Network News

X My Profile
View More Activity

'Net Governance Body Punts On WHOIS Privacy

The nonprofit organization that manages the Internet's domain-name system has voted to punt on a proposed change to the global WHOIS database of Web site name registrants. The changes would have given Web site owners the ability to shield their identities online and, indirectly, cut spammers off from an easy-to-mine database of legitimate e-mail addresses. on Monday ran a story I wrote about proposed changes to the global WHOIS database -- which contains information such the name, phone number, e-mail and physical address of anyone who has registered a Web site name ending in ".com" ".net" ".info" ".biz" or basically any other domain name ending in three letters.

Privacy advocates had been guardedly hoping that the Internet Corporation for Assigned Names and Numbers (ICANN) would approve their proposal to limit the amount of personal information in the WHOIS database.

From that story: "Privacy groups say the domain registry has become a data-mining dream for marketers and spammers, who constantly trawl the database for new e-mail addresses. Opponents of any change in the system counter that the data is essential in resolving intellectual property disputes, aiding cyber crime investigations, and helping computer security experts quickly shutter fraudulent Web sites."

To hardly anyone's surprise, in a vote of 7 yeas to 17 nays, ICANN decided to propose additional studies on the privacy impact of the WHOIS database.

I'd be curious to know how many readers who have registered Web sites have chosen to either provide blatantly false WHOIS data, or who have in view of privacy concerns opted to pay their registrar an added fee to keep their information private.

By Brian Krebs  |  October 31, 2007; 4:20 PM ET
Categories:  From the Bunker , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Hiding In Plain Sight
Next: Anti-Virus On A Mac?

Comments offers a free privacy service called WhoisGuard with all registrations. It can be reverted anytime, and I've used it quite happily for some time.

Posted by: dtjohnso | October 31, 2007 5:05 PM | Report abuse

The first spammer that harvested my (real) name from WHOIS made a typo that has proliferated to the spam. That was before the turn of the century; spammers evidently aren't big on attention to detail.

I personally don't see a big problem. If the technical contact for a domain does not know how to run spam filtering then who does ?

Posted by: GTexas | October 31, 2007 5:08 PM | Report abuse

One of my registrars offers free "shielded" registration, but I haven't used it yet.

I don't think spam avoidance is the primary reason for hiding WHOIS info. Rather, people with controversial websites would like to avoid having the kooks ring our doorbells with complaints.

Posted by: tjallen | October 31, 2007 5:54 PM | Report abuse

Did you ever get crud and trace it back, only to find that the information was blocked? I would rather the crook provide bad info, with a resultant legal/financial consequence to the site host.

Posted by: Joel | November 1, 2007 12:14 AM | Report abuse

What tjallen said. Having the info public, and preferably verified, would help people be able to harrass the runners of the spam & scam domains right out of business.

Posted by: Henry | November 2, 2007 1:37 PM | Report abuse

Often legitimate sites are hacked and unknowningly host malware, phishing, porn ads, etc. By publishing WHOIS info the legit site owners can at least get prompt notification when their site has been hacked. Do registrars really want to get into the business of being the liason for this sort of thing?

Posted by: John | November 2, 2007 5:07 PM | Report abuse

How will it be possible for Spam reporters to identify which ISP for reporting purposes. This now legitimizes spammers to "Hide" from spam reports making it all but impossible to shut down infected hosts.

It COULD reciprocate by providing "abuse" Email addresses from the IP address, and provide the IP Block. That's all info we need from ISP in order for us to shut down the spammer's efforts.

Posted by: JD | November 2, 2007 7:01 PM | Report abuse

A few misconceptions and inaccuracies:
" offers a free privacy service called WhoisGuard with all registrations." - This is only for the first year. After the first year you have to pay for it.

"How will it be possible for Spam reporters to identify which ISP.." - This is not the function of whois. To determine the escalation route for reporting spam sites, an IP lookup is made, from there the netblock owner is found - something slightly different.

Section of the Registrar Accrediation Agreement ( states that and party that allows the use of a domain name to a third party will accept responsibility for harm for that domain name, unless disclosing it promptly upon reasonable evidence of actionable harm.

If this would allow such a party to cancel the domain as well upon receiving the evidence, great!

Some privacy protection providers do do something similar (, but all to often we only find more duff details that as hidden.

Privacy protecion is a double sided sword. It can cause as much harm as it does to protect the innocents and is not the long term ansswer. We need accountability at all levels before we allow it. Law enforcement is not the answer do to the international nature of the Internet. Only if all the role players adopt a "the buck stops here" attitude can it work.

Without the check and balances, which are not in place/functional now, privacy protection will just give parties registering domains for fraud and and other criminal usage a more powerful tool to avoid detection.

Posted by: DS | November 3, 2007 11:14 AM | Report abuse

... and to add to my previous comments:
Question: How many people do the registrars/privacy protection agencies have in total to analyze and registrant details?
Answer: Hardly any. Most of it is done electronically.

However, there are many times more anti-abuse organizations and people out there analyzing whois details and reporting domains used for fraud than the registrars etc will ever have. We need to question why this is.

With privacy protection these people would not be able to function efficiently in this task, a task that will definitely not be taken up by registrars and/or privacy protection agencies.

Posted by: DS | November 3, 2007 11:22 AM | Report abuse

The solution is incredibly simple. Bandwidth is what we pay for. The theft of such bandwidth is a theft of services and as such should be prosecuted as a theft and damages paid for loss of use due to said theft. This would also apply to ISP's who censor bandwith usage of clients or restrict the speed and accessablity of said use. We paid the freight to develope the internet and every advance to it's infrastructure and to assume the ownership is exclusive to preferred clients friendly to or involved with the ISP is the theft by deception of monies already collected including profits and dividends paid to date. To ignore the crime is to imply it's legality.

Posted by: anOPINIONATEDsob | November 3, 2007 1:38 PM | Report abuse

I've had kooks knock on my door as the result of my website, even though it wasn't terribly controversial. It was more of an online resume than anything. Someone found it and decided it warranted people protesting outside my house and bothering my kids.

We need real WHOIS privacy - not just stop-gap for pay methods.

Posted by: A. Nonie Mouse | November 6, 2007 6:19 AM | Report abuse

I pay my registrar a penny a day to shield my private data from the public. I would definitely like to see this on the ICANN level.

Posted by: Ryan | November 6, 2007 10:58 AM | Report abuse

i have been stalked in the past (years before the www) and the privacy my unlisted home phone number/apartment address are sacred to me. i do not run any bogus businesses/websites online, and as a woman, privacy is an utmost concern for me. in the phone book, look at how many women just have their first initial listed with their last name and not their full name. why is/was this? because creepy men and women like to harass us, by making offensive phone calls. true, due to the invention of caller id and blocking private calls, some of this problem is alleviated, but i pay verizon money to be unlisted from the white pages and 411 listings. it would be a real drag; and horrible to say the least, if i was required to cite all my personal info for all my domain names and not have private registration.

Posted by: bal | November 17, 2007 10:01 AM | Report abuse

I have just found an interesting forum on this theme

Posted by: angel food ministries | January 14, 2008 7:50 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company