owns this box?"
Can be useful... (Score:5, Insightful)
However, I work for a company where it is sometimes necessary to track down owners of domains and report them to the appropriate authorities. Even though a lot of people fake the information, the whois database has come in handy more often than not.
Another good thing, for myself atleast, is that I have gotten offers on some domain names I used to own. I am guessing they got the email address from the whois database, as I hadn't used the domain in question at all. I managed to sell it for quite a bit more than I bought it (it was a four digit sum, but still way more than I paid for it).
I am slightly split on this issue. I don't want my personal information in there (and faking is not an option for me, I want to stick to the rules), but I want to see other peoples information. Guess there is a tradeoff somewhere along the line.
Anyways, just wanted to point out that the WHOIS database can be extremly useful and/or helpful sometimes.
UK Solution (Score:5, Interesting)
Individuals can opt-out of having their whois information displayed in a whois query by asking their registrar to opt them out (a couple of minute administrative task).
This appears to me to be a simple and logical answer to the entire problem.
Bullshit. (Score:5, Interesting)
Right now, there are thousands of spamming scum who post bogus information in their domain registration in order to foil the wrath of spamfighters.
Different domains for different purposes (Score:3, Insightful)
Any entity registering in
Any entity registering in
Any entity registering in
We have a '.name' now (which personally I think should have been '.nom'), for personal users. I think it's perfectly reasonable to expect that individuals will not want to put any contact information there. I also think it's perfectly reasonable for an ISP's contact information to be exposed in its place, though.
Basically, just apply privacy requirements to the intent of the domain name. If regular Joes want to register a
Subdomains under a country code would need to be addressed by the countries in question.
A good reason to need public WHOIS info... (Score:3, Insightful)
Need the WHOIS info, and here's why...
A few months ago, I purchased quite a bit of money in CD's from an Internet site. It's a business, but it's a proprietorship run by one person. I never received the CD's and the guy stopped returning my emails. I had paid him via PayPal, and the ridiculously short PayPal complaint/insurance period had run out, so I couldn't get my funds back.
The guy has no contact information other than an email on his site. (And don't play me for idiot...This is a big music site and I've successfully purchased there before.)
So...I wanted to send him to a collection agency. Several warnings to him went unheeded, so I went about trying to track down his personal information.
And I ended up on netsol. It referred me to GKG.net, another registration company. I went on the WHOIS and the guy had NO information whatsoever. Every field said nothing.
So I emailed GKG.net and told them that when collection proceedings began, we would be asking them for this guy's info. They emailed me back that it's their policy to have updated and correct information in the WHOIS database. They emailed the guy and gave him 48 hours to provide it, with the threat that his site would be shut down.
A day later, all of his information was up. I had a name/phone/address. I sent him to a collection agency based on the only place I was somewhat easily able to obtain information.
Damn good reason to keep WHOIS info open. If people don't want to give out their home addresses, then they should rent a P.O. box for $20/year. If they don't want their names public, then I can only imagine either a) unwarranted paranoia or b) that the person shouldn't have on the web whatever it is that they have on there.
WHOIS helped, and the guy went to a collection agency.
-SD
It's my phonebook (Score:3, Insightful)
I'm strongly in the camp that domain contact information, at least the technical contact, should be public. I've dealt with abuse issues for ISPs too long the think any other way could work. If there is a technical or abuse issue with a domain a network admin needs to be able to contact the person responsible. At least contacts for DNS servers need to be required.
Re:Perhaps we should take this even farther (Score:3, Informative)
From RFC 2050:
Re:knock knock? (Score:2, Interesting)
Obviously a good solution will weigh the need for contact with the likelihood and degree of abuse of said contact information
Re:excessive exposition (Score:3, Informative)
I imagine for most people who just want to run a regular website without the hassle of spam/telemarketers, this is the way to go.
Re:excessive exposition (Score:2)
Certainly it looks from their site like it would be theirs, with a contract with you to give you control of it.
That's all very well, but what happens if they go bust?
I use my work address as the contact for all my domains - sure, it's not exactly private, but a lot more so than listing my house.
Course, I'll have to think of something else if I decide to go freelance...
Re:Junk Mail (Score:2, Informative)