Congress Eyes Whois Crackdown

Decius6i5 writes "The Washington Post is reporting on a Congressional hearing in which it was proposed that putting false or misleading information in your DNS whois record should be a federal crime. Texas Representative Lamar Smith is quoted as saying 'The Government must play a greater role in punishing those who conceal their identities online.' The article claims 'Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries that much of their material is made available for free on Web sites whose owners are impossible to track down because their domain name registrations often contain made-up names.' Its funny, I don't recall the RIAA having any trouble tracking down P2P users whose IP addresses didn't have any DNS names associated with them at all. This isn't the first time the issue has been raised in Congress but apparently Congress hasn't gotten any more clued after several hearings."

I find this idea disturbing.

[The I Shing]

Yes, there are criminals with false WHOIS records.

And, at the same time, the WHOIS database is a feeding trough for spammers and scammers, encouraging otherwise honest people to put false information into their WHOIS records just to keep those spammers and scammers from getting their names, email addresses, snail mail addresses, phone numbers, fax numbers, mothers' maiden names, and whatever else their registrars ask for.

I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.

There's an old saying you still see on bumper stickers, "When guns are outlawed, only outlaws will have guns." While that idea might be more accurately stated as "When guns are outlawed, only outlaws will accidentally shoot their own kids," the original sentiment holds for WHOIS, that is to say, "When falsified WHOIS data is outlawed, only outlaws will falsify their WHOIS data."

If the RIAA and MPAA can't find the fake WHOIS record owners, how is the government going to track down the WHOIS record owners and punish them? Why waste time passing a law that, in the end, only punishes honest people who would rather not give their unlisted home phone numbers out when buying a domain name for their kids?

Re:I find this idea disturbing.

[Endive4Ever]

They don't have to spend a whole lot of time tracking down the false WHOIS record holders.

Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

A fully validated WHOIS database would make it trivial to enforce punishment against people who use spammers to promote the websites and scams on said websites registered to them.

Hmmm....

[Anonymous Coward]

I agree with the concept of jerking the registration if the information is false, misleading, or utterly out of date (cannot be found). Add a waiting period before anyone else can register it (so someone can step forward and claim their error), and allow for private registration that can be accessed with a warent, and I think it would be a pretty good idea.

Any other ideas?

Re:I find this idea disturbing.

[Zeinfeld]

They don't have to spend a whole lot of time tracking down the false WHOIS record holders. Just spend a little bit of time trying to track them down. Then cancel their domains. Let them present themselves for identification when they want the domains un-canceled.

The current cost of a domain name is about $10. You can't get any type of address verification/authentication lookup from a reliable database for less than $20. If you want the result to be at all reliable it would cost at least $100 and most likely $200 - sound familliar? Thats what SSL certs cost.

The rule for domain names is quite simple, you use a false address, someone complains, you are likely to never get notice of the complaint, you lose the domain. Or you use a false address, you never get the renewal notice, you lose the domain. You have no idea how many IETF privacy nuts complained about not getting their renewal notices after typing in bogus address data, well DUUHHH!!

The only reason that WHOIS data is public in the first place is that when ICANN was being set up the competing registrars insisted that the rules should allow them to see Network solution's customer list so they could spam them with transfer offers. The other registrars then did what everyone else has done since, they created nominees to hide the true identities of the holder.

WHOIS would be best shut down. The spammers are never going to give valid data anyway. Instead use the reverse DNS to advertise a contact address to go to when you have a problem with info comming from an IP record. Nice thing here is that in many cases the delegation of reverse DNS reaches exactly to the level you would want to pick up a phone to talk to someone about a hacker comming from their net.

Of course you would need to authenticate any use of that data, telephone numbers would only be given out on a need to know basis etc. But we could do a lot better than whois. I have never traced a hacker successfully using whois data.

Re:I find this idea disturbing.

[Short Circuit]

WHOIS would be best shut down.

That's crazy. If someone's DNS server isn't retiring an old entry that puts my domain at an improper address, I want to be able to reach them with as little hassle as possible. Not demand contact information from my friends in Australia who pointed out that they couldn't get to my site.

(That's happened to me, BTW... www.grnet.com [grnet.com] somehow ended up having an old DNS entry with a fubar'd expiration date, but only on a high-level machine in Australia.)

Re:I find this idea disturbing.

[muckdog]

Actually this is not the case with the domain register I have delt with so far. Both with Godaddy and Regsiter.com I have give a separate email and mailing address that goes directly to them when signing up for the domain. The InterNIC Admin, Technical and Zone contact information are set to fake mail and phone numbers. The email address I use is real but not actively used, I also change it every once in a while to help keep down the spam hitting my servers.

When renewal time comes around I get two emails, one to the billing contact email and one to the one I gave register.com/godaddy. I also recieve a letter in the mail to my real address reminding me to pay up.

Re:I find this idea disturbing.

[egburr]

Here is an easy and reasonably cheap way to verify the accuracy of , with no human intervention on the Registrar's side:

• Request email address, snail mail address, and phone number via a web form.
• The registrar places the domain on reserve, pending successful verification.
• Within a few minutes, an email is sent with a unique code to enter or a URL to click on. The user does so.
• Within 10 minutes, a computer calls the phone number and reads a short list of randomly generated numbers.
• The user enters those numbers on the form.
• The computer generates a postcard (or sealed letter) with a different set of random numbers/characters and mails it to the user. The user can elect to pay for faster delivery options.
• The user receives the letter and enters that data.
• The registrar activates the domain.

This may not validate the identity of the user, but it should go a long way toward validating the email address, snail mail address, and phone number that the user provided.

The registrar could even require this validation to be performed once a year, initiated by sending an email to the given address and a letter to the snail mail address. This would be good incentive for people to keep their information updated.

Other than the initial setup, this process shouldn't come close to costing $5 for each validation attempt.

As for identity verification; I have no idea how to do that. In the US, the social security office only wants to see your (or *someone's*) birth certificate before they will issue a replacement card. The department of motor vehicles only wants to see your (or *someone's*) birth certificate or social security card before they will issue a replacement driver's license. Neither the social security card nor the birth cetificate has *ANY* information on it that can be used to even roughly validate my identity. The fact that a driver's license and passport both rely on those documents for verification is absurd.

After having my wallet stolen and having to get my license replaced, I'm no longer surprised that identity theft is so easy and common. All you have to know is a name, their parent's names, their birthplace, and their birthdate, and with that you can get a birth certificate for $5-$10. You'll find out their social security number after waiting 2 weeks for the social security office to mail you "your" new card. Maybe now that many DMV offices do your license photo electronically, a clerk *might* pull up "your" previous photo and question you if you look too obviously different (oh wow! I used to look even fatter than I thought! This diet is amazing!), but maybe not. After that, and maybe a little research on the web, you've got pretty much all you need to check credit reports (to get credit card numbers, etc) and obtain a passport.

I had to do all this for myself once, and the ultimate proof that I was me is that I was able to obtain a copy of a birth certificate with my name on it.

However, I don't know what more they could require and still have validation be possible. Maybe eventually, the social security office or the DMV will start requiring a full set of fingerprints for initial cards or licenses, and a new set for comparison before a replacement is issued.

Maybe then identity verification could work.

Hang on a minute

[rs79]

DNS is a way to identify computers on a network. We don't need a better more secure identd to associate names with numbers.

Re:I find this idea disturbing.

[shaitand]

If nothing else it'd be a great way to wrack up whoever is running the system's phone bills with calls to every number in every phone book in norway.

Re:I find this idea disturbing.

[punkki]

Within 10 minutes, a computer calls the phone number and reads a short list of randomly generated numbers.

Right. And the check would be done in every language from English (different variants of it) to Urdu? Also, let's hope the person isn't hearing impaired.

The user receives the letter and enters that data.

Let's hope the person is able to read the instructions.

In the US, the social security office only wants to see your (or *someone's*) birth certificate

Now I understand. I don't know how to bre

Re:I find this idea disturbing.

[qtp]

The only reason that WHOIS data is public in the first place is that when ICANN was being set up the competing registrars insisted that the rules should allow them to see Network solution's customer list so they could spam them with transfer offers.

Actually, the only reason the whois data is publicly available is because it lways has been, even when it was hosted by DARPA, and it used to contain a lot more info than just domain reg stuff, such as email to realworld name, what domains were registered to sp

Re:I find this idea disturbing.

[flatt]

That may work until someone claims to be from anywhere but the US.

Re:I find this idea disturbing.

[Frank T. Lofaro Jr.]

Some (liekly most) of the false records are OBVIOUS. Like one which had 314-411-0000.

Note, prefixes of the form N11 are never valid. Since those are used for special services (and it is now defined for all N from 2 to 9, btw, see the North American Numbering Plan Administration [nanpa.com] page for details.)

Makes me want to kick somebody...

[cshark]

I wonder how this would affect the Godaddy unlisted domain name service they offer. It could be interesting. Even with false information in the whois; surely the FBI or the MPAA or the RIAA can subpoena the information from the registering authority the domain is registered through. I doubt that any of that information would be false. So that brings me to assume that when people are looking at whois information in order to prosecute the owner, and give up on a bad whois, that the issue is either not important enough to pursue further, or that they are too stupid to figure out how to do it. Either way, New laws in this area won't change anything. How would you enforce it? Do we really need more useless tech legislation that can't be enforced? Sheesh.

Re:I find this idea disturbing.

[pclminion]

A fully validated WHOIS database would make it trivial to enforce punishment against people who use spammers to promote the websites and scams on said websites registered to them.

A fully validated WHOIS database would also make it trivial to enforce punishment against those who express politically dissident views. It would no longer be possible to create a domain for political discussion without the government knowing who you are and where you are.

But I guess you're okay with that scenario as long as i

Re:I find this idea disturbing.

[Anonymous Coward]

A realistic solution to it is to allow people to falsify WHOIS records, but require the registries to maintain records of accurate contact information to be provided in the event of a (legitimately issued) subpoena or an investigation by law enforcement, provided they have a warrant for the information. If people choose to put their real contact information in the WHOIS record, it is still their right to do so, and many already choose to do so despite being able to falsify the data.

Re:I find this idea disturbing.

[NickDngr]

A realistic solution to it is to allow people to falsify WHOIS records, but require the registries to maintain records of accurate contact information to be provided in the event of a (legitimately issued) subpoena or an investigation by law enforcement, provided they have a warrant for the information.

You mean like this [domainsbyproxy.com]? The whois record for my domain does not list my info.

RegisterFLY

[hendridm]

Domains by Proxy is good, however, as far as I've seen is only offered through Go Daddy its resellers. The cheapest I've found it for is $9/year/domain. RegisterFLY.com [registerfly.com] offers the same service for only $2.50/year/domain (or $2.00/year/domain if you buy a 5-pack). And since they're an eNom reseller, they offer the same great DNS services and ease of transfer you're used to.

I posted a Registrar Comparison [danhendricks.com] on my web site, but it lacks Network Solutions since I have never tried them. If anyone has any expe

Re:I find this idea disturbing.

[Anonymous Coward]

There's an old saying you still see on bumper stickers, "When guns are outlawed, only outlaws will have guns." While that idea might be more accurately stated as "When guns are outlawed, only outlaws will accidentally shoot their own kids," the original sentiment holds for WHOIS, that is to say, "When falsified WHOIS data is outlawed, only outlaws will falsify their WHOIS data."

By your measure, I think correctly it would be, "When falsified WHOIS data is outlawed, only outlaws will accidentally shoot th

Re:I find this idea disturbing.

[RobertB-DC]

I could create a brand new, non-obvious email address on one of my domain accounts and put it in as the Admin Contact for a record I own, and use that email address absolutely nowhere else, and I bet that within three months that email address would be getting buckets full of spam.

That's exactly what I did... and had exactly the result you described. Hundreds of spam messages a week to an address used only for domain registrations.

However, I seem to have found a solution. A poster in the hallowed halls of Slashdot was trying to determine the level of email harvesting, but wasn't getting any bites. But the word "spam" was in his email address... so I tried a new domain registration email address that also has "spam" in it.

Results after about a month: no spam to the "domspam@..." address. I don't know if perhaps they're sending mail to "dom@...", 'cause I'm not monitoring it. But the only messages I've recieved at "domspam" are valid messages from the registrars.

Of course, I haven't bothered to update my snail mail address since I moved. I hope the folks who bought our house are enjoying the offers for low-cost hosting and convenient "renewals". I guess I'll have to add that to my growing dossier of criminal activities [dixie-chicks.com]...

Re:I find this idea disturbing.

[Pinky]

Oddly enough I had the exact same situation.I had two email addresses. One of them was public and I used it everywhere - in forums online etc.. The other was private and wasen't used anywhere. The public one started with "spam" as in "spamandrewt@..." and I had, like 3 piece of spam in it during its life. The private one almost had to be abandonned because of the level of spam. If it weren't for yahoomail's nice spam filtering I would get about 100 spams a day. In the end the spam email address was deleted citing lack of use.. The guy in the cube next to me has a similar story.. I wonder if we're on to something here :-)...

Re:I find this idea disturbing.

[RetroGeek]

I wonder if we're on to something here

You WERE onto something, but not anymore.

Since you posted this, now the spammers will simply stop the filtering and the heck with rejected addresses :-(

Re:I find this idea disturbing.

[Ralph Wiggam]

Professional spammers know that if an address on thier list has the string "spam" in it it's one of two things. 1) An legit address that has had "SPAM" inserted into the middle to trick spammers (I see this all the time here) or 2) A semi-fake address created just to use in public forums. Neither one does the spammer any good.

Don't underestimate the enemy. Just because they're weasels doesn't make them stupid. There's money involved.

-B

Re:I find this idea disturbing.

[Zork the Almighty]

The spammers must use that system to avoid sending spam to each other :)

answer to problems

[macshune]

I use these [domainsbyproxy.com] folks whenever I want to register a domain name. It's a nice, cheap, legal way to protect my whois info from anyone I feel like. And no, I'm not getting anything for saying this, it's just a cool idea and one that I appreciate (and use).

Re:I find this idea disturbing.

[epiphani]

agreed - but as an expansion...

I think WHOIS data should be *entirely* optional. Just because I happen to run a domain does not mean that I want my email address, home address, real name and telephone number availible to anyone who wishes to see it. If not optional, then it *definitely* should not be criminal to give false information.

In more direct terms, government, get your ugly freakin nose out of the internet.

Re:I find this idea disturbing.

[American AC in Paris]

If they were talking about criminalizing false WHOIS information, I'd agree with you 100%.

Trouble is, that's not what they're doing. They're talking about creating harsher penalties for people who commit fraud with a website registered under fake credentials.

They're not going to go hunting you down for having false information. Rather, if they catch you committing fraud on your website, they'll tack another few years onto your sentence if the site info wasn't accurate.

You gotta stop believing what they say in the front-page blurbs.

Re:I find this idea disturbing.

[kwandar]

Do you really think that it makes sense to provide a harsher penalty for people who have registered under fake credentials?

I might agree if the registration under fake credentials was done solely for the purpose of committing crime - maybe.

Don't the courts already take into account how heineous your actions were, presumably including hte use of false identification, in committing the crime? What does the stacking of penalty after penalty really accomplish?

Unfortunately I can see this leading to innoc

Re:I find this idea disturbing.

[gmack]

The whois field is the best place to get contact info in the event that someone needs contacting quickly. (talking to owners of spam relays, rooted servers etc) Without that we are stuck having to relay through the isp and that makes it more time consuming and more likely to cause trouble for the person we are trying to contact.

Right now it's set to your isp.. you are also able to set it to an agreeable third party.

Setting it to the wrong info only makes it that much harder for those of use who use the w

Re:I find this idea disturbing.

[pavon]

If the RIAA and MPAA can't find the fake WHOIS record owners, how is the government going to track down the WHOIS record owners and punish them?

Very simple. If the registrar can't contact you because you gave them bogus info then the registration gets dumped. Quite an effective and fair punishment - you are abusing a priviledge so that priviledge gets revoked.

Although I do understand where you are comming from with regard to address harvesting from public WHOIS records. If you were to implement this policy you would have to provide the option for registrants info to remain private to the registrar. Then it wouldn't be such a burden for honest people to provide the correct information.

Re:I find this idea disturbing.

[Fulcrum of Evil]

Quite an effective and fair punishment - you are abusing a priviledge so that priviledge gets revoked.

No, I'm buying a service, not using a privelege. Or should the state be able to confiscate your car if its registration expires?

Re:I find this idea disturbing.

[jroysdon]

But that's retarded. Someone will just register a domain overseas where there is no such restriction.

Re:I find this idea disturbing.

[Anonymous Coward]

This is offtopic, but I find your misuse of statistics disturbing too:

that idea might be more accurately stated as "When guns are outlawed, only outlaws will accidentally shoot their own kids,"

Your statement would imply that there are a lot of accidental shootings. You seem to be buying the gun control and media hype. Statistically, there are VERY few. Taken from guncite.com [guncite.com]

"The risk of being a victim of a fatal gun accident can be better appreciated if it is compared to a more familiar risk...Each

Read the terms and conditions when you register!

[www.sorehands.com]

Bull! Just because someone can track you by your car's license place number does not entitle you to cover it.

When you read the terms and conditions when you register, you are required to put in valid whois information. The problem is many registrars do not enforce it. Then when people complain, the registrar may do someone about it in 6 months, and then update it with invalid information. ICANN investigated some reports who network solutions, but failed to do anything. One address from their investigation, 123 Yellow Brick Road, Oz, Kansas, is still there.

RTFA

[looseBits]

"...would add as much as seven years to prison sentences handed out to anyone committing fraud through a Web site registered under a false name or contact in formation. And it would permit copyright owners to seek larger monetary damages from people who falsify their registration information to run Web sites that distribute copyrighted material without permission."

In other words, you can fake your WHOIS information as long is your website isn't used to commit fraud or distribute copyrighted material. As l

Re:I find this idea disturbing.

[Xformer]

Doesn't anyone RTFA anymore?

The bill would not affect people who are trying to safeguard their privacy because it only makes it a crime to submit false registration data when it is done to help commit a crime, said Mark Bohannon, senior vice president for public policy at the Software & Information Industry Association, which supports the bill.

About whois...

[rs79]

I have a few domains that serve merely as honeypots for whois spammers. The snailmail address is correct but the company is "The Toronto Mango Appreciation Society" and "The Shaolin Gung Fu Death Society" - stuff like that.

I get mail on a regular basis to these addresses from such companies as: IBM, Microsoft, HP, SUN, AT&T and all the other companies who have paid tens of millions of dollars to DC lobbyists to make sure the domain name system is the way they want it.

Each time year hear some DC inside

Re:I find this idea disturbing.

[orthogonal]

"The Government must play a greater role in punishing those who conceal their identities online - Lamar Smith"

Excuse me?

People who are anonymous must be punished?

Are all Texans as offensive as their elected representative?

Hey, terrorist boy, Congressman Smith is right.

Why did you know that once there where these three guys, three anonymous agitators, and they hid behind a fake name, "Publius", and wrote a bunch of stuff that completely changed the government of their country?

Anyway, these three guys started out as rebels and terrorists and traitors, and once things got settled down again, first thing they done was to get together all anonymous like, and they decided to change things yet again.

But they figured that people might not be as convinced of their ideas ifin people know'd it was these rebel traitors behind the ideas, so they made up that fake name "Publius" and published under it.

And what they wrote completely changed the government of their country. It got rid of the Articles of Confederation and made it impossible that the country would ever again be ruled by King George, who they'd rebelled against, and it set up a Constitution and a central government -- actually it was a Federation and them anonymous papers was called The Federalist Papers -- and as a by-product of the debate over them papers, they added ten Amendments to their new Constitution, the first one of which guaranteed, among other things, Freedom of Speech.

And years later one of them anonymous rebels became the Secretary of Treasury of the new country they'd created with their anonymous papers, and one of the then rebels became the First Chief Justice of the Supreme Court of the country they created with their anonymous papers, and the other one, well, he became the fourth President of their new country which they had created with their anonymous papers, a country they called "The United States of America."

And I, honest to god this isn't mere rhetoric on my part, I have tears in my eyes right now when I think of all that those three disreputable anonymous rebels created, and the tears are streaming down my cheeks when I think of the Constitution of the United States of America that Alexander Hamilton and John Jay and James Madison agitated for in their anonymous Federalist Papers, and I get a lump in my throat when I think of the glorious First Amendment to that Constitution, which, among other things according to the US Supreme Court, guarantees a right to anonymity to protect our freedom to engage in political discourse and debate.

And Lamar Alexander -- Lamar Alexander, elected to the Congress planned and created by the same Constitution -- when he says that "The Government must play a greater role in punishing those who conceal their identities", well, I have to ask, when is the last time Lamar Alexander read that fine Constitution, that Constitution created by those three anonymous men publishing under a fake name?

And by god! I contend that the those who stand up for that Constitution, and for Free Speech, and for a right to anonymity -- those persons -- and not Big Brother's lackeys with their newspeak "Patriot Act" -- are the real American Patriots.

Who controls WHOIS?

[Anonymous Coward]

Does Verisign control the WHOIS database? Since they are a US company, is that what gives the US the right to patrol that database? If not Verisign, who? Will the US rules be applied to other countries? This is legislation that will not be enforcable!

Re:Who controls WHOIS?

[isa-kuruption]

Domain name registrations are controlled by ICANN [icann.org] which is a Congressionally funded organization.

From their website:

The Internet Corporation for Assigned Names and Numbers (ICANN) is an internationally organized, non-profit corporation that has responsibility for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions. These services were originally performed under U.S. Government contract by the Internet Assigned Numbers Authority (IANA) and other entities. ICANN now performs the IANA function.

ICANN then contracts out services to corporations for manage the DNS registrations. Currently, VeriSign controls .com and .net.

Inform your representatives

[jaxdahl]

Write your senators or representatives, via snail mail or fax and inform them of this issue, especially if they are members of the revelant committees.

Lesser of two evils?

[lukewarmfusion]

Wow. Either the spammers get my info from the Whois database or the RIAA can't track down some pirates.

Which do I choose?

Arrr....

spam

[reluctantengineer]

So is my senator going to come over to my house and sort my spam email and junk snail mail that I get from my whois records?

Re:spam

[ryanjensen]

Oh, of course not. Your senator passed CAN-SPAM for that.

It's about time

[scumbucket]

The WHOIS database provides contact information that is necessary for the proper operation of the world wide web. It is not only registrars that need access to this information, if you have a complaint about a domain, and the registrar for said domain is the same company, who do you go to for contact information.

False or missing information in whois records is already a problem that helps (for instance) spammers hide their contact information from people with legitimate reasons to contact them. If you get no response from the contact listed in the domain's SOA record, abuse, admin, webmaster, postmaster, etc, and there is no contact information posted on the site (or false contact information), what do you do? You check out the WHOIS record for the domain. If the info that's supposed to be there is present and accurate, you have a way to contact somebody, if it isn't, you have ammo for asking the registrar to suspend the domain registration, and if *they* won't, you have ammo to ask ICANN to suspend the registrar's activities.

Unfortunately, people don't realize the reason that WHOIS records exist, which is to provide contact information. That's the WHOLE reason. Removing that information makes the WHOIS database useless.

This is just silly...

[bc90021]

...all that's going to happen is that people are going to put in correct information, and then make it unlisted [domainsbyproxy.com]. When the people in Congress are given the analogy with the phone system (ie, unlisted numbers) it will become a matter of subpeonas, and then for the courts in the cases of infringement, as it should be.

Crackdowns we'd like to see...

[heironymouscoward]

- false WHOIS information
- false email headers
- spoofed IP addresses
- misleading web pop-ups
- spyware authors
- technomorons who install spyware
- coverage of mydoom by the BBC
- jj's boobs

Fun with White Aryans and DNS.....

[i_want_you_to_throw_]

About 4 years ago. I registered "whitearyanresistance.com", org and net. I put a nice little cgi in place that sent people to random sites sites like blacksonblondes.com, algore2000.com, NAMBLA and so forth.

Next step was to modify the cgi to regurgitate the IP address where the user got a message that said..

Your IP Address: xx.xx.xx.xx has been recorded for forwarding to the proper authorities. Have a nice day



Then I got tired of picking on Tom Metzger [resist.com] and his retarded ilk and just donated the domains to another group (not the W.A.R.).

You bet your ass I used fake info in my WHOIS then.

I do wonder though if there are legitimate cases of where people run sites where it's best to not know the identity. Much in the same way that an abused woman could never call home from a shelter because her husband who beats her would know where she is thanks to caller ID.

Maybe the Chinese Communists would send goons to whack all the Falun Gong website owners or something (I'm sure you have better examples).

Re:Fun with White Aryans and DNS.....

[poot_rootbeer]

You bet your ass I used fake info in my WHOIS then [when registering "whitearyanresistance.com"].

So basically you want all the benefits of free speech, but none of the responsibilities. All the latitude, none of the culpability. You are afraid to stand behind your words and actions.

Ever notice how on Slashdot, Anonymous Cowards rarely get modded up past +2?

Good grief.

[Grrr]

"The Government must play a greater role in punishing those who conceal their identities online, particularly when they do so in furtherance of a serious federal criminal offense or in violation of a federally protected intellectual property right," Smith said...

So - that sentence can end at the first comma, and be no less accurate in representing his opinion.

Smith and Berman drafted the bill after receiving complaints from the entertainment and software industries...

'Of the corporations, by the corporations and for the corporations'

The bill would not affect people who are trying to safeguard their privacy because it
only makes it a crime to submit false registration data when it is done to help commit a
crime...

Now if we could only keep that pesky concept of what constitutes a "crime" from continually
expanding...

<grrr>

Re:Good grief.

[ConceptJunkie]

Unfortunately, being suspected of having committed a crime is criminal under the Patriot Act.

This story is brought to you by the color "yellow"

[American AC in Paris]

From the Washington Post article:

The bill would not affect people who are trying to safeguard their privacy because it only makes it a crime to submit false registration data when it is done to help commit a crime, said Mark Bohannon, senior vice president for public policy at the Software & Information Industry Association, which supports the bill.

Oh, fer Pete's sake, Taco. Would it really hurt all that much to give a full, accurate blurb on this one?

This isn't about forcing people to use their real name when registering a domain. This is about increasing the severity of the punishment for committing online fraud. Basically, if you commit fraud using a website with faked credentials, you'll face a stiffer penalty than you would had you committed fraud on a website where you used legitimate credentials to register.

I'm not saying I've fully researched this, but it sure as hell isn't the rights-trampling orgy the blurb makes it out to be, Taco. Do your homework before posting half-informed diatribes to the front page.

Re:This story is brought to you by the color "yell

[The Gline]

"Do your homework before posting half-informed diatribes to the front page." ...but this is Slashdot! The whole POINT is to post half-informed diatribes and cause people to assume it's a rights-trampling orgy!

I've said before that if someone discovered Linux was in use in a prison system somewhere, the /. headline for that would read: "Windows Still Used To Violate Civil Rights" or something equally idiotic.

Down the road ...

[s20451]

You know, we're moving towards a world in which computer users and computers themselves are licensed, much as drivers and their cars are licensed.

Is that a good or bad thing? It has its drawbacks, but on the whole I would say good. Fewer viruses, less spam, a modicum of sense from lusers. Less anonymity, yes, but there are always tradeoffs.

Re:Down the road ...

[djrogers]

You mean like Howard Dean [com.com] suggested? Talk about a big brother state...

Re:Down the road ...

[Have Blue]

We're also moving towards a world in which the vast majority of internet traffic is worthless or outright malicious. Eventually, the benefits of computer licensing really will outweigh the drawbacks (unless something changes soon).

Doesn't sound...

[AKAImBatman]

...like it's a big deal. This is the type of law that would only get enforced when you really piss someone off. If you're running an illegal site, you can expect that they'll heap this charge on with the 1000 others they levy against you. Without a motive like illegal activity, it's difficult to prove that you were being intentionally misleading. (Unless you're dumb enough to fill it out with "Snoopy, 10 Charlie Brown Drive, Gotham City" that is...)

Re:Doesn't sound...

[Carch]

Yes, of course, because law enforcement NEVER abuses its power to detain citizens. No innocent person could possibly be charged, held, jailed or put to death for a crime they didn't commit. And before anyone says you'd never be put to death because of domiain information, realize that treason is a capital offense.

Re:Doesn't sound...

[AKAImBatman]

And before anyone says you'd never be put to death because of domiain information, realize that treason is a capital offense.

Two words: Public Outrage

That's why it's so important not to allow secret trials. And for the most part, judges are pretty good at keeping things on the up and up (no matter what the FBI or CIA wants).

Should be the other way around

[Tablizer]

I don't want my physical address available to the world. Domain minders should collect it for billing and security reasons, but NOT for publicly-available databases.

what a bunch of bullshit!

[JeanBaptiste]

i run a small, non profit politically based website with a chatboard. many people have come on the chatboard and threatened me with physical harm and worse because of my views.

and now they want me to put my real home phone number and real home address in the DNS records?

WHAT A BUNCH OF SHIT

Re:what a bunch of bullshit!

[epiphani]

Time to make your home on freenet [sourceforge.net].

Its sad that the world is coming to this.

that is ridiculous

[cyberwave]

What if I want to setup a domain name criticizing my private school? They censor the newspapers so the internet is the only medium in which that would be possible to do anonymously. Just as I could give out fliers while wearing a mask without breaking the law, I should be able to do the same thing on the internet. Additionally, there are alternatives that you can pay for as well (but costs more than putting in fake information). They shouldn't be legislating against the ways in which people conceal themselves; they should be legislating against the things that they DO while concealed! Being anonymous isn't a crime. Punish the crime, not the anonymity. Wow politicians are so stupid. No wonder the good ones turn into teachers instead.

What about the services that will conceal this?

[JessLeah]

What about the various services that will put THEIR name on your WHOIS records for a small fee? GoDaddy offers such a service... I believe it's called DomainsByProxy, or something like that... Are these services going to become illegal? Whenever I register a "potentially controversial" site (read: one where the far-fringe-right-wing lunatics might potentially come and try to bomb my house or something), I use a service like that.

Re:What about the services that will conceal this?

[JessLeah]

Yes, but left-wing lunatics generally don't come and harass you in meatspace because you're hosting a gay/bi/les/trans site...

Godaddy.com

[teamhasnoi]

provides a service that uses a third party proxy as your whois info.

When 'whois'ing your domain it gives the company's email, which gets forwarded to you (after a spam filter if you like). Same with any 'real mail' (except for junk mail if you wish).

Well worth the nominal cost (3 bucks, IIRC) at registration time.

Pointless laws

[taustin]

Selling child pornography on the internet (or off it) is a federal crime, but the FBI won't even take a report on ads for it.

Selling prescription drugs with verifying a valid presecription on the internet (or off it) is a federal crime, but the FBI won't even take a report.

Using a stolen credit card number on the internet (or off it) is a federal crime, but the FBI won't even take a report, even if you have a name and address for the perp.

Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

Re:Pointless laws

[Lead Butthead]

Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

You should, I should, EVERYONE should. Laws in the book that are not enforced today does not mean they will not be exploited at a later date to harass citizens.

Re:Pointless laws

[Hentai]

I've been in exactly this situation with the FBI; they refused to take a report on a verifiable child pornography case.

It appears they only want to catch people who fall for their own sting operations - if you're actively hurting people already, they aren't interested.

Scary thought.

Re:Pointless laws

[NoData]

Who cares if Congress enacts more federal laws that the FBI won't even take a report on?

Because when it's in the interest of big business, you better believe the FBI will act on it and exploit every tool at their disposal. Let's be clear: This bill is not for going after child pornographers, it's for busting that most treacherous of terrorists, the Music File Sharer! One of the sponsors, Howard Berman, is a notorious shill [theregister.co.uk] for the music and entertainment industry.

maybe you're doing it wrong.

[capoccia]

you can go to the Internet Fraud Complaint Center [ifccfbi.gov] and fill out an online report. there is a spot for kiddie porn. it's a joint venture of the fbi and the national white-collar crime center.

you get a pdf reciept for every complaint you file. i know. i've been sending them every piece of spam i get for the last two months.

Re:Pointless laws

[taustin]

Web complaint forms are bit buckets. No human being will ever read it. At best, all that will ever be done with those complaints is that they will be data mined for statistical trends when Congress is reviewing the FBI's budget.

At least read this if you didn't read the article

[prothid]

From the article:

The bill would not affect people who are trying to safeguard their privacy because it only makes it a crime to submit false registration data when it is done to help commit a crime, said Mark Bohannon, senior vice president for public policy at the Software & Information Industry Association, which supports the bill.

I was pretty furious when I read the headline, but the actual article calmed me a bit. Then again, it's all just a conspiracy to eventually become a police state where we have no rights, right?

Actually...

[asdfasdfasdfasdf]

The obvious answer to "tracking down" false whois registrants is to kill their domain.

I don't agree with this idea, nor do I agree with criminalizing false "whois" I, for one, left old phone numbers and addresses on mine because I am reluctant to have that information so freely available to anybody I might flame via email. :-)

This is excruciatingly unfair to the private citizen, while no big deal to any business with a business adress. It's akin to forcing people to have listed phone numbers.

Maybe we do need a UN type governing body here

[l0ungeb0y]

I'm so sick of our government coming through like a steamroller driven by a pack of drunken angry midgets.
Lord knows, I might wind up in a Federal Buttslammer for having my fax number listed as 999.999.9999 in my whois db entry... of coourse that would be taking it to the extreme, but after the DMCA and the US govt's persistant display of ignorance and money grabbing from lobbyists, I have come only to expect the worst.

And the irony here is that a country that calls itself the land of the free seems to want to put anyone and everyone into it's butt-parlours for just about anything it can think up.

My rant aside, isn't there a better contribution our government could make for the sake of the internet?
Like education, so the next generation of lawmakers might actually have a shred of a clue?

Or an international council like the UN in which an open forum could be made that is a bit beyond the corporate lobbyists, if not banned from talking to corporate representitives entirely?

Scary

[DrugCheese]

'The Government must play a greater role in punishing those who conceal their identities online.'

If there's no law against using an alias on sites because you don't want your information public ...

.. You're just guilty because they don't like the way it works now ...

Umm....

[m0rph3us0]

Legally, anyone can make up a name and use it, it simply becomes a legal alias, when you make up a name and use it for the purpose of fraud is when it becomes a crime. Hence, the law is redundant because making up info for the purpose of fraud is already illegal, and creating legal aliases it perfectly legal and supported in case law. Also, No Fixed Address is a perfectly valid legal address. Try writing the law in a way that doesn't require everyone to disclose their primary telephone number and prevents the registration of the 7 digit telephone number for 411. Next point is, people will simply register the domain in a country with out such arcane laws.

Cringely thinks ...

[Poligraf]

http://www.pbs.org/cringely/pulpit/pulpit20031218. html - this is his take on SPAM. I think, the same logics also applies to this issue.

An in a related story...

[TrollBridge]

...in a scene resembling moths battering themselves against a window to get at the light on the other side, congresscritters were observed, once again, battering themselves against jurisdictional barriers.

Various media industry contributors were observed quietly withdrawing from the scene with satisfied looks on their faces.

Moot! Can always subpoena the Hosting Provider...

[izx]

WHOIS authenticity is a moot point; if law enforcement really wants to know who's behind a site, they can just subpoena the hosting provider (which can obviously be found from reverse-DNSing the site IP or just looking at the DNS records).

This is just another shill to give pseudo-law-enforcement's (read: **AA) teeth more bite. If some site is really peddling material they claim is copyrighted, they should just DMCA the hosting provider and then go through the courts to subpoena the provider and get the ide

What about ICANN?

[Nick Kirven]

ICANN [icann.org] already requires that "At least annually, a registrar must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of their domain name registration. Registrants must review their Whois data, and make any corrections."

Isn't this just a case of US lawmakers legislating something that is already (supposedly) required?

Just don't show email addrs in whois records.

[pjbass]

Overall, having accurate information in the WHOIS database I think is essential for the ever-growing registration of web spaces on the Internet. However, just having "valid" data in the current database really won't cut it, as previous posts have stated with spammers conveniently using this as a virtual picking ground for targets.

What there needs to be, IMHO, is a re-vamp of how WHOIS works in storing data, and how the domain registrars handle that data. Things like admin email accounts and contact information (phone numbers, addresses, etc.) should be required to register, but should be in a database maintained by the registrar, and is not available to the rest of the population. If someone has a problem with you (spamming from your domain, etc.), it should be the registrar's issue, since they sold you the domain name. They should be the point of contact, and in turn send you mail with the question or complaint. This will protect people's privacy from the would-be spammer, and then give the government accurate information on who owns what. I don't agree with the whole BB thing either, but having accountability for what one has on his/her website needs to be enforced to a point, and having this data up to date will help enforce that.

Newsflash

[H8X55]

People on the Internet sometimes pretend to be someone they're not.

Anyone who is trying to conceal their identity for illegal activities will continue to do so.

Now we may just get more spam.

Something to remember

[dacarr]

Remember that bill from about a year or so ago that, if passed, would allow (say) the RIAA to hinder your machine's operations if they thought you were harboring copyright materials? Berman is the one who authored that bill, too.

Anyone else seeing a pattern?

Anonymity == illegal?

[3Suns]

It seems like the government, more and more now, is treating anyone who wishes to remain anonymous, or who does things anonymously, as a criminal. Granted there is nothing in our bill of rights or constitution that protects our right to anonymity, but there should be.

There are plenty of legitimate reasons why one would wish to remain anonymous. Not to mention the fact that the US government should have no control over the internet which in essence represents the international community. Just because anonymity can be inconvenient for law enforcement doesn't mean it must be made illegal.

Ski masks, pantyhose, and latex gloves are still available for sale in the US. All these are ideal tools for concealing your identity in real life. Wearing them in real life is not illegal either. It is, however, illegal to commit a crime while employing these tools, although no more so than if one does not employ them.

Some Canadian registrars have the idea re. privacy

[fatwreckfan]

Some Canadian registrars, such as Internic.ca [internic.ca] offer a service called Privacy.ca [privacy.ca] that hides your registration information, so random people can't look up your info.

If it becomes a federal crime to lie in domain records, something similar could be implemented to protect those who want to remain (somewhat) anonymous.

What about...

[Beolach]

Not having any Whois information? I remember a domain name that I wanted to register at one that had already been taken, and when I checked whois to see who had registered it, there was nothing there. Is that going to be illegal, or just having false information? If it's only illegal to falsify info, what's the point; and if no info is also illegal, then this is way too invasive.

Traceroute

[Stonent1]

Then just contact the next to the last person and subpoena the records about who the customer is.

What are you in for?

[eskwayrd]

I'm doing 5-10 for typoing my name.

How will this work?

[OctaneZ]

Especially with some VERY good Overseas Registrars [gandi.net]. (12 Euros a year, with great services, tech support, etc. In Paris, France). We have to get it into the politicians heads that it's not DARPANet, and it really shouldn't be under Congressional control or oversight.

This isn't "false or misleading", it?

[zaren]

So I helped my neighbor set up a domain name for their new business. I put myself in as the technical contact. Phone solicitors snarfed my phone number from the whois information and started calling ME trying to sell me stuff for my NEIGHBOR's business. (I'm also getting snail mail for them as well.) So, to at least cut down on the phone calls, I changed the tech contact in the whois to the following number:

617-861-9507

"The Telemarketer's Nightmare", from the fine folks that brought you "The Rejection Hotline".

Now, it's not really MY phone number, but it IS the phone I want them to have, since I don't want them calling me. My email and home address are valid, so I can still be contacted... just not while I'm sitting down to eat dinner with my family. It's a real phone number, and it doesn't mislead anyone - the message tells someone that I don't want them calling me.

Once again, US != Internet....

[RedHat Rocky]

When will they learn? Yet another 'law' proposed to clear up that dirty old Internet.

Congress, please read: THE INTERNET EXTENDS WAY BEYOND US BORDERS.

Many scams are perpetrated from sites OUTSIDE the US, how do you think your proposed law helps?

Please stop bowing to the corporate masters!

Yes, I am a Citizen of the United States.

What a turd burglar.

[AyeRoxor!]

Texas Representative Lamar Smith is quoted as saying 'The Government must play a greater role in punishing those who conceal their identities online.

In print, I have the express right to remain anonymous. Once more, these ancient old farts think print on a screen isn't print in a paper. SAME RIGHTS, YOU OLD IDIOT!

What is wrong with the government these days?

[dougnaka]

Can't they stay out of private life?

I'm voting libertarian from now on.

Laws should be based on things that make sense, not 200 years of repressive precedent, or over hyped "concerns" of the day that get legislated to death and stick.

Congressmen who throw out stupid ideas about taking away freedoms, privacies, or putting government punishments in place where nobody has been hurt, should be fired for violating the basic tenants of freedom, and the constitution.

The government shouldn't be punishing people who falsify private documents. I believe it's not (currently) a crime to misrepresent yourself, and online there's a lot to be said for the added safeties of misrepresentation, anonymity, and privacy.

The FCC doesn't need to decide what we watch on TV, we do. If we don't like what we see on channel whatever we don't watch it anymore. The only thing worse than the government trying to control our private lives is the people asking them to. Go to Europe you bunch of repressed whiners.

I'm sick of this all.

I don't care how this gets modded, I'm fed up, and /. is a as good a place as any to vent.

MPAA/RIAA OWNS BERMAN - $222,791 Payoff!

[meehawl]

2001-2002
The top industries supporting Howard L. Berman [opensecrets.org] are:
1 TV/Movies/Music $222,791
2 Lawyers/Law Firms $117,450


Lamar Smith also gets mondo payola from MPAA/RIAA [opensecrets.org].

Berman was one of the shills who drafted a nutty bill last session that would have allowed movie and music companies to hack into people's personal computers and networks to erase or destroy "copyrighted" material [politechbot.com]. Most notably, it indemnifies corporations against personal torts resulting from their error for damages under $250. So even if you've almost finished the greatest novel ever written but failed to find a buyer yet, if they erase it, you get nothing. If they destroy your hard drives but show the replacement value is below $250, you lose. And so on.

There is nothing Berman would not do to keep sucking at the media industry tit. Even to the degree of drafting such nonsensical law that clearly violates the "equal treament" under privilege or immunity of the 14th Amendment [cornell.edu] by immunizing corporations against felonious activities conducted by them against citizens without considering due process.

THis latest bit of nonsense is just more of the same. Obviously Smith smells some extra cash within reach and is now also busy pandering to the media conglomerates.

Plea bargain crime

[Julian Morrison]

This seems to me to be one of those plea-bargain "crimes", that's just ladled on as part of the charges. They charge you six ways for the same crime, then heap on a load of side-issues and associated minor whatsits like "conspiracy" and "fraudulent DNS" - the idea being, that the sum total theoretical max sentence would leave you jailed until the heat-death of the universe. That way you can be bargained down into pleading guilty to, say, murdering the pope - without the inconvenience of needing evidence, proof, the guy even being dead, etc etc.

The submission is misleading

[retro128]

The article says that they want to impose stiffer sentences for people if the domain has false contact information and IS USED TO COMMIT A CRIME.

The article does seem to hint that the gubermint is going after everyone, though, so I looked up the bill myself. It's true that they will only go after someone for this if a crime has been committed. The problem with it IMHO is that it's pretty broad...It goes after not only the owners of the domain but also "person[s] acting in concert with the violator". And it tacks on 7 years in prison who what one would otherwise get already. And from the text it looks like it's geared strictly towards copyright infringement, never mind ripping off credit card numbers or running a fake shop, or simulating the identity of a reputable company. Of course, coming from Rep. Berman, this is no surprise.

Here's the bill if anyone's interested [loc.gov]

The link looks a little weird to me so if it is broken go to http://thomas.loc.gov and look up bill # "H. R. 3754".

This is not a useful law

[Sloppy]

False DNS records should not be a federal crime, because DNS is just someone's private database. I'm accountable to the database maintainer, not the government. Lying to the maintainer isn't any different than lying to Slashdot, claiming to be someone named "Sloppy" instead of using my real name.

I think going after fraud from the name angle, is the wrong approach. Those names always end up resolving to an address, and an address is how you (ultimately) track things into the physical world. (Just ask the kids that RIAA has gone after.) Everything about DNS is merely a matter of convenience, and no one should ever have a reasonable expectation that DNS information is trustworthy.

Furthermore, it looks like the article is actually talking about web sites. So use https. Now you've got a CA claiming that someone is who they claim to be. Don't trust (or know anything about) the CA? ("Who is this Thawte company, anyway?") Now you know why x509 sucks and PGP rules. (Oooh, just had to get that little barb in there. ;-) Everything's an illusion until you've met someone face to face. If you can't trust that someone is who they say they are then you just don't know, so don't try to fake it.

If you add legislation to prevent false DNS info, you're just going to increase the false sense of security. "Whois says he's really John Smith, and it's against the law to lie, so I'll give him my credit card number." Guess what, the guy in Asia who you're giving your card # to, doesn't give a fuck about the US law. You should have relied on a trust network to verify him, not the law.

I would LOVE to have accurate WHOIS data!

[JustAnotherReader]

But Register.com refused to change it. Moreover they have a lock on my WHOIS data for no apparent reason. I'm paid up until March of 2005 and yet they seem to be intent on hijacking my domain and holding it ransom.

Just last week they added their own DNS servers to my WHOIS data which pointed my web site and all my email to their search page. Because I registered through my hosting company (who in turn registered through Register.com) Register.com's tech support refuse to help me. They say I have to do everything through my hosting company. But when XO communications asked them to make a change they just said "No".

I mean, I'd love to have an accurate phone number and email in my WHOIS. I'd REALLY love to change the registrar of record to anybody except Register.com. But they're holding my domain hostage and won't give me a way (short of sueing) to maintain my own domain.

So don't make it a crime for ME to have false information in my WHOIS. I'd love to change the information. The jerks at Register.com won't let me.

Am I losing it???

[shaitand]

Am I really seeing a slashdot full of anti-privacy zealots?

Whois is a government regulated collection of information about private individuals. Since when is someone having some privacy on the web a BAD THING???

I thought we all agreed on a few common principles here, free speech, free code and RIGHT TO PRIVACY (ESPECIALLY in our digital world here on the web), and that slashdot needs a built in spellchecker?!!

The government has no damn business either collecting, and especially not publishing the details of domain owners to begin with!