You know what would make whois data more accurate? Requiring that registrars provide basic anonymization without any extra fee and build a meaningful process for situations where breaking that anonymization is actually the right thing to do (ie. not an opportunity for collection of bulk mailing address and phone number lists for spammers and phishers).
It would cost the registrars something to do so, obviously, but so does this. And a basic level of privacy should never have been allowed to become a premium service to begin with.
Agreed. The mere idea of having to globally expose your personal details is idiotic. Or at least it belongs to a more civilized society we're not seeing a glimpse of yet.
The worst part in my eyes is that at least with some registrars (I experienced this with Dotster), you have to disable whois privacy in order to transfer the domain away. They don't let you receive the authorization code at the anonymized email address, so literally the only way to transfer the domain to a new registrar is to turn off privacy, exposing your information to the world. There may be a technical reason behind this, but it feels more like a way to hold you hostage and prevent you from transferring.
For what it's worth Google Domains provides free privacy and a few other things (including up to 100 DNS entries per domain). They cost a little more though.
Uniregistry.com provides privacy at no extra cost, along with other useful features. I moved all my domains over last year and have been pretty happy with them.
I have a small number of domains (about 15 at last check) - and most of them have a mailing address from 16 years ago. If all they verify is email, why does this process have any value? It's not like you can't (A) Spin up a random mail server in 30 minutes, or (B) save yourself the trouble and just use mailinator.
This, finally, is the most pure form of security theater I have ever seen. There is no possible argument that this would deter any bad actor from doing bad things with their DNS domain - totally useless policy.
It is indeed useless, but it's much more involved than just contacting you the once: registrars are required to contact you at least yearly and after any contact updates, and if your mailserver isn't up and running, and you don't confirm the details, you'll end up with the suspended domains.
It sucks, and I'm saying that as somebody who works for a registrar.
It's funny you mention spinning up a new email server, I've had to do that for a domain I stopped using about 5 years ago, but had used for almost a decade at one point... you'd be surprised how easy it is to miss changing an account/email address.
Of course that was within a year or so of taking down the old domain, and haven't had issue since... just the same, it's interesting how painful an option can be at times.
It has value to you. What are you going to do when you get a default judgement against you and get your domain(s) transferred away from you because you decided to be cute and put 123 Elm St. for your address, preventing service of process?
Coincidentally, the service some registrars use to do the verification (wdrp.name-services.com) is down right now. How much fun must it be to watch your business taken off the 'net because you can't click a "this information is accurate" button.
WDRP is different from the Whois Accuracy Program. All that's required there is that registrars email registrants and admin contacts a reminder showing the current WHOIS information for their domains. No confirmation is needed.
The Whois Accuracy Program is different, and requires contacts actually confirm stuff.
Registrars deal with this in a few different ways, I believe some will allow you to confirm only one email address if there are multiple domains in your account.
I've already started seeing spam and phishing attempts for official-looking-but-fake whois verification emails. It was obvious that this was going to happen when ICANN first announced this new requirement, and I'm only surprised that spammers haven't been even more on the ball about it.
We haven't yet begun to see how ugly this stupid new program is going to get.
Can we just agree that either now or in the near future the idea of thought or expression without attribution is a thing of the past. Something that our grandparents internet had but not for us.
This slow crawl of both policy and protocol toward greater bureaucracy will have a much more permanent effect than say the NSA/GCHQ spying.
The whois accuracy program is such an enormous pain in the arse. It's worthless junk law-enforcement agencies demanded be included in the 2013 RAA that will have no useful impact on anything. It's just a massive resource drain on registrars.
I still have a really hard time with the idea that a domain needs to have "valid" or "meaningful" whois data at all... ...and now there's this? Sounds like a fishing windfall.
I wouldn't have a problem with it if the data weren't so easily to crawl and parse by spam-bots and robo-callers. Ever since switching away from an whois-anonymization service for one of my domains, the amount of spam letters, emails, and robocalls from telemarketers I get has increased more than ten-fold.
For some reason people assume that these whois-anonymization tools are just used by squatters and spam websites, but I use it to someone overloading my physical/digital/voice mailbox.
I also got such eMails lately and was wondering, because I could find no connection between the web-address linked to and the company I was ordering from in the first place, nor any registering authority!
I also asked the company and they said that it was legit, but came from some kind of service provider.
Finally, the web site, I was directed to also looked very suspicious and less than professional (something, a hacker could have made up in a weekend -- and again no names, logos or information that could make up a connection to my business contacts).
I really would appreciate, when they could make the process more transparent and less phishing-prone -- so anybody could make up a nice sounding domain and fire eMails to people with domains ...
Somebody could think, that domain registration authorities have at least basic knowledge of internet threats ...
I have a domain registered under my real name and personal email address. Coming away from the article, my understanding is that my domain is liable to sniping if I step away from the Internet for more than two weeks (e.g., I go on a trek into the jungle somewhere) and don't take steps to have a friend or colleague keep tabs on the issue. This seems like a straightforward and obviously undesirable scenario; I wonder what came up in the ICANN consultation when it was discussed.
I believe the two week timer only starts if you initiate a domain transfer, modify your domain's WHOIS info, or have a renewal notice bounce. 2/3 of this are forces that are within your control, so you can at least plan around that.
This is a big opportunity for registrars to make their customers feel safer: "We will go to extra lengths to make sure you don't lose your domain this way. We will pick up the phone and call you."
"And in order for our thin margin business to be able to provide this new service we've opted you into, we've increased your registration fee by 50%. Don't thank us, thank the friendly folks at [email protected]"
(in all seriousness, I expect the high end registrars probably will do this. Shame they're apparently not permitted to exercise discretion and not kill your website that nobody has objected to)
Yeah, like I need my registrar calling me all the time. What if you have several hundred domains? Are you really going to call and harass me about each one?
Oh, and one other thing: while other registrars tried to resist stuff like this being added to the 2013 RAA, EasyDNS were one of the registrars that sat on the sideline and did nothing.
Let's just say I don't have too much time for their moaning and griping now. They should've engaged with the registrar constituency back when the negotiations were happening.
We're in the RRSG now, we joined last year (better late than never) - that said - speaking as somebody who has been on the CIRA board and involved in early ICANN Whois TF, there isn't a lot that can be done about it. Registrars are pretty much a captive audience with zero power wrt ICANN and governance in general.
I wonder if it would be worth having a way to expressly request that easyDNS (and any other domain provider following this policy) send a test email for your accounts? This would be an email that looks like the one they'd send for this program (as close as possible to ensure spam filters treat it the same) but is labelled somehow as a test. This way you can make sure that a) the email address on file works, and b) the email will make it past your spam filters.
Why need it be a test? If verification just needs a click on a link it doesn't seem very onerous to require that click. If the mail doesn't arrive, you know you have a problem with a deadline NOW, instead of a randomly appearing problem in the future. The former certainly seems better.
How? By finding bugs in the interface that allows hostile users to set new values for the email address at the registrar and using this for triggering the 15 days period?
I get tons of these WHOIS emails as I build websites for small businesses. The last ICANN email I see regarding WHOIS data accuracy said the following (GoDaddy)
"If you find that your domain contact data is current and accurate, there's no need to take action. If, however, your domain contact information is inaccurate, you must correct it."
This was sent on May 5th - when does this new policy take effect or does it only effect when you renew/transfer/register?
Edit: I RTFA again and see that the date is June 23rd(?)
The email you received was a "friendly reminder" to make sure your registrant contact information is accurate. It is officially called a Whois Data Reminder Policy email.
If it was accurate, GoDaddy is correct - there is nothing further for you to do.
If, on the other hand, the email they sent you would've bounced back as undelivered then you would've ended up into the next phase. "Click this within 15 days or else."
Rather than be harassed by ICANN emails it would be preferable for EasyDNS to handle any admin issues on a case by case basis. That should, after all, be included in the cost of buying a domain. I always made sure my registrars were handling this on my behalf, and for domains where I was required to submit personally identifiable information; I let the domain expire and die. It's not worth the hassle. I don't work for free.
[+] [-] stormbrew|11 years ago|reply
It would cost the registrars something to do so, obviously, but so does this. And a basic level of privacy should never have been allowed to become a premium service to begin with.
[+] [-] leap_ahead|11 years ago|reply
[+] [-] zippergz|11 years ago|reply
[+] [-] BinaryIdiot|11 years ago|reply
[+] [-] milesf|11 years ago|reply
[+] [-] hackerboos|11 years ago|reply
[+] [-] ghshephard|11 years ago|reply
This, finally, is the most pure form of security theater I have ever seen. There is no possible argument that this would deter any bad actor from doing bad things with their DNS domain - totally useless policy.
[+] [-] talideon|11 years ago|reply
It sucks, and I'm saying that as somebody who works for a registrar.
[+] [-] tracker1|11 years ago|reply
Of course that was within a year or so of taking down the old domain, and haven't had issue since... just the same, it's interesting how painful an option can be at times.
[+] [-] rhizome|11 years ago|reply
[+] [-] derefr|11 years ago|reply
[+] [-] dangrossman|11 years ago|reply
[+] [-] chippy|11 years ago|reply
I had to spend a good 30 minutes trawl through Dreamhost's forums to get an official "OK" that this was a legit email.
[+] [-] talideon|11 years ago|reply
The Whois Accuracy Program is different, and requires contacts actually confirm stuff.
[+] [-] mariuolo|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] junto|11 years ago|reply
- gives you an email address for the whois as a proxy
- automatically follows the link given in the email and clicks the stupid button
- waits for the confirmation email
- if after 48 hours you haven't received confirmation then the system escalates it to a human proxy to click the stupid button (Turk maybe)
Reminds me of Lost
[+] [-] hyperliner|11 years ago|reply
- Generates real-looking names
- Generates a "social live" across the internet, with pictures, Linkedin profiles, and "friends"
- Generates "obviously valid" email addresses
- Provides an email forwarding service to your real address as above
- Provides a "Post office box" pseudo-service so that you can add that as your "real address"
- Generates extensions for a (800) we all can use to as to protect our real phone numbers
- Signs up to your registrar's information and updates it
You just got yourself a "valid" info set in the eyes of ICAAN (without having to pay anon services).
[+] [-] talideon|11 years ago|reply
[+] [-] bhartzer|11 years ago|reply
[+] [-] thaumaturgy|11 years ago|reply
We haven't yet begun to see how ugly this stupid new program is going to get.
[+] [-] Zelphyr|11 years ago|reply
[+] [-] cyphunk|11 years ago|reply
This slow crawl of both policy and protocol toward greater bureaucracy will have a much more permanent effect than say the NSA/GCHQ spying.
[+] [-] talideon|11 years ago|reply
[+] [-] jacquesm|11 years ago|reply
And on their customers.
[+] [-] Glyptodon|11 years ago|reply
[+] [-] krisdol|11 years ago|reply
For some reason people assume that these whois-anonymization tools are just used by squatters and spam websites, but I use it to someone overloading my physical/digital/voice mailbox.
[+] [-] PythonicAlpha|11 years ago|reply
I also asked the company and they said that it was legit, but came from some kind of service provider.
Finally, the web site, I was directed to also looked very suspicious and less than professional (something, a hacker could have made up in a weekend -- and again no names, logos or information that could make up a connection to my business contacts).
I really would appreciate, when they could make the process more transparent and less phishing-prone -- so anybody could make up a nice sounding domain and fire eMails to people with domains ...
Somebody could think, that domain registration authorities have at least basic knowledge of internet threats ...
[+] [-] allochthon|11 years ago|reply
[+] [-] Rifu|11 years ago|reply
[+] [-] ekanes|11 years ago|reply
[+] [-] notahacker|11 years ago|reply
(in all seriousness, I expect the high end registrars probably will do this. Shame they're apparently not permitted to exercise discretion and not kill your website that nobody has objected to)
[+] [-] astrodust|11 years ago|reply
[+] [-] talideon|11 years ago|reply
[+] [-] talideon|11 years ago|reply
Let's just say I don't have too much time for their moaning and griping now. They should've engaged with the registrar constituency back when the negotiations were happening.
[+] [-] StuntPope|11 years ago|reply
[+] [-] eridius|11 years ago|reply
[+] [-] trombone8|11 years ago|reply
[+] [-] javajosh|11 years ago|reply
[+] [-] trombone8|11 years ago|reply
[+] [-] jayess|11 years ago|reply
[+] [-] WaxProlix|11 years ago|reply
[+] [-] josefresco|11 years ago|reply
"If you find that your domain contact data is current and accurate, there's no need to take action. If, however, your domain contact information is inaccurate, you must correct it."
This was sent on May 5th - when does this new policy take effect or does it only effect when you renew/transfer/register?
Edit: I RTFA again and see that the date is June 23rd(?)
[+] [-] 300bps|11 years ago|reply
If it was accurate, GoDaddy is correct - there is nothing further for you to do.
If, on the other hand, the email they sent you would've bounced back as undelivered then you would've ended up into the next phase. "Click this within 15 days or else."
[+] [-] blfr|11 years ago|reply
OVH also just sends an email that you can ignore if the information is accurate.
[+] [-] bikeshack|11 years ago|reply
[+] [-] talideon|11 years ago|reply
[+] [-] higherpurpose|11 years ago|reply
http://www.theregister.co.uk/2015/05/21/icann_ceo_quits/
[+] [-] adamcharnock|11 years ago|reply
[+] [-] xenophonf|11 years ago|reply