Alternatively, one could enter information that looks plausibly valid but is in fact completely invented. How often does one receive articles in the mail or phone calls to the whois contact points anyway? As far as I've experienced, any communication is to the email address. I suppose it depends what the penalties are if you're somehow found out.
Incidentally this is why I use .eu
It wouldn't be prudent to build a business/brand/reputation on a domain name where you've intentionally registered it to a false identity.
To me, the penalties are only one of the concerns - how you'd deal with someone attempting to hijack your domain when you've faked the ownership records is a problem too.
a PO Box address
Last time I checked, which was probably a couple years ago, you couldn't use a PO Box address. In the U.S., some/all post offices have added the option of real "street addressing." Before, you'd have to use PO Box 123, City, State. But with street addressing, now you can use - say - 45 Main St #123, City, State.
Non-USPS places have had this sort of thing for a while. Some will even "let" you call it "Suite 123" - despite it being a small metal box with not much room for furniture. (I think the "letting" part is more them just not caring, and only looking at the numbers. It's not impossible but I'd be surprised if there were actual laws covering that. Though it could be a factor if something like fraud were being committed. IANAL.)
No. They will require PO box providers to be accredited with ICANN and subject to all these crazy rules, giving you no privacy.
> Alternatively, one could enter information that looks plausibly valid but is in fact completely invented.
This is exactly what all the real crooks will do, but you and me will not be able to, because we don't want to lose our domains.
Well, I'd be very interested to see how ICANN could get post offices, like the United States Postal Service or Royal Mail, to go along with submitting to ICANN accreditation. That aside, data on people who own USPS-provided post office boxes and boxes held at commercial mail receiving agencies (CMRAs, like the UPS Store, and so on) can be obtained from the USPS, per 39 CFR 265.6(d)(5)(i) through (iii):
(i) To a federal, state or local government agency upon prior written certification that the information is required for the performance of its duties.
(ii) To a person empowered by law to serve legal process, or the attorney for a party in whose behalf service will be made, or a party who is acting pro se, upon receipt of written information that specifically includes all of the following: (a bunch of things)
(iii) In compliance with a subpoena or court order, except that change of address or boxholder information which is not otherwise subject to disclosure under these regulations may be disclosed only pursuant to a court order.
Are all of their domain names registered properly? Shall we start sending them A LOT of mail explaining these consequences?
ICANN is only the authority because we all said they are the authority. Do you know the fight that would break out if we lost faith in ICANN and multiple firms in the right economic place who know the right people at the right time provided an alternative authority? The switch to IPv6 is already weakening ICANN authority. The value of an IP address is decreasing.
We have to trust someone. End users are not gonna type in IP addresses; human brains just aren't wired like that. But talking with any government is not cool. ICANN is a trust all citizens of earth currently agree on. ICANN is the global diplomat; they need diplomatic immunity - and need not abuse it.
What makes you think that? ICANN's requirement is that you provide a valid address you are contactable at. A PO box fulfils that requirement.
Is there some sort of middle ground where somebody like Amnesty International is one of the domain privacy providers? And another is, say, the Society of Professional Journalists? I would totally trust well-established organizations like that to make reasonable decisions about when to keep information private.
There has got to be a few radfems who have top level domains too. Say what you want about their politics but they are excellent at wiping up a shit storm.
I think there are some major misunderstandings around what ICANN are doing with WHOIS privacy.
ICANN have pretty much always required that registrants provide registrars with accurate contact information. ICANN required that registrars periodically escrow this data with an escrow provider (Iron Mountain, usually, though there are now more).
When you use registrar-provided WHOIS privacy, the registrar is still able to escrow the correct contact information. This is not the case with third-party WHOIS privacy providers. The difference now is that, due to the demands of law enforcement agencies, they're now requiring that information be validated and verified.
Third-party WHOIS privacy services always existed in a legal grey area, whereas registrar-provided WHOIS privacy did not. Even before the 2013 RAA came in, you were risking having your domain being taken from you by using a third-party provider and providing their contact information to your registrar as it meant that the registrar had inaccurate contact information and thus could not provide accurate information to the escrow provider.
Before the LEAs got all antsy about this, the WDRP emails you get from your registrar, giving you a list of domains and their WHOIS data and a warning of the consequences of providing inaccurate data, were the most ICANN required in practice. It was an honour system, and the requirement to provide accurate data - which has always been a requirement - wasn't actively enforced. All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
The requirement on third-party WHOIS privacy providers is to normalise their situation so that they have the same requirements to record information correctly and escrow it that domain registrars already have had to do for ages. And it's not that onerous a requirement: actually implementing an EPP client is orders of magnitude more difficult than writing the code needed to do data escrow: https://www.icann.org/en/system/files/files/rde-specs-09nov0... - you can implement that in an afternoon. The accreditation process for a WHOIS privacy provider is nowhere near as horrible as it's being made out to be. All you need to do is show that you can accurately escrow data.
Everybody's so late to the party on this one. The registrar constituency in ICANN fought pretty hard against this. If you think what ICANN are requiring now is bad, the LEAs were demanding much crazier stuff during the negotiations. If you're an EU citizen or using an EU registrar, you're even better off, as EU data protection law meant that some of the requirements of the RAA were illegal in the EU, so EU-based registrars are able to get an opt-out of certain requirements of the RAA. We still do have to validate, verify, and escrow contact details associated with domains we manage, however.
You say that like it's a small thing.
If the government suddenly started throwing all the operators of marijuana dispensaries in federal prison, you could say that all they're doing is enforcing the law, but it still represents a fundamental shift in policy.
Rules that aren't enforced don't get repealed because people care more about what happens in actual fact than what would happen on paper. Threaten to start enforcing them and you can't be surprised when the thing people want to know is not why it wasn't previously enforced but rather why such a stupid rule is still on the books.
In the past, they encouraged an honour system through the use of WDRP emails. In addition, they only acted or required registrars to act when an issue was reported or noticed. I guess you could call this passive enforcement.
Now, what they're requiring is that contact details are validated and verified upon first use and subsequent changes. This would be active enforcement, and was requested by the LEAs.
The practical difference is that when you register a domain name, the registrar will attempt to make sure that your address is valid, that the email address you provide actually accepts email and you answer it, and check that the phone number you provide is valid.
I'm fully aware of the impact of all this. Even if I wasn't personally affected by it, given I own domain names, I had to implement this stuff on the technical end, and make sure that in enabling it, we wouldn't end up scheduling thousands of our customers' domains for deletion. From a purely selfish point of view, I'm all too familiar with what the impact of the change from passive to active enforcement means.
All that will be changing on the data collection, verification, and escrow front, you mean? That isn't an aspect that people seem focused on at the moment. Almost everyone is focused on REVEALS and what processes will become mandatory.
Have anything to say about that and/or RELAYS?
I'm taking another read over the report.
'Relays' requires that email forwarding works on the provider's side when WHOIS privacy is in place. There are other complicating factors that can cause issues here, such as SPF records for the domain that don't mention the forwarding mailserver, but that's really it.
'Reveal' is a consequence of the situation with third-party WHOIS privacy services being normalised. Up until now, you were effectively in breach of your contract with ICANN as a registrant if you used a third-party WHOIS privacy/proxy service because the registrar had invalid contact details for the registrant.
'Reveal' does not mean that just anybody will be able to ask or demand that the provider disclose the contact details behind a private registration. Most registrars have LEA liaisons who they use to validate that a request from a law-enforcement agency is genuine. If we get a legal demand to disclose details, that goes straight to our solicitors, and we would only reveal them if there's a genuine legal reason for doing so. Any other requests are invalid and, at least here in the EU, giving out the contact details of a proxy registration would be against data protection law. So no, the argument that this would be a conduit for doxxing isn't a valid one. The exact baseline requirements for the reveal process haven't been locked down yet, but they will likely be similar to what I've outlined.
You see, both of these processes are already mandatory based on other parts of the registrar-registrant relationship and existing legal requirements. The difference is that it wasn't explicitly formalised and non-registrar WHOIS privacy was a massive grey area.
If you think this is bad, just be happy that you don't live in Germany, Switzerland, or Austria: https://en.wikipedia.org/wiki/Impressum
Individuals have privacy rights. Businesses do not. The EU is very clear on this. The European Privacy Directive covers individual privacy. The European Directive on Electronic Commerce covers business privacy online. They're very different.
But an author selling an e-book or a lone developer earning a side income from ads should not be required to publish their home address and cell phone numbers. This is ridiculous.
Somehow I doubt that the definition will be a reasonable one, given everything else in the article.
At the same time, it should be perfectly reasonable for a business to hire a registered agent and supply their contact information. The point is that the business be reachable.
I would rather have a restricted whois database, where the authorities can look at the street address, but Average Joe can not.
That's silly. I, as an individual, am a business: I perform work in return for pay, just as a business provides goods and services in return for payment. If the work I do is writing a blog, and the payment comes from ads or subscriptions, I should be permitted not to have my home address broadcast to all and sundry.
(on a related note, I should also be able to deduct expenses like a business does for tax purposes, but that's a different topic)
So they want to prohibit anonymity when it might hurt them, but allow it when it might hurt the customers of their hosting clients.
I think requiring real names from their clients but opposing it for publicly accessible WHOIS records is perfectly consistent with their views:
Since we started back in 2002, one of the things that's repeatedly been made clear to us is that governments aren't the biggest threat to free speech. They certainly bear watching and perpetual wariness, but they're just not the source of the everyday threats to our members' ability to express themselves.
The most common threats come from corporations and the pressure they can bring. Not a week goes by that we don't hear from some cheap lawyer about how mad some company is that some website said something that they don't like and what horrible things they're going to do to us if we don't hop to and do their bidding.
If the WHOIS records were only viewable by the courts, or at least ICANN, your implication of hypocrisy would carry some weight, but they're viewable by everyone, and that makes it a much larger threat.
SWAT-ing is really one of the less serious things that could happen. Crazy nutjobs are born every day. Someone didn't like a banner on my website, now they know where to find me, and they brought tanks. Meaning that it could be the government you are peaceably criticizing.
Our privacy online and off is already being deeply threatened on many other fronts. If you think this proposal is bad for our privacy and bad for our internet, please take a moment and email your thoughts to the working group.
I wonder if a decentralized type of DNS, like blockchain-based DNS, will ever take off. If we even have an acceptable alternative right now, I suppose the first meaningful step towards adoption would be baking support into a major browser.
1) Make sure to click on a link in the follow-up email they send you in order for your comment to go through.
2) The contents of your email (though it seems not the email address itself) will be made public, so if you don't want your real name in the open, don't sign with it.
This is bad. Very bad. The NameCheap email probably gave a lot of people the wrong first impression about what ICANN's proposal really means. Seriously, it sounded like they were just complaining about their bottom line. And since a lot more people use NameCheap than NearlyFreeSpeech, not many people are going to read the more thorough analysis and urgent call to action that the NearlyFreeSpeech article contains.
If anyone around you has read the NameCheap email, please tell them to forget about it. Tell them to read this article instead.
> "Commercial activity" casts a wide net, which means a vast number of domain holders will be affected. Your privacy provider could be forced to publish your contact data in WHOIS or give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?
> We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process.
I can't say that it "glosses over what counts as a business" or the requirement to disclose customer identities.
Sure, their bottom line is at stake, but it didn't feel to me that that's all this is about.
> Under new guidelines proposed by MarkMonitor and other organizations who represent the same industries that backed SOPA, domain holders with sites associated to "commercial activity" will no longer be able to protect their private information with WHOIS protection services.
Maybe it's just me, but this gives the impression that the remainder of the paragraph only applies to sites associated with commercial activity. This impression is reinforced by the last sentence, which again focuses only on commercial activity.
The email does mention "without due process", but that's pretty vague. The landing page of their petition site is slightly more informative, as it says:
> Let ICANN know that you object to any release of personal information without a court order.
But even this is misleading. The issue is NOT that ICANN will release your information without a court order. The issue is that ICANN wants to force third parties to have weak privacy policies. Now that sounds ridiculous, which it should, because it is indeed a ridiculous demand.
That privacy providers should not be forced to reveal my private information without verifiable evidence of wrongdoing
Which sounds good when you first read it. However, I think that wording might be interpreted by ICANN as an endorsement of privacy providers being the ones to decide what is "wrongdoing" and when registrant details get published or disclosed to requesters. Many people don't want information being published or disclosed unless there is a court order, subpoena, etc.
Perhaps the common point would be: pay close attention to what the different parties are proposing and make sure it is exactly what you want before you follow their lead.
"The more laws that governments pass, the less individual freedom there is. Any student of history will tell you that. Totalitarian countries ban pretty much everything."
Bill O'Reilly (He couldn't be the first one to coin this?)
For example, individual owners of Canadian .ca domains can have their contact info hidden, whereas corporations can't. Similar policies are in effect in a number of other countries, as well as .eu.
Will these countries need to change their policies so that individuals who have ads on their blogs will have their contact info exposed? Will they have to change the way they respond to requests for disclosure?
Or does the ICANN policy only apply to gTLDs?
Dealing with registries, be they ccTLD or gTLD registries, is just a massive pain in the ass.
How can I trust a business when it hides behind an anonymous registrar? If something goes wrong with my order, I'd have no way to even determine who is behind the company.
Of course, the free speech argument is mostly irrelevant. There are plenty of ways to share anonymously either on other people's domains, on TOR, or using just IP addresses. If my privacy was important, I wouldn't rely on GoDaddy to protect it.
WHOIS is an extraordinarily valuable protocol with a heritage dating back to the ARPANET days. As an example, for quite a while we've had this ideal of the semantic web we're trying to move towards, but in practice each website is its own special snowflake with more concern given to legacy rendering in Internet Explorer than making sure that contact information is easily findable and semantic. But it's mostly okay, because if I really need to contact someone there's this almost 40-year-old protocol which gives me unfettered access to information such as a technical contact email and an address.
Many registrars don't seem to pay much attention to the quality of their WHOIS records and most people or businesses probably don't give it a second thought or check the records after registering a new domain. But they should; and I applaud ICANN for their efforts to uphold the quality and integrity of WHOIS.
That said, the right to freedom of speech implies that one should have the ability to disseminate ideas with complete anonymity. ICANN's proposal would completely undermine this, which is unacceptable.
I think there is space for a middle ground, where ICANN can ensure that the WHOIS records aren't what amounts to a blatant lie in the case of anonymous registrations (i.e. the registrar providing their own details as the contact information). The current situation is pretty bad: if I want to contact the owner of such a domain, all I can reasonably expect is for any email sent to be blackholed by the registrar. I'm not talking about attempting to deanonymise the owner of such a domain, merely the idea that a domain is a named endpoint with an owner who is contactable through freely available means.
Imagine if ICANN created a new class of domains where it was made explicit in the WHOIS that the owner wished to remain anonymous, but nonetheless provided accurate information such as a pseudonym and a means of contact without violating their privacy. This means of communication could be some form of email hosted by a trusted third party, or potentially something more esoteric such as a GPG-encrypted message embedded in the bitcoin blockchain.
This would preserve the correctness and utility of the WHOIS database while respecting the rights I believe ICANN have a responsibility to uphold.
Also under your system I could still blackhole the email or just let it go straight to Gmail's archive.
You may need to contact me, but that doesn't mean I give a rat's ass about what you have to say - frequently not being able to be contacted is more valuable than being able to be contacted (for one thing if you can't contact me you can't threaten me with a lawsuit if I don't remove some content that you object to) and anyway my blog accepts comments.
I do not however like that companies can be totally anonymous on the Internet. It's not like the average person checks out the people behind a company before they buy some commodity from them. I do however whois a domain if I'm suspicious and a common thing is that most use anonymous registrars. Even serious companies use anonymous registrars nowadays, which is weird, or maybe I'm the only one who thinks it's important to know who the people behind a company are before you do business with them.
Luckily, the organization that administrates .de domains has 4 types of contact data: zone-C, the person managing the whole DNS zone, Tech-C, the person managing the servers of the specific domain, Admin-C, the person practically owning the domain, and OWNER, the person who gets the letters. Only Tech-C and Zone-C are available through WHOIS.
- contact a sysadmin who is creating BGP instabilities?
- contact a domain with an openrelay?
- contact the webadmin that is hacked?
- contact technician when programs are creating infinite loops by ping ponging bogus messages?
- ...
(see this link as a "story from the trenches: why whois contacts are important": https://archive.icann.org/en/comments-mail/01apr99-30apr99/m...)
How do you check an operator has really the use of the IPv4/v6/AS BGP... resources if you cannot find the contact and correlate with the RIR who allocated?
How do you check a set of IP addresses given to be routed in Europe (for defragmentation purpose of the BGP stream) is indeed routed in Europe without whois?
You know all network protocols are far from perfect and don't always detect "infinite loops" and whois database really needs to exist.
If you had to deal with serious scale sys/net admin you know why this article is as stupid as "having a national ID is a privacy violation and I don't want alien on my territory".
Internet cannot work without all sysadmins communicating together by the means of the contacts given in whois database. Or NANOG for the big one in America.
That's incredibly bold.
Iirc, that is a perfectly legitimate option and relatively cheap for those of us with numerous domains.
/>10yr NFSN client
but icann never checked anything anyway. you can register a domain as bill gates right now if you wanted.
the problem is always payments.