Whois? More like WHOWAS: Domain database on verge of collapse over EU privacy

An effort to resolve conflicts between upcoming European privacy legislation and the global Whois service for domain names has, predictably, failed, raising fears that cybercriminals will take advantage of the impasse. At the end of a week of meetings hosted by domain-name overseer ICANN, the US-based organization's proposed …

  1. Alister

    On the other side of the equation, civil society groups were actually happy with the idea of anonymized email addresses, noting that it would "go a long way to reducing spam and harassment that end-users face."

    This again is an issue only due to ICANN's decision to try and monetize the data they hold.

    Up until a few years ago, it wasn't worth the effort for a spammer to manually trawl through whois records for email addresses, and the level of spam to my admin email accounts for our domains was minimal.

    However, then ICANN decided to publicise a list of any changes to whois records or domain registrations, including contact details, and now, I get over 100 emails a week offering me SEO services or "Build You a website" or other shit.

    The abuse and domain admin emails for domain registrations should not be obscured, they should be readily available to anyone who needs to look them up using the whois system.

    But they shouldn't be published as an easily farmable list, every time there's a change in any domain registration, and that's what is happening now.

    1. Anonymous Coward
      Trollface

      They always spammed me. Maybe your domains weren't cool enough for them to bother?

    2. Doctor Syntax Silver badge

      "I get over 100 emails a week offering me SEO services"

      I'm not sure whether it's an improvement in Hotmail/Live/Outlook filtering but I now get very few.

      Alternatively it might be a consequence of the fact that I've got into the habit of writing back if I've nothing better to do and saying that oddly enough they seem to have omitted their own domain name from their pitch so I can't check whether they're any good at getting their own site on first page in Google if I search for first page in Google. This is usually accompanied by a critique of their written English; I'd expect them to take especial care of this when presenting themselves. I usually finish up by pointing out that the address they've spammed is my spam bin and if it's typical of the list they bought they've been overcharged. The trick is to sucker them into reading through the whole of what's initially a helpful-looking reply before telling them just how crap they are.

      Of course they're all lead generators. I only ever had one who passed the lead on to someone who claimed to have a UK branch (situated above a language school operating out of a shop front in Longsight): probably a cousin. I wrote back pointing out the crapness of the reference sites he gave. With any luck the ?cousin got shafted for incompetence.

    3. Ole Juul

      ICANN promoting spam

      I too get more than I used to. Still, it's not a huge problem other than they're basically insults suggesting I don't know what I'm doing.

      1. Anonymous Coward

        Re: ICANN promoting spam

        "I too get more than I used to. Still, it's not a huge problem other than they're basically insults suggesting I don't know what I'm doing."

        Oh, sorry, was that you?

  2. Donn Bly

    An open registry of who owns domains is important

    The EU has passed a law that (either intentionally or unintentionally) undermines the Internet, and that when enforced in the fashion they like would actually terminate any contract that violates it. In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain. I would have to go back and read the contract as it was last time I renewed, but I know that when I started back in the early 90’s the contract explicitly stated that the total liability of the registrar in a contract termination or dispute was a refund of funds paid or the issuance of a different domain name.

    Nobody wants that, but the EU doesn’t have the legal authority to retroactively modify contracts between their citizens and third parties – they can however declare the contracts invalid.

    I like NICAT’s approach. Not sure if it is completely legal within the terms of the contracts, but it is a good starting place.

    ICANN should have handled this years ago, but wasting money and churning out new GTLDs apparently took too much of their time.

    An open registry of who owns domains is important to the continued operation of the Internet. Law enforcement and intellectual property owners aren’t the only ones who need access, so does everyone involved in website development, domain management, and computer security.

    Any legal entity must have an address of record. Publishing that information in a public registry is not a violation of privacy. Besides, in most cases the law requires that their address be prominently published on the website already. This includes non-for-profit organizations and clubs.

    Individuals who register domains must agree to terms and services, and part of those terms is that the information they provide is published. In other words, they have “opted in” to having it listed.

    Individuals who wish to have domains, but do not wish to have their information published, have a variety of “private registration” options already available to them. Some registrars even still do it for free.

    People who complain about spam because they used their “normal” email address to register a domain fall into the same category as those who used CD-ROMS as coffee cup holders.

    Phone numbers are a problem – every time I register a domain I get dozens of phone calls (to the point where I now have a dedicated phone number for domain registrations that goes directly to voicemail so that I can ignore the telemarketers). Of course mining the Whois for that purpose is already illegal, but there aren’t any teeth to it so they don’t care. Put enforceable fines in place and it might cut down on that.

    Street addresses aren’t a problem – MOST spammers are too cheap to spring for a stamp (though there is one that routinely sends me bogus invoices)

    1. JohnFen

      Re: An open registry of who owns domains is important

      "Street addresses aren’t a problem"

      They aren't a problem until you post something to your site that angers a sociopath enough that they SWAT you. Then the published street address could cost you your life.

      1. TrumpSlurp the Troll
        Trollface

        Re: An open registry of who owns domains is important - SWAT?

        I don't think they do that in the EU. More of a Merkin hobby to charge around all guns blazing.

        With a few notable exceptions like for plumbers on tube trains.

        1. Graham Dawson Silver badge

          Re: An open registry of who owns domains is important - SWAT?

          French police are notoriously heavy-handed and heavily armed to boot.

          1. Anonymous Coward

            Re: An open registry of who owns domains is important - SWAT?

            "French police are notoriously heavy-handed and heavily armed to boot."

            Wow, I didn't know surrender flags were called "heavy arms" now.

            1. Dodgy Geezer Silver badge

              Re: An open registry of who owns domains is important - SWAT?

              ...Wow, I didn't know surrender flags were called "heavy arms" now....

              'Heavily Armed' is quite compatible with the standard smear of the French military - in that they might require high levels of equipment and violence to deal with an unarmed pensioner civilian, while surrendering at the sight of a small boy with a catapult... :)

              In fact, French soldiers have fought some famous actions against heavy odds. Much of the 'surrender' stereotype comes from incompetence at the high command and political level - a field where many other countries have a poor track record...

        2. Stork Silver badge

          Re: An open registry of who owns domains is important - SWAT?

          I thought the Brazilian fellah was an electrician...

          1. John Savard

            Re: An open registry of who owns domains is important - SWAT?

            But that was a tragic mistake that followed a long investigation by security forces, with a suspected terrorist living at the same address as the innocent Brazilian. It wasn't something that happened because of one hacker's phone call. So, while innocent people can die at the hands of law-enforcement authorities in Britain as well (note that these were military personnel, not London bobbies) there is a difference between the situation there and that in the United States.

            1. MonkeyCee

              Re: An open registry of who owns domains is important - SWAT?

              "But that was a tragic mistake that followed a long investigation by security forces, with a suspected terrorist living at the same address as the innocent Brazilian."

              I'm not sure "long investigation" is really the case. There had been suicide bombers the day before, and one of the unexploded bombs had a gym membership card with the address that Charles was living at.

              "note that these were military personnel, not London bobbies"

              The people who shot him were police. Specialist police, SO19 firearms officers, not your standard bobbies, but still police. The undercover operatives on the train with Charles *might* have been from the military surveillance unit, but they didn't shoot him.

              Now, the fact that the chap who "identified" him as terrorist was military (from the surveillance unit). That this identification was managed without taking a photo, while the soldier was having a piss, and led to the assumption that Charles was dodgy. So the military may have led to him getting shot (and may have been holding him in a bear hug while the cops shot him in the head), they didn't actually pull the trigger.

    2. Doctor Syntax Silver badge

      Re: An open registry of who owns domains is important

      "The EU has passed a law that (either intentionally or unintentionally) undermines the Internet, and that when enforced in the fashion they like would actually terminate any contract that violates it. In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain."

      Could you cite the clause or clauses which say that?

    3. Danny 14

      Re: An open registry of who owns domains is important

      GDPR isn't new. People have sat on this for 2 years. All ICANN needed to do was have an opt in and a right to erasure. That's it. It's not hard.

      1. Anonymous Coward

        Re: An open registry of who owns domains is important

        So all you're saying is that ICANN need to stop being Fingers & Thumbs, Have a Little Respect, perhaps even Take a Chance?

        1. Roj Blake

          Re: An open registry of who owns domains is important

          Would this apply Always, or only Sometimes?

          1. It depends.....

            Re: An open registry of who owns domains is important

            @Roj - I don't know whether or not you would prefer an upvote or A Little Respect for your comment....

    4. steelpillow Silver badge

      Re: An open registry of who owns domains is important

      Upvote for talking 98% good sense.

      But the "private registration" options are least available to those who have most to lose by becoming visible. You won't hide your domain ownership from the authorities, no matter what. Answer: if you really need to be invisible, don't register a domain but piggyback off someone else's and be prepared to move at the drop of a hat, just like in the physical world.

      And "normal" vs "honeytrap" email addresses are way above the technical or attention limit of most people. The best answer is to make spamming globally less acceptable and harder to do, and that seems to be - very slowly - gathering institutional support.

      Somebody in reply has suggested that sociopaths might visit you in person. The solution is to use a proxy registration option.

      1. JohnFen

        Re: An open registry of who owns domains is important

        "You won't hide your domain ownership from the authorities, no matter what. "

        True. If you need to hide from the authorities, you shouldn't be using a domain name at all. You should be using named IP addresses, change them every so often, and distribute them to your co-conspirators through some other communications channel.

        1. mark l 2 Silver badge

          Re: An open registry of who owns domains is important

          "You won't hide your domain ownership from the authorities, no matter what. "

          I beg to differ, there are many registrars that will accept Western Union, prepaid debit cards or crypto currencies for payment, and that don't verify any address details to register domain names. So if you used a proxy and a throw away email you could easily set up a dodgy website where none of the details including the billing info actually identified the registrant.

          It would be interesting to hear of how many crimes actually get solved by law enforcement just getting the info from the whois database, I bet even stupid criminals at least opt for proxy registrations even if they use their own real billing info to pay.

        2. JohnFen

          Re: An open registry of who owns domains is important

          "You should be using named IP addresses"

          By this, I meant "You should be using naked IP addresses".

          1. wallisoft

            Re: An open registry of who owns domains is important

            shame - quite liked the idea of a named ip..

    5. Buzzword Candidate

      Re: An open registry of who owns domains is important

      "In essence, if you owned your own domain the EU is saying that the contract you signed is no longer valid – meaning it is quite possible that you no longer own your domain. ...

      Nobody wants that, but the EU doesn’t have the legal authority to retroactively modify contracts between their citizens and third parties – they can however declare the contracts invalid."

      This is an interesting legal question. On the face of it, I can't actually think of any legal reason why the EU could not retroactively modify contracts between private citizens per se. Elsewhere in EU law, it arguably already does this - if you include an unfair clause in a consumer contract, the law will only invalidate that particular clause (https://europa.eu/youreurope/citizens/consumers/unfair-treatment/unfair-contract-terms/index_en.htm). So the contract remains valid, just without the unfair bit (assuming that the removal of the unfair bit isn't so fundamental that it breaks the contract altogether).

      With the GDPR, though, it doesn't actually say anything about retroactively modifying contracts, or indeed negating contracts that do not comply with the law. All it says is that the controller and processor will get fined if the contract is not up to snuff - and that the data subject has certain rights in law which will take precedence over any competing obligations in contract. So what, then, is the legal status?

      For the following, I am assuming that the wholesale publication of personal data in the whois domain actually is contrary to the GDPR and that they don't introduce a compliant system in time. I don't actually think that this is inevitable and I reckon there are many, many ways to adapt the system to be legally compliant. But that's another issue for another day.

      First question: Is this a consumer contract? If so, a term requiring you to give up your statutory rights is unfair and therefore unenforceable. As noted above, the rest of the contract remains valid. So you keep your domain, but the obligation to allow them to publish your details is removed.

      Second question: If it is not a consumer contract, is the clause anyway unenforceable? (Nb: just because it is a business contract does not mean that there is no personal data involved - see, for example, C-28/08 P - Commission v Bavarian Lager). The answer is maybe, maybe not. I've had arguments about this and it could go either way, probably depending on the skill of the barrister in question. Ultimately, however, this issue isn't decided at EU level. It therefore depends on your national law, so will vary from Member State to Member State. At least in the UK, even if it is unenforceable, we can use the concept of severance in contract law to simply remove the offending clause and keep the rest of the contract alive.

      Bottom line: Even if your contract relies on your information being published in the whois AND even if that clause ends up being invalid, your contract will probably remain valid, at least in the UK.

    6. HieronymusBloggs

      Re: An open registry of who owns domains is important

      "Street addresses aren’t a problem"

      Many stalking victims would disagree with you.

    7. druck Silver badge
      Stop

      Re: An open registry of who owns domains is important

      We complain about the US when it tries to impose US law on other countries, but here is the EU insisting that the entire world obey its rules.

      If you want GDPR protection use an EU based registrar, if you want a .com or any other domain controlled by registrars outside the EU, you should not expect those registrars to have to pander to the EU.


  3. JohnFen

    What about proxies?

    With the domain names that I own, I pay extra to my registrar in order for them to act as a proxy -- their information appears in the WHOIS records rather than mine, and if anyone uses the contact information provided, my registrar will forward the message or letter on to me.

    Sounds like a perfect solution to me!

    1. Anonymous Coward

      Re: What about proxies?

      Me too. I don't understand this handwringing: "That would leave law enforcement and intellectual property lawyers, among others, unable to access registrant details" - if they currently rely on public whois data, they're already up shit creek.

      Frankly all public records are a privacy nightmare, especially for business owners. You're better off identifying as a 'natural person', doubly so under GDPR. But anonymity is best. It's not safe out there.

      1. Jamie Jones Silver badge

        Re: What about proxies?

        The thing is, you pay for the proxy service.

        It sounds like the ICANN proposal to its governance board was to run a similar type of scheme, but who would pay for it? Without adding costs to the domain registration, they wouldn't be paid, so it's no wonder they refused.

        I suppose the nearest "official equivalent" to the proxy idea would in effect be a way to force European users to pay for such a service - either via a proxy service like you use, or a domain surcharge to pay for an ICANN run scheme.

        As for the issue of law enforcement, the arguments cited in the article are bollocks.

        If law enforcement need the domain owners details, they can contact the registrar the domain was bought from. They are the ones who maintain the databases that make up the public whois database after all!

        In addition, the registrar will hold personal/billing details. Whilst it's possible that they have been faked, as they are not public, and are likely to have credit card billing information, they are going to be far more accurate than the public database - and any person registering a domain with criminal intent who doesn't register with real billing details will not have real details on the currently public view either!

    2. katrinab Silver badge

      Re: What about proxies?

      Yes, but if you want to move your domain to a different host, you first need to switch it back to your real details, and at that point, you are at risk; especially if the reason you want to move it is that your current provider doesn’t like what you are publishing on the website.

      1. JohnFen

        Re: What about proxies?

        "if you want to move your domain to a different host, you first need to switch it back to your real details"

        I moved a batch of mine a few years back, and didn't have to do that -- but I had to talk to actual human beings to do it, the automated systems wouldn't work. It may not be trivial and automatic, but it's not hard.

    3. Dave Bell

      Re: What about proxies?

      I have had a domain name since the last century, as a private individual, from a UK-based registrar. My name and address is protected by the current Data Protection Acts, which implement current EU law, and this GDPR doesn't seem to implement anything new for me.

      The basic privacy rules are so old that they applied when I was using a 2400 baud modem to access FidoNet. And, every so often, the USA has signed up to some agreement to protect personal info, so they can trade with the EU, and gone on, after a couple of years, to ignore it.

      The USA has form on the abuse of personal data, going far beyond the allowed Law Enforcement access that Europe already has. Facebook and elections have made headlines over the weekend, and if they are rich (and white) Americans will ignore all these laws.

      ICANN may be stupid, but it's a part of a pattern of American criminality about our personal data.

      Since we're leaving the EU, we're going to be outside their protection, and I am not sure we can trust the UK government to even maintain the existing protections.

  4. The Nazz

    Hmmm, unfettered access and Venn diagrams

    One has to be careful, let's not forget that Venn diagrams of lawyers and criminals would certainly overlap.

    I'll leave the extent of which to the viewer.

  5. Doctor Syntax Silver badge

    It should be simple enough. Natural persons resident in the EU (or UK when the new DPA is in place) have an option from the registrar to hide personal details just like any other data subject. Where appropriate these details can be obtained from the registrar by going to court, obtaining a warrant and presenting it to the registrar. If the court disagrees about what's appropriate they don't get the warrant. It's pretty well how any other online business will have to operate. Why do they think they need to be different?

  6. Pascal Monett Silver badge
    Facepalm

    Well duh

    In other words, ICANN made bad decisions based on incomplete information and failed to explain how or why it arrived at those decisions.

    In other words, business as usual at ICANN.

  7. Anonymous Coward

    What about Companies House

    I know the UK is leaving the EU, but won't Companies House become the first target of GDPR attorneys?

    Yes, I'm back and off-topic at the same time.

    1. Voland's right hand Silver badge

      Re: What about Companies House

      In theory yes.

      In practice, we will be eating cake then.

    2. Roland6 Silver badge

      Re: What about Companies House

      > but won't Companies House become the first target of GDPR attorneys?

      The EU itself?

      http://ec.europa.eu/taxation_customs/vies/

      This is going to be interesting, HMRC only permits individuals to be VAT registered. So for example whilst Vodafone UK's vat number is currently GB 569953277, the number is actually assigned to a person who is personally responsible and liable for Vodafone's VAT. So firstly is the VAT data that of a legal person or that of a legal entity. Secondly, where, in the sign-up is the opt-in allowing personal data to be published on the Internet by the EU?

    3. Anonymous Coward

      Re: What about Companies House

      "I know the UK is leaving the EU, but won't Companies House become the first target of GDPR attorneys?"

      No. Your right to privacy is not absolute and is balanced against the rights of the data controller/processor. This is manifested into six "justifications" for processing data, which you can broadly place onto a spectrum trading off your rights for the controller's.

      So at one end you've got consent, where you've freely handed over your data. You can likewise freely rescind that consent ("right to erasure"). At the other end of the spectrum you have legal obligation, wherein a law requires the controller to process your data regardless of what you as the data subject think, say or do. This is what allows banks to retain your records for 7 years, for example. Likewise it's what allows government bodies to function*.

      ICANN are mostly in this pickle because they fundamentally don't understand GDPR. There's a reasonable argument to be made for the Legitimate Interests justification, but they've so badly hammed this up that I doubt that'd ever fly now. Their only real recourse is to simply stop storing personal details of natural persons, or plot some middle ground where they store-but-don't-publish, but that'd involve actually defining and running a fair and secure record retrieval process. Fat chance.

      *Interesting side note: government bodies can't even use consent as a Justification because you can't give free consent to someone who can put you in prison.

  8. Anonymous Coward

    Whois is obsolete

    WHOIS was great when communication was letter and telephone. You know - when the modem connection to a mail server hasn’t worked right for a couple of days. Then you could phone the sysadmin who would fix it with a screwdriver.

    These days, the need to map to old world communication paths is rather limited. If a company even accepts letters and phone calls, the details are on the website.

    The closest you get to useful “WHOIS” these days is via the SSL certificate.

    1. wallisoft
      Meh

      Re: Whois is obsolete

      https://letsencrypt.org/ - wildcard subdomains now work - certbot certonly -d '*.yoursite.com' --manual --preferred-challenges dns

  9. Teiwaz

    ICANN

    Perhaps a name change to ICANT is in order...

    It's not as if GDPR was one of those UK rushed through parliament by whipping MPs more thoroughly than their usual 45 minute 'private appointment' at a discreet establishment.

    1. ecarlseen

      Re: ICANN

      Beat me to it. :-)

  10. John Savard

    What's the Problem?

    Why shut down the whois service? Just don't allow Europeans to register domain names, until Europe amends its laws so that ICANN can operate without fear in its usual manner. If Europeans can't meet the requirements for having a domain name, then they can't get one.

    This won't deny Europeans access to the Internet, they could just set up their own alternative (and more anonymous) domain name system. People wanting to view European sites would just have to choose an alternative DNS.

    1. Yet Another Anonymous coward Silver badge

      Re: What's the Problem?

      Or Europe could just get hold of one of those hacks of Americans' data and publish the name, home address, phone number, SSN and credit card details for everyone outside Europe.

      If keeping your personal data secure is so bad

      1. keithzg

        Re: What's the Problem?

        Name and address and telephone numbers are fine; hell, I'm in the phonebook personally. If you want to stay anonymous you can already choose anonymized ways of registering domains, there's no reason to entirely break WHOIS for the entire world.

        1. EnviableOne Silver badge

          Re: What's the Problem?

          That's the point of GDPR. It should be your choice as to whether you're fine with it, and you shouldn't have to pay for a service if you're not.

          Nominet already go most of the way.

          On my many domains, the only personal detail is my actual name, everything else is "The registrant is a non-trading individual who has opted to have their <x> omitted from the WHOIS service"

          If I transfer them to my company (probably will do down the line) this gets filled with the company's registered address and contacts I provide.

      2. keithzg

        Re: What's the Problem?

        ...and as you point out, far more critical personal data is being leaked constantly. If people are in that much danger from WHOIS records, then a LOT more time and effort and legal sledgehammers need to be put towards the entities (generally large corporations) doing such shitty jobs at protecting people's private communications, non-public identities, financial information, etc.

  11. Frank Oz

    Because in Europe ...

    ... it's important that nobody knows who they are dealing with.

    In addition to the Corporate Veil, we also have the Internet Cloak.

  12. Kevin McMurtrie Silver badge

    but why is?

    Last time I checked ICANN, it required a responsible contact for a domain name, not your personal info. You can hire a third party to be the contact, create an LLC, use a friend, use your ISP (some offer this service), or whatever.

    The '.eu' TLD isn't even under ICANN.

  13. ecofeco Silver badge

    This is crazy!

    Whois and Betterwhois have been THE goto reference for who owns domain names.

    Why would anyone want to break this system?

    Web 2.0 like hell.

    1. Anonymous Coward

      Re: This is crazy!

      Smoke and mirrors to obscure the real failures to protect privacy: Like the Equifax leak and Five Eyes own mass intrusions. Frankly I've never liked the proxy option: anyone who wants a vanity domain should be advised up front to set up their own legal entity for registration purposes. The Internet isn't a consumer shopping mall, it's a global comms system. Anyone too stupid or cheap to do that can publish on facebook.com or wordpress.com. With most of the world in poverty it's obscene for anyone to insist that owning your own domain name is some kind of human right. The GDPR is complex and draconian enough that the real bad guys in the privacy space like Equifax are going to find ways to circumvent it, while the rest of us foot the bill for politicos' bragging rights.

      1. Anonymous Coward

        Re: This is crazy!

        Downvoted because setting up an anonymous legal entity is costly and time-consuming, and probably impossible in many jurisdictions. That's not a solution for the typical registrant who just wants a web presence without offering up their personal information on a silver platter to every malcontent who passes by - or to the likes of Facebook or Wordpress.

        And this is not a distraction from corporate and government surveillance - it's all a problem.

  14. Anonymous Coward

    So many problems, so many solutions.

    I have a domain registered. It's 'Privately Registered'. My contact info is hidden.

    Any essential contact (Legal or Technical issues) has to get past the private registration company. Not once in a decade. Only contact concerns renewals.

    There's an associated email address, but it's yet another gmail account dedicated to the purpose.

    And because it's gmail, spam is essentially a non-issue. There are people unaware of this?

    There are other examples where my contact info must be listed in public; inherent in the purpose. I need to explicitly agree to use such services, and list my details. So I may choose to set up yet another gmail address. This explicit permission approach, perhaps hiding the email address, seems to be most suitable.

    One forum insisted that everyone must, henceforth, use a real name. So I did. I converted my account to use "a" real name; I selected the one at the bottom of the memo directing everyone to use a real name.

    Good luck.

    1. Anonymous Coward

      Re: So many problems, so many solutions.

      You're putting a lot of faith in Gmail....

    2. Anonymous Coward

      Re: So many problems, so many solutions.

      (double post... forum's having issues today)

  15. Old Handle
    FAIL

    Why wait for the EU?

    This is something they should have addressed decades ago.

    WHOIS strikes me as a holdover from the early Internet, when it was all universities and large companies. Now that many (perhaps even most?) domain names are owned by private individuals, it makes no sense to have all their personal contact information published by default.

  16. DerekCurrie
    Megaphone

    WHOIS is entirely sane, fair and not abusive of privacy. It's a form of responsibility!

    IOW: IMHO the EU is foisting irresponsibility onto the Internet. That's not sane.

    And no, eMail should not be anonymized either. Encrypted email, ABSOLUTELY! Anonymous, never.

    Trolling is the #1 nightmare of the Internet. Allowing people to hide who they are is enabling cowardice. Speaking truth to power requires face to face contact, NOT lame, weakling weasel to face contact. Stand up and be counted! Enable bravery, not wimpiness.

    Yes, I heartily champion the death of all forms of SPAM. I'd gladly dance upon its grave with glee. But anonymizing everything is utterly insane and a FAR worse fate for the Internet.

    Anonymous ≠ safety or security. Clarity is required. Note how I am not posting this comment anonymously. That's as it should be.

  17. razorfishsl

    it's bollox.

    Specifically because you can "opt out", so that the company specifies one contact in the company whose data is available.

    Which is already the same for directors of companies.

    List the name, the email address & the company head office.

    All of which is available on a business card.

  18. Snorlax
    FAIL

    Shambles

    "In short, the effort to make Whois compatible with GDPR has been a public policy shambles for which ICANN should shoulder the bulk of the blame. A more effective organization would have foreseen the inevitable conflicts and carefully managed them ahead of time.

    As it was, the organization's staff ignored the problem until it became impossible to do so any longer, and then published its proposal when people were boarding planes to fly to its meeting this week in Puerto Rico. It should have come as no surprise that little was achieved."

    Proper

    Planning

    Prevents

    Piss

    Poor

    Performance

    I was reading Brian Krebs' Twitter where he was moaning that this is a GDPR problem rather than an ICANN problem: "Waah, I can't query registration info to further my business interests anymore..."

    Why is it that America thinks it has a right to everybody's info?

    They have no concept of privacy (or no desire to implement privacy) unless a gun is put to their fucking heads.

    As somebody replying to him pointed out, companies like Facebook took the piss with people's data for so long, it's no surprise the GDPR was introduced.

    One other thing ICANN - it's not the 1970s anymore. People don't want their name, address and phone number out there for public viewing like an entry in a phonebook.

  19. Mike 137 Silver badge
    Flame

    It's about time someone actually read the GDPR

    I have spent more almost two years now supporting the efforts of businesses towards GDPR compliance and have found that almost everyone has their head in the sand - if not somewhere less salubrious. It's a pity that a body as ubiquitously necessary as ICANN seems to have done what almost everyone else has - NOT READ THE REGULATION!!

    Apart from the 'sensitive' categories of personal data (which I should hope are irrelevant to WHOIS) GDPR prohibits no processing. What it requires is that processing is justified by one of a set of alternative lawful bases and a specified legitimate business purpose.

    It should not be beyond the brains of anyone in business to select an appropriate basis from the list and specify a legitimate purpose for any fair and necessary processing. I suggest to ICANN that the "public interest" basis and "in order to facilitate the registration of domain names and assure the accountability of registrants" might be worth considering. It might just be that simple!

    All the kerfuffle and confusion about GDPR in the corporate sphere arises from not having done the necessary basic homework about what the regulation actually demands, but, two months from going live, it may be a bit late to start.

    1. Snorlax

      Re: It's about time someone actually read the GDPR

      @Mike 137:"Apart from the 'sensitive' categories of personal data (which I should hope are irrelevant to WHOIS)..."

      Any domain registration I've ever done has asked for:

      Name

      Address

      Phone number

      Email

      ...which are all forms of personally identifiable or 'sensitive' information.

      Why does a registrar need to publish them to the world?

      Especially when it's information that they'll happily withhold if you pay a 'privacy' fee.

      Publication of user data in this way should be opt-in, not opt-out.

      1. Mike 137 Silver badge

        Re: It's about time someone actually read the GDPR

        "Name

        Address

        Phone number

        Email

        ...which are all forms of personally identifiable or 'sensitive' information"

        No they are not - please read the GDPR. The sensitive information categories (as set out in Article 9) are:

        racial or ethnic origin

        political opinions

        religious or philosophical beliefs

        trade union membership

        genetic data, biometric data for the purpose of uniquely identifying a natural person

        data concerning health

        data concerning a natural person's sex life or sexual orientation.

        The data categories you list are merely "personal data" under GDPR.

        Article 9 para. 2(g) provides for the public interest basis and purpose I referred to in my original post.

        And in answer to "Why does a registrar need to publish them to the world?" - it's quite simple. It must be possible to hold anyone publishing anything on the web accountable for the lawfulness and propriety of what they publish, just as it is for publishers in paper print. The web as a medium does not confer (and should not confer) any special exemption.

        Given the extent of web publishing, the proportion of cases where release of the publisher's identity might lead to harm is vanishingly small, and could be handled by registrars via an exception process. As a general principle, the motives of any publisher who wants to avoid being held accountable need to be shown to be legitimate (as for example in the case of "whistle blowing" for which there are provisions already on most statute books).

        I might conceptually favour reversal of the current "opt out" for demonstrably private registrants so a private registrant's details would be concealed from public view unless they specifically requested disclosure (in line with the "opt in" for consent under GDPR). However, that would put a burden on registrars both to establish the validity of the asserted "private registrant" status in order to control fraudulent registrations (which are a recognised problem already) and to establish a mechanism whereby legitimate requests for disclosure could be complied with in aid of registrant accountability.

        BTW there's nothing to prevent anyone setting up a PO Box and/or a non-geographical phone number and quoting these in their registration. The critical point is that, directly or indirectly but reliably, the registrant of a web site must be contactable for legitimate purposes.

        1. Snorlax
          Facepalm

          Re: It's about time someone actually read the GDPR

          @Mike 137:"No they are not - please read the GDPR. The sensitive information categories (as set out in Article 9)..."

          The combination of name/address/email/phone # is way more sensitive than any of the other things you listed. Publishing/withholding this specific information from random people is what the article is about; didn't you read it?

          The criteria you list? Irrelevant waffle for the purposes of this article... I've never been asked to detail my religious beliefs or health when ordering a domain.

          "BTW there's nothing to prevent anyone setting up a PO Box and/or a non-geographical phone number and quoting these in their registration."

          How much does a PO box cost per year? £315 per year.

          So, again, explain to me why the onus should be on the registrant to pay for privacy? A two- or three-line answer will be fine...
