Whois public database is in breach of GDPR, according to European authorities (theregister.co.uk)
545 points by chasontherobot 10 months ago | 310 comments

Note that since the issue is GDPR compliance, this should only be a problem for registrants who are natural persons. So if Whois data were only collected and published for corporations, there shouldn't be a problem.

I always felt uncomfortable having to submit my personal data, specifically: my address and phone number, and for it to be published like that (regarding domains where Whois protection services are not allowed). I can understand the motivation for this with regards to corporations and organizations, but what benefit is there with regards to natural persons?

Most of the whois hiding services cost money, so if I get this “service” for free now, I don’t have much sympathy with the whois guys.

If it’s about contacting people, they could make the abuse@ or webmaster@ address mandatory, then you can separate it from your normal email accounts, because the majority will be spam anyway.

Google Domains includes private registration - no additional cost. The service is simple with transparent (although not the best) pricing. Have a few domains there now. And yes, I'm aware that Google and privacy are strange bedfellows in the same sentence.

I second Google domains. For some domains it's worth the money, for others not so much. But still, you get really good DNS and a really nice + simple interface and the fact that I don't need to remember another pair of username/password makes it well worth it.

I've been hesitant to use Google for services like this after hearing about incidents where Google disabled everything associated with a Google account after detecting some violation of their ToS. I'd hate to lose my domain name because I, say, used the Maps API in some way that Google didn't appreciate. Google needs to be better at siloing their products before I'd consider using them for something that mission critical.

>after detecting some violation of their ToS.

And often it's not a violation, it's an alleged, unspecified, un-counterable data point hidden in Google's cloud with no way for the user to determine what it might have been.

But who knows who really owns the domain? Google Knows Who...

This is like saying that GoDaddy, Namecheap, or any of the countless number of other domain registrars own every domain registered with them. Performing a fraudulent transfer or DNS change would destroy their registry business and cause a PR nightmare.

Yeah the shenanigans are caused by rock bottom price market (similar to airfare shenanigans)

I moved everything to AWS DNS and am super happy about it. Domains are mission critical, I'll pay double without blinking to know that my stuff isn't gonna be held ransom over some contrived baloney

> to know that my stuff isn't gonna be held ransom over some contrived baloney

Like accidentally changing the name on a kindle to “baba”?


I'm currently using Google Domains for all of my domains... the really simple UX made the choice and lack of any in your face additional services was nice too.

Though, bulk editing would be nice, I'm about to move. :-( If anyone here works for google domains, it would be REALLY nice to be able to update all contact info on all domains at once.

I'm extremely surprised that they didn't offer some sort of API to it. I just spent the past 10 minutes looking to be sure, but that seems very unlike Google.

>> but that seems very unlike Google.

Not really. App Engine for example didn't have an admin API until recently (and it's still quite limited).

Google is probably the last I would give my personal details to; actually, I would rather give them to Facebook. Whois is bothering me exactly because of Google and similar companies.

Or offer an anonymiser service in place of your email, which just redirects to your actual email. Not everyone hosts email on their domain.

> If it’s about contacting people, they could make the abuse@ or webmaster@ address mandatory

What about domain owners like mysql who have no email attached to their domains? I only have two personal domains, but I have never had a need for an account to be associated with the domains, nor do I think I would ever check it.

Perhaps have those two account DNS lookups always go through the registrar who then forwards to your account email? Even that doesn't seem very fool proof, though.

AWS Route 53 domains also provides "private" whois for free included in the cost.

    .com are $12/year
    .net are $11/year
    .io are $39/year

I use Porkbun which has free privacy and the pricing is almost wholesale.

.io domains are cheaper on AWS Route53 domains than Porkbun.

$39/year AWS Route53 and $47.68/year on Porkbun.

There's no need for this. The SOA DNS record of every domain already includes an email contact (more by convention than requirement, I think?). It's mildly annoying because they have to replace the '@' with a '.' due to limitations in what can be in the field, but it's pretty easy to extract the correct information.
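To make the SOA convention concrete, here is an added example (not code from the original thread) that pulls the RNAME field out of a presentation-format SOA record and turns it back into a mailbox address. It also handles the RFC 1035 rule that a literal dot inside the local part is written as a backslash-escaped `\.`, which naive `replace('.', '@', 1)` code gets wrong. The records are constructed sample data, not real lookups. The caveat a practitioner should keep in mind: no resolver or registry checks that the RNAME mailbox exists, so it is frequently a placeholder such as hostmaster@ rather than a monitored address.

```python
# Added example: recover the responsible-person mailbox from an SOA record.
# RFC 1035 encodes a mailbox as a domain name: the first label is the local
# part, the remaining labels are the mail domain, and a literal dot inside
# the local part is escaped as "\.". The records below are constructed
# sample data, not real DNS lookups.

SAMPLE_SOA_RECORDS = [
    "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
    "2018051801 7200 3600 1209600 3600",
    # local part "john.doe" must be written john\.doe in a zone file
    "example.org. 3600 IN SOA ns1.example.org. john\\.doe.example.org. "
    "2018051801 7200 3600 1209600 3600",
]


def split_labels(name):
    """Split a domain name into labels, honouring backslash-escaped characters."""
    labels, current, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            current.append(name[i + 1])  # escaped char is literal, not a separator
            i += 2
            continue
        if ch == ".":
            labels.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if current:  # name had no trailing root dot: flush the last label
        labels.append("".join(current))
    return labels


def rname_to_email(rname):
    """Convert an SOA RNAME (mailbox encoded as a domain name) to user@domain."""
    labels = split_labels(rname)
    if len(labels) < 2:
        raise ValueError("RNAME needs a local part and a domain: %r" % rname)
    return labels[0] + "@" + ".".join(labels[1:])


def soa_contact(record):
    """Extract and convert the RNAME from a presentation-format SOA RR.

    Field order is: owner [ttl] [class] SOA mname rname serial refresh retry
    expire minimum. We locate the SOA keyword so that an omitted ttl or
    class does not shift the index.
    """
    fields = record.split()
    if "SOA" not in fields:
        raise ValueError("not an SOA record: %r" % record)
    rname = fields[fields.index("SOA") + 2]
    return rname_to_email(rname)


if __name__ == "__main__":
    for rr in SAMPLE_SOA_RECORDS:
        print(rr.split()[0], "->", soa_contact(rr))
```

Feeding `dig +noall +answer example.com SOA` output into `soa_contact` is the practical use; the escaped-dot branch is what keeps a zone-file value like `john\.doe.example.org.` from being mangled into `john@doe.example.org`.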

>Most of the whois hiding services cost money

Where? I never paid a dime

It's probably a question of whether the privacy features are separately charged or are bundled in a standard plan that's a bit higher priced than "bare" registration.

Since control panels, reputation, policies and other services like DNS are also things that can be bundled together, it's going to be difficult to say whether or how much you're paying for just the privacy component.

123reg charge for whois privacy too, as do a bunch of other registrars.

Always felt like mild extortion.

Please do share the registrar that blocks all whois data for free!

I've used Hover.com (owned by Tucows) for several years. In my opinion they are the anti-Godaddy. The things that should be free are and the extras are presented as just that. No trickery or beating you over the head with up-sales.

Are they really free though if the price is higher than alternatives? Also the renewal costs look like they're mostly regcost + $2 for some reason

The higher renewal charge is odd, I hadn't noticed that before. It's nothing like most of the TLDs, but it is nearly half of what they list [1] as trending.

That aside, I'm still glad to pay a little more for the overall better service. If they were charging anything like the old Network Solutions prices, that'd be a different matter.

[1] https://www.hover.com/domain-pricing

Yeah, in all honesty a couple extra $ wouldn't put me off using them; I was more wondering if there was a decent reason behind it. Having said that, I'm paying almost $20/year less for my .io domains at Namecheap, that one's a bit of a steep difference.

Once a domain is registered all they need to do really is process auto-renew payments, notify me if my card was declined for any reason, and make sure it's kept registered at the registry.

Unfortunately in any case though I've stopped at the gate, they don't appear to have an API

Whois privacy included in the price is still much better than having to remember to buy and renew the service per domain.

Any registrar making money on whois privacy has an option and motive to autorenew the privacy with the domain. If anything Namecheap bugs me with it because I don't want whois privacy on my domains!

If you don't want it, then you can use pretty much every other registrar that doesn't build it in.

But an issue with whois privacy is that if you ever don't have it for a period (like you forget to renew/autorenew), then it's now saved in a number of DNS/whois history services.

Those services are probably also in breach of GDPR. :-)

namesilo [1] provides free whois privacy on domain name purchases. Classic interface, but very cheap. :)

[1] https://www.namesilo.com

I love namesilo, and I find the interface refreshing/charming. The price is right, too!

As an aside, .us addresses cannot be registered anywhere with privacy controls enabled.

It doesn't seem that .us addresses would be subject to GDPR? One could see .com as an edge case, even though really Europeans should just appreciate the fact we let them on our internet b^), but .us is not in doubt.

True for .us. However: there is currently (as far as I understand) no way to hide whois data for .de (German) domains. So that might get interesting.

I think it depends on TLD. My country TLD whois just lists registrant info as 'data restricted' unless it is explicitly requested to be public.

I registered my domain on Namecheap and I got WhoisGuard at no additional cost, maybe it's only for the first year though? I made sure it was actually no additional cost by removing it to see the total and it was still the same price, $11/year. I say "no additional cost" but it might actually be more like "bundled cost."

Namecheap is free for first year but you have to pay for any additional years.

Thanks for the info.

Ah, yes, it's documented:


>When you register an eligible new domain name or transfer an existing eligible domain into Namecheap, you'll receive the first year of WhoisGuard privacy protection absolutely FREE.


Free protection, no upsells, $19/yr for 1 yr of .com $13/yr for 5 years. TOTP 2FA as well. Never had a problem for the 15 years I've been with them.

Glorious porkbun.com


They run their own TLDs .design, .ink and .wiki [1], so these guys really know their stuff. Support is not 24/7, just usual office hours, but those who pick up your phone/email REALLY know what they are talking about. Plus really cheap domains; they mentioned somewhere that they are aiming for a $1 mark-up on all TLDs.

[1]: http://toplevel.design/

Me three. I own a few .ninja domains there. I didn't even notice they gave you free privacy until after having bought there. Every question I had was promptly answered in a few hours as well.


Doesn't hide your name.


Other services do.

.ca domains don't need to be protected - they get it for free. I only need to sign up for the extra protection when I register domains on other TLDs.

google domains

OVH but they do not hide the name, just all other data


Gandi user here. After I read your comment I tried to enable this but it doesn't work.

When I change whois privacy to enabled and press save it just says "Unable to update the contact."

This happens both with my .com and my .net domain.

Weird; I have active domains where it's working. Given it requires a contact info update, could be an unrelated bug. I'd definitely file a ticket.

njal.la (and they host DNS as well!) - operated by ex-piratebay dudes

There’s a UDRP precedent saying that using njal.la as your registrar constitutes bad faith.


Given that precedent matters a lot in UDRP cases, I’m not sure that njal.la is a realistic option.


name.com charges extra for "whois protection." The e-mails I have registered for various contacts are pretty much spam buckets. You pretty much need a separate VoIP account to handle all the scam calls/voicemail too.

I get some calls/e-mails so quickly I wonder if they have some kind of live stream setup for registrations on some TLDs.


At least in Canada, this is absolutely not true. https://ca.godaddy.com/domainaddon/private-registration.aspx

Sorry, I thought you were replying to the "where it's free" parent, not the "where it's not free" parent. Please ignore what I wrote earlier.

To have IP lawyers go after you. Of course there are no benefits and only downsides for natural persons.

I have little sympathy for ICANN with this. Malevolent persons can always go to registrars which do not publish personal information and even accept anonymous registration. The current policy harms only lawful citizens.

The whois record was highly annoying and I was getting spam at the given email address (which was never posted anywhere else). I don't care what ICANN thinks about whois; it is annoying and it is great if it will go away.

The spam won't go away. Once your address is out there it will stay out there (unless you change your email address).

Those email lists only tend to get longer, never shorter, I still see spam sent to addresses I haven't used in years (and backlink spam requests for websites that haven't been alive since the 90's!).

I will just kill the email address. Due to the tracking on the internet I am using a customized email address for each site where I register (for example sha1(news.ycombinator.com-secret)@mydomain.com), while my personal address is never used on any website, so my antispam quest is quite simple :) You send spam, you are redirected to /dev/null

As a side effect, I know when my address is sold to anyone and by which site. I am already sharpening my papers; after 25 May, every website that gives away my address is going to get a serious papercut.
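As an added example (not the commenter's own code), here is one way to implement the per-site alias scheme described above so that the "which site leaked it" question is answered mechanically rather than by eye. It goes slightly beyond the comment: in place of a bare sha1(site + secret) it uses a keyed HMAC-SHA256, the standard construction for a secret-dependent tag, and it adds a burn list so an alias that has already been sold on can be dropped without touching the others. The secret, domain, site list and inbound messages are all constructed placeholders.

```python
# Added example: per-site e-mail aliases derived from a secret, plus the
# catch-all routing that maps an alias back to the site it was given to.
# SECRET, MY_DOMAIN, KNOWN_SITES, BURNED_SITES and SAMPLE_MESSAGES are
# constructed placeholders, not the commenter's real setup.
import hmac
import hashlib

SECRET = b"replace-with-32-random-bytes-from-os.urandom"  # placeholder
MY_DOMAIN = "mydomain.example"                             # placeholder
KNOWN_SITES = ["news.ycombinator.com", "shop.example", "forum.example"]
BURNED_SITES = {"forum.example"}  # aliases already sold on: route to /dev/null


def normalise_site(site):
    """Canonical form so 'Shop.Example' and 'shop.example' yield one alias."""
    return site.strip().lower().rstrip(".")


def alias_for(site, secret=SECRET, domain=MY_DOMAIN, tag_len=20):
    """Derive the alias handed out to one site: a truncated HMAC-SHA256 tag."""
    tag = hmac.new(secret, normalise_site(site).encode(), hashlib.sha256).hexdigest()
    return "%s@%s" % (tag[:tag_len], domain)


def site_for_alias(address, sites=KNOWN_SITES, secret=SECRET, domain=MY_DOMAIN):
    """Invert alias_for over the list of sites we actually registered with.

    A keyed tag cannot be inverted directly, so the tag is recomputed per
    known site. Returns the site name, or None if the address is not ours.
    """
    local, sep, addr_domain = address.strip().lower().rpartition("@")
    if not sep or addr_domain != domain:
        return None
    for site in sites:
        expected = alias_for(site, secret, domain).split("@")[0]
        if hmac.compare_digest(expected, local):
            return normalise_site(site)
    return None


def route(message, burned=BURNED_SITES):
    """Decide what the catch-all mailbox does with one inbound message.

    message is a dict with at least 'to' and 'from'. Routing is keyed on the
    alias alone: sender addresses are trivially spoofed, so 'from' is only
    evidence of who is now mailing an alias, never the routing key.
    """
    site = site_for_alias(message["to"])
    if site is None:
        return {"action": "drop", "site": None, "reason": "unknown alias"}
    if site in burned:
        return {"action": "drop", "site": site, "reason": "alias burned"}
    return {"action": "deliver", "site": site, "reason": "alias issued to " + site}


# Constructed inbound messages for a demonstration run.
SAMPLE_MESSAGES = [
    {"from": "noreply@ycombinator.com", "to": alias_for("news.ycombinator.com")},
    {"from": "deals@unrelated-marketing.example", "to": alias_for("shop.example")},
    {"from": "deals@unrelated-marketing.example", "to": alias_for("forum.example")},
    {"from": "anyone@anywhere.example", "to": "guessed-name@" + MY_DOMAIN},
]


def demo(messages=SAMPLE_MESSAGES):
    """Route each sample message; returns the list of decisions."""
    return [route(m) for m in messages]


if __name__ == "__main__":
    for m, decision in zip(SAMPLE_MESSAGES, demo()):
        print(m["from"], "->", m["to"], ":", decision)
```

The second sample message is the interesting one: it is delivered, but `route` reports that the alias was issued to shop.example while the sender is an unrelated marketing domain, which is exactly the evidence the commenter wants to collect. Once a site is added to the burn list its alias goes to /dev/null without regenerating anything else, and an attacker who guesses at names on the domain (the fourth message) never reaches a valid alias because the tag is derived from a secret they do not have.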

How can you prove a data controller gave away your information and that you didn’t falsely do it yourself?

The burden of proving the provenance of the data lies with the data controller. Unless the data controller wants to pay a high fine, he has to prove where he got the data, and how/when/where the data owner agreed that the data controller was allowed to use the data.

Have you read the GDPR?

Can you please post a blog guide on administering these paper-cuts.

One of the few practical uses of WHOIS data is basically so ICANN have an address on file for when someone wants to dispute your ownership of a domain on trademark grounds. Anyone who registers a gTLD is forced to submit to their private dispute resolution process (UDRP) as part of their agreement with their registrar. There’s literally no way to opt out unless you don’t want a gTLD, thanks to ICANN’s total control.

There's also (very bad) precedent in the UDRP for using out of date or inaccurate WHOIS information as evidence of Registration/Use in bad faith. There's even been cases where a UDRP panelist has argued using WHOIS privacy services was prima facie evidence of bad faith, which beggars belief.


"This Panel member is persuaded there is bad faith registration and use because of several factors. The first factor is using a privacy service in a commercial context raises a rebuttable presumption of bad faith. Respondent has done nothing to rebut that presumption. Respondent does not need to conceal its identity from the marketplace to be a domain name reseller. Respondent offers no explanation as to why Respondent concealed its identity (and conceals it to this very day). Only people with an intent to deceive conceal their identity, which is the very definition of bad faith. Since Respondent did this at the time of registration and through the present day, there was bad faith registration and use of the domain name."

Thankfully other panel members dissented, but the UDRP has a long history of questionable reasoning and decision making, and bizarre WHOIS issues are not unheard of.

But in Germany by law all websites must publish information about the publisher, including their name and address, telephone number or e-mail address, trade registry number, VAT number, and other information depending on the type of company.

All this seems fine according to EU law, so I am not sure why DNS registration is any different.

Commercial sites, not all sites. My private homepage doesn't need it, since I don't have ads and don't advertise my own products or services on it.

There are a lot of uncertainties in this area. For example, if you provide journalistic content on your website (e.g. regular blog postings, even for free), then this could be interpreted as an opinion-forming activity, which in turn requires an imprint.

(Source [German]: https://www.e-recht24.de/artikel/datenschutz/209.html )

The Bundesministerium der Justiz und für Verbraucherschutz seems to give a similar opinion:


I'm reading from the English translation here, but it suggests that "businesslike" also includes something that is ongoing / sustained. So if your personal blog is posted every Tuesday, it could be said that is "businesslike" (geschäftsmäßig). They also specify that profit is not a requirement.

The "I have a blog and now I need an imprint" faction is essentially FUD.

Geschäftsmäßig doesn't require Gewinnerzielungsabsicht (intent to make a profit), but does actually require an intent to make business, in whatever form, but not necessarily on the site itself. For example, a business owner having a very simple website just stating what his business does will require an imprint on that site, because obviously the intent of the website is to inform about his business. If, on the other hand, you have a blog with no ads about your kittens then you don't need an imprint.

Just because something is an unbestimmter Rechtsbegriff (non-exhaustively defined law term) doesn't mean you can just go ahead and act as if it means anything you like.

I've given you an upvote, as that does seem to make sense.

But to confirm, the particular quote from the BMJV that I was going by on that page is this one, does it match with your understanding? (My German comprehension isn't great.)

"Die Anbieterkennzeichnungspflicht muss praktisch von jedem, der ein Online-Angebot bereithält, erfüllt werden. Etwas anderes gilt nur bei Angeboten, die ausschließlich privaten oder familiären Zwecken dienen und die keine Auswirkung auf den Markt haben. Im Zweifel sollten Sie davon ausgehen, dass die Anbieterkennzeichnungspflicht besteht." (In English: "The obligation to identify the provider must in practice be met by everyone who offers something online. The only exception is for offerings that serve exclusively private or family purposes and have no effect on the market. When in doubt, you should assume that the obligation applies.")

The first sentence seemed to say that "in practice everyone offering something online must comply", and I took "privaten" in the second sentence to imply private as in "password protected / not publicly accessible". But as someone learning German I've probably interpreted those too narrowly, and I'd love to be corrected on the nuance!

> die ausschließlich privaten oder familiären Zwecken dienen und die keine Auswirkung auf den Markt haben

which exclusively cater to private/family needs/affairs and [thus] have no impact on the markets.

> I took "privaten" in the second sentence to imply private as in "password protected / not publicly accessible".

No, privaten Zwecken here refers to personal affairs.

Holy wow, that seems draconian! Is it solely so they can find you and prosecute you for your opinions? (serious question)

That has nothing to do with opinions but being able to contact someone if laws are broken etc.

Playing devil's advocate, it can be argued in some cases that even if your private homepage met that criteria, its purposes could be to advertise/establish/further your personal "brand" thus is for business purposes. For example, if you blogged about technical topics that could benefit your employment opportunities in the technical fields and get you speaking engagements. There's examples of people who have built careers solely from personal blogs/homepages.

Domain != website

Because you publish yourself, you can change it yourself, and you can take it down again yourself.

And as a reminder, the German rule only applies to commercial sites — a site with no ads and no way to pay such as quasseldroid.info does not need an Imprint.

> And as a reminder, the German rule only applies to commercial sites — a site with no ads and no way to pay such as quasseldroid.info does not need an Imprint.

I wouldn't be too sure. There is, unfortunately, a lot of room for interpretation with this law. Rather cautious advisers urge you to have one as long as your website isn't private in the sense that it can't be accessed by the public (i.e. a website for family members that can only be accessed with a password).

This law (IANAL) is just horrible.

How is it horrible?

The law just requires a way to contact a person within a few days, and a way to get at the person behind a site in order to sue them.

The alternative is sites that you can't do anything against if they act illegally against you, e.g. through libel and slander.

I agree that you should be able to get in contact with the website owner. However, I believe it'd be better if a person had to at least query denic to get your address. That's easy enough if you have to resolve a serious matter and the website owner is also a bit more protected against abuse of their data.

To get whois info for .de you already have to solve a captcha and write a paragraph about who you are and why you need it.

Email address is enough for that.

An email address is not a vorladungsfähige Adresse (an address at which legal process can be served). You can't sue that, you can't send a Gerichtsvollzieher (bailiff) to it, and you can't seize the owner's assets with it.

If I want to send an Abmahnung (cease-and-desist letter) to a website owner, because they publicly defame me — as has happened before — then I need something stronger than an email address. Or I need to invoke the right to be forgotten, but I don't want to do so, I prefer having a way to eliminate the source.

You are talking about an Impressum. No need for that info in the whois.

The topic was Impressum. The user starting this subthread complained about Impressum.

Unless you provide journalistic content. Then you could be required to have an imprint as well.

I was always wondering if they overturn this at some point. I don't know of any other country requiring it and I doubt that it helps taking down illicit content. If anything, it helps consultants for offshore companies.

I hate this law with a passion. It doesn't seem proportionate to me at all. The main beneficiaries are folks who want to sell addresses in bulk and dodgy lawyers ("Abmahnanwälte").

I'd be fine with depositing my personal data somewhere so that people with legitimate concerns can contact me, but it should require some effort so that the function can't be abused.

And the ridiculous thing is that European* law mandates that you have an "impressum" on all but the most basic sites. You can hide your personal address in the WHOIS info by putting a neutral third party. The registry I use, inwx.de, offers this service for a few euros. But you cannot (easily) hide your identity in the impressum - you might be able to use a shell company or find a natural person willing to put their name there, but it is much harder.

How can they claim "data protection" in one case and make it mandatory to put your name and phone number there in another?

It makes me very uncomfortable to host a website, when I know I will get spam, unwanted telephone calls, maybe even unwanted visits at my home, etc. And it deters me from posting something even a bit controversial on my own domain - this is probably an intended side-effect of the "impressum" policy.

(* well, German law, but there is likely something similar in other countries)

If I'm not mistaken, businesses are EU-wide required to have contact data on their pages. And German courts tend to use a very wide definition of commerce – the best compromise is probably to keep commerce and private opinion on strictly separated domains, even if that means no advertising income from the private page.

"contact data" is already a pretty nebulous term. If my experience with European business websites is anything to go by, this is not the sort of requirement that the GP is talking about.

I said "contact data" as shorthand for the specific requirements, since I would have to look them up. And yes, the "Impressumpflicht" the parent talks about is exactly that, in a very strict form.

EDIT: To elaborate, the EU e-commerce directive from 2000 requires all member states to have laws that require commercial sites to have at least name of the entity, physical mailing address, business registration IDs if applicable, e-mail and VAT ID published. Since it's only a directive, the details vary from country to country. E.g. France requires also listing a phone number and an actual person responsible for site content.

I'm not talking about the German laws. Germany is not the right example for how the EU works because in cases like this they are almost always much, much stricter than everyone else. The requirements you noted for a business in the more general case (EU-wide, in other words) are much more lax.

No, this is a DACH thing and certainly not a Europe-wide thing: https://en.wikipedia.org/wiki/Impressum

It is for electoral publications in the UK: you MUST include the publisher and the electoral agent.

> (* well, German law, but there is likely something similar in other countries)

Why do you leave a lie at the top of your comment with an asterisk to clarify it's a lie at the bottom? It's NOT a European law. If other countries have similar laws, it's still not a European law. Please remove the lie.

People can make mistakes without "lying", and it's perfectly fine to correct a mistake by adding a note at the bottom. Indeed it's arguably more helpful that way, since a new reader will better be able to understand the context of the replies.

To bombard someone with the word "lie" crosses into incivility (rather aggressively, as I read it), and also breaks the site guidelines by not giving the benefit of the doubt. Could you please not treat others like this here? Instead, assume good faith, as the guidelines ask.


I respectfully disagree. In cases like this, if the user made an honest mistake and then issues a correction, it should be in line, at the same level as the mistake - otherwise, it's exactly like when a newspaper spreads a false accusation on the first page, and then a retraction on page 7. What sticks in the mind of the casual reader is the first untruth, not the truth that follows.

By the way, even the correction below is an untruth, because only a few other EU countries have similar laws.

Edit: you both are right

In this context, indeed it isn't. It would be just as wrong to write "US law mandates..." when the law in question is in fact only Texas state law. I.e. "European law" != "a law somewhere in Europe".

I'm saying that writing "European law mandates that you have an "impressum"" is a lie.

nabc45 10 months ago [flagged]

>(* well, German law, but there is likely something similar in other countries)

Nah there is not. Don't lie.

This breaks the site guidelines. Please assume good faith in others when posting here.


> what benefit is there with regards to natural persons?

  [ tries to visit ckastner.com ]
  [ the website is down ]
  [ looks up Whois record for ckastner.com ]
  [ picks up phone, dials number ]
  "Hello, yes, Christian Kastner? Your website is down. Just thought you should know."
That, and for the abuse address, and for dealing with technical issues between different sites, etc. You can use a Whois-hiding service to make it private yet still get the communications.

> "Hello, yes, Christian Kastner? Your website is down. Just thought you should know."

This is a perfect example for one of a positive effects of the GDPR afforded to natural persons.

I haven't been associated with that domain for 15 years or so. Why is someone still maintaining my personal data, some of it now wrong/obsolete, in a public database?

Edit: Just to be clear, I don't see a problem with the parent having posted this information here, as the parent just reposted this from another public source. The problem here is clearly the other source.

Realistic version:

• tries to visit ckastner.com

• the website is down

• retrieve the information from an archived snapshot instead https://addons.mozilla.org/firefox/addon/resurrect-pages-isu...

• Christian Kastner was already notified by email from his automated monitoring that the website is down

And his phone number changed 3 times in the meantime so instead you'll be waking up Nina Sonnenschein at 3 am.

Not very realistic for a lot of personal websites. Sure, newfangled ones that leverage pipelines similar to those of web applications, absolutely. But a large fraction of the Web is still a bunch of PHP scripts cobbled together on some outdated hosting service, or equivalent.

Not everyone with a website is a web developer, or paid a knowledgeable and modern web developer to make the website.

It's also not realistic to expect people to want some rando to be able to call them about their website.

Is it? I always name my personal belongings (umbrellas et al) so if I forget them somewhere public and whoever finds it is a kind soul, they can return it to me.

Of course nobody _else_ should be forced on sharing details just for this kind of occasional utility, I'm not claiming that.

Am I supposed to make the assumption for you that because you put your name on your lunchbox, you prefer to make available your name, phone number, and address on your website whois?

Honestly, I think you should take social engineering more seriously if you think the benefits outweigh the costs.

Like someone removing their front door because it might encourage someone to drop by for some stimulating conversation.

For example, the author of the "Amazon Backdoor" post a while back suspected that the attacker got their address from a whois of one of their domains.

If his website was down, his email could be down too, if on the same downed server. I suppose an automated monitoring system could phone him though.

For those that weren't around in the 90s, this is exactly what happened. These down votes reflect a perception of the present without a context for the past. The Web was a _very_ different place 25 years ago.

>These down votes reflect a perception of the present without a context for the past

I think rather the comments in support of an open Whois are looking at the past with overwhelming nostalgia instead of objective reality.

To your own point, the Web is a very different place now. But Whois is still the same, reflecting a reality that no longer exists. It's time for a change.

I don't think that comment was supporting open whois, just giving a historical context.

There were still bad actors of course. But the tipping point hadn’t been reached where they materially spoilt it for the rest of us. In those days you might get one spam/phishing/whatever email a week and you’d complain to the SA of the originating site and get a personal email back that they’d dealt with it. Nowadays of course it is a river of sewage.

That sounds like a fantastic reason for whois to be non-public. Perhaps it just receives email and isn't running a web server - why would Christian Kastner want phone calls every day from someone "helpful" on the internet?

The ICANN proposal preserves a way to contact the owner (via e-mail), so that's not impacted.

If your website is down, your mail relay may be down, making e-mail unavailable. The phone is also a much better way to contact someone immediately, which you might want when your website is down.

If you rely on your visitors to phone you when your website is down you are doing something very wrong.

Once I worked for a company where part of the website had been compromised by an attacker, and was being used to host some malware. We only found out when a random visitor found it, then looked through the site and found a random support address (which was supposed to be internal-only), and sent us an e-mail to tell us about it, which luckily generated a ticket which we eventually reviewed.

We would have preferred someone called us immediately, in case we didn't see the ticket immediately. But we didn't have a security hotline publicly listed.

Putting a phone number in a big public directory of phone numbers for when e-mail doesn't work isn't a bad idea, regardless of what anyone (including the EU) says. We've had phone books forever. This is just a phone book for domains.

Well, that's a case for how it should be opt-in, though.


"My website is so critical that I want random people to be able to call me about it" is an oxymoron I don't think anybody has ever said.

Whois info should be available for all businesses under EU law, under the European Directive on Electronic Commerce. In the EU, privacy is only for individuals. If you're in business, the commercial rules apply:[1]

Member States shall ensure that the service provider shall render easily, directly and permanently accessible to the recipients of the service and competent authorities, at least the following information: (a) the name of the service provider, (b) the geographic address at which the service provider is established, (c) the details of the service provider, including his electronic mail address, which allow him to be contacted rapidly and communicated with in a direct and effective manner.

A "service provider" is basically anyone with a commercial web site. See (17) and (18) in [1] for the detailed definition.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

One's address is a matter of public record anyway, so I'm not too concerned about my address appearing in a WHOIS. Phone number, at worst you get some spam calls, but I don't answer numbers I don't recognize so it's of low concern.

Why do people always over-personalize issues like this. It isn't about you. (It doesn't affect me either, but likewise it isn't about me.)

In many countries, one's address is in fact not a matter of public record. For example, in China.

Wait, I thought everyone lived in the US?

Lowering the bar of getting your name + address + phone number just lowers the bar for social engineering.

It does you zero favors.

> One's address is a matter of public record anyway

Can you clarify what jurisdiction you mean? In the United States, this isn't true - there are certain (admittedly common) things that generate public records with your address, such as buying a house or (in some areas) registering to vote. (In other areas, voter registration databases are technically not public, but volunteers on any political campaign have access.)

However, if you're not registered to vote and you're renting an apartment, there isn't any real reason why your address would be a public record.

Personal addresses are not public record in the UK for the vast majority of people, and neither are phone numbers

You don't have phone directories?

In Germany you can choose to not be listed in those, I assume it's the same in the UK.

You can opt out and many people do (ex-directory)

You mean, in the US you can't opt out of them?

When everyone had landlines, I believe you could get an unlisted number for a fee. Very few did AFAIK.

There is no white pages for cellphones but I still get junk calls anyway.

A majority of people are on the open electoral register.

Is that publicly searchable and re-indexed by third parties in other countries?

It's not publicly searchable, but third parties can just buy a copy. https://ico.org.uk/for-the-public/electoral-register/

So that's not the same thing then is it?

What about company officer data that is personal information?

So nefarious entities would just have an employee or owner register the domains personally.

"Corporations are people, my friend."

A little-known fact: WHOIS is extensively relied on by spam fighters like Spamhaus to do their good work, which collectively saves all of us from an enormous tidal wave of spam that would otherwise consume vast resources. Internally, the anti-spam and more generally the anti-abuse community builds a huge and mostly real-time cross-referenced database of information about domains and IP addresses. This database would be impossible to build without WHOIS.

For example, if one domain shares the same contact email address as another, then the domains are related somehow. Doing some data mining on a variety of signals which are apparent in the WHOIS records can help to cluster related domains to help anti-abuse researchers find newly problematic domains by following the trail through WHOIS.

I'm not sure how researchers will do their job effectively without WHOIS. This development is truly a disaster for anti-abuse.
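The domain-linking the comment above describes, as an added example that is not part of the thread: a Python script that clusters constructed, fictional WHOIS records through shared contact e-mail and phone values with union-find, and shows why a privacy service's shared proxy address must be excluded from the linking signals.

```python
"""Cluster domains through shared WHOIS registration signals.

Added example, not code from the thread: anti-abuse researchers link
domains that share a contact e-mail or other WHOIS fields. Union-find
over those fields does exactly that. All records below are constructed
and every domain, address and number is fictional.
"""
from collections import defaultdict

# Constructed sample WHOIS records (fictional values).
WHOIS_RECORDS = [
    {"domain": "spam-a.example", "email": "promo@bulkmail.example", "phone": "+1.5550100"},
    {"domain": "spam-b.example", "email": "Promo@bulkmail.example", "phone": "+1.5550199"},
    {"domain": "spam-c.example", "email": "other@bulkmail.example", "phone": "+1.5550199"},
    {"domain": "shop.example", "email": "privacy@whoisguard.example", "phone": "+1.5550300"},
    {"domain": "blog.example", "email": "privacy@whoisguard.example", "phone": "+1.5550400"},
    {"domain": "legit.example", "email": "admin@legit.example", "phone": "+1.5550500"},
]

# Fields whose equal values link two domains. Nameservers are deliberately
# not included: a shared hosting provider's NS would merge unrelated customers.
LINK_FIELDS = ("email", "phone")

# Values shared by many unrelated registrants, such as a WHOIS privacy
# service's proxy address. Linking on them produces false clusters.
PRIVACY_SERVICE_ADDRESSES = frozenset({"privacy@whoisguard.example"})


class UnionFind:
    """Disjoint-set forest keyed by domain name."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(records, link_fields=LINK_FIELDS, ignore=frozenset()):
    """Group domains sharing any normalised value in link_fields.

    Returns clusters as sorted lists, largest cluster first.
    """
    uf = UnionFind()
    first_seen = {}  # (field, value) -> first domain carrying that value
    for rec in records:
        uf.find(rec["domain"])  # register even isolated domains
        for field in link_fields:
            values = rec.get(field)
            if values is None:
                continue
            if isinstance(values, str):
                values = [values]
            for value in values:
                value = value.strip().lower()  # case-insensitive matching
                if not value or value in ignore:
                    continue
                key = (field, value)
                if key in first_seen:
                    uf.union(first_seen[key], rec["domain"])
                else:
                    first_seen[key] = rec["domain"]
    groups = defaultdict(set)
    for rec in records:
        groups[uf.find(rec["domain"])].add(rec["domain"])
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


def expand_from_seed(records, seed, **kwargs):
    """Return every domain linked to a known-bad seed domain."""
    for group in cluster_domains(records, **kwargs):
        if seed in group:
            return group
    return [seed]


if __name__ == "__main__":
    for group in cluster_domains(WHOIS_RECORDS, ignore=PRIVACY_SERVICE_ADDRESSES):
        print(group)
    print("naive run, privacy address not ignored:")
    print(cluster_domains(WHOIS_RECORDS))
```

The naive run merges two unrelated domains that merely share the same privacy-service address, which is the kind of false link a real pipeline has to filter out.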

Never mind the WHOIS, those other anti-spam databases may be GDPR-violating, as well. Did that spammer affirmatively opt-in to having his origin addresses/domains/IPs and response phone-numbers/etc tracked in your anti-spam data? Probably not!

That doesn't seem to be personal information.

I believe IP addresses are considered "PII" under GDPR, since they can be used to identify an individual.



"PII" only seems to exist in US law, GDPR has "personal data".

I am far from an expert on GDPR, but it doesn't seem to be so clear cut. Even if IP addresses in this context are considered personal data, there may be "legitimate interest" in processing them for blacklists, e.g. https://gdpr-info.eu/recitals/no-49/ could apply. I am confident a workable solution for spam blacklists will be found.

I have the impression that a lot of the fear around GDPR is unfounded if one uses a reasonable and restrictive approach of processing and storing personal data.

Yes, IPs and any other information can be kept if there is a legitimate interest. For example if another regulation requires you to keep full information for AML or tax purposes, you can't immediately comply with a right-to-be-forgotten request to delete all the data you hold.

It's still personal information though (which was my original point), and so you still need to comply with GDPR by minimizing usage, not sharing it to processors without permission, having a procedure for telling users what data you hold on them, etc. And I think you'd have a harder time claiming that the other stuff is required too, specifically the addresses and phone numbers. You can do spam detection without that information, even if it would be less effective.

The problem I see with GDPR is just that we won't know precisely where the boundaries are until there's some case law to set precedent. It may prove to be easy to comply with, or it may prove to have some sharp edges that are expensive to comply with; we really can't tell.

The same WHOIS is used by spammers to send annoying emails to domain owners

Domain owners are a tiny, tiny fraction of the population spammers are attempting to reach.

> WHOIS is extensively relied on by spam fighters like Spamhaus

Does anyone of importance still use those? Google and other major email hubs have long switched to AB testing and building user profiles as their primary filtering tools. They want to gather that data to improve efficiency of their targeted advertising, so I trust them to be good at it.

Smaller players might not have resources for that, but how do those opaque third-party blocklists help them? In the best case, those "anti-spam communities" do nothing. In the worst case, they act as data-harvesters, potentially leaking information to (lol) _spammers_. Why should we care about their future?

How does AB testing and user profiles have anything at all to do with detecting when incoming email is spam?

This post explains it: https://news.ycombinator.com/item?id=12282894

TL;DR: modern email providers don't care if you are in blacklists. If your IP/domain does not have established reputation, they will drop half of your email in the spam folder. If users whitelist it or reply to it, your reputation automatically improves.

If you send too much email or your receivers blacklist you (delete without reading or manually move your email to spam), your reputation takes a nose dive. Some providers (for example, Yandex) openly describe that logic in their FAQs.


However, as someone who uses SpamAssassin (via FastMail), spam clearinghouses like Spamhaus are still very important. And as long as we want to avoid centralizing all email in the hands of a few massive providers, they will continue to be important.

And for mail senders, SpamAssassin, especially in a comparatively large deployment like FastMail’s, is super useful because it actually tells you why a message was classified as spam, and it’s mostly actionable. SpamAssassin’s rules won’t be the same as what Gmail uses, but there will be strong similarities in many of the rules, and so the sorts of actions that may be necessary to get your SpamAssassin-assigned X-Spam-score down are likely to help on providers like Gmail too.

(I just wish there was better documentation of what all the rules mean, and how to satisfy them.)

I don't get it.

What the current system does: a private person who registers multiple domains with his own name and then proceeds to spam email users, that person can be blacklisted effectively because his personal information can be fetched and matched.

A spam virus is not the problem here, because personal data does not reliably connect infected domains.

And spam companies are not the problem here, because GDPR is not concerned with companies.

The person who uses several domains to spam needs to be somewhat aware that he is spamming. But he also needs to be incredibly idiotic to connect his spam domains with his personal info.

Even if WHOIS going down is a short-term tragedy for anti-abuse, GDPR does not seem to prevent building a replacement that works well enough.

Whois is no longer such a good idea in this age of doxing anyway. I don’t know anyone who isn’t hiding their whois details and writing fake names and addresses.

I had the misfortune of using namecheap and entered my real details once. Their whois privacy didn’t apply to the particular gtld and I only found out once the spam arrived. Never putting any real details ever again.

Spam is only the beginning. Wait until a crazy person gets angry at your site.

Whois data is also a dox/social engineering entry point.

But at least in Germany (and perhaps other EU countries?) website owners are required to provide contact details on the website. That's not exactly the same as domains and WHOIS, but it is similar enough to show that the German state (rightly perhaps) doesn't actually care about this sort of privacy.

It's only the DACH region to my knowledge and you can still do a lot to prevent spammers from getting the details.

That basically includes most of the default anti-scraping methods, but since you only have one page to do it on, it's far simpler to get 99% of the bad guys out (spammers usually stop bothering once you get more advanced than ROT13 via Javascript or images designed to trip up OCR while still being readable).

Spam and scraping are not the problem, real people are. Getting a nutjob show up with a gun at your office because you are required by law to make your contact and address details public ain't fun, and not something that you can solve with ROT13 in Javascript.

Nutjobs with guns showing up anywhere to shoot up people is rare in my country to the point that I worry more about the extra electricity consumed by transmitting my imprint.

Sorry, but how often does that happen?

Not often enough that I care tbh.

If somebody has legal beef with me, having a contact address to quickly resolve it is more important.

Besides that, you can always simply get legal with the registrar who will get them your address anyway (or escalate until you find somebody who knows who you are)

Oh no, someone is sending nasty messages. If you're on the web it's to be expected.

It's all fun & games until your doorbell rings.

Or you hear the police shouting.

Ain't that the truth.

It's more of a problem if they know your phone number and where you live.

Not when they start posting stuff with your name on social and other media, or threatening you that they know where you live.

Putting in false information is grounds for losing a domain. I don't know if anyone has lost a domain for fake info but it could technically happen.

Happened to me a week ago. I had to hop and scream at my host to get it back.

This is why I'm happy the EU is twisting ICANN's arm. This information shouldn't be easy for spammers to harvest.

It's mainly only the address you should be worried about, but really a domain should have an owner associated with it. Do you complain about public records for who owns a plot of land?

Yeah, but a million Indians don't send me a letter offering me construction services when I buy a plot of land.

..but they could.

..but they don't

I registered a new domain last month and since then have been getting several spam telephone calls a day. The calls come from fake "local" numbers too, so they are incredibly hard to screen. Some calls are companies trying to sell me web design services, and some, I think, are just trying to verify if this is a "live" number so they can sell it off to other spammers. I can effectively only trust new calls from numbers I personally know now, and have missed several real calls because I've stopped answering anything else.

These sorts of calls are infuriating when working at a web des/dev company. No, we don't need any dev/design services -- we registered that domain because we're doing that!

Looking to change the number out to a voicemail transcription number now that things are picking up so it's easier to filter out the duff calls

I did the same thing by accident a while back. If you have T-Mobile, they have a service called Name ID that will screen calls and auto-reject them. It works tremendously. It's included in the T-Mobile Plus service if you have it.

whois realms.org

My personal info has been on whois since 1995.

Am I ok?

Mine's been online forever. Once it's out there once, you're done. No point in trying to hide from it I guess.


> From the article -

"Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time."

> From: https://www.icann.org/resources/pages/what-2012-02-25-en

"ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet."


Editorial: The disconnect is frightening.

One month to adapt? They have had two years. Also, I fail to see how this is a problem, considering that quite a few domains nowadays seem to use WhoisGuard or a similar service anyway.

> They have had two years.

Even longer if you consider the time GDPR was worked on. The writing has been on the wall for a really long time, so asking for an interim arrangement is really barefaced.

Are you saying GDPR was ready then? How come if today it is not clear and has ambiguous interpretations or lack of?

It was clear enough to know at least 2 years ago that you can't just make personal data public on the Web.

Here, as in all cases, the supposed vagueness is just a lame excuse to not even start an honest effort of protecting personal data.

ICANN obviously tried to play a game here (let's sit this out and see what happens), and now is under water.

I am not saying that this is an excuse to not protect the data. I am saying in general that GDPR has not been thought through enough and has been pushed without consideration for a lot of edge cases.

"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

The first amendment also contains not much consideration for edge cases. That is a feature, not a bug.

GDPR sets principles, it isn't a technical specification. The edge cases will be sorted out by courts, as usual for legal issues. Meanwhile, everything looks like that the EU will not immediately start to impose big fines if there are small gaps, as long as affected institutions and enterprises show effort to comply and to fix remaining issues.

All complex laws have ambiguous interpretations.

All bad laws. edit: I am not saying the idea behind GDPR is bad - it is amazing. But execution is really bad.

I disagree; all complex laws. That's the main reason for the existence of supreme courts; to decide on a reading when courts below disagree ("circuit split", in the US).

Right. It shouldn't be okay to push bad (in the sense: incomplete, not researched enough etc.) laws because there is supreme court.

My claim is that you can't avoid it. It's like trying to write a large program with zero bugs without being able to test it. Citing Knuth, "beware of bugs in the above code; I have only proved it correct, not tried it."

To put it another way: can you cite any complex bill that hasn't ever gone to the Supreme Court?

>I fail to see how this is a problem...

Some TLD's don't allow proxy registrations.

Whois privacy is a service extra (sometimes included for free, sometimes a paid extra which can expire and expose your data if you miss the email), whereas other TLDs (.uk springs to mind) already have the ability to withhold the personal details of domain registrants (private individuals have the ability to withhold their data, company registrations have their data shown) at the registry level, without having to use a 3rd party company.

Is there a difference between proxy registrations and not making the registrant information public?

I am an engineer working for a registrar and we've been told by at least one TLD that there is no difference. We used to "mask" the registrant email regardless of whether or not the customer had opted-in for proxy registration, and we were told this was not allowed by the TLD operator.

Well, you're still seen as the owner of the domain in the register's eyes and not a proxy company, which may help if you need to transfer the domain away from your registrar for any unexpected reason.

Hardly. ICANN is not an EU organisation. The idea that GDPR is a global law is a new thing.


The letter also has harsh words for ICANN's proposed interim solution, criticizing its vagueness

Of all the people to criticize others for vagueness, EU data protection people are the very last who should be talking. GDPR is nothing but vagueness.

It's not like WHOIS wasn't problematic before, e.g. even inside ICANN people have been pointing out conflicts with data protection laws for over a decade. And ICANN not being from regions with stricter regulation isn't actually that relevant, since ICANN doesn't directly run WHOIS. The registries and registrars do it, many of which are in the stricter jurisdictions.

GDPR being globally applied certainly ups the overall pressure, and is the reason they want to change the overall WHOIS rules instead of making special rules for individual countries, but the key thing seems to be the fear that there actually might be painful fines now.

The problem is that you don't understand GDPR. Please watch first few minutes of this: https://youtu.be/-stjktAu-7k?t=399

(or even whole, it explains a lot of things)

> I fail to see how this is a problem,

> seem to use WhoisGuard or a similar service anyway

So it was always a problem, now it is also illegal

WhoisGuard is not usually free, except for the first year in some cases.

I would bet a substantial number of companies had not even begun GDPR compliance until around Q3 2017. It would be interesting to see the prevalence of GDPR in quarterly earnings call transcripts over time.

Judging by the volume of sales people contacting me at work, I would bet a substantial number of companies have not even begun GDPR compliance until at least Q2 2018.

Yeah, but how many are just US-based without an office in the EU or a real presence in the EU? ICANN is an international organization with a regional office in the EU and an engagement center, with EU customers representing a big chunk of sales/revenue. There's really no excuse for ICANN, whereas if you're a SaaS company based in the US, which may have 10% of revenue coming from the EU, it's more understandable.

You still have to implement it in case you are visited by an EU national (even if that is just a person visiting the site without intention to buy), as you shouldn't log EU personal data without permission. Even if you filter out European IP addresses you have to consider that an EU national can be visiting from the US, for example, and you still cannot log without permission.

How can you work on something that is not ready even now?

It's been ready for ages, it just doesn't come into effect until May.

It comes into effect incomplete. Companies still don't know what to do. There are tons of questions unanswered and nobody knows how to be compliant.

The only people that seem to have this problem are:

(1) the ones that didn't bother to read the text of the law (which is surprisingly accessible)

(2) armchair lawyers that come up with all kinds of outrageous edge cases that nobody really cares about but that then get used to discard the law saying it's incomplete and that 'nobody knows how to be compliant'.

For real businesses that are affected by the law the vast majority of the impact is crystal clear and if they've done their homework they'll be more-or-less compliant by May and will at least be able to prove they made a good effort to comply.

I really should work up a to-do list that will get the average SaaS start-up to 90% compliance with the minimum amount of work.

Here's a to-do list to help people get started today: https://gdprchecklist.io/

This is false. There are third parties specialised in getting you compliant if you're unsure what to do - you can send your (legal/technical) questions to them and they answer you.

It still baffles me to this day that people just lie/spread misinformation on the internet (yes, there is a relevant XKCD for this) yet here we are.

It is always the same, a law is enacted and it includes a window of a few years to give everybody time to implement it. A few weeks before the law goes into effect, everybody is screaming that they need more time. I guess we don't leave university after all.

Original blog post from Michele Neylon of Blacknight (registrar based in Ireland): https://blacknight.blog/game-over-for-public-whois-article-2...

As an ex-customer, I've found that Blacknight are generally supportive of Internet freedoms and they do a lot to advocate the adoption of IPv6.

That's a much better article.

Why does WHOIS need someone's phone number anyway? I didn't have a phone number between 1993 and 1998 and I would have liked to have had a domain back then. (I almost did buy one, except they were too expensive back then.)

It was useful when the Internet was small, and all run by nerds who just wanted everything to work. In the mid-90s, the phone number in WHOIS was usually the guy who actually ran the servers. I called people when email auto-responders went awry and caused an email loop, or when ISP's DNS servers had old entries that shadowed web sites we hosted, or when I found a security hole.

Yep, I remember some people in my org having problems emailing a large company. Whois, call number, get tech, get mail guy, gets fixed.

Probably all so they know which direction to point lawyers / government agencies towards when they come knocking about your domain.

They could just send an email to abuse@[domain] like anybody else.

In my experience of recent years, addresses like abuse@, webmaster@, hostmaster@ and postmaster@ normally bounce. It’s a real nuisance when I want to report bugs in web systems, or in email systems where they’re doing enough things badly wrong that they trip (or get close to tripping) spam filters, et cetera.

Sadly I never set up any of those, usually only admin@ and then move on. To be fair I usually list one of the available emails on my sites where it makes sense, or provide some way of contacting me directly. I will definitely create those and forward them to admin@ from now on though. But the issue still remains as others said, now you can claim you never got an email.

... including for ISPs, as I found out recently when trying to report some abuse.

I tried complaining to RIPE but they did nothing.

Which you could ignore, but you can't ignore a lawyer.

Maybe it's better that way, lawyers have to do actual manual work on cases that matters instead of sending random legal threats to every company they can find. Random legal threats are not substitutes for law enforcement.

I can't remember ever being honest when entering WHOIS data, and I own hundreds of domains.

Doesn't that transfer the ownership of the domain to the fake entity/person you've specified?

That assumes the fake entity exists and disputes it.

Interesting, I just queried the WHOIS records of a .im domain which used to display my personal information, but now it displays:

    This information has been redacted to comply with European Union General Data Protection Regulations (GDPR). Please contact us at info@nic.im if you have any further queries.

    Domain Managers
    Name: Redacted
    Domain Owners / Registrant
    Name: Redacted

Particularly interesting, as the Isle of Man isn't in the European Union.

If the TLD authority on the Island is offering a good/service to an EU person, even if they are outside the EU, they will need to protect that data in the way that the GDPR specifies. So they can either decide to not publicize that info for EU persons (based on address?), or not publish any natural person's data.

But let's say they didn't want to. No consequences, right? Not quite... the .im authority allows EU businesses (domain registrars) to register domain names (for example, I can go to transip.nl and register a .im domain name). TransIP has to comply with the GDPR. If TransIP collects my information to pass it outside the EU, they need to be certain that the organization they provide it to is also GDPR compliant. If they don't have those assurances, they can't give them the info. So not being GDPR compliant is not great for the .im revenue stream.

Finally, I have no clue about the legal regime on the Isle of Man. If I were them, I would probably try to sync up a lot of my laws with the UK (and thus EU, for now) laws. So my guess is they have some sort of data protection act, and that it's in line with the GDPR (or will be very soon).

huh .. I just checked my own .im domain and got the same response. Interesting. That was fast.

It's actually slow when you think about it another way. GDPR has been looming for years, and it's now only a month and a week prior to enforcement date that things have started changing.

Whois can perfectly have only technical data.

- domain expiry

- domain registration date

- nameservers

Everything else is not needed and as such would comply with GDPR.

If you want EV certs you definitively need more information than that, part of the idea is that there is public verifiable information that only the owner can change.

There are multiple ways to deliver gated access to registrant data only to those who need to know (like EV cert issuers). See e.g. RDAP, a JSON/REST successor protocol to WHOIS, which displays different amounts of data depending on if you're logged in and what data your account has access to.
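The tiered model sketched in the two comments above (technical data such as dates and nameservers public for everyone, a natural person's contact data released only to authorised requesters, which RDAP's account-based access allows), as an added Python example that is not part of the thread or of any registry's code. The record is constructed in RDAP's JSON layout (ldhName, events, nameservers, entities carrying jCard contact data) and every name, address and number in it is fictional.

```python
"""Tiered RDAP-style access to domain registration data.

Added example, not code from the thread or from any registry. The record
is a constructed object in RDAP's JSON layout; every name, address and
number is fictional. Technical data is served to everyone, personal
contact data of a natural person only to authorised requesters.
"""
import copy

RDAP_RECORD = {
    "objectClassName": "domain",
    "ldhName": "example-shop.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2017-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2019-03-01T00:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.example"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.example"},
    ],
    "entities": [
        {   # registrant: a natural person, so the contact data is gated
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Jane Doe"],
                ["kind", {}, "text", "individual"],
                ["adr", {}, "text", ["", "", "1 Example Street", "Exampletown", "", "12345", "DE"]],
                ["tel", {"type": "voice"}, "uri", "tel:+49-30-0000000"],
                ["email", {}, "text", "jane@example-shop.example"],
            ]],
        },
        {   # registrar: an organisation whose abuse contact stays public
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar Ltd"],
                ["kind", {}, "text", "org"],
                ["email", {}, "text", "abuse@example-registrar.example"],
            ]],
        },
    ],
}

# jCard properties that identify or locate a person.
PERSONAL_PROPERTIES = {"fn", "n", "adr", "tel", "email"}
# Roles whose contact data is published to every requester.
ALWAYS_PUBLIC_ROLES = {"registrar"}


def is_natural_person(entity):
    """jCard 'kind' is 'individual' for a person; if absent, assume a person."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "kind":
            return prop[3] == "individual"
    return True


def redact_entity(entity):
    """Strip personal jCard properties; an RDAP remark says why."""
    entity = copy.deepcopy(entity)
    props = entity["vcardArray"][1]
    entity["vcardArray"][1] = [p for p in props if p[0] not in PERSONAL_PROPERTIES]
    entity["remarks"] = [{"title": "REDACTED FOR PRIVACY", "description": [
        "Contact data of a natural person is released to authorised requesters only."]}]
    return entity


def render(record, authorised=False):
    """View of `record` for this requester: technical data always, personal data gated."""
    view = copy.deepcopy(record)
    if not authorised:
        view["entities"] = [
            e if (set(e.get("roles", [])) & ALWAYS_PUBLIC_ROLES or not is_natural_person(e))
            else redact_entity(e)
            for e in view["entities"]
        ]
    return view


def registrant_email(view):
    """Registrant e-mail from a rendered view, or None when withheld."""
    for entity in view["entities"]:
        if "registrant" in entity.get("roles", []):
            for prop in entity["vcardArray"][1]:
                if prop[0] == "email":
                    return prop[3]
    return None


def as_organisation(record):
    """Copy of `record` whose registrant is an organisation, not a person."""
    org = copy.deepcopy(record)
    org["entities"][0]["vcardArray"][1][2][3] = "org"  # the 'kind' property
    return org
```

An anonymous requester still sees the expiry date, nameservers and the registrar's abuse address, while the registrant's name, address, phone and e-mail are replaced by a remark explaining the redaction; a company registrant is served in full.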

But does it need to be personal information?

I think the short answer: It depends.

In some cases it's not enough to register the domain on a legal entity, it needs to be a person, and that person needs to exist in the company and needs to be contactable. You cannot get around this with EV certifications.

It sounds like a positive policy to me, I don't understand the backlash of the author of this article, personal details have no relation to domain names and I don't see why they should.

Personal details related to a car, right? And real estate? I don't understand your argument.

So write your name, address and telephone number on the back of your car. Maybe you don't want to, and that's ok.

...I think you're forgetting about that whole registration thing you do each year.

Something owns a domain, and the details of that something need to be known - personal or not. Easy.

I didn't mind my info being in whois records. Until websites started hosting that info. And Google started crawling those websites.

There's a big difference between your wife's ex guessing your domain and running whois on it to find her home address, vs just being able to Google her name to find it.

Isn't every single one of those websites violating that TOS of the registry, that the data may be queried, but not stored?

(cue the "there's no difference" brigade - yes there is)

I'm guessing they didn't actually store it, because it got cleaned up shortly after I deregistered the domain.

