‘Whois’ is pronounced as the phrase ‘who is’.
The public perception of Whois auditing may be mixed because it is so common to use False Whois information, not necessarily to cover criminal activity but to avoid the risk of identity theft or maintain privacy. However, in the case of a technical malfunction on the registrant’s website or a Domain Name Hijacking attempt, it is important for the registrant’s contact information to be correct so that they can be informed in a timely manner.
More frequent Whois audits can encourage more open behavior in the domain name industry and provide accountability. Hopefully, people concerned about privacy and security will seek additional fee-based privacy or proxy services or sign up with a registrar that provides such services for free instead of risking their domain name by using false Whois information.
See these quotes at: https://icannwiki.org/Whois_Audits_and_Verification
What are top-level domains?
gTLD: generic top-level domain, such as .com / .net / .org (/ .co)
ccTLD: country code top-level domain, such as .nl / .eu
nTLD: new top-level domain program – in October 2013, the first new TLDs were delegated
brandTLD: brand top-level domain – such as .amazon
geoTLD: geographic top-level domain – such as .wales
A country code top-level domain is quite autonomous, for example the .nl zone:
(https://sidn.nl/ – ‘Stichting Internet Domeinregistratie Nederland’)
Global regulations: https://www.icann.org/resources/pages/gtld-registration-data-specs-en
How to use the Whois method to check domain information?
- With all efforts to really improve input, updates must be legitimate;
- If a registrant’s name matches, this is not yet a unique identifier. Compare the RISN – Dutch Fiscal Number for a legal person, and the transition to IBAN – International Bank Account Number;
- The forms in the SIDN interface process less than ten percent of the input. Transparency and continuous public supervision are important to SIDN and its customers. In this way, public becomes aware of unexpected data. From the point of view of administrative organization, this acts as a control loop. A domain holder is sensitive to criticism from customers;
- Correct input forms are not a solution to correct long-standing data;
- A professional checklist could become routine during the (semi) annual audit;
- Example of Whois: https://www.sidn.nl/en/whois?q=webhostingtech&lang=en.
How to improve the Whois method for the public?
- A radio commercial by SIDN about the holder name, was an eye-opener for many. Its text could serve well as a quote;
- Effective framing of Whois usage, based on the six purposes, may reduce registrar nonsense;
- Form fields provide explanations in a professional way on https://en.internet.nl/. A screenshot of such an explanation can be a solid problem statement for maintenance;
- Putting an arrow on a – still illegal – screenshot of SIDN’s Whois can be difficult, because of hidden field names. SIDN can easily improve by adding a ‘held_back’ form field;
- The Whois screen can replace hard-to-find web pages about terms and conditions, and key case law. Modular explanation makes maintainable;
- Access to a domain provider’s Whois menu differs from optimal to none. Smooth auditing requires user-friendly public Whois;
- Maintenance of Whois data would improve with minimal knowledge on the part of those responsible.
Are privacy requirements finished?
In order to improve privacy in the .nl zone, SIDN changed rules from 1st March 2016. If a domain is for ‘private use’, then the holder name is hidden by default in Whois. ‘Business use’ yes/no was a big step forward, although global analysis may lead to an improved Whois standard.
Some ‘business use’ transparency issues
- For a registrant for ‘business use’ as compared to ‘private use’, privacy is less of a legal issue;
- For Dutch ‘business use’ by proprietorship (dutch: ‘eenmanszaak’) there is no fiscal RSIN number, no legal person, and often a home address. In terms of standardization, these types of specific situations do not fit into a data structure;
- For a natural person, type ‘business use’ in order to show holder’s name is the best workaround. Enabling display of a natural person’s name is correctly outside my domain provider’s menu. Otherwise, the ‘private use’ type would continue to lead to ‘business use’ warnings;
- A new ‘held_back’ field can communicate tiered / layered access for a natural person’s privacy. Furthermore, it is no longer necessary to show all fields with a hidden value;
- Transparency and reporting a leak of data, may require in the future the real ‘business use’ holder name, which is mandatory in some zones;
- Having the name of a hosting provider as the holder, the real holder is no longer visible (just a click away, called ‘privacy protection’);
- Manually forwarding email to the real domain holder slows down the handling of an issue. This delay could become part of regulation;
- To enforce compliance, the only possible sanction of removal will often harm the public interest and thus be unacceptable to a court;
- In the EU, customer protection authorities may sanction in addition to already functioning data protection authorities.
Four kinds of Whois email contacts for gTLD
See eg https://domain-contact.org; Contact you would like to send a message to: Owner, Admin, Tech or Billing.
The analyzed six legal Whois purposes for gTLD
gTLD Registration Directory Services and the GDPR
Part 1 (Hamilton law firm, 16th October 2017)
(i) The use of Whois data, for instance by registrars and network operators, for invoicing, support and other administration actions in relation to registered domain names.
(ii) The use of Whois data for safeguarding the rights of registrants, for instance by retention of the data in escrow with escrow agents, for recovery in the event of e.g. a distressed registrar or registry or failure by a registrar or registry to fulfill its obligations.
(iii) The use of Whois data by law enforcement agencies to investigate and counter serious crime, terrorism, fraud, consumer deception, intellectual property violations or other violations of law.
(iv) The use of Whois data by intellectual property rights holders to investigate intellectual property rights infringements.
(v) The use of Whois data by the general public to verify the identity of a provider of goods or services on the internet, including for consumer protection purposes.
(vi) The use of Whois data to identify the owner of a domain for business purposes, for instance in relation to a purchase of the domain name or other transactions.
How to maintain terms and conditions of SIDN, and elsewhere?
- issue: A registrar has to correct a clearly wrong name of the registrant.
issue: A person with primary responsibility is required; a registrar is limited.
issue: Eg for the .eu zone https://whois.eurid.eu/nl/complaint/ is not effective.
proposal: Naming to correct, even for a non-existent name, cannot be a shared responsibility.
proposal: Model a naming request text to someone’s supplier.
Expected holder names, of started political parties:
Unexpected holder names, of started political parties:
2019-02-18 https://www.sidn.nl/whois/?q=boerburgerbeweging.nl&lang=en (issue reported)
2020-12-02 https://www.sidn.nl/whois/?q=ja21.nl&lang=en (issue reported)
- issue: A third party is allowed and must therefore be able to notify a registrar.
proposal: Make abuse contact details mandatory, or disallow a third party;
- issue: A ‘privacy protected’ email address, obliges only the hosting provider to reply.
proposal: Require the real holder to answer a contact request.
Eg at a political party https://www.sidn.nl/whois/?q=ja21.nl&lang=en
- issue: Whois screens are improved for privacy since GDPR.
proposal: Allow Whois screenshots for financial statements;
- issue: Key case law and expertise must reach the public.
proposal: Describe an informative Whois screen;
- issue: Changes in data are unclear to a holder.
proposal: Analyze and then list communication purposes after a change;
- issue: In court decisions, all kinds of spelling mistakes require correction.
issue: Reporting a misspelling gets stuck in process descriptions for registrars.
issue: The direct responsibility of a registrar for its own naming seems too new.
proposal: SIDN works / communicates towards customer protection through auditing;
- issue: Abuse is answered by support without name and function.
proposal: Try to achieve ‘abuse’ mail account naming and clear responsibility texts;
- issue: Process and fee information for registrars was hidden from the public.
proposal: Get back to communicating with the public of process and fee information;
- issue: I cannot find the ‘Aanvullende Voorwaarden’ for e.g. a former EU country.
proposal: Really don’t block the transparency of internet usage.
How can SIDN’s Whois be improved?
proposal 1-7: Clearer agreement than with general terms and conditions
Choose from six possible purposes, eg: My use of Whois is to verify the identity of a supplier.
(The various purposes are clear, wrote Mrs. mr. C. Ebbers and drs. J. Jansen, 2019-03-01)
A screenshot no longer reveals confidential information after the privacy regulation.
Checking a supplier is not yet common practice.
proposal 2-7: Clearer explanation of a holder name
Whois information exceeds intellectual property rights. Someone must be in charge. A ‘business purposes’ registrant is not necessarily a legal entity. A change of registrant requires agreement of both parties. Strictly speaking, a domain with a registrant name that does not exist, does not have an holder; a court decision can then provide a solution; a typo can be corrected at an early stage.
proposal 3-7: Clearer about hidden information, in relation to the right to view in GDPR
Field checking does not work with the sentence ‘Registrant details may be withheld from the public’.
A ‘held_back’ form field as described, which is composed of existing table field values, can change over time to a table field instead of country-specific table fields. A ccTLD can still fine-tune a country-specific form.
SIDN: ‘From August 10, 2017, the registration data about each domain name will include contact details for reporting abuse to the registrar. ‘Abuse’ means any form of internet crime. The additional information will soon be available from the Whois on our website. Easy access to abuse contact details will mean that issues involving the domain name can be dealt with more quickly.’
proposal 4-7: Clearer abuse contact, instead of hiding if not set, which was a step back
nl_NL: Contactgegevens niet beschikbaar -> Contactgegevens zijn nog optioneel voor een Registrar
en_US: Contact details are not available -> Contact details are still optional for a Registrar
Registrant and registrar details may be like https://whois.eurid.eu/en/search/?domain=eurid.eu.
Legitimate notifications by a third party will not work without the registrar’s email address, so information cannot be optional.
proposal 5-7: Clearer explanation of an administrative contact
As administrative contact preferably choose the person who manages the administrative affairs. This email address must already be accessible when creating the domain and is preferably of another domain.
proposal 6-7: Clearer explanation of a technical contact
As technical contact preferably choose the person who can take immediate action in case of a technical issue.
proposal 7-7: Clearer information in email
- Start differently in email content for ‘admin-c’, ‘admin-t’ and registrar;
- Refer to ‘admin-c’ as the approachable person behind an IT professional (‘admin-t’);
- Write in case of a private holder type, that business use is not allowed;
- Emphasize the privacy of non-personal email addresses;
- Describe approachability, although limited for website content;
- Ask if the legal abbreviation for ‘Besloten Vennootschap’, ‘B.V.’, matches;
- Mention SIDN’s Whois in order to check the most recent public information.