NordVPN Promotion

Home / Blogs

More on WHOIS Privacy

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

Last week I wrote a note the ICANN WHOIS privacy battle, and why nothing’s likely to change any time soon. Like many of my articles, it is mirrored at CircleID, where some of the commenters missed the point.

One person noted that info about car registrations, to which I roughly likened WHOIS, are usually available only to law enforcement, and that corporations can often be registered in the name of a proxy, so why can’t WHOIS do the same thing?

If we were starting from a blank sheet of paper, it would certainly be possible to set up a registration system with registrants represented by proxies. But we don’t have a blank sheet, we have the existing WHOIS. All of the existing WHOIS proposals have, as I laid out in my previous article, been completely one-sided. The privacy crowd gets to redact some amount of information, while those of us who actually use WHOIS get nothing whatsoever in return. Why is anyone surprised this is not a winning proposal?

The biggest problem with WHOIS is that much of the data is wrong, and (unlike cars and corporations) there are no meaningful consequences if a registrant lies. If the OPOC proposal were combined with changes to ensure that the data behind the OPOC were real, that could lead to a deal. But the idea that someone should be responsible for even minimal verification of the OPOC itself, much less the rest of the info met with horror. It’s too much work! It’s someone else’s problem! So, no surprise, no deal.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

John Berryhill  –  Sep 4, 2007 5:09 PM

The biggest problem with WHOIS is that much of the data is wrong

Care to define “much”?

I see situations pretty much every week in which someone is complaining “The registrant didn’t answer my telephone call, respond to my email, or answer my mail, therefore the contact data is wrong.”

Let’s take a domain name, say spews.org.  I have no connection with that organization.  Would you characterize this whois data as “wrong”, and how would you propose to verify it:

Registrant Name:chip level domains
Registrant Organization:Visit Lake Biakal!
Registrant Street1:po box 61, Baikalsk-2
Registrant Street2:
Registrant Street3:
Registrant City:Irkutsk region,—665914
Registrant State/Province:
Registrant Postal Code:665914

John Levine  –  Sep 4, 2007 6:43 PM

I’m using “much” in the standard English sense.  Consult any dictionary.

The data for spews is completely bogus, and we all know it.  What’s your point, other than to confirm mine?

Thomas Barrett  –  Sep 4, 2007 8:52 PM

As a registrar, I would not call this Whois record “completely bogus”. 

There is no ICANN policy that says optional fields in the Whois cannot be used for something else, especially if they are not needed to identify the contact.

In this case, “organization” is optional since “name” is provided.  The issue of whether the “registrant name” is a legally filed organization is not relevant in this context.  (the admin contact “name” field lends credibility to the registrant “name”) 

I assume “verification” means two things:

1. Is this a valid postal address?
2. Is this registrant able to receive mail to this postal address?

While item #1 might be confirmed using an online resource, such as a telephone book, item #2 cannot reliably be confirmed using online resources.

The “most” reliable postal verification technique is to simply send a postcard to the postal address with a PIN number.  The recipient would need to respond to the registrar with this PIN number, using any method such as the web, email, telephone or the postal service. (this is what my local motor vehicle registry does)

But postal service is not completely reliable.  For extra cost, the registrar could ask for delivery confirmation.  Of course, this is not available in all countries.  So, a verification policy would need to consider if additional postcards can be sent or if the registrant could alternatively fax or email copies of a utility bill showing their postal address.

This scenario only applies to registrant-initiated transactions, such as registrations or renewals. 

The potential for abuse or misuse arises when third parties want verification, such as Whois Data Accuracy complaints.

There is no ICANN policy that says registrants must respond to inquiries sent to their Whois contacts. So, a lack of response to a Whois contact does not necessarily imply inaccurate whois data.


Tom Barrett
EnCirca

John Berryhill  –  Sep 4, 2007 9:51 PM

The data for spews is completely bogus, and we all know it.

How do we know that?  That’s my question.  I have no idea whether someone associated with Spews receives mail from a post office box in Siberia, and neither do you.  How do you suggest a registrar make determinations like that.

John, I recently dealt with a hi-jacked domain name that wound up at a bogus “privacy” service run by Richard Kirkendall at Namecheap.com. 

Notice the sequence of events in this UDRP:

http://www.arb-forum.com/domains/decisions/1008008.htm

Complainants are HandHeld Entertainment and Kieran O’Neil (collectively, “Complainant”), represented by John Berryhill, 4 West Front Street, Media, PA 19063.  Respondent is WhoisGuard a/k/a WhoisGuard Protected (“Respondent”), 8939 S. Sepulveda Blvd. #110 - 732, Westchester, CA 90045.

Now, at NO time did Mr. Kirkendall’s supposed “privacy service” identify the real party in interest relative to the domain name, or even offer up any whois data other than their own.  I’ve seen more than one stolen domain name end up at Namecheap’s Hi-Jacker Haven.  His outfit never disclaimed responsibility for the hi-jacking during the procedure, and were perfectly comfortable remaining as the named respondent - as they have consistently done in UDRP proceedings.

I am simply trying to get a handle on a number corresponding to your use of “much”, and what it is, exactly, you are suggesting registrars do to confirm whether whois data is “correct”.

John Levine  –  Sep 5, 2007 2:46 AM

Jeez, guys, can’t you just read what I wrote?  I entirely agree that more accurate WHOIS data would require actual work costing actual money. But unilaterally making WHOIS worse, with no benefits to WHOIS users, just isn’t going to happen. If anyone wants to move off dead center, they’d better come up with a plan that has benefits for all sides.

With respect to SPEWS, anyone who followed last year’s SPEWS follies knows that there were a bunch of spammers trying to sue them, and I think it is reasonably safe to assume that if there were someone to find in Siberia, one of them would have done so. It’s also pretty clear from circumstantial evidence that the people who ran SPEWS were in North America.

With respect to nitpicky arguments about what technically consitutes bogus data, wow, I’m glad you’re not my registrar.

Suresh Ramasubramanian  –  Sep 5, 2007 5:46 AM

John’s said all I need to say in that last post.

Right now, I’m kind of glad the whois task force report has ended up chasing its tail .. the status quo is bad enough but what was getting proposed was far worse, and how it would be implemented if at all beggared belief.

Hooray for the status quo.  And for some more wrangling continuing through, say, the next half dozen or so ICANN meetings.

John Berryhill  –  Sep 5, 2007 5:16 PM

Jeez, guys, can’t you just read what I wrote?

Reading hard.  Hurt brain.

I entirely agree that more accurate WHOIS data would require actual work costing actual money.

Well, that’s what makes the registrars seem prickly and defensive on this point.  The ICANN policy process is open to any number of busybodies who don’t have any “skin in the game”, and if the result of any ICANN policy process is “Hey, let’s make the registrars jump through another hoop” then the registrars become increasingly suspect of the BOHICA effect at work in this bottoms-up process.

Hey, let’s penalize the registrars if 4 out of a million registrants provide false contact data….

Hey, let’s penalize the registrars if a domain registrant is a cybersquatter…

Hey, let’s penalize the registrars if a domain registrant is a spammer…

Name the issue, and you will find someone in ICANNland chomping at the bit to suggest, “Hey, let’s penalize the registrars for (fill in the blank)”  And “penalize” here can translate to “add cost”, “increase complexity”, etc.

There are sometimes perfectly understandable reasons for “bad whois data”.  I have been pointing out this whois record, among other similar ones, for years now:

Domain Name:WORLDTELEPORT.ORG

Registrant Name:      World Teleport Association
Registrant Organization: World Teleport Association
Registrant Street1:    2 World Trade Center Suite 215

It’s one of the domains that always leaps to my mind when I hear noises about rotten domain registrants and “bogus” whois data.


if there were someone to find in Siberia, one of them would have done so.

I hear Lake Baikhal is lovely this time of year.

jeroen  –  Sep 6, 2007 7:01 PM

John Berryhill said:

Hey, let’s penalize the registrars if 4 out of a million
registrants provide false contact data….

And there is EXACTLY where the problem is: it’s all about the money.

As long as registrars can get away with selling LOADS of domains and thus earning an awful lot of money for a few bits, but never actually doing their job of simply.

Now if, like that namecheap example the registrar takes the stance that they in effect own the domain and are responsible for all the mis happenings of it, then that is a good point, but that generally requires law suits and other methods to contact the problematic person in question and for quite a number of purposes eg ‘your mail is bouncing’, ‘why are you sending my X amount of traffic’ doing a probably month-long or more lawsuit is not an option, especially not over country borders.

As such, like RIR whois data, the information provided should be correct and contactable. If not the domain should be suspended by the registrar, when the registrar doesn’t handle this type of complaint then the registrar should be suspended for not taking it’s job up.

Indeed, it will most likely cost the registrar quite some money, but I rather have them have a few less millions and a more safe internet where people can be hold accountable.

John Berryhill  –  Sep 7, 2007 3:07 PM

And there is EXACTLY where the problem is: it’s all about the money.

Well, some of us are not independently wealthy, and must work for a living.

You are free to believe that a registrar’s offices are like Ali Baba’s cave, but the assumption that they are lolling about on piles of money is not well supported.

John Levine  –  Sep 8, 2007 4:46 AM

When I thought up the registrar/registry split in 1996, I anticipated correctly that registrars would bundle domains with other stuff, but I didn’t foresee the race to the bottom that’s given us razor thin margins and registrars whose entire business model is predicated on lousy service at a rock bottom price, which makes them extremely reluctant to do anything that would cost extra. Even if the new requirements are applied equally, so no registrar would be placed at a disadvantage, the big registrars (except, perhaps, NSI) have trapped themselves by focusing on low price.

A significant part of the problem is ICANN’s fault, since they have consistently failed to require that registrars perform the duties they agreed to under the existing RAA, particularly section 3.7.8 that requires verification of the registrant information. It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

Dave Zan  –  Sep 8, 2007 9:05 AM

Indeed, it will most likely cost the registrar quite some money, but I rather have them have a few less millions and a more safe internet where people can be hold accountable.

One can always switch to a registrar whose business model factors in the costs of strongly enforcing “valid” WHOIS data policies. But if one doesn’t care to consider their costs of doing so, then don’t be disappointed if they don’t care to consider the reasons (much more the benefits) of what is desired of them by others.

jeroen  –  Sep 8, 2007 8:35 PM

John Berryhill said:

And there is EXACTLY where the problem is: it’s all about the money.

Well, some of us are not independently wealthy, and must work for a living.

Like somebody in the ‘western countries’ will notice 50EUR/USD a year!? Or where you meaning “I am working there”

You are free to believe that a registrar’s offices are like Ali Baba’s cave, but the assumption that they are lolling about on piles of money is not well supported.

If they are not, then they are doing something wrong when they are selling virtual bits for cash.

 

Dave Zan said:

One can always switch to a registrar whose business model factors in the costs of strongly enforcing “valid” WHOIS data policies. But if one doesn’t care to consider their costs of doing so, then don’t be disappointed if they don’t care to consider the reasons (much more the benefits) of what is desired of them by others.

Domain ID:D2306700-LROR
Domain Name:UNFIX.ORG
Sponsoring Registrar:Network Solutions LLC (R63-LROR)

That is already the case, actually I can’t be bothered with changing over, why should I and I am relatively sure that NetSol/Verisign/coohoots will stick around.

But the problem is that even if I and other responsible people act responsible with these things the people who don’t want to be responsible won’t. And that is where the problem lies.

As for extra services, just try to find one which can do IPv6 NS glue. Enom can (they indeed ask more) but that is about it.


John Levine said:

A significant part of the problem is ICANN’s fault, since they have consistently failed to require that registrars perform the duties they agreed to under the existing RAA, particularly section 3.7.8 that requires verification of the registrant information. It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

This is indeed partially where the problem lies.

It is is not about the price of the resource, it is about the way that domains get used: for typoharvesting etc, not for actually pointing to a real organization which has an internet resource available.

John Berryhill  –  Sep 11, 2007 5:37 AM

It would not be terribly onerous to require at least robotic verification of the phone number and e-mail address.

Let’s start with the phone number for these jerks that use bad whois data:

Domain Name:WIPO.ORG
Created On:16-Jul-1993 04:00:00 UTC
Last Updated On:21-Mar-2007 14:12:05 UTC
Expiration Date:15-Jul-2009 04:00:00 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:22769476-NSI
Registrant Name:WIPO
Registrant Organization:WIPO
Registrant Street1:c/o UNICC, Palais des Nations
Registrant Street2:
Registrant Street3:
Registrant City:Geneva
Registrant State/Province:
Registrant Postal Code:10 1211
Registrant Country:CH
Registrant Phone:+1.9999999999
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[email protected]

Not even WIPO provides a real telephone number for their domains.

How do you robotically confirm a telephone number.  I screen all of my calls with an answering machine.  Do I have to be home when my registrar robot calls?  I can sign up for free voice mail and forwarding online.

And, of course, anyone who uses a Turing-test email-response spam filter is screwed.  You will notify them of your new whois policy somehow, I suppose… perhaps by calling them on the telephone and leaving a message.

Any new policy you impose is going to have to “work” for the thousands and thousands of people who registered a domain name four years ago, paid for ten years, and haven’t really thought about it much since then because the domain name works.  You’d be surprised how large a “legitimate registrant” boat that is.

John Levine  –  Sep 11, 2007 1:32 PM

Yes, WIPO is a bunch of hypocrites and there’s a lot of bogus whois info.  We all know that.  The point I’ve been making over and over, which I really do not think is particularly subtle or complex, is that if you want people who make use of WHOIS data to accept having less data available, you need to offer them something meaningful in exchange.  Better underlying data would be something meaningful.  I never said it would be trivially easy to provide; if it were, the WHOIS privacy argument would have been over years ago.

Anyway, if you know what you’re doing, it’s not hard to do robot confirmation of email addresses and phone numbers.  Look, for example, at what Geotrust does when you buy an SSL certificate (try it through this link for $14.95).  It will not confirm you if you don’t read your mail or answer your phone, but of course that’s the point of the exercise.

John Berryhill  –  Sep 11, 2007 3:53 PM

Look, for example, at what Geotrust does when you buy an SSL certificate

And Geotrust then publishes the confirmation telephone number where, exactly?

An individual signing up for a new service under ruleset A is distinguishable from an organization having signed up for a service several years ago and having ruleset B imposed on that service.  The notion that every domain name is going to be associated with a telephone number that will be answered by a human is unrealistic, but your idea that domain registrants should get used to responding to automated telephone calls in order to keep their domains opens up delicious social engineering attacks on domain names.  No, Microsoft, Ebay, etc. are not going to publish a dedicated phone number for some person in their IT department, because the only thing that person is going to do thenceforth is answer the telephone.  Some folks use extensions within their PBX, some folks use voicemail numbers, and so on.  WHOIS requires a telephone number, it does not require that domain registrants engage in conversation with every idiot who calls them.

I don’t have to give “people who use WHOIS data” anything in exchange for not wanting them to call me.  You, John, do not have any legitimate need for my telephone number.  It’s that simple.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

NordVPN Promotion