Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Are Public WHOIS Records Necessary? 122

Logic Bomb writes: "CNN is hosting an interesting article from the Associated Press about WHOIS records. Privacy advocates do not like that the owner of a domain name, along with personal contact information, must be made public. It's an interesting issue embodying some larger debates, like whether one truly "owns" a domain name. A justification for public databases of registrants, given by one person quoted in the article, is that the domain name system is a public resource, and therefore you only own the right to use a domain name, not the name itself. People have a right to know who is controlling elements of a public resource, so whois records should be open to all."
This discussion has been archived. No new comments can be posted.

Are Public WHOIS Records Necessary?

Comments Filter:

  • I just started getting nailed with spam, and from big names too like verizon, and abercrombiekids at an addresses that didnt even exist until a few days ago. Well, actually, since I added that address to my qmail dot files the mail is getting through now. The address must have been build from my first name and my domain. Theres only one place where that info would have come from.

    But the spam company does give my the option of opting-out, FROM EACH SPAM CAMPAIGN, ONE AT A TIME AS THE SPAM COMES IN.
    Behold the convenience http://mx01.edirectnetwork.net/cgi-bin/optout.cgi? email=sucker@yourdomain.com&e=734813 &ppi d=1

    I should note that I add new aliases all the time to help me track - and stop - the sources of spam.

    So do I, but I do it with Sneakemail [sneakemail.com], thats what it was made for.
  • One of the reasons I went with NIC.cx [niccx.com] and got my .cx domain [digdug.cx] is that they don't publicize your personal information without you allowing it. (That policy has been changed now, don't bother.)

    Also, when I found the exploit [geekissues.org] in MBNA [mbna.com]'s online credit card application system, it is precisely this information (I also own a .org and a .com domain) they used to contact me and threaten me in several ways.

    --

  • There's one big advantage to knowing how to contact who owns the domain name: responsibility.
    If I'm corresponding with salesperson@some-business.com, and they're not conducting business in an appropriate manner (e.g. insulting my mother, lying about the product, etc.) then the WHOIS records can probably point me towards someone above their head to talk to.
    Another way of looking at it is if someone creates a domain for spam, and starts harassing me, WHOIS gives me contact info for the owner.
    People who realize that their domain's registration info is publicly available are probably far less likely to do immature things like spam...
  • Try:

    $ fwhois slashdot.org@whois.internic.net
  • by Zocalo ( 252965 ) on Thursday November 16, 2000 @12:39AM (#620733) Homepage
    Precisely my view - I couldn't have put it better, and since I am in the same situation, I would have probably have made an almost identical post if you hadn't got there first! The only people who use WHOIS properly are probably in it, and if you use it properly I really can't see you wanting it removed.

    I always check WHOIS for a domain before sending out those "abuse@" and "...master@" type emails, just in case. We recently had a major series of alerts on our firewall from a host in another ISP's address pool, and it looked very much like we had been compromised. Ran WHOIS against the offending domain and it turns out to be the personal domain of a consultant we were using who had locked himself out of our system and was trying to get back in to fix the problem. The matter was "discussed". Without WHOIS though, the guy would have got a napalm enema from his ISP because he tried to avoid getting us out of bed in the early hours or the morning.

    Let's face it; the only people who really stand to gain from removal of the WHOIS database are the companies that have something to hide and generate most of the negative press the Internet receives. Or can someone provide an example of a genuine, non-privacy, reason to withhold details from WHOIS that cannot be worked around? We are talking about a technical contact here; an employee who's views may not reflect that of the employer, and may even work for a different company remember.

    And as for spam, I use a dedicated email address for this type of thing anyway, which means you can really tighten up the email filters... Or alternatively, has anyone tried submitting a fred@NOSPAM.domain.com type email to WHOIS to break the spammer's scripts?

  • That is borderline - If I receive paper junkmail, I can quickly leaf though it and bin the rest. When I get Espam, I have first to PAY for the download, then get to delete it....
    --
  • I've really had it with all this 'domain names are a public resource' shit, they are not. It's not like there's one namespace where domainnames go. The full identification for a domain name technically would have to include which rootservers you are using, so domainnames are a service offered by the owner of those. (Of course, they could still 'sell' them if they wanted).

    But there is _not_ only one DNS namespace, DNS entries are not public resources.
  • Working for an ISP in the UK, if whois info was confidential, this would seriously impact our ability to handle abuse.

    Suddenly, we'd have to ask some "third party" to handle abuse queries for us, as we wouldn't be able to contact the registrants of particular domains directly.

    Whats the bet that this third party would a) charge for this service and b) only operate in US time??

    This situation would be untenable, and if anyone seriously proposes that this be done, I don't think any ISP would actually back it.

    chrome.
  • You think you're anonymous as is? Why should domain owners be different? I admit the spam potential is pretty bad, but other than that all of the same info is found in any emails you send. I don't see the difference here.
  • Davidson said times have changed, and the Internet must change as well.

    "Now, you have regular people using it and there's a much greater need to protect privacy," he said.

    I think that about sums up the problem. "Regular" people can see who is who and owns what. Can't have the peasants getting too informed can we?

  • Well first keep your customers happy . Or you could just go to a Mailboxes etc or the postoffice and get a PO Box and use that. It also gives the advantage that you will get your notices even if you move
  • Tansparency and openess is essential to a (socially) functioning internet, and that can only be acheived if the source of all information is public record

    Are you saying that a society can only function if the source of all information is public record? I think that's nonsense, I even think that "anonymous pamphleteering" can be of great value. It provides a means to express unpopular views. Expression of unpopular ideas is good.

    The fact that anonymity can be abused for fraud is less important than the protection it can offer those who have unpopular, but important, things to say.

    [...]
    ... and I might be wrong, but I think they got 'em with a domain registration...

    You mean the WHOIS record for their domain listed the 'parent' companies? If they got 'em that way, they've just been stupid.

  • Very reasonable.

    Guess, I didn't see it enough from an admins perspective who has to contact somebody (or multiple entities) at once. And ten days for 16 addresses sounds like enough to deter a spammer.

    You mentioned naive and I fear you're on the spot here. Somebody, somewhere finds a way to hack it. Even if this means bribing somebody who's in the position to get that information without restrictions.

  • We the "owners" of the sites should have the power to decide whether or not our info is displayed, other-wise it could just say Anonymous Coward!!!
    The problem with this is abuse tracking. If the information currently contained at places like internic (nsi, whatever) for domain names, and much more significantly RIPE etc, for admins of IP blocks, was not universally public, no-one could ever prosecute a case of abuse, because the first move for a spammer/cracker/incompetent admin would be to remove their details from public record and disable Postmaster@foo.com
    ~cHris
    --
    Chris Naden
    "Sometimes, home is just where you pour your coffee"
  • dotster.com [dotster.com] provides domain registration service that doesn't reveal the billing contact. A few posters have brought up the rationale that it's necessary so that people know who to contact in case of abuse from or to the site. That's fine. Technical and administrative contacts SHOULD be public information. But really, what would justify a third party knowing your billing information? The link above provides a good median between the two. Not to mention that (AFAIK) it isn't NSI.
  • As afr as htings other than email. As a network /security person i have to contact the technical contact when i get attacks from networks. In these cases an email address is useless. You can be pretty much assured that the 'cracker' has compromise the admins email account and will >/dev/null any reports that i send. In this case a phhone number is the most relaible and trustable contact method I have. Though the option for a public PGP key would be kinda cool
  • Let us not forget what DNS really is here... and please, let's not forget that the only thing that gives whoever the controlling body (ICANN & NETSOL) *any* real power is the fact that we all basically use the same root nameservers, and *let* them control them.

    I actually believe two things.
    1) The email addresses given for domain registrations should be *private* and for administrative purposes only. STRICTLY for administrative purposes only. Not to be sold to spammers.
    2) Mailing addresses and other standard contact information should be made available as to who the registered owner is. Technical contact should always be reachable by phone. Real owner should as well. No fraudulent information should be accepted.
    3) There should be a standard email address at every domain like 'domain@' whom will receive mail related to the domain.

    But let's remember, again, what gives this power. If icann ever gets really out of hand, alittle friendly revolt (generally without some other party trying to rise to power) will take care of the situation.
  • I don't know about the US, but in Canada, we call giving out false information FRAUD, and it's a crime.

    Sure, they historically don't do anything about it.... but believe it or not, in this case, Mr. Gates *could* SUE you, quite easily, if you had pretended to be him registering a domain.

    And yes. I know you were being funny. And it was!
  • Of course they should stay, and this author makes a great point.......if you ever need to contact someone at the other site, this is the best way...... Of course, if yer in my situation, and someone has already registered a domain with your company's name, WHOIS provides a great way to contact those people.....unless of course, all the contact information in there (phone, e-mail) is garbage....
  • You're absolutely right. For most people, setting up a web page is a form of self-promotion. For the tiny number of people who are corporate whistleblowers or whatever, these options deal with it.

    This is also how I deal with all those annoying mandatory questionnaires in Eudora, etc.: give the wrong age, wrong gender, wrong zip code and income, wrong everything. If enough people give fake info, it will remove the incentive to try to collect the info.

    If spam is a problem, people can pick an ISP that uses spam filtering.

    --

  • Indeed.


    You need the registrant information, simply to contact people. Whether or not you put your actual info down is another thing entirely - as long as it goes to an email address that gets to you, then put whatever you want.


    I've tracked down a number of spammers using a chain of whois info (whois the spam domain. Find out who owns it. Whois the owner. Find their owner. Whois that owner. Find a contact email and number. Yell/LART as desired). I've contacted businesses based on their domain and info provided - I'd say you put up as much as you want, but there must be some way to contact you. Someone suggested a front that you register with, and they then pass the info. Fine. As long as I can get to the source, I don't care.


    And I don't put my info in registrations - I put down my first name, last initial, and an email alias. The rest of it is either company info or a po box.


    Protect your own privacy, and limit as little as you can at the base.


    So there.

  • Correct. The contact data should really be split
    between domainnames and ip addresses. Then you
    can have contacts for the machines and contacts
    for the domains, with the machine contacts being
    very useful to network people, and domain contacts
    being more useful for business purposes.

    It's really a data normalization problem.

    The ip addresses must be unique in one table,
    with domain names not having to be unique once
    they are qualified with the rootserver.

    Once split, technical contact still works,
    but you can have competition for nameservers,
    and in fact, can create new TLDs.
  • Speaking as someone who has been rung up, threatened, and verbally abused, as a direct result of some content on a domain that was in my name, I would simply like to say "fuck that".

    I'm simply glad I listed a PO box as contact address, rather than my residential address, since the individual in question lived in the same town. I imagine if that had not been the case, I would have ended up on one end or another of some assault charges.

  • You don't have to know any Unix tools to do a whois. All you need is internet access. See here [swhois.net], here [amnesi.com], here [allwhois.com], or just do an internet search for whois. You'll get a ton.

    But, if you take precautions, the info they can get isn't anything special. Slashdot's info [amnesi.com] is a good example of how the email can be set up. For security reasons, the phone number should be an 800 number. If it is not, someone can use a war dialer to dial all the numbers on that phone exchange to figure out which lines, if any, have dialup servers. There are still plenty of cracks where the initial point of entry is a dialup server, believe it or not.

  • Exactly, there are clearly situations when this information should not be publicly available.

    Imagine you live in China or some country like that and you're trying to criticize the government on your website. Oh, but you really can't do that because they can easily know where you live and that can be dangerous for your life! Or imagine you're a writer running a weblog, showing some of your provocative writing to the world, infuriating by chance members of some conservative community. Now they too know where you live, they can surely drive down to pay you a visit, harrass you, throw things at your house, nice stuff like that.

    I see a lot of posts talking about how this is useful for network admins (for spam or DoS issues, for instance). It is. But think about how the Internet is being used today; this is NOT your academic environment of yore when you used the Whois DB to get in touch with your fellow hackers, talk about routers while getting a beer. The Net is being used for many other activities, some of which need and deserve some amount of privacy. And I also think the get-yourself-a-geocities-account-then answer is not acceptable.

  • Whois listing for a spam host:

    Registrant:
    MatrixHost
    not listed
    Notlisted, Notlisted 99999
    United States

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: MATRIX-HOST.COM
    Created on: 13-NOV-00
    Expires on: 13-NOV-01
    Last Updated on: 13-NOV-00

    Administrative Contact:
    Levites, Seagen seagen@matrixhost.com
    MatrixHost
    not listed
    Notlisted, Notlisted 99999
    United States
    not listed
    Technical Contact:
    Levites, Seagen seagen@matrixhost.com
    MatrixHost
    not listed
    Notlisted, Notlisted 99999
    United States
    not listed

    Domain servers in listed order:
    NS1.DOTSTERINC.COM 216.34.94.170
    NS2.DOTSTERINC.COM 64.85.73.15
  • I'd like to address one point in your post:

    Last I checked most free web page services required a real name and addy.

    *snort*

    Of course, if they don't verify, it would be easy to circumvent

    While it's not a matter of free web hosting, but rather free access to a website, I offer the following: nytimes.com, to the best of their knowledge, believes me to be a middle-aged woman with a PhD who makes 60-80k/year. I don't think they have any more going in the way of verification than sites giving away webpages.
  • my question is, how many people actually know of whois? i bet, that not many - sure all of us geeks know it but who else? typical internet-home users have no idea of it.

    imho it should be freely available as it has been (if you know where to look for, nowadays)

  • by CaptainZapp ( 182233 ) on Wednesday November 15, 2000 @11:03PM (#620757) Homepage
    Basically, the WHOIS database should stay public, period. (Hey, it's one of the most valuable get that spammer tools after all).

    However, some measures should be implemented that make address harvesting totally unprofitable.

    For example: The web accessible database only reveals the name (or company) that owns the domain. To get all the information you have to request that by e-mail. This would allow the following scenario:

    Only one request per e-mail

    A maximum of three requests per day, per e-mail address. Alternatively: only one request per e-mail address can be pending. All other requests are trashed

    A three hour delay between the request and the response

    Known spammer domains are not eligible to retrieve the information

    This would have to be applied on a world wide scale, meaning that all registrars and all country nics must adhere to those rules or have their registration privileges yanked.

    Would this make abuses of whois impossible? Probably not. But it would make address harvesting very uneconomic. Considering that spammers are gread freeks by default they would try different attempts to gather mail addresses.

  • What du you mean "out of business"? If you use your domain for business purposes, you'll most probably have a business address that you publicize. What's wrong with registering that instead of your home address?
  • One gem from the article:
    "It's the model that's out there," said John Kane, head of a marketing task force for Afilias, which is seeking a .web suffix. "It's a public resource. You don't own a domain name. You own the right to use it."
    Names have value - especially on the internet. You only have to look at the story [wired.com] of sex.com to see that. Registrars understand this. Heck, its their business.

    So if the individual only buys the right to use a name - who owns the name? The public? Hardly. One doesn't pay the public trust for use of the name. One pays the registrar. When looking at some of the registrar contracts, one gets the distinct impression that registrars are claiming ownership of these "public resources".

  • That you must reveal your secret identity if you want to get your own domain.
    OR
    You have no method of finding out who is behind a site. Oh, that linux site was registred by foo@microsoft.com...

    I say tough luck Clark Kent!

  • by octalman ( 169480 ) on Wednesday November 15, 2000 @11:06PM (#620761)
    There are two sides to this coin, and each is important. I see a couple of references to land record registrations, but a more accurate analogy, which many of us may not even be aware of, is the requirement for anyone engaging in business to register any name used in the business (known in some states as legal alias, assumed name in others) which differs from the person's name. This is so shysters (and others) can't hide.

    The other side is the desire, even the need for anonymity in some cases. In no event should any corporation, or other business entity, ever need, or be allowed to act anonymously. That should be reserved to individuals only, and used wisely and with discretion.

    That said, ALL commercial URL's should be required to comply with legal alias/assumed name registration. The rest of us, well, leave it to our individual discretion, but please do respect the need for occasional complete anonymity.
  • I hit my karma ceiling 6 months ago. Give me all the fives you want, I'll never go up....

    Shouldn't you be off playing with yer new playstation 2 anyway?

  • I regularly use the whois DB to get the deetails of the owner of a site which has facilitated SPAM by having crap security.

    The responses have been generally fair. Most times they say mea culpa (sp?) and trash the account of the SPAMmer. Of course they just move on to another ISP but it's an inconvenience that's my only legit weapon against them.

    I say keep this DB. The details don't need to be personal afterall, they've got their own domain! They can give a Title instead of a name and an e-mail address in the domain instead of a personal one.

    This is an important resource in the fight against people who run such appaulingly insecure mail servers that SPAMmers the world over use them with impunity. Every mail server that's closed up is one less that SPAMmers can use.

    Craig.

  • I am starting up a small web based business, and I have found the whois information valuable for two main reasons:
    1. I can investigate possible names for my business without having to do a full trademark search for every one. This is deeper than just checking to see if a domain is available because...
    2. Some companies have marginal claim to a domain based on their current corporate name or product names and may be willing to part with it, if it is not currently hosting a web site. In this case, it is nice to be able to email or phone a human and ask about the domain's status.

    I currently hold about 20 domains. About a third of those are actively being used, and the rest are pseudo-speculation for my business: I want the domains for future branding reasons, but there is no guarentee that I will actually use them.

    I am quite happy to supply my contact information regarding those names. Truth be told, I would appreciate being contacted if someone else felt they had a claim on one of the names. And I don't mean that I want to make buckets of cash reselling the domain: it simply makes business sense that if there is already a strong brand, I should probably avoid it for my own business.

    On a personal level, as others have mentioned here, the information I have provided is already quite public, although not necessarily so accessible. Is there any current tracking of whois lookups? I don't know for sure, but I certainly doubt it as the quantity of data would be substantial. Such tracking could conceivably be used as discouragement against inappropriate use of the whois data, similar to the tracking of credit information requests. But, such tracking also begs the question... it is also somewhat of an invasion of privacy.

    Also like other posters, I don't think it's that critical of an issue, and anyone who is making it so should probably be picking a fight elsewhere. I personally find whois useful, but neither would it destroy me if it was no longer publicly available...
  • Speaking as a network administrator, whois records perform a vital function. It allows admins from one site to be able to find and contact admins at another site when network problems occur. Problems such as routing issues security compromises and open mail relays. There is no better way to find out how to contact the maintainers of a network for operational problems than WHOIS.

    Agreed completely - but can we please NOT follow the example of web2010.com, who created the following WHOIS entry for me on a domain of mine:

    whois holly-marie-coombs.com@whois.corenic.net
    [whois.corenic.net]
    James Sutherland (template COCO-645538) jas88@cam.ac.uk
    20 Young St
    Craigie
    Perth, - PH2 OEF uk

    Domain Name: holly-marie-coombs.com
    Status: production

    Admin Contact:
    James Sutherland (COCO-645538)
    jas88@cam.ac.uk
    +441738443515 (snip)
    Contact information is one thing, but my home address and 'phone number?!

  • Open SRS is THE best resourse for for dom reg there is. NSI is a ridiculous, monopolistic approach to applying the reins to a free range animal. Working for a hosting company has proven this to me. As for whois records. Very usefull when it comes to getting domains transfered that NSI refuses, or makes nearly impossible to let go. Tucows gets props.
  • Instead of discussing public/not public, maybe a better discussion is public information set/private information set.

    I have used the WHOIS information on several occasions:
    • Notify a company that I cannot connect to their server
    • Notify a company that their registration information has expired and I cannot connect to their server
    • Contact a company to see if I could purchase their domain name
    On all of these instances, all I needed was the email address of a technical contact. I did not need phone numbers, names, or addresses.

    So it appears that all that is really needed for public WHOIS is:
    • domain name
    • company/person holding the name
    • email contacts
    Yes ... I too have gotten spam when I ordered a new domain name, but it usually only lasts a couple of weeks and goes away. I am willing to live with that if it means a helpful internet admin someplace can take a couple of minutes to let me know that my server is not accessable, and keep my butt out of a sling....

    Does anyone really know what internet time it is??/Does anyone really care??
  • I'm not advocating the abolishment of all anonymous communication. There's a big difference between posting as an anonymous coward and presenting yourself as nabisco.com when your really paul turcott of barrie ontario.

    The argument for anonynimity is not an argument for impersonation.

  • both in the case of what's happend with DNS, and with other things throughout life/history.. is when something that was rather beautiful/elegant, and based on a simple service goes awry.

    Take DNS.

    I had no problem with NetSol running the Internic way back when. I had no problem with the 'rules' about who could regiser what. I even had no problem when the US Govt. stopped funding the thing, and Internic started charging a registration fee. (I mean, it DOES cost money to run the registry).
    The thing that I have a problem with, is netsol went from honorably running the registry, to turning the registry database into a commoditty; rather than something available to everyone, anytime, it was now something they wanted you to pay to access. Then they started hiding email addresses.. and just basically changing the rules. Notice that they didn't even attempt to rock the boat until they got really big.

    The thing that gets me is, they got the valuable information, or shoudl I say potentially valuable, because people, consciously or unconsciously, trusted them to run the registry in a cool manner.
    Now they screw it up.
  • A very good point. It is exactly like the contact address of a registered business - something which is required when you register a business, and is public (though a bit harder to find, not much).

    URLs and e-mail addresses can certainly be "unlisted" and provide you with whatever levels of privacy are actually possible. As the registrant of a domain, though, it makes sense for you to have contact info available in the case where other system operators need to contact you because of abuse coming from your site, in order to track down problems in the (shared) Internet network infrastructure (though these days, this is less common), etc.

    If you're worried about someone knowing that you own www.hotsexbabes.com or whatever, you can always register under an assumed name and use a P.O. Box address (you can even get "anonymous remailer" P.O. Boxes). As long as you have a legitimate e-mail address where you can be contacted, so the registrar can send you your forms, and a valid method of payment, the registrars don't really care very much what name and address you use.

    This may be more trouble for you, but if privacy is a concern, you can get a reasonable amount of it without denying others in the community the ability to contact you about your site if it seems to be the source of some issues. (An argument could be made that you can always send such issues to root@domainname.com - but I think the ability to send a "cease and desist" letter to persistent spam sites and other nuisances is of some value - though, of course, the registrars don't actually check valid physical addresses...)

    While I can see the valid points of both the privacy argument and the community argument, I think one can get reasonable enough privacy protection if desired that having WHOIS public is not such a big negative deal and the community seems to like having it...

  • don't think that it makes it any different. With a little patience at city hall, I can dredge up the registration and information on just about anything. Companies register with city hall, names and addresses. Restaurants register liqour licenses with City Hall. Homeowners register renovations with city hall. I just have to get my lazy ass out from in front of my screen, that's the only difference.

    And, on top of that, in Canada (where I am) there are laws that govern the request for information. I can submit a request to city hall for any public records, and any company that exists, more of their records are public than they think. The company from whom I request has a set period of time to reply with either the info that I requested or a damned good excuse, which I can appeal.

    It's not a matter of public vs. private, it's a matter of availability.

  • It allows admins from one site to be able to find and contact admins at another site when network problems occur

    Now if only these people actually read their email...

    I'm sure plenty of them do, but I recently tried contacting the admins at cw.net about a problem with their servers. They appear to be suffering some major traffic overload in the afternoons. My packets get routed through them when going from my ISP to my dedicated server, and two hops in cw.net's domain add over 600ms to the ping time. An 800ms ping may be okay for web surfing, but it makes a linux shell almost useless.

    --

  • I dare you to live in a 3rd world country and say that.

    Man, some Americans are stupid.

    --
  • Isn't your address and phone number also contact information?

    And is there a good reason you provided your home address and phone as administrative contact information?

  • I would like to second this.

    When one of our customers "moves" a domain name to our system we have a nightly perl script that does a regex on the whois record for their domain to see if they actually changed the DNS and Tech contact over to our systems.

    Without whois, we would have a very hard time determining who had control over what domain, and where that domain was hosted!
  • Which part, exactly, is public? You own the computer, either a telco or cableco connects you to an ISP, the ISP owns the servers, routers, and such which connect you to the backbone, which is owned by BtelcosFH.

    Once upon a time, not so long ago, acutally, your claim would have been correct, but no longer.

  • I disagree. If you run a web server from your own computer, it gets connected through the telco and telco/ISP servers and routers, but you are still in control of the domain. When you purchase services from the telco and ISP, even to "rent" server space to host a site, the person who registers the domain is still the "owner". He/she may not own the actual wiring or even the computer the domain runs off of, but the registrant is still responsible for that domain name. The intent is still to remain public.

    The telco, ISP, and other services we buy are just that - services which get a person what they want: their own domain, which is public. I think we're just looking at the exact same thing from different points of view.

  • And as for spam, I use a dedicated email address for this type of thing anyway,

    At work, our domain used to be hosted by a third-party, as we didn't have the in-house know how to do it ourselves. On the WHOIS information, one of the three contacts was someone at our company, while the other two contact points were people at that third-party that did the hosting. The e-mail address listed for the guy at our company was his first name @ our domain.com. However, when the people doing our hosting actually set up e-mail accounts, he went with his first initial followed by his last name. Furthermore, when we took control of the domain ourself (about 5 months ago), he vanished from the WHOIS information completely.

    This address that is not, was not, and will not be valid (except for a few days in the transition where I had set up the mail server to forward any unknown addresses to me; Postfix's luser_relay option for the curious). Scanning the mail logs for the past 4.5 weeks indicates 64 attempts to send mail to the address. For an address that, aside from a WHOIS record, was *never* used.

  • If you want an anonymous web site, there's the bottom-feeders: GeoCities, Tripod, etc. So if you have a real need for an anonymous web site, perhaps because you're involved in some political issue, that's available.

    Businesses can't be anonymous, at least in the US. There has to be an address for service of process somewhere. (If it's fake, winning default judgements is really easy.) So it's not a business issue.

    Spam is the only big problem, and only because it's still legal. We need to fix that. There are only a few hundred spammers, after all.

    So people can get your address. What are they going to do, come and beat you up? The idiots who threaten via E-mail are unlikely to do much in person. A friend of mine puts on her web site "If you have something nasty, dirty, whatever, to say to us, don't share your gutlessness here--come say it to our faces. You know where to find us--San Francisco, California. Just ask around..." Few take her up on it.

    All my domains carry my name and address. Maybe three times a year somebody says something nasty. Only one real threat in the last five years, and that was when I exposed an invention-broker scam. He's out of business and I'm still here. And I'm the guy who runs Downside [downside.com], which predicts dot-com failures. So quit worrying.

  • I'm more uncomfortable with NSI having my contact info than the public in general. They've shown themselves willing to spam; what but "honor" keeps them from pulling email addresses out of the whois database?

    ----
  • Strange.

    whois queries to whois.internic.net and whois.networksolutions.com both (apparently) refer to whois.networksolutions.com, yet each give differing amounts of info.

    could this be purposely done to confuse old folks like me?

    or is my brain just fried from to much coffee this morning?

    I've puzzled over this one. The problem is that the whois database for the .com, .net and .org domains is distributed, and ONLY Network Solutions has the master copy.

    It could also have something to do with their terms and conditions of use for the database, too. I dunno - I'm not a registry :/

    -- And let there be light... so he fluffed the light spell
  • Unfortunately, the default in England and Aus is the same - per-minute charges for dialup, due to the local telephone monopoly dragging it's feet over unmetered access for isps.
    --
  • I never said you could use my name! Your penelty will involve deleting all traces of Linux on your computer and intsall my latest & greatst OS Windows ME. If you do not comply you will be shot in front or a firing squad.

  • by Greg@RageNet ( 39860 ) on Wednesday November 15, 2000 @09:48PM (#620784) Homepage
    Speaking as a network administrator, whois records perform a vital function. It allows admins from one site to be able to find and contact admins at another site when network problems occur. Problems such as routing issues security compromises and open mail relays. There is no better way to find out how to contact the maintainers of a network for operational problems than WHOIS.

    OTOH, I dispise the commercial abuse of the whois database to spam those listed.

    WHOIS should stay, with strict penalties for those proven to data-mine and spam listees; Without involving the legal system it could simply be ruled that anyone guilty of wholesale mining of WHOIS would be effectively removed from the internet by putting all of their registered domains on hold.

    -- Greg
  • NSOL/Verisign spam is not all that frequent.

    I'd hesitate to accuse them of selling the email database outright, since it's so damn easy to write a script that slowly scans whois for emails.

    But in my experience, very few people actually do that. Mostly, the same list gets sold and resold. Even when I use /etc/mail/access.db to fake that the address is dead, they keep re-selling it to new losers; after all, shouldn't you get more money for a big list than a small one? Spam is so fly-by-night that the consequences for selling crap addresses are small.

    I should note that I add new aliases all the time to help me track - and stop - the sources of spam.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • by Yardley ( 135408 ) on Wednesday November 15, 2000 @09:40PM (#620786) Homepage
    The WHOIS database should be the way it was when it was first created, an open, free, non-commercial registry of domain names. Can we please get Network Solutions (or Versign now) out of the drivers seat and then consider whether WHOIS info should be kept confidential. I'm thinking it shouldn't, but it doesn't matter to me at this step since having Network Solution (or Versign) in control means I don't use it.

    --
  • Isn't your address and phone number also contact information?

    It is contact information, but it is the wrong contact information! I do not control those DNS servers or that zone. They do.

    And is there a good reason you provided your home address and phone as administrative contact information?

    I didn't. That's why I'm complaining: this was the billing info for my credit card! I have no control over the WHOIS entry: they created it from my billing info without informing me.

  • We the "owners" of the sites should have the power to decide whether or not our info is displayed, other-wise it could just say Anonymous Coward!!!
  • by vheissu ( 229617 ) on Wednesday November 15, 2000 @09:54PM (#620789)
    I'm really having trouble seeing this as something to get worked up over. If I build a house, it is possible for anyone to go to the deeds office and find out that I own the land, and even how much the county thinks it is worth. If it is a commercial building, they may even give out the blueprints and results of code inspections. How is a domain name different? If your message is so important that you are willing to pay a regular fee and obtain the appropriate resources to make it available, it should be worth making it possible to contact you. If whois is really such an anathema, there are many other options available: the free nameserver pages (cjb.net, et al), free pages hosted on geocities, I suppose freenet if that ever becomes functional. Aside from that, being able to be contacted in case of an emergency is important--when script kiddies take your machine and use it to DoS someone on your day off, wouldn't you appreciate a phone call? Or can you depend on someone getting your e-mail address when your pipe is full? IMHO, the best option is a central database for this kind of thing.
  • Ah, I see now. My apologies for assuming too much.

    That is wrong, but it isn't something wrong with WHOIS. Your registrar screwed up, either by accident or design. You should fix that. Only the really cheap, fly-by-night registrars charge for changing contact information (as opposed to registrant information).

    Oh, and the only contact that needs to be related to contol of the DNS zone is the technical one. You want that one like that so they can make necessary changes if the name service changes. The rest of the contacts are usually related to the registrant.

  • I am reasonably certain I have never met anyone on the net that ever put their real adress on anything net related. Which is probably why that article was written by CNN and not slashdot. I would estimate that a good 90% of all webmasters could care less about WHOIS because I'm sure they simply filled in the information of a handy alias.

    Please forward all criticism to
    Miss Lydia Finnigan
    912 Bells Avenue #77
    Detroit, MI 48116
    313/626-4200

  • by Frymaster ( 171343 ) on Wednesday November 15, 2000 @09:43PM (#620792) Homepage Journal
    Wow, am I going to be unpopular...

    Tansparency and openess is essential to a (socially) functioning internet, and that can only be acheived if the source of all information is public record. In British Columbia four or five years ago, it was uncovered (after a lot of investigative work) that a pro-forestry "citizens group" that did a lot of pro-job/anti-hippie lobbying of the government had in fact been set up, funded and controlled by a joint effort of Interfor and MacMillan Bloedell (two forestry companies). A massive abuse of public trust and gross misrepresentation to the public that put a whole pile of egg on both corporations faces.... the bottom line is that this organization masqueraded as a "citizen's group" for several years before being exposed, and only after a very exhaustive investigation by several media outlets and environmental groups...

    ... and I might be wrong, but I think they got 'em with a domain registration...

  • by Cardinal ( 311 ) on Wednesday November 15, 2000 @09:56PM (#620793)
    It's not exactly a new thing in the whois database. Rather than post information about Bob Woodward, the Account Rep who pays the NSI bill, assign your billing contact to "Internet Accounting".

    Technical contact should almost always be a role anyway, to save great amounts of trouble when your IT guy with his name on all your domains leaves. Any self-respecting ISP that registers domain names frequently will have a generic internic@isp.com or something similar for interfacing with domain registration.
  • by fluxrad ( 125130 ) on Wednesday November 15, 2000 @09:57PM (#620794) Homepage
    sorry, this might be considered off topic, but i earnestly believe it's a sign of trouble when questions like this even have to be asked. Happenings like this prove that the internet is turning away from what it once was, a microcasm(sp) of the world, but one that was open and free(ish). There was etiquite, and those who abused the system were shunned. Not necessarily punished by "societal" standars, but certainly avoided and black-listed to a certain extent.

    It seems to me that this is changing. The whois database used to be just a simple means of finding out who owned a website, getting their contact information, and then contacting them. Now-a-days, it's become a means of grabbing more email for spam, or for offers to buy the domain from them, or (in a worst case scenario) it helps people figure out who to sue.

    Idunno, i look back and i think, when i started on the 'net, i saw it catching on and i thought this would be a great way for people to change their ways; learn to live in a communal environment where everyone played by the rules and those who didn't were swiftly and effectively dealt with...

    seems to me rather than the internet changing us, we're changing the 'net.


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network
  • by GCP ( 122438 ) on Wednesday November 15, 2000 @09:58PM (#620795)
    I REALLY don't want disgruntled customers to have access to my home address. I can't give the registrars a phony address, though, because I can't risk losing my domain name because the renewal notice doesn't reach me. I also don't want to have to shell out the money for an outside mailbox service just for one letter a year. (With that volume of mail, I might miss my letter anyway.)

    Add that to the registrar's claim that *they* really own my domain name anyway, and if they take it from me or accidentally "lose" it ("oops, well too bad for you") I'm out of business.

    What can you say about a company that claims ownership of your property, can cost you your job, and puts your family's lives at risk?

    What are they going to do next? Poison our water supply?
  • I think recent experience has shown that lawmakers are predisposed to making intellectual property and various other non-physical works into things that can be owned. Music and software code come immediately to mind.

    I've not thought about this enough to formulate my own views on the ownership of domains, but I expect that they will be considered private property that can be owned outright, and they will be treated accordingly. Thus, the public databases will go away, as, barring an outright change in the attitude of lawmakers, they should.

  • At times I wonder how a collective environment such as the interenet survives self-serving commercial interest.

    idunno. i think that's beginning to sound like "how does an aids patient survive HIV"

    answer: they don't.


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network
  • by aberoham ( 30074 ) on Wednesday November 15, 2000 @10:08PM (#620798) Homepage
    After getting frustrated with the perl module Net::Whois (or more, the guy who maintains it), I rewrote it with an extensible registrar and parsing system that follows Whois referrals as currently delivered by NSI Registry. If you're interested in perl modules and whois, please check out the beta Net::ParseWhois module [honestabe.net], and help me extend it to correctly parse your favorite ICANT accredited registrar.

    Abe
  • In the UK Nominet [nominet.org.uk] are in charge of the .uk name space. They do have a public whois server, whois.nic.uk, but it does not divulge personal contact details. It does however tell you who the domain is registered for and which ISP/Name broker is currently in charge of the name.

    The WHOIS data publically available looks as follows:-

    Domain Name: FAKEDOMAINNAME.CO.UK

    Registered For: My Company Inc.

    Domain Registered By: TAGHOLDER

    Registered on 29-Feb-2000.

    Domain servers listed in order:

    DNS.YOURDOM.CO.UK 211.31.21.131
    NS0.YOURISP.NET 191.171.161.31
    NS1.YOURISP.NET 191.171.171.31

    WHOIS database last updated at 04:10:01 16-Nov-2000


    All companies who wish to administer and register domains apply to become members of Nominet, with membership you get a , this can be looked up and tell you who is technically responsible for the domain. Each domain registered is tagged with this and this allows me, with the correct PGP signature, to change any of the details on the domain.

    It's up to the registering company to decide how their customers specify changes and many have automated systems of their own. And if you're wondering wether this would work for large domain spaces like .com, .org and .net then the answer is almost definately a yes - .uk is the largest country specific domain space - thanks to Nominet fees being just £5 (Thats $7.20) for two years. Some companies charge this and nothing else and many ISPs give domain names away simply for using their dial-up service.

  • The Whois database should stay public because it is the only way a person can track down a hoaxer or a fraudster.

    Recently I have received a spam regarding some kind of "pre-registration" scheme of new top level domain names with a link to a website. Now how do I know if this is for real, or just another scam (e.g. e-mail address harvesting)? How else can one start investigating other than going to the Whois records?
  • There's nothing recent about copyright. Music and software have always been copyrightable. And just because something may be considered private property does not, of itself, give any right to anonymity.

    The public databases are needed so that we can find who actually does "own" a domain -- it doesn't need to be my home address, any mailing address (like a PO Box) will do, just so that I can be mailed the renewal notice or any valuable offers for my prized domain name ;-)
  • >If you own a piece of land, there's a public
    >record of it somewhere that's accessible by
    >everyone.

    Yes, and now that I am a happy homeowner, I get
    vast quantities of paper spam from everyone who
    has bought my county's property records. At least
    they don't have my (unpublished) phone number. I already get phone spam because I got a recycled
    number.

    I want to register a domain. I am looking at that right now. But I don't want to open myself up to
    spammers, junkmail, telemarketers, stalkers, or any other lowlife who knows how to use whois.
  • I agree, but I'm concerned about the mailing address. For my domain, its my home number. Somebody emailed my own address once (from whois) and the first thing I thought was "mail bomb". I can recycle all the web-related snail-spam I now receive, but I can't recycle a 'splosion. Yes, I could get a post office box... but still.
  • I have several domains under gTLDs, well actually they're all ©org but that's besides the point - and my name and address appears on all of them - does it bother me? No, and I'll tell you why©

    The details on my domain records are available easily to anyone who has the time and inclination to look for for them, they appear on my CV on my homepage, in the WHOIS info for my domains and in the WHOIS info for my NIC handle©

    Even if this information wasn't available in those places, I'm pretty sure it wouldn't take long to track down - anyone who knew my name ¥which also appears on my homepage on the CV and the bottom of each page could find out where I lived without much difficultly - I'm pretty sure electoral registers are public information, armed with my name and roughly where I live ¥also on my page you can find out my address with out much difficulty, just by flicking through a telephone directory if necesary©

    The fact is if people really didn't want other people to be able to find out where they are, they wouldn't register domains, they'd just stick to using the free space from their ISP with the typicaly non-descript URL that comes with it or one of the free hosting services©

    You make the choice of having your personal information made public when you register a domain - if you don't like it, don't do it© It's your choice©

  • Why should the information not be public? The internet is not a private franchise, but a public network. Sure, you have to pay a company in order to get wired into it, but from there it's public. If you want to register a domain name, you're basically asking for a public seat on the network. If you want the contact information you provide to be kept private, then use another set of valid contact info where you can be reached, or don't register the domain name at all. It's just that simple.
  • Ah exactly, you can be as anonymous as in the "real world". So this shouldn't really be a problem.

    What's important for me is that the contact informations for my domains are available to all in case something happens. I don't have my personal phone number public on the contact information, because.. well.. it's unlisted. :) Although, I have another phone line dedicated for my domains which is public. But that could just be a 555- number anyway.

    And it could be important for verification purposes... domain hacked?

  • I laud your efforts, and think you're going in a reasonable direction if something must be done, however you're a little overboard on one detail.

    A 3-hour delay before that information is accessible is totally counter-productive when the WHOIS information is being used to contact somebody whose network is AFU.

    The same goal can be accomplished much more reasonably with an exponential (2^x) backoff routine, with a 15-second seed. Reset the backoff 24 hours after the last request, and refuse to queue more than 4 requests at once.

    This means that for a (naive) spammer to harvest 16 email addresses at once that it will take about 16000 minutes, or ten and a half days.

    On the other hand, a sysadmin who needs two or three WHOIS entries (and sometimes you need to "chain" them to find info) can get his information in less than 5 minutes.

    Reasonable, no?

    --
  • From a network administrator's point of view, having access to WHOIS information is a valuable tool when trying to find contact information on websites that host warez, finding out who is the site contact when a machine has been compromised and is taking part in a DoS attack, or again, finding out who runs a site when a hack attempt is underway. I can see both sides of this argument, but from a purely selfish perspective, I think annonymizing WHOIS records is ultimately a bad thing, and I know it will make my job that much harder trying to track down information I take for granted right now. -Xian
  • Well personally I have to say I am not the biggest fan of the fact that Domain records are public, but as the owner of an internet business who makes use of this information from time to time I think it has to stay. The Whois resource is really the best way to at least begin tracking down those who attempt to attack my company, DoS, or just general hacking. This the information contained therein I can at least contact the ISP that got that attacker on the net and if they co-operate maybe get at them. (14 people have lost their ISP, and 3 have been arrested to date, I have no problem in general with hackers just don't hack me)...on the flip side I do hate the fact that anybody and their brother can access my domain records, and become a general pain in my head. Last year someone used my domain registration to track me down and begin attacking me for infringing on his company's trademark. This jerk used all sorts of intimidation, scare tatics, and general un-niceness to attempt to convince me that I should change my domain name, and at one point he threated to sue me and force me to turn the domain name over to him. Unfortunatel he had no right to at all, my domain name, and the company it is attached to have existed longer than his. If anyone is infringing on anyone else its him on me, in my way of seeing it. My compan maintains a fairl low profile in general, and we keep as much as possible about ourselves hidden, had this guy not had the Whois to work from he probabl never would have found me. Haplo
  • by Sloppy ( 14984 )

    I have two seperate thoughts on this.

    First of all, I think one of the original reason for the whois database was so that network administrators could get ahold of each other to resolve problems. That made sense when domains were networks. Nowdays, most domains are just web sites, and the contact information is a webmaster rather than a network admin. Perhaps (this is just an idea) the whois database should list, not who registered the domain, but who is in charge of the network that hosts the domain.

    And, secondly, this privacy issue seems bogus to me. If there are a lot of people who want to have a domain anonymously, then there is a market force that can easily be brought to bear upon the problem. Just have a domain "holding" company. If you want to run foo.org anonymously, then pay Bar Inc to handle the registration for that domain on your behalf. Then Bar Inc is in the whois database instead of you, and you have a contract with Bar Inc that stipulates under what conditions your identity should be revealed to others, gives you the power to control the domain, etc. Basically, they would be a kind of proxy for you.


    ---
  • The bias here is basically that .com/.org/.net domains (gTLDs) should only be owned by legitimate businesses, who can afford premises and separate phone numbers.

    True. Although, at the same time, it doesn't cost much for an individual to aquire a seperate address and phone number. (I.e., you don't actually have to buy a building.) Get a PO Box and a cheap pager.


  • OK, I agree with the assertion that WHOIS records are vital -- I know I've used them for real work myself.

    But as someone who just bought a domain name and really doesn't care to have to have my email address and home phone number publicized to every spammer and stalker on the planet, I am somewhat shocked at the /. collective brain's attitude.

    This is a problem crying out for a technical solution. There is one obvious such solution, which was used at MIT on their finger server(s) for some time (dunno if it's still there): their fingerd would not serve more than N responses in M minutes to the same requesting IP address. This meant that downloading their finger db wholesale was not feasible.

    That would probably kill a lot of spam, while still allowing sysadmins to contact one another.

    Secondly, some budding entrepreneur should set up an aliasing phone service and mail service, such that you can put into the WHOIS db their phone number plus your unique extension; and that you can configure your account with this service such that calls between 9am and 5pm are routed to your work addy, or are routed to a vmail service so you can call back if legitimate, or routed to /dev/null or whatever; that you can put their mail address down, and they will forward physical mail to you (like a PO Box only with home delivery); thus personal phone and home address are not available to the general public.

    This would basically solve the problem.

  • If I build a house, it is possible for anyone to go to the deeds office and find out that I own the land, and even how much the county thinks it is worth. If it is a commercial building, they may even give out the blueprints and results of code inspections. How is a domain name different?

    Yes, how is it different? My last three landlords certainly didn't have their names on the deeds. Their properties were held by realty trusts, of which they were the beneficiaries, or corporations, of which they were effectively the owner.

    A realty trust is the probate/tax equivalent of an alias. I don't see why we shouldn't have the same thing available for domain name registrations.

    If your message is so important that you are willing to pay a regular fee and obtain the appropriate resources to make it available, it should be worth making it possible to contact you.

    That is logically absurd. That's like saying "if you're willing to die for your cause, you should be willing to paint a target on your forehead."

    If whois is really such an anathema, there are many other options available: the free nameserver pages (cjb.net, et al), free pages hosted on geocities, I suppose freenet if that ever becomes functional.

    Last I checked most free web page services required a real name and addy. Of course, if they don't verify, it would be easy to circumvent, but just because you wish to get an unpopular message out doesn't mean you are a criminal, are willing to break the law, or are willing to enter into a contract in bad faith.

    Freenet at the moment is vaporware. A lovely idea, I'll believe it when I see it.

    Most people here are really only looking at this from the standpoint of the tech -- which surprizes me, usually /.rs are hip to the political consequences of things.

  • Often a WHOIS record is the only way of figuring out who is responsible for an abusive web site... like that ecom site you found on pricewatch that doesn't give you an order confirmation after you give them your credit card number...
  • it's a neccesary thing. I'm a webmaster at an ISP and my job would be VERY frustrating if I didn't have the WHOIS database to check. Think about how many people understand how the DNS works. Discard them. Now think about how many of the remaining people actually know who is hosting their domain. Discard them. Those that are left seem to entrust me with their domains.

    Without WHOIS, I would have to dig for a domain of a name server, then search the web to find this ISP. Upon locating the phone number, then and only then can I start my search for the elusive and wiley hostmaster.

    With WHOIS I issue one command and usually have not only the email address of the hostmaster, but his/her phone number too. The clueful even seem to put a phone number down that has a decent chance of intelligence on the other end.

    Close WHOIS to the public and you'd better give me a subscription!
  • I personally think this is analoguous to the records help of land estate. If you own a piece of land, there's a public record of it somewhere that's accessible by everyone. Most of the time these records aren't available online but this essentially doesn't change the fact anyone can get their hands on the data very easily.

    Why should domain names be any different? If these were made private, you'd probably have to have a court order in order to get to know who owns a domain you might be interested in buying or even worse, who to contact in SPAM related issues.

    Public it is and public it should be.
  • it is a double edged sword, and I openly admit to not fully understanding every possible consequence (that is my little disclaimer).

    I look at owning a domain name like owning a piece of real estate. It should remain on the public record. I recently (within the last 2 months) bought a condo here in the states and was overwhelmed, appalled and annoyed at the fact that I reveived SOOOO much junk mail from people offering me their services as a "new neighbor." However this is a consequence that I have to live with.

    Oh the flip side, I bought the property as an investment and have since been contacted by several realtors who have expressed interest in a client of theirs purchasing the property. I have not marketed this property, but they have access to this information through public records.

    Domain names are (IMHO) like real estate, and the information of their owners should remain as public domain. It truly is a double edged sword, but it is just a price that we all pay for information being free.
  • There are plenty of goood reasons for WHOIS. For instance, When I perform a "whois microsoft.com" on my Unix box, I get the following:

    Microsoft.com.se.fait.hax0rizer.par.tout.zoy.org
    Microsoft.com.owned.by.mat.hacksware.com
    Microsoft.com.n-aime.bill.que.quand.il.n-est.pas .nu
    Microsoft.com.is.secretly.run.by.illuminati.terr orists.net
    Microsoft.com.is.nothing.but.a.monster.org
    Microsoft.com.is.at.the.mercy.of.detriment.org
    Microsoft.com.inspires.c opycat.wanna be.subversives.net Microsoft.com.has.no.linuxclue.com
    Microsoft.com.hacked.by.hacksware.com
    Microsoft.com.fait.vraiment.des.logiciels.a.trio s.francs.douze.org Microsoft.com

    ...and that just makes me feel better.
    --

  • by Paul Crowley ( 837 ) on Wednesday November 15, 2000 @10:33PM (#620827) Homepage Journal
    Is your home address and telephone number on your website?

    No? Why not? It's not *terifically* private information; in most cases, anyone really determined could find it out. It could be useful to let people call you or send you gifts, or so that your friends can look it up to come to parties after you've moved house. But it's usual for people to be a little bit circumspect with their home address, and with good reason: "I know where you live" is a threat.

    The bias here is basically that .com/.org/.net domains (gTLDs) should only be owned by legitimate businesses, who can afford premises and separate phone numbers. These provide a buffer between you and the disgruntled public. If you can't afford those, the message goes, stay off the gTLDs - or open yourself up to potential physical attack, abuse and harrasment.
    --
  • by billstewart ( 78916 ) on Thursday November 16, 2000 @12:12AM (#620832) Journal
    ICANN has done a minor power grab in their insistence on getting and publishing True Names in the whois records. They're mixing several very different uses of that information, which have different requirements and appropriatenesses:
    • Technical Contact When Things Go Wrong: Sometimes the DNS provider needs a technical contact when things go wrong. A working email address is good enough (it helps to have it on some machine not in the domain, because you're most likely to need to contact the Tech when it's broken.) Phone numbers and names are nice too, but not critical. It's nice if this is also available to the public, because sometimes other people have technical issues that need to be addressed, like machines spewing bad bits.
    • Administrative Address - This needs to be a workable contact, to deal with policy issues, name ownership disputes, spammer complaints, etc. Again, no need for True Names, but working contacts are important.
    • Billing contact for the DNS registrar to contact the owner of the name. Again, this doesn't need to be a True Name, and a working email is fine, though it's nice to provide the registrar with enough contact information that your name doesn't just vanish some day because of a billing problem. When NSI was the only DNS Registrar, they should have kept this private, not public, and it was only their own convenience that justified publishing it. With multiple registrars I suspect the same is still true, though perhaps there's a good reason I haven't thought of for doing otherwise.
    • Owner's True Name, ICBM Address, and Subpoena-Serving Address - IMHO, this is Nobody's Business*, but ICANN strongly believes otherwise - they want to be able to deal with legal disputes like trademark conflicts over domain names by suing or subpoenaing the owner. This one's outright wrong, and the most serious privacy violation of the lot. The alternative is that if the dispute can't be resolved using the Administrative Contact (email or whatever), that the plaintiff should deal with the Name Registrar to see about seizing the name, and if the current user (whether Wrongfully Accused Legitimate Owner or Sleazy Cybersquatter) prefers to remain more private and not respond, then they're at more risk of losing their name, but that should be their choice. Again, IMHO, ICANN's positiion is a combination of control-freakism by some members and wanting to keep the name registrar out of disputes that they don't want to be involved with (and I sympathize - a $50 or $10 name registration fee doesn't leave lots of spare money for lawsuit defenses or even clerical dispute resolution, but that's just tough.)

    In practice, ICANN's Data Grabbing isn't accomplishing its positive goals - When I've wanted to hunt down a spammer using Whois, it's generally not very practical - the Supposed True Name info is bogus, or it's a mailbox from a mailbox vendor, or it's outside the US in some jurisdiction where I don't know the alphabet, much less the legal code, and the email contract addresses either get you a black hole, or bounce, or sell your email to other spammers. On the other hand, people have supposedly been stalked, and lots of people have been spammed using this information, and it's Nobody's Business.


    * Technically, I'm probably not allowed to use the phrase "Nobody's Business" here in California, because there's a store by that name in Mendocino County, so it'd be name-squatting or trademark dilution or something :-). It's owned by Wavy Gravy, aka Hugh Romney, who runs the "Nobody For President" [nobodyforpresident.org] campaign. So far, Nobody's winning the election, Nobody's leading the country, and Nobody's going to do a great job!

  • As someone who is all about open-sourcing just about everything, I couldn't help but chuckle a little when I see people wanting to keep secret the domain registrant info. While I agree that Network Solutions is not much of a solution at all (and would love to see a more democratic process working instead!), I find the WHOIS database very helpful. Not to invade privacy nor to spam. My problem is much more direct: I deal with intrusion attempts alomost daily, both at work and at home, and I find the ARIN and other lookups to be an important tool in taking care of the misfit jerkoffs who try to access other people's computers. Believe me - nothing gives me more pleasure than taking down a cracker with bad intent. I work in an ethical business, and try to conduct my life in a similar manner. I don't have any pity at all for people trying to damage or steal information "just because it's there."
    Being able to track down a site admin, and forward that person the IP within their domain from which an intrusion attempt is being made in minutes really does work! Nothing makes a site admin more nervous than knowing that somebody's using their domain to do harm. So I say, let's keep the WHOIS public, but work on making the rest of the infrastructure more free-flowing.
  • From the article:

    It's like a global phone directory -- without the option for an unlisted number.

    But is it really? The owner of the number is the phone company, the administrator is the phone company. And we get the contact information for the phone company. If I register a domain, I will be the "phone company", right or wrong? Now if we talk about an email address (user@domain) or homepage (http://domain/~user) then there's no need for contact information and the user can be "unlisted".

    I think it should be compared to a phone company contacts, not a phone directory listing. You will always have the option NOT to register a top level domain. And get another private URL. How often do you pick your own phone number?

  • I know that that's been the current thinking, but how accurate is it?


    People have a right to know who is controlling elements of a public resource, so whois records should be open to all.


    I'm not convinced that domain names are public resources. I certainly will agree that the registries are essentially public resources, preventing domain name collisions, but the domain name itself I really don't see as a public resource.


    If I start a company, I have to come up with a name for that company to establish presence in my area. I'm required to do a name search for that company name to ensure that I'm not infringing on a name already in use. The name of my company is my own - tied up in its identity.


    The same is true of the domain name system. If I want a domain name, I do a search to find one that hasn't been taken. If someone beat me to the domain name, then I either have to come up with a new one or negotiate with the current holder to turn it over. If the current holder has no legitimate interest in the domain, then there has to be some existing law regarding corporate/personal identity to cover this.


    I suppose I'm also not convinced that ICANN's processes for this are any good, but that's a rant for another time.

  • I'm not convinced that domain names are public resources.
    They are public resources in that ownership of them is only temporary (while you continue to pay registration fees). I strongly hope that the courts will eventually decide that registrants do own the domain name, subject to this limitation.

    Which raises the question of who owns the domain name before it is registered, or after it ceases to be registered. Network Solutions claims that they own the expired domains that their customers have registered, but I'm really hoping that ICANN, the Commerce Department, or the courts will fix that.

    Anyhow, back to the matter at hand. If the registrant owns the domain (even temporarily), then it is very important that the registration information be public. This is just like buying real estate. You can go down to the county courthouse and find out who owns any parcel of land in the county, and this is very important for resolving legal matters. Domains are not any different in that regard.

  • Some of us like to hide. We try to frequent different bars and coffee shops to avoid being noticed. We ignore the friendly smiles of the people who work in the same building. We instruct our browsers to ask permission before accepting a cookie. We monitor every application on our computers that is not open source with a packet sniffer. We monitor the open source software with a packet sniffer. We have 15 different frequently used aliases and 5 free e-mail accounts for each. Our medical insurance number is not our social security number.

    We like to hide. Whois is easy for us to avoid. Except we registered that one site -- microsoft.sux.a.lot.com and accidently left our real e-mail address be known, the one that Grandma uses to write that once a month letter to. It has now shown up in the whois database!

    What are we afraid of? Are we afraid of government monitoring our mp3 trading? Are we consumed by guilt, fearing that the Corporate intenty that has profiled me so well that they get me to actually click on a banner ad will know who I really am? I think the beautiful girl who used to brew my coffee knew my secret life too.

    Spam scares us. Sure it is annoying, but that's not what is frightening about it. It is frightening because they found us. They know us. They know our secret.

    Someday, maybe it will become clear to us that we have no secret. We are just like everyone else. We are consumers.

  • The whois database used to be just a simple means of finding out who owned a website, getting their contact information, and then contacting them. Now-a-days, it's become a means of grabbing more email for spam, or for offers to buy the domain from them, or (in a worst case scenario) it helps people figure out who to sue.
    This is the theme that I picked up on. WHOIS as a tool for network administrators to keep a shared network working? Sure - that's what it USED to be for:
    The idea is to help users contact the name's owner for possible purchase, even though the databases originally helped computer administrators contact one another when networks go awry.
    And what is one of the major registrars concerned with when considering WHOIS or a replacement? Chuck Gomes of VeriSign Global Registry Services states:
    New tools, he said, could help meet the needs of law enforcement officials and trademark owners while protecting privacy for individuals in other circumstances.
    Law enforcement and trademark protection. Administrative contact? What was that, again?

    At times I wonder how a collective environment such as the interenet survives self-serving commercial interest.

  • Who owns a domain is a public record.
    You need an open database to be able to trust it - otherwise, how could you know it was not being tampered with ?

    I don't believe commercial spamming is a problem - owners of domains in general are much more dangerous when fighting spammers than the general audience.

    I believe the Maintainers of RIPE right now just want to hold the copyright in order to void a split(someone copying their service) - however, there may be good reasons to have competition on the field.

  • I own a few domains and I don't particularly like the fact that my real name and some other personal information is made available to the public. I do, however, believe that WHOIS should provide a method of contact via email for the person's who own a domain so that necessary contact can be made and, if volunteered by the owner, a telephone number.
    ---
    seumas.com

It has just been discovered that research causes cancer in rats.

Working...