Save a few dollars per year on my website
Those services that offer Private Registration will suffer.
You may no longer be able to see the name, email or house address for whoever owns a specific domain name under new rules proposed by DNS overseer ICANN. Such details will be removed from the Whois service that covers hundreds of millions of domain names across the world in order to comply with new European privacy legislation …
I've always taken the "lie glibly on the form" approach. No fucking way am I publishing my home address on the internet.
Even with the law; it's still a matter of trust that there will be no cock-ups; envelopes full of money; or people who have authorisation and use it for purposes that you would not approve of. No data, no problem.
Namesilo offers free domain privacy. I have tons of domains through them. And for all my UK domains, I've opted out anyway wherever relevant if the domain is registered as an individual (non-trading). This whole thing is a stupid kneejerk reaction to a misinterpretation of the law. All the commercial services which cache WHOIS information will still have massive caches of PII, probably mostly accurate as well. They should be worrying more than the registries.
What bothers me is how can the EU dictate how ICANN runs the global internet? ICANN along with IANA, is responsible for the technical operation, and is contracted by the U.S. Dept. of Commerce to run it. The EU only has jurisdiction within its borders. To my knowledge, those companies who offer privacy services are actually not complying with the rules because the current rules state that the REAL information about a registrant is supposed to be public.
Look up the so-called 'Brussels effect'. Brussels, followed by Washington (and Beijing nowhere to be seen) are so-called 'regulatory magnets'. Due to the size (not just in population but also because of its purchasing power) of the EU market, standards that are set at EU level tend to have global impact. In addition to size, the quality and the typically relatively tough standards make EU standards attractive to apply globally.
If you are a, let's say Australian, manufacturer you have three choices. You can apply Australian standards which means you can sell your products in Australia but not necessarily anywhere else. If you apply Washington standards you can sell in the US but, due to the American standards typically being a bit lower, not necessarily in the EU. If you apply EU standards you can usually sell just about anywhere. That is why both national regulators and manufacturers all over the world tend to keep an eye on regulation that comes out of Brussels and align or outright copy it.
In this case, selling to a 500 million strong group of richest people in the world means sticking to their rules to be able to sell to them. And which company doesn't want a piece of that market? Strictly speaking the EU has no jurisdiction over ICANN but its market power will speak for it.
ICANN are supposed to be global. Ignoring the 1st/2nd largest market in the world (depending on what you're looking at, America often comes after Europe in terms of market size etc.) because you happen to be originally based in America is a really dumb idea if you want to have that global responsibility.
America has also had to play ball if it wants European information. Don't want that information? No problem. Want it? Then you handle OUR information in a way compliant with OUR laws (or there's no point having them as everyone will just say "Oh, I spammed you anyway because although I'm European and that's illegal, I just had a US company do it for me"). There's a reason that America basically are inheriting our data laws - if they want to trade, they have to be on the same level.
If they don't play ball, they will lose the European market, who will quite happily take their Internet ball home and play a different game. Likely a better one, to be honest. Fact is, if ICANN claims to control/manage every .uk, .eu, .fr, .it etc. domain then it either plays ball or has those taken away from it (i.e. bye-bye 50% of revenue).
The EU has all the jurisdiction over its own data. And its own top-level domains. And trade that involves any European entity. That's WAY more than enough to have a say.
And, yes, the WHOIS-hiders are breaking the rules, but they were never enforced anyway (mainly because they realised what a stupid idea a public database of everyone's address was). This is way, way overdue. No other place that I sign up to has the right to just put my real name and address on a worldwide, publicly-searchable database that I can't remove it from without breaking the rules (and certainly not for something as trivial as a name to run a website). And they had phone number and email too.
This should have ALWAYS been like this. Law enforcement, sure. Anyone else, no. And it hit personal users hardest as they didn't have a company head office to hide behind.
I basically agree with just about everything you wrote. Except this:
> This should have ALWAYS been like this.
There was damned good reason for it being that way in the early days of the net. There were few virtual hosts, technology was still evolving, and there were very few non-geeks having a domain name. Back then you could do something really stupid that affected large chunks of the net and it was imperative people contacted you in a hurry.
These days any non-techy can grab a domain name, pay for a vhost (or cloud host) to put up an eyesore of a website. But that's OK, because if you do something on a vhost that causes big problems your hosting company will notice (in an ideal world, anyway) and do something. Nobody needs to contact you to get you to fix it because you wouldn't know how anyway.
I've seen a number of people bitten by whois. Back in the early days one paid by credit card for Yahoo! for hosting and they dumped her name, address and phone number from the card details into the whois. As a result of which, given the nature of her website, she got a stalker.
So yes, it needs to change. But it should have been like this back in the early days. The Morris Worm was just one of the many occasions where being able to find out-of-band contact details (like a phone number) allowed things to be cleaned up a lot faster.
"What bothers me is how can the EU dictate how ICANN runs the global internet?"
Look at it from the rest of the world's point of view. How can the US dictate how the internet is run within the EU borders or, indeed within the borders of non-US countries in general?
ICANN depends more on global consent than it does on the US's contract. The RotW could, if it so wished, get together, clone ICANN's root registry and then treat the clone as definitive. Given ICANN's governance problems which have been reported here a number of times it's slightly surprising this hasn't happened already.
In reply to your question, what the EU can dictate is what businesses, including registrars, can do with respect to the privacy of individuals within its borders. It can levy fines on any entity with a presence within its borders for breaching its legislation. That affects all EU registrars. It also affects any multinationals with offices within the EU. There's nothing in the EU legislation which would effectively prevent a non-EU registrar from publishing PII information on whois; nothing, that is, except it would then be competing with other registrars who don't and it would limit any subsequent expansion into the EU itself. So, although the EU can't dictate how ICANN manages the internet globally the control it exerts within the EU means it has to be respected. ICANN has finally faced up to that.
"What bothers me is how can the EU dictate how ICANN runs the global internet?"
Nominet for example are based in Oxford, so they have to comply with English law, which for now, includes any EU laws that are in force.
The dotscot registry is based in Glasgow, so they have to comply with Scottish law, which likewise includes any EU laws and also laws on reserved matters made by the Westminster parliament.
Most of the time I don't use 'whois' - except when I want a bit more information to decide if a dodgy looking email that got past Spamassassin is spam or contains dodgy links. However, using the combination of:
* a quick look at the sender and/or embedded domain name with 'whois'
* feeding the domain name through 'host' to get its IP
* feeding the IP back through 'host' to see if it references the original domain.
will often give useful clues about the malignancy quotient of an email and is quick to do.
If GDPR succeeds in making this information inaccessible without providing a replacement malignancy test tool I, for one, shall be extremely pissed off.
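The forward and reverse lookup steps from the comment above, written out as an added example; this is not code from the original post or its author. The 'whois' step is left as a manual lookup, and the function names, verdict strings and sample tables are assumptions made for illustration (the sample names and addresses are constructed from reserved documentation ranges).

```python
import socket


def resolve_ipv4(domain):
    """Forward lookup: the addresses `host <domain>` would report."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_name(ip):
    """Reverse lookup: the PTR name `host <ip>` would report, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def references(ptr_name, domain):
    """True if the PTR name is the domain itself or a host underneath it."""
    ptr = ptr_name.rstrip(".").lower()
    dom = domain.rstrip(".").lower()
    return ptr == dom or ptr.endswith("." + dom)


def check_domain(domain, resolve=resolve_ipv4, reverse=reverse_name):
    """Run domain -> IP -> PTR and report whether the PTR points back."""
    lookups = []
    for ip in resolve(domain):
        ptr = reverse(ip)
        lookups.append({
            "ip": ip,
            "ptr": ptr,
            "matches": bool(ptr) and references(ptr, domain),
        })
    if not lookups:
        verdict = "no-address"
    elif any(item["matches"] for item in lookups):
        verdict = "ptr-references-domain"
    else:
        verdict = "ptr-mismatch"
    return {"domain": domain, "verdict": verdict, "lookups": lookups}


# Constructed lookup tables so the check can be exercised offline.
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "bank-login.example.net": ["198.51.100.7"],
}
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "vps1234.hosting.example.com",
}


def check_sample(domain):
    """Same check, answered from the constructed tables instead of DNS."""
    return check_domain(
        domain,
        resolve=lambda name: SAMPLE_A.get(name, []),
        reverse=SAMPLE_PTR.get,
    )


if __name__ == "__main__":
    for name in ("mail.example.org", "bank-login.example.net"):
        print(check_sample(name))
```

A "ptr-mismatch" is a clue rather than a verdict: sites on shared or cloud hosting commonly have PTR records that name the hosting provider instead of the domain.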
It seems to me your system is a tad too complicated.
As for me, I have programmed my own spam filter and it follows these rules:
1) If I have already accepted mail from that address, then it passes through (whitelist)
2) if my email is not specifically in the SendTo, it is spam (kills all those generic mails sent to God knows who I couldn't care less about)
3) if the ReplyTo domain does not match the From domain, it is spam (go ahead and pretend to write from Microsoft while sending from GMail, I dare you)
There are a few more criteria.
I don't need the IP address, and I don't need the WhoIs, although I do understand your use of it.
My system uses less bandwidth though.
Oh, and I'm just a private person. My needs are not those of a company, I acknowledge that.
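The three rules listed in the comment above, as an added example; this is not the commenter's filter, and the "few more criteria" they mention are not on the page, so a message that no rule decides is returned as "undecided". The function names, addresses and sample messages are constructed for illustration, apart from natwestbankonline.com, which is the lookalike domain raised in the reply that follows.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain_of(address):
    """Part after the last '@', lower-cased."""
    return address.rpartition("@")[2].lower()


def classify(raw_message, my_address, whitelist):
    """Apply rules 1-3 in order; return (verdict, reason)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()

    # Rule 1: mail from an address already accepted passes straight through.
    if sender in whitelist:
        return "pass", "whitelisted sender"

    # Rule 2: my own address must appear in the To header.
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in recipients:
        return "spam", "not addressed to me"

    # Rule 3: a Reply-To in a different domain from From is treated as spam.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(sender):
        return "spam", "Reply-To domain differs from From domain"

    return "undecided", "none of rules 1-3 matched"


ME = "me@example.org"
WHITELIST = {"friend@example.com"}

# Constructed sample messages (headers only matter for these rules).
SAMPLES = {
    "known_sender": (
        "From: A Friend <friend@example.com>\nTo: list@example.net\n"
        "Subject: hello\n\nSee you Friday."
    ),
    "bulk": (
        "From: promo@shop.example\nTo: customers@shop.example\n"
        "Subject: SALE\n\nBuy now."
    ),
    "reply_to_mismatch": (
        "From: Support <support@vendor.example>\nTo: me@example.org\n"
        "Reply-To: helpdesk@freemail.example\nSubject: Your account\n\nReply urgently."
    ),
    "lookalike": (
        "From: NatWest <alerts@natwestbankonline.com>\nTo: me@example.org\n"
        "Subject: Security notice\n\nPlease log in."
    ),
}


def classify_samples():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: classify(raw, ME, WHITELIST)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The "lookalike" sample is addressed correctly and has consistent sender headers, so none of the three header rules flags it.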
the email is from natwestbankonline.com
it is addressed specifically to you
all the sender headers match
however, you aren't entirely convinced it comes from Natwest Bank.
You can check whois, and see that it is registered to a domain privacy service, whereas the more familiar natwest.com is registered to National Westminster Bank plc at their registered head office.
You can conclude that it is not a genuine email.
> decide if a dodgy looking email that got past Spamassassin is spam or contains dodgy links. However, using the combination of:
Apart from extremely brittle, resource intensive and laughably unreliable, your "system" appears kind of pointless.
> If GDPR succeeds in making this information inaccessible without providing a replacement malignancy test tool I, for one, shall be extremely pissed off.
The system is exactly what every privately registered .eu and .fr domain, amongst others, have been doing for years (since its very inception for .eu, I believe).
For other domains, many registrars offer anonymisation, often as a complimentary free service.
1) About bloody time.
2) What idiot thought it was a good idea for anyone other than law enforcement to have that information anyway? I mean, I have my ISP account tied to me, but I'm not required to put that in a public database and so let any website know who I am when I visit.
3) Apparently good things come out of GDPR, as well as all the hassle.
It is indeed the individual who should be in charge of their own privacy and who should decide how and where to reveal their information. That ICANN thought that they should be in charge of this is obviously rooted in the far away past. It's actually outrageous that some internet company that I have a relationship with should even consider publication of my personal details in the first place.
"Can companies and publishers decide that it is outrageous that the address of the manufacturer of something you bought be available to you or the address of a newspaper office be available to complaints"
This has nothing to do with addresses of manufacturers or newspapers. It's to do with personal information, the addresses of individual people who have their own domain, that's all.
So at what point are you a real web publisher who should have a public address and "just an individual website"?
There are quite a few issues wrapped up in that.
If you are an individual registering a domain you will be entitled to keep your details confidential. You're not obliged to do so.
If you register your site for commercial purposes you lose the entitlement. That would, AFAICS, include operating as a sole trader. On the whole you'd probably not want to hide your identity unless you're a cowboy; regular traders want people to contact them.
If you're operating a business as a Ltd company you'd register under the company name and the registered address would be the appropriate address to use. However Companies House would register the names and addresses of the officers of the company (director, company sec etc) although the addresses given are often enough the registered company address. Even if you want to keep your identity confidential you can't if you're an officer of the company; it has to be on the company returns, those are public as a matter of law and as such they're excluded from any protection GDPR provides.
I'm for it because I found out first hand what happens when you don't apply privacy, my block list on phone and email are huge and still rising, this is after over 12 months.
On the question of whether it will be worldwide I can only assume it will because anyone in Europe with a VPN will still be able to access the information falling foul of the GDPR.
"I'm for it because I found out first hand what happens when you don't apply privacy, my block list on phone and email are huge and still rising, this is after over 12 months."
That's odd. I have lots of domains, and going back quite a few years too. I get some, but very little email spam actually. It is simply not a problem. Phone calls aren't either, though I do use a number that automatically goes to voice mail and has a telemarketer filter - one of the advantages of inexpensive modern VoIP services.
> On the question of whether it will be worldwide I can only assume it will because anyone in Europe with a VPN will still be able to access the information falling foul of the GDPR.
That's not how it works at all.
You seem to be under the impression that the GDPR is about restricting Europeans' access to personal information, whereas it is about protecting Europeans' personal information.
Good point but what if as a European I register a .com domain or other non-European domain. How would ICANN know to hide the information? What if I'm in America but then move to Europe transferring my domains with me? Too many if questions for it not to be worldwide.
I'm sure people are thinking registered address could solve these two questions but would you take the risk with GDPR?
but the registrar needs to be registered with ICANN and follow their rules. At least that's my understanding and I don't think registrars themselves will chance falling foul of the GDPR.
What if I am European with a business stateside? Am I still covered by GDPR even though the address is in the states and I am in Europe because that address leads to my identification by use of other data on my company?
It's going to be worldwide, I'm pretty sure of that. I may be wrong but I have a gut feeling on this one.
> How would ICANN know to hide the information?
The issue actually works at another level: your organisation decides whether or not it is going to be doing business with EU residents (note that it doesn't matter an iota whether you are an EU citizen or not). Most global organisations with significant interests in the EU will probably choose to abide by the Regulation and give everyone the same rights as if they were EU residents.
Another option, e.g., for not-quite-global businesses would be having you declare that you are not an EU resident and make it a condition to let them know if you become one (possibly causing a termination of your business relationship). I am speculating here though.
PS: I do not know the nature of ICANN and whether it falls under the GDPR or not, so I am talking about a hypothetical organisation of a general nature.
"I'm for it because I found out first hand what happens when you don't apply privacy, my block list on phone and email are huge and still rising, this is after over 12 months."
I normally apply privacy in all the domains I manage; but a couple years ago, my details were exposed for a couple of weeks during a registrar changeover. During that time, I was getting about one spam per day from entities all over the world (including a sporting goods store in Australia) claiming they were my new hosting service, and that I should "log on here" and check out the cool new dashboard.
The article says that "Nominet has also proposed removing the requirement of people with a second-level .UK address to provide an address based in the UK before they are allowed to register a domain." Perhaps now is not the time to tell someone that I own a second-level .uk address, I don't live in the UK, I don't have an address in the UK, and I've never set foot in the UK (I'd like to, but it's a long flight). I didn't know this was supposed to be blocked until reading this, so obviously it's not hard. That ship doesn't seem to be in port anymore.
"Perhaps now is not the time to tell someone that I own a second-level .uk address"
If you're setting up something like example.uk there's supposed to be a UK residency requirement. Presumably it's up to the registrar to check. example.co.uk wouldn't need residency. Ownership of example.co.uk would give you preference in gaining example.uk if you wanted that as well.
Maybe you owned the .co.uk or .org.uk version and then gained the .uk on those grounds and nobody thought to check?
"Maybe you owned the .co.uk or .org.uk version and then gained the .uk on those grounds and nobody thought to check?"
Indeed - if you have a .co.uk then you get the .uk version reserved for you automatically when the TLD was released. Can't speak for .org.uk though.
"Can't speak for .org.uk though."
My registrar seems to think either applies. I'm not sure what happens if .co and .org have different owners. I have a .org and the corresponding .co is owned by a completely unrelated business. However, if they want the .uk they're welcome.
Nope. In this case, I needed a domain, and I looked at cheap ones, which .uk ones seem to be. example.uk was available, and so was example.*.uk as well. I chose not to bother with the .co.uk or related ones, so I just asked for example.uk. I entered my correct non-UK address, clicked go, and I've had that domain for a few months now. Oops guys...but I'm not giving it back.
"taken overall, it is a logical, commonsense approach to dealing with the Whois issue"
Wrong. It is a shortsighted solution that will only appeal to e-children who think that the Internet is their private, anonymous domain.
There are many official company websites, the status of which can be confirmed by looking at the ICANN registration. These websites often contain official policy and/or product recommendations. With the proposed ICANN scheme, it will be difficult to differentiate between official websites and poseurs.
> Meanwhile, talking of last-minute consideration, this week the .UK registry Nominet published an online survey asking for opinions on its own changes to its Whois service in light of GDPR.
I've been waiting for this to turn up here. Clicked their link to view the changes, and got asked for personal details (with no apparent way to skip), so I'd not (until now) seen what the cretins were planning on doing.
I can understand requesting details to respond to the survey, but to view the proposed changes?
"Clicked their link to view the changes, and got asked for personal details (with no apparent way to skip), so I'd not (until now) seen what the cretins were planning on doing."
Are they keeping that running until after GDPR becomes operational? AFAICS that will be a breach in its own right.
Whois data was never particularly good at identifying the true owner of a site, especially if it is a scam website, pirate site etc. Lots of registrars will let you buy a domain and put in any name, address and phone number without verifying the information. You can also pay with some registrars using Bitcoin, Western Union or Pre-paid debit cards meaning that even the payment information doesn't tie to a specific person.
I thought the display of WHOIS information was opt-in to begin with? I remember when I first registered my domain there was a glaringly obvious tickbox that said something along the lines of "I consent to having my information shown in WHOIS lookups." If you didn't want it shown, the box was ticked or unticked. Simples.
So how do normal people with a complaint about a website or something on it trace the owner?
Do they have to go to the internet police?
It may be fine to be police, a lawyer or other specific group, but what of the jane/joe NetCitizens out there!
Can we perhaps complain to ICANN or will they just fob it off?
"So how do normal people with a complaint about a website or something on it trace the owner?"
Through the registrar and/or the hosting company. However, to get them to take notice the matter would have to be illegal in which case the police could take it up or contrary to the registrar or hosting co's T&Cs. In the latter case you'd almost certainly also need to be lawyered up to have an effect.
The ICANN proposals include an anonymising email passthrough-type service.
So, on WHOIS/registrar's page there will be a "contact the domain owner" type button, and pressing that will either open a form which the registrar will forward through to the email address registered to the domain, or there will be an anonymous email service like, for example, cracker, where you send an email to "firstname.lastname@example.org" and that forwards the email onto the advertiser.
Note that this does not mean a domain can be registered anonymously or without PII, it means that the registrar can't publish that PII publicly. Doesn't mean the registrar doesn't have that information.
So law enforcement gets my details if they say please. I'm basically OK with that. That's the price of living in a civilised society.
I am not so enthusiastic that "IP lawyers" can see whatever they like. If I wanted to encourage parasites, I would swallow a tapeworm egg. They are more likeable.
Why should lawyers of any type have automatic access to personal information?
They should have to go to court like anyone else and get a court order to access this information.
If they have reasonable grounds then they will be given a court order for the information and then the registrar will be required to release this information.
This should stop fishing expeditions by lawyers.
If ICANN or individual registrars decide that organisations or individuals (lawyers of the IWF) are allowed direct access then this should be challenged as not complying with the GDPR.
You should never have been able. It should have needed a court order. It's not the same as a phone book or a Company office!
Also ALL commercial websites selling stuff or services ought to have clearly visible email/contact form, physical address, phone number. That indeed IS the law (and ignored) in many countries, so no need for public WhoIs.
"however, an obvious solution will be for the US government to provide accreditation to such groups, forward their names and details to ICANN"
But it's not up to the US government. It's a decision for the EU. Just like the current privacy shield arrangements to exempt US companies from the Patriot Act for protected EU data. Which is likely to be found inadequate and blocked by a current EU court case.
here comes the TERROPEADOCOPYFAKENEWSRIGHT brigade........
I've registered a few domain names personally, and seeing as they were personal domains and not about to contain anything anyone *else* could do bugger all with, the domain registrant that showed up in whois amounted to Dr Hole, Black email@example.com 12345 whatever st, south dakota Mexico.
I get that anyone that actually has a website should be reachable under specific circumstances, and that GDPR means that whois has to change its ways, but I'm thinking that there needs to be a far more rigorous method of getting past the anonymization.
Biting the hand that feeds IT © 1998–2020