It’s been tough adjusting to less Whois data.
It’s been about 6 months since the European Union’s General Data Protection Regulation (GDPR) went into effect and many registrars obscured Whois records as a result. Here are some of the practical implications this has had for me personally as someone covering the domain business for DNW and as a domain investor.
Verifying domain ownership is more difficult
I’ve had several instances this year when I needed to verify who owned a domain name for a transaction and had difficulty doing so. In one case, a friend was buying a domain and wanted to verify that the person who previously owned it still did before doing the transaction. The registrar had masked Whois. I was able to find a recent public record showing the owner.
In another case, someone wanted to buy a domain and was at an impasse because the Whois record was masked and the domain didn’t resolve. There were no public Whois records so the potential transaction died.
Finally, I helped a friend who was trying to track down a domain owner. There was an active site but the owner didn’t identify himself on the site. There were some old Whois records but the most recent ones had info for a disconnected phone number and an email that bounced. Finally, by going further back in historical Whois records I was able to find a name and track the person down using other databases.
While historical Whois records from services like DomainTools help in some cases, the value of these records is degrading every day as new masked records are added.
It’s harder for people to reach out to me via whois
There are good reasons people reach out to me using Whois (want to buy a domain) and bad reasons (spam).
Fortunately, GoDaddy still displays contact info via web-based Whois. This has helped facilitate transactions this year. Most of my domains are at GoDaddy but it’s possible I’ve missed inquiries on domains at other registrars.
Finding domains for end-user sales reports is challenging
It’s a lot harder to find end user sales to report in my weekly end user reports. I can only find a handful each week based on Whois records so I have to dig deeper and hope that sites are already being developed. This means fewer names on the list.
thelegendaryjp says
Amen
Mansour says
Since I am a reseller of Tucows registrar and also a domain investor who owns over 2,300 domain names for the past 16 years, I can give you a larger picture on the effect of my registrar’s implementation of GDPR. Prior to the implementation, I have sold 18 premium domain names, one of them 0007.com, which sold for $172,000 to a Chinese buyer.
I have expected that the secondary market would collapse after May 25, 2018. At that time I sold many of my domain names cheap to meet the deadline. Now I have realized that after the implementation of GDPR, the prices I got before, I cannot get today. This leads me to believe that the value of the domain names is in decline. After May 25, there was a 65% increase of customers transferring their domain names to registrars who do not implement GDPR.
I have not sold one domain name since then until now. There is a drop of 97% of inquiries on domain names that I own. Sedo and 4.cn refuse to list my domain names for sale, since they cannot verify ownership.
The spam I am receiving on my main websites has increased by 10,000%. Technical support for my customers has increased 15 fold since many have forgotten which registration company they have registered their domain name with.
Expiring domain names are 50% more than normal.
All in all, I believe this rule is disastrous and it did not help anybody, but special interest groups.
I reached out to Tucows and I was promised that in the very near future there would be a way for domain owners to opt in to GDPR. I am still waiting and hoping.
Charles Christopher says
Rumors via “the grape vine” suggest thefts have increased as well. But how do you prove it and defend it when you no longer have proof of registration? Thus the issue disappears into the fog, where yesteryear you could just point to a whois record for everyone else to see and confirm.
This has been a very effective way to damage the secondary market.
It would seem that placing one’s whois on the landing page itself, with a snapshot at Archive.org, might be a good defense.
Andrew Allemann says
You can make an argument that thefts will actually decrease. Thieves use Whois to find out the email address they need to hack or use at the registrar.
Charles Christopher says
Mine was factual conversations.
Did everyone change their email addresses, or are the DomainTools email whois snapshots still valid?
And that is the asymmetry of it. The emails are still valid, but the proof of registration is not.
Maybe in 5 or 10 years that argument might have some validity. However I have not changed my email addresses in almost 20 years.
Natsu says
How selfish you are? This article is just laughable. You prioritise your small problems and you don’t understand why private data must be hidden on whois? The day someone will menace your family because he found your house using, directly or indirectly, the whois records, maybe you will understand how this article is nonsense.
Charles Christopher says
>The day someone will menace your family
How does that happen?
Privacy whois seemed to be working just fine for 16 years. Many registrars had it enabled by default. I still recall when it first started and we were all waiting to see what ICANN would say thinking ICANN would refuse to allow it. They were just fine with it. Because for 16 years THAT was the functioning solution that you are in effect claiming never was solved until GDPR.
GDPR added NOTHING to whois privacy.
What fascinates me from the beginning is how people have generally ignored privacy whois’s role. For some reason the entire planet said let’s just throw everything out and start over.
All GDPR has done is provided cover for miscreants, and that is not what we want. Non miscreants already had privacy whois, which is why there were no whois complaints of LACK OF PRIVACY.
Andrew Allemann says
I don’t prioritize anything in this article. I’m just stating how it has impacted me. There are certainly some benefits to it as well.
That said, Whois proxy services have been around for nearly two decades, so anyone who wants privacy could easily get it.
Dude says
So a domain squatter has problems with his business due to GDPR. I am Joe’s complete lack of concern.
Charles Christopher says
You are absolutely right. So next up we need to shut down the entire commodities market.
Why?
Because if you have no intention of eating the bacon that comes with the contract you just bought then you have no right to own a contract for delivery of that bacon (aka pork bellies). You are a bacon squatter and we can’t have that can we?
And after that market gets shut down too, please get back to us regarding the price of the next package of bacon you purchase. Because there are no more intermediaries willing to accept market risk.
After GDPR stabilizes in the domain secondary market, just watch how much it costs you to purchase a domain name … Because now there is a website with traffic on it and your cost will cover more than just the domain name.
Just like buying land with no intention of building on it. You MUST build on it to own it. So if you want someone else’s land now you get to pay for the building too.
We lose, and so will you … Eventually.
That is what happens when a free market is no longer free … And there is a name for that …
Domaining.pro says
Sorry, I can’t help it: https://gdpr.sucks/
C.S. Watch says
The security issue is absolutely important, and startups with two domains shouldn’t have to pay 150/yr or so for a remote mailbox as domainers have always done.
Whois privacy is a minuscule expense for the registrar, and so is forwarding via an anonymized Whois email address, à la Craigslist. It must be mandatory that registrars provide these options to customers at cost–that’s how the US rises to GDPR.
Registrars are cultivating a hostage situation on the down low, piling on fees and forcing brokerage commissions. Domain investors are equipped to protect themselves via hosted pages and mail handlers, but non-professionals aren’t. Further, it is completely inane that taxpayers, courts, and parties are made to suffer just because a gouging registrar stands in the way of C&D emails autoforwarding to registrants.
Charles Christopher says
Why do you blame registrars here?
GDPR is a regulation from unelected bureaucrats, that ICANN with half a billion dollars in the bank refuses to comment on or defend registrants’ right to proof of ownership data.
The blame needs to be placed on the EU for their absurd regulation applied to domain names, and the ICANN for ignoring administrative laws in one country do not apply outside their border, and the US gov (and other govs around the world) not getting involved also supporting their domain registrants.
This will become more obvious once a major company’s domain name gets stolen and gets taken on a ride through a few registrars in a very short period of time. Sadly, I doubt GDPR will be pointed out as the cause, new administrative laws will then be put in effect and make the problem worse.
Again, GDPR provides bad actors far more protection than it provides good actors who have had privacy whois for 16 years. Governments LOVE chaos, it helps justify their existence and growth (read: taxes).
C.S. Watch says
Registrars should never have been allowed to charge for privacy—the common weal was never going to allow a registrar’s upselltunity to override personal safety. Enter GDPR. So now we offer workarounds or we GTFO.
Your response to Natsu’s personal safety risk comment above was ‘how does that happen.’ Not everyone knows how to protect themselves online. I’ve seen my doctor try to send an email from the Google search field. And should your kid be forced to post her home address on the front of her lemonade stand unless she ponies up? Of course not. Default registration should come with privacy and anonymized Whois email forwarding—we’ve all gotten these gratis for decades.
For verification concerns, Registrants have always been able to log in and trigger an email from the registrar bearing the EPP, what if we could log in and trigger an email from the registrar to a third-party, bearing our domain’s Whois registrant data?
Charles Christopher says
>Registrars should never have been allowed to charge for privacy
I know many registrars that never charged for privacy whois. This is not an issue, anybody being “extorted” for privacy whois fees could have selected another registrar.
>Not everyone knows how to protect themselves online.
Your response is unrelated to whois. Not to mention registrants now can’t protect their ownership since they now CAN’T opt to have their whois public.
And GDPR changes nothing when it comes to people entering data they should not in places they should not.
For those that want others to protect them from themselves so be it. Some of us like accepting responsibility for ourselves, and I know this is a dying position for one to take these days.
>Registrants have always been able to log in and trigger an email from the registrar bearing the EPP
Registrants have not, and still may not in some cases, trigger an auth code email. Further, GDPR’s effect on this is not helpful.
Let’s return to the days of RegFly. I had a custom app monitoring the whois on all of my domains. Twice the whois of my domains changed to a record suggesting ownership by a student in a university. Twice I called them on the phone to immediately correct the whois. After the second time I posted on DomainState telling everyone what was going on and suggested everyone transfer their domains out as I was doing. Then:
https://www.theregister.co.uk/2007/03/03/icann_registerfly_domain/
This eventually led me to become a registrar as it was clear that was the only way to protect my domain names. RegFly is not the only registrar that has tried to steal my domains. Yes, registrars DO steal their customers’ domain names.
Now GDPR makes it impossible to detect such changes, be it the registrar attempting theft, or a third party that got into one’s admin account.
Far better to have public whois breadcrumbs than total opaque history and be left trying to prove the impossible.
For those who have actual experience of domain theft the view is very different than those for whom this is their future.
I have also helped others in the recovery of domains from time to time. I can tell you from experience, the average registrant has no clue how easy it can be to steal a domain name. And GDPR has made it a lot easier.
Charles Christopher says
After more thought I will speak directly to your concerns of the illusion of privacy.
A friend is a hunter and was hunting on private lands. To do this he obviously had to contact the owners when he saw opportunities. He was at my house and pulled out his phone and started up an app he was paying $30 (from memory) a month to have access to. The app showed my neighborhood with lines on the boundaries and the name of the owner inside the boundary. Touch the name and more detailed info came up to contact the owner. The app pulls public data from county recorders offices.
Some time ago on CircleID Vint Cerf made comments similar to yours, about how only law enforcement had access to private info based on license plates. Then he included his license plate in the post. Within a few minutes I posted the beginning and end of his car’s VIN, and the model Tesla it was for. He emailed me one line: “That is depressing”.
I have 2 phone numbers, one that is public and one that I don’t give out and it never received solicitors or errant texts. Then a couple months after the Experian break in released data on virtually everyone in the US suddenly my private number gets unwanted callers and texts.
Then there is USPS who in its infinite wisdom and “Informed Delivery”, a service that emails you an image of each mail piece that will be delivered to your mailbox the next day. I read this article in regards to identity thieves using the service to gain further access to the victim’s accounts. The thief signs up for the service, sees a bank statement will be delivered the next day, and then steals it just after delivery. Most people unaware of this USPS “service” get nailed for many accounts before they realize what is happening. The stolen Experian data likely makes this USPS service even more useful.
Then there is Google using credit card company backend data to match online and in store sales for advertising customers.
I believe GDPR covers all of the above cases. Hasn’t helped much has it?
Adolfo says
ICANN is currently taking comments regarding changes in GDPR and how to handle personal information.
https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-initial-2018-11-21-en
In my opinion we should have the right to decide whether our data is displayed publicly or not, but it seems that this option is not even thought of!
The fact that all information is systematically hidden, in my opinion, is also against what the internet is all about.
Information control is also a means to obtain power. Someone will benefit from this. Still unsure who, though.