I always felt uncomfortable having to submit my personal data, specifically: my address and phone number, and for it to be published like that (regarding domains where Whois protection services are not allowed). I can understand the motivation for this with regards to corporations and organizations, but what benefit is there with regards to natural persons?
If it’s about contacting people, they could make the abuse@ or webmaster@ address mandatory, then you can separate it from your normal email accounts, because the majority will be spam anyway.
And often it's not a violation, it's an alleged, unspecified, un-counterable data point hidden in Google's cloud with no way for the user to determine what it might have been.
I moved everything to AWS DNS and am super happy about it. Domains are mission critical, I'll pay double without blinking to know that my stuff isn't gonna be held ransom over some contrived baloney
Like accidentally changing the name on a kindle to “baba”?
Though, bulk editing would be nice, I'm about to move. :-( If anyone here works for google domains, it would be REALLY nice to be able to update all contact info on all domains at once.
Not really. Appengine for example didn't have an admin API until recently (and it's still quite limited).
What about domain owners like mysql who have no email attached to their domains? I only have two personal domains, but I have never had a need for an account to be associated with the domains nor do I think I would ever check it.
Perhaps have those two account DNS lookups always go through the registrar who then forwards to your account email? Even that doesn't seem very fool proof, though.
.com are $12/year
.net are $11/year
.io are $39/year
$39/year AWS Route53 and $47.68/year on Porkbun.
Where? I never paid a dime
Since control panels, reputation, policies and other services like DNS are also things that can be bundled together, it's going to be difficult to say whether or how much you're paying for just the privacy component.
Always felt like mild extortion.
That aside, I'm still glad to pay a little more for the overall better service. If they were charging anything like the old Network Solutions prices, that'd be a different matter.
Once a domain is registered all they need to do really is process auto-renew payments, notify me if my card was declined for any reason, and make sure it's kept registered at the registry.
Unfortunately, in any case, I've stopped at the gate: they don't appear to have an API.
But an issue with whois privacy is that if you ever don't have it for a period (like you forget to renew/autorenew), then it's now saved in a number of DNS/whois history services.
As an aside, .us addresses cannot be registered anywhere with privacy controls enabled.
Ah, yes, it's documented:
>When you register an eligible new domain name or transfer an existing eligible domain into Namecheap, you'll receive the first year of WhoisGuard privacy protection absolutely FREE.
Free protection, no upsells, $19/yr for 1 yr of .com, $13/yr for 5 years. TOTP 2FA as well. Never had a problem for the 15 years I've been with them.
They run their own TLDs .design, .ink and .wiki, so these guys really know their stuff. Support is not 24/7, but usual office hours, but those who pick up your phone/email REALLY know what they are talking about. Plus really cheap domains; they mentioned somewhere that they are aiming for a $1 mark-up for all TLDs.
Other services do.
When I change whois privacy to enabled and press save it just says "Unable to update the contact."
This happens both with my .com and my .net domain.
Given that precedent matters a lot in UDRP cases, I’m not sure that njal.la is a realistic option.
I get some calls/e-mails so quickly I wonder if they have some kind of live stream setup for registrations on some TLDs.
I have little sympathy for ICANN with this. Malevolent persons can always go to registrars which do not publish personal information and even accept anonymous registration. The current policy harms only lawful citizens.
Those email lists only tend to get longer, never shorter, I still see spam sent to addresses I haven't used in years (and backlink spam requests for websites that haven't been alive since the 90's!).
As a side effect, I know when my address is sold to anyone and by which site. I am already sharpening my papers; after the 25th of May, every website that gives away my address is going to get a serious papercut.
There's also (very bad) precedent in the UDRP for using out of date or inaccurate WHOIS information as evidence of Registration/Use in bad faith. There's even been cases where a UDRP panelist has argued using WHOIS privacy services was prima facie evidence of bad faith, which beggars belief.
"This Panel member is persuaded there is bad faith registration and use because of several factors. The first factor is using a privacy service in a commercial context raises a rebuttable presumption of bad faith. Respondent has done nothing to rebut that presumption. Respondent does not need to conceal its identity from the marketplace to be a domain name reseller. Respondent offers no explanation as to why Respondent concealed its identity (and conceals it to this very day). Only people with an intent to deceive conceal their identity, which is the very definition of bad faith. Since Respondent did this at the time of registration and through the present day, there was bad faith registration and use of the domain name."
Thankfully other panel members dissented, but the UDRP has a long history of questionable reasoning and decision making, and bizarre WHOIS issues are not unheard of.
all this seems fine according to EU law so I am not sure why DNS registration is any different
(Source [German]: https://www.e-recht24.de/artikel/datenschutz/209.html )
I'm reading from the English translation here, but it suggests that "businesslike" also includes something that is ongoing / sustained. So if your personal blog is posted every Tuesday, it could be said that is "businesslike" (geschäftsmäßig). They also specify that profit is not a requirement.
Geschäftsmäßig doesn't require Gewinnerzielungsabsicht (intent to make a profit), but does actually require an intent to make business, in whatever form, but not necessarily on the site itself. For example, a business owner having a very simple website just stating what his business does will require an imprint on that site, because obviously the intent of the website is to inform about his business. If, on the other hand, you have a blog with no ads about your kittens then you don't need an imprint.
Just because something is an unbestimmter Rechtsbegriff (non-exhaustively defined law term) doesn't mean you can just go ahead and act as if it means anything you like.
But to confirm, the particular quote from the BMJV that I was going by on that page is this one, does it match with your understanding? (My German comprehension isn't great.)
"Die Anbieterkennzeichnungspflicht muss praktisch von jedem, der ein Online-Angebot bereithält, erfüllt werden. Etwas anderes gilt nur bei Angeboten, die ausschließlich privaten oder familiären Zwecken dienen und die keine Auswirkung auf den Markt haben. Im Zweifel sollten Sie davon ausgehen, dass die Anbieterkennzeichnungspflicht besteht."
Translation: "The provider identification obligation (Anbieterkennzeichnungspflicht) must in practice be fulfilled by everyone who provides an online offering. The only exception is for offerings that serve exclusively private ('privaten') or family purposes and have no effect on the market. In case of doubt, you should assume that the provider identification obligation applies."
The first sentence seemed to say that "in practice everyone offering something online must comply", and I took "privaten" in the second sentence to imply private as in "password protected / not publicly accessible". But as someone learning German I've probably interpreted those too narrowly, and I'd love to be corrected on the nuance!
which exclusively cater to private/family needs/affairs and [thus] have no impact on the markets.
> I took "privaten" in the second sentence to imply private as in "password protected / not publicly accessible".
No, privaten Zwecken here refers to personal affairs.
And as a reminder, the German rule only applies to commercial sites — a site with no ads and no way to pay such as quasseldroid.info does not need an Imprint.
I wouldn't be too sure. There is, unfortunately, a lot of room for interpretation with this law. Rather cautious advisers urge you to have one as long as your website isn't private in the sense that it can't be accessed by the public (i.e. a website for family members that can only be accessed with a password).
This law (IANAL) is just horrible.
The law just requires a way to contact a person within a few days, and a way to be able to get at the person behind a site so as to be able to sue them.
The alternative is sites that you can't do anything against if they act illegally against you, e.g. through libel and slander.
If I want to send an Abmahnung to a website owner, because they publicly defame me — as has happened before — then I need something stronger than an email address. Or I need to invoke the right to be forgotten, but I don't want to do so, I prefer having a way to eliminate the source.
I was always wondering if they overturn this at some point. I don't know of any other country requiring it and I doubt that it helps taking down illicit content. If anything, it helps consultants for offshore companies.
I'd be fine with depositing my personal data somewhere so that people with legitimate concerns can contact me, but it should require some effort so that the function can't be abused.
How can they claim "data protection" in one case and make it mandatory to put your name and phone number there in another?
It makes me very uncomfortable to host a website, when I know I will get spam, unwanted telephone calls, maybe even unwanted visits at my home, etc. And it deters me from posting something even a bit controversial on my own domain - this is probably an intended side-effect of the "impressum" policy.
(* well, German law, but there is likely something similar in other countries)
EDIT: To elaborate, the EU e-commerce directive from 2000 requires all member states to have laws that require commercial sites to have at least name of the entity, physical mailing address, business registration IDs if applicable, e-mail and VAT ID published. Since it's only a directive, the details vary from country to country. E.g. France requires also listing a phone number and an actual person responsible for site content.
Why do you leave a lie at the top of your comment with an asterisk to clarify it's a lie at the bottom? It's NOT a European law. If other countries have similar laws, it's still not a European law. Please remove the lie.
To bombard someone with the word "lie" crosses into incivility
(rather aggressively, as I read it), and also breaks the site guidelines by not giving the benefit of the doubt. Could you please not treat others like this here? Instead, assume good faith, as the guidelines ask.
By the way, even the correction below is an untruth, because only a few other EU countries have similar laws.
Nah there is not. Don't lie.
[ tries to visit ckastner.com ]
[ the website is down ]
[ looks up Whois record for ckastner.com ]
[ picks up phone, dials number ]
"Hello, yes, Christian Kastner? Your website is down. Just thought you should know."
This is a perfect example of one of the positive effects of the GDPR afforded to natural persons.
I haven't been associated with that domain for 15 years or so. Why is someone still maintaining my personal data, some of it now wrong/obsolete, in a public database?
Edit: Just to be clear, I don't see a problem with the parent having posted this information here, as the parent just reposted this from another public source. The problem here is clearly the other source.
• tries to visit ckastner.com
• the website is down
• retrieve the information from an archived snapshot instead https://addons.mozilla.org/firefox/addon/resurrect-pages-isu...
• Christian Kastner was already notified by email from his automated monitoring that the website is down
Not everyone with a website is a web developer, or paid a knowledgeable and modern web developer to make the website.
Of course nobody _else_ should be forced into sharing details just for this kind of occasional utility, I'm not claiming that.
Honestly, I think you should take social engineering more seriously if you think the benefits outweigh the costs.
Like someone removing their front door because it might encourage someone to drop by for some stimulating conversation.
For example, the author of the "Amazon Backdoor" post a while back suspected that the attacker got their address from a whois of one of their domains.
I think rather the comments in support of an open Whois are looking at the past with overwhelming nostalgia instead of objective reality.
To your own point, the Web is a very different place now. But Whois is still the same, reflecting a reality that no longer exists. It's time for a change.
We would have preferred someone called us immediately, in case we didn't see the ticket immediately. But we didn't have a security hotline publicly listed.
Putting a phone number in a big public directory of phone numbers for when e-mail doesn't work isn't a bad idea, regardless of what anyone (including the EU) says. We've had phone books forever. This is just a phone book for domains.
"My website is so critical that I want random people to be able to call me about it" is an oxymoron I don't think anybody has ever said.
Member States shall ensure that the service provider shall render easily, directly and permanently accessible to the recipients of the service and competent authorities, at least the following information: (a) the name of the service provider, (b) the geographic address at which the service provider is established, (c) the details of the service provider, including his electronic mail address, which allow him to be contacted rapidly and communicated with in a direct and effective manner.
A "service provider" is basically anyone with a commercial web site. See (17) and (18) in  for the detailed definition.
In many countries, one's address is in fact not a matter of public record. For example, in China.
It does you zero favors.
Can you clarify what jurisdiction you mean? In the United States, this isn't true - there are certain (admittedly common) things that generate public records with your address, such as buying a house or (in some areas) registering to vote. (In other areas, voter registration databases are technically not public, but volunteers on any political campaign have access.)
However, if you're not registered to vote and you're renting an apartment, there isn't any real reason why your address would be a public record.
There is no white pages for cellphones but I still get junk calls anyway.
For example, if one domain shares the same contact email address as another, then the domains are related somehow. Doing some data mining on a variety of signals which are apparent in the WHOIS records can help to cluster related domains to help anti-abuse researchers find newly problematic domains by following the trail through WHOIS.
I'm not sure how researchers will do their job effectively without WHOIS. This development is truly a disaster for anti-abuse.
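One way to do the clustering the comment above describes, as an added example that is not code from the original thread or from any anti-abuse project: link domains that share a registrant email or phone number in their WHOIS records with a union-find structure, so that a known-bad domain pulls in everything transitively connected to it. The records, domains and contact values are constructed sample data (all hypothetical, under .example), and which signals count as "linking" is an assumption you would tune per TLD.

```python
"""Cluster domains that share WHOIS-level signals (registrant email, phone,
optionally nameservers). Added illustration; the records are constructed
sample data, not real WHOIS output."""
from collections import defaultdict

# Constructed sample WHOIS records (hypothetical domains and contacts).
SAMPLE_RECORDS = [
    {"domain": "cheap-meds-1.example", "email": "reg1@mail.example",
     "phone": "+1.5550100", "nameservers": ["ns1.hoster.example"]},
    {"domain": "cheap-meds-2.example", "email": "reg1@mail.example",
     "phone": "+1.5550199", "nameservers": ["ns2.hoster.example"]},
    {"domain": "best-pills.example", "email": "other@mail.example",
     "phone": "+1.5550199", "nameservers": ["ns9.other.example"]},
    {"domain": "my-kittens.example", "email": "kitty@home.example",
     "phone": "+49.30000", "nameservers": ["ns1.hoster.example"]},
]

# Signals strong enough to link domains (an assumption). A shared nameserver
# at a large hosting provider links unrelated customers, so it is excluded
# by default; email and phone identify the registrant.
LINKING_SIGNALS = ("email", "phone")


class UnionFind:
    """Disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _values(rec, signal):
    """Normalise a record field to a list of lower-cased, stripped strings."""
    raw = rec.get(signal)
    if not raw:
        return []
    if isinstance(raw, str):
        raw = [raw]
    return [v.strip().lower() for v in raw if v and v.strip()]


def cluster_domains(records, signals=LINKING_SIGNALS):
    """Return a list of sets; domains in one set share at least one linking
    signal value, directly or transitively."""
    uf = UnionFind()
    first_seen = defaultdict(dict)  # signal -> value -> first domain with it
    for rec in records:
        dom = rec["domain"]
        uf.find(dom)  # register singletons too
        for sig in signals:
            for val in _values(rec, sig):
                if val in first_seen[sig]:
                    uf.union(first_seen[sig][val], dom)
                else:
                    first_seen[sig][val] = dom
    groups = defaultdict(set)
    for rec in records:
        groups[uf.find(rec["domain"])].add(rec["domain"])
    return sorted(groups.values(), key=lambda s: sorted(s))


def related_domains(records, known_bad, signals=LINKING_SIGNALS):
    """Given one known-abusive domain, return the other domains in its cluster."""
    for group in cluster_domains(records, signals):
        if known_bad in group:
            return sorted(group - {known_bad})
    return []


if __name__ == "__main__":
    for group in cluster_domains(SAMPLE_RECORDS):
        print(sorted(group))
    print(related_domains(SAMPLE_RECORDS, "cheap-meds-1.example"))
```

With the default signals the two "cheap-meds" domains join through the shared email and "best-pills" joins through the phone number shared with the second one, while the kitten blog stays alone; adding "nameservers" to the signals collapses everything into one cluster, which is exactly the false-positive risk of weak signals. This is also why the thread's point matters: with registrant email and phone redacted, only the weak signals remain.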
I am far from an expert on GDPR, but it doesn't seem to be so clear cut. Even if IP addresses in this context are considered personal data, there may be "legitimate interest" in processing them for blacklists, e.g. https://gdpr-info.eu/recitals/no-49/ could apply. I am confident a workable solution for spam blacklists will be found.
I have the impression that a lot of the fear around GDPR is unfounded if one uses a reasonable and restrictive approach of processing and storing personal data.
It's still personal information though (which was my original point), and so you still need to comply with GDPR by minimizing usage, not sharing it to processors without permission, having a procedure for telling users what data you hold on them, etc. And I think you'd have a harder time claiming that the other stuff is required too, specifically the addresses and phone numbers. You can do spam detection without that information, even if it would be less effective.
The problem I see with GDPR is just that we won't know precisely where the boundaries are until there's some case law to set precedent. It may prove to be easy to comply with, or it may prove to have some sharp edges that are expensive to comply with; we really can't tell.
Does anyone of importance still use those? Google and other major email hubs have long switched to AB testing and building user profiles as their primary filtering tools. They want to gather that data to improve efficiency of their targeted advertising, so I trust them to be good at it.
Smaller players might not have resources for that, but how do those opaque third-party blocklists help them? In the best case, those "anti-spam communities" do nothing. In the worst case, they act as data-harvesters, potentially leaking information to (lol) _spammers_. Why should we care about their future?
TL;DR: modern email providers don't care if you are in blacklists. If your IP/domain does not have established reputation, they will drop half of your email in spam folder. If users whitelist it or reply to it, your reputation automatically improves.
If you send too much email or your receivers blacklist you (delete without reading or manually move your email to spam), your reputation takes a nose dive. Some providers (for example, Yandex) openly describe that logic in their FAQs.
However, as someone who uses SpamAssassin (via FastMail), spam clearinghouses like Spamhaus are still very important. And as long as we want to avoid centralizing all email in the hands of a few massive providers, they will continue to be important.
(I just wish there was better documentation of what all the rules mean, and how to satisfy them.)
What the current system does: a private person who registers multiple domains with his own name and then proceeds to spam email users, that person can be blacklisted effectively because his personal information can be fetched and matched.
A spam virus is not the problem here, because personal data does not reliably connect infected domains.
And spam companies are not the problem here, because GDPR is not concerned with companies.
The person who uses several domains to spam needs to be somewhat aware that he is spamming. But he also needs to be incredibly idiotic to connect his spam domains with his personal info.
Even if WHOIS going down is short term tragedy to anti-abuse, GDPR does not seem to prevent building a replacement that works well enough.
I had the misfortune of using namecheap and entered my real details once. Their whois privacy didn’t apply to the particular gtld and I only found out once the spam arrived. Never putting any real details ever again.
If somebody has legal beef with me, having a contact address to quickly resolve it is more important.
Besides that, you can always simply get legal with the registrar who will get them your address anyway (or escalate until you find somebody who knows who you are)
This is why I'm happy the EU is twisting ICANN's arm. This information shouldn't be easy for spammers to harvest.
Looking to change the number out to a voicemail transcription number now that things are picking up so it's easier to filter out the duff calls
My personal info has been on whois since 1995.
Am I ok?
"Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time."
> From: https://www.icann.org/resources/pages/what-2012-02-25-en
"ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.
ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet."
Editorial: The disconnect is frightening.
Even longer if you consider the time GDPR was worked on. The writing has been on the wall for a really long time, so asking for an interim arrangement is really barefaced.
Here, as in all cases, the supposed vagueness is just a lame excuse to not even start an honest effort of protecting personal data.
ICANN obviously tried to play a game here (let's sit this out and see what happens), and now is under water.
The first amendment also contains not much consideration for edge cases. That is a feature, not a bug.
GDPR sets principles, it isn't a technical specification. The edge cases will be sorted out by courts, as usual for legal issues. Meanwhile, everything looks like that the EU will not immediately start to impose big fines if there are small gaps, as long as affected institutions and enterprises show effort to comply and to fix remaining issues.
To put it another way: can you cite any complex bill that hasn't ever gone to the Supreme Court?
Some TLDs don't allow proxy registrations.
whois privacy being a service extra (sometimes included for free, sometimes a paid extra which can expire and expose your data if you miss the email), where other TLDs (.uk springs to mind) already have the ability to withhold the personal details of domain registrants (private individuals have the ability to withhold their data, company registrations have their data shown) at the registry level, without having to use a 3rd-party company.
The letter also has harsh words for ICANN's proposed interim solution, criticizing its vagueness
Of all the people to criticize others for vagueness, EU data protection people are the very last who should be talking. GDPR is nothing but vagueness.
GDPR being globally applied certainly ups the overall pressure, and is the reason they want to change the overall WHOIS rules instead of making special rules for individual countries, but the key thing seems to be the fear that there actually might be painful fines now.
(or even whole, it explains a lot of things)
> seem to use WhoisGuard or a similar service anyway
So it was always a problem, now it is also illegal
(1) the ones that didn't bother to read the text of the law (which is surprisingly accessible)
(2) armchair lawyers that come up with all kinds of outrageous edge cases that nobody really cares about but that then get used to discard the law saying it's incomplete and that 'nobody knows how to be compliant'.
For real businesses that are affected by the law the vast majority of the impact is crystal clear and if they've done their homework they'll be more-or-less compliant by May and will at least be able to prove they made a good effort to comply.
I really should work up a to-do list that will get the average SaaS start-up to 90% compliance with the minimum amount of work.
It still baffles me to this day that people just lie/spread misinformation on the internet (yes, there is a relevant XKCD for this) yet here we are.
As an ex-customer, I've found that Blacknight are generally supportive of Internet freedoms and they do a lot to advocate the adoption of IPv6.
I tried complaining to RIPE but they did nothing.
This information has been redacted to comply with European Union General Data Protection Regulations (GDPR). Please contact us at email@example.com if you have any further queries.
Domain Owners / Registrant
But let's say they didn't want to. No consequences, right? Not quite... the .im authority allows EU businesses (domain registrars) to register domain names (for example, I can go to transip.nl and register a .im domain name). TransIP has to comply with the GDPR. If TransIP collects my information to pass it outside the EU, they need to be certain that the organization they provide it to is also GDPR compliant. If they don't have those assurances, they can't give them the info. So not being GDPR compliant is not great for the .im revenue stream.
Finally, I have no clue about the legal regime on the Isle of Man. If I were them, I would probably try to sync up a lot of my laws with the UK (and thus EU, for now) laws. So my guess is they have some sort of data protection act, and that it's in line with the GDPR (or will be very soon).
- domain expiry
- domain registration date
Everything else is not needed and as such would comply with GDPR.
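As an added example of the allowlist approach argued for above (not code from the thread or from any registry), the following filter parses a WHOIS response in the common "Key: Value" layout and keeps only the operational fields: domain, registrar, dates, status, nameservers and DNSSEC. Contact fields are replaced with a redaction notice like the one quoted earlier in the thread, and anything not explicitly allowed is dropped, so a new contact field a registry adds later cannot leak through by accident. The raw record, its domain, registrant and registrar are constructed sample text; the set of allowed fields is an assumption.

```python
"""Redact a WHOIS response down to non-personal fields (deny by default).
Added example; the raw record is constructed sample text."""
import re

# Constructed sample record (hypothetical domain, registrant and registrar).
RAW_WHOIS = """\
Domain Name: example-shop.example
Registry Domain ID: D0000001-EXAMPLE
Registrar: Example Registrar Ltd
Reseller: Hypothetical Hosting
Creation Date: 2015-03-02T10:00:00Z
Registry Expiry Date: 2019-03-02T10:00:00Z
Domain Status: clientTransferProhibited
Registrant Name: Jane Doe
Registrant Street: 1 Sample Street
Registrant City: Sampletown
Registrant Phone: +44.2000000000
Registrant Email: jane@example-shop.example
Admin Email: jane@example-shop.example
Tech Email: ops@example-registrar.example
Name Server: NS1.EXAMPLE-REGISTRAR.EXAMPLE
Name Server: NS2.EXAMPLE-REGISTRAR.EXAMPLE
DNSSEC: unsigned
"""

# Fields that carry no personal data and are needed to operate or dispute a
# domain (an assumption). Anything not listed is redacted or dropped.
ALLOWED_FIELDS = {
    "domain name", "registry domain id", "registrar", "creation date",
    "registry expiry date", "updated date", "domain status",
    "name server", "dnssec",
}
REDACTION_NOTICE = "REDACTED FOR PRIVACY"
CONTACT_PREFIXES = ("registrant", "admin", "tech", "billing")
LINE_RE = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_whois(text):
    """Parse 'Key: Value' lines into an ordered list of (key, value) pairs;
    repeated keys (Name Server) are preserved."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs


def redact_whois(text, allowed=ALLOWED_FIELDS):
    """Return (redacted_text, dropped_keys). Contact fields keep their key
    with a redaction notice so existing parsers still see them; unknown
    non-contact fields are dropped entirely."""
    kept, dropped = [], []
    for key, value in parse_whois(text):
        k = key.lower()
        if k in allowed:
            kept.append(f"{key}: {value}")
        elif k.startswith(CONTACT_PREFIXES):
            kept.append(f"{key}: {REDACTION_NOTICE}")
        else:
            dropped.append(key)
    return "\n".join(kept) + "\n", dropped


def leaks_personal_data(redacted, raw):
    """Cross-check: no original contact value may survive in the output."""
    contact_values = {v for k, v in parse_whois(raw)
                      if k.lower().startswith(CONTACT_PREFIXES) and v}
    return any(v in redacted for v in contact_values)


if __name__ == "__main__":
    out, dropped = redact_whois(RAW_WHOIS)
    print(out)
    print("dropped:", dropped)
    print("leak:", leaks_personal_data(out, RAW_WHOIS))
```

The cross-check at the end is the part worth keeping in production: it compares the output against the raw contact values rather than trusting the allowlist, so a field that slips through under a new name still trips the check.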
In some cases it's not enough to register the domain on a legal entity, it needs to be a person, and that person needs to exist in the company and needs to be contactable. You cannot get around this with EV certifications.
There's a big difference between your wife's ex guessing your domain and running whois on it to find her home address, vs just being able to Google her name to find it.
(cue the "there's no difference" brigade - yes there is)
What if the company that I register my domain with just registers it for themselves and when I have built a million dollar business on it, they sell it to somebody else?
I supplied that information long before Companies House made it easily available.
I will try again after the GDPR is place.
Companies house asks for director name/address/dob when you register a company
Ms. Jelinek's letter suggests that collecting this user data, possibly for the benefit of various "stakeholders", was outside the scope of ICANN's charter.
Why was it a requirement for ICANN-approved registrars to collect and share this user data? What was the rationale?
Twisting ICANN's arm to hide this information is desperately needed.
This kind of explicit consent was not given in the case of most domain registrations, and anyway, GDPR allows for withdrawal of consent, so even if you did grant it in the past, you can withdraw it now.
I'm not sure what your intended argument is; can you rewrite in plain English and without scare quotes?
However, I will continue to argue that it was consent in a more general sense: They bought a domain, therefore their info is published in whois. It is necessary to provide the service. If they do not want their info published, they could have taken action to prevent it (whois service, alternate name, alternate email.)
All that's needed for the domain name system to work is to configure nameservers on the domain. That's it. Anything else is certainly not necessary. All WHOIS has ever done for me is resulted in fake domain renewal mailings, spam emails, and unsolicited spam/phishing calls. None of this is anything close to necessary.
And guess what? All that spam and stuff is still going to happen without whois and with the GDPR. It's cute that you think otherwise, but once your info is out there, there's no getting it back. Spammers don't care about your "consent" or your "right to be forgotten."
And no, that info would not be out there, and certainly not in such an easily discoverable format, without WHOIS. There's plenty of incoming spam I've received, both physical mail, email, and phone calls, that can be solely attributed to registering a new domain name with publicly visible info in WHOIS. Had that information not been public, I would not have gotten that spam, full stop.
I don't think cold war era thinking alone is the solution to these issues; there are likely other, less destructive, paths.
I certainly do hope there are other less destructive solutions, but it's not like GDPR or the problems it has with WHOIS just sprung up suddenly. The EU knew this was going to be challenging and would require discussion, but the discussion has apparently reached the point where they have decided going on the offensive is their best option. It's not like ICANN could just flip a switch and change everything to be in compliance but they're refusing to. What the EU wants is a huge change, and you can't just stamp your feet and expect it to magically happen. But that's the unreasonable path they've chosen.
So yeah, there's no way any kind of response like this will be happening.
Maybe I'm mistaken but I don't think a dns query must return whois data. Aren't they separate protocols?
Is it? (Honest question, I have no idea.)
Most of the links at https://news.ycombinator.com/from?site=theregister.co.uk are dead for some reason.
Sysadmin folks would know the term 'BofH' which got popularised by The Register.
No, it really isn't. They're a shitty tabloid with all the problems that shitty tabloids have. They're well known for being inaccurate, inflammatory, click-baity, etc.
Corporations will continue to have their details listed, this covers what info can be stored and published about actual persons.
I can understand a person not wanting to put their address, but I say phone, email, name and point of contact should be necessary. It is a public system after all.
Spam can be a problem as well, but these records do serve a purpose. They also are important for ownership of a domain if a dispute was to arise.
I would be more worried about swatting with the address component. I can see that for corporations/businesses.
I see you've also never been threatened before. It doesn't work.
In the meantime it's slowly eating away at your sanity: Is this real mail? Can I go outside for groceries without getting stabbed? These are not fun concerns to have to have. Seeing as it's 100% avoidable and unnecessary to have this information available in this way, I don't think it is a bad thing to remove it.
I find it more amusing that people would waste their only life on such stupid things.
I do think the address requirement is perhaps a bit much for an individual. That's why I mentioned that. Kinda wish I used a PO box for my domains. However, it's already there. So I don't worry about it much anymore.
The only thing I consider personal is your address. If your name and phone number and contact email are a problem, then a phone book is just as much of a problem.
This is about people who don't like that and are forced to do it if they want to own a domain.
And of course phone books are subject to GDPR as well: in an EU country, if you don't want your phone number to appear in the phone book, just inform your phone provider, and your record will be deleted. (I guess in the future you will even have to give explicit consent to let the number appear there.)
really. Do you suppose that stalking doesn't happen?