Is it time to get rid of the Whois directory?

The Whois database may disappear.

An Internet Corporation for Assigned Names and Numbers committee is considering a sunset proposal at its meeting this week in Los Angeles that would effectively scrap the directory system on privacy grounds. Among those arguments is that a public-by-default Whois listing may run afoul of Canadian and European Union privacy laws.

Having this debate is not a bad idea. It's about time that we rethought whether the Whois directory service--which has public contact information for domain name owners--should exist in its current form.

Trademark and copyright holders, and their lobbyists, are opposing this move. They argue that a public Whois database is necessary to help track down trademark infringements, copyright infringements, and "cybersquatting."

The American Intellectual Property Law Association even went so far as to claim that "accurate and available information is essential for law enforcement in crimes" (PDF), including "hate literature, terrorism, and child pornography," ignoring that so-called hate literature is constitutionally protected in the United States. (And I wonder how many terrorists and child pornographers will tell the truth when asked for their real home address when registering a domain.)

This is not a new debate. Nearly four years ago, I wrote:

Whois is broken. Like the Internet mail protocols that were drafted during a more innocent era and are now being exploited by spammers, the Whois database was not intended to be melded into the shape preferred by copyright and trademark lobbyists.

The origins of today's domain name system can be found in standards RFC 1034 and RFC 1035, published in November 1987, when the Internet was still young, and commercial traffic would not officially be encouraged for another five years. Back then, before individuals started to buy their own domain names, a public Whois database was necessary to permit network administrators to fix problems and maintain the stability of the Internet.

Today, however, the open nature of the Whois database is no longer a boon to people who own domain names. If you buy a domain name, current regulations created by ICANN say you must make public "accurate and reliable contact details, and promptly correct and update them during the term of the...registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number."

Who wants to make that kind of personal information public for the benefit of spammers, direct marketers, and snoops? You shouldn't have to publish your home address--and other personal details--to everyone in the world, just to own a domain name. And if you decide to lie by typing in "1 Nowhere Road," I don't see why you should be punished for attempting to protect your and your family's privacy.

There are plenty of legitimate reasons why domain name holders might leave their address blank. As an international coalition of civil-liberties groups said in a letter to ICANN in October 2003: "Anyone with Internet access can now have access to Whois data, and that includes stalkers, governments that restrict dissidents' activities, law enforcement agents without legal authority, and spammers...Many domain name registrants--and particularly noncommercial users--do not wish to make public the information that they furnished to registrars. Some of them may have legitimate reasons to conceal their actual identities or to register domain names anonymously."

Since then, the debate has advanced. An ICANN task force published a report last year listing the widely differing views of intellectual-property lobbyists, Internet service providers, noncommercial users, and so on.

Syracuse University's Milton Mueller and Mawaki Chango wrote an analysis this year concluding that the Whois database would never have been made public if it weren't a default rule left over from the Internet's early days. There's also a handy timeline and an overview prepared this month by ICANN staff (PDF). That overview says:

Due to this lack of consensus, the GNSO Council recommends that the Board consider "sunsetting" the existing current contractual requirements concerning Whois for registries, registrars, and registrants that are not supported by consensus policy by removing these unsupported provisions from the current operating agreements between ICANN and its contracted parties, and that these provisions be sunset no later than the end of the 2008 ICANN Annual General Meeting and that such provisions will remain sunset until such time that consensus policy in this area has been developed to replace the sunset provisions, at which point, they will be eliminated or modified.

I suspect that the intellectual-property rights lobbyists will win this round, and Whois will stay around at least a while longer. But this is a fine opportunity to re-evaluate whether all domain owners must have their home addresses, phone numbers, and e-mail addresses publicly available by default to spammers and all other species of Internet miscreants.

[Cricker12]

No, accountability is necessary

I've used the directory twice - once when I had absolutely no success stopping porn spam. I traced it to a Canadian host and found the owner of the domain on Whois. After I forwarded him a copy of what I was getting with a complaint, I never received another spam from them.
Another time I used it when one of my newsletters wasn't getting through to a subscriber in Britain. His email host had NO way to contact them about problems, so I traced the company and found the company that owned them, and emailed the CEO. Problem fixed within a day!
Probably Whois wouldn't be necessary if Internet hosts were required to have a working contact address with people who would actually respond and deal with problems.

[tomanjeri]

there are options to make your info private

I do it on all my domains and as a Web developer I find having
Whois public to be a great help. Many clients are clueless about
their domain name and slightly less about where their Web sites
are hosted. Their coming to me often because their previous
Web developer is long gone or there's a creative or billing
dispute. I need to find out who owns the domain, when it
expires and who hosts their Web site quickly with out stepping
on toes. A public Whois hurts no one, as long as those who wish
their info to be private do so, and every domain registrar I've
worked with has made that option available, very inexpensively.

[contentcreator--2008]

Reciprocal Privacy and Publicity

There's no question there is a great need to be able to access this information for legitimate reasons, without making it open season for miscreants.

There is a sane way of dealing with these sorts of problems: transparency. Require truthful information. But, require the same of those seeking to access it, and log access. So, my information is available to others, but I can go and check and see who accessed it, and have their own equivalently detailed information.

[gsmiller88]

A spammers dream...

The Whois database, while it's original intentions might have been
good, is nothing but a way for spammers to scam domain name
owners.

[fwbroke]

Wi is great ...

I use WI all the time to look up information, 99% of the time to contact people. Hope they keep it around.

[dayebreak]

Bad Idea

So the Whois database for domains that provide goods and services for the public should only be accessible to law enforcement pursuant to a subpeona? So let's say you're Kelly Hoose and the police say those images on your hard drive from that adult site are minors---how do you contact the domain owners: http://amjur.wordpress.com/2007/09/29/alleged-child-porn-victims-identified%e2%80%94as-adults-prosecutor-ignores-evidence-insists-they-are-pre-teens-and-proceeds-with-prosecution/

Domain names should be registered similar to how trademarks are registered, and that information should be publicly available. If they want privacy then they can set up on a blog hosting facility. Delete the Whois and watch how quickly legislation is enacted to control the Internet because of annonymous domain owners.

[BaffyOfDaffy]

Whois is vital

Looking up an I.P. address with Whois is the only way to effectively file a complaint about a host that is abusing internet traffic (hacking or spamming)

[mbrusl]

If they scrap whois, then we all suffer more

I use the whois database all the time to lookup criminals that abuse the net and make my reports to the proper registrar or ISP.

Now if they scrap it, how does a person find out who owns a domain or block of IPs? Not good for most of us. Who would benefit from this? Hmmm...one guess. The criminals like spammers and hackers. Why do you ask? Do you really need to ask? Is because then then they can hide even more without ever being tracked down. Plus it would allow even more criminals to breed on the net. You think you have a difficult time finding out where that spam email really came from, just imagine a hacker gaining access to your computer right from their own system without having to go thru a proxy server to hide their IP address because you cannot look it up anymore. Then while they are gaining access to your computer, they decide to plant criminal information on your hard drive to implicate you in some bazaar crime. Then they call the authorities to make a complaint about you that you have done something against the law that you are now arrested for. However, you never commited these crimes. Scary huh?

Here's another situation. Suppose you run a website and you get infiltrated by a hacker. You have no means to really track them because the tools that you once had, ie whois, was no longer available. So these hackers gain access and turn your site into a porn site that has all sorts of graphic teen and pre-teen porno on it. They don't even bother putting up a redirect from your domain anymore. Why bother when they can run it all right from a bot that was setup in the background and control it remotely. Now who do you suppose the authorities will look at when they find this? Certainly not the hacker/spammers.

See my point? Without some type of mandatory database that is kept current on all domains and IPs, we wont have a chance to know who is who. You think the internet is bad now. Just wait til a few years after the Whois is taken down and you will undoubtedly be seeing something similar to what was in the movie terminator, with the super virus on the net. No other similarities are being said here, because thats fiction. But the super virus could become fact soon after.

Now if there were changes to be made, this could become a plus in everyone's favor. What needs to be done is open the database up for all to see. However, this information would have to be kept up to date monthly with an email verification. And as an additional check could be to send out in the snail mail a verification for a physical address check where the owner has to respond back in writing once a year. For most of us, that not going to be an issue. The cost of the stamp and paper can be included in the registration costs. The only ones that are going to have real issues are the criminals out on the net.

With this said and if instituted, then the net would become a better place because the criminals would not be able to hide as easily as they do now. Anonymous proxy servers would become a thing of the past, as the only reasons people use them, are to hide.