Towards clear Whois in the .nl zone

‘Whois’ is pronounced as the phrase ‘who is’.

Public Perception
The public perception of Whois auditing may be mixed because it is so common to use False Whois information, not necessarily to cover criminal activity but to avoid the risk of identity theft or maintain privacy. However, in the case of a technical malfunction on the registrant’s website or a Domain Name Hijacking attempt, it is important for the registrant’s contact information to be correct so that they can be informed in a timely manner.

Outcome
More frequent Whois audits can encourage more open behavior in the domain name industry and provide accountability. Hopefully, people concerned about privacy and security will seek additional fee-based privacy or proxy services or sign up with a registrar that provides such services for free instead of risking their domain name by using false Whois information.

See these quotes at: https://icannwiki.org/Whois_Audits_and_Verification

About ‘generic’ and ‘country code’

gTLD: generic top-level domain; ccTLD: country code top-level domain
.nl zone: https://sidn.nl/ – ‘Stichting Internet Domeinregistratie Nederland’
As the registry for a country code top-level domain, the SIDN foundation is relatively autonomous.
Global regulations: https://www.icann.org/resources/pages/gtld-registration-data-specs-en

Using the Whois method to check domain name ownership information
  • With all efforts to really improve input, updates must be legitimate;
  • If a registrant’s name matches, this is not yet a unique identifier. Compare the RSIN – Dutch Fiscal Number for a legal person, and the transition to IBAN – International Bank Account Number;
  • The forms in the SIDN interface process less than ten percent of the input. Transparency and continuous public supervision are important to SIDN and its customers. In this way, the public becomes aware of unexpected data. From the point of view of administrative organization, this acts as a control loop. A domain holder is sensitive to criticism from customers;
  • Correct input forms are not a solution to correct long-standing data;
  • A professional checklist could become routine during the (semi) annual audit;
  • Example of Whois: https://www.sidn.nl/en/whois?q=webhostingtech&lang=en.

How the Whois method can reach the public
  • A radio commercial by SIDN about the holder name was an eye-opener for many. Its text could serve well as a quote;
  • Effective framing of Whois usage, based on the six purposes, may reduce registrar nonsense;
  • A form field expands professionally to provide explanation on https://en.internet.nl/. A screenshot that includes explanation can be a starting point for maintenance;
  • Putting an arrow on a screenshot of SIDN’s Whois can be difficult, because of hidden fields. SIDN’s Whois can easily be improved;
  • The Whois screen can replace hard-to-find web pages about SIDN’s terms and conditions and key case law. This prevents an inadequate mix of aspects on a separate web page;
  • Access to a domain provider’s Whois menu differs from optimal to none. Smooth auditing requires user-friendly public Whois and know-how;
  • The maintenance of Whois data would improve with minimal knowledge on the part of those responsible.

About privacy requirements

In order to improve privacy in the .nl zone, SIDN changed rules on 1st March 2016. If a domain is for ‘private purposes’, then the holder name is hidden by default in Whois. The ‘private purposes’ versus ‘business purposes’ table field was a big step forward, but I think global analysis leads to an improved Whois.

Some ‘business purposes’ transparency issues
  • For a registrant for ‘business purposes’ as compared to ‘private purposes’, privacy is less of a legal issue;
  • For Dutch ‘business purposes’ by proprietorship (Dutch: ‘eenmanszaak’) there is no fiscal RSIN number, no legal person, and often a home address. In terms of standardization, these types of specific situations do not fit into a data structure;
  • For a natural person, use of ‘business purposes’ in order to show the holder’s name is a messy workaround. Enabling display of a natural person’s name is outside my menu at my domain provider;
  • ICANN and the EU lawyers could discuss a new field called ‘Public Visibility’, which includes layered / tiered access for the privacy of a natural person. Furthermore, showing fields with a hidden value is then no longer necessary;
    10 Holder Name hidden; Street Address hidden (default)
    20 Holder Name visible; Street Address hidden
    30 Holder Name visible; Street Address visible
  • Transparency and the reporting of a data leak may in the future require the real ‘business purposes’ holder name, which is mandatory in some zones;
  • When the name of a hosting provider is listed as the holder, the real holder is no longer visible; this is just a click away and is called privacy protection;
  • Manually forwarding email to the real domain holder slows down the handling of an issue. This delay could become part of regulation;
  • To enforce compliance, the only possible sanction of removal will often harm the public interest and thus be unacceptable to a court;
  • In the EU, customer protection authorities may sanction in addition to already functioning data protection authorities.

Four kinds of Whois email contacts for gTLD

See e.g. https://domain-contact.org; Contact you would like to send a message to: Owner, Admin, Tech or Billing.

The analyzed six legal Whois purposes for gTLD
gTLD Registration Directory Services and the GDPR
Part 1 (Hamilton law firm, 16th October 2017)

(i) The use of Whois data, for instance by registrars and network operators, for invoicing, support and other administration actions in relation to registered domain names.
(ii) The use of Whois data for safeguarding the rights of registrants, for instance by retention of the data in escrow with escrow agents, for recovery in the event of e.g. a distressed registrar or registry or failure by a registrar or registry to fulfill its obligations.
(iii) The use of Whois data by law enforcement agencies to investigate and counter serious crime, terrorism, fraud, consumer deception, intellectual property violations or other violations of law.
(iv) The use of Whois data by intellectual property rights holders to investigate intellectual property rights infringements.
(v) The use of Whois data by the general public to verify the identity of a provider of goods or services on the internet, including for consumer protection purposes.
(vi) The use of Whois data to identify the owner of a domain for business purposes, for instance in relation to a purchase of the domain name or other transactions.

How SIDN’s Whois can be improved
1-7 Clearer agreement than with general terms and conditions

Only choose from six possible purposes, e.g.: My use of Whois is to verify the identity of a supplier. The various purposes are clear, wrote Mrs. mr. C. Ebbers and drs. J. Jansen, 2019-03-01. Checking a supplier is not yet common practice.

2-7 Clearer explanation of a holder name

Whois information exceeds intellectual property rights. Someone must be in charge. A ‘business purposes’ registrant is not necessarily a legal entity. A change of registrant requires agreement of both parties. Strictly speaking, a domain with a registrant name that does not exist does not have an owner; a court decision can then provide a solution; a typo can be corrected at an early stage.

3-7 Clearer about hidden information, in relation to the right to view in GDPR / AVG

Over time, a ‘Public Visibility’ form field can grow into a table field instead of country-specific table fields. Then a ccTLD can still fine-tune with a country-specific input form. SIDN could lead the way with the introduction of such a form field with three possible values, derived from existing table fields at SIDN.
nl_NL:
houdernaam verborgen; straatadres verborgen
houdernaam zichtbaar; straatadres verborgen
houdernaam zichtbaar; straatadres zichtbaar
en_US:
Holder Name hidden; Street Address hidden
Holder Name visible; Street Address hidden
Holder Name visible; Street Address visible

quote SIDN: ‘From August 10, 2017, the registration data about each domain name will include contact details for reporting abuse to the registrar. ‘Abuse’ means any form of internet crime. The additional information will soon be available from the Whois on our website. Easy access to abuse contact details will mean that issues involving the domain name can be dealt with more quickly.’

4-7 Clearer abuse contact, instead of hiding if not set, which was a step back

nl: Contactgegevens niet beschikbaar -> Optioneel voor een Registrar
en: Contact details are not available -> Optional for a Registrar
Note: SIDN may consider showing Registrant and Registrar data separately.

5-7 Clearer explanation of an administrative contact

As administrative contact preferably choose the person who manages the administrative affairs. This email address must already be accessible when creating the domain and preferably belongs to another domain.

6-7 Clearer explanation of a technical contact

As technical contact preferably choose the person who can take immediate action in case of a technical issue.

7-7 Clearer email really needs to be informative to a responsible person

Additional information would help to clarify.