Rights, privacy, and public information as it relates to Whois.
As the internet community debates Whois and privacy this week in Kobe, Japan, I’d like to revisit my thoughts on the subject.
I am not in favor of default Whois privacy for domain names. Some of this is selfish; I often use Whois to track down who is buying and selling domain names, to figure out when a domain was stolen, to verify ownership, to check the veracity of legal claims, and to hunt down fraud. Not having public Whois makes this much harder for me.
But I also challenge the notion that people have a human right to privacy and I also believe that what is commonly called privacy is actually an issue of public information.
First, on human rights. Human rights are fictitious; they are things that we as humans have created, much like the notion of corporations. This can be a good thing, no doubt.
But the right to privacy is really only something that governments define and manage. And there’s a difference between privacy and information.
The governments that have authority over me enforce certain rights. You don’t have a right to enter my property to look in my bedroom.
If I want to do certain things, such as buy a house or car, I have to give some of my information to the public. Anyone can go to my county’s website and get the details of my house and property tax bill. If I want to set up a business I also have to give information.
If I don’t want this information to be public, I can take affirmative action. I can buy my house through a corporation, for example.
There are public benefits to open information, which is really what we’re talking about here. This isn’t about privacy–it’s about information.
One key benefit to open information is that it helps cut down on graft.
Where should domain names fall on this spectrum? Should my information be public if I register a domain name?
There are good arguments on both sides of this question. It’s fair to argue that public Whois information leads to spam and that is a reason to keep it private. That’s a reasonable argument and I respect it.
It’s also fair to argue that public Whois information helps security researchers, journalists and people transacting domain names.
What I don’t find a reasonable argument is that publishing Whois information violates someone’s right to privacy.
Much like other transactions we make that result in public data, there is both a public benefit to publishing such data and a way to prevent your personal information from becoming public when you register a domain name. Just add Whois privacy. Many registrars offer it for free.
I obviously agree with you as I have said for a long time that proxy whois should not be allowed. As you say, privacy can be obtained in other ways, while maintaining a “door” that can be “knocked on” when there is a problem.
>Human rights are fictitious
Do you have a right to your life outside of government authority?
If your answer is no, then who is your owner, what exactly does your owner own?
Games being played regarding the SOURCE of human rights is the sophistry we face today. And this is a very ancient fight that will never end.
The way that WHOIS data is currently obscured is ridiculous. Mind you when you look at the Morons who rub the EU you can understand why they have a GDPR law (i.e. they are clueless about anything outside their own cosseted World) . What should be vieable is (A) Name of Registrant and (B) Email address which works. That would then leave some privacy on things such as telephone numbers which I know are abused because I receive many spam calls from India.
I am really surprised by this post.
To avoid a manufactured consensus about “WHOIS privacy bad”, I will add some comments from the front lines as a full-service registrar:
– Many types of faith based organizations. There are parts of the world where people are routinely persecuted for their faith, including threats to their lives.
– Many businesses work from home. They may not want someone showing up at their residence and don’t need the expense of a private PO Box.
– Many people who are involved in political campaigns can be targeted, cataloged or otherwise doxed.
– For people who simply choose to be unlisted, e.g. due to threats of harassment, their mental health can be impacted due to crippling fear.
As for free speech, a topic that I have defended elsewhere, people who choose to engage in wrongspeak sites can be targeted if they don’t self-censor.
I have seen these cases all first-hand and now they are common. It is for these reasons and many others Epik made WHOIS privacy.
When GPDR went into effect, we made WHOIS privacy the default and did it in a way that registrants can still be contacted if they wish.
As some folks here know, Epik is working on a universal WHOIS registry project called WhoQ.com that anticipates the work of the ICANN EPDP and RDAP. It will provide registrants, registrars, and registries with “WHOIS as a service”, including compliant forms of privacy. For anyone at ICANN, Sufyan Alani and Nick Lim are still there and available to meet to discuss the project.
I have just left Kobe myself but had many good discussions with stakeholders about the future of RDAP compliance. The Epik team engaged thoughtfully with both the “privacy” caucus and the “surveillance” caucus both on the EPDP and otherwise. At the end of the day, I am sure that there is a way to protect people’s privacy without protecting criminality. It is not easy but it is needed.
You’re surprised by the post, but did you read it? I’m not opposed to offering the option of Whois privacy. I just don’t think it should be on be default.
Andrew, I agree with you. Whois Privacy has been available for many years, by choice of the registrant for very little fees or free of charge and it is left up to the registrant to choose, and was not forced on them by the registrar. We never needed a court order to tell us what is good for us. We’re not talking about abortion and human rights. It is unfortunately up to the registrar to decide if they will enforce the GDPR or not. It all depends on the registrar’s evaluation of which benefits them the most. For example, GoDaddy decided not to enforce the GDPR since they have many customers with hundreds of domain names holding onto them for investment, not for private use. On the other hand, Tucows depends on hosting companies and individuals with very few numbers of domain names, so they decided to enforce the GDPR, because it is for their benefit. Uniregistry, after enforcing the GDPR policy on all registrants, found that many of their important customers complained and threatened to transfer their domain names. It is a shame that ICANN did not set a policy where it is up to the owner/registrant of the domain name to decide what is good and beneficial for them. I remain optimistic that someone will realize that the whois GDPR is not one size fits all, because it is not.
@mansour the GDRP is not to blame for the Privacy in the domain names, before without the GDRP also many buyers dicifil find the name and surname of the seller domain in the Whois and nobody comment anything and there was the same problem.
@Andrew
Your (apparent) secular bias might impact your world view, e.g. your comment that “Human rights are fictitious.”. It was actually that statement that surprised me the most.
As an American citizen, you likely know that the Constitution was overwhelmingly authored by brilliant Deists who were building on a Christian foundation. Their starting point was that man does have inalienable, God-given rights, and that includes the right to publishing with a pseudonym as has been commonplace. Even George Orwell was a pen-name. His real name was Eric Arthur Blair. And to this day, the real identity of Shakespeare is a matter of intellectual debate.
As for the default setting, a properly implemented WHOIS will provide a pass-through proxy so you can still reach the registrant to the extent that the resolved page does not make it amply obvious who is behind it. Epik.com makes it easy to manage domain profiles so if your default needs to be to expose your identity, then you can do that. Force obfuscation as was done by Donuts on 243 strings was really not good for the industry, as discussed with Akram and Matt Oveman in person in Kobe.
Bottom line — I support free will and personal accountability in all matters, and that includes how you set your WHOIS privacy. The idea of a forced default is the worst possible outcome. And very shortly, if EPDP goes the way I think it will, accredited law enforcement will have unprecedented ability to peek behind the privacy veil. Those details are still being hashed out, including somewhat in private session. And not surprisingly the EPDP is still without a Chairperson.
I actually had breakfast this morning with Kurt Pritz at ICANN in order to discuss his new focus with .ART but also to touch upon his perspective on WhoQ.com as the outgoing Chairman of the main ICANN group working on Whois policy. Kurt would be an interesting person to interview on this topic. The folks that are sitting members on the EPDP — and I met privately with several this week — are far more reserved in their rhetoric, especially on the record.
The topic you raised is of immense importance. The direction that ICANN is going is “Orwellian”, which I think is the wrong direction and could easily seed the demise of domains as publishers reassert their digital sovereignty. Epik is already hedged against that scenario, working concurrently on the conventional domain economy and the emerging decentralized alternatives, e.g. Blockchain, Handshake and even our own DNS resolver at Anonymize.com.
I hope that clarifies.
You know, I find your views on free and anonymous speech these days rather perplexing, given that you used to complain to me that I allowed anonymous commenting on this site.
I am in favor of incontrovertible truth not unaccountable trolls. That never changed. I am also in favor of free speech with personal accountability.
However, on the anonymous web, what sometimes happens in blogs and forums, including this one, is people without reputation spout nonsense.
If I ever advise a blogger to take down a comment, it is only if I believe someone is engaging in a narrative that undermines the value of the blog.
A good example of a troll spouting nonsense in this industry was on this classic thread from TheDomains:
https://www.thedomains.com/2017/02/27/good-bad-ugly-epik/
Towards the end a troll, likely tied to SPLC or ANTIFA, started spouting nonsense. Then quick-witted guys like Joseph Peterson lit him up in classic Joseph style.
Comment censorship is a big problem. The latest example of how the world is dealing with commenting with censorship is Dissenter.com, powered by Gab. It is growing like a weed.
A good example can be found here:
https://www.splcenter.org/hatewatch/2019/01/11/problem-epik-proportions
There is no comment section on this very obvious nonsense article. However, if you have the Dissenter browser plugin there is a lively comment section without censorship.
Sometimes one’s critic is labeled a troll
Yes, Joseph definitely gets my Bruce Lee award of the year for that one. 🙂
I could not agree more with the need for privacy as expressed by Rob here.
Rob is actually the only person I have ever let know who I am as I post in the blogs anonymously. I’m inclined to think presumably Joseph does as well after joining Epik, or perhaps almost certainly figured it out if he ever even gave any thought to it at all, not that I regard myself to be important of course by any means. I have trusted Rob and Epik not to “out” me, and even brought that up to Rob once briefly in some email in the past. 🙂 (Unless required by some law or due official policy of course.)
(In case anyone is still wondering, by the way, Rob could tell you I am not a known person in the industry if he said anything at all, and am not on any record for any UDRP or domain dispute of any kind.) 🙂
If we don’t like something someone says, it is very easy to declare they are a “troll.” The same way the world plays any and every type of “card” that people play whenever they don’t like something you say. I experienced a little of that in the early days of my blog commenting, most particularly by one particular well known and somewhat influential person who was well known for the capacity for combat and strife. Accordingly, I have also sometimes commented in the blogs about the very need and benefit of allowing privacy there as well. On occasion I have even accused a few others of being a troll themselves myself, though I only do that with care to the above.
I was also a bit surprised by your statement about rights, Andrew, though not completely.
Personally I would distinguish between fundamental “natural” rights as endowed by the Creator, rights which arguably derive from such fundamental rights and from certain moral principles, and rights which I believe and would argue should be established as rights by law.
John, you might be reading too much into my word choice there. I mean fictitious in that they only exist because we as a community agree that they exist.
A great book on the role that things like the idea of the limited liability companies played in the world is Sapiens by Yuval Noah Harari.
You know Andrew, you might want to consider that if rights are fictitious, so is morality. There is no basis for morality in what appears to be your particular bias as Rob put it. Concepts like good and evil, right and wrong, have no real meaning or significance. Life itself is also meaningless.
Rob Monster, you can’t handle the incontrovertible truth.
Really.
Not at all, Andrew, I took it exactly as you meant it.
The issue is whether rights have true objective existence without reference to and apart from whether “we as a community agree that they exist.”
Along with objective truth, an objective basis for morality, and whether life itself has any objective meaning and significance at all.
>accredited law enforcement will have
>unprecedented ability to peek behind
>the privacy veil
Therein is the problem with your other points Rob.
I became a self registrar because most registrars have no financial incentive to stand up for their customers.
I think we were far better off when the person that answered the phone was the actual registrar owner. Fact is ICANN wants as few registrars as possible and thus we lost that valuable relationship.
In the case of EPIK, what you did for GAB says a lot to me. I applaud you for what you did. But you are an outlier.
Bottom line is that registrars make so little money on domain registrations that most will always give law enforcement what they ask with very little resistance. This is in fact why GoDaddy implemented the policy that if a domains get disputed, etc, GoDaddy will bill the registrant a fee ($30 last I knew). So in practice law enforcement has always had, and always will have, virtually unlimited access to registrant info. They send a pretty piece of paper, with pretty letter head and pretty writing on it and the registrar caves.
And that is why proxy whois is an illusion per your comments about oppression. If the Chinese Government wants the whois of a domain name it WILL get it … Short of my owning my own registrar and putting them on ignore, and letting them put my ICANN contractual obligations to the test, or yourself providing a unique service that most other registrar never will offer. That does not even take into account that ICANN can’t override local laws. If a government wants data from an in country registrar it will get it.
Like Facebook removing ZeroHedge yesterday, let the oppressors reveal themselves. Sadly it seems that is only way through history to solve the problem. A thousand years ago they could hide their actions … Fortunately today, it is very hard to hide. The oppressors are slowly being dealt with …. Look at Brixet, don’t get the vote result you want, try again … Ooops, people are reaching for pitch folks. Sadly this is the way of history.
Fear is never an option, that idea is found throughout the bible … And its why governments seed and nurture fear to oppress. Never buy into fear.
Apologies for my lateness to this discussion, but I felt my ears burning. I believe Mr. Monster is referring to me regarding the discussion on thedomains. I would simply like to point out that I am not affiliated with the SPLC or “ANTIFA” and it’s preposterous to come to such a conclusion just based on my comments on that post. I might suggest that Mr. Monster’s paranoia is getting the better of him.
Of course, Rob is free to have the opinion that I’m a troll, though I would disagree. I may have had a difference of opinion, and/or have been mistaken in some assumptions, but Rob’s and Joseph’s responses to my points were far out of proportion. At this point, I have no interest in what Rob and Joseph have to say, but I don’t appreciate having my name dragged about in some sad little point of “victory” for them.
So, again, I’m not an activist. Just a regular guy. Though I am somewhat amused that Rob thinks I am part of some sort of Marxist cabal out to get him. Sorry to disappoint.
Privacy is a fundamental right as the human rights of people around the world and any social status.
I can register a domain for 10 years and put in privacy because I want it.
I buy premium domains or register domains for 2 years and leave Whois without privacy, I think it’s better for buyers.
I think privacy is now a medicine for many newcomers in the Domaining market and that is a fad at a time that does not lead anywhere.
Happy Day. Jose.
I am not in favor of default Whois privacy for domain names either. it should be optional.
If your argument is security is impacted by default privacy, then surely the option for any privacy goes against your argument.
FYI, I would mention that we still do not have the option for whois privacy for .US domains, although as reported by Konstantinos Zournas at his blog on 10/10/2017 Neustar had indicated it was their biggest policy issue to date. That doubtless has a “chilling effect” upon adoption, registration and use for some, even for many. Does anyone know if that is planned this year?
Andrew. I concur. Privacy per whois should be an option, but not the default.