‘Whois’ is pronounced as the phrase ‘who is’.
‘The public perception of Whois auditing may be mixed because it is so common to use False Whois information, not necessarily to cover criminal activity but to avoid the risk of identity theft or maintain privacy. However, in the case of a technical malfunction on the registrant’s website or a Domain Name Hijacking attempt, it is important for the registrant’s contact information to be correct so that they can be informed in a timely manner.’
‘More frequent Whois audits can encourage more open behavior in the domain name industry and provide accountability. Hopefully, people concerned about privacy and security will seek additional fee-based privacy or proxy services or sign up with a registrar that provides such services for free instead of risking their domain name by using false Whois information.’
See these quotes on icannwiki.org/Whois_Audits_and_Verification
What are top-level domains?
gTLD: generic top-level domain, such as .com / .net / .org (/ .co)
ccTLD: country code top-level domain, such as .nl / .eu
nTLD: new top-level domain program; new TLDs were delegated in October 2013, such as .frl
brandTLD: brand top-level domain, such as .amazon
geoTLD: geographic top-level domain, such as .wales
Root Zone Database www.iana.org/domains/root/db: ‘generic’ versus ‘country-code’.
What about control?
A country code top-level domain is quite autonomous, such as the .nl zone:
www.sidn.nl (SIDN B.V.)
Which authority is above web facilities in the Netherlands?
The Dutch Authority for Digital Infrastructure as of January 1, 2023: www.rdi.nl
The RDI falls under the Ministry of Economic Affairs and Climate Policy.
How to use the Whois method to check domain information?
- Better input also requires updates to be legitimate;
- If a registrant’s name matches, this is not yet a unique identifier. Compare the RSIN – Dutch Fiscal Number for a legal person, and the transition to IBAN – International Bank Account Number;
- The forms in the SIDN interface process less than ten percent of the input. Transparency and continuous public supervision are important to SIDN and its customers. In this way, the public becomes aware of unexpected data. From the point of view of administrative organization, this acts as a control loop. A domain holder is sensitive to criticism from customers;
- Correct input forms are not a solution to correct long-standing data;
- A professional checklist could become routine during the (semi) annual audit;
- Example of Whois: https://www.sidn.nl/en/whois?q=webhostingtech&lang=en.
How to improve the Whois method for the public?
- A radio commercial by SIDN about the holder name was an eye-opener for many. Its text could serve well as a quote;
- Effective framing of Whois usage, based on the six purposes and added purposes, may reduce registrar nonsense;
- Form fields provide explanations in a professional way on https://en.internet.nl/. A screenshot of such an explanation can be a solid problem statement for maintenance;
- Putting an arrow on a – still illegal – screenshot of SIDN’s Whois can be difficult, because of protected field names. SIDN can easily improve by adding a ‘registrant_protected’ form field;
- The Whois screen can replace hard-to-find web pages about terms and conditions, and key case law. Modular explanation makes it maintainable;
- Access to a domain provider’s Whois menu differs from optimal to none. Smooth auditing requires user-friendly public Whois;
- Maintenance of Whois data would improve with minimal knowledge on the part of those responsible.
Are privacy requirements finished?
In order to improve privacy in the .nl zone, SIDN changed rules from 1st March 2016. If a domain is for ‘private use’, then the holder name is protected by default in Whois. Country-specific requirements require a generic Whois standard.
Some business transparency issues
- For a ‘registrant_trade_name’ as compared to ‘registrant_personal_name’, privacy is less of a legal issue;
- For Dutch proprietorship (Dutch: ‘eenmanszaak’) there is no fiscal RSIN number, no legal person, and often a home address. In terms of global standardization, these types of specific situations do not fit into a data structure;
- For public use by a natural person, a new type ‘personal public use’ would work;
- A new ‘registrant_protected’ field can communicate tiered / layered access for a natural person’s privacy;
- Transparency and the reporting of a data leak may in the future require the real ‘registrant_trade_name’, which is mandatory in some zones;
- With the name of a hosting provider as the holder, the real holder is no longer visible (just a click away, called ‘privacy protection’);
- Manually forwarding email to the real domain holder slows down the handling of an issue. This delay could become part of regulation;
- To enforce compliance, the only possible sanction of removal will often harm the public interest and thus be unacceptable to a court;
- In the EU, customer protection authorities may sanction in addition to already functioning data protection authorities.
Four kinds of Whois email contacts for gTLD
See eg domain-contact.org; Contact you would like to send a message to: Owner, Admin, Tech or Billing.
The analyzed six legal Whois purposes for gTLD
gTLD Registration Directory Services and the GDPR
Part 1 (Hamilton law firm, 16th October 2017)
(i) The use of Whois data, for instance by registrars and network operators, for invoicing, support and other administration actions in relation to registered domain names.
(ii) The use of Whois data for safeguarding the rights of registrants, for instance by retention of the data in escrow with escrow agents, for recovery in the event of e.g. a distressed registrar or registry or failure by a registrar or registry to fulfill its obligations.
(iii) The use of Whois data by law enforcement agencies to investigate and counter serious crime, terrorism, fraud, consumer deception, intellectual property violations or other violations of law.
(iv) The use of Whois data by intellectual property rights holders to investigate intellectual property rights infringements.
(v) The use of Whois data by the general public to verify the identity of a provider of goods or services on the internet, including for consumer protection purposes.
(vi) The use of Whois data to identify the owner of a domain for business purposes, for instance in relation to a purchase of the domain name or other transactions.
How to maintain terms and conditions of SIDN, and elsewhere?
- issue: A registrar will correct an obviously incorrect registrant’s name if SIDN so orders.
issue: A contact with primary responsibility is required; a registrar is limited.
issue: Eg for the .eu zone https://whois.eurid.eu/nl/complaint/ is not effective.
suggestion: Naming to correct, even for a non-existent name, cannot be a shared responsibility.
suggestion: Model a naming request text to someone’s supplier.
Expected holder names, from domains of political parties started:
2000-02-27 https://www.sidn.nl/whois?q=fvd.nl (name fixed)
2019-02-18 https://www.sidn.nl/whois/?q=boerburgerbeweging.nl (name fixed)
2002-12-06 https://www.sidn.nl/whois?q=pieteromtzigt.nl (issues fixed)
2002-12-06 https://www.sidn.nl/whois?q=pieteromzigt.nl (issues fixed)
2023-07-26 https://www.sidn.nl/whois?q=partijnieuwsociaalcontract.nl (issues fixed)
Unexpected holder names, from domains of political parties started:
2020-12-02 https://www.sidn.nl/whois/?q=ja21.nl (name reported)
2018-02-20 https://whois.domaintools.com/voltnederland.org (name and security.txt reported)
2021-11-30 https://www.sidn.nl/whois?q=steunfondsomtzigt.nl (an email issue was recognized);
change of rules by the owner SIDN applicable from October 1, 2023:
regarding registrants: A domain name must be applied for by the person or legal entity that will be the effective controller of the registration and the actual user of the domain name. That person or legal entity will then be recorded as the registrant of the domain name. It will therefore be the domain name’s effective controller that is entitled to our services. That person or legal entity will also be responsible, and may be held accountable, for the domain name’s use. SIDN is entitled to cancel a registration if the nominal registrant is another party, such as the registrar, or a reseller or a privacy or proxy service provider. A registrar or reseller may nevertheless temporarily stand in for a domain name’s effective controller by acting as the nominal registrant, providing that the domain name is not used on the internet while that temporary arrangement is effective.
regarding registrars(/resellers): You must register domain names in applicants’ names and using their details. You must not register a .nl domain name in your own name (unless the domain name is for your own use), or in the name of a reseller or a privacy or proxy service provider. In the sense of this article, a privacy or proxy service provider is any party that acts as a domain name’s nominal registrant, but is not the domain name’s effective controller. However, you or a reseller may temporarily stand in for a domain name’s effective controller by acting as the nominal registrant, providing that no name servers are created for the domain name, and it is not active in the DNS.
remark 1: Is the following allowed? The effective controller, also user, such as:
sidn.nl: ‘Stichting Internet Domeinregistratie Nederland’ for user ‘SIDN B.V.’
freedom.nl: ‘Stichting Bits of Freedom (Bof)’ for user ‘Freedom Internet B.V.’
remark 2: Free registrars from update costs from September 1, 2023 up to and including December 31, 2023;
remark 3: The Netherlands may realize that register-registrar-user interfaces recognize ‘personal private use’, ‘personal public use’ and ‘business use’ as types;
remark 4: If a natural person is the holder, the domain may enter a black hole upon death. If a domain’s effective controller is a natural person, privacy protection limits the domain’s continuation. Quite often, a server’s domain is in the name of a natural person rather than the name of the using organization. A living will can then offer a solution. NIS2 may include a rule that fixes this problem;
remark 5: A (VPS) server’s domain will normally be a customer’s domain or a provider’s domain. SIDN could clearly indicate that the contacts of that domain must be approachable;
remark 6: The administrative contact person must inform the person responsible. Technical personnel qualify themselves with the correct understanding;
- issue: A third party is allowed and must therefore be able to notify a registrar.
suggestion: Make abuse contact details mandatory, or disallow a third party;
- issue: A ‘privacy protected’ email address obliges only the hosting provider to reply.
REALISED: Require the real holder to answer a contact request.
Eg at a political party https://www.sidn.nl/whois/?q=ja21.nl.
SIDN has implemented a rule change from October 1, 2023;
- issue: Whois screens are improved for privacy since GDPR.
suggestion: Allow Whois screenshots for financial statements;
- issue: Key case law and expertise must reach the public
suggestion: Describe an informative Whois screen;
- issue: Changes in data are unclear to a holder.
REALISED: Communicate listed data after a change;
- issue: In court decisions, all kinds of spelling mistakes require correction.
issue: Reporting a misspelling gets stuck in process descriptions for registrars.
issue: The direct responsibility of a registrar for its own naming seems too new.
suggestion: SIDN works / communicates towards customer protection through auditing;
- issue: Answering a problem of abuse by support can use name and function.
suggestion: Try to achieve informative ‘abuse’ mail account naming;
- issue: The registrar process and fee information became hidden from the public.
suggestion: Go back to policy of communicating process and rate information;
- issue: I cannot find the ‘Aanvullende Voorwaarden’ for eg a former EU country.
suggestion: Really don’t block the transparency of internet usage.
How can SIDN’s Whois be improved?
suggestion 1-7: Clearer agreement than with general terms and conditions
Choose from six possible purposes, eg: My use of Whois is to verify the identity of a supplier.
(The various purposes are clear, wrote Mrs. mr. C. Ebbers and drs. J. Jansen, 2019-03-01)
A screenshot no longer reveals confidential information after the privacy regulation.
Checking a supplier is not yet common practice.
suggestion 2-7: Clearer explanation of a holder name
Whois information exceeds intellectual property rights. Someone must be in charge. A ‘registrant_trade_name’ is not necessarily a legal entity. A change of registrant requires agreement of both parties. Strictly speaking, a domain with a ‘registrant_trade_name’, or ‘registrant_personal_name’, that does not exist, does not have a holder; a judicial decision can then provide a solution; a typo can be corrected at an early stage.
suggestion 3-7: Clearer about protected information, in relation to the right to view in GDPR
Field checking does not work with the sentence ‘The registrant’s details can be withheld from public view.’ A modeled ‘registrant_protected’ form field is derived from existing data. A ccTLD can still fine-tune a country-specific form.
Citing SIDN: ‘From August 10, 2017, the registration data about each domain name will include contact details for reporting abuse to the registrar. ‘Abuse’ means any form of internet crime. The additional information will soon be available from the Whois on our website. Easy access to abuse contact details will mean that issues involving the domain name can be dealt with more quickly.’
suggestion 4-7: Clearer abuse contact, instead of hiding if not set, which was a step back
nl_NL: Contactgegevens niet beschikbaar -> De registrar geeft zijn contactgegevens niet.
en_US: Contact details are not available -> The registrar does not provide his contact details.
suggestion 5-7: Clearer explanation of an administrative contact
As administrative contact preferably choose the person who manages the administrative affairs. This email address must already be accessible when creating the domain and is preferably from another domain.
suggestion 6-7: Clearer explanation of a technical contact
As technical contact preferably choose the person who can take immediate action in case of a technical issue.
REALISED 7-7: Clearer information in email
Start differently in any email content for ‘admin-c’, ‘admin-t’ and the registrar.
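The checks proposed on this page, written out as a checklist routine over one Whois record (an added example, not SIDN's code or interface): it derives ‘registrant_protected’ from existing data, applies the nominal-registrant rule applicable from October 1, 2023, reports a missing abuse contact, and flags an administrative address inside the audited domain. The record layout, every key other than the registrant_* names, and the sample records are assumptions constructed for illustration.

```python
import re

# registrant_protected / registrant_trade_name / registrant_personal_name are the
# page's field names; all other keys and the record layout are assumed here.

def _norm(name):
    """Compare party names ignoring case, spacing and punctuation."""
    return re.sub(r"[^a-z0-9]+", "", (name or "").casefold())

def derive_registrant_protected(rec):
    """Derived field: protected when no holder name is published."""
    return not (rec.get("registrant_trade_name") or rec.get("registrant_personal_name"))

def audit_record(rec):
    """Return (code, message) findings for one Whois record."""
    findings = []
    holder = rec.get("registrant_trade_name") or rec.get("registrant_personal_name")
    if derive_registrant_protected(rec):
        findings.append(("registrant_protected", "holder name withheld from public view"))
    elif _norm(holder) == _norm(rec.get("registrar")):
        # Registrar as nominal registrant: allowed for its own use, or as a
        # temporary stand-in while the domain has no name servers.
        if rec.get("nameservers"):
            findings.append(("nominal_registrant_active",
                             "registrar is holder and domain is in the DNS; confirm own use"))
        else:
            findings.append(("nominal_registrant_parked", "temporary stand-in, not in the DNS"))
    if not rec.get("abuse_contact"):
        findings.append(("abuse_contact_missing",
                         "The registrar does not provide his contact details."))
    admin_domain = (rec.get("admin_email") or "").casefold().rpartition("@")[2]
    if admin_domain == rec["domain"].casefold():
        findings.append(("admin_email_same_domain",
                         "administrative address is inside the audited domain"))
    return findings

# Constructed sample records, not real Whois data.
SAMPLES = [
    {"domain": "holder-a.example", "registrant_trade_name": "Example Hosting B.V.",
     "registrar": "example hosting bv", "nameservers": ["ns1.dns.example"],
     "abuse_contact": "abuse@dns.example", "admin_email": "admin@holder-a.example"},
    {"domain": "holder-b.example", "registrar": "Registrar X", "nameservers": [],
     "abuse_contact": None, "admin_email": "owner@mail.example"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["domain"], [code for code, _ in audit_record(rec)])
```

A "nominal_registrant_active" finding is a prompt for manual review, since the rule permits a registrar to hold a domain for its own use.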
encore: Analyzable turnover
Renewal of existing domain registrations
Registering of new domains
Transaction revenues domain data (to change to rate zero)
Transaction revenues registrar data (to change to rate zero)
Gross turnover total
-/- Volume discount (to scale down)
-/- Direct debit discount (to phase out)
-/- New registration discount (works great)
-/- Multi-year registration discount (to phase out)
-/- Proper registration rewards (to phase out)
-/- Direct costs
Net turnover total
Note: A comparison with the previous financial year is also useful.