
More on WHOIS Privacy

John Levine

Last week I wrote a note on the ICANN WHOIS privacy battle, and why nothing's likely to change any time soon. Like many of my articles, it is mirrored at CircleID, where some of the commenters missed the point.

One person noted that info about car registrations, to which I roughly likened WHOIS, is usually available only to law enforcement, and that corporations can often be registered in the name of a proxy, so why can't WHOIS do the same thing?

If we were starting from a blank sheet of paper, it would certainly be possible to set up a registration system with registrants represented by proxies. But we don't have a blank sheet, we have the existing WHOIS. All of the existing WHOIS proposals have, as I laid out in my previous article, been completely one-sided. The privacy crowd gets to redact some amount of information, while those of us who actually use WHOIS get nothing whatsoever in return. Why is anyone surprised this is not a winning proposal?

The biggest problem with WHOIS is that much of the data is wrong, and (unlike cars and corporations) there are no meaningful consequences if a registrant lies. If the OPOC proposal were combined with changes to ensure that the data behind the OPOC were real, that could lead to a deal. But the idea that someone should be responsible for even minimal verification of the OPOC itself, much less the rest of the info, met with horror. It's too much work! It's someone else's problem! So, no surprise, no deal.

By John Levine, Author, Consultant & Speaker.

Comments

Re: More on WHOIS Privacy John Berryhill  –  Sep 04, 2007 10:09 AM PDT

The biggest problem with WHOIS is that much of the data is wrong

Care to define "much"?

I see situations pretty much every week in which someone is complaining "The registrant didn't answer my telephone call, respond to my email, or answer my mail, therefore the contact data is wrong."

Let's take a domain name, say spews.org.  I have no connection with that organization.  Would you characterize this whois data as "wrong", and how would you propose to verify it:

Registrant Name:chip level domains
Registrant Organization:Visit Lake Biakal!
Registrant Street1:po box 61, Baikalsk-2
Registrant Street2:
Registrant Street3:
Registrant City:Irkutsk region, — 665914
Registrant State/Province:
Registrant Postal Code:665914

Re: More on WHOIS Privacy John Levine  –  Sep 04, 2007 11:43 AM PDT

I'm using "much" in the standard English sense.  Consult any dictionary.

The data for spews is completely bogus, and we all know it.  What's your point, other than to confirm mine?

Re: More on WHOIS Privacy Thomas Barrett  –  Sep 04, 2007 1:52 PM PDT

As a registrar, I would not call this Whois record "completely bogus". 

There is no ICANN policy that says optional fields in the Whois cannot be used for something else, especially if they are not needed to identify the contact.

In this case, "organization" is optional since "name" is provided.  The issue of whether the "registrant name" is a legally filed organization is not relevant in this context.  (the admin contact "name" field lends credibility to the registrant "name")

I assume "verification" means two things:

1. Is this a valid postal address?
2. Is this registrant able to receive mail to this postal address?

While item #1 might be confirmed using an online resource, such as a telephone book, item #2 cannot reliably be confirmed using online resources.

The "most" reliable postal verification technique is to simply send a postcard to the postal address with a PIN number.  The recipient would need to respond to the registrar with this PIN number, using any method such as the web, email, telephone or the postal service. (this is what my local motor vehicle registry does)

But postal service is not completely reliable.  For extra cost, the registrar could ask for delivery confirmation.  Of course, this is not available in all countries.  So, a verification policy would need to consider if additional postcards can be sent or if the registrant could alternatively fax or email copies of a utility bill showing their postal address.

This scenario only applies to registrant-initiated transactions, such as registrations or renewals. 

The potential for abuse or misuse arises when third parties want verification, such as Whois Data Accuracy complaints.

There is no ICANN policy that says registrants must respond to inquiries sent to their Whois contacts. So, a lack of response to a Whois contact does not necessarily imply inaccurate whois data.

Tom Barrett
EnCirca
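The postcard-and-PIN check described in the comment above, sketched as an added example (it is not part of the thread and not any registrar's actual system). The class name, limits and validity window are assumptions; the PIN is bound to the domain and the postal address on file, so a PIN mailed to one address cannot confirm a different one.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_DIGITS = 8        # assumed PIN length
MAX_ATTEMPTS = 5      # assumed guesses allowed per postcard
MAX_POSTCARDS = 3     # assumed resend limit before document review
VALID_SECONDS = 45 * 86400  # assumed window that tolerates slow post


def normalize_address(lines):
    """Collapse case and whitespace so cosmetic edits keep the binding."""
    return "\n".join(" ".join(l.split()).upper() for l in lines if l.strip())


@dataclass
class Challenge:
    address: str
    mac: bytes
    expires_at: float
    postcards_sent: int
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


class AddressVerifier:
    def __init__(self, server_key):
        self._key = server_key      # kept outside the challenge store
        self._challenges = {}       # domain -> Challenge

    def _mac(self, domain, address, pin):
        msg = "\x00".join((domain.lower(), address, pin)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, domain, address_lines, now):
        """Return the PIN to print on the postcard; only its MAC is stored."""
        address = normalize_address(address_lines)
        prev = self._challenges.get(domain.lower())
        sent = 1
        if prev and prev.address == address:
            if prev.postcards_sent >= MAX_POSTCARDS:
                raise RuntimeError("postcard limit reached")
            sent = prev.postcards_sent + 1
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._challenges[domain.lower()] = Challenge(
            address, self._mac(domain, address, pin), now + VALID_SECONDS, sent)
        return pin

    def confirm(self, domain, address_on_file, pin, now):
        """Check a PIN received over any channel against the address on file."""
        ch = self._challenges.get(domain.lower())
        if ch is None:
            return "no_challenge"
        if now > ch.expires_at:
            return "expired"
        if ch.attempts_left <= 0:
            return "locked"
        ch.attempts_left -= 1
        candidate = self._mac(domain, normalize_address(address_on_file), pin.strip())
        if hmac.compare_digest(candidate, ch.mac):
            ch.verified = True
            return "verified"
        return "mismatch"
```

Reaching the postcard limit is the point at which the comment's fallback (a faxed or emailed utility bill) would take over.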

Re: More on WHOIS Privacy John Berryhill  –  Sep 04, 2007 2:51 PM PDT

The data for spews is completely bogus, and we all know it.

How do we know that?  That's my question.  I have no idea whether someone associated with Spews receives mail from a post office box in Siberia, and neither do you.  How do you suggest a registrar make determinations like that?

John, I recently dealt with a hi-jacked domain name that wound up at a bogus "privacy" service run by Richard Kirkendall at Namecheap.com. 

Notice the sequence of events in this UDRP:

http://www.arb-forum.com/domains/decisions/1008008.htm

Complainants are HandHeld Entertainment and Kieran O'Neil (collectively, “Complainant”), represented by John Berryhill, 4 West Front Street, Media, PA 19063.  Respondent is WhoisGuard a/k/a WhoisGuard Protected (“Respondent”), 8939 S. Sepulveda Blvd. #110 - 732, Westchester, CA 90045.

Now, at NO time did Mr. Kirkendall's supposed "privacy service" identify the real party in interest relative to the domain name, or even offer up any whois data other than their own.  I've seen more than one stolen domain name end up at Namecheap's Hi-Jacker Haven.  His outfit never disclaimed responsibility for the hi-jacking during the procedure, and were perfectly comfortable remaining as the named respondent - as they have consistently done in UDRP proceedings.

I am simply trying to get a handle on a number corresponding to your use of "much", and what it is, exactly, you are suggesting registrars do to confirm whether whois data is "correct".

Re: More on WHOIS Privacy John Levine  –  Sep 04, 2007 7:46 PM PDT

Jeez, guys, can't you just read what I wrote?  I entirely agree that more accurate WHOIS data would require actual work costing actual money. But unilaterally making WHOIS worse, with no benefits to WHOIS users, just isn't going to happen. If anyone wants to move off dead center, they'd better come up with a plan that has benefits for all sides.

With respect to SPEWS, anyone who followed last year's SPEWS follies knows that there were a bunch of spammers trying to sue them, and I think it is reasonably safe to assume that if there were someone to find in Siberia, one of them would have done so. It's also pretty clear from circumstantial evidence that the people who ran SPEWS were in North America.

With respect to nitpicky arguments about what technically constitutes bogus data, wow, I'm glad you're not my registrar.

Re: More on WHOIS Privacy Suresh Ramasubramanian  –  Sep 04, 2007 10:46 PM PDT

John's said all I need to say in that last post.

Right now, I'm kind of glad the whois task force report has ended up chasing its tail .. the status quo is bad enough but what was getting proposed was far worse, and how it would be implemented if at all beggared belief.

Hooray for the status quo.  And for some more wrangling continuing through, say, the next half dozen or so ICANN meetings.

Re: More on WHOIS Privacy John Berryhill  –  Sep 05, 2007 10:16 AM PDT

Jeez, guys, can’t you just read what I wrote?

Reading hard.  Hurt brain.

I entirely agree that more accurate WHOIS data would require actual work costing actual money.

Well, that's what makes the registrars seem prickly and defensive on this point.  The ICANN policy process is open to any number of busybodies who don't have any "skin in the game", and if the result of any ICANN policy process is "Hey, let's make the registrars jump through another hoop" then the registrars become increasingly suspect of the BOHICA effect at work in this bottoms-up process.

Hey, let's penalize the registrars if 4 out of a million registrants provide false contact data....

Hey, let's penalize the registrars if a domain registrant is a cybersquatter…

Hey, let's penalize the registrars if a domain registrant is a spammer…

Name the issue, and you will find someone in ICANNland chomping at the bit to suggest, "Hey, let's penalize the registrars for (fill in the blank)" And "penalize" here can translate to "add cost", "increase complexity", etc.

There are sometimes perfectly understandable reasons for "bad whois data".  I have been pointing out this whois record, among other similar ones, for years now:

Domain Name:WORLDTELEPORT.ORG

Registrant Name:  World Teleport Association
Registrant Organization: World Teleport Association
Registrant Street1:  2 World Trade Center Suite 215

It's one of the domains that always leaps to my mind when I hear noises about rotten domain registrants and "bogus" whois data.

if there were someone to find in Siberia, one of them would have done so.

I hear Lake Baikal is lovely this time of year.

Re: More on WHOIS Privacy jeroen  –  Sep 06, 2007 12:01 PM PDT

John Berryhill said:

Hey, let's penalize the registrars if 4 out of a million
registrants provide false contact data....

And there is EXACTLY where the problem is: it's all about the money.

As long as registrars can get away with selling LOADS of domains and thus earning an awful lot of money for a few bits, but never actually doing their job of simply.

Now if, like that namecheap example the registrar takes the stance that they in effect own the domain and are responsible for all the mis happenings of it, then that is a good point, but that generally requires lawsuits and other methods to contact the problematic person in question and for quite a number of purposes eg 'your mail is bouncing', 'why are you sending me X amount of traffic' doing a probably month-long or more lawsuit is not an option, especially not over country borders.

As such, like RIR whois data, the information provided should be correct and contactable. If not the domain should be suspended by the registrar, when the registrar doesn't handle this type of complaint then the registrar should be suspended for not taking its job up.

Indeed, it will most likely cost the registrar quite some money, but I rather have them have a few less millions and a more safe internet where people can be held accountable.

Re: More on WHOIS Privacy John Berryhill  –  Sep 07, 2007 8:07 AM PDT

And there is EXACTLY where the problem is: it’s all about the money.

Well, some of us are not independently wealthy, and must work for a living.

You are free to believe that a registrar's offices are like Ali Baba's cave, but the assumption that they are lolling about on piles of money is not well supported.

Re: More on WHOIS Privacy John Levine  –  Sep 07, 2007 9:46 PM PDT

When I thought up the registrar/registry split in 1996, I anticipated correctly that registrars would bundle domains with other stuff, but I didn't foresee the race to the bottom that's given us razor thin margins and registrars whose entire business model is predicated on lousy service at a rock bottom price, which makes them extremely reluctant to do anything that would cost extra. Even if the new requirements are applied equally, so no registrar would be placed at a disadvantage, the big registrars (except, perhaps, NSI) have trapped themselves by focusing on low price.

A significant part of the problem is ICANN's fault, since they have consistently failed to require that registrars perform the duties they agreed to under the existing RAA, particularly section 3.7.8 that requires verification of the registrant information. It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

Re: More on WHOIS Privacy Dave Zan  –  Sep 08, 2007 2:05 AM PDT

Indeed, it will most likely cost the registrar quite some money, but I rather have them have a few less millions and a more safe internet where people can be held accountable.

One can always switch to a registrar whose business model factors in the costs of strongly enforcing "valid" WHOIS data policies. But if one doesn't care to consider their costs of doing so, then don't be disappointed if they don't care to consider the reasons (much more the benefits) of what is desired of them by others.

Re: More on WHOIS Privacy jeroen  –  Sep 08, 2007 1:35 PM PDT

John Berryhill said:

And there is EXACTLY where the problem is: it’s all about the money.

Well, some of us are not independently wealthy, and must work for a living.

Like somebody in the 'western countries' will notice 50EUR/USD a year!? Or were you meaning "I am working there"

You are free to believe that a registrar's offices are like Ali Baba's cave, but the assumption that they are lolling about on piles of money is not well supported.

If they are not, then they are doing something wrong when they are selling virtual bits for cash.

Dave Zan said:

One can always switch to a registrar whose business model factors in the costs of strongly enforcing "valid" WHOIS data policies. But if one doesn't care to consider their costs of doing so, then don't be disappointed if they don't care to consider the reasons (much more the benefits) of what is desired of them by others.

Domain ID:D2306700-LROR
Domain Name:UNFIX.ORG
Sponsoring Registrar:Network Solutions LLC (R63-LROR)

That is already the case, actually I can't be bothered with changing over, why should I and I am relatively sure that NetSol/Verisign/coohoots will stick around.

But the problem is that even if I and other responsible people act responsible with these things the people who don't want to be responsible won't. And that is where the problem lies.

As for extra services, just try to find one which can do IPv6 NS glue. Enom can (they indeed ask more) but that is about it.

John Levine said:

A significant part of the problem is ICANN's fault, since they have consistently failed to require that registrars perform the duties they agreed to under the existing RAA, particularly section 3.7.8 that requires verification of the registrant information. It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

This is indeed partially where the problem lies.

It is not about the price of the resource, it is about the way that domains get used: for typoharvesting etc, not for actually pointing to a real organization which has an internet resource available.

Re: More on WHOIS Privacy John Berryhill  –  Sep 10, 2007 10:37 PM PDT

It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

Let's start with the phone number for these jerks that use bad whois data:

Domain Name:WIPO.ORG
Created On:16-Jul-1993 04:00:00 UTC
Last Updated On:21-Mar-2007 14:12:05 UTC
Expiration Date:15-Jul-2009 04:00:00 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:22769476-NSI
Registrant Name:WIPO
Registrant Organization:WIPO
Registrant Street1:c/o UNICC, Palais des Nations
Registrant Street2:
Registrant Street3:
Registrant City:Geneva
Registrant State/Province:
Registrant Postal Code:10 1211
Registrant Country:CH
Registrant Phone:+1.9999999999
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:ns-admin@UNICC.ORG

Not even WIPO provides a real telephone number for their domains.

How do you robotically confirm a telephone number?  I screen all of my calls with an answering machine.  Do I have to be home when my registrar robot calls?  I can sign up for free voice mail and forwarding online.

And, of course, anyone who uses a Turing-test email-response spam filter is screwed.  You will notify them of your new whois policy somehow, I suppose… perhaps by calling them on the telephone and leaving a message.

Any new policy you impose is going to have to "work" for the thousands and thousands of people who registered a domain name four years ago, paid for ten years, and haven't really thought about it much since then because the domain name works.  You'd be surprised how large a "legitimate registrant" boat that is.

Re: More on WHOIS Privacy John Levine  –  Sep 11, 2007 6:32 AM PDT

Yes, WIPO is a bunch of hypocrites and there's a lot of bogus whois info.  We all know that.  The point I've been making over and over, which I really do not think is particularly subtle or complex, is that if you want people who make use of WHOIS data to accept having less data available, you need to offer them something meaningful in exchange.  Better underlying data would be something meaningful.  I never said it would be trivially easy to provide; if it were, the WHOIS privacy argument would have been over years ago.

Anyway, if you know what you're doing, it's not hard to do robot confirmation of email addresses and phone numbers.  Look, for example, at what Geotrust does when you buy an SSL certificate (try it through this link for $14.95).  It will not confirm you if you don't read your mail or answer your phone, but of course that's the point of the exercise.

Re: More on WHOIS Privacy John Berryhill  –  Sep 11, 2007 8:53 AM PDT

Look, for example, at what Geotrust does when you buy an SSL certificate

And Geotrust then publishes the confirmation telephone number where, exactly?

An individual signing up for a new service under ruleset A is distinguishable from an organization having signed up for a service several years ago and having ruleset B imposed on that service.  The notion that every domain name is going to be associated with a telephone number that will be answered by a human is unrealistic, but your idea that domain registrants should get used to responding to automated telephone calls in order to keep their domains opens up delicious social engineering attacks on domain names.  No, Microsoft, Ebay, etc. are not going to publish a dedicated phone number for some person in their IT department, because the only thing that person is going to do thenceforth is answer the telephone.  Some folks use extensions within their PBX, some folks use voicemail numbers, and so on.  WHOIS requires a telephone number, it does not require that domain registrants engage in conversation with every idiot who calls them.

I don't have to give "people who use WHOIS data" anything in exchange for not wanting them to call me.  You, John, do not have any legitimate need for my telephone number.  It's that simple.
