Europe's GDPR, Whois shakeup was supposed to trigger spam tsunami – so, er, where is it? When new European privacy legislation forced internet registries and registrars to withhold the ownership details of internet domain names, a number of groups – including intellectual property lawyers and cybercrime experts – warned it would result in a jump in spam and online fraud. "A lot of people who are using this data …
paying extra to use a privacy service for the whois is pretty common, and a good idea if you personally register a domain. you don't want your home address and real name attached, right?
And so nothing really changed except that, with GDPR, it's theoretically possible to get the same level of service FOR FREE.
Let's do that in the USA too! I like it already.
In theory a registrar would need to have the real name/address and so they would know who to serve paperwork on for any kind of legal action.
That being said, ICANN could require registrars to cooperate with 'due process'. Fixed.
[it's probably like this already for the privacy services]
In the USA, you could do something _like_ an 'order to locate' in which you submit paperwork to a judge, in an 'ex parte' hearing (meaning you walk on in between cases) who then reviews the request and then signs or rejects it, most likely signing it if the case it applies to has any kind of merit. Then you serve paperwork after locating the entity/individual, sometimes involving law enforcement in the service, etc..
The registrar would simply have to honor the judge's order. But it's an extra step, probably doesn't really cost anything more than attorney fees for paperwork, and that will be significant enough for any legal action, so it's like *meh*.
IANAL disclaimer, YMMV, etc.
That is how it works already in the EU. If you serve the name provider with an EU based warrant, they have to hand over the registration information for the named domain(s). That has always been the case under EU data protection law.
You can pass on the PII (personally identifiable information) with either a) the written permission of the identifiable persons in the data or b) a valid EU warrant.
So, basically, if the judge thinks the case has merit, you can gain access to the information, if he thinks it has no merit or is a fishing expedition, he will refuse the warrant and you don't get the information. A fair way to do business, IMHO.
And so nothing really changed except that, with GDPR, it's theoretically possible to get the same level of service FOR FREE.
Except that the registrar becomes the middle-person. With private domain registration, the registrar had a hidden email forwarder setup, so email sent to the whois contact previous went directly to the domain admin email via a secret forwarding address. Now if that information may not present, then the registrar can hire additional people who can interface between the said domain owner and the complaintee.
As long as the issue is taken care of, I don't not care who fixes it. My guess is that this may not be as big of a deal as we all originally thought it would be.
"In theory a registrar would need to have the real name/address and so they would know who to serve paperwork on for any kind of legal action."
That's the practice in the EU, even under GDPR. The information isn't generally publicly available but is required to be collected as part of the contract and may be disclosed when required, so long as disclosure is consistent with GDPR.
The primary reason for paying an additional fee for private registration is to block junk mail. This has always been the case. Rather than pay an extra fee, we decided long ago to create a contact email address just for WHOIS registration.
It is amazing how much spam this email address attracts. If we were really clever, we'd use it as a honeypot.
I rather suspect that the slight reduction in spam may be more due to lists being purged after far too many of us ignored the authorization deluge in our in-boxes in the run-up to GDPR. It's been actually quite noticeable an effect here.
One thing that you do have to watch for in the future is the entitled few that these IP-enforcement mechanisms support find an alternate mechanism. Twisting, for example, ISDS (Investor-State Dispute Settlement) in already, and future, trade treaties would be one route. I really shouldn't give 'the enemy' ideas though.
"...Aka "The Lizards"..."
Excuse me...my son has a Bearded Dragon. Whilst cold, scaly and not actually doing much or of being any real use for anything, I'd still value his worth, trustworthiness, usefulness to society and personality several shades higher than that of most lawyers.
"...Excuse me...my son has a Bearded Dragon. Whilst cold, scaly and not actually doing much or of being any real use for anything, I'd still value his worth, trustworthiness, usefulness to society and personality several shades higher than that of most lawyers..."
Just to reiterate...I am referring to the attributes of the lizard there, not my son... ;)
Well given how much spam was going around before GDPR, I'd say they were already running wild with no way to identify and stop them.
So, no change.
I love it when facts come like a clue-by-4 in the face of people who spew bullshit to the benefit of only themselves.
Yep, I read the arguments about how GDPR would cause an increase in spam. I then re-read them, then read them backwards and even upside down. Even after that I still couldn't see any logic or anything much based in reality other than "special interest groups", or IP laywers and their cronies, getting upset because they'd have to do their job properly.
I can't, for example, see who registered hsbc-payments.co.uk yesterday to use in a phishing run, but I'm pretty sure that before GDPR, I would have seen something along the lines of Domains By Proxy LLC as the registrant. I can see that they domain was registered by Go Daddy, and they will be able to give what information they have to HSBC lawyers / the police / trading standards.
I think I should be able to find out who owns a company.
I think I should be able to find out out who owns a building.
So, I think I should be able to find out who owns a website; and who is emailing me.
And it shouldn't require a warrant or other legal shenanigans.
You can get company information from Companies House - but the usefulness of this is being diminished by shareholders such as : XYZ Nominees LLC - registered in an overseas place where you cannot find the real beneficial owners.
I don't think people or companies should be able to conduct business and expect the various protections that the law offers without public disclosure of ownership.
"I think I should be able to find out who owns a company.
I think I should be able to find out out who owns a building.
So, I think I should be able to find out who owns a website; and who is emailing me."
So according to you, the name and addresses of the owners of each company and buildings should be displayed prominently on their front, which would be the equivalent to the current Whois system?
And the post office should ask for IDs before accepting snail mail sent to you, because you assert u must know who is the sender of mail?
Anon, because ElReg decided that you do not need to know who's replying...
Companies are supposed (in the UK) to list their name outside their premises. Companies House in the UK then provides, for a modest fee or none, the ownership.
Yes, I think the sender of every piece of mail should disclose who they are. Are you sending something you shouldn't?
"Prior to the implementation of the GDPR, many researchers feared that an increase in spam would be an unintended consequence of the law because security researchers would no longer be able to use Whois information to track new domain registrations and identify potentially bad domains,"
Except of course that they still can even after GDPR! You might not be able to view the contact details for a domain, though as others have pointed out those were commonly obscured previously anyway so of limited use, but the registration, updated and expiry dates are still visible which are surely the only really useful elements for consistently seeing if a domain is new so won't have any reputation.
The issue I'm most aware of relates to .UK names but it must be similar with .COMs.
I used to hold hundreds of domain names on behalf of clients registered using my business' contact details. As it happens that email address got surprisingly little spam.
As those clients moved away (I closed my business several years ago) very few clients or their new providers updated their contact details at Nominet (although I advised them to do so).
Consequently Nominet now holds an obsolete postal address, a disconnected phone number and the email address of a now defunct company for around a hundred domains. Should Nominet or anyone else wish to contact the domain name owner they've got a problem...
The same issue will apply to many hundreds of defunct web site design businesses as it was (is?) a widespread practise for them to hold the registration on their client's behalf.
Past experience is that, in the event of no response to an expiry alert email, all Nominet do is suspend the name and later de-register it. They could, but don't, use postal or telephone contact or get fresh contact details from the web-site. With an active domain, suspension will mean the owner probably finds out quite quickly as the website and email will stop working. A bigger problem is with secondary names held defensively for example to protect a name variant or product name. One of my former clients had a variant of their primary name registered to themselves, it lapsed because they'd omitted to update the record at Nominet when they changed email address so Nominet's warnings went into a black-hole.
If the domain name owner wishes to check his domain is registered to himself or check who holds the name on his behalf it is no longer a simple online lookup. He could identify the tag holder and they may help but how many individuals or small businesses would know how? And I guess disclosing those contact details could be in breach of GDPR and so he would have to engage with Nominet (£££).
Many end-users want a simple relationship with one provider, one bill to cover web site design/maintenance, domain name renewal and hosting. Many will not understand if they get separate bills.
Last year (pre GDPR) the owner of a small business asked me what to do because he'd been unable to contact the web site designer. From his non-IT literate perspective he'd paid a guy to build him a web site and that was it, he'd paid one bill and had no idea about domain name registration or hosting. I looked it up for him and emailed him the details. I advised him to try to gain control of the name and hosting but I doubt he really understood (and I'm retired, don't want to start taking on work).
"As those clients moved away (I closed my business several years ago) very few clients or their new providers updated their contact details at Nominet (although I advised them to do so)."
I'm sure that as the registrant, you contacted Nominet to let them know of the change of registrant otherwise Nominet would be transferring ownership based purely on some strangers say so.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
