
Unfortunately, we have renewed our ICANN accreditation - rrauenza
http://iem.easydns.com/link.php?M=1080600&N=201&L=181&F=H
======
stormbrew
You know what would make whois data more accurate? Requiring that registrars
provide basic anonymization without any extra fee and build a meaningful
process for situations where breaking that anonymization is actually the right
thing to do (ie. not an opportunity for collection of bulk mailing address and
phone number lists for spammers and phishers).

It would cost the registrars something to do so, obviously, but so does this.
And a basic level of privacy should never have been allowed to become a
premium service to begin with.

~~~
BinaryIdiot
For what it's worth Google Domains provides free privacy and a few other
things (including up to 100 DNS entries per domain). They cost a little more
though.

~~~
marincounty
Yea, transferred one domain and it was $10. I haven't heard from them, so I'm
assuming it went smooth. After being stalked by Godaddy over the years, I
think I developed Stockholm Syndrome? Hay GoDaddy--I will date you again if
you bring back coupons for renewals? We were together a lot of years, let's
not breakup over money?

(If any Registrar reads this, could you explain the extra cost of providing
free whois privacy? It seems like the cost associated would be minimal, and
the payback would be huge? I heard the true cost to a company for a .com
domain is around $7.00? Go ahead and add one or two dollars to the domain for
profit. Just be consistent, honest, and no shenanigans. Oh, I looked into
Gandi--and they are just to much money.)

~~~
luch
Funny enough, Laurent Chemla (Gandi's founder) did publish an essay in 2002
called "I am a thief", denouncing registrars' artificial prices (Gandi did cut
prices at that time).

An extract [FR] :
[http://www.chemla.org/textes/voleur.html](http://www.chemla.org/textes/voleur.html)

------
ghshephard
I have a small number of domains (about 15 at last check) - and most of them
have a mailing address from 16 years ago. If all they verify is email, why
does this process have any value? It's not like you can't (A) Spin up a random
mail server in 30 minutes, or (B) save yourself the trouble and just use
mailinator.

This, finally, is the most pure form of security theater I have ever seen.
There is no possible argument that this would deter any bad actor from doing
bad things with their DNS domain - totally useless policy.

~~~
rhizome
It has value to _you_. What are you going to do when you get a default
judgement against you and get your domain(s) transferred away from you because
you decided to be cute and put 123 Elm St. for your address, preventing
service of process?

~~~
ghshephard
The comment I was referring to was that sentence about working with LEAs to
ensure accuracy.

If I really have concerns about losing a domain in a legal process, (I'm a
corporation, or ongoing business) - I would use the services of a domain name
portfolio management company, like MarkMonitor.
[https://www.markmonitor.com/services/domain-
management.php](https://www.markmonitor.com/services/domain-management.php)

~~~
rhizome
MM doesn't appear to protect you against attempted trademark-infringement
claims.

~~~
ghshephard
Trademark/Intellectual property claims, in both directions, are one area of MM
speciality.

 _Domain Services

As a full-service, corporate registrar, MarkMonitor offers a complete range of
domain services:

.Brand Registrar Services Trademark Clearinghouse Services Registrations,
renewals and transfers Domain recovery, snapping and masking Enterprise DNS
UDRP administrative services Local presence Domain locking Mission-critical
domain security, including Two Factor Authentication SSL certificates_

Check out
[https://www.markmonitor.com/solutions/role_based_solutions-l...](https://www.markmonitor.com/solutions/role_based_solutions-
legal.php) for some of the services they offer.

~~~
rhizome
As far as I can tell, they only deal with trademark assertion, not defense.

------
dangrossman
Coincidentally, the service some registrars use to do the verification
(wdrp.name-services.com) is down right now. How much fun must it be to watch
your business taken off the 'net because you _can 't_ click a "this
information is accurate" button.

~~~
chippy
When it is up, navigate to name-services.com and see the most dodgy shady
looking site. It does nothing to instil confidence in this process.

I had to spend a good 30 minutes trawl through Dreamhost's forums to get an
official "OK" that this was a legit email.

~~~
talideon
eNom are owned by Demand Media, so that's pretty much what you can expect!

~~~
aeden
Actually, they are no longer owned by Demand Media, rather they are a brand
under Rightside.

~~~
talideon
It's barely worth differentiating between Demand Media and Rightside Group
(and Donuts, for that matter).

------
junto
Somebody needs to create a service which does the following:

\- gives you an email address for the whois as a proxy

\- automatically follows the link given in the email and clicks the stupid
button

\- waits for the confirmation email

\- if after 48 hours you haven't received confirmation then the system
escalates it to a human proxy to click the stupid button (Turk maybe)

Reminds me of Lost

~~~
hyperliner
Let me upgrade that service:

\- Generates real-looking names

\- Generates a "social live" across the internet, with pictures, Linkedin
profiles, and "friends"

\- Generates "obviously valid" email addresses

\- Provides an email forwarding service to your real address as above

\- Provides a "Post office box" pseudo-service so that you can add that as
your "real address"

\- Generates extensions for a (800) we all can use to as to protect our real
phone numbers

\- Signs up to your registrar's information and updates it

You just got yourself a "valid" info set in the eyes of ICAAN (without having
to pay anon services).

~~~
bigiain
"\- Provides an email forwarding service to your real address as above"

Another suggestion - the service keeps a public gpg key you supply, and posts
the email, after encrypting it to you, to usenet/pastebin/wherever searchable
(perhaps by the key fingerprint?), and maybe publishes notifications of that
somewhere distributed (maybe a has tagged Tweet where that hashtag is the key
fingerprint?)

Sign up over TOR, and you could have a pretty good "air gap" between you and
any messages it receives for you. Wouldn't matter if they get subpoenaed or
NSLed - they'd never be able to see who's _reading_ those messages.

------
thaumaturgy
I've already started seeing spam and phishing attempts for official-looking-
but-fake whois verification emails. It was obvious that this was going to
happen when ICANN first announced this new requirement, and I'm only surprised
that spammers haven't been even more on the ball about it.

We haven't yet begun to see how ugly this stupid new program is going to get.

~~~
Zelphyr
It goes without saying but I think we're rapidly getting to the point where
Law Enforcement Agencies are the bad guys.

~~~
talideon
If you think the current WAP is bad, you should've seen what the LEAs were
originally demanding registrars implement! _shudders_

------
cyphunk
Can we just agree that either now or in the near future the idea of thought or
expression without attribution is a thing of the past. Something that our
grandparents internet had but not for us.

This slow crawl of both policy and protocol toward greater bureaucracy will
have a much more permanent effect than say the NSA/GCHQ spying.

~~~
return0
not really. Although generic internet users keep making the internet a "safer
space" , there will be a critical point when a fork will occur for those who
still think the internet can be interesting.

~~~
nrivadeneira
Reddit can be seen almost as an anonymous fork to some degree. Obviously it
doesn't share the same network concepts, but the spirit of anonymous
information sharing is there.

~~~
lmm
Reddit has already started closing its most controversial subreddits. Expect
it to continue to "clean up" as it grows. It's a business after all.

------
talideon
The whois accuracy program is such an enormous pain in the arse. It's
worthless junk law-enforcement agencies demanded be included in the 2013 RAA
that will have _no_ useful impact on anything. It's just a massive resource
drain on registrars.

~~~
jacquesm
> It's just a massive resource drain on registrars.

And on their customers.

~~~
talideon
Yup, but for customers, it's just a periodic annoyance. For registrar, it's a
constant support overhead. I expect domain pricing to increase as more
registrars have to move over to the 2013 RAA.

Nobody's happy with this crap.

------
Glyptodon
I still have a really hard time with the idea that a domain needs to have
"valid" or "meaningful" whois data at all... ...and now there's this? Sounds
like a fishing windfall.

~~~
krisdol
I _wouldn 't_ have a problem with it if the data weren't so easily to crawl
and parse by spam-bots and robo-callers. Ever since switching away from an
whois-anonymization service for one of my domains, the amount of spam letters,
emails, and robocalls from telemarketers I get has increased more than ten-
fold.

For some reason people assume that these whois-anonymization tools are just
used by squatters and spam websites, but I use it to someone overloading my
physical/digital/voice mailbox.

------
PythonicAlpha
I also got such eMails lately and was wondering, because I could find no
connection between the web-address linked to and the company I was ordering
from in the first place, nor any registering authority!

I also asked the company and they said that it was legit, but came from some
kind of service provider.

Finally, the web site, I was directed to also looked very suspicious and less
than professional (something, a hacker could have made up in a weekend -- and
again no names, logos or information that could make up a connection to my
business contacts).

I really would appreciate, when they could make the process more transparent
and less phishing-prone -- so anybody could make up a nice sounding domain and
fire eMails to people with domains ...

Somebody could think, that domain registration authorities have at least basic
knowledge of internet threats ...

------
allochthon
I have a domain registered under my real name and personal email address.
Coming away from the article, my understanding is that my domain is liable to
sniping if I step away from the Internet for more than two weeks (e.g., I go
on a trek into the jungle somewhere) and don't take steps to have a friend or
colleague keep tabs on the issue. This seems like a straightforward and
obviously undesirable scenario; I wonder what came up in the ICANN
consultation when it was discussed.

~~~
Rifu
I believe the two week timer only starts if you initiate a domain transfer,
modify your domain's WHOIS info, or have a renewal notice bounce. 2/3 of this
are forces that are within your control, so you can at least plan around that.

~~~
RobAley
Further, I beleive that if it does happen, your domain is just suspended, i.e.
set to not resolve, and isn't available for anyone else to register/snipe.

------
ekanes
This is a big opportunity for registrars to make their customers feel safer:
"We will go to extra lengths to make sure you don't lose your domain this way.
We will pick up the phone and call you."

~~~
astrodust
Yeah, like I need my registrar calling me all the time. What if you have
several hundred domains? Are you really going to call and harass me about each
one?

~~~
ekanes
Sure, but you always have a few Truly Important domains, that you DO NOT want
to lose. This is about those. An easy solution would be to charge you a few
bucks more for domains you designate as Important.

------
talideon
Oh, and one other thing: while other registrars tried to resist stuff like
this being added to the 2013 RAA, EasyDNS were one of the registrars that sat
on the sideline and did nothing.

Let's just say I don't have too much time for their moaning and griping now.
They should've engaged with the registrar constituency back when the
negotiations were happening.

~~~
StuntPope
We're in the RRSG now, we joined last year (better late than never) - that
said - speaking as somebody who has been on the CIRA board and involved in
early ICANN Whois TF, there isn't a lot that can be done about it. Registrars
are pretty much a captive audience with zero power wrt ICANN and governance in
general.

~~~
talideon
As individuals, yeah, but I know plenty of what goes on behind the scenes, and
what goes on in the mailing lists is only a fraction of the story. A savvy
registrar can have plenty of soft power if they know what they're doing.

BTW, you should get involved in the IETF provreg and eppext WGs: we need a
stronger registrar voice there, and the more registrars involved, the better.

~~~
StuntPope
Time constrained lately but happy to look at it, shoot me an email ( pretty
easy to find it )

------
eridius
I wonder if it would be worth having a way to expressly request that easyDNS
(and any other domain provider following this policy) send a test email for
your accounts? This would be an email that looks like the one they'd send for
this program (as close as possible to ensure spam filters treat it the same)
but is labelled somehow as a test. This way you can make sure that a) the
email address on file works, and b) the email will make it past your spam
filters.

~~~
trombone8
Why need it be a test? If verification just needs a click on a link it doesn't
seem very onerous to require that click. If the mail doesn't arrive, you know
you have a problem with a deadline NOW, instead of a randomly appearing
problem in the future. The former certainly seems better.

~~~
eridius
The problem is you don't want to start the 15 day countdown if you have a
problem receiving the email. Yes obviously you'd still have a problem because
the countdown could be triggered at any time in the future, but it's still
better to not trigger it immediately if you can avoid it.

That said, if the test email bounces, that might be required to start the
countdown anyway?

~~~
logfromblammo
The test e-mail is an e-mail from the registrar to the contact address, so if
it bounces, the register is then required to send a real e-mail to that
address, which will presumably also bounce. _Then_ the countdown starts.

I have very little expectation that the boneheads who came up with this scheme
considered this possibility, and therefore exempted test e-mails from the
bounce-trigger requirement.

The imaginary black-hat that hangs out on my left shoulder has already
suggested that spoofing a bounce message for a correctly delivered registered
e-mail could be used for mischief. Phishing the domain customers is entirely
too obvious for him, though the imaginary white-hat that hangs out on my right
shoulder seems quite concerned about it. They both agree that black-hat wins
this round.

------
javajosh
On the bright side, this will really breath new life into the domain
sniping/blackmail economy!

~~~
trombone8
How? By finding bugs in the interface that allows hostile users to set new
values for the email address at the registrar and using this for triggering
the 15 days period?

~~~
notahacker
Why bother with looking for interface bugs? Domain owners have been told they
risk losing their website if they don't respond to requests for confirmation
of the details of their domain name. So how about I send some emails asking
them to urgently pop by my website, which looks very much like the registrar's
website, and log in to update their details?

Or if I didn't want to do anything actually illegal, I'd probably have an
enhanced chance of success in pulling off the Domain Registry of America scam
and convince people they must update their details [by transferring to my
registrar] in the next 15 days.

Seems almost certain to become the most frequent uses of the contact details
ICANN has kindly ensured will be up to date and accurate.

------
jayess
What a completely worthless process.

~~~
WaxProlix
The post sure does a lot to paint it that way; makes you wonder what, if
anything, is the counterargument?

~~~
trombone8
To me, one issue seems to be that ICANN dares to demand of the registrar that
they must verify the contact information that is REQUIRED to be present in a
registration... that's not really a sane stance to have when you sell a
subscription to what is basically an identity, so lets put that aside.

One other complains is that this verification procedure is really weak: "just
send a mail with a link to the address provided"

Imagine if ICANN changed their rules so that a more substantial verification
process of the MANDATORY fields was required? Like if they didn't make it
optional to verify the telephone number, what would easyDNS do then? From
their post, I presume they would go insane, declare Holy war on the ICANN, and
then start assaulting ICANN officers with the sharp edges of their ibook 12"

They also complain that its a huge phishing opportunity because they must send
mails with a link for people to click, but according to the ICANN spec they
link to the actual requirement is[1]: """ [...] sending an email requiring an
affirmative response through a tool-based authentication method such as
providing a unique code that must be returned in a manner designated by the
Registrar """ So the mails looking very phish-y is entirely their their own
choice, the spec does not mandate that the title is "Look at these funny
pictures, friend" or anything.

Finally, they complain this will lead to a lot of big sites going down because
they are forced to suspend domains if people don't take certain action within
a certain time (although they don't clearly argue that the time is too short
or something like that). But big sites already go down because the dns owner
has been negligent with their interactions with their registrar, like failing
to pay their fees for instance.

So this is not a new type of problem really, you actually already have good
reason to read the mail from your registrar, who knew? (Not Sony online:
[http://www.pcworld.com/article/2454820/sony-gaming-
websites-...](http://www.pcworld.com/article/2454820/sony-gaming-websites-
down-over-unpaid-bills.html))

[1]: [https://www.icann.org/resources/pages/approved-with-
specs-20...](https://www.icann.org/resources/pages/approved-with-
specs-2013-09-17-en#whois-accuracy)

~~~
talideon
I don't blame ICANN for this: this demand came from the law-enforcement
agencies. I know that internally, ICANN would've been happy sticking with the
existing WDRP process.

~~~
mapt
What is ICANN's motivation for complying with law-enforcement agency demands?
Quite a number of them have proven themselves to be bad actors in the past,
and there are provisions in civilized society that restrict them from actually
demanding things, absent a specific court order. Which shouldn't really apply
to an international regulatory body in a prescriptive manner by most standards
- and if it gets such orders it needs to leave for another flag of convenience
that doesn't cripple a global infrastructural standard.

"The Net interprets censorship as damage and routes around it" should be the
ideal we aspire to. LEA and intelligence-agency intervention in the Internet
system is typically damage to our liberty-printing machine, one way or
another. Their incentive structure offers no benefits and poses a lot of
difficulties in dealing with a free Internet. Pressure from them should be
expected as an open adversary to the free Internet, and defended against.

~~~
talideon
They might've proven themselves to be bad actors, but they're backed by
national governments, and that gives them a lot of sway when it comes to these
things. LEAs do have a legitimate interest in this kind of thing because
domain names can be used for fraudulent and otherwise illegal purposes, which
is why they're involved in the process. However, it's up to the other parties
to moderate this influence where possible, which is what the registrar
constituency fought for in the negotiations.

Believe it or not, what the LEAs were looking for in the first place was
significantly more extensive then what ended up in the RAA. Here are their
recommendations: [https://www.icann.org/en/system/files/files/raa-law-
enforcem...](https://www.icann.org/en/system/files/files/raa-law-enforcement-
recommendations-01mar12-en.pdf)

------
josefresco
I get tons of these WHOIS emails as I build websites for small businesses. The
last ICANN email I see regarding WHOIS data accuracy said the following
(GoDaddy)

"If you find that your domain contact data is current and accurate, there's no
need to take action. If, however, your domain contact information is
inaccurate, you must correct it."

This was sent on May 5th - when does this new policy take effect or does it
only effect when you renew/transfer/register?

Edit: I RTFA again and see that the date is June 23rd(?)

~~~
300bps
The email you received was a "friendly reminder" to make sure your registrant
contact information is accurate. It is officially called a Whois Data Reminder
Policy email.

If it was accurate, GoDaddy is correct - there is nothing further for you to
do.

If, on the other hand, the email they sent you would've bounced back as
undelivered then you would've ended up into the next phase. "Click this within
15 days or else."

~~~
Spoom
In fact, GoDaddy in particular (used to?) charge you $25 as a penalty if they
determine that your whois information is incorrect. That's the reason I took
my domains elsewhere.

~~~
crististm
Let's not forget about SOPA/PIPA/OTHER_PA which godaddy famously support.

------
bikeshack
Rather than be harassed by ICANN emails it would be preferable for EasyDNS to
handle any admin issues on a case by case basis. That should, after all, be
included in the cost of buying a domain. I always made sure my registrars were
handling this on my behalf, and for domains where I was required to submit
personally identifiable information; I let the domain expire and die. It's not
worth the hassle. I don't work for free.

~~~
talideon
They can't. They're contractually required to contact you about this stuff.

------
higherpurpose
Interesting:

[http://www.theregister.co.uk/2015/05/21/icann_ceo_quits/](http://www.theregister.co.uk/2015/05/21/icann_ceo_quits/)

~~~
talideon
Fadi quitting has nothing to do with this. The 2013 RAA was done and dusted
before he even started.

------
adamcharnock
Are there any avenues open for avoiding being part of the WAP? i.e. are there
any registrars the WAP will not apply to?

~~~
ca98am79
ccTLD registrars do not need to be ICANN accredited (e.g. .io, .ly, .me, .to,
etc...)

~~~
talideon
Though some, such as Nominet (*.uk) are bringing in not dissimilar procedures:
[http://www.nominet.org.uk/how-participate/policy-
development...](http://www.nominet.org.uk/how-participate/policy-
development/current-policy-discussions-and-consultations/data-quality-policy)

Many ccTLD registries have stricter policies when it comes to WHOIS data, and
actively audit their contact databases for dubious data, place restrictions on
contact updates, or actively review registrations and contact updates to
ensure that the contact data provided is valid.

.me, .co, .io, .ac, .sh, and a few others, are relatively easy-going. .us is
straightforward enough too, and though there are technically restrictions on
who can register .us domains, they're not really enforced all that actively by
Neustar. I really like the .me registry: they're good people.

------
xenophonf
Phishing attempts using "Click this link to verify your Whois data" in 3...
2... 1...

------
nailer
Agreed 'click here to confirm your details on domainadmin.com' looks
suspicious. Maybe EasyDNS can send their customers a 'heads up' email to let
them know to expect the whois accuracy email?

~~~
Mickydtron
Phishing training companies will actually use this tactic (they call it
'double barrel'), which makes me think that real phishers are already doing
this, too. What I think would be better is an email that said to go log into
your account to complete the confirmation, instead of following any link in
the email itself. It's less convenient, but it's not something that phishers
would tell you to do.

~~~
nailer
Sure but domainadmin.com may not have an API to make that possible (they
should have one though, and if they don't it's a reasonable criticism).

------
higherpurpose
Can we kill the DNS system already and move to something more decentralized?

~~~
forgottenpass
It is decentralized, you can spin up an alternate root right now. The problem
has been, and always will be namespace coordination.

You can argue that ICANN could have done better. And part of me still cares,
but of course ICANN fucked up the existing root. In the current business and
legal climate, it's basically a foregone conclusion.

~~~
yellowapple
That's not decentralization; that's just moving the single-point-of-failure.

A better system would be something based on a cryptographic blockchain/ledger,
like Namecoin. Thus, no reliance on a central authority to decide which
domains are or aren't valid; you instead just look at the ledger (which is
maintained decentrally by network participants).

~~~
jsmthrowaway
We can't even deploy IPv6. What's your plan for getting your system deployed
in every Internet connected device, including ancient routers without
cryptography chops and refrigerators, then transferring the multiple billions
spent on the current namespace into your system without conflict?

~~~
lucb1e
> We can't even deploy IPv6

Actually, all my traffic is v6 by default using Telenet (Belgium) and XS4ALL
(the Netherlands). And yes, those are mainstream ISPs. Lots of services, most
noticeably Google and thus Youtube, use it by default as well.

We're nowhere near 100% yet, but as the need increases we _are_ getting there.

~~~
jsmthrowaway
As anyone who knows what you just condescendingly explained knows, anything
short of 100% doesn't alleviate the problem that motivated IPv6 in the first
place. Until absolutely everything is accessible via v6, we must continue to
allocate v4 (or, worse, NAT it all), so we aren't really anywhere.

It was a side point. I'm on dual stack Comcast, so I already knew what you're
telling me, and I made the point nonetheless.

~~~
lucb1e
First of all, sorry, I did not mean to be condescending. People keep repeating
we can't do X because we can't even deploy IPv6 and X is an equally large or
bigger change. Since I've got v6 for years and am getting it in more and more
places, we're getting there alright.

So I do not understand how you can say we cannot deploy v6. You are running
dual stack as well, clearly we are on the way there? And yes of course we
first need widespread deployment before we can turn off v4 entirely, but the
fact that we both have it means that people are getting it and that we can
turn off v4 at some point in the future.

And as an aside, we don't actually need 100% exactly: at 99% (or something)
it's not going to be cost effective to get v4 addresses for everything anymore
and more stuff will become v6-only.

------
moron4hire
What really sucks is that the email some hosting providers are sending out
looks really super spammy. If I hadn't paid very close attention and Googled
the issue, I would have trashed it. At least in DreamHost's case, they look
like phishing emails and the links go to a non-DreamHost domain. But if you
dig into the DreamHost support forums enough, you'll find confirmation from a
developer there that it is legit.

And that's all you'll find. So who knows. It's a pain in the ass.

------
return0
I dont even understand how ICANN can make that decision which has very dubious
benefits. The equivalent would be to require all newspapers to disclose the
real name, telephone email and address of everyone who writes an article or
puts an advertisement in their pages. I might even get it if ICANN required a
private registry with these data; But the useless whois database only serves
as a goldmine for spammers that want me to renew my domains for $1000. this is
illogical and i m at a loss

------
jtchang
I haven't used easydns yet (mostly been using namecheap) but this convinces me
to give them a try.

~~~
eps
This pretty much what this posts exists for in the first place.

------
legohead
They try and appear to be very open about the whole thing, but no mention as
to why they need to be accredited in the first place? Can they just choose not
to get the accreditation and still give out .com domains?

~~~
realityking
ICANN accreditation is a prerequisite to be a registrar for certain TLDs,
including .com and all new TLDs.

------
bhartzer
I have no problem with the Whois Accuracy Program. Make sure you have up to
date whois contact info, or use a whois privacy service if you don't want your
contact info public.

Should web surfers have to right to see who owns a domain (via whois) even if
the domain owner doesn't publish that info on the site? Should they have the
right to (try to) contact the domain owner via the whois and have a reasonable
expectation that that email is going to get to the domain owner (even if they
choose to ignore it)?

~~~
notahacker
If ICANN believed "web surfers have a right to see who owns the domain" it
would ban DNS privacy services rather than enacting this bullshit.

I actually think the rights of web surfers are far more infringed upon by
being unable to access a website because the contact at the organisation that
built and paid for it was on holiday or ignored an email (or possibly didn't
even see it because the spam filter thought it looked like a phishing attempt)

I cannot believe you are defending this.

And for the record, as a domain owner I actually _don 't_ think you
necessarily have a right to email me or the non-technical administrative
contacts to try to sell us similar domains or persuade me to switch to your
dodgy registrar. Even if I don't provide an email address there's always the
option of taking it up with the registrar if there's a genuine legal issue
with the domain or what it points to.

~~~
krisdol
As someone who owns a personal website/domain -- not a business one -- I have
never been legitimately contacted by visitors via the whois info; but now that
I switched away from whois-privacy service I get several letters a week, 2-3
robocalls a day, and hundreds of spam emails a week from bots that spam
legitimate whois contacts.

~~~
TimWolla
I never understood why the .com (.net, .org etc.) domains provide the
registrant information via port 43. Denic for example only provides
information about Tech-C und Zone-C. The other information are behind a
Captcha.

------
BinaryIdiot
I had to do this back when I used GoDaddy just a few months back. I was able
to verify all of my domains but one. For whatever reason I'd click on the link
in the email, go to the page, verify it then get another email a few days
later since I didn't verify it.

Fortunately it was a domain I was going to let lapse so I didn't bother trying
to deal with their support but I swear I verified it 3 different times and
never once did it say it successfully went through. Very frustrating
experience.

------
DanHulton
I literally got hit with this the other day and set it to my registrar as an
obvious example of cheap bullshit fishery.

Imagine my surprise when they wrote back, telling me it was legit.

What an awful, awful program.

------
troyjfarrell
Is there a reason registrars aren't cryptographically signing these messages?
That would give everyone a relatively simple way to verify that they aren't
forged. I get that not everyone who will receive these messages are technical
enough to figure out PGP or S/MIME, but it would be trivial for Gmail,
Outlook.com, Yahoo Mail, etc. to put a pretty seal on these signed messages.

------
tc7
I think when I get one of these from my domain registered through Dreamhost,
it says something to the affect of "Log in and check, if it's OK do nothing",
which is much nicer than having to log in and take action (like I have to do
with Godaddy). I'm basically not required to do anything.

Is that an option? Seems to sidestep these rules, but these rules seem silly.

~~~
StuntPope
You're probably referring to what are known as "Whois Data Reminder Program"
emails (WDRP), which is a few years old. Also mandatory to send those out, but
can be safely ignored (which is what makes this program so much worse).

Even the guy who invented WDRP later admitted it as a useless program which
should die.
[http://www.circleid.com/posts/20120719_a_confession_about_ic...](http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/)

This is much much worse.

------
leap_ahead
So if one wanted to knock over a competitor's business, it would only take to
arrange for the owner to be unavailable for a couple of weeks, send this
email, wait for the deadline, grab the domain. Profit.

What happens if you become sick or get in an accident and must go to a
hospital? Game over?

------
benmmurphy
When I registered a domain with Amazon Gandi sent me the verification email
and it went to my spam folder. Luckily, Amazon sent me a follow up email
saying my domain would be suspended unless I followed the instructions in the
Gandi email.

~~~
pimlottc
> Amazon Gandi

For a moment there, you had me thinking that Amazon had purchased Gandi! But
no, I see they are just partnering with them. Phew.

------
antonp
disclaimer: I work on a wal-related project for a TLD

Let's not throw the baby out with the bathwater.

Projects like the WAL actually do help prevent the spread of malicious sites.
Some TLD registries go into great length to ensure that the identity of their
registrants is valid (address, phone, email).

Valid whois data is a necessity when processing some of these cases (from a
legal point of view). I see this in practice every day.

The potential burden for the majority of domain owners (those who don't plan
to do anything illegal with their little piece of internet real estate) is
undeniably an issue, but projects like WAL have very real merit for the
internet as a whole.

~~~
klausjensen
But if all it takes is an email confirmation, how on earth does this prevent
bad actors from faking their data? Or use a straw-man?

This looks exactly like security theater to me.

Disclaimer: I may or may not have a domain registered in the name of my cat.

~~~
astrodust
It's true. There's honestly no way for these companies to know that "Walter P.
Fluffington" isn't a real person.

~~~
LLWM
Sure there is. Outsource that verification to someone who already needs to do
it, like the local government. South Korea has a pretty poor implementation of
this already, but things will only get better over time.

~~~
astrodust
Do you honestly think it's feasible to maintain a database of contacts for
every country and quasi-political entity in the world?

Secondly, I'm not even sure how you'd reasonably do this in a country like the
United States where there's a functioning government if only because there's
50 states plus other territories to deal with. How would you go about
verifying that "Walter P. Fluffington" exists and lives at some arbitrary
address in Puerto Rico? It seems extremely time-consuming unless you are going
to exclude people who have driver's licenses or some kind of government ID
issued to them, or are foreign citizens living and working there under a visa
of some sort.

This also doesn't even come close to addressing what happens when you register
a domain with someone _else 's_ name.

The whole thing is completely pointless. If South Korea can't do it, nobody
can.

~~~
LLWM
The whole point is you don't verify it. You accept their government-issued
identification and verify the validity of that. Currently this is done
stupidly by comparing their face to a photograph, but if the demand is there,
the process will improve.

Compare to how we verify certificates. Trusted CAs issue certs and we verify
the chain of trust.

~~~
astrodust
If you're depending on "government-issued identification" you've already
failed.

A) What does that even mean? What's considered valid? There's got to be at
last 100 different forms of this in the United States alone. How can anyone be
familiar enough with all of these forms to verify them? Then consider there's
several hundred countries around the world, each with equally quirky
identification systems.

B) So the "face to photograph" method of identification depends on someone
supplying a photograph of themselves? Since when is this part of the process
for applying for a domain name? Secondly, it's impossible to verify that the
photograph is of the applicant. Are we applying for domains at the DMV now?
What about people who have identification where their face is concealed, or is
a woman no longer allowed to register a domain in places like Saudi Arabia?

C) Why should having government-issued identification be a pre-requisite for
owning a domain name? What if you're 10 and want "billyslemonadestand.com",
paid by Bitcoin?

This isn't a trust issue. Owning a domain name shouldn't be terribly
difficult. This isn't like an EV SSL certificate where a notary is going to be
involved. Their entire process is complete _bullshit_ and does nothing to
improve the security of anything.

~~~
LLWM
Uh, yeah. We're not talking about their process. We're talking about how to
improve it. AKA by making it not bullshit and by requiring real verification.

------
evmar
Clearly you need to provide a working email address to receive the
confirmation. Does anyone know the consequences of providing wrong information
anywhere else?

~~~
talideon
Potentially, you can have your registration revoked, but usually the address
information isn't checked. If you don't want your information appearing in
WHOIS, go with your registrar's WHOIS service, if they provide one. Don't use
a third-party 'service', as you'll effectively be in breach of their TOCs
(because you've provided inaccurate information to the registrar).

------
hurin
Can't we just get Namecoin or another blockchain based service supported in
major browsers, so ICANN is no longer a sole monopolist?

------
evantahler
Invalid link?

------
chetangole
GoDaddy already follows this!

------
xianshou
The tl;dr: Respond to an email and confirm your ownership of the domain within
15 days, or your site dies.

I would discourse further on the silliness of this policy, but they stated it
best: "You can thank ICANN...because if it were up to us, and you tasked us
with coming up with the most idiotic, damaging, phish-friendy, disaster prone
policy that accomplishes less than nothing and is utterly pointless, I
question whether we would have been able to pull it off at this level. We're
simply out of our league here."

~~~
StuntPope
The clarify - you will need to do this at key events:

* New domain registration

* Domain transfer

* Upon receipt of an NDN (bounce) in some other mailing

We'll be putting together a mini-FAQ based on questions and feedback of this.

~~~
talideon
Also, if you update any contacts associated with the domain.

------
harry8
Please don't overlook that ICANN is regulatory capture. The idea you need to
pay more than 2c/year for an entry in a goddamnn database and you have to pay
a designated intermediary to make that request is, well, lucrative for the
intermediaries because there's this massive barrier to entry to setting up in
competition with the intermediaries.

Does it look the same as "a seat on the exchange" in the financial world -
trade on an exchange, you and your counterparty both get skimmed by a "broker"
as well as by the exchange.

Anything to make something as simple as putting a tiny entry into a database
more of a pain and hassle justifies the ridiculous fees. The worse they do it
the better it works for them. Incentive, yeah, let's make sure this screws up
and looks like phishing, then they'll _really_ _need_ us and we can claim to
be the _good_ guys with utterly ignorant law enforcement who don't understand
what they're asking for being the bad guys.

If this cost the intermediaries money rather than being something that will
turn out to be lucrative for the industry as a whole, you'd have a very
different result.

Now watch the downvotes and screams from the intermediaries and their
apologists. Hi, enjoy your money!

~~~
eropple
_> Now watch the downvotes and screams from the intermediaries and their
apologists. Hi, enjoy your money!_

I downvoted you for this grandstanding, not for the rest of your post (which I
agree with, for the most part, I think it's a crock). The "conspiracy behind
every hedge" rhetoric stinks, and I wish we wouldn't do it here.

~~~
harry8
Oh come the hell on. Not a conspiracy or anything like it. Just pure market
forces in the presence of a market failure. Regulatory capture is normal and
happens all the time. We should just point it out.

Watch the responses, see whether flagging what I think they will be in advance
is a useful thing or not.

Grandstanding from an anonymous account? Really?

------
Animats
There's a crackdown on scumbags running businesses without disclosing their
identity. Great! That's illegal in many jurisdictions, including the entire EU
and California. Finally, ICANN is doing its job.

If you put your real name, address, phone number, and email in your domain
registration, and keep it updated, there's no problem. I've had real contact
info on all my domains for two decades. I get maybe one phone call a year, two
or three email spams, and a letter or two.

Quit whining.

~~~
Beached
What person in their right mind would want their real name, and contact
information on a public facing database open to be queried by the entire
world? The fact that I have to pay extra money to have a company "Hide" my
data is ridiculous to start, I'm just shifting my trust from the entire world
to a company who will sell my data or use it for their own purposes.

~~~
thaumaturgy
Having your personal information publicly associated with your domain
registration is dangerous even if you're not running a controversial domain.
There's a scumbag company out there called the "Domain Registry of America"
that sends out fraudulent renewal notices to domain holders who have public
information in their domain registration.

If you happen to be a not-savvy domain holder, you get a letter that looks
like it's for a domain renewal, you fill it out and return it with a check,
and that gives DRA the authority to transfer your domain registration.

And getting it back away from them is an unpleasant process at best.

