SoylentNews is people

posted by chromas on Saturday April 21 2018, @05:40AM
from the IWONT dept.

The US government has waded into the omni-shambles that is the internet infrastructure industry's failed effort to comply with European privacy laws.

Having tried to use its behind-the-scenes influence at a recent meeting of DNS overseer ICANN to drive decisions, the Department of Commerce's frustration had led to it going public with a letter to ICANN [PDF] in which it pressures the organization to investigate the world's largest registrar GoDaddy for limiting access to its "Whois" service.

In preparation for the May 25 deadline of Europe's General Data Protection Regulation (GDPR), and in light of the utter failure of ICANN to come up with a way to make the Whois service compliant with that law, GoDaddy has started hiding personal contact details for the 50 million+ domain names it looks after and has begun throttling access to its Whois service.

That would appear to be a commonsense response to a law that can see the company fined millions of dollars for failing to keep personal details private. But it earned the ire of several companies that make a living from accessing such details.

A letter [PDF] from one intellectual property lawyer representing those interests urged ICANN to take action against what he claimed were "clear and direct violations" of GoDaddy's contract with ICANN. ICANN responded [PDF] with no more than an acknowledgement it had received the complaint.

But the US government has unexpectedly come to their defense, noting in its letter that "the actions taken by GoDaddy last month... are of grave concern for NTIA given the US government's interest in maintaining a Whois service that is quickly accessible for legitimate purposes."

-- submitted from IRC


  • (Score: 3, Disagree) by lentilla on Saturday April 21 2018, @06:24AM (11 children)

    by lentilla (1770) on Saturday April 21 2018, @06:24AM (#669980)

    Occasionally we might want to get into contact with someone who owns a domain.

    So let's have a show of hands - has anybody; in say the last fifteen years; had any success in contacting somebody via the WHOIS information?

    No, I didn't think so. You pretty much have to pipe any email address you publish in the WHOIS record straight to /dev/null because the signal-to-noise ratio is about one to a million.

    • (Score: 4, Touché) by The Mighty Buzzard on Saturday April 21 2018, @06:46AM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @06:46AM (#669984) Homepage Journal

      Why, yes. Yes I have.

      --
      My rights don't end where your fear begins.
    • (Score: 4, Interesting) by MostCynical on Saturday April 21 2018, @07:38AM

      by MostCynical (2589) on Saturday April 21 2018, @07:38AM (#670001) Journal

      I was once working for a government department. They were changing their domain names (yay for "branding"), so we needed to contact the 'owner', and Whois gave us the name of the employee who had registered the domain, and their desk phone number (obsolete) and email (also obsolete).
      Amazingly, the person still worked for the department, and could be tracked down using the internal directory, and they were even in a similar role, and could therefore 'manage' the redirection and update the contact details to the current person in the role...

      Tl;dr: whois doesn't work well with government departments (nor, for that matter, does the apple play store for registering apps.. "Individual" is king, even if the work is done by appointment or delegation..)

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 1, Interesting) by Anonymous Coward on Saturday April 21 2018, @08:08AM (7 children)

      by Anonymous Coward on Saturday April 21 2018, @08:08AM (#670006)

      When I get spam e-mail, I often report it to the appropriate abuse contact. I received sincere-looking responses on Thursday and Friday (U.S. time), the last times I made reports.

      When I'm spammed by sites run by people who violate RFC 2142, I try telephoning if they're in my country. Another course of action I sometimes take is to contact their upstream provider. When nothing else works, I blacklist. Of course, I've encountered irresponsible attitudes like yours. Spammers naturally gravitate toward sites that disregard abuse reports. The attitude you profess is not unusual. Yet it's far from universal, even among the sites from which I receive spam. Often enough, I see indications that my reports are read by a person (as the RFC requires) and are acted on. On rare occasions, I've managed to contact the owner of a misconfigured site, and it was corrected. That happened within the last few months. I encourage you to establish and monitor the mailboxes specified by RFC 2142 that are appropriate to your site, and to act on the reports that arrive. If your site sends e-mail, your site's e-mail deliverability may improve, due to fewer people reporting it to their e-mail providers or to community blacklists as a spam source. If your site is a Web host, you may learn sooner about security breaches or problematic content. If, on the other hand, you're truly too busy to read those e-mails, please consider hiring someone to host your Internet presence, or discontinue it. You'll be doing the rest of us a favor.

      • (Score: 4, Interesting) by Lester on Saturday April 21 2018, @09:54AM (6 children)

        by Lester (6231) on Saturday April 21 2018, @09:54AM (#670019) Journal

        An abuse email could be public without revealing any private data. Nevertheless, GDPR doesn't say that nobody can access whois data, but that those data shouldn't be public. I don't know the details, but for instance ISPs and registrars may have access to data and report abuses, but not me. There is a proposal from ICANN, an "accreditation program" [icann.org] that is more or less accepted by GDPR.

        I have no objection to being addressable so that anyone can contact me regarding domain issues. But I can't see why my data must be public so spammers can offer me to transfer my domain to another registrar, or worse, many scammers try to cheat me into transferring my domain (let alone enlarge my penis or cheap loans). I don't know why I should make my home address public; it is only useful to make me fill in a fake address, so legitimate post real mail will never ever reach me.

        • (Score: 3, Interesting) by The Mighty Buzzard on Saturday April 21 2018, @12:55PM (5 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @12:55PM (#670036) Homepage Journal

          Accreditation program? Really? I've heard a lot of silly things in my time but people cheering on a requirement of a license to talk to someone else definitely makes the top ten list.

          --
          My rights don't end where your fear begins.
          • (Score: 3, Disagree) by Lester on Saturday April 21 2018, @02:29PM (4 children)

            by Lester (6231) on Saturday April 21 2018, @02:29PM (#670048) Journal

            When there are a billion anonymous people watching my data, yes, please, I want a barrier.

            • (Score: 4, Insightful) by The Mighty Buzzard on Saturday April 21 2018, @04:00PM (3 children)

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @04:00PM (#670088) Homepage Journal

              Yeah, that whole responsibility coming with freedom thing just doesn't work for some people.

              --
              My rights don't end where your fear begins.
              • (Score: -1, Troll) by Anonymous Coward on Saturday April 21 2018, @05:24PM

                by Anonymous Coward on Saturday April 21 2018, @05:24PM (#670114)

                Well that explains why you're a gay Mexican who identifies as a vagina, but it doesn't really help this discussion.

              • (Score: 0) by Anonymous Coward on Saturday April 21 2018, @08:54PM (1 child)

                by Anonymous Coward on Saturday April 21 2018, @08:54PM (#670167)

                Yes, because someone's personal information not being publicly available for all is such an egregious violation of freedom and responsibility.

    • (Score: 3, Touché) by MichaelDavidCrawford on Saturday April 21 2018, @03:12PM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday April 21 2018, @03:12PM (#670070) Homepage Journal

      A New York Times columnist had a personal website. I used Whois to get his email address. I got a useful reply.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Insightful) by Dr Spin on Saturday April 21 2018, @07:53AM

    by Dr Spin (5239) on Saturday April 21 2018, @07:53AM (#670003)

    What does it matter if hundreds of innocent parties have their privacy destroyed, if one scammer is granted legitimate access to their private parts ....

    oh, wait ...

    --
    Warning: Opening your mouth may invalidate your brain!
  • (Score: 5, Interesting) by jimbrooking on Saturday April 21 2018, @12:15PM (11 children)

    by jimbrooking (3465) Subscriber Badge on Saturday April 21 2018, @12:15PM (#670030)

    But it earned the ire of several companies that make a living from accessing such details.

    Mosquitos and leeches "make a living" from accessing blood from host animals like us. I suppose there ought to be rules and regulations that apply to those who swat mosquitoes or detach leeches from their person.

    How typical of the US gummint to take a position that's pro-business and anti-privacy, damn them to hell.

    • (Score: 3, Interesting) by The Mighty Buzzard on Saturday April 21 2018, @01:05PM (10 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @01:05PM (#670039) Homepage Journal

      Requiring valid whois information is no more oppressive or anti-individual than phonebooks.

      --
      My rights don't end where your fear begins.
      • (Score: 1, Touché) by Anonymous Coward on Saturday April 21 2018, @02:53PM (1 child)

        by Anonymous Coward on Saturday April 21 2018, @02:53PM (#670062)

        It was a happy accident when Verizon botched my phone book listing. They used my town name as if it was my last/family name. Saved me paying extra for an unlisted number, and also makes it really obvious when a junk caller asks for "Mr. [TownName]".

        • (Score: 3, Informative) by The Mighty Buzzard on Saturday April 21 2018, @04:07PM

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @04:07PM (#670092) Homepage Journal

          Honestly, spam filtering for email can be good enough nowadays that there's no reason not to use a valid email address in whois.

          It's not like you can't give an email address, post office box, and burner phone number all only used for domain management anyway.

          --
          My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Saturday April 21 2018, @05:12PM (1 child)

        by Anonymous Coward on Saturday April 21 2018, @05:12PM (#670110)

        [in Lumbergh voice]: mmm, gonna have ta go ahead and disagree with you on this one, buzzard.

      • (Score: 2) by janrinok on Saturday April 21 2018, @05:58PM (5 children)

        by janrinok (52) Subscriber Badge on Saturday April 21 2018, @05:58PM (#670124) Journal

        And I have the right for my telephone number and home address to be excluded from a telephone directory if I so choose.

        All the spam and crap mail (both email and snailmail) seems to originate from my Whois data - which has a small but deliberate error in it. It is not available if you search records on this side of the pond, but it is if you query Whois. I would like that to not be the case. I don't want my personal information made available to spammers and others.

        • (Score: 2) by The Mighty Buzzard on Saturday April 21 2018, @07:32PM (4 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday April 21 2018, @07:32PM (#670143) Homepage Journal

          You don't set aside an email address, post office box, and google voice/burner phone number for things like that? Man, I don't give my primary contact info even when I'm registering a domain for personal use. They're all legit and I do check them but I don't go giving out any personal details except my name on anything that's going to be public.

          --
          My rights don't end where your fear begins.
          • (Score: 2) by janrinok on Sunday April 22 2018, @06:44AM (3 children)

            by janrinok (52) Subscriber Badge on Sunday April 22 2018, @06:44AM (#670263) Journal

            And the annual proforma that originates from the US each year to make sure that the Whois record is correct, insists on having my personal data as the owner of a specific domain. It actually warns that if I provide false information under US law I could have my domain seized and lose ownership of it. They already have the information relating to a contact to resolve problems but, over the last few years and with the over reaction in the US regarding the terrorist threat, the requirement to provide additional information has been extended.

            In Europe, we believe that private information should be kept private. The fact that I have to provide it does not give anyone the inherent right to allow anyone else to harvest it for purposes other than those for which it was intended. Perhaps in the US you just decide to lie about everything rather than challenging the need to provide the information in the first instance.

            • (Score: 3, Insightful) by The Mighty Buzzard on Sunday April 22 2018, @10:30AM (2 children)

              I didn't say provide false information. I'm saying compartmentalize. The information you give should be valid but it shouldn't be your primary, personal contact points.

              --
              My rights don't end where your fear begins.
              • (Score: 2) by janrinok on Sunday April 22 2018, @12:02PM (1 child)

                by janrinok (52) Subscriber Badge on Sunday April 22 2018, @12:02PM (#670314) Journal

                It clearly stipulates that it must be my personal contact details. There is another field for the organisation that actually manage my domain, but for some reason they want my real address and actual phone number, .... or risk having my 'domain seized'.

                • (Score: 3, Informative) by The Mighty Buzzard on Sunday April 22 2018, @04:24PM

                  The cell phone you use for calling your buddies is no more or less your own than one you use for registering domains. It qualifies if you plan on answering it or at least looking at who called it. Ditto (e|snail)mail addresses.

                  --
                  My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Saturday April 21 2018, @02:05PM

    by Anonymous Coward on Saturday April 21 2018, @02:05PM (#670041)

    Does it echo in here? Please remove the dupe first line. KTHXBYE

  • (Score: 5, Insightful) by Rosco P. Coltrane on Saturday April 21 2018, @02:50PM

    by Rosco P. Coltrane (4757) on Saturday April 21 2018, @02:50PM (#670060)

    But it earned the ire of several companies that make a living from accessing such details.

    Fuck companies that make a living accessing whois. If they disappear, nothing of value will be lost.

  • (Score: 3, Interesting) by MichaelDavidCrawford on Saturday April 21 2018, @03:10PM (1 child)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday April 21 2018, @03:10PM (#670069) Homepage Journal

    While researching my employment index [soggy.jobs] I found that the mobile site of a Seattle software company had been hacked.

    So I called their registrar and asked them to connect me to their customer.

    "I can't do that"

    "They've been hacked by a porn spammer. I think that they would want to know about that. Could you at least email them?"

    He said he would. Their site was fixed later that day.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2, Insightful) by Anonymous Coward on Saturday April 21 2018, @04:49PM

      by Anonymous Coward on Saturday April 21 2018, @04:49PM (#670102)

      Um, MDC, what are you talking about?

      The problem got resolved, demonstrating that there is no need for public WHOIS... which somehow means WHOIS privacy is harmful? I hope I'm being Poe'd by a sarcastic post title.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday April 21 2018, @05:15PM

    by Anonymous Coward on Saturday April 21 2018, @05:15PM (#670111)

    they are just running interference for scum RIAA MPAA lawyers.

  • (Score: 3, Insightful) by crafoo on Saturday April 21 2018, @05:28PM (9 children)

    by crafoo (6639) on Saturday April 21 2018, @05:28PM (#670115)

    WHOIS information should be public. This is in keeping with the spirit of what once we called the internet. If people don't want their information public, do not register a web site. Do not participate. Pay someone else to do it for you.

    • (Score: 2) by janrinok on Saturday April 21 2018, @06:02PM (7 children)

      by janrinok (52) Subscriber Badge on Saturday April 21 2018, @06:02PM (#670126) Journal

      Do you ever purchase anything on the internet - well why not give us all your PIN and bank account details? After all, it is in keeping with the spirit of what once we called the internet.

      • (Score: 2) by Geotti on Saturday April 21 2018, @11:51PM (6 children)

        by Geotti (1146) on Saturday April 21 2018, @11:51PM (#670193) Journal

        How the fuck is your Whois related to your bank account details? What sort of argument is that, janrinok?

        How is giving out your bank account "keeping with the spirit"? WTF?

        You don't want whois? Make an onion or freenet site, pay extra for an anonymizing service or whatever. How is this even a topic that we have to argue about here, is there even anyone on this site, who did not witness the beginnings?

        • (Score: 2, Insightful) by janrinok on Sunday April 22 2018, @05:02AM (5 children)

          by janrinok (52) Subscriber Badge on Sunday April 22 2018, @05:02AM (#670248) Journal

          The Whois site is supposed to allow system administrators to contact each other to resolve problems with the internet. It was not supposed to be a source of personal data that is accessible to anyone who wishes to harvest personal information.

          Just as you have an expectancy for your personal bank account details to be kept securely when you share them via the internet with a supplier who provides you with a service, I have a reasonable expectancy for my personal details to only be divulged when it is necessary for me to be contacted to resolve a problem on the internet - presumably in relation to one of the several domains that I own. But because some companies in America want to be able to collect big data you are arguing that my personal details should be available to all and sundry. NO, they should not be.

          So I merely used your own illogical argument back to you - you shared your bank details on the internet so surely anyone now has the right to have access to them? It might not be for the purpose you originally intended, but that doesn't matter because I shouldn't have to state why I need the information or what I am going to use it for, right? Or is that somehow different because you are personally affected?

          Access to Whois data should be limited to those who can prove that they have a need to know that data, and it should only be used for the purpose for which it was intended. And I should be informed that the information has been shared with the person requesting it. The European law is giving me back the right to control who has my personal telephone number and home address - who needs that information to help resolve 'problems' on the internet?

          • (Score: 2) by Geotti on Monday April 23 2018, @07:30PM (4 children)

            by Geotti (1146) on Monday April 23 2018, @07:30PM (#670844) Journal

            No, I'm sorry, that still doesn't make sense to me.
            To foil data grabbers it's enough to put a rate limit and a captcha like, e.g. denic has had for about a decade.
            What you're asking for is capitulating our position that "the internet belongs to the ones who build it".

            Just as there is a public interest in knowing who owns a company, there is public interest in knowing who owns a domain.
            You want us to jump through hoops just to be able to see the contact information of a domain owner? Fuck that!
            There's a gazillion legitimate reasons to view such contact information, do you really think a drop down, where you select a reason and some contact information of the requesting party will stop the marketeers? Get real, man. There are other means of reining the misbehavers in.

            • (Score: 2) by janrinok on Tuesday April 24 2018, @08:57AM (3 children)

              by janrinok (52) Subscriber Badge on Tuesday April 24 2018, @08:57AM (#671083) Journal

              There are other means of reining the misbehavers in.

              None of which appear to have worked. So the EU, in bringing the law onto the books, are making sure that those in Europe that actually manage the domains realise that they cannot just provide personal information for public release without consequences, and that those who publish it in Europe, which includes providing it to Whois, or do not adequately protect such data on those protected by this law are committing an offence.

              Nobody is suggesting that the internet doesn't belong to those who built it - which basically is the entire world - but that those very same people are protected from exploitation by others whose motive is pure greed. If you need access to the information in order to 'fix the internet' then you will still have access to it, but you will have to justify why you need the information rather than just making all of the Whois data - including personal information - available for anyone to harvest. Why should I have to suffer from spam mail because Whois have published my home address in addition to the address of those responsible for managing my domains? Why should I have to put up with numerous out-of-hours telephone calls on my private phone because Whois think that putting that information out on the web is a good idea?

              Just as there is a public interest in knowing who owns a company, there is public interest in knowing who owns a domain.

              The information given out regarding who owns a company does not include personal information. Please look-up Mark Zuckerberg's mobile phone number and tell me what you find. It contains business information and business contacts. Whois publishes all information on the web and does not limit it to the essential business or management information, and it is this that the EU law seeks to address.

              Each year I receive an email from Whois demanding that I update my personal information at penalty of potential domain seizure by Homeland Security, just so that Whois can update the databases of spammers and others. There are better ways of doing this than the current method, and the EU law is simply making sure that private information stays private.

              And if I am the only contact that you have that can 'fix the internet' then all is lost!

              • (Score: 2) by Geotti on Tuesday April 24 2018, @06:49PM (2 children)

                by Geotti (1146) on Tuesday April 24 2018, @06:49PM (#671267) Journal

                The information given out regarding who owns a company does not include personal information. Please look-up Mark Zuckerberg's mobile phone number and tell me what you find. It contains business information and business contacts. Whois publishes all information on the web and does not limit it to the essential business or management information, and it is this that the EU law seeks to address.

                Form a company and provide company information. There, problem solved. Nobody requires you to provide personal information, if you register the domain in the name of your business. Invest the 250 quid and get a ltd or some other regional equivalent. Also, nobody requires you to provide your mobile phone number. Get a free number from e.g. sipgate and put up a mailbox.
                Stop whining, the GDPR is a pile of shit that just makes life more complicated and doesn't change a thing for the people who have a vested interest in collecting your data. You don't seriously believe for a moment, that FB & Co. will actually delete your data, when you request them to do so, do you? That's just not technically feasible. Just don't post anything that you don't want to be on the internet to the internet, like TMB wrote before. You should know better, after all.

                None of which appear to have worked.

                Why, according to our favorite encyclopedia [wikipedia.org], quite a lot of progress has been made since the 90s.

                • (Score: 2) by janrinok on Tuesday April 24 2018, @06:58PM (1 child)

                  by janrinok (52) Subscriber Badge on Tuesday April 24 2018, @06:58PM (#671273) Journal

                  Perhaps it is different where you live, but I do receive an instruction from the US authorities each year to confirm that my details are truthful and accurate, or risk having my domain seized by the US courts - who for some reason believe that they rule the world with their laws.

                  Furthermore, you fail at reading comprehension. I haven't put my details onto the internet - Whois have!

                  • (Score: 2) by Geotti on Tuesday April 24 2018, @10:02PM

                    by Geotti (1146) on Tuesday April 24 2018, @10:02PM (#671369) Journal

                    Maybe you should change your registrar then? I have quite a few (CNO) domains and not once have I received such an instruction.
                    I can recommend inwx [whois.com].

                    Furthermore, you fail at reading comprehension. I haven't put my details onto the internet - Whois have!

                    Pardon me, but I have to point out that you're the one mixing up the www and the internet here, or did you register by snail mail or phone?

    • (Score: 3, Touché) by Lester on Saturday April 21 2018, @06:39PM

      by Lester (6231) on Saturday April 21 2018, @06:39PM (#670131) Journal

      Where is it written that it is all or nothing?
