If you are a reader of DotWeekly.com, you know this is not the first time that I have written about the whois domain name database system and how it is broken! The biggest problem is, it’s not getting any better and something needs to be done about it!
Why is the whois system broken? Because domain name registrars allow it to happen! It all starts at domain name registrars and the lack of verification upon an individual creating an account.
No hard evidence is needed to create an account. Nothing to really verify who you really are. This is a problem!
Since you really can be who you want to be when you create an account, that same data is shown in the public whois data records.
This is a problem! Why? The internet is strongly known for fraud. This can come in many ways and I do not need to list the full list of potential things that can happen. When one of these things does happen, the people with knowledge of the whois system nearly instant do a whois query on the specific domain name.
The mind set on the person doing the whois query, is that the data provided is correct! Not always the case.
Blame!
So some type of fraudulent activity has taken place. A whois query is done and displays what the person thinks is valid data in the whois database and puts blame based on this data.
What if that data is YOU but you do not own the domain name? What if the data used in the whois information is YOUR data. Name, mailing address, phone number etc….
Maybe the fraud that took place on the domain name / website is stealing credit card data. According to whois data, people would paint YOU as the person doing it!
What if the domain name in question infringed on trademark laws? Who would be named in the lawsuit? YOU and who would have to pay the legal bills to defend your good name? YOU!
Even though you may not own a specific domain name or have anything to do with emails going out from it, the site that is up or any tactics used with a specific domain name, your details may be associated with it in the domain name owners whois database and paint the picture that it is you!
All 1,100 + domain name registrars need to fix the broken whois system! ICANN.org clearly needs to get involved and put in a verification process. The "who do you want to be" whois system needs to be fixed!
A domain name is like a loaded gun. Domain names are extremely powerful. Put in the wrong hands, a lot of damage can be done and no "real" system is in place to show who REALLY owns it!
I think the verification process needs to be something like this. It can be done. Will it cost money, yes, but it will also lower fraud drastically!
2 or 4 Forms of verification~ (this may need some tweaking, but you get my point)
1.) You must provide a registrar a copy of a Valid State issued Driver Licenses/ State ID. Information would be verified here using a system like this. If it’s a New Sign up, they would need to provide there ID number and last 4 digits of their social security only!
2.) A recent copy (2 months or newer) of a Utility Bill showing your Name, Address, City, State, Zip and Account Number. (Same if you are a business)
3.) A recent copy of a Telephone Bill (land line or cellular) showing your Name, Address, City, State, Zip and the Phone Number for that account. (Random calls will be placed for verification)
4.) The last 4 digits of your social security number.
The Whois would house the information provided once these things were Approved and you would become Verified.
For those who trust whois data currently, you should not be so trusting! Secondly, it is likely, without you even know it, that your data might be in use for domain names you do not own Right Now! I wish there was an easy way for you to check this, but there is not. What would fix it, is a better verification process at registrars and the data to go along with the account that later turns into whois data.
jberryhill
“The last 4 digits of your social security number”
Yes, because only people in the United States register domains. When you figure out an internationally uniform method of identification, let us know.
Jamie Zoch
I hear you John. As I stated, “this may need some tweaking, but you get my point”. Domain names are registered differently as well based on extension, so the verification will likely need to be different based on the country. I can tell you one thing for sure, the current system is broken! How can a person from India, be allowed to input whois data to include a US business address? Something like this should be an easy red flag via IP but currently is not. I know IP’s can be masked as well, but most of the time these people also do not cover all tracks.
Richard
Some kind of DMV like, pre-registration verification is a great idea. Hopefully something like this will be put into play soon, transparency is your friend.
Ross
Yes, because no one can ever steal someone’s identity and use it to register a domain name. Your thought while good natured is seriously flawed.
Not only that but part of free speech is anonymous speech which is what makes the internet great. People always propose new laws and regulations under the guise of protecting the people, example is violent video games being banned in Australia to “protect” the children. It is a slippery slope I’d rather not see the industry go down.
sipbkk
I like the system the way it is – if you want to be semi-anonymous you can. I’m with Ross, I’m not real keen about giving out any information to anyone.
If the registrars want to “verify” someone, a simple postcard to a Snailmail address should be good enough, and should work internationally as well.
Jamie Zoch
I agree it is not fun giving any company a bunch of info about yourself but on the flip side of the coin, what stops somebody from using YOUR data as the data they use in whois? Fraudulent or not, when your contact information is used for a domain name you do not own, by somebody, that is not right.
Choz Eimaj
I don’t think there should be a “Who is” database at all.
If they start requiring ID, utility bills, etc., you’ll see domain sales fall off a cliff, making most of your domain holdings worth less than half of what they are today.
Think before you type up senseless articles such as this one.
Jamie Zoch
@Choz,
There are two sides to every story and you are clearly entitled to your opinion. A whois db is needed IMO and it needs to be that you can not change your whois data to whoever you want to be. I should not be able to just grab “somebodies” contact data and input it into the domain names I own or just “certain domains” and like wise.
Choz Eimaj
@Jaime,
If there was NO whois db, there would NO incorrect data to complain about, no?
Adam Strong
Jamie, While I can see your point on whois being broken, I’m afraid there’s really not a great fix that won’t upset someone else’s apple cart.
I think John has done a great deal of work in this area and it’s been explored in depth by several ICANN constituencies. Remember, you can get involved too through ICANN.
Mark Ford
Personally, I think you’re worrying too much. No one’s going to sue you, let alone win if the domain has nothing to do with you.
Jamie Zoch
@Mark
I hear you but I also want to make people aware of the situation. I also think when it happens to you, one has a stronger feeling about it.
Jeremy
I really don’t think this is a problem. Whois is only one way to identify the owner of the domain, the registrar will have correct billing and contact information if there really is a problem. If that information is fraudulent then it’s a law enforcement issue not a regulatory one. Having incorrect or incomplete whois info is already against the rules and you can lose your domain because of it.
A DMV like system for whois info?? Surely you can’t be serious.
Jodi
“The internet is strongly known for fraud”
PRECISELY. You justified why smart people do NOT put their personal information out on the GLOBAL INTERNET for every spammer and scam artist in Russia and China and elsewhere to feed off of.
When WHOIS becomes private, as a default, then I shall trust my registrar to hold my REAL information.
The REAL problem with WHOIS is the collection and THEFT of the searches performed — thereby allowing people to steal your search and register your domain name idea prior to you finishing up your due-diligence on that name or obtaining funding for purchase or whatever. Its quite obvious that our searches are stolen, sold and registered right from under our noses.
There is a LOT about the domain name industry which needs to become transparent. WHOIS is one of them – yes. Pay Per Click programs and the folks that run them are another.
I could go on and on and on about the lack of transparency in the domain name world. Leave our personal information out of it though.