What Should ICANN do about WHOIS?

by on October 30, 2007 · 11 comments

One of the largest issues to be considered here at the Los Angeles ICANN meeting is WHOIS. As the AP reports, there are proposals to eliminate the WHOIS database, modify the information process, or call for more studies. Indeed, there are a lot of people interested in this topic, particularly privacy advocates on the one side and trademark owners on the other.

But there’s more to this issue than privacy and IP rights. The reality is that WHOIS is important for law enforcement to track criminals who steal personal information.

What is WHOIS? It’s the publicly available database that reveals the contact information for the owner of a domain name. ICANN has grappled with what to do about WHOIS for a long time, and this week we’ll see action by ICANN’s board of directors on whether to approve a new proposal to create an operational point of contact (OPoC) or even to eliminate WHOIS, so that registrants don’t have to provide their contact information for the whole world – or the dictator in an authoritarian country – to see.

This is a controversial proposal. Registrars – the websites that you go to to register a name – would love to see OPoC because it gives them another point of revenue. They’d be the ones that could operate the systems to designate an OPoC. But there are a lot of questions raised. How does a point of contact relay information to the registrant? How quickly would it have to respond to law enforcement? Or a trademark owner?

In addition to the OPoC supporters, there are those that would like to abandon WHOIS entirely. This would be a mistake, as Saul Hansell writes in his New York Times blog:

To my mind, whois is mostly a good thing. If you are going to stand up in public and say something, it seems to me that you should give people some sort of way of talking back to you. Then again, there is a lot to be said for anonymous speech sometimes.

Indeed, all things considered, getting rid of WHOIS would be a mistake. Because it helps law enforcement track down phishing scams and other online forms of identity theft, WHOIS helps protect our personal information. WHOIS isn’t perfect, and is certainly not 100% accurate, but according to the FTC it’s a useful tool.

But I’m not making the decision – we’ll know more on Thursday.

  • http://linuxworld.com/community/ Don Marti

    This is one more reason why ICANN should be allowing more TLDs. Require working phone and email for .com, and have different requirements for “.anon” or .biz. Then the browsers can go out configured not to post long strings of digits to .anon sites by default.

    ICANN seems to act as if the only reason to have more TLDs is to make all the trademark holders who have a .com domain buy more domains.

  • http://mcgath.blogspot.com Gary McGath

    Just how does the whois contact information help law enforcement? Do you think that phishers are going to put up their real address and phone number just so the cops can conveniently find them?

    What should be kept up is the domain server and registrar information, so that the hosting of a domain can be determined. But I’ve had to lie about my phone number on my own registrations, so that I won’t be giving out my unlisted number.

    The notion that crooks on the Internet give out accurate contact information is hopelessly naive. The contact information should be dropped from public view.

  • http://www.netchoice.org Steve DelBianco

    Responding to Gary McGath’s comment about false data from bad actors:

    Even false Whois data can help protect consumers and companies. Consider just these three examples:

    When we see false data in Whois, it’s a signal that someone with bad intentions may be at work in that domain. And when that same false data is also present in other domains, we use it to proactively investigate activities on those domains.

    Law enforcement and industry use Whois to help notify victims of phishing emails presumably being sent by the victim.

    Finally, law enforcement and industry use Whois to notify those whose domains have been infected with bots that are broadcasting phishing, spam or denial of service attacks.

  • http://mcgath.blogspot.com Gary McGath

    I doubt that even one person in 100,000 checks a domain’s whois info for accuracy before doing business there.

    It should be my choice if I want to make contact information available in the case of a subverted server. In any case, the “Technical Contact” is more likely to be able to fix the problem than the owner of a personal domain.

    Whois information is of no value in locating people who have been sent phishing email.

  • http://www.techliberation.com/ Tim Lee

    The address information on the domains I own tends to be several moves out of date. I don’t bother to update it, since I have absolutely no interest in anyone sending me snail-mail information or calling me on the phone. I can see an argument for requiring a valid email address, but requiring addresses and phone numbers for domain owners seems silly.

  • venkat2009

    Domain name details and divisions are nice to know in this article. I used the site Tucktail.com for the domain name registration.
