WHOIS data is worthless nowadays. A lot of people host content on Wordpress, Github, Medium, etc. where the WHOIS data doesn't tell who is actually responsible, and the shady sites are using services to hide the true WHOIS data anyways.
Edit: There seems to be a misconception (or a lack of reading comprehension). Hiding is not shady, but shady sites hide WHOIS information always. So it's eventually useless for the one thing it should do: give information about the owner in case of unlawful content.
I didn't say that everybody who hides their data is doing something shady, I said that a shady site - where someone would actually want the information about who is responsible for the content - is hiding the WHOIS information anyways.
Exactly. I am in India and I frequently get SMS and calls about web hosting services, they use the name and number I provide while registering the domain. It is definitely not shady if I want my info hidden from these spammers.
Actually i have found just as many shady sites use fictitious whois data as those whose registrars provide whois privacy. It is of little use either way.
Especially considering how much people's addresses are being abused now. Not just spam or scammers, but also harassment, internet/social media campaigns after controversies, swatting, etc.
Having WHOIS data public makes all of those things incredibly easy for the scumbags out there.
> If EPAG's actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.
Aren't most registrations private now? Such as "1&1 Internet, Inc.", "Whois Privacy Corp., and "Whoisguard".
It's similar to how you can buy a house via a corporation, or trust. There is still a public record of the owner, but finding the person behind that takes more effort.
The GDPR takes that much further. Are we going to have totally anonymous ownership of land next?
Personally I think this data should be private. There should be some type of pass through so that A domain name owner doesn’t have to worry about their personal information being connected with the domain. We know it’s possible because of the proxy services, that should just become standard.
I can understand not wanting to publicise personal details but why not the name of the company? The purpose of a company is to act as a proxy, financially and legally, for its directors and domain registration seems like the perfect use-case.
I respect ICANN for the most part but the publicity of WHOIS data is seriously awful. On one of my new domains, I made the mistake of forgetting to turn on WHOIS privacy. A couple days later I finally realized that I'd forgotten, after wondering why I was suddenly getting so many spam calls and emails. Two years later, I still occasionally get the spam... Every time I'm woken up by a robocall telling me about a $10000 business loan I die a little inside.
Sadly ICANN isn't the only one that this is a problem with. Try registering on an gov small business sites, all that information is scrapped non stop. Because it's for contracting reasons you can't put in fluff either. It's a really messed up system.
No, public data IS a problem. I’d rather not have my home address on the Internet for anyone to see. I’d rather not mix my Internet and IRL identities. If I was living in the land of the free, and I had no whois protection, swatting me would be so easy.
Even better is if you register a trademark. Starting a year or two before it expires you start getting at least weekly junk mailings formatted to look like official government letters from entities like the "US Trademark Bureau Ltd." offering to assist you with the process of renewing for a small fee of several hundred to thousand dollars.
Fortunately most of them contain a prepaid envelope, so I get a small amount of enjoyment out of sending those back empty, or with the outer window envelope stuffed inside...
I rely on WHOIS data to contact sysops of delinquent sites, it is completely reasonable that somebody be available to at least attempt to contact.
If you don't like the spam, use Google apps/Gmail for your technical/administrative contacts.
It is fair and reasonable, if you are operating a domain, to be available for legitimate contact. I accept the small amount of money and time I spend receiving spam phone calls roughly once or twice a month, in exchange for the important notices and communications I receive (and can make) every couple.
It’s not about all or nothing – WHOIS data should make public an email that can be reached, and, if the requester identifies themselves, they should also be able to get more information to either directly contact or sue the owner.
But a random bot looking for victims it can spam shouldn’t be able to read all the WHOIS data.
> But a random bot looking for victims it can spam shouldn’t be able to read all the WHOIS data.
It is public information, and it is impossible to watermark. There is absolutely nothing you can do about the scraping of WHOIS data if it maintains any of its current usefulness.
DENIC (the folks who handle the German .de domain) doesn't expose owner and admin-c via whois anymore. If you want/need that information you have to use their web interface which sends the data over TLS, requires you to solve a captcha and implements rate-limiting.
Technically, it's already in SOA record's RNAME field, which IMHO is a much saner option - given that whois is registry-dependent and doesn't even exist for some TLDs, and DNS is universal.
Well, no one can guarantee that it's working and mails will be read. Same as with whois data, of course.
Yeah the email and phone numbers in many of the WHOIS entries is absolutely useless.
Even for companies – PrivateInternetAccess’s phone number just is a robot saying "please send an email to the address listed in our WHOIS data" and hangs up.
> On the one hand public resources (like domain names - or plots of land) have traditionally always been publicly recorded.
That is bullshit. Land has been publicly recorded because land is expensive. Recording the actual owner publicly makes it much more difficult for a bad actor to sell you land he does not actually own.
A domain is like 15 bucks a year. You can't register a domain name of someone else's brand, if that brand actually cares.
Publicly recording domain names is like publicly recording who has bought milk at the supermarket.
Before 1990 in England and Wales land registration was not compulsory and the register was not public. This openness is a recent innovation, over here anyway.
2things.
1, Spam that contains my Whois data is very much more concerning, especially if it looks like a legitimate service I may already be using.
2, if a company collects my Whois data, and justifies monetising it to me or you, especially under the guise of ‘its for my/your security’, and I am not financially compensated for it, or I am unaware of it, or unable to change the terms and conditions of access/usage of it, then I consider it stolen.
I think there is a simple solution, make the VHOIS data private and the hosting would have to provide this
1 a form that would allow you to send an email to the domain owner without revealing the email
2 a form for requesting name and phone number but with restrictions, if you request the data you must have an account so measures to prevent abuse would be implemented, you must have a reason and domain owner should have the option not to allow the information to be made available.
Since there are already services to protect your identity why not make them default by law, what is ICANN losing by this? or is pressure from the companies that want to sell the "private mode" ?
The idea of having to post my full name, phone number and address publicly on the Internet is absurd. It is dangerous and doesn't actually serve any purpose (especially when WhoisGuard exists).
But, like many things related to ICANN (think domain parking), it is just another way to squeeze money out of us. I have no doubt that the people selling "WHOIS anonymization" have a lot of pull in the ICANN.
The GDPR is a great excuse for this. We need more registars and registries to start resisting - they can't sue everyone.
For me, wanting presentation in internet and yet wanting to be anonymous is absurd.
People have legitimate needs to contact domain owner, spam/scam issues for example.
Most importantly though, that is old, working model and nobody forced into this. To me those "I want change" types remind people, who move into new neighbourhood and then complain about things that have been always there.
Instead destroying, there should be more building: don't change working thing, make new and better (with blackjack, if I are allowed Futurama reference :) )
Regarding the first part of your comment; there are perfectly legit reasons you might not want your full contact details published on a database accessible to the wider public. Just think of political dissidents in other countries or people at risk of being doxxed for various reasons or simply not wanting that information to be public at all.
Regarding the second part, it's not viable to "make new and better". There is new and maybe better but nobody is using it. The ICANN has a quasi-monopoly on governing the DNS registration rules on the internet. It's like saying that if we don't like Facebook we should switch to Diaspora. As much as I'd like to, Diaspora doesn't have the network of Facebook or the reach which is an immediate nogo for a lot of people. Not recognizing that is simply ignoring the reality of many people's lives.
Thanks for your levelheaded comment!
Sadly, I can't discuss more, because this is clearly emotional topic, if I look into other comments.
Most posters here are young developers, so personal approach is more geared towards privacy.
If you are system administrator, maybe old UNIX greybeard, then you have different set of problems, communication and open community is then more important.
I can't point out, why, but I feel that RFC2468 [0] is somewhat relevant here (as sentiment, not personal experience).
Imho whois private data should have one mandatory field: holder/owner. It details who controls the domain, be it a individual, an association, a company, and so on. There is no need for phone numbers of emails there (unless the controller wants to add that).
This is how it works with .fi domains and I find it perfect. You can still get enough data that should you really wish you can contact the owner but you can't really automize it.
ICANN are desperate for this to keep the copyrighters and DMCA people happy. They had years for this and did nothing. We absolutely need to diversify from ICANN.
This makes me wonder when we'll see a viable alternative to ICANN and the current DNS system for domains in general. Maybe the answer is to remove control from companies and similar organisations and set up a more decentralised system that requires simply running a Let's Encrypt style process to register and maintain a domain name.
Do that, and consign this whole system to the dustbin of history.
I have contacted domain owners by WHOIS information many times for a number of reasons such as looking to purchase a domain with nothing on it. It seems to me to be important public information, not something I should have to go to the local police for.
Honestly I think if people had similar access for car, people would drive a lot more politely. For house, I have your address by your physical existence and can write you a letter.
For anyone who this might help, Namesilo is a registrar that gives everyone whois protection by default, at no extra cost. That's especially great since they're already pretty much the lowest cost registrar around. I feel like in a way they're the Let's Encrypt of the registrar world.
Their website looks like it's from the 90s, and I don't really like it, but I like everything else about them.
Looking at this release, it looks like they are simply requiring Namesilo to keep collecting the data. I see no mention of it being required for a public WHOIS.
60 comments
[ 4.8 ms ] story [ 127 ms ] threadEdit: There seems to be a misconception (or a lack of reading comprehension). Hiding is not shady, but shady sites hide WHOIS information always. So it's eventually useless for the one thing it should do: give information about the owner in case of unlawful content.
All shady sites use WHOIS privacy, but not everyone who uses WHOIS privacy is shady.
Having WHOIS data public makes all of those things incredibly easy for the scumbags out there.
Aren't most registrations private now? Such as "1&1 Internet, Inc.", "Whois Privacy Corp., and "Whoisguard".
It's similar to how you can buy a house via a corporation, or trust. There is still a public record of the owner, but finding the person behind that takes more effort.
The GDPR takes that much further. Are we going to have totally anonymous ownership of land next?
or should I be able to swat you easily and without consequences if I happen to know a public tidbit about you, for example where you live?
Fortunately most of them contain a prepaid envelope, so I get a small amount of enjoyment out of sending those back empty, or with the outer window envelope stuffed inside...
If you don't like the spam, use Google apps/Gmail for your technical/administrative contacts.
It is fair and reasonable, if you are operating a domain, to be available for legitimate contact. I accept the small amount of money and time I spend receiving spam phone calls roughly once or twice a month, in exchange for the important notices and communications I receive (and can make) every couple.
But a random bot looking for victims it can spam shouldn’t be able to read all the WHOIS data.
It is public information, and it is impossible to watermark. There is absolutely nothing you can do about the scraping of WHOIS data if it maintains any of its current usefulness.
I own a .de, a .eu and a .info
I get hundreds of spam mails per day for the .info, nothing for the other two.
It works.
Technically, it's already in SOA record's RNAME field, which IMHO is a much saner option - given that whois is registry-dependent and doesn't even exist for some TLDs, and DNS is universal.
Well, no one can guarantee that it's working and mails will be read. Same as with whois data, of course.
Even for companies – PrivateInternetAccess’s phone number just is a robot saying "please send an email to the address listed in our WHOIS data" and hangs up.
The number of calls and emails was just stupid.
So those who couldn't afford WHOIS privacy addons, now get them for free. All good in my book.
On the one hand public resources (like domain names - or plots of land) have traditionally always been publicly recorded.
But spammers have made that unpleasant.
Does the GDPR apply to records documenting the owner of a house in England? It's not really all that different with domain names.
And I don't see why ICANN wouldn't fit within this definition (publishing the records might be a different issue though)
That is bullshit. Land has been publicly recorded because land is expensive. Recording the actual owner publicly makes it much more difficult for a bad actor to sell you land he does not actually own.
A domain is like 15 bucks a year. You can't register a domain name of someone else's brand, if that brand actually cares.
Publicly recording domain names is like publicly recording who has bought milk at the supermarket.
And many domain names have changed hands for more than the costs of a house. PrivateJet.com $30 million. CarInsurance.com $50 million.
Would be really cool if I could buy a domain without providing all my real life details. That is really disturbing.
Since there are already services to protect your identity why not make them default by law, what is ICANN losing by this? or is pressure from the companies that want to sell the "private mode" ?
Regarding the second part, it's not viable to "make new and better". There is new and maybe better but nobody is using it. The ICANN has a quasi-monopoly on governing the DNS registration rules on the internet. It's like saying that if we don't like Facebook we should switch to Diaspora. As much as I'd like to, Diaspora doesn't have the network of Facebook or the reach which is an immediate nogo for a lot of people. Not recognizing that is simply ignoring the reality of many people's lives.
I can't point out, why, but I feel that RFC2468 [0] is somewhat relevant here (as sentiment, not personal experience).
-------------
[0] https://tools.ietf.org/html/rfc2468
An email address is more than enough for an abuse contact.
This is how it works with .fi domains and I find it perfect. You can still get enough data that should you really wish you can contact the owner but you can't really automize it.
Do that, and consign this whole system to the dustbin of history.
And why should we give it enough power to influence the way things work globally?
I do not like their imperialistic ambitions at all when it comes to internet businesses and affecting the life of other country's citizen.
I have a car. When police wants to know who the car belongs to they ask the registrar for the match between the number and my name.
I live in France and only French police can check that. If US police need this info, they will contact the French police.
I have a .fr domain. It should be managed by a French entity, which would hold my contact data and reveal them to the autorities.
ICANN would like to have this authority everywhere in the world, no surprise that prior put bogus data.
I do not want someone to have access to my contact information just because he wants to buy my car, house, or domain.
Phone is not.
Their website looks like it's from the 90s, and I don't really like it, but I like everything else about them.