I really wish WHOIS would go away forever. There is absolutely no point to it. If you don’t pay to get your name private, you get SPAMMED to such an incredible degree, it’s absolutely awful. Literally 10+ calls a day, emails voicemails. So you have to buy the “privacy protection” thing, which defeats the whole purpose anyway. All WHOIS does is create an industry of people selling privacy to WHOIS. This whole narrative about “journalism” and it being used for research sounds like nonsense to me. Something tells me these people have a vested financial interest in this. Would love to hear an alternate point of view on this.
For what it's worth, I've absolutely used whois for journalism. It's helped me contact people for interviews- usually small business owners or bloggers who aren't particularly trying to hide but don't have their contact info on their actual websites.
Most memorably, I reached someone who imported erectile dysfunction supplements from China, only to have them destroyed by order of the FDA because they were actually made with prescription drugs. He said he felt the manufacturer defrauded him and was happy to talk.
But that hasn't worked for me in at least three years, as far as I can remember. The robocall problem has just gotten ridiculous, so everyone's paying to be anonymous. I briefly had a domain registered without privacy protection a couple of years ago, sort of out of principle, and immediately started getting spammy calls about SEO services.
Whois can also be used to identify who owns IP blocks. Which is crucial to many applications such as security.
If you don't want your personal information to be visible thats very different to the full range of what whois can do. You can always use a proxy so there are options for privacy available. I've never got a single spam email/call from my whois data.
I agree WHOIS is completely useless! Anyone can fake this info anyway and anyone using there real info can be SWATTED (https://en.wikipedia.org/wiki/Swatting)
Choose a registrar that doesn't charge you extra? Your name stays in, of course, but your (electronic and snail) mail addresses and phone number can be replaced by registrar-managed ones where they forward you incoming stuff and (mostly) keep the spam.
It's a pretty common thing with European providers, I think.
I've actually found that rotating the email address I have listed in whois quarterly addresses the spam problem pretty well. Phone number goes to my Google Voice account which is set up to send everything directly to voicemail.
domain registration data is in a weird place for the modern internet. I can see the value of having a real registry when it was first developed, but now it seems like a pretty easy way for people to shoot themselves in the foot with regards to privacy. Also, some registrars charge a premium for WHOIS privacy. It should not cost extra to have your legal name and address to be hidden from the entirety of the internet.
When you buy a house, your name and the purchase price are public information. Any one at any time can look up who owns a house, how much they paid for it, and how much they pay in property tax every year.
I get a ton of spam because of this. However, I'd rather have this system than one in which all the owners are secret. I've had to look up owner information before to contact owners of various properties, and having that hidden would have made that task impossible.
You can hide the ownership information of a house, if you pay extra money, by hiring a lawyer to create an entity and put the entity on the property, but then the lawyer has to put their address, and forward any requests on to you, just like the whois privacy folks.
I think it is a good thing that every domain has valid contact info.
And some jokers like OVH do not charge anything for privacy but fuck it up. I got recently hundreds of emails and a dozen phone calls from various spammers as a result of registering some domain names with them despite chosing the privacy options.
The publication of personal information on whois cannot stop soon enough.
Do any registrars not charge a premium for Whois privacy? I know Hover doesn't have a separate Whois privacy entry price, but the base price at Hover seems to be about the price of a domain + Whois privacy at other registrars.
WHOIS privacy isn't even an option for some tlds. Nominet require the registrant's legal name and postal address and only offer a discretionary opt-out for non-commercial websites.
I've gotten so much telemarketing from my whois. Quite frankly, it's ridiculous. I'm glad that the EU twisted ICANN's arm off and beat them into submission.
I think ICANN is going to quickly realize that they will need to take an active role in brokering communication with domain holders; this way they will have to act as gatekeepers against spam.
I like what CIRA (the .ca registration authority) does. The default is for them to hide your contact information. You have to opt-in to make it public.
They then handle all communications people want to send to you. More registration authorities should take stances like this.
Privacy still has a place, this would not keep someone from knowing what corporation owns a domain - and will not keep the government or other interested parties from finding that out. Privacy services still act as an impediment to keep ownership private far better than this will.
In the short term WHOIS is going to be limited to just the registrant organization, state, country and a masked email address (Admin and Technical fields will be removed save email). This is short term to come into compliance with GDPR.
Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc) Who will be able to get to the full whois data. So a sort of tiered system. Expect this to take a minimum of a year. The ICANN multi stake holder model means nothing happens fast.
> Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc) Who will be able to get to the full whois data.
To a substantial degree it's privacy for the powerful and transparency for the weak. It should be the reverse: The powerful and government institutions should be transparent, and citizens should have their privacy.
> Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc)
And trademark owners, of course. So that the Three Letter Corporation (TLC) can continue sending lawyers to wrestle away control over the domain of Theodore L. Clark's personal homepage initially set up in 1995 (and enthusiastically maintained since).
Because chaos and mayhem would result if there's even a single ccTLD where the "tlc" label is not assigned to the same one entity that just redirects it to their .com anyway.
ICANN is scrambling to be compliant they write... We've all had 2 years notice since the GPDR has been adopted! And if you 'didnt know', you have bigger organizational problems.
I understand it is a lot of annoying work, but adtech and data brokers (etc etc) have been gutting privacy and the internet for long enough. We've let it come this far, now we get regulated.
(disclaimer: I only started working on compliance this year, do as I say, not as I do ;))
It's worse than that. Article 29 Working Party (WP29) - which deals with data protection has said since 2003 (well over a decade!) that Whois is not compatible with EU law [0]. They just didn't have a way to enforce it before GDPR.
But ICANN are delusional idiots, maybe because they get so much money from US intellectual property interests. They did nothing, and then seemed to think that they could get a moratorium on enforcement. But even their own Non-Commercial Stakeholders Group basically told them to get lost [1].
It's a fascinating story of just how terrible ICANN is. As always, the Register has a great write-up [2].
One thing it clear, they deserve it. I do feel bad for registrars though, and hope they had more sense than ICANN and developed a plan B.
We've all had 2 years notice since the GPDR has been adopted!
Have we really? The first it cropped up on my radar was late 2017 and I'm in a business that adheres very strictly to EU DP best practices (so was already mostly GDPR compliant).
I'm not sure whose job it was to promote awareness of this but Britain's data protection agency certainly didn't do a good job of it given they've had my email address for years(!)
My .me domain displays (and always has displayed IIRC) nothing but my full name (not that interesting as the domain is my name). Everything else are the contact details from Gandi.
there is another type of whois that people don't ordinarily interact with, but is essential for the correct operation of the internet...
ARIN, RIPE, APNIC and AFRINIC run whois databases for IP space. Network operators use them to find who controls chunks of v4 space (ranging from the globally-minimum-announceable /24 to /12). ISPs can use tools like SWIP to point the whois for a block of space in use by a customer to that customer's whois info.
I sincerely hope that this doesn't become more difficult to use, because it will make basic network diagnostics at a WAN scale much more annoying.
The good news is that the typical ISP-level info in IP space whois databases doesn't fall under the GPDR, since most are role accounts ([email protected] , [email protected], etc). Also generic phone numbers for NOC and network engineering groups. However, a lot of ISPs do currently have individual persons listed as points of contact in their whois entries.
I'm just wondering why ICANN is "scrambling to get it GDPR-compliant" just now, at the eleventh hour. They had just as much time as rest of the world to do it sooner, without any interim modes, and without any rush and all the problems that can come from hastiness.
A big factor is that ICANN is comprised of multiple stakeholder communities of competing interests that have to come up with consensus to make new policies. Refining the model of what is published in the WHOIS has been the subject of working groups in ICANN for over 10 years, but consensus was never reached because you had a huge spread of opinions that never converged. Privacy advocates argued for no WHOIS, whereas interests from law enforcement, security research and intellectual property arguing for full disclosure.
Having a public register that tells you who owns a particular domain or IP address could be useful for a lot of things. Sure, they could take away a lot of fields that are not necessary and might be a privacy problem, like address and phone number, today it's useless, and maybe instead add a GPG public key, so much useful, and keep name and email address.
But don't remove it, it's a useful thing I use a lot, most of the times for security purpose, you see a suspicious IP address or domain while observing a packet capture, WHOIS tells you who owns it, you find in a log an IP address that tries to bruteforce into your server, WHOIS tells you who it is and gives you an address to contact and ask explanations, you need to find a person to contact if you have a problem with a website, contact the email address in the WHOIS record of the domain, you are sure that you are contacting the right person, even if the site gets hacked in the worst way the WHOIS record can't change.
I work for a popular hosting company and WHOIS data is causing constants issues - mostly for non-technical customers, but on one occasion, I accidentally used my work mail address during testing. The WHOIS database for, say, the .net zone is extensively mined by spammers and telemarketers.
I received a torrent of marketing mails for months even though I immediately changed it to a noreply mail address. We receive numerous complaints from customers who ignored our warnings.
Back in 2002 teenager me used WHOIS to lookup my ISP's (adelphia) phone number. Some guy picked up the phone in their server room no shit. He answers the phone like it's a internal only line "server room Jim here how can I help?" Me: "ya um I have a problem with my SMTP port can you help out?" Net Admin "How did you get this number! but ya I can help kid"
My quick and dirty three step scam website detecting process https://travel.stackexchange.com/a/84026/4188 obviously includes whois but -- I think I will make do without. It's only a little harder, to be frank.
[+] [-] clay_the_ripper|7 years ago|reply
[+] [-] smelendez|7 years ago|reply
Most memorably, I reached someone who imported erectile dysfunction supplements from China, only to have them destroyed by order of the FDA because they were actually made with prescription drugs. He said he felt the manufacturer defrauded him and was happy to talk.
But that hasn't worked for me in at least three years, as far as I can remember. The robocall problem has just gotten ridiculous, so everyone's paying to be anonymous. I briefly had a domain registered without privacy protection a couple of years ago, sort of out of principle, and immediately started getting spammy calls about SEO services.
[+] [-] akhatri_aus|7 years ago|reply
If you don't want your personal information to be visible thats very different to the full range of what whois can do. You can always use a proxy so there are options for privacy available. I've never got a single spam email/call from my whois data.
[+] [-] guelo|7 years ago|reply
[+] [-] x0x|7 years ago|reply
[+] [-] slrz|7 years ago|reply
It's a pretty common thing with European providers, I think.
[+] [-] ryan-c|7 years ago|reply
[+] [-] kbar13|7 years ago|reply
[+] [-] jedberg|7 years ago|reply
I get a ton of spam because of this. However, I'd rather have this system than one in which all the owners are secret. I've had to look up owner information before to contact owners of various properties, and having that hidden would have made that task impossible.
You can hide the ownership information of a house, if you pay extra money, by hiring a lawyer to create an entity and put the entity on the property, but then the lawyer has to put their address, and forward any requests on to you, just like the whois privacy folks.
I think it is a good thing that every domain has valid contact info.
[+] [-] cm2187|7 years ago|reply
The publication of personal information on whois cannot stop soon enough.
[+] [-] mort96|7 years ago|reply
[+] [-] jdietrich|7 years ago|reply
https://registrars.nominet.uk/namespace/uk/management/data-q...
[+] [-] phit_|7 years ago|reply
running a hobby project should not require you to share your private contact details with the world
[+] [-] gwbas1c|7 years ago|reply
I think ICANN is going to quickly realize that they will need to take an active role in brokering communication with domain holders; this way they will have to act as gatekeepers against spam.
[+] [-] lamlam|7 years ago|reply
They then handle all communications people want to send to you. More registration authorities should take stances like this.
Now if only they could get DNSSEC support...
[+] [-] robalfonso|7 years ago|reply
[+] [-] appdrag|7 years ago|reply
[+] [-] robalfonso|7 years ago|reply
Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc) Who will be able to get to the full whois data. So a sort of tiered system. Expect this to take a minimum of a year. The ICANN multi stake holder model means nothing happens fast.
[+] [-] forapurpose|7 years ago|reply
To a substantial degree it's privacy for the powerful and transparency for the weak. It should be the reverse: The powerful and government institutions should be transparent, and citizens should have their privacy.
[+] [-] slrz|7 years ago|reply
And trademark owners, of course. So that the Three Letter Corporation (TLC) can continue sending lawyers to wrestle away control over the domain of Theodore L. Clark's personal homepage initially set up in 1995 (and enthusiastically maintained since).
Because chaos and mayhem would result if there's even a single ccTLD where the "tlc" label is not assigned to the same one entity that just redirects it to their .com anyway.
[+] [-] bhhaskin|7 years ago|reply
[+] [-] SmellyGeekBoy|7 years ago|reply
GDPR was announced over 2 years ago, why are they only just starting now?
[+] [-] holstvoogd|7 years ago|reply
I understand it is a lot of annoying work, but adtech and data brokers (etc etc) have been gutting privacy and the internet for long enough. We've let it come this far, now we get regulated.
(disclaimer: I only started working on compliance this year, do as I say, not as I do ;))
[+] [-] guitarbill|7 years ago|reply
But ICANN are delusional idiots, maybe because they get so much money from US intellectual property interests. They did nothing, and then seemed to think that they could get a moratorium on enforcement. But even their own Non-Commercial Stakeholders Group basically told them to get lost [1].
It's a fascinating story of just how terrible ICANN is. As always, the Register has a great write-up [2].
One thing it clear, they deserve it. I do feel bad for registrars though, and hope they had more sense than ICANN and developed a plan B.
[0] http://ec.europa.eu/justice/article-29/documentation/opinion...
[1] https://www.icann.org/en/system/files/files/gdpr-comments-nc...
[2] https://www.theregister.co.uk/2018/04/25/icann_whois_gdpr/
[+] [-] petercooper|7 years ago|reply
Have we really? The first it cropped up on my radar was late 2017 and I'm in a business that adheres very strictly to EU DP best practices (so was already mostly GDPR compliant).
I'm not sure whose job it was to promote awareness of this but Britain's data protection agency certainly didn't do a good job of it given they've had my email address for years(!)
[+] [-] becauseiam|7 years ago|reply
[+] [-] Semaphor|7 years ago|reply
[+] [-] walrus01|7 years ago|reply
ARIN, RIPE, APNIC and AFRINIC run whois databases for IP space. Network operators use them to find who controls chunks of v4 space (ranging from the globally-minimum-announceable /24 to /12). ISPs can use tools like SWIP to point the whois for a block of space in use by a customer to that customer's whois info.
I sincerely hope that this doesn't become more difficult to use, because it will make basic network diagnostics at a WAN scale much more annoying.
The good news is that the typical ISP-level info in IP space whois databases doesn't fall under the GPDR, since most are role accounts ([email protected] , [email protected], etc). Also generic phone numbers for NOC and network engineering groups. However, a lot of ISPs do currently have individual persons listed as points of contact in their whois entries.
[+] [-] pferde|7 years ago|reply
[+] [-] kijeda|7 years ago|reply
[+] [-] 7ewis|7 years ago|reply
I used to put fake info there anyway, I don't want my domain linked to my home address, or provide an easy way for spammers to get my email.
[+] [-] tomyws|7 years ago|reply
[+] [-] alerighi|7 years ago|reply
But don't remove it, it's a useful thing I use a lot, most of the times for security purpose, you see a suspicious IP address or domain while observing a packet capture, WHOIS tells you who owns it, you find in a log an IP address that tries to bruteforce into your server, WHOIS tells you who it is and gives you an address to contact and ask explanations, you need to find a person to contact if you have a problem with a website, contact the email address in the WHOIS record of the domain, you are sure that you are contacting the right person, even if the site gets hacked in the worst way the WHOIS record can't change.
[+] [-] lima|7 years ago|reply
I received a torrent of marketing mails for months even though I immediately changed it to a noreply mail address. We receive numerous complaints from customers who ignored our warnings.
[+] [-] lumberingjack|7 years ago|reply
[+] [-] chx|7 years ago|reply
[+] [-] mirimir|7 years ago|reply
[+] [-] atesti|7 years ago|reply
[+] [-] phicoh|7 years ago|reply
[+] [-] NoSalt|7 years ago|reply
[+] [-] unknown|7 years ago|reply
[deleted]
[+] [-] techsin101|7 years ago|reply
[+] [-] jiveturkey|7 years ago|reply
-grumpycat
[+] [-] CNJ7654|7 years ago|reply
[deleted]