Internet privacy

Allen_McRay · October 2, 2003, 12:17am

Apologies if this is off-topic. No chance of it ever happening, correct?
=;]

Allen

Dear Network Solutions(R) Customer,

Did you know that current rules require all domain name service providers
to list the information you provide when you register a domain name in a
public database known as WHOIS?

To help you protect your personal information and online investment, I want
to let you know that Network Solutions is campaigning for stronger privacy
protection in the domain name industry. As part of this effort, we have
developed a new site, www.InternetPrivacyAdvocate.org, which outlines the
steps we are taking to protect your personal data. The site also offers
helpful
tips for what you can do to keep your private data even more secure.

The Internet Corporation for Assigned Names and Numbers (ICANN) is the
non-profit corporation responsible for oversight of domain name
registrations
and for accrediting domain name service providers. As an ICANN-accredited
registrar, we are also required to request that our customers verify, and if
necessary, update their WHOIS contact information. Customers are responsible
for ensuring this information is current, and ICANN mandates that outdated
contact information can be grounds for domain name cancellation.

View the WHOIS information for the domain name(s) you have registered with
Network Solutions, and if necessary, update your information. To help
protect
your privacy, we have added enhanced capabilities, which allow you to select
the
Administrative and Technical contact information you would like listed in
WHOIS
through your Network Solutions account.

To learn how to assign WHOIS contact information and about other actions you
can take to protect your personal information today, visit
www.InternetPrivacyAdvocate.org.

Sincerely,

Brian Cute
Policy Director
Network Solutions, Inc.

Owen_DeLong · October 2, 2003, 2:40am

Sue,
I know it's short notice, but, can we try and get someone from
ICANN to explain at Chicago why they haven't pulled Verisign's contracts
for malfeasance? Further, can we get someone from Verisign to explain
how Verisign plans to correct these actions and stop taking unilateral
destructive actions with the public trust?

This has real operational impact, and, it certainly needs more
coordination that Verisign has so far been willing to apply.

Thanks,

Owen

Martin_J_Levy · October 2, 2003, 3:05am

Owen,

I know it's short notice, but, can we try and get someone from
ICANN to explain at Chicago why they haven't pulled Verisign's contracts
for malfeasance? Further, can we get someone from Verisign to explain
how Verisign plans to correct these actions and stop taking unilateral
destructive actions with the public trust?

This has real operational impact, and, it certainly needs more
coordination that Verisign has so far been willing to apply.

I'm happy to see Verisign's actions on the Chicago NANOG agenda...

http://www.nanog.org/mtg-0310/dns.html

But (alas) I don't see any ICANN names on the list...

http://www.nanog.org/mtg-0310/attendee.list.html

Keep in mind that NANOG is a "North America..." entity and what your addressing here is a global issue.

Martin

Jack_Bates · October 2, 2003, 3:08pm

Allen McRay wrote:

To learn how to assign WHOIS contact information and about other actions you
can take to protect your personal information today, visit
www.InternetPrivacyAdvocate.org.

It's rediculous to state that placing contact information for a domain name is a privacy issue. A domain is public record, as should the contact information be. Is verisign out to help spammers any way that they can? It's bad enough that the whois information is often out of date with obvious bogus information like 555-1212.

-Jack

Jeffrey_Meltzer1 · October 2, 2003, 4:08pm

Not to start a war, but you can block your Telephone Number from being
listed in the phone book, so why shouldn't you be able to block your whois
info?

What valid reason would you have for getting in contact with a domain owner,
if they've unlisted themselves and don't want to be contacted?

Netblock info, yes, because that's where the abuse comes from. Domains are
forged a lot more than IP's are. As long as you can see some contact info
for 1.2.3.4, who cares what the listed contact info for spammer.com is?
Chances are if they know what they're doing, it's bogus info anway, so you
track them through their (hopefully) friendly upstream.

Any abuse/misuse/etc I've ever tracked down has been via netblock, never
domain. But, maybe I'm just not thinking of something.

Jeff

Mike_meuon_Harrison · October 2, 2003, 4:53pm

they can? It's bad enough that the whois information is often out of
date with obvious bogus information like 555-1212.

or that it seems to revert to information circa 1994..
and is nearly impossible to change now.

I gave up, moved all my important domains to an OpenSRS affiliate
(domainmonger mostly)

Stephen_J_Wilcox1 · October 2, 2003, 4:55pm

I'm happy to see Verisign's actions on the Chicago NANOG agenda...

http://www.nanog.org/mtg-0310/dns.html

But (alas) I don't see any ICANN names on the list...

http://www.nanog.org/mtg-0310/attendee.list.html

Keep in mind that NANOG is a "North America..." entity and what your addressing here is a global issue.

Aww a shame Merit is using Verisign to accept registration

You are choosing to pay the NANOG registration fee by credit card.

Please press the button below to process your transaction securely
through VeriSign Payment Services.

(The VeriSign site requires the use of JavaScript.)

Jack_Bates · October 2, 2003, 7:17pm

Jeffrey Meltzer wrote:

What valid reason would you have for getting in contact with a domain owner,
if they've unlisted themselves and don't want to be contacted?

Problem with email or a website to a given domain. The fact that IP addresses aren't swip'd out to the individual owners. Multiple domains owned by different people can be hosted on the same IP.

Sometimes it's a matter of fixing problems, not just abuse.

-Jack

Allen_McRay · October 2, 2003, 7:38pm

Amen. If there is a problem with a domain that I have registered, I want
people to be able to find out who I am, and contact me. If I don't respond
to a request, don't put forth my best efforts, or remove myself from the
network until the problem is corrected - then pull the plug on me. Plain
and simple. The "whois" lookup gives anyone, even with limited skills, the
ability to possibly contact someone in regards to a domain. I know there
have been abuses of the system, but the advantages of having this
information readily available far outweigh what will come when it is hidden
from public view.

Allen

Owen_DeLong · October 2, 2003, 8:22pm

Not to start a war, but you can block your Telephone Number from being
listed in the phone book, so why shouldn't you be able to block your whois
info?

Because you don't need a domain name to live on the Ineternet. If you choose
to have a domain name, then, it's akin to hanging out your own shingle.
If you hang out a shingle, you have an obligation to provide a certain amount
of contact information as a matter of public record.

Noone is saying you should have to give up your contact information to
posess a single /32 IP address, or, even a small collection of them.
However, domain names are a different thing from phone numbers. Domain
names are the ability to operate your own phone book. Certainly I have
never heard of a phone book publisher that didn't provide contact information
for redressing errors/etc.

What valid reason would you have for getting in contact with a domain
owner, if they've unlisted themselves and don't want to be contacted?

What valid reason is there for allowing a domain owner to be unlisted and
uncontactable. If you want to remain anonymous, then you don't need a
domain.

Owen

Leo_Bicknell1 · October 2, 2003, 8:38pm

In a message written on Thu, Oct 02, 2003 at 01:22:12PM -0700, Owen DeLong wrote:

What valid reason is there for allowing a domain owner to be unlisted and
uncontactable. If you want to remain anonymous, then you don't need a
domain.

It is possible to be anonymous and contactable. Is that that good
enough (for domains, IP allocations, or other things served up via
whois)? Is it key we know the owners real identity, or just know
enough information to be able to contact them?

Lyndon_Nerenberg3 · October 2, 2003, 8:50pm

As a company director and officer I do not have to make my home address and telephone number available. I don't even have to make the company's office address or telephone number public. But I do have to provide an "office of record" where the company (or its officers and directors) can be served legal notice. Typically this is the address of the company's lawyer.

There's no reason why domain registrations should be any different. I can think of many good reasons for someone not wanting their home address and telephone number listed in the domain contact info. (For starters, think spousal abuse. Your policy would prevent a woman hiding from an abusive spouse from registering a .name domain.)

HOWEVER, there does need to be *some* form of valid contact information provided. Registrars might want to consider offering a point-of-contact intermediary service as a "value added" product.

--lyndon

Owen_DeLong · October 2, 2003, 8:52pm

Personally, I think having to present your real identity for a domain
name is a legitimate requirement. For small (/29 or smaller) IP allocations,
I have no problem with the upstream provider taking responsibility.
For domains and larger netblocks, I think the individual should be
accountable, identifiable, and, contactable.

Owen

Owen_DeLong · October 2, 2003, 9:01pm

Because you don't need a domain name to live on the Ineternet. If you
choose
to have a domain name, then, it's akin to hanging out your own shingle.
If you hang out a shingle, you have an obligation to provide a certain
amount
of contact information as a matter of public record.

As a company director and officer I do not have to make my home address
and telephone number available. I don't even have to make the company's
office address or telephone number public. But I do have to provide an
"office of record" where the company (or its officers and directors) can
be served legal notice. Typically this is the address of the company's
lawyer.

Right... I have no problem with that.

There's no reason why domain registrations should be any different. I can
think of many good reasons for someone not wanting their home address and
telephone number listed in the domain contact info. (For starters, think
spousal abuse. Your policy would prevent a woman hiding from an abusive
spouse from registering a .name domain.)

If someone registers a domain and wants to pay their lawyer to be the contact
of record for the domain, there is nothing in existing policy or process
that prevents them from doing so. Further, there is no need for such a
woman to register a domain under her own name. The facilities already
exist for handling such situations.

HOWEVER, there does need to be *some* form of valid contact information
provided.

Right.

Registrars might want to consider offering a point-of-contact
intermediary service as a "value added" product.

I think this would be a very bad thing. If some independent organization
wants to provide that service, fine. Allowing registrars to provide it
allows for the possibility of a conflict of interest if any policies ever
come to fruition to allow revocation of resources for bad contact data.

Think about it, if you allow the registrar (who has the ultimate obligation
to pull the domain) to instead obscure their contact for a fee, then, you
have essentially eliminated any such protection.

Owen

Lyndon_Nerenberg3 · October 2, 2003, 9:07pm

Think about it, if you allow the registrar (who has the ultimate
obligation
to pull the domain) to instead obscure their contact for a fee, then,
you
have essentially eliminated any such protection.

That would depend on the terms of the contract between you and the registrar. But I do agree that this would be better served by a neutral third party (who would probably charge a lot less than a lawyer would).

No matter who you go with for the service, read the fine print before you sign on the line ...

--lyndon

Matt_Levine1 · October 2, 2003, 9:09pm

<snip>
I think this would be a very bad thing. If some independent organization
wants to provide that service, fine. Allowing registrars to provide it
allows for the possibility of a conflict of interest if any policies ever
come to fruition to allow revocation of resources for bad contact data.

Think about it, if you allow the registrar (who has the ultimate obligation
to pull the domain) to instead obscure their contact for a fee, then, you
have essentially eliminated any such protection.

Godaddy seems to be offering this service already - http://www.domainsbyproxy.com/

Owen_DeLong · October 2, 2003, 9:10pm

Whatever responsibile third party wants to provide this service already
can. There is no need for any changes. The changes proposed by Verisign
and the things they are currently promoting do not fall within that.

Owen

Sean_Donelan · October 2, 2003, 9:21pm

What's interesting about Verisign's proposal is they are lobbying to
eliminate "free" or compulsary distribution of the WHOIS data; they are
NOT lobbying to keep the data private.

Eliminating public WHOIS access increases the value of Verisign's database
when they sell the (now private) database to list generators. Currently,
Verisign is competiting in the listmarket with other vendors which mine
the same WHOIS data or get it through a compulsary bulk data agreement.

Why pay Verisign when you can get the information for "free?"

Richard_Cox · October 2, 2003, 10:57pm

As a company director and officer I do not have to make my home
address and telephone number available. I don't even have to make
the company's office address or telephone number public.

That may be so in your jurisdiction. Some other jurisdictions differ.

But I do have to provide an "office of record" where the company
(or its officers and directors) can be served legal notice.
Typically this is the address of the company's lawyer.

If there is a person at the office of record that accepts liability for
you (should you prove to be uncontactable) that ought to be sufficient.

There's no reason why domain registrations should be any different.
I can think of many good reasons for someone not wanting their home
address and telephone number listed in the domain contact info.

That may be so. If someone is unwilling to be contacted, it is arguable
if they should have any responsibility for a domain; owners can delegate
the responsibility _provided_ the delegated party accepts the liability.

HOWEVER, there does need to be *some* form of valid contact information
provided. Registrars might want to consider offering a point-of-contact
intermediary service as a "value added" product.

GoDaddy already does. It works very well. However other registrars
might handle such a service in very different ways which could cause
a lot of harm.

Booth_Michael_ENG · October 3, 2003, 5:05pm

>What valid reason would you have for getting in contact with a domain
>owner, if they've unlisted themselves and don't want to be contacted?
>
What valid reason is there for allowing a domain owner to be unlisted and
uncontactable. If you want to remain anonymous, then you don't need a
domain.

Hi Owen. I tried contacting you via telephone to discuss this issue
further, as not to further engage in off-topic chatter here, but I was
unable to, as DELONG.COM is registered a beeper that has been
disconnected. Do you have a current phone number I can reach you at?

Glass houses, stones?

Michael