When you buy a new domain name, one of the first choices that you have to make is whether or not to hide whom you are. Every registrar has the ability to mask your contact information, what they call a proxy or private domain service. Typically, these services carry additional monthly fees to the annual domain registration itself. Examples include GoDaddy’s Domains by Proxy, Network Solutions’ Private Domain Registration and Name.com’s Whois Privacy, just to name a few.
The idea is that public disclosure of this information, usually available through the Whois protocol, can provide a target for unsolicited sales calls or spam. Of course, the proxy services can be also be used to protect potential criminal activity such as identity theft, cybersquatting, trademark infringements or to threaten the domain owner for blackmail. If someone needs to get in touch with the actual domain owner, they can apply for a court order or subpoena these services to divulge the contact information.
But as these services have blossomed, they have created a series of issues. There is no common oversight or governance of the proxies and none of them have any accreditation with any national or international Internet standards bodies. On top of this, notification of when a challenge to the proxy varies widely and there aren’t even a set of published best practices. Ideally, it would be nice if domain ownership could be discovered with something other than a subpoena in circumstances where a business is at risk, versus having a very motivated individual that is just trying to track down a specific domain for personal reasons (such as cyber-harassment).
Even the subpoena process isn’t predictable: the domain owner can drag their feet in responding to it, or can lawyer up and try to quash the motion. Or the proxied domain owner can abandon their original domain and open up a new domain that will require a new discovery process. Like many other things, on the Internet no one knows you are a dog, but they can’t easily find out if you are a cat either.
Here is where ICANN comes into play. Earlier this summer ICANN proposed a change to its rules on how domain proxy information can be used. A big change to the current rules is that commercial businesses that own domains won’t be eligible for these proxy services. While nothing has been finalized yet, as you might imagine ICANN has gotten numerous comments. Certainly, having a protected domain registration can be useful in certain circumstances, as the Electronic Frontier Foundation has mentioned here: ”The ability to speak anonymously protects people with unpopular or marginalized opinions, allowing them to speak and be heard without fear of harm. It also protects whistleblowers who expose crime, waste, and corruption.”
That may be true, but still it might be difficult to distinguish when a business or an individual registers a domain with any sort of accuracy. Let’s say I register my strom.com domain to my business, which is called David Strom Inc. (a legitimate corporation registered in Missouri), and want to obscure my contact details. Is that for my own personal purposes or do I have a legit business reason for doing so? If my business is in tech publishing, perhaps obscurity may protect me from harm if a vendor didn’t like my article and wanted to come visit my office and do me harm. Or perhaps it could be a personal reason; such as I don’t want someone who has harassed me in the past to know my current address.
ICANN’s final ruling can take months or years, since they rely on consensus and there are still unresolved issues. In the meantime, you need to do some homework if your business wants to make use of these proxy services. First, you should understand what your domain proxy service is actually promising, what they charge and what information they actually obscure from the standard Whois query. Second, you should know what happens if they receive a subpoena and how they will respond to releasing your contact information. In certain circumstance, the proxy service will put your information in the Whois data after someone sues them if it looks like your business is questionable or if the service might be liable financially. Third, this might be a good time to review all of your domain ownerships and see if any of the contact information is still accurate or any of the employees listed are no longer with your company. Finally, review the ICANN report that is linked above and make sure you understand the various nuances of the proxy world.
However,
None of these things are hard to do. All can be done with technology that is common at least ten years ago, in some cases 20 years old. All require some diligence, and staying on top of things, and having the personnel who are responsible for these tasks to actually be doing them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.
