Another problem is that since WHOIS data is public it's not effectively possible to run a website anonymously. I'd be okay with sharing contact info with limited parties (ICANN, registrar) but forcing people to share this info with the public is nuts. It makes running a website as an individual much more personally risky.
That left ICANN in a tricky situation. The registrar was pushing them this modified contact information, so they needed verification. Waiting until the next time the domain name is renewed is not a good option because that can be years down the road. That is especially true if this happened immediately after renewal. (The article was not clear whether the auto-renewal of the privacy service occurred during domain name renewal.) This opens up an opportunity to abuse the system.
Of course refusing to changed the DNS records until the updated contact information was verified is an option. It is probably a process error on ICANN's part, a process that is probably more a result of changes to policies than malice. Still, changing the policy does not change things all that much. In that case the registrar would have to take action because the privacy service was not renewed. They would probably end up doing the same thing as ICANN. If they didn't, the system would be ripe for abuse yet again.
As a customer I only want to interact with my registrar. Why do I even have to talk to ICANN? My registrar can then interact with ICANN if necessary.
(Note there is plenty to complain about how ICANN or the community functions.)
For a lot of reasons, it is nice to know who owns a domain and privacy is just an annoying detail. So it is long standing practice that WHOIS information has to be accurate. In theory, the ICANN community can change this. In practice I doubt you would get consensus on that.
That's rules you have to deal with and ICANN (the company) is tasked with enforcing those rules.
Knowing that ICANN enforces these rules, it doesn't make sense for a registry to make random changes to the WHOIS of a domain. If there should be any blame, if a registrar is violating community principles as a service, then be way more careful.
Or as a domain holder, if you want to violate community principles don't complain if that backfires.
Also, what the servers are doing isn't the domain's business. Traceroute the IP and bring it up with their ISP. Killing the domain isn't going to kill the availability of the content.
The situation is now this:
> what the servers are doing isn't the domain's business
> what the servers are doing isn't CloudFlare's business
The Anon-DNS provider doesn't feel responsible, CloudFlare doesn't feel responsible (while at the same time hosting the authoritative DNS). I can't even tell which jurisdiction these spammers operate from, so it's kind of impossible to do anything about it.
God I hate receiving these stupid "We are just a reverse proxy, we are not responsible" emails from CloudFlare. They most these clowns will do is forward my contact info to the ISP running the criminals' backend servers, which might very well be these same criminals.
Thanks for nothing CloudFlare.
Some people have legitimate reasons to not want to be found and the police aren't going to do much with that kind of harassment either.
Similarly, if there is legitimate evidence a "crime" was committed via the website they can seize the domain or the registrar can. "Anonymous DNS" information doesn't get you very far if there is a legitimate court case.
That's definitely true!
But let's say a crime has been or is being committed (and I am not sure why you're putting it in quotes) via a website who's contact information is available via WHOIS and which is served from a legitimate ISP.
The usual route to take is to contact the registrar and the ISP with the info that this-and-that is happening. Usually, after a short period of time the registrar or ISP will agree (or not!) that whatever is going on is not acceptable on their network, and then take appropriate action. That even works for privacy oriented ISPs in Island, where they are under not legal obligation to do anything.
This is what I've been doing for many years when I come across illegal content, spam, botnets, phishing, and so on.
Sometimes networks do not cooperate and then usually it possible to block their net ranges as a means to make them realize hosting botnets isn't maybe so great.
But with the combination of ButtFlare and certain Whois privacy hosters, this is not possible. ButtFlare is too large to just block, and ButtFlare just doesn't give any fucks. They aren't a beacon of light upholding freedom of speech on the internet, they are just too cheap to actually have anyone deal with these sort of reports seriously, so they, instead of reading what I report to them, report with the same canned response:
> We are just a proxy. We are responsible for nothing.
The absolute maximum they are willing to do, is forward my request to the upstream ISP, which for safety reasons is unacceptable.
So you see, I do understand the legitimate need to not be found.
I just think that if you run a service as your main business, then you are responsible for what your service is offering.
Ebay somehow manages to not be a marketplace for anonymous heroin deals, I'm holding CloudFlare to the same standard.
+1 for that alone. I've fond memories of the Cloud2Butt extension.
As do public companies.
(e.g. sharing Falun Gong material, or for a more controversial example Wikileaks)
If ICANN can seize a domain for a clerical error, they can seize one for a crime. If measured by the American standard of innocence first, then a 3rd party would make & prove their claim and the 3rd party would have the domain seized or defend themselves.
Also, I could beat the current system with a gmail account and a vanilla visa gift card.
What about this loaded question, which is also as absurd:
Shouldn't piracy claims and "alleged" victims of revenge-porn post and a continually update their contact info publicly online. Should you be able to hide behind anonymity(1).
1. There is a difference between anonymity, and non-public.
ICANN in my humble opinion has no blame in this, they are simply following the rules that they set out and OP agreed with when he registered the .com domain name. As stated in other comments keeping your WHOIS information is the sole responsibility you have when owning a domain name. That and timely renewing the domain of course.
In my somewhat limited experience the WHOISGUARD system is something that only causes problems. It's a pain to work with when transferring or trading a domain name and upon expiration can result to the exact situation that OP currently in. To add, I'm somewhat weary of a site that hides it's owner. The whois data can create a certain form of trust and serve as a verification to ascertain the owner of the site is who he claims to be. I'm not sure why you would want to hide this data.
A .com domain has the option to register the domain in the name of a corporation, thus removing the personal data of the owner (name and email) and only showing the name of the company, it's data and a administrative e-mail address in a minimal setup. As OP has; and I quote; "about a hundred domain names", I'm not sure why no company has been formed to solve this problem for all these domain-names.
I personally think that the WHOIS system is one of the best ways to solve the problem that domain name registration poses. It's accessible for anyone, anywhere, in plaintext and without the need for special software. It's actually pretty great.
That's a nice piece of dissonance they have and which you are rebroadcasting into the aggregate. I don't agree at all, and would point out all of us should be doing anything we can to figure out how to establish a decentralized governance for the Internet...for the world's unheard.
what happens when my site gets very popular and lucrative, and someone uses my whois info to rob me in my home?
the reason for this is that I am a non-Serbian citizen living in Serbia right now, where most people have monthly expenses of $300!! :)
I ask because I have a number of domains still registered to an old home address. I have never bothered to update them due to laziness and privacy concerns - but the domains keep working.
There has never been an attempt to verify the address.
You form a company around it and use the business address? Or use your domain registrar’s privacy guard if you can’t/won’t form a company.
If I then move it to a business address, that will prevent casual snoopers but you can buy access to historical whois records...
Thankfully (though not helpful in your case) the UK registry does allow “non trading individuals” to opt out of the public record. You can also change the registrant type from individual to company later.
Imagine I find your domain now and because I don't like what you wrote, I'm going to start contacting you on your private phone and start sending you mail at home. Would you still want to keep your real data on whois? Guess when I stopped.
Isn't paying a company to do this basically the same, and less hassle?
I'm not a particularly big fan of ICANN's process here either, the same thing has happened to me before and it was very annoying. But "I have lots of domains" and "who uses email anyway" are extremely poor excuses. Having lots of domains seems like about the most logical reason one should be on top of this sort of thing.
If you buy a car and park it directly in front of a fire hydrant and forget about it, then the government will seize your car until such time as you pay your fine, the towing fee and storage fee. If you register a domain in contravention to the agreed contract then ICANN will seize your domain until such time as you correct it (including the time it takes to confirm that you have complied). It really isn't that strange.
seizure and then negotiation is an unnecessary show of force in my opinion, unless the site was doing something criminal
What is unreasonable about requiring accurate and up-to-date contact information for the registrant?
Anyway as I stated originally, I am no fan of ICANN's process here, but currently it is what it is so the responsibility, particularly of superusers, is to understand and have systems in place for compliance. I simply do not buy the "too many domains" and "who uses email" excuses presented in the post.
"i have too many cars, so i shouldn't need to worry about if i park some of them in front of fire hydrants"
i would say that im struggling to understand a situation where the confiscation of a domain or a car is ever warranted, unless something criminal and clearly urgent (a fire, a drug running operation) needs to be stopped, rather than just as bureaucratic overreach to ensure payment and compliance
The process overall is not great, but ICANN's process didn't fail this customer. The customer needs to keep contact information up to date. If you own 100+ domains you should be very familiar and have your own process for managing this.
Its been this way since 2013.
The process to shut down a site is quite thorough in that many attempts at contact need to be made.
I'm a little surprised a phone call wasn't generated. By the time we've emailed you 3 times - we are making a phone call - we don't want to shut down a site if its at all avoidable.
This "24-48" hours stuff is nonsense - The suspension/un-suspension of a domain can be done almost immediately.
It remains to be seen but NameCheaps only potential issue here is whether they failed to renew the WHOIS privacy service.
I own a few domain names and they ask me to update this info one per year. I've never understood why they need it at all though. Why should they have my address/contact info and why should it be publicly available? I'm sure the answer is obvious but I can't figure it out.
Regarding Why - ICANN runs on a multi stakeholder model, meaning governments and legal entities get a seat at the table too.
They have an interest in knowing who is behind a domain - its that simple.
Also whois privacy is not the protection everyone thinks it is. Its a lock on a door. It keeps casual looks out - spammers, scammers, etc.
If a government or police organization wants that information and they have legitimate need to do so, they will get it.
Please take a moment to view the WHOIS listing for each of the domain names you currently have registered through us. Please verify your mailing address, email address, and the administrative and technical contacts assigned to each domain name are correct. If your WHOIS information has changed or is inaccurate please log into your account manager and update accordingly. If your WHOIS information is correct, you do not need to take any action.
(Edited to fix typo for RAA)
- the user has made some mistake about some auto-renew feature, so that it didn't work smooth and has fallen to the previous known state (=using his real information)
> For some reason, WhoisGuard wasn’t set to renew and it expired.
- because of that, he didn't notice he was receiving e-mails, since it was an e-mail address he hasn't used for years.
> Because I’ve been using WhoisGuard for years, I haven’t used the old email (...) that USED to be set as the contact BEFORE (...) This email wasn’t connected to this domain for 3 years. So when it switched back, I never got ANY of ICANN’s verification request emails.
- Well, his old e-mail probably got the e-mails. He just didn't check it because he didn't access the old e-mail. ICANN now verifies every change in the whois information by sending an e-mail (something that I regard as a safety measure, because, well, when you register, you must inform a way to be reached, and e-mail is a reasonable way to do it):
> The problem is (1) their emails look like SPAM and often end up in SPAM folders (2) who uses email these days anyway? (3) they often send them to old email addresses.
Or, in other words, my e-mail provider filters e-mails automatically (samp rules), who should use e-mail when e-mail is the official way to be contacted about your site (huh?) and ICANN send e-mails to the old address (which is the one he informed when he registered his site).
I'm not sure, perhaps I misunderstood something, but the problem seems to be caused:
- by the user: now using auto-renew, not updating the whois information, not checkin the e-mail regularly (or having some forwarding rule to the e-mail he uses today)
- by the WhoisGuard, if the auto-renew was disable by mistake of the site, not from the user
- by Gmail (?), by having spam rules (?)
And I don't know where it wa a ICANN error.
Sorry, but I don't see a real problem here. The user lost his site for few days, ok, but due to some mistakes he made.
In principle having whois records is fine and keeping them up to date is fine but because of bots and people who send spam to public addresses like that it doesn't make sense nowadays especially if you have multiple domain names for different businesses...
My only point is that ICANN specifies that you should have a contact. Almost every site that I know don't have public information anymore, all information is hidden behind some service like whoisguard.
In general it's a paid service. If don't pay/renew/etc, each one will have a procedure. In the case of whoisguard, it's to provide the information he had about the real owner. Good, that's what whoisguard did.
(side note: was the OP checking his e-mail about informations sent from whoisguard, since it was a very old e-mail? Did he missed something by not checking it?)
ICANN tried to confirm this change by sending e-mail to the e-mail they had. No luck.
Officially, whoisguard wasn't in the circuit anymore, I don't know if ICANN should have contact them, and given that whoisguard had exactly the same address that they provided to ICANN whois (that old e-mail), don't think it would have made difference.
Namecheap should have stepped in? Don't know. Perhaps, if they were diligent enough, they could know that whoisguard was expiring and be in contact with the OP. OTOH, they are separated companies, probably there wasn't any legal obligation in doing so, and I don't know if it suits their business model to be kind to their costumers.
ICANN should have contacted namecheap? Don't think so. They had an e-mail address. They contacted it, as I understood. The OP didn't check it because.... it was an old e-mail and "who uses e-mails anyway".
Yes, it had impact in one of his sites. Yes, nobody likes that. Yes, probably the OP is in anger right know, and might or might not read all these comments in a different mood in the future.
I read this thread as lessons learnt: if you depend on something for your business, like ICANN, I'd take some steps to be sure that a bad "configuration" (the miss of auto-renew) doesn't add up with another problem (having an old e-mail as a contact) and with another one (don't checking that e-mail, don't having a forward rule, don't trying to filter it out outside spams)... to have such a problem.
Even a kind of heartbeat if the site was alive or not seems to be important: weren't for some costumers complaining, how long would the site be out before the OP noticed?
Only if you take ICANN's procedures as a given. They could have adapted one of dozens more customer friendly ways of dealing with this, but they don't have to because they're ICANN and they can do this with impunity.
There's ways besides shutting down somebody's entire business. Which seems like a power move, if anything.
OP didn't say ICANN made an error, he says ICANN has a stupid and/or badly implemented policy.
> "This is an short story on how ICANN acts like mafia and has taken my site, Nomad List, hostage for 2 days now."
That implies malicious activity, or some other kind of wrongdoing like extortion or something like that.
A couple of times a year I'll get an email asking me if I'm interested in buying a domain like <mky name>.com for (the one that quoted a price) $1000.
Usually just ignore them.
I did so in 39 hours because I don't check that email account very often.
All my running instances were shut down in 2 weeks without additional warnings. Only emails I got from them were about 20$ coupons for referral. As support later explained, I did not meet 24 hours deadline.
(AWS haves me as customer last 4 years with 10's of thousands USD spent yearly and never asked for ID or credit card copies).
Owning a domain is not a right, it's a business relation. Treat it as such and know the what and how of it. If I don't pay the yearly fee on my car, they'll take the plates - should I make an angry blog post about they should "ask me nicely"? And hey, you can preorder my book btw...
Renewing a passport at my city hall used to take several visits, often with a long wait, during business hours. After enough people complained the procedure was mostly moved online, with optional Fedex delivery of the passport.
So, you see, these business relations are not set in stone, it's just that they were formulated for maximum convenience of ICANN, without consultation of domain owners...
No, where do you read this? I paid for my domain. NameCheap's WhoisGuard expired, contacts changed to old ones I didn't use from 3y ago. The domain was paid for. My "business relation" with ICANN was paid for.
> If I don't pay the yearly fee on my car, they'll take the plates.
No, I paid for the domain. They took it hostage because my 3-year old email wasn't confirmed. That's not about a business relation. That's bad "business" behavior.
We had one of our domains taken hostage because the whois information pointed to our support@ address, and the support staff thought it was spam.
What it's supposed to help, I don't know - because accurate registration information really doesn't seem to be a whole lot of help to anyone except perhaps ICANN themselves.
Anonymising services or not, nothing on WHOIS needs to work except the email address, and that can be a random gmail address, the only thing you ever need respond to is ICANNs email.
It certainly doesn't help in trying to identify or contact the real owner of domains.
Another gripe with ICANN is that they're zero help when trying to take down scamming/spamming domains. Adding to that, many registrars simply don't give a shit about what their customers are doing with the domains they register.
At work we own <ourcompanyname>.com and the local equivalents in pretty much every country.
Some scammer purchased <ourcompanyname>.<new-generic-tld> and used that in fake job ads (the 'We need a support person in <country> to process payments' etc type). The ads get taken down pretty quick (job boards are familiar with this) but not before enough people are emailing jobs@ the scammer's domain.
We only heard about this because a few people emailed us pissed about the scammy behaviour.
We contacted the hosting company, domain registrar (both the reseller and the actual registrar), and Donuts, all of whom either completely ignored us, or said fuck off talk to ICANN. Even having our lawyers send a C&D letter to all the various parties got us nowhere. (Hosted in Russia, registered to a fake address in NYC, etc).
ICANN won't touch it without us spending up to submit a dispute, which we did, but it takes them months to process and each domain costs something like USD$1500 to dispute. In the months while the scam was active, we got something like 100 people contacting us to report it, god knows how many actually fell for it.
While we're in the process of disputing that, the smartass registers a couple of new generic-tld domains and starts using those.
This is a stupid requirement anyway. The fact that whoisguard exists is testament to it.
If WhoisGuard expired, shouldn't they update the domain WHOIS data with his current contact details. I can't imagine levels not having up to date email address with his account.
So if I am correct, WhoisGuard expired, record reverted to original one. But domain is still registered via NameCheap. NameCheap should use levels current details. Not the one from 5y ago.
Why would you have those mails go to your inbox? Why not have something in your incoming mail filters that looks for them and moves them to a mailbox dedicated to domain admin mails? It's way easier to monitor that way, and harder to miss something in the noise.
Other than the click-baity headline and book plug at the end, I think it's spot on.
I reach out to my registrar who tells me it's a new ICANN policy and that I should have gotten an email...
Yep. End of story.
The entire overview of the decision is in the article. Essentially, one piece of how the Internet was managed was handed over from the U.S to ICANN. The reason is fairly straightforward; the federal gov did not feel the need to manage this thing for which there was no need for them to manage it.
Here is the email I got from the support:
Thank you for contacting Namecheap Support!
Please accept our sincere apology for any frustration this issue may have caused you. Let us just clarify the issue: WhoisGuard protects domain contacts 7 days after expiration. After that WhoisGuard is disabled and depending on TLD contact details may or may not be displayed. Therefore these details are not mentioned in the quoted message. We would like to assure you that we have forwarded your feedback regarding the issue to the corresponding department and they will consider implementing it as soon as possible.
The TLDs provided below usually have their contact details revealed in 7 days: .us.com ; .de.com ; .pw ; .website ; .press ; .host ; .online ; .space ; .io ; .co ; .me ; .info ; .biz ; .link ; .xyz ; .site ; .london ; .club ; .design ; .rent ; .college ; .tech ; .cn.com ; .eu.com ; .gb.com ; .gb.net ; .uk.com ; .uy.com ; .hu.com ; .no.com ; .qc.com ; .ru.com ; .sa.com ; .se.com ; .se.net ; .za.com ; .jpn.com ; .ae.org ; .kr.com ; .ar.com ; .us.org ; .com.de ; .wiki ; .fans ; .com.se ; .gr.com ; .jp.net ; .la ; .rest ; .bar ; .ink ; .co.com ; .love ; .br.com ; .uk.net ; .hu.net ; .in.net ; .mex.com ; .theatre ; .security ; .protection ; .cloud ; .top ; .us ; .bid ; .trade ; .webcam ; .men ; .black ; .pink ; .blue ; .red ; .kim ; .shiksha ; .lgbt ; .poker ; .pro ; .accountant ; .download ; .loan ; .racing ; .win ; .review ; .date ; .party ; .faith ; .cricket ; .science ; .mobi ; .voto ; .vote ; .green ; .mom ; .porn ; .adult ; .vegas ; .global ; .sex ; .irish ; .bz ; .vc ; .game ; .asia ; .stream ; .com.bz ; .net.bz ; .com.vc ; .net.vc ; .org.vc ; .krd ; .film ; .one ; .sydney ; .melbourne ; .study ; .audio ; .blackfriday ; .christmas ; .click ; .diet ; .flowers ; .gift ; .guitars ; .help ; .hiphop ; .hiv ; .hosting ; .juegos ; .lol ; .photo ; .pics ; .property ; .sexy ; .tattoo ; .xxx
As a possible work-around it is possible to have an active domain removed from your Namecheap account. So if you have any non-expired domains in the account and you do not wish to renew them, you can just contact us and we will remove them. As a result, your contact details will be substituted with the ones of Namecheap and they will be shown in Whois.
Should you have any questions please do not hesitate to contact us again.
Needless to say I won’t do business with any company that doesn’t take privacy of their customers seriously.
They don’t even warn you Whois Guard is about to expire.