Whois? More like WHOWAS: Domain database on verge of collapse over EU privacy

An effort to resolve conflicts between upcoming European privacy legislation and the global Whois service for domain names has, predictably, failed, raising fears that cybercriminals will take advantage of the impasse. At the end of a week of meetings hosted by domain-name overseer ICANN, the US-based organization's proposed …


  1. Alister

    On the other side of the equation, civil society groups were actually happy with the idea of anonymized email addresses, noting that it would "go a long way to reducing spam and harassment that end-users face."

    This again is an issue only due to ICANN's decision to try and monetize the data they hold.

    Up until a few years ago, it wasn't worth the effort for a spammer to manually trawl through whois records for email addresses, and the level of spam to my admin email accounts for our domains was minimal.

    However, then ICANN decided to publicise a list of any changes to whois records or domain registrations, including contact details, and now, I get over 100 emails a week offering me SEO services or "Build You a website" or other shit.

    The abuse and domain admin emails for domain registrations should not be obscured, they should be readily available to anyone who needs to look them up using the whois system.

    But they shouldn't be published as an easily farmable list, every time there's a change in any domain registration, and that's what is happening now.

    1. Anonymous Coward
      Trollface

      They always spammed me. Maybe your domains weren't cool enough for them to bother?

    2. Doctor Syntax Silver badge

      "I get over 100 emails a week offering me SEO services"

      I'm not sure whether it's an improvement in Hotmail/Live/Outlook filtering but I now get very few.

      Alternatively it might be a consequence of the fact that I've got into the habit of writing back if I've nothing better to do and saying that oddly enough they seem to have omitted their own domain name from their pitch so I can't check whether they're any good at getting their own site on first page in Google if I search for first page in Google. This is usually accompanied by a critique of their written English; I'd expect them to take especial care of this when presenting themselves. I usually finish up by pointing out that the address they've spammed is my spam bin and if it's typical of the list they bought they've been overcharged. The trick is to sucker them into reading through the whole of what's initially a helpful-looking reply before telling them just how crap they are.

      Of course they're all lead generators. I only ever had one who passed the lead on to someone who claimed to have a UK branch (situated above a language school operating out of a shop front in Longsight): probably a cousin. I wrote back pointing out the crapness of the reference sites he gave. With any luck the ?cousin got shafted for incompetence.

    3. Ole Juul

      ICANN promoting spam

      I too get more than I used to. Still, it's not a huge problem other than they're basically insults suggesting I don't know what I'm doing.

      1. Anonymous Coward

        Re: ICANN promoting spam

        I too get more than I used to. Still, it's not a huge problem other than they're basically insults suggesting I don't know what I'm doing.

        Oh, sorry, was that you?

  2. Donn Bly

    An open registry of who owns domains is important

    The EU has passed a law that (either intentionally or unintentionally) undermines the Internet, and that when enforced in the fashion they like would actually terminate any contract that violates it. In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain. I would have to go back and read the contract as it was last time I renewed, but I know that when I started back in the early 90’s the contract explicitly stated that the total liability of the registrar in a contract termination or dispute was a refund of funds paid or the issuance of a different domain name.

    Nobody wants that, but the EU doesn’t have the legal authority to retroactively modify contracts between their citizens and third parties – they can however declare the contracts invalid.

    I like NICAT’s approach. Not sure if it is completely legal within the terms of the contracts, but it is a good starting place.

    ICANN should have handled this years ago, but wasting money and churning out new GTLDs apparently took too much of their time.

    An open registry of who owns domains is important to the continued operation of the Internet. Law enforcement and intellectual property owners aren’t the only ones who need access, so does everyone involved in website development, domain management, and computer security.

    Any legal entity must have an address of record. Publishing that information in a public registry is not a violation of privacy. Besides, in most cases the law requires that their address be prominently published on the website already. This includes not-for-profit organizations and clubs.

    Individuals who register domains must agree to terms and services, and part of those terms is that the information they provide is published. In other words, they have “opted in” to having it listed.

    Individuals who wish to have domains, but do not wish to have their information published, have a variety of “private registration” options already available to them. Some registrars even still do it for free.

    People who complain about spam because they used their “normal” email address to register a domain fall into the same category as those who used CD-ROMS as coffee cup holders.

    Phone numbers are a problem – every time I register a domain I get dozens of phone calls (to the point where I now have a dedicated phone number for domain registrations that goes directly to voicemail so that I can ignore the telemarketers). Of course mining the Whois for that purpose is already illegal, but there aren’t any teeth to it so they don’t care. Put enforceable fines in place and it might cut down on that.

    Street addresses aren’t a problem – MOST spammers are too cheap to spring for a stamp (though there is one that routinely sends me bogus invoices)

    1. JohnFen

      Re: An open registry of who owns domains is important

      "Street addresses aren’t a problem"

      They aren't a problem until you post something to your site that angers a sociopath enough that they SWAT you. Then the published street address could cost you your life.

      1. TrumpSlurp the Troll
        Trollface

        Re: An open registry of who owns domains is important - SWAT?

        I don't think they do that in the EU. More of a Merkin hobby to charge around all guns blazing.

        With a few notable exceptions like for plumbers on tube trains.

        1. Graham Dawson Silver badge

          Re: An open registry of who owns domains is important - SWAT?

          French police are notoriously heavy-handed and heavily armed to boot.

          1. Anonymous Coward

            Re: An open registry of who owns domains is important - SWAT?

            French police are notoriously heavy-handed and heavily armed to boot.

            Wow, I didn't know surrender flags were called "heavy arms" now.

            1. Dodgy Geezer Silver badge

              Re: An open registry of who owns domains is important - SWAT?

              ...Wow, I didn't know surrender flags were called "heavy arms" now....

              'Heavily Armed' is quite compatible with the standard smear of the French military - in that they might require high levels of equipment and violence to deal with an unarmed pensioner civilian, while surrendering at the sight of a small boy with a catapult... :)

              In fact, French soldiers have fought some famous actions against heavy odds. Much of the 'surrender' stereotype comes from incompetence at the high command and political level - a field where many other countries have a poor track record...

        2. Stork Silver badge

          Re: An open registry of who owns domains is important - SWAT?

          I thought the Brazilian fellah was an electrician...

          1. John Savard

            Re: An open registry of who owns domains is important - SWAT?

            But that was a tragic mistake that followed a long investigation by security forces, with a suspected terrorist living at the same address as the innocent Brazilian. It wasn't something that happened because of one hacker's phone call. So, while innocent people can die at the hands of law-enforcement authorities in Britain as well (note that these were military personnel, not London bobbies) there is a difference between the situation there and that in the United States.

            1. MonkeyCee

              Re: An open registry of who owns domains is important - SWAT?

              "But that was a tragic mistake that followed a long investigation by security forces, with a suspected terrorist living at the same address as the innocent Brazilian."

              I'm not sure "long investigation" is really the case. There had been suicide bombers the day before, and one of the unexploded bombs had a gym membership card with the address that Charles was living at.

              "note that these were military personnel, not London bobbies"

              The people who shot him were police. Specialist police, SO19 firearms officers, not your standard bobbies, but still police. The undercover operatives on the train with Charles *might* have been from the military surveillance unit, but they didn't shoot him.

              Now, the fact that the chap who "identified" him as terrorist was military (from the surveillance unit). That this identification was managed without taking a photo, while the soldier was having a piss, and led to the assumption that Charles was dodgy. So the military may have led to him getting shot (and may have been holding him in a bear hug while the cops shot him in the head), they didn't actually pull the trigger.

    2. Doctor Syntax Silver badge

      Re: An open registry of who owns domains is important

      "The EU has passed a law that (either intentionally or unintentionally) undermines the Internet, and that when enforced in the fashion they like would actually terminate any contract that violates it. In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain."

      Could you cite the clause or clauses which say that?

    3. Danny 14

      Re: An open registry of who owns domains is important

      GDPR isn't new. People have sat on this for 2 years. All ICANN needed to do was have an opt in and a right to erasure. That's it. It's not hard.

      1. Anonymous Coward

        Re: An open registry of who owns domains is important

        So all you're saying is that ICANN need to stop being Fingers & Thumbs, Have a Little Respect, perhaps even Take a Chance?

        1. Roj Blake Silver badge

          Re: An open registry of who owns domains is important

          Would this apply Always, or only Sometimes?

          1. It depends.....

            Re: An open registry of who owns domains is important

            @Roj - I don't know whether or not you would prefer an upvote or A Little Respect for your comment....

    4. steelpillow Silver badge

      Re: An open registry of who owns domains is important

      Upvote for talking 98% good sense.

      But the "private registration" options are least available to those who have most to lose by becoming visible. You won't hide your domain ownership from the authorities, no matter what. Answer: if you really need to be invisible, don't register a domain but piggyback off someone else's and be prepared to move at the drop of a hat, just like in the physical world.

      And "normal" vs "honeytrap" email addresses are way above the technical or attention limit of most people. The best answer is to make spamming globally less acceptable and harder to do, and that seems to be - very slowly - gathering institutional support.

      Somebody in reply has suggested that sociopaths might visit you in person. The solution is to use a proxy registration option.

      1. JohnFen

        Re: An open registry of who owns domains is important

        "You won't hide your domain ownership from the authorities, no matter what. "

        True. If you need to hide from the authorities, you shouldn't be using a domain name at all. You should be using named IP addresses, change them every so often, and distribute them to your co-conspirators through some other communications channel.

        1. mark l 2 Silver badge

          Re: An open registry of who owns domains is important

          "You won't hide your domain ownership from the authorities, no matter what. "

          I beg to differ, there are many registrars that will accept Western Union, prepaid debit cards or crypto currencies for payment, and that don't verify any address details to register domain names. So if you used a proxy and a throw away email you could easily set up a dodgy website where none of the details including the billing info actually identified the registrant.

          It would be interesting to hear of how many crimes actually get solved by law enforcement just getting the info from the whois database, I bet even stupid criminals at least opt for proxy registrations even if they use their own real billing info to pay.

        2. JohnFen

          Re: An open registry of who owns domains is important

          "You should be using named IP addresses"

          By this, I meant "You should be using naked IP addresses".

          1. wallisoft

            Re: An open registry of who owns domains is important

            shame - quite liked the idea of a named ip..

    5. Buzzword Candidate

      Re: An open registry of who owns domains is important

      "In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain. ...

      Nobody wants that, but the EU doesn’t have the legal authority to retroactively modify contracts between their citizens and third parties – they can however declare the contracts invalid."

      This is an interesting legal question. On the face of it, I can't actually think of any legal reason why the EU could not retroactively modify contracts between private citizens per se. Elsewhere in EU law, it arguably already does this - if you include an unfair clause in a consumer contract, the law will only invalidate that particular clause (https://europa.eu/youreurope/citizens/consumers/unfair-treatment/unfair-contract-terms/index_en.htm). So the contract remains valid, just without the unfair bit (assuming that the removal of the unfair bit isn't so fundamental that it breaks the contract altogether).

      With the GDPR, though, it doesn't actually say anything about retroactively modifying contracts, or indeed negating contracts that do not comply with the law. All it says is that the controller and processor will get fined if the contract is not up to snuff - and that the data subject has certain rights in law which will take precedence over any competing obligations in contract. So what, then, is the legal status?

      For the following, I am assuming that the wholesale publication of personal data in the whois domain actually is contrary to the GDPR and that they don't introduce a compliant system in time. I don't actually think that this is inevitable and I reckon there are many, many ways to adapt the system to be legally compliant. But that's another issue for another day.

      First question: Is this a consumer contract? If so, a term requiring you to give up your statutory rights is unfair and therefore unenforceable. As noted above, the rest of the contract remains valid. So you keep your domain, but the obligation to allow them to publish your details is removed.

      Second question: If it is not a consumer contract, is the clause anyway unenforceable? (Nb: just because it is a business contract does not mean that there is no personal data involved - see, for example, C-28/08 P - Commission v Bavarian Lager). The answer is maybe, maybe not. I've had arguments about this and it could go either way, probably depending on the skill of the barrister in question. Ultimately, however, this issue isn't decided at EU level. It therefore depends on your national law, so will vary from Member State to Member State. At least in the UK, even if it is unenforceable, we can use the concept of severance in contract law to simply remove the offending clause and keep the rest of the contract alive.

      Bottom line: Even if your contract relies on your information being published in the whois AND even if that clause ends up being invalid, your contract will probably remain valid, at least in the UK.

    6. HieronymusBloggs

      Re: An open registry of who owns domains is important

      "Street addresses aren’t a problem"

      Many stalking victims would disagree with you.

    7. druck Silver badge
      Stop

      Re: An open registry of who owns domains is important

      We complain about the US when it tries to impose US law on other countries, but here is the EU insisting that the entire world obey its rules.

      If you want GDPR protection use an EU based registrar, if you want a .com or any other domain controlled by registrars outside the EU, you should not expect those registrars to have to pander to the EU.

    8. This post has been deleted by its author

  3. JohnFen

    What about proxies?

    With the domain names that I own, I pay extra to my registrar in order for them to act as a proxy -- their information appears in the WHOIS records rather than mine, and if anyone uses the contact information provided, my registrar will forward the message or letter on to me.

    Sounds like a perfect solution to me!

    1. Anonymous Coward

      Re: What about proxies?

      Me too. I don't understand this handwringing: "That would leave law enforcement and intellectual property lawyers, among others, unable to access registrant details" - if they currently rely on public whois data, they're already up shit creek.

      Frankly all public records are a privacy nightmare, especially for business owners. You're better off identifying as a 'natural person', doubly so under GDPR. But anonymity is best. It's not safe out there.

      1. Jamie Jones Silver badge

        Re: What about proxies?

        The thing is, you pay for the proxy service.

        It sounds like the ICANN proposal to its governance board was to run a similar type of scheme, but who would pay for it? Without adding costs to the domain registration, they wouldn't be paid, so it's no wonder they refused.

        I suppose the nearest "official equivalent" to the proxy idea would in effect be a way to force European users to pay for such a service - either via a proxy service like you use, or a domain surcharge to pay for an ICANN run scheme.

        As for the issue of law enforcement, the arguments cited in the article are bollocks.

        If law enforcement need the domain owners details, they can contact the registrar the domain was bought from. They are the ones who maintain the databases that make up the public whois database after all!

        In addition, the registrar will hold personal/billing details. Whilst it's possible that they have been faked, as they are not public, and are likely to have credit card billing information, they are going to be far more accurate than the public database - and any person registering a domain with criminal intent who doesn't register with real billing details will not have real details on the currently public view either!

    2. katrinab Silver badge

      Re: What about proxies?

      Yes, but if you want to move your domain to a different host, you first need to switch it back to your real details, and at that point, you are at risk; especially if the reason you want to move it is that your current provider doesn’t like what you are publishing on the website.

      1. JohnFen

        Re: What about proxies?

        "if you want to move your domain to a different host, you first need to switch it back to your real details"

        I moved a batch of mine a few years back, and didn't have to do that -- but I had to talk to actual human beings to do it, the automated systems wouldn't work. It may not be trivial and automatic, but it's not hard.

    3. Dave Bell

      Re: What about proxies?

      I have had a domain name since the last century, as a private individual, from a UK-based registrar. My name and address is protected by the current Data Protection Acts, which implement current EU law, and this GDPR doesn't seem to implement anything new for me.

      The basic privacy rules are so old that they applied when I was using a 2400 baud modem to access FidoNet. And, every so often, the USA has signed up to some agreement to protect personal info, so they can trade with the EU, and gone on, after a couple of years, to ignore it.

      The USA has form on the abuse of personal data, going far beyond the allowed Law Enforcement access that Europe already has. Facebook and elections have made headlines over the weekend, and if they are rich (and white) Americans will ignore all these laws.

      ICANN may be stupid, but it's a part of a pattern of American criminality about our personal data.

      Since we're leaving the EU, we're going to be outside their protection, and I am not sure we can trust the UK government to even maintain the existing protections.

  4. The Nazz

    Hmmm, unfettered access and Venn diagrams

    One has to be careful, let's not forget that Venn diagrams of lawyers and criminals would certainly overlap.

    I'll leave the extent of which to the viewer.

  5. Doctor Syntax Silver badge

    It should be simple enough. Natural persons resident in the EU (or UK when the new DPA is in place) have an option from the registrar to hide personal details just like any other data subject. Where appropriate these details can be obtained from the registrar by going to court, obtaining a warrant and presenting it to the registrar. If the court disagrees about what's appropriate they don't get the warrant. It's pretty well how any other online business will have to operate. Why do they think they need to be different?

  6. Pascal Monett Silver badge
    Facepalm

    Well duh

    In other words, ICANN made bad decisions based on incomplete information and failed to explain how or why it arrived at those decisions.

    In other words, business as usual at ICANN.

  7. Anonymous Coward

    What about Companies House

    I know the UK is leaving the EU, but won't Companies House become the first target of GDPR attorneys?

    Yes, I'm back and off-topic at the same time.

    1. Voland's right hand Silver badge

      Re: What about Companies House

      In theory yes.

      In practice, we will be eating cake then.

    2. Roland6 Silver badge

      Re: What about Companies House

      > but won't Companies House become the first target of GDPR attorneys?

      The EU itself?

      http://ec.europa.eu/taxation_customs/vies/

      This is going to be interesting, HMRC only permits individuals to be VAT registered. So for example whilst Vodafone UK's VAT number is currently GB 569953277, the number is actually assigned to a person who is personally responsible and liable for Vodafone's VAT. So firstly is the VAT data that of a legal person or that of a legal entity. Secondly, where, in the sign-up is the opt-in allowing personal data to be published on the Internet by the EU?

    3. Anonymous Coward

      Re: What about Companies House

      "I know the UK is leaving the EU, but won't Companies House become the first target of GDPR attorneys?"

      No. Your right to privacy is not absolute and is balanced against the rights of the data controller/processor. This is manifested into six "justifications" for processing data, which you can broadly place onto a spectrum trading off your rights for the controller's.

      So at one end you've got consent, where you've freely handed over your data. You can likewise freely rescind that consent ("right to erasure"). At the other end of the spectrum you have legal obligation, wherein a law requires the controller to process your data regardless of what you as the data subject think, say or do. This is what allows banks to retain your records for 7 years, for example. Likewise it's what allows government bodies to function*.

      ICANN are mostly in this pickle because they fundamentally don't understand GDPR. There's a reasonable argument to be made for the Legitimate Interests justification, but they've so badly hammed this up that I doubt that'd ever fly now. Their only real recourse is to simply stop storing personal details of natural persons, or plot some middle ground where they store-but-don't-publish, but that'd involve actually defining and running a fair and secure record retrieval process. Fat chance.

      *Interesting side note: government bodies can't even use consent as a Justification because you can't give free consent to someone who can put you in prison.

  8. Anonymous Coward

    Whois is obsolete

    WHOIS was great when communication was letter and telephone. You know - when the modem connection to a mail server hasn’t worked right for a couple of days. Then you could phone the sysadmin who would fix it with a screwdriver.

    These days, the need to map to old world communication paths is rather limited. If a company even accepts letters and phone calls, the details are on the website.

    The closest you get to useful “WHOIS” these days is via the SSL certificate.

    1. wallisoft
      Meh

      Re: Whois is obsolete

      https://letsencrypt.org/ - wildcard subdomains now work - certbot certonly -d '*.yoursite.com' --manual --preferred-challenges dns

  9. Teiwaz

    ICANN

    Perhaps a name change to ICANT is in order...

    It's not as if GDPR was one of those UK rushed through parliament by whipping MPs more thoroughly than their usual 45 minute 'private appointment' at a discreet establishment.

    1. ecarlseen

      Re: ICANN

      Beat me to it. :-)

  10. John Savard

    What's the Problem?

    Why shut down the whois service? Just don't allow Europeans to register domain names, until Europe amends its laws so that ICANN can operate without fear in its usual manner. If Europeans can't meet the requirements for having a domain name, then they can't get one.

    This won't deny Europeans access to the Internet, they could just set up their own alternative (and more anonymous) domain name system. People wanting to view European sites would just have to choose an alternative DNS.

    1. Yet Another Anonymous coward Silver badge

      Re: What's the Problem?

      Or Europe could just get hold of one of those hacks of Americans' data and publish the name, home address, phone number, SSN and credit card details for everyone outside Europe.

      If keeping your personal data secure is so bad

      1. keithzg

        Re: What's the Problem?

        Name and address and telephone numbers are fine; hell, I'm in the phonebook personally. If you want to stay anonymous you can already choose anonymized ways of registering domains, there's no reason to entirely break WHOIS for the entire world.

        1. EnviableOne

          Re: What's the Problem?

          That's the point of GDPR. It should be your choice as to whether you're fine with it, and you shouldn't have to pay for a service if you're not.

          Nominet already go most of the way.

          On my many domains, the only personal detail is my actual name, everything else is "The registrant is a non-trading individual who has opted to have their <x> omitted from the WHOIS service"

          If I transfer them to my company (probably will do down the line) this gets filled with the company's registered address and contacts I provide.

      2. keithzg

        Re: What's the Problem?

        ...and as you point out, far more critical personal data is being leaked constantly. If people are in that much danger from WHOIS records, then a LOT more time and effort and legal sledgehammers need to be put towards the entities (generally large corporations) doing such shitty jobs at protecting people's private communications, non-public identities, financial information, etc.
