Like many other public databases, Whois serves a vital public interest. It shouldn’t be private by default.
It’s becoming increasingly clear that privacy advocates are using GDPR as an opportunity to demand privacy for all domain name registrants. They are successfully framing the discussion as privacy should be the expectation of everyone, and any exception to that requires scrutiny.
That’s a far cry from today’s status quo. No privacy is the default but privacy can be added.
Perhaps my view is colored by being a U.S. citizen, but I believe privacy advocates are going to far.
I have a reasonable expectation of privacy in my home. I don’t have one when I go out on the street. I also don’t automatically get privacy when I buy a home or car, start a business, or register a domain name.
Anyone in Austin can look up information about a homeowner’s property and its taxes through a centralized database. A record of my car purchase is available from the county or state. My name is attached to my business registrations. And for domains, there’s Whois.
Now, if I really want or need privacy, I can get it. But I have to put a little bit of effort into it. I can use a proxy for my transactions. A homebuyer can create a trust to buy a home or they can request their information be obscured in the county’s appraisal database. I can use a registered agent for my business. And I can use a Whois proxy service for my domain name.
The public is well served by making this information public. They can investigate who is behind a company. They can spot fraud or foreign governments spreading discontent. They can understand trends and find evidence of discrimination using public data.
Those people who need a little extra privacy can readily get it by essentially “opting out” of having their information public.
I’m fortunate to live in a country in which the government isn’t trying to silence bloggers (for the most part).
Anonymity can be a real problem for people in some parts of the world, and it’s an issue that domain name registrars have created a solution for: Whois proxy services, often called Whois privacy.
These services work really well and they can be added for free at many registrars. Registrars are good at pushing these services on registrants, too; GoDaddy adds them by default and asks people to opt out of using them.
Yes, you can interpret GDPR as meaning that Whois information should be private…for EU residents and citizens.
I also understand that the easiest approach for domain registrars is to use a blanket approach across all registrants.
But we should be careful about framing the discussion as privacy-first.
One of the areas this is coming up is with an accreditation system to give certain groups access to full Whois records. Privacy advocates are worried about people getting access to Whois records as these people chase down IP infringers, find phishers and, in my case, perform journalistic research.
Of course, GDPR will still apply to what people do with this data. I’m not going to take 20 unmasked Whois records of EU citizens and publish them. But there’s a real public interest in this data.
This is one of the reasons I believe there will still be a use for Whois proxy services in the age of GDPR. Even with an accredited access model, information will be seen by many groups…including government agencies.
If people truly need protection they can add a proxy service. At the same time, the public is served by making most of the information public.
Speaking of Privacy- it would seem godaddy going private also. They took off any way to reach them by email. Chat only- yet chat only is offline and hold time by phone time was 18 minutes. Then I finally got the Chat line an hour later and then the rep had never heard of Afternic/GD domain listing service.
With privacy majority of domain investors will need to Escrow.com. They will be a big winner with this. I just used the concerige service and I won’t be going back to the other way after all the privacy stuff passes.
Off-topic a bit here. But with all the privacy issues coming on GD is making it more easy push domain names by instant transfer. This has been all planned for past year look at the portfolios they have bought. Some questions:
Does anyone know if they place the appraisal value next to your BIN price with the new GD domain listing service.
Also how long does it take to show up as a listing after you put on system.
And when a consumer searches for a domain inside godaddy.com who will show up first as being available for sale the .guru .online .club ? Or will our listing show up.
Agreed . Going too far. One advocate was building case using the holocaust as a moral equivalent. Privacy rights yes Forced Privacy no. ICANN can mandate that Registrars offer Free Privacy for all and/or that registries/registrars black out all EU registrant info but forcing Privacy on non EU registrants is a overreach and will have so many unintended consequences too large to list. The implementation on a full black out even for 6 months will lead to increased internet crime, backup and slow the legal system and most of all reduce domain name commerce.
ICANN contracts can’t impose pricing.
Hey, I reckon that this will be another REVENUE STREAM for Registrars.Mark my words in not to distant a date , they will sell access to Whois records.
They can sell bulk access already, it’s in their agreement with ICANN. The value of it will actually be less now, since it will also need to be redacted.
“Privacy advocates want Whois private by default. It shouldn’t be.” I completely agree that it should be. Would like your home address resident list be public? Would you like your name be publish by your cellphone company? The answer is no. Whois is another big money making machine off the people. Why should i have to pay fees to GD to hide my personal information after purchasing a domain?
If you can opt-in to privacy, then your argument against privacy being an opt-out model is null and void.
You say lack of privacy is useful.
But if that is the case, then you should be arguing against privacy as an option.
Out-in means nefarious individuals can protect their id while average citizen who may not be aware of privacy as an option (or who can’t justify the additional cost) is left exposed.
Out-out on the other hand can provide an expanded level of trust from companies and individuals choosing to provide public information.
Out-in should be opt-in
Out-out should be opt-out
(Auto-correct strikes again)
It’s curious how fast these privacy x security debates degenerate into people from both sides of the fence forcing their world vision on others.
But the default position should be the current situation and negotiate from there
Defining a starting point is already a negotiation, and usually the most likely way to create a failure in the negotiating process. Just look at all ICANN efforts with WHOIS so far and judge for yourself how well that played out.
Andrew,
There are a ton of reasons to have the WHOIS information opt-out by default.
– First, in Europe public records are all anonymized. If not, the are in violation of the privacy laws. So you’re statement saying that only in-house you have your privacy is wrong. US should do something about that! That is the reason news stations put a camera in your face (without blurring your face) if they think you did something wrong.
– Second, did you registered a .com domain name lately? You get spammed only a few minutes after registrering. They do that based on the public WHOIS, even if you use a WHOIS proxy service after that, the WHOIS records are stored on internet almost immediately. And this can’t be wiped from Google easily.
– Third, people make up fake names and addresses to register domain names. Besides, who will check this if I really live there. It’s just a farce and totally not needed.
– Fourth, It’s bad for freedom of speech. I mean, if you write something nasty about me on your website, it’s childsplay to look for your address and obtaining redress.
– Fifth, It’s waaayyy too easy for stalkers , burglars and other (sexual) predators to find someone (online) and harass them.
Do I need to go on? In other words:
WHOIS should be blocked world-wide for all extensions even the ones based in the USA. Registry’s and law enforcements still have access to the full WHOIS, so there is absolutely no thinkable reason for other people to lookup people’s details like name, (email) addresses, phone numbers etc.
These are all reasons that people should have access to a Whois privacy service. But there are lots of reasons to not have them private by default.
There are many thinkable reasons for people to have full access to people’s names, email addresses, etc. Many security investigations use Whois. Even the bad guys leave breadcrumbs when they fake Whois records. Trademark interests need to find out who is cybersquatting. The list goes on and on.
You are obviously not in the domain industry. I contact people daily to see if they want to sell their domain. People contact me daily to buy my domains. Whois blocked by default will definitely make me lose money. Not that you would care but I believe there are lots of tools people can use to protect their privacy. This is just more nannystate big brother knows best things. They think people can’t take care of themselves so someone has to step in and do it for them. I disagree. I personally use a PO box and a free internet phone line. I could easily use privacy for free but I don’t want it. I want to be able to be contacted.
A positive freely given consent is legal under GDPR, but ICANN took so long denying GDPR that such a disclose mechanism won’t be ready by May 25th, unfortunately.
The whole thing will blow up due to unintended consequences. USA registrants need a path to opt out of Privacy as opposed to forced into a law designed for citizens of the EU and forcing EU privacy law onto US citizens and companies sets an ugly president, that cannot survive scrutiny. USA Privacy advocates need to focus efforts in changing USA privacy laws no forcing this EU law on everyone – when it only applies to EU citizens . Privacy should be free to all not a paid service though in USA for most services. Privacy should be a free choice. . Keep in mind US phone companies still charge to have an unlisted phone number, all state tax collectors list personal data on real estate info searches.
Biz names & contacts not part of EU Privacy law, right?
Biz names are not but registrars are going to end up blocking that too. Concern over business contacts if someone puts their own name or a personal email address.