On Fri, 18 Jul 2025 19:39:47 +0000, David Conrad via NANOG wrote:

IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.

Not a lawyer either but a European citizen. Gee, I did not know that I carried my shiny GDPR armor when I lived in the US - so many missed opportunities to sue companies! ;-) Seriously, the "regardless of where they're located" is true for the companies when you do business with someone _in_ the EU. Btw, it's not just EU citizen but also residents of the EU (!). I found this explanation: https://gdpr.eu/companies-outside-of-europe/

Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.

I doubt the citizenship matters. It's your address, i.e. your residency. But yeah, opting for less information to stay on the safe side is a likely outcome of GDPR. For GoDaddy.com, when I typed it in my browser I got the https://www.godaddy.com/es-es page as I'm in Spain. With prices in Euro. Which fits the example the gdpr.eu page above mentions. Still, another detail that favors the big companies and creates risks for the small ones. Should have studied law, I guess. Regards, Marc

...

yeah, opting for less information to stay on the safe side is a likely outcome of GDPR. It's referred to as the 'Brussels Effect' , or 'California Effect'.

When certain types of regulation apply in a very large market, most companies just apply those rules to their entire business operation,

Businesses usually want to implement the same standards everywhere they operate, But they don't If the standard is economically detrimental to overcome inertia. California has something akin to the FTC's failed click to cancel rule, and there are websites which have the "easy" online cancel button only available to subscribers who claimed to be a resident of that state, and those in other states have the difficult cancel button. I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness. It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent. And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules. -- -JA

Jay, On Jul 19, 2025, at 9:15 AM, Jay Acuna via NANOG <nanog@lists.nanog.org> wrote:

I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness.

ICANN is a bit odd in that it is a private entity responsible for a global resource that folks all over the world have to use if they want to use the public Internet. I believe one could say GDPR is “controlling” because ICANN’s "contracted parties" (gTLD registries and ICANN accredited registrars) and the larger community operate and live in areas in which GDPR is the law of the land. I think it fair to say ICANN (both organization and community) failed to take GDPR seriously prior to it going into effect, but that's water under the bridge long ago.

It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule

You may be unaware how ICANN works (using the term loosely). ICANN is not a government or treaty organization. ICANN (the organization) has what powers it has by private contract. It can’t unilaterally impose new contractual obligations to existing contracts. To add new obligations, it must negotiate with the contracted parties, in many cases involving (or being driven by) the larger community. For reference, the most recent amendments to the Registrar Accreditation Agreement took about 10 years to negotiate and get put into force.

requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent.

And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules.

And Registrars, particularly European ones, would agree to these terms because…? (And that’s not even taking into consideration the concerns of government representatives like those from the EU and privacy advocates within the community that would surely weigh in heavily if a policy along these lines ever came up). To be clear, I’m not trying to defend ICANN here, just trying to provide information as to why things are the way they are. Regards, -drc

IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.

GDPR applies to any data collector, processor, or subject of data collection , if any of those activities occur inside of the EU. **Citizenship or residence is not a factor.** For example, an American visiting an EU country is just as covered as a citizen of that country. If the data collector, processor and subject are solely outside of the EU, then GDPR *PROBABLY* does not apply. There are many edge cases here though. But the key takeaway is that the citizenship or residence of the data subject DOES NOT MATTER with respect to GDPR applicability. On Fri, Jul 18, 2025 at 3:40 PM David Conrad via NANOG < nanog@lists.nanog.org> wrote:

Hi,

On Jul 17, 2025, at 2:43 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:

...

First, this seems like awfully short notice. Second, although I remember reading something about this a month ago having to do with GDPR, I didn’t realize it would result in the deletion of existing data in North America.

IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located. So if an EU citizen happens to be the registrant/contact for a domain registered anywhere in the world (including in the US), the data holder (i.e., the registrar) would, in theory, be liable for misuse of that data to the tune of “up to €20 million or 4% of the company’s global annual turnover from the preceding financial year, whichever is higher.” Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.

...

For domains I manage, I have an opportunity, however brief, to collect this information for future use. However, I’m surprised that this is happening to domains registered in North America. I would think it would conflict with ICANN requirements.

I see you, like any sane person, are blissfully unaware of the ongoing frenetic and kafkaesque events at ICANN since GDPR went into force in May 2018. In short, ICANN continues to require registrars to collect registrant information, however that information is (largely) unavailable to the public. Since the “temporary specification” (temp spec) was put in place shortly after GDPR went into effect, fields in Whois (now RDAP) that can contain PII must be redacted. ICANN did create a system to allow for requests of the redacted data (see https://www.icann.org/rdrs-en), but let’s just say opinions vary on its usefulness.

I suspect GoDaddy will probably argue that they have taken this step to try to minimize their liability exposure as a data holder — if the registry doesn’t require the data, the safest approach is obviously not to collect it. I believe this fits within ICANN’s requirements. Oh, and you, as a member of the public, will still be unable to see that data (law enforcement may be able to see it if they ask and/or they have a court order).

...

Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-)

My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless.

Regards, -drc

_______________________________________________ NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/LCEN6OBF...

Barry, On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote:

...

My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...). However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much. Regards, -drc

Cloudflare and Namecheap default to privacy, and don't charge for it. -----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information

On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG <nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.

David, Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for. It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota. I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR! -mel via cell

Barry,

...

On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:

...

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

...

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....

...

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.

Regards, -drc

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK...

So, 2 out of 2400. “Two, if not all”. LOL! -mel via cell

On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:

None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.

...

On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:

Cloudflare and Namecheap default to privacy, and don't charge for it.

-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information

...

On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.

David,

Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.

It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.

I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!

-mel via cell

...

Barry,

...

...

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy

On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

...

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .

...

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.

Regards, -drc

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>

---

NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX...

Network Solutions only offers free domain privacy if you buy one of their packages. -mel via cell

On Jul 19, 2025, at 5:09 PM, Gary Sparkes <gary@kisaracorporation.com> wrote:

Hey, I was just providing two major examples!

Google, Gandi, Godaddy, Porkbun, NameSilo (provided free, not sure if enabled by default), Network Solutions (not by default as far as I recall, but free still), etc... I can't think of a registrar that *doesn't* do it anymore since the advent of GDPR

Etc etc.....

-----Original Message----- From: Mel Beckman <mel@beckman.org> Sent: Saturday, July 19, 2025 8:05 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; Gary Sparkes <gary@kisaracorporation.com>; Dorn Hetzel <dorn@hetzel.org>; nanog@lists.nanog.org Subject: Re: GoDaddy deleting most ancillary registration contact information

So, 2 out of 2400. “Two, if not all”. LOL!

-mel via cell

...

On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:

None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.

...

On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:

Cloudflare and Namecheap default to privacy, and don't charge for it.

-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information

...

On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.

David,

Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.

It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.

I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!

-mel via cell

...

Barry,

...

...

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically:

On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

...

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-ica nn-against-german-domain-registrar-highlights ).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registra tion-Data-Accuracy-March-2024.pdf .

...

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-mali ciously-registered-domains-08nov24-en.pdf, but that probably doesn’t help that much.

Regards, -drc

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>

---

NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/V FIPBHSKZYDFMKRT5RRMPCGMIESCXUZ6/ _______________________________________________ NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/E X7HBCA5RDMPXEZ3R4RSOWU33RS242AD/

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2 JC46XX6B4TOLBK5LDBFKK63LCJMRCL/

I believe the majority of registrars are used for drop catching, so many of those 2400 are associated with around 200 registrar “families” (last I looked, it’s sort of hard to be exact since families aren’t official). If you peruse https://www.icann.org/en/contracted-parties/accredited-registrars/list-of-ac... you’ll see obvious signs of affiliated companies (e.g., look at “namepal” to pick one example). It might be more useful to look at the market share of the registrars and see which of those registrars default to “redacted for privacy”. However, this feels like hair splitting to me. If you don’t like the term “most, if not all”, how about “lots”? Not sure where you’re going with this. You were the one who raised the question of potential operational impact of GoDaddy’s action and I’ve been trying to point out that yes, there is non-trivial impact and how we got here. YMMV. Regards, -drc

On Jul 19, 2025, at 5:04 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:

So, 2 out of 2400. “Two, if not all”. LOL!

-mel via cell

...

On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:

None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.

...

On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:

Cloudflare and Namecheap default to privacy, and don't charge for it.

-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information

...

On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.

David,

Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.

It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.

I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!

-mel via cell

...

Barry,

...

...

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy

On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

...

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .

...

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.

Regards, -drc

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>

---

NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX...

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/3JK2HBDK...

On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote:

It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.

They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://www.dnib.com/articles/interisle-report-examines-domain-name-contact-... which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper: "Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.” Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears: Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes onamae.com and z.com, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains (I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey) Translating that to operational impact, according to the first line of the dnib.com paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.

Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)

Ironically, the original aphorism was “the plural of anecdote is data” (see https://web.archive.org/web/20080523225000/http://listserv.linguistlist.org/cgi-bin/wa?A2=ind0407a&L=ads-l&P=8874). Regards, -drc

"Hard cases make good Law." RonY Sent from my iPhone

On Jul 21, 2025, at 4:03 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:

David,

Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”.

Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN!

-mel

On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote:

On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.

They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dnib.com_articles_interisle-2Dreport-2Dexamines-2Ddomain-2Dname-2Dcontact-2Ddata-2Davailability&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=HNhAt6Xw9R20rk1Pj0Tj-ITXDLXG90K7EXYZiuBTWTY&e= which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper:

"Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.”

Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears:

Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes https://urldefense.proofpoint.com/v2/url?u=http-3A__onamae.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=uoaC7ef9fHZuYnOyn_w5D7ieZzQ-MCyy9ga_QBVpsHc&e= and https://urldefense.proofpoint.com/v2/url?u=http-3A__z.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=MRl6alNNS_i0U5Bq8CXDNH4qCDW0qv4u9c5QR78WyuY&e=, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains

(I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey)

Translating that to operational impact, according to the first line of the https://urldefense.proofpoint.com/v2/url?u=http-3A__dnib.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=5ZsrGJY45ZbllizLyKjX1emApZIBr1LeQ-TuDxc_TNY&e= paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.

Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)

Ironically, the original aphorism was “the plural of anecdote is data” (see https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20080523225000_http-3A__listserv.linguistlist.org_cgi-2Dbin_wa-3FA2-3Dind0407a-26L-3Dads-2Dl-26P-3D8874&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=QkUD_G-cq1lqEdKXDmHSbmGs-glweWBR0jxpODvg1Eg&e=).

Regards, -drc

<https://urldefense.proofpoint.com/v2/url?u=http-3A__signature.asc&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=8ENcEhGfP9eqIBumbAp1m6lHbRhFJKyQd-ZhwY5jZio&e=> _______________________________________________ NANOG mailing list https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_FLKJDDSLRNAOCMQCVRQ5YBG4LFHJ6TBA_&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=BjYFzTJZ8A6LT08zu-r8Jv2bTgdC9gbao7YG4PD-cBw&e=

Jonathan Kalbfeld office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662 ThoughtWave Technologies, Inc. Studio City, CA 91604 https://thoughtwave.com View our network at https://bgp.he.net/AS54380 +1 844 42-LINUX

On Jul 21, 2025 at 5:17 PM, jonathan via NANOG <nanog@lists.nanog.org> wrote:

Hey are you related to Jonah?

Jonathan Kalbfeld

office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662

ThoughtWave Technologies, Inc. Studio City, CA 91604

https://thoughtwave.com

View our network at

https://bgp.he.net/AS54380

+1 844 42-LINUX

...

On Jul 21, 2025 at 2:41 PM, Ron Yokubaitis via NANOG <nanog@lists.nanog.org> wrote:

"Hard cases make good Law."

RonY Sent from my iPhone

...

On Jul 21, 2025, at 4:03 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:

David,

Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”.

Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN!

-mel

On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote:

On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.

They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dnib.com_articles_interisle-2Dreport-2Dexamines-2Ddomain-2Dname-2Dcontact-2Ddata-2Davailability&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=HNhAt6Xw9R20rk1Pj0Tj-ITXDLXG90K7EXYZiuBTWTY&e= which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper:

"Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.”

Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears:

Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes https://urldefense.proofpoint.com/v2/url?u=http-3A__onamae.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=uoaC7ef9fHZuYnOyn_w5D7ieZzQ-MCyy9ga_QBVpsHc&e= and https://urldefense.proofpoint.com/v2/url?u=http-3A__z.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=MRl6alNNS_i0U5Bq8CXDNH4qCDW0qv4u9c5QR78WyuY&e=, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains

(I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey)

Translating that to operational impact, according to the first line of the https://urldefense.proofpoint.com/v2/url?u=http-3A__dnib.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=5ZsrGJY45ZbllizLyKjX1emApZIBr1LeQ-TuDxc_TNY&e= paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.

Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)

Ironically, the original aphorism was “the plural of anecdote is data” (see https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20080523225000_http-3A__listserv.linguistlist.org_cgi-2Dbin_wa-3FA2-3Dind0407a-26L-3Dads-2Dl-26P-3D8874&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=QkUD_G-cq1lqEdKXDmHSbmGs-glweWBR0jxpODvg1Eg&e=).

Regards, -drc

<https://urldefense.proofpoint.com/v2/url?u=http-3A__signature.asc&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=8ENcEhGfP9eqIBumbAp1m6lHbRhFJKyQd-ZhwY5jZio&e=> _______________________________________________ NANOG mailing list https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_FLKJDDSLRNAOCMQCVRQ5YBG4LFHJ6TBA_&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=BjYFzTJZ8A6LT08zu-r8Jv2bTgdC9gbao7YG4PD-cBw&e=

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EMJ5I5QA...

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/B4BDSKKC...

On Jul 21, 2025, at 5:02 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: ... Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! Rather unlikely to occur, as organizations using ARIN’s registry services are informed that they are public in nature – as benefitting their role in supporting global Internet operations – and take appropriate precautions when collecting and entering personally identifiable information (e.g. personal phones numbers, email address, residential home addresses); more specifically, organizations are to either obtain consent of the individual or use a more appropriate form of contact information (e.g. business number, business email, business street address.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers P.S. This is all covered in ARIN’s privacy policy <https://www.arin.net/about/privacy/>; excerpts from relevant section(s): ARIN collects several types of information through the use of our Websites, Services, and related interactions with individuals: “Personal Data” is information that can be used to identify an individual, such as their given name, postal address, telephone number, fax numbers, or email addresses. … Note that some of these ARIN Services (e.g. our public mailing lists, public wikis, or other public forums, participation in our public meetings, etc.) make the information that you provide public and therefore you are responsible for careful consideration of whether to use these Services. “Organizational Data” is information supplied to ARIN that pertains to the organizations that are authorized to use our Services. The primary data elements that ARIN collects in the normal course of its activities are routine business contact information – organization name, street address, and organizational contact information (i.e. department name or other point of contact in the organization, including business email address and telephone number.) Organizations should only provide Personal Data (of their staff, customers, or others) to ARIN with the consent of the affected individuals, as organizations supplying such information to ARIN are responsible for its ongoing accurate maintenance. … Note that many of ARIN’s Services are registry services or discussion forums that by their inherent nature involve the publication of information either publicly or to an identified community in accordance with specific policies of the registry.

Christoper - As I understand the proposed APNIC policy, it only removes the contact information objects from the Bulk whois dataset - With the exception of abuse contact information, APNIC should remove address, phone, fax-no, e-mail, and notify fields (the Contact Information) from Org, IRT, and role objects in the Bulk Access dataset. Hence the title in the policy text reading "prop-162-v003: WHOIS Privacy for Bulk Access”, and the policy Objective as follows - 2. Objective of policy change ----------------------------- This policy will eliminate the unnecessary distribution and retention of APNIC member organisation contact information by third parties. APNIC systems will become the only source of obtaining address, phone, fax-no, e-mail, and notify data for APNIC members. This policy change will not prevent APNIC members or other authorised users of APNIC WHOIS from obtaining contact information for network resources in either ad-hoc or automated queries. FYI, /John John Curran President and CEO American Registry for Internet Numbers On Jul 21, 2025, at 8:24 PM, Christopher Hawker <chris@thesysadmin.au> wrote: The APAC community has APNIC Prop-162 WHOIS Privacy up for discussion, which effectively makes person objects in WHOIS redundant. https://www.apnic.net/community/policy/proposals/prop-162/ The idea is to remove (or hide) all PII from WHOIS, as well as other unnecessary information such as street addresses, fax numbers, etc. Regards, Christopher Hawker Sent from my iPhone On 22 Jul 2025, at 8:50 am, John Curran via NANOG <nanog@lists.nanog.org> wrote: On Jul 21, 2025, at 5:02 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: ... Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! Rather unlikely to occur, as organizations using ARIN’s registry services are informed that they are public in nature – as benefitting their role in supporting global Internet operations – and take appropriate precautions when collecting and entering personally identifiable information (e.g. personal phones numbers, email address, residential home addresses); more specifically, organizations are to either obtain consent of the individual or use a more appropriate form of contact information (e.g. business number, business email, business street address.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers P.S. This is all covered in ARIN’s privacy policy <https://www.arin.net/about/privacy/>; excerpts from relevant section(s): ARIN collects several types of information through the use of our Websites, Services, and related interactions with individuals: “Personal Data” is information that can be used to identify an individual, such as their given name, postal address, telephone number, fax numbers, or email addresses. … Note that some of these ARIN Services (e.g. our public mailing lists, public wikis, or other public forums, participation in our public meetings, etc.) make the information that you provide public and therefore you are responsible for careful consideration of whether to use these Services. “Organizational Data” is information supplied to ARIN that pertains to the organizations that are authorized to use our Services. The primary data elements that ARIN collects in the normal course of its activities are routine business contact information – organization name, street address, and organizational contact information (i.e. department name or other point of contact in the organization, including business email address and telephone number.) Organizations should only provide Personal Data (of their staff, customers, or others) to ARIN with the consent of the affected individuals, as organizations supplying such information to ARIN are responsible for its ongoing accurate maintenance. … Note that many of ARIN’s Services are registry services or discussion forums that by their inherent nature involve the publication of information either publicly or to an identified community in accordance with specific policies of the registry. _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CCUXPE2M...

On Sat, Jul 19, 2025 at 6:46 PM Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:

None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never

I'd suggest one of the problems is the registry's failure to distinguish between a domain to be managed by a network operator or a business/organization properly for conducting commerce, such as selling products, or soliciting payments, through the online presence attached to their domain; Versus a domain used and owned by an individual for personal usage; such as a personal blog, or personal email box. Personal domains should merit privacy, I would think, and there should be a means of displaying the hosting provider or network operator's contacts in WHOIS, instead of the registrant's home information for a personal domain. To avoid exposing their home address and other such personal info. But for a business: there should be no "Privacy", and the registration ought to list contacts at their office or place of business. Which also are not subject to GPDR protections, since they are the Information for a business and not a person's personal details. For example; If I find the online website of a business considering to do business with them, then I expect to find verifiable business Information in WHOIS, and it is necessary information to help confirm the legitimacy of an ecommerce website or commercial email message. A WHOIS indication on the business domain showing masked details or missing information would be a strong indicator that the domain is used by scammers, phishers, etc. You ought to always be able to WHOIS a business domain and see the purported administrative business contact details for their network or company.

Personally, it feels skanky to do it, but I guess that's just one opinion. -- -JA

There are two ways to use the Internet: one is to be very open with your identity (you are Dom Hetzel, and a quick Google search finds where you work and a picture of your face, unless that's a different Dom Hetzel) and the other is to be secretive about your identity (I am (currently) "immibis" (and you only see that in the headers) - that seems like some random letters and not a real person's name. Do I even have a face?). There's not really an in-between option. There's no "not skanky but also not publishing my full name and address to the whole world". Some people seem to default to the former and some to the latter. Possibly based on getting burned in the past or seeing others get burned. Possibly a generational gap. You mentioned your domain has been around for a very long time. I heard there was once a time on the Internet when strangers were generally trustworthy. My registrar knows my real name and address, but it's not published in WHOIS since they (like most registrars one might use for a personal website) offer free WHOIS privacy. I'm not going out of my way to buy a domain from a shady registrar with Bitcoin, but I'm also only giving my personal info to trustworthy companies and not the entire Internet. I presume there are at least one or two things you ever thought about putting on your personal domain, but didn't because the whole world would be able to associate it with your full name and address. On 20 July 2025 1:46:09 am GMT+02:00, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:

None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.

On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:

...

Cloudflare and Namecheap default to privacy, and don't charge for it.

-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information

...

On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.

David,

Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.

It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.

I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!

-mel via cell

...

Barry,

...

...

On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy

On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.

I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.

...

Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.

As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .

...

This seems like an admission that this policy was not enforced.

Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.

Regards, -drc

_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>

---

NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list

https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...

---

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX...

On July 19, 2025 at 21:03 nanog@lists.nanog.org (David Conrad via NANOG) wrote:

...

Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?

AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).

However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....

People wonder why ICANN's overhead / operating cost is so high but then one has to wrap their heads around contract enforcement in roughly 200 countries...Basically that's much of what ICANN is, a global web of contracts. Looking at that link does bring up a pet peeve though. There're no references to any other policy documents, particularly models external to ICANN. Too often it's as if the universe was created this week and ICANN sat down and named all the plants and animals etc. anew. Surely there are many models out there for similar registration systems some probably in existence and enforced for 100+ years. For example WIPO comes to mind but everything from registering ships to banking, multinational business registrations, etc. Some specifics such as email are newer concepts but even in that case email's been around for decades. I'd imagine when the validity of their contracts gets dragged into a court or other dispute resolution that after citing applicable laws and statutes the next thing would be comparing those contracts to those analogous regimens. For example how does WIPO or the ITU handle registrant disclosures. Yet it's always as if these policies were created out of thin air with no precedent or model. Perhaps there are stacks of such considerations they don't include in public documents but I can think of some specific instances where they were developing a policy and I suggested a survey of other organizations' analogous policies and felt like I was met with blank stares. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*