Home / Blogs

Whois Masking Considered Harmful

Mark Jeftovic

Whenever you register a domain name, your contact details are published in a publicly visible database called "Whois", where your contact details are instantly harvested by spambots and marketers who proceed to email and postal mail you marketing offers, deceptive "domain slamming" attempts, ads for dubious products, and perhaps even telemarketing calls.

Nobody likes that, so over the years people started resorting to various tactics to protect themselves from the deluge of crap that inevitably comes with simply registering a domain name: throwaway email addresses in Whois records, fake postal addresses, fake phone numbers, etc. The problem is, Registrants are obligated under their various end user agreements to provide true and accurate data (not doing so is grounds to lose one's domain), and the US even passed legislation making it unlawful to use fake contact details in a domain name registration.

Our response to this, years ago, was MyPrivacy.ca which protects your email address from being harvested from your Whois records, but leaves your other data intact. We didn't see it as a revenue opportunity, in fact we made it free and opened it up to competing registrars, many of whom started recommending it to their customers. We just wanted to drive a stake through the heart of the Whois spammers.

It wasn't long though, before many registrars took it a step further and created the concept of "Whois masking" or "contact privacy", where all of the domain-holder contact details would be masked from the public Whois. Of course, this was heralded as a "value-add" and most outfits charge extra for it.

This post reveals why so-called "Whois privacy" puts your domains at risk, costs you more and doesn't really protect your privacy.

If you haven't seen a "Whois record", go to easyWhois and enter a domain name, any domain existing name, and look at the record. If you enter easydns.com you'll see our corporate contact details, our address, the legal name of our company, our phone and fax numbers.

Then enter a domain name that has "Whois privacy", instead of seeing the actual end-user contact details of the domain holder, you'll see something like:

Privacy Protection or
Contact Privacy

... and some other address info which is basically all a "mask".

Here's what you need to understand: Whether a domain name is considered "property" (like in .com) or just conveys "rights" (like .ca here in Canada), the domain is considered the property of, or the rights accrue to, whoever or whatever is listed in the Whois record.

If you use Whois privacy and some kind of dispute arises between you and your Registrar, and you were to go to ICANN or CIRA and assert your rights to that name, they would look at the Whois record details and tell you that you have no standing. The domain belongs to the "privacy entity" listed in the record.

From ICANN or CIRA's point of view, having a contract in place between you and the "privacy provider" isn't a factor, the domain belongs to them, not you. If you want to do something about it, you'll have to follow that up in court. If your Registrar (or privacy provider) is in some other legal jurisdiction, then you have that additional hurdle to deal with (that of suing a company in another country).

And that's if the Registrar is still in existence. If the reason you have a problem in the first place is that your registrar has imploded and disappeared (RegisterFly anyone?) then you have 1) nobody to sue and 2) no way to prove you are the "real" owner of all your "privacy protected" names.

It is true that Registrars are now obligated to escrow their Registrant data to protect against Registrar failure (I call this the "RegisterFly Rule"), if your Whois records are privacy masked, then the data that will be escrowed will be the masked data, not the underlying registrant data.

There is nothing in the ICANN Registrar Accreditation Agreement that provisions for Whois masking or privacy protection that puts an onus on the Registrar to preserve the underlying registrant data anywhere and maintain a verifiable link between the "real" record and "masked" record. There is nothing in the Registrar data escrow requirements that says a registrar has to provide the underlying "real" record to the escrow provider.

Liken Whois privacy to the "Credit Default Swaps" of the domain world. As long as nothing goes wrong, everything is fine and everybody makes money. As soon as something goes wrong, all hell breaks loose.

It gets worse: Whois Privacy only protects you from the most cursory examination of your details. In the event of an even moderate intensification of scrutiny: a UDRP challenge, a subpoena, or any legal action, you will find that the Registrar will drop your privacy mask as a matter of policy and restore your underlying live data anyway.

There are even some Registrars who will set you up with "privacy protection" on one hand, and will then sell your private data out the other side to anybody who wants it. Now I once wrote about this and was criticized for "not naming names", so if you have that same objection now, email me and I will send you a link to a page from a large Registrar who offers Whois privacy protection that offers to sell you the underlying masked data for any "privacy protected" registrant on their system for $10.

Suffice it to say that Whois masking not only doesn't provide any real benefits to the domain holder but actually adds an unacceptable amount of risk.

By Mark Jeftovic, Co-Founder, easyDNS Technlogies Inc.
Follow CircleID on
Related topics: Domain Names, ICANN, Privacy, UDRP, Whois
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Great explanation Joseph Zuccaro  –  Nov 23, 2008 9:28 AM PDT

For those of us on the marketing side, thank you for the explanation.  When I registered my domain to create www.marketing-consigliere.com, I was afraid of all the bad things you described but when ahead and disclosed my identity in full.  I don't think I've gotten much spam as a result, which may be due to the filtering I have configured with my email client and ISP.

But this should be a lesson for all that there are always tradeoffs in your decisions regarding presence on the Internet

Hijacked Derek  –  Nov 24, 2008 9:34 AM PDT

This may have been a noble idea initially. However what is the reality today.

We have everybody qualifying for a private domain registration, no verification of identity required. This may still sound noble ... freedom of expression.

But how is this used? We find websites used for money mule scams, escrow scams, 419 scams, phishing scams etc hiding behind domains registered with whois privacy. Whois privacy has fast become synonymous with lack of accountability. What was the answer to the issue where identity theft was being uncovered daily in domain registrations at once reseller? Whois privacy.

While whois privacy was and remains something much needed, the concept has been hijacked by parties who use this privacy for layered protection for nefarious purposes. Once you unwrap the privacy, you find bogus whois details or stolen identity details lifted from credit cards etc. Suddenly a retired teacher in a small town in the USA owns the Bank of Nigeria, the Treasurer of the Bead Society of XXXX suddenly owns a Diplomatic courier services, two "attroney" companies ...

Theoretically the privacy provider is responsible for the domain unless it discloses the real identity of the registrant when given evidence of wrongdoing:
http://www.icann.org/en/registrars/ra-agreement-17may01.htm#3.7.7.3

Heaven forbid you buy a vehicle via Auto Trade Wizz (atrwizz.com), try and have anything escrowed/shipped via shipping-globe.com, accept an offer from this Intercontinental Investment Services (iis-cb.com) just to name once source of private registrations!

Now, this is where the cookie starts crumbling. Do you protect a criminal, or do you disclose the data? We may now say a scam victim has to depend on LEA to resolve this. How many cases will LEA actually investigate?

Which LEA - the domain was registered to a California address (the privacy provider), invetsigations may reveal the real provicy provider is actually in Australia, the underlying registrant data might say the real registrant is in Canada, the victim is in India, the website claimed to be a company in the UK, while the sign up was from Romania as per IP, or even worse, a proxy. Unless you have lost millions, LEA will walk away!

Sorry, but while the intentions behind private registrations may have been noble, more misdeeds are hidden behind proxy registrations than ever before. Nobody values privacy more than criminals and unless some accountability is brought into the equation soon, the problem will simply get worse.

> We find websites used for money Thomas Kuehne  –  Nov 26, 2008 10:53 AM PDT

> We find websites used for money [...] scams etc hiding behind domains
> registered with whois privacy. Whois privacy has fast become synonymous
> with lack of accountability.

Partially true. The real problem isn't to identify the operators - follow the money ... - but to deal with them. The agencies responsible for enforcing the local law usually don't even start investigating. In addition many payment system operators seem very reluctant to enforce their own TOS.

Please keep in mind that cooperations are a legal device to limit accountability thus I don't think that effective anti-whois privacy rules can be written.

Depending on legal system - lawyers and/or others - are allowed as proxy owners and are thus another way to circumvent any potential anti-whois privacy rules.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Whois

Sponsored byWhoisXML API

Cybercrime

Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign