back to article Europe's GDPR, Whois shakeup was supposed to trigger spam tsunami – so, er, where is it?

When new European privacy legislation forced internet registries and registrars to withhold the ownership details of internet domain names, a number of groups – including intellectual property lawyers and cybercrime experts – warned it would result in a jump in spam and online fraud. "A lot of people who are using this data …

  1. bombastic bob Silver badge
    Meh

    lots of people pay for privacy service for whois info

    paying extra to use a privacy service for the whois is pretty common, and a good idea if you personally register a domain. you don't want your home address and real name attached, right?

    And so nothing really changed except that, with GDPR, it's theoretically possible to get the same level of service FOR FREE.

    Let's do that in the USA too! I like it already.

    In theory a registrar would need to have the real name/address and so they would know who to serve paperwork on for any kind of legal action.

    That being said, ICANN could require registrars to cooperate with 'due process'. Fixed.

    [it's probably like this already for the privacy services]

    In the USA, you could do something _like_ an 'order to locate' in which you submit paperwork to a judge, in an 'ex parte' hearing (meaning you walk on in between cases) who then reviews the request and then signs or rejects it, most likely signing it if the case it applies to has any kind of merit. Then you serve paperwork after locating the entity/individual, sometimes involving law enforcement in the service, etc..

    The registrar would simply have to honor the judge's order. But it's an extra step, probably doesn't really cost anything more than attorney fees for paperwork, and that will be significant enough for any legal action, so it's like *meh*.

    IANAL disclaimer, YMMV, etc.

    1. big_D

      Re: lots of people pay for privacy service for whois info

      That is how it works already in the EU. If you serve the name provider with an EU based warrant, they have to hand over the registration information for the named domain(s). That has always been the case under EU data protection law.

      You can pass on the PII (personally identifiable information) with either a) the written permission of the identifiable persons in the data or b) a valid EU warrant.

      So, basically, if the judge thinks the case has merit, you can gain access to the information, if he thinks it has no merit or is a fishing expedition, he will refuse the warrant and you don't get the information. A fair way to do business, IMHO.

    2. gnarlymarley

      Re: lots of people pay for privacy service for whois info

      And so nothing really changed except that, with GDPR, it's theoretically possible to get the same level of service FOR FREE.

      Except that the registrar becomes the middle-person. With private domain registration, the registrar had a hidden email forwarder setup, so email sent to the whois contact previous went directly to the domain admin email via a secret forwarding address. Now if that information may not present, then the registrar can hire additional people who can interface between the said domain owner and the complaintee.

      As long as the issue is taken care of, I don't not care who fixes it. My guess is that this may not be as big of a deal as we all originally thought it would be.

    3. John Brown (no body) Silver badge

      Re: lots of people pay for privacy service for whois info

      "In theory a registrar would need to have the real name/address and so they would know who to serve paperwork on for any kind of legal action."

      That's the practice in the EU, even under GDPR. The information isn't generally publicly available but is required to be collected as part of the contract and may be disclosed when required, so long as disclosure is consistent with GDPR.

  2. Evil Auntie

    Spammers have always harvested Whois contact info for junk mail

    The primary reason for paying an additional fee for private registration is to block junk mail. This has always been the case. Rather than pay an extra fee, we decided long ago to create a contact email address just for WHOIS registration.

    It is amazing how much spam this email address attracts. If we were really clever, we'd use it as a honeypot.

  3. Anonymous Coward
    Anonymous Coward

    I rather suspect that the slight reduction in spam may be more due to lists being purged after far too many of us ignored the authorization deluge in our in-boxes in the run-up to GDPR. It's been actually quite noticeable an effect here.

    One thing that you do have to watch for in the future is the entitled few that these IP-enforcement mechanisms support find an alternate mechanism. Twisting, for example, ISDS (Investor-State Dispute Settlement) in already, and future, trade treaties would be one route. I really shouldn't give 'the enemy' ideas though.

  4. Mark 85

    Whois: It's what the lawyers want though...

    So not having the data for free is a bad thing then? I note that it's IP lawyers which obviously includes such groups as the movie and music IP lawyers? It might affect the their bottom line as it will take a bit longer and some more costs...

    1. Doctor Syntax Silver badge

      Re: Whois: It's what the lawyers want though...

      "It might affect the their bottom line as it will take a bit longer and some more costs."

      That's what confuses them. They expect other people to give them money. They don't understand when it works the other way round.

  5. Potemkine! Silver badge

    " intellectual property lawyers "

    Aka "The Lizards".

    1. TonyJ

      Re: " intellectual property lawyers "

      "...Aka "The Lizards"..."

      Excuse me...my son has a Bearded Dragon. Whilst cold, scaly and not actually doing much or of being any real use for anything, I'd still value his worth, trustworthiness, usefulness to society and personality several shades higher than that of most lawyers.

      1. TonyJ

        Re: " intellectual property lawyers "

        "...Excuse me...my son has a Bearded Dragon. Whilst cold, scaly and not actually doing much or of being any real use for anything, I'd still value his worth, trustworthiness, usefulness to society and personality several shades higher than that of most lawyers..."

        Just to reiterate...I am referring to the attributes of the lizard there, not my son... ;)

  6. big_D

    Don't said contracts...

    generally also have a default clause that says if any one clause in the contract turns out to be unenforceable due to local laws, it will be excluded, but the contract itself will remain valid?

    1. Nick Ryan Silver badge

      Re: Don't said contracts...

      It's also quite clear in the GDPR that conflating unnecessary requirements, as part of a contract or terms of service, is not acceptable. Therefore just shoving something arbitrary in a contract will not work.

  7. Pascal Monett Silver badge
    FAIL

    "spammers could run wild with no way to identify and stop them."

    Well given how much spam was going around before GDPR, I'd say they were already running wild with no way to identify and stop them.

    So, no change.

    I love it when facts come like a clue-by-4 in the face of people who spew bullshit to the benefit of only themselves.

    1. Nick Ryan Silver badge

      Re: "spammers could run wild with no way to identify and stop them."

      Yep, I read the arguments about how GDPR would cause an increase in spam. I then re-read them, then read them backwards and even upside down. Even after that I still couldn't see any logic or anything much based in reality other than "special interest groups", or IP laywers and their cronies, getting upset because they'd have to do their job properly.

  8. katrinab Silver badge

    Can't see any real difference

    I can't, for example, see who registered hsbc-payments.co.uk yesterday to use in a phishing run, but I'm pretty sure that before GDPR, I would have seen something along the lines of Domains By Proxy LLC as the registrant. I can see that they domain was registered by Go Daddy, and they will be able to give what information they have to HSBC lawyers / the police / trading standards.

    1. Richard 12 Silver badge

      Re: Can't see any real difference

      On receipt of a valid warrant.

      Which is as it should be.

  9. David Tallboys

    Privacy or accountability ?

    I think I should be able to find out who owns a company.

    I think I should be able to find out out who owns a building.

    So, I think I should be able to find out who owns a website; and who is emailing me.

    And it shouldn't require a warrant or other legal shenanigans.

    You can get company information from Companies House - but the usefulness of this is being diminished by shareholders such as : XYZ Nominees LLC - registered in an overseas place where you cannot find the real beneficial owners.

    I don't think people or companies should be able to conduct business and expect the various protections that the law offers without public disclosure of ownership.

    1. katrinab Silver badge

      Re: Privacy or accountability ?

      The PSC register should tell you who actually owns the company. Of course, the information may not be accurate, that is always a problem.

    2. Anonymous Coward
      Anonymous Coward

      Re: Privacy or accountability ?

      "I think I should be able to find out who owns a company.

      I think I should be able to find out out who owns a building.

      So, I think I should be able to find out who owns a website; and who is emailing me."

      So according to you, the name and addresses of the owners of each company and buildings should be displayed prominently on their front, which would be the equivalent to the current Whois system?

      And the post office should ask for IDs before accepting snail mail sent to you, because you assert u must know who is the sender of mail?

      Anon, because ElReg decided that you do not need to know who's replying...

      1. David Tallboys

        Re: Privacy or accountability ?

        Companies are supposed (in the UK) to list their name outside their premises. Companies House in the UK then provides, for a modest fee or none, the ownership.

        Yes, I think the sender of every piece of mail should disclose who they are. Are you sending something you shouldn't?

  10. Keith Langmead

    Tracking new domains

    "Prior to the implementation of the GDPR, many researchers feared that an increase in spam would be an unintended consequence of the law because security researchers would no longer be able to use Whois information to track new domain registrations and identify potentially bad domains,"

    Except of course that they still can even after GDPR! You might not be able to view the contact details for a domain, though as others have pointed out those were commonly obscured previously anyway so of limited use, but the registration, updated and expiry dates are still visible which are surely the only really useful elements for consistently seeing if a domain is new so won't have any reputation.

  11. Anonymous Coward
    Anonymous Coward

    not much spam but...

    The issue I'm most aware of relates to .UK names but it must be similar with .COMs.

    I used to hold hundreds of domain names on behalf of clients registered using my business' contact details. As it happens that email address got surprisingly little spam.

    As those clients moved away (I closed my business several years ago) very few clients or their new providers updated their contact details at Nominet (although I advised them to do so).

    Consequently Nominet now holds an obsolete postal address, a disconnected phone number and the email address of a now defunct company for around a hundred domains. Should Nominet or anyone else wish to contact the domain name owner they've got a problem...

    The same issue will apply to many hundreds of defunct web site design businesses as it was (is?) a widespread practise for them to hold the registration on their client's behalf.

    Past experience is that, in the event of no response to an expiry alert email, all Nominet do is suspend the name and later de-register it. They could, but don't, use postal or telephone contact or get fresh contact details from the web-site. With an active domain, suspension will mean the owner probably finds out quite quickly as the website and email will stop working. A bigger problem is with secondary names held defensively for example to protect a name variant or product name. One of my former clients had a variant of their primary name registered to themselves, it lapsed because they'd omitted to update the record at Nominet when they changed email address so Nominet's warnings went into a black-hole.

    If the domain name owner wishes to check his domain is registered to himself or check who holds the name on his behalf it is no longer a simple online lookup. He could identify the tag holder and they may help but how many individuals or small businesses would know how? And I guess disclosing those contact details could be in breach of GDPR and so he would have to engage with Nominet (£££).

    Many end-users want a simple relationship with one provider, one bill to cover web site design/maintenance, domain name renewal and hosting. Many will not understand if they get separate bills.

    Last year (pre GDPR) the owner of a small business asked me what to do because he'd been unable to contact the web site designer. From his non-IT literate perspective he'd paid a guy to build him a web site and that was it, he'd paid one bill and had no idea about domain name registration or hosting. I looked it up for him and emailed him the details. I advised him to try to gain control of the name and hosting but I doubt he really understood (and I'm retired, don't want to start taking on work).

    1. John Brown (no body) Silver badge

      Re: not much spam but...

      "As those clients moved away (I closed my business several years ago) very few clients or their new providers updated their contact details at Nominet (although I advised them to do so)."

      I'm sure that as the registrant, you contacted Nominet to let them know of the change of registrant otherwise Nominet would be transferring ownership based purely on some strangers say so.

  12. Anonymous Coward
    Anonymous Coward

    "Fear mongers forced to eat shorts"

    Were they also prohibited from having a cow, man?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like