WHOIS Privacy, Security and Copyright Enforcement

Currently, if you own a domain name, your information (or whatever information you provided) is available in a public database known as WHOIS.

The WHOIS database has been the subject of controversy for well over a decade, in particular due to its public nature. On one hand, having a public database of everyone who owns a domain, IP address or DNS server is very useful for those wanting to track down spammers, copyright infringers and others online.

However, it’s also useful to those same bad guys (PDF), who have often crawled the database as a means to find email addresses and contact information for people they want to send junk mail to or generally harass.

But a new proposal by a group within the Internet Corporation for Assigned Names and Numbers (ICANN), the group that oversees the WHOIS system, aims to change that. It proposes making the database private, one that can only be accessed by authorized individuals, thus reducing the privacy and spamming issues that come with a completely open, public database.

However, that proposal has been met with controversy as well. Many argue that users have a right to know the people behind the sites that they’re using while still others fear that such a system could hamper efforts to stop spammers, prevent online attacks and more.

To understand the cause of the concern, we first have to understand a bit more about the WHOIS system itself and how the proposed changes will work, if they are passed as is.

WHOIS It Anyway?

Currently, for most domains, the WHOIS database is both public and distributed.

Though Verizon maintains something of a centralized database, it only includes basic domain information and directs searchers to the registrars for more information. This is because registrars, such as GoDaddy, Enom, etc., maintain separate WHOIS servers and WHOIS databases for their customers.

However, sites such as Domain Tools can automate the process of querying those individual databases and can provide public information.
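The referral step that such tools automate can be sketched as follows. This is an added example, not code from the original article: it parses a registry ("thin") reply, extracts the registrar's WHOIS server and repeats the query there over TCP port 43. The field names checked are the commonly seen ones and are an assumption, the sample reply is constructed, and `registry_server` is supplied by the caller.

```python
import socket

# Constructed sample of a registry ("thin") WHOIS reply; not real data.
SAMPLE_THIN_REPLY = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Registrar WHOIS Server: whois.registrar.example
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
>>> Last update of whois database: (constructed) <<<
"""

def parse_fields(reply):
    """Collect 'Key: value' lines into a dict of lists (keys lower-cased)."""
    fields = {}
    for line in reply.splitlines():
        key, sep, value = line.strip().partition(":")
        # Skip banner/comment lines and keys that carry no value.
        if sep and value.strip() and not key.startswith((">>>", "%", "#")):
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def referral_server(reply):
    """Return the registrar WHOIS host named in a thin reply, or None."""
    fields = parse_fields(reply)
    # Assumed field names: the labels commonly used for the referral.
    for key in ("registrar whois server", "whois server", "refer"):
        if key in fields:
            # Strip an optional scheme, path or port so only the host remains.
            host = fields[key][0].split("://")[-1].split("/")[0].split(":")[0]
            return host.lower() or None
    return None

def whois_query(server, query, timeout=10):
    """Send one query to a WHOIS server on TCP port 43 and return the reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("idna") + b"\r\n")
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def lookup(domain, registry_server):
    """Query the registry, then follow its referral to the registrar if any."""
    thin = whois_query(registry_server, domain)
    registrar = referral_server(thin)
    if registrar and registrar != registry_server.lower():
        return thin, whois_query(registrar, domain)
    return thin, None
```
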

To many, this is disconcerting, especially since many register their domains with their home address. As a response, many site owners purchase domain privacy services, such as Domains By Proxy, that replace the personal information in the WHOIS database with their own.

However, it’s important to remember that ICANN requires the information in the WHOIS database to be valid. As such, these services forward on email and postal mail sent to them. There are also circumstances where the services will typically reveal the actual identity of a site owner.

But while this is how the system is supposed to work, there have proved to be many problems with it. Many people, including both ethical and unethical site owners, deliberately put false information in their WHOIS records, usually without repercussions.

Likewise, at least some spammers have seized upon the WHOIS system, including registrars that do a poor job preventing unauthorized access to their database, to contact thousands of site admins. Also, others have used the database as a means to send junk mail, often false domain renewal requests, and even seize domains through human engineering.

The new ICANN proposal aims to fix many of these problems, but others worry that it creates much bigger ones than it solves.

The Proposal

The proposed solution is actually very straightforward. Rather than have a public and distributed WHOIS system, switch to a private, centralized one.

Instead of each domain registrar maintaining their own WHOIS database, those records would instead be sent to an “aggregated registration directory service” (ARDS). However, the ARDS database would not be searchable by the public; users would instead have to apply for access to it.

What that exact application process would be is not known, other than it would be an attempt to minimize abuse and ensure that those with access to the information are accountable for any abuse.

But while the proposal seems to address many of the privacy issues that people are having, it raises other questions that are at least equally serious.

The Problem with WHOIS Privacy

If you find that your content has been infringed by a site with its own domain name, you will likely either want or need the WHOIS information to determine who to contact. This is regardless of whether you want to contact the site owner directly, looking at the WHOIS information attached to the domain, or send a DMCA notice to the host, which requires an IP WHOIS query to determine who controls that network.

If you can’t access the WHOIS server, you are limited to just the information on the site itself and, if there is contact information available, it may be out of date or ignored.

This means individuals who are seeking to enforce their copyright through DMCA takedowns will likely struggle to determine who the host of the site is in many cases. This may, in the long run, result in more copyright holders turning to Google for help, sending DMCA notices to the search engines to get infringing pages removed from their indexes (rather than simply getting them removed from the Web).

While this could be a boon for people such as myself who provide DMCA services (I would most likely go through the process of becoming authenticated and may gain business from those who don’t or can’t), it would be bad news for content creators in general.

However, copyright is only one area in which this could impede legitimate investigations and enforcement. Spam, phishing, spyware, hacking attempts, botnets, etc. could all be accidentally protected by a more private WHOIS system.

Of course, all of this hinges on the unanswered question of how difficult it will be to get access to the ARDS. If it’s too hard, almost no one will be able to access the data for enforcement, creating a potential security issue. On the other hand, if it’s too open, the system does nothing to address the privacy problems that it’s trying to solve.

In short, a restricted WHOIS system will not necessarily make the Internet safer. In fact, it can make it much more dangerous by protecting the very people it was designed to expose.

Bottom Line

Obviously, there is a need for balance when it comes to the WHOIS database. There’s a need to find a way to reasonably protect the identities of people who have legitimate reasons for wanting to protect them and a need to help investigators track down and stop various abuses on the Web.

There’s no easy answer to this and the current system is riddled with flaws. Not only does it leave the personal information of webmasters completely exposed, but it also is filled with inaccurate information, limiting its usefulness.

Solving this problem is going to take drastic action, but going from one extreme to another isn’t likely to solve anything and may make things much worse.

There are better, more targeted solutions that are available if ICANN is willing to explore them. Those include steps that let individuals keep their information private while requiring companies, including those who own IP addresses, to have their information public.

Even though such a system would not be perfect, it would be preferable to the proposal currently being floated.
