GoDaddy deleting most ancillary registration contact information
I just received this notice through one of my clients. Due to recent changes in the Registration Data Policy (Addendum II), we're updating how Organization Name info is displayed in WHOIS/RDDS: Currently, we collect Registrant, Administrative, Billing, and Technical contacts. Going forward, we'll collect the minimum data required by each domain registry. Most registries will be moving to the minimum data set, so Technical, Administrative, and Billing contacts will no longer be collected or displayed in WhoIs/RDDS. On or after August 21, 2025, we'll delete extra contact data and the registrant fax number from our systems unless the registry specifically requires that data. There is no action needed from you for the above changes. Where your Registrant contact data contains a populated Organization field, this will not be displayed in the Whois/RDDS. First, this seems like awfully short notice. Second, although I remember reading something about this a month ago having to do with GDPR, I didn’t realize it would result in the deletion of existing data in North America. For domains I manage, I have an opportunity, however brief, to collect this information for future use. However, I’m surprised that this is happening to domains registered in North America. I would think it would conflict with ICANN requirements. Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-) -mel
whois used to be operationally useful and very commonly used. glad that's been fixed, eh? randy
On Thu, Jul 17, 2025 at 1:43 PM Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: [snip from GoDaddy] Currently, we collect Registrant, Administrative, Billing, and Technical
contacts. Going forward, we'll collect the minimum data required by each domain registry.
Most registries will be moving to the minimum data set, so Technical, Administrative, and Billing contacts will no longer be collected or displayed in WhoIs/RDDS.
On or after August 21, 2025, we'll delete extra contact data and the registrant fax number from our systems unless the registry specifically requires that data.
[snip, then from Mel]
Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-)
One thing that comes to mind: the (admittedly long-tail) activity of reclamation of fallow / misfiled / "mis-owned" domains. For good or ill, the previous WHOIS model had its own redundancy -- three different contacts, two of which with authority to make technical changes, as well as the power conferred by being the named registrant. On at least three occasions, after M&A activity, I've had to leverage any and all of these to "fix" a domain's ownership, in order to make changes -- in some cases years, or in at least one case *decades* later. This has involved everything from recreating dead email addresses, to calling people who didn't work there anymore, to digging up contracts and printing them on letterhead, etc. ... all to restore the power to make changes. Of course, that's me as an ISP-scarred end user, not as a registry operator. Maybe these alternate paths are an attack surface that should be eliminated. But "this entity used to have the authority to manage this domain, and I am the direct descendant of that entity, lemme in" is gonna get harder. So while I can see removing the WHOIS from visibility, *deleting* so that even the *registrar* doesn't have it anymore feels like it destroys information that would still have value. Royce
Hi, On Jul 17, 2025, at 2:43 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
First, this seems like awfully short notice. Second, although I remember reading something about this a month ago having to do with GDPR, I didn’t realize it would result in the deletion of existing data in North America.
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located. So if an EU citizen happens to be the registrant/contact for a domain registered anywhere in the world (including in the US), the data holder (i.e., the registrar) would, in theory, be liable for misuse of that data to the tune of “up to €20 million or 4% of the company’s global annual turnover from the preceding financial year, whichever is higher.” Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.
For domains I manage, I have an opportunity, however brief, to collect this information for future use. However, I’m surprised that this is happening to domains registered in North America. I would think it would conflict with ICANN requirements.
I see you, like any sane person, are blissfully unaware of the ongoing frenetic and kafkaesque events at ICANN since GDPR went into force in May 2018. In short, ICANN continues to require registrars to collect registrant information, however that information is (largely) unavailable to the public. Since the “temporary specification” (temp spec) was put in place shortly after GDPR went into effect, fields in Whois (now RDAP) that can contain PII must be redacted. ICANN did create a system to allow for requests of the redacted data (see https://www.icann.org/rdrs-en), but let’s just say opinions vary on its usefulness. I suspect GoDaddy will probably argue that they have taken this step to try to minimize their liability exposure as a data holder — if the registry doesn’t require the data, the safest approach is obviously not to collect it. I believe this fits within ICANN’s requirements. Oh, and you, as a member of the public, will still be unable to see that data (law enforcement may be able to see it if they ask and/or they have a court order).
Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-)
My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Regards, -drc
On Fri, 18 Jul 2025 19:39:47 +0000, David Conrad via NANOG wrote:
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.
Not a lawyer either but a European citizen. Gee, I did not know that I carried my shiny GDPR armor when I lived in the US - so many missed opportunities to sue companies! ;-) Seriously, the "regardless of where they're located" is true for the companies when you do business with someone _in_ the EU. Btw, it's not just EU citizen but also residents of the EU (!). I found this explanation: https://gdpr.eu/companies-outside-of-europe/
Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.
I doubt the citizenship matters. It's your address, i.e. your residency. But yeah, opting for less information to stay on the safe side is a likely outcome of GDPR. For GoDaddy.com, when I typed it in my browser I got the https://www.godaddy.com/es-es page as I'm in Spain. With prices in Euro. Which fits the example the gdpr.eu page above mentions. Still, another detail that favors the big companies and creates risks for the small ones. Should have studied law, I guess. Regards, Marc
I doubt the citizenship matters. It's your address, i.e. your residency. But yeah, opting for less information to stay on the safe side is a likely outcome of GDPR.
It's referred to as the 'Brussels Effect' , or 'California Effect'. When certain types of regulation apply in a very large market, most companies just apply those rules to their entire business operation, because that's easier then trying to be surgical about it and making a mistake. By extension, consumers in other places reap much of the same benefits as a result. On Fri, Jul 18, 2025 at 7:14 PM Marc Binderberger via NANOG < nanog@lists.nanog.org> wrote:
On Fri, 18 Jul 2025 19:39:47 +0000, David Conrad via NANOG wrote:
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.
Not a lawyer either but a European citizen. Gee, I did not know that I carried my shiny GDPR armor when I lived in the US - so many missed opportunities to sue companies! ;-)
Seriously, the "regardless of where they're located" is true for the companies when you do business with someone _in_ the EU. Btw, it's not just EU citizen but also residents of the EU (!). I found this explanation:
https://gdpr.eu/companies-outside-of-europe/
Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.
I doubt the citizenship matters. It's your address, i.e. your residency. But yeah, opting for less information to stay on the safe side is a likely outcome of GDPR.
For GoDaddy.com, when I typed it in my browser I got the https://www.godaddy.com/es-es page as I'm in Spain. With prices in Euro. Which fits the example the gdpr.eu page above mentions.
Still, another detail that favors the big companies and creates risks for the small ones. Should have studied law, I guess.
Regards, Marc _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/YBTUHWT3...
yeah, opting for less information to stay on the safe side is a likely outcome of GDPR. It's referred to as the 'Brussels Effect' , or 'California Effect'.
When certain types of regulation apply in a very large market, most companies just apply those rules to their entire business operation,
Businesses usually want to implement the same standards everywhere they operate, But they don't If the standard is economically detrimental to overcome inertia. California has something akin to the FTC's failed click to cancel rule, and there are websites which have the "easy" online cancel button only available to subscribers who claimed to be a resident of that state, and those in other states have the difficult cancel button. I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness. It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent. And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules. -- -JA
I found this on ICANN’s web site: “Recently, new global data privacy regulations such as the European Union's Global Data Protection Regulation have restricted the amount of public information that your Registrar needs to make available, to help protect the privacy of registrants.” <https://www.icann.org/en/contracted-parties/consensus-policies/registration-data-reminder-policy/faqs-domain-name-registrant-contact-information-and-icanns-whois-data-reminder-policy-wdrp-25-02-2012-en> FAQs: Domain Name Registrant Contact Information and ICANN’s WHOIS Data Reminder Policy (WDRP)<https://www.icann.org/en/contracted-parties/consensus-policies/registration-data-reminder-policy/faqs-domain-name-registrant-contact-information-and-icanns-whois-data-reminder-policy-wdrp-25-02-2012-en> icann.org<https://www.icann.org/en/contracted-parties/consensus-policies/registration-data-reminder-policy/faqs-domain-name-registrant-contact-information-and-icanns-whois-data-reminder-policy-wdrp-25-02-2012-en> [favicon.ico]<https://www.icann.org/en/contracted-parties/consensus-policies/registration-data-reminder-policy/faqs-domain-name-registrant-contact-information-and-icanns-whois-data-reminder-policy-wdrp-25-02-2012-en> -mel via cell On Jul 19, 2025, at 9:16 AM, Jay Acuna via NANOG <nanog@lists.nanog.org> wrote: yeah, opting for less information to stay on the safe side is a likely outcome of GDPR. It's referred to as the 'Brussels Effect' , or 'California Effect'. When certain types of regulation apply in a very large market, most companies just apply those rules to their entire business operation, Businesses usually want to implement the same standards everywhere they operate, But they don't If the standard is economically detrimental to overcome inertia. California has something akin to the FTC's failed click to cancel rule, and there are websites which have the "easy" online cancel button only available to subscribers who claimed to be a resident of that state, and those in other states have the difficult cancel button. I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness. It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent. And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules. -- -JA _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/JJFWC7L2...
Jay, On Jul 19, 2025, at 9:15 AM, Jay Acuna via NANOG <nanog@lists.nanog.org> wrote:
I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness.
ICANN is a bit odd in that it is a private entity responsible for a global resource that folks all over the world have to use if they want to use the public Internet. I believe one could say GDPR is “controlling” because ICANN’s "contracted parties" (gTLD registries and ICANN accredited registrars) and the larger community operate and live in areas in which GDPR is the law of the land. I think it fair to say ICANN (both organization and community) failed to take GDPR seriously prior to it going into effect, but that's water under the bridge long ago.
It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule
You may be unaware how ICANN works (using the term loosely). ICANN is not a government or treaty organization. ICANN (the organization) has what powers it has by private contract. It can’t unilaterally impose new contractual obligations to existing contracts. To add new obligations, it must negotiate with the contracted parties, in many cases involving (or being driven by) the larger community. For reference, the most recent amendments to the Registrar Accreditation Agreement took about 10 years to negotiate and get put into force.
requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent.
And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules.
And Registrars, particularly European ones, would agree to these terms because…? (And that’s not even taking into consideration the concerns of government representatives like those from the EU and privacy advocates within the community that would surely weigh in heavily if a policy along these lines ever came up). To be clear, I’m not trying to defend ICANN here, just trying to provide information as to why things are the way they are. Regards, -drc
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.
GDPR applies to any data collector, processor, or subject of data collection , if any of those activities occur inside of the EU. **Citizenship or residence is not a factor.** For example, an American visiting an EU country is just as covered as a citizen of that country. If the data collector, processor and subject are solely outside of the EU, then GDPR *PROBABLY* does not apply. There are many edge cases here though. But the key takeaway is that the citizenship or residence of the data subject DOES NOT MATTER with respect to GDPR applicability. On Fri, Jul 18, 2025 at 3:40 PM David Conrad via NANOG < nanog@lists.nanog.org> wrote:
Hi,
On Jul 17, 2025, at 2:43 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
First, this seems like awfully short notice. Second, although I remember reading something about this a month ago having to do with GDPR, I didn’t realize it would result in the deletion of existing data in North America.
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located. So if an EU citizen happens to be the registrant/contact for a domain registered anywhere in the world (including in the US), the data holder (i.e., the registrar) would, in theory, be liable for misuse of that data to the tune of “up to €20 million or 4% of the company’s global annual turnover from the preceding financial year, whichever is higher.” Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.
For domains I manage, I have an opportunity, however brief, to collect this information for future use. However, I’m surprised that this is happening to domains registered in North America. I would think it would conflict with ICANN requirements.
I see you, like any sane person, are blissfully unaware of the ongoing frenetic and kafkaesque events at ICANN since GDPR went into force in May 2018. In short, ICANN continues to require registrars to collect registrant information, however that information is (largely) unavailable to the public. Since the “temporary specification” (temp spec) was put in place shortly after GDPR went into effect, fields in Whois (now RDAP) that can contain PII must be redacted. ICANN did create a system to allow for requests of the redacted data (see https://www.icann.org/rdrs-en), but let’s just say opinions vary on its usefulness.
I suspect GoDaddy will probably argue that they have taken this step to try to minimize their liability exposure as a data holder — if the registry doesn’t require the data, the safest approach is obviously not to collect it. I believe this fits within ICANN’s requirements. Oh, and you, as a member of the public, will still be unable to see that data (law enforcement may be able to see it if they ask and/or they have a court order).
Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-)
My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless.
Regards, -drc
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/LCEN6OBF...
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote:
My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless.
That's a questionable "statistical" argument. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%. Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category. I realize it became a truism, a part of the narrative, within ICANN to say many, even most, registrant data was useless often accompanied by a laugh at the number which were registered to fictional cartoon characters etc. But I'm not sure that's a reasonable argument for labeling all of the data "useless". Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"? This seems like an admission that this policy was not enforced. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Barry, On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote:
My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...). However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much. Regards, -drc
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG <nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David, Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for. It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota. I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR! -mel via cell
Barry,
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VTC33LVN... <signature.asc>
Cloudflare and Namecheap default to privacy, and don't charge for it. -----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG <nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David, Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for. It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota. I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR! -mel via cell
Barry,
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK...
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion. On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...
So, 2 out of 2400. “Two, if not all”. LOL! -mel via cell
On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.
On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX...
Hey, I was just providing two major examples! Google, Gandi, Godaddy, Porkbun, NameSilo (provided free, not sure if enabled by default), Network Solutions (not by default as far as I recall, but free still), etc... I can't think of a registrar that *doesn't* do it anymore since the advent of GDPR Etc etc..... -----Original Message----- From: Mel Beckman <mel@beckman.org> Sent: Saturday, July 19, 2025 8:05 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; Gary Sparkes <gary@kisaracorporation.com>; Dorn Hetzel <dorn@hetzel.org>; nanog@lists.nanog.org Subject: Re: GoDaddy deleting most ancillary registration contact information So, 2 out of 2400. “Two, if not all”. LOL! -mel via cell
On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.
On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically:
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-ica nn-against-german-domain-registrar-highlights ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registra tion-Data-Accuracy-March-2024.pdf .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-mali ciously-registered-domains-08nov24-en.pdf, but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/V FIPBHSKZYDFMKRT5RRMPCGMIESCXUZ6/ _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/E X7HBCA5RDMPXEZ3R4RSOWU33RS242AD/
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2 JC46XX6B4TOLBK5LDBFKK63LCJMRCL/
Network Solutions only offers free domain privacy if you buy one of their packages. -mel via cell
On Jul 19, 2025, at 5:09 PM, Gary Sparkes <gary@kisaracorporation.com> wrote:
Hey, I was just providing two major examples!
Google, Gandi, Godaddy, Porkbun, NameSilo (provided free, not sure if enabled by default), Network Solutions (not by default as far as I recall, but free still), etc... I can't think of a registrar that *doesn't* do it anymore since the advent of GDPR
Etc etc.....
-----Original Message----- From: Mel Beckman <mel@beckman.org> Sent: Saturday, July 19, 2025 8:05 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; Gary Sparkes <gary@kisaracorporation.com>; Dorn Hetzel <dorn@hetzel.org>; nanog@lists.nanog.org Subject: Re: GoDaddy deleting most ancillary registration contact information
So, 2 out of 2400. “Two, if not all”. LOL!
-mel via cell
On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.
On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically:
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-ica nn-against-german-domain-registrar-highlights ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registra tion-Data-Accuracy-March-2024.pdf .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-mali ciously-registered-domains-08nov24-en.pdf, but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/V FIPBHSKZYDFMKRT5RRMPCGMIESCXUZ6/ _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/E X7HBCA5RDMPXEZ3R4RSOWU33RS242AD/
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2 JC46XX6B4TOLBK5LDBFKK63LCJMRCL/
Huh, good to know, my only dealings with NetSol are to port domains out whenever I encounter them, anyway..... -----Original Message----- From: Mel Beckman <mel@beckman.org> Sent: Saturday, July 19, 2025 8:11 PM To: Gary Sparkes <gary@kisaracorporation.com> Cc: nanog@lists.nanog.org; bzs@theworld.com; Dorn Hetzel <dorn@hetzel.org> Subject: Re: GoDaddy deleting most ancillary registration contact information Network Solutions only offers free domain privacy if you buy one of their packages. -mel via cell
On Jul 19, 2025, at 5:09 PM, Gary Sparkes <gary@kisaracorporation.com> wrote:
Hey, I was just providing two major examples!
Google, Gandi, Godaddy, Porkbun, NameSilo (provided free, not sure if enabled by default), Network Solutions (not by default as far as I recall, but free still), etc... I can't think of a registrar that *doesn't* do it anymore since the advent of GDPR
Etc etc.....
-----Original Message----- From: Mel Beckman <mel@beckman.org> Sent: Saturday, July 19, 2025 8:05 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; Gary Sparkes <gary@kisaracorporation.com>; Dorn Hetzel <dorn@hetzel.org>; nanog@lists.nanog.org Subject: Re: GoDaddy deleting most ancillary registration contact information
So, 2 out of 2400. “Two, if not all”. LOL!
-mel via cell
On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.
On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically:
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-ic a nn-against-german-domain-registrar-highlights ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registr a tion-Data-Accuracy-March-2024.pdf .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-mal i ciously-registered-domains-08nov24-en.pdf, but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message / VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ V FIPBHSKZYDFMKRT5RRMPCGMIESCXUZ6/ _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ E X7HBCA5RDMPXEZ3R4RSOWU33RS242AD/
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H 2 JC46XX6B4TOLBK5LDBFKK63LCJMRCL/
I believe the majority of registrars are used for drop catching, so many of those 2400 are associated with around 200 registrar “families” (last I looked, it’s sort of hard to be exact since families aren’t official). If you peruse https://www.icann.org/en/contracted-parties/accredited-registrars/list-of-ac... you’ll see obvious signs of affiliated companies (e.g., look at “namepal” to pick one example). It might be more useful to look at the market share of the registrars and see which of those registrars default to “redacted for privacy”. However, this feels like hair splitting to me. If you don’t like the term “most, if not all”, how about “lots”? Not sure where you’re going with this. You were the one who raised the question of potential operational impact of GoDaddy’s action and I’ve been trying to point out that yes, there is non-trivial impact and how we got here. YMMV. Regards, -drc
On Jul 19, 2025, at 5:04 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
So, 2 out of 2400. “Two, if not all”. LOL!
-mel via cell
On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion.
On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... .
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/3JK2HBDK...
It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now. Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-) -mel via cell On Jul 19, 2025, at 5:29 PM, David Conrad <drc@virtualized.org> wrote: I believe the majority of registrars are used for drop catching, so many of those 2400 are associated with around 200 registrar “families” (last I looked, it’s sort of hard to be exact since families aren’t official). If you peruse https://www.icann.org/en/contracted-parties/accredited-registrars/list-of-ac... you’ll see obvious signs of affiliated companies (e.g., look at “namepal” to pick one example). It might be more useful to look at the market share of the registrars and see which of those registrars default to “redacted for privacy”. However, this feels like hair splitting to me. If you don’t like the term “most, if not all”, how about “lots”? Not sure where you’re going with this. You were the one who raised the question of potential operational impact of GoDaddy’s action and I’ve been trying to point out that yes, there is non-trivial impact and how we got here. YMMV. Regards, -drc On Jul 19, 2025, at 5:04 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: So, 2 out of 2400. “Two, if not all”. LOL! -mel via cell On Jul 19, 2025, at 4:47 PM, Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote: None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never will. Personally, it feels skanky to do it, but I guess that's just one opinion. On Sat, Jul 19, 2025 at 7:39 PM Gary Sparkes via NANOG < nanog@lists.nanog.org> wrote: Cloudflare and Namecheap default to privacy, and don't charge for it. -----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG < nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. David, Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for. It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota. I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR! -mel via cell Barry, On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote: On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%. I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point. Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category. As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course). Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"? AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai... ). However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da... . This seems like an admission that this policy was not enforced. Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much. Regards, -drc _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc> _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H2JC46XX... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/3JK2HBDK... <signature.asc>
On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote:
It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.
They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://www.dnib.com/articles/interisle-report-examines-domain-name-contact-... which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper: "Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.” Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears: Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes onamae.com and z.com, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains (I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey) Translating that to operational impact, according to the first line of the dnib.com paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.
Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)
Ironically, the original aphorism was “the plural of anecdote is data” (see https://web.archive.org/web/20080523225000/http://listserv.linguistlist.org/cgi-bin/wa?A2=ind0407a&L=ads-l&P=8874). Regards, -drc
David, Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”. Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! -mel On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote: On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now. They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://www.dnib.com/articles/interisle-report-examines-domain-name-contact-... which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper: "Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.” Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears: Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes onamae.com and z.com, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains (I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey) Translating that to operational impact, according to the first line of the dnib.com paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”. Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-) Ironically, the original aphorism was “the plural of anecdote is data” (see https://web.archive.org/web/20080523225000/http://listserv.linguistlist.org/cgi-bin/wa?A2=ind0407a&L=ads-l&P=8874). Regards, -drc <signature.asc>
"Hard cases make good Law." RonY Sent from my iPhone
On Jul 21, 2025, at 4:03 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
David,
Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”.
Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN!
-mel
On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote:
On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.
They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dnib.com_articles_interisle-2Dreport-2Dexamines-2Ddomain-2Dname-2Dcontact-2Ddata-2Davailability&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=HNhAt6Xw9R20rk1Pj0Tj-ITXDLXG90K7EXYZiuBTWTY&e= which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper:
"Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.”
Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears:
Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes https://urldefense.proofpoint.com/v2/url?u=http-3A__onamae.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=uoaC7ef9fHZuYnOyn_w5D7ieZzQ-MCyy9ga_QBVpsHc&e= and https://urldefense.proofpoint.com/v2/url?u=http-3A__z.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=MRl6alNNS_i0U5Bq8CXDNH4qCDW0qv4u9c5QR78WyuY&e=, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains
(I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey)
Translating that to operational impact, according to the first line of the https://urldefense.proofpoint.com/v2/url?u=http-3A__dnib.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=5ZsrGJY45ZbllizLyKjX1emApZIBr1LeQ-TuDxc_TNY&e= paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.
Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)
Ironically, the original aphorism was “the plural of anecdote is data” (see https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20080523225000_http-3A__listserv.linguistlist.org_cgi-2Dbin_wa-3FA2-3Dind0407a-26L-3Dads-2Dl-26P-3D8874&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=QkUD_G-cq1lqEdKXDmHSbmGs-glweWBR0jxpODvg1Eg&e=).
Regards, -drc
<https://urldefense.proofpoint.com/v2/url?u=http-3A__signature.asc&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=8ENcEhGfP9eqIBumbAp1m6lHbRhFJKyQd-ZhwY5jZio&e=> _______________________________________________ NANOG mailing list https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_FLKJDDSLRNAOCMQCVRQ5YBG4LFHJ6TBA_&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=BjYFzTJZ8A6LT08zu-r8Jv2bTgdC9gbao7YG4PD-cBw&e=
Hey are you related to Jonah? Jonathan Kalbfeld office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662 ThoughtWave Technologies, Inc. Studio City, CA 91604 https://thoughtwave.com View our network at https://bgp.he.net/AS54380 +1 844 42-LINUX
On Jul 21, 2025 at 2:41 PM, Ron Yokubaitis via NANOG <nanog@lists.nanog.org> wrote:
"Hard cases make good Law."
RonY Sent from my iPhone
On Jul 21, 2025, at 4:03 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
David,
Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”.
Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN!
-mel
On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote:
On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.
They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dnib.com_articles_interisle-2Dreport-2Dexamines-2Ddomain-2Dname-2Dcontact-2Ddata-2Davailability&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=HNhAt6Xw9R20rk1Pj0Tj-ITXDLXG90K7EXYZiuBTWTY&e= which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper:
"Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.”
Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears:
Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes https://urldefense.proofpoint.com/v2/url?u=http-3A__onamae.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=uoaC7ef9fHZuYnOyn_w5D7ieZzQ-MCyy9ga_QBVpsHc&e= and https://urldefense.proofpoint.com/v2/url?u=http-3A__z.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=MRl6alNNS_i0U5Bq8CXDNH4qCDW0qv4u9c5QR78WyuY&e=, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains
(I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey)
Translating that to operational impact, according to the first line of the https://urldefense.proofpoint.com/v2/url?u=http-3A__dnib.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=5ZsrGJY45ZbllizLyKjX1emApZIBr1LeQ-TuDxc_TNY&e= paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.
Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)
Ironically, the original aphorism was “the plural of anecdote is data” (see https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20080523225000_http-3A__listserv.linguistlist.org_cgi-2Dbin_wa-3FA2-3Dind0407a-26L-3Dads-2Dl-26P-3D8874&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=QkUD_G-cq1lqEdKXDmHSbmGs-glweWBR0jxpODvg1Eg&e=).
Regards, -drc
<https://urldefense.proofpoint.com/v2/url?u=http-3A__signature.asc&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=8ENcEhGfP9eqIBumbAp1m6lHbRhFJKyQd-ZhwY5jZio&e=> _______________________________________________ NANOG mailing list https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_FLKJDDSLRNAOCMQCVRQ5YBG4LFHJ6TBA_&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=BjYFzTJZ8A6LT08zu-r8Jv2bTgdC9gbao7YG4PD-cBw&e=
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EMJ5I5QA...
Jonathan Kalbfeld office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662 ThoughtWave Technologies, Inc. Studio City, CA 91604 https://thoughtwave.com View our network at https://bgp.he.net/AS54380 +1 844 42-LINUX
On Jul 21, 2025 at 5:17 PM, jonathan via NANOG <nanog@lists.nanog.org> wrote:
Hey are you related to Jonah?
Jonathan Kalbfeld
office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662
ThoughtWave Technologies, Inc. Studio City, CA 91604
View our network at
+1 844 42-LINUX
On Jul 21, 2025 at 2:41 PM, Ron Yokubaitis via NANOG <nanog@lists.nanog.org> wrote:
"Hard cases make good Law."
RonY Sent from my iPhone
On Jul 21, 2025, at 4:03 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
David,
Thank you for supplying the factual data I was looking for. I’m happy to now accept “most”.
Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN!
-mel
On Jul 21, 2025, at 1:24 PM, David Conrad <drc@virtualized.org> wrote:
On Jul 19, 2025, at 5:41 PM, Mel Beckman <mel@beckman.org> wrote: It’s not that I’m “going somewhere” with this comment. I’m just looking for factual data, not wild guesses. I’ll accept “some” for now.
They weren’t "wild guesses”. As mentioned, my comments regarding registrars redacting for privacy was in relation to my discussions with law enforcement. This would appear to be corroborated by John McCormac’s post that pointed to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dnib.com_articles_interisle-2Dreport-2Dexamines-2Ddomain-2Dname-2Dcontact-2Ddata-2Davailability&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=HNhAt6Xw9R20rk1Pj0Tj-ITXDLXG90K7EXYZiuBTWTY&e= which seems to confirm “most” (if not “if not all”). The TL;DR quote from that paper:
"Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants.”
Since my day job causes me to be somewhat involved in never ending registration data debacle, I did a quick check of the top registrars by market share John listed. It appears:
Godaddy (27.6% market share): privacy on by default for all eligible new domains Namecheap (8.04%): privacy on by default for all eligible new domains Tucows (includes Enom and Hover, 4.3%): on by default for all eligible new domains Squarespace (formerly Google, 3.3%): on by default for all eligible new domains GMO Internet (includes https://urldefense.proofpoint.com/v2/url?u=http-3A__onamae.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=uoaC7ef9fHZuYnOyn_w5D7ieZzQ-MCyy9ga_QBVpsHc&e= and https://urldefense.proofpoint.com/v2/url?u=http-3A__z.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=MRl6alNNS_i0U5Bq8CXDNH4qCDW0qv4u9c5QR78WyuY&e=, 2.37%): on by default for all eligible new domains Dynadot (2.21%): on by default for all eligible new domains Netsol: (2.16%): NOT on by default, a $9.99 added service Gname: (2.12%): NOT on by default, free for all eligible new domains
(I was only able to find one other registrar that doesn’t have privacy on by default, Bluehost, but I didn’t bother figuring out their market share or doing a further, exhaustive survey)
Translating that to operational impact, according to the first line of the https://urldefense.proofpoint.com/v2/url?u=http-3A__dnib.com&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=5ZsrGJY45ZbllizLyKjX1emApZIBr1LeQ-TuDxc_TNY&e= paper, about "Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system […]”.
Is every good scientist knows, the absence of data is not data, and the plural of anecdote is not data :-)
Ironically, the original aphorism was “the plural of anecdote is data” (see https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20080523225000_http-3A__listserv.linguistlist.org_cgi-2Dbin_wa-3FA2-3Dind0407a-26L-3Dads-2Dl-26P-3D8874&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=QkUD_G-cq1lqEdKXDmHSbmGs-glweWBR0jxpODvg1Eg&e=).
Regards, -drc
<https://urldefense.proofpoint.com/v2/url?u=http-3A__signature.asc&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=8ENcEhGfP9eqIBumbAp1m6lHbRhFJKyQd-ZhwY5jZio&e=> _______________________________________________ NANOG mailing list https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_FLKJDDSLRNAOCMQCVRQ5YBG4LFHJ6TBA_&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=cGrDT0liF-gD_o4EJ7o_qg&m=j0RyxXxwnpCmSqoSZYvbAwrZgb09c8cpYDfGWknN0HfiGA4donrvcrH83MttE3st&s=BjYFzTJZ8A6LT08zu-r8Jv2bTgdC9gbao7YG4PD-cBw&e=
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EMJ5I5QA...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/B4BDSKKC...
On July 21, 2025 at 21:40 nanog@lists.nanog.org (Ron Yokubaitis via NANOG) wrote:
"Hard cases make good Law."
Hard cases make good luggage. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Jul 21, 2025, at 5:02 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: ... Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! Rather unlikely to occur, as organizations using ARIN’s registry services are informed that they are public in nature – as benefitting their role in supporting global Internet operations – and take appropriate precautions when collecting and entering personally identifiable information (e.g. personal phones numbers, email address, residential home addresses); more specifically, organizations are to either obtain consent of the individual or use a more appropriate form of contact information (e.g. business number, business email, business street address.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers P.S. This is all covered in ARIN’s privacy policy <https://www.arin.net/about/privacy/>; excerpts from relevant section(s): ARIN collects several types of information through the use of our Websites, Services, and related interactions with individuals: “Personal Data” is information that can be used to identify an individual, such as their given name, postal address, telephone number, fax numbers, or email addresses. … Note that some of these ARIN Services (e.g. our public mailing lists, public wikis, or other public forums, participation in our public meetings, etc.) make the information that you provide public and therefore you are responsible for careful consideration of whether to use these Services. “Organizational Data” is information supplied to ARIN that pertains to the organizations that are authorized to use our Services. The primary data elements that ARIN collects in the normal course of its activities are routine business contact information – organization name, street address, and organizational contact information (i.e. department name or other point of contact in the organization, including business email address and telephone number.) Organizations should only provide Personal Data (of their staff, customers, or others) to ARIN with the consent of the affected individuals, as organizations supplying such information to ARIN are responsible for its ongoing accurate maintenance. … Note that many of ARIN’s Services are registry services or discussion forums that by their inherent nature involve the publication of information either publicly or to an identified community in accordance with specific policies of the registry.
The APAC community has APNIC Prop-162 WHOIS Privacy up for discussion, which effectively makes person objects in WHOIS redundant. https://www.apnic.net/community/policy/proposals/prop-162/ The idea is to remove (or hide) all PII from WHOIS, as well as other unnecessary information such as street addresses, fax numbers, etc. Regards, Christopher Hawker Sent from my iPhone On 22 Jul 2025, at 8:50 am, John Curran via NANOG <nanog@lists.nanog.org> wrote: On Jul 21, 2025, at 5:02 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: ... Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! Rather unlikely to occur, as organizations using ARIN’s registry services are informed that they are public in nature – as benefitting their role in supporting global Internet operations – and take appropriate precautions when collecting and entering personally identifiable information (e.g. personal phones numbers, email address, residential home addresses); more specifically, organizations are to either obtain consent of the individual or use a more appropriate form of contact information (e.g. business number, business email, business street address.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers P.S. This is all covered in ARIN’s privacy policy <https://www.arin.net/about/privacy/>; excerpts from relevant section(s): ARIN collects several types of information through the use of our Websites, Services, and related interactions with individuals: “Personal Data” is information that can be used to identify an individual, such as their given name, postal address, telephone number, fax numbers, or email addresses. … Note that some of these ARIN Services (e.g. our public mailing lists, public wikis, or other public forums, participation in our public meetings, etc.) make the information that you provide public and therefore you are responsible for careful consideration of whether to use these Services. “Organizational Data” is information supplied to ARIN that pertains to the organizations that are authorized to use our Services. The primary data elements that ARIN collects in the normal course of its activities are routine business contact information – organization name, street address, and organizational contact information (i.e. department name or other point of contact in the organization, including business email address and telephone number.) Organizations should only provide Personal Data (of their staff, customers, or others) to ARIN with the consent of the affected individuals, as organizations supplying such information to ARIN are responsible for its ongoing accurate maintenance. … Note that many of ARIN’s Services are registry services or discussion forums that by their inherent nature involve the publication of information either publicly or to an identified community in accordance with specific policies of the registry. _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CCUXPE2M...
Christoper - As I understand the proposed APNIC policy, it only removes the contact information objects from the Bulk whois dataset - With the exception of abuse contact information, APNIC should remove address, phone, fax-no, e-mail, and notify fields (the Contact Information) from Org, IRT, and role objects in the Bulk Access dataset. Hence the title in the policy text reading "prop-162-v003: WHOIS Privacy for Bulk Access”, and the policy Objective as follows - 2. Objective of policy change ----------------------------- This policy will eliminate the unnecessary distribution and retention of APNIC member organisation contact information by third parties. APNIC systems will become the only source of obtaining address, phone, fax-no, e-mail, and notify data for APNIC members. This policy change will not prevent APNIC members or other authorised users of APNIC WHOIS from obtaining contact information for network resources in either ad-hoc or automated queries. FYI, /John John Curran President and CEO American Registry for Internet Numbers On Jul 21, 2025, at 8:24 PM, Christopher Hawker <chris@thesysadmin.au> wrote: The APAC community has APNIC Prop-162 WHOIS Privacy up for discussion, which effectively makes person objects in WHOIS redundant. https://www.apnic.net/community/policy/proposals/prop-162/ The idea is to remove (or hide) all PII from WHOIS, as well as other unnecessary information such as street addresses, fax numbers, etc. Regards, Christopher Hawker Sent from my iPhone On 22 Jul 2025, at 8:50 am, John Curran via NANOG <nanog@lists.nanog.org> wrote: On Jul 21, 2025, at 5:02 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote: ... Let us hope the slippery slope of anonymizing registration data doesn’t creep into ARIN! Rather unlikely to occur, as organizations using ARIN’s registry services are informed that they are public in nature – as benefitting their role in supporting global Internet operations – and take appropriate precautions when collecting and entering personally identifiable information (e.g. personal phones numbers, email address, residential home addresses); more specifically, organizations are to either obtain consent of the individual or use a more appropriate form of contact information (e.g. business number, business email, business street address.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers P.S. This is all covered in ARIN’s privacy policy <https://www.arin.net/about/privacy/>; excerpts from relevant section(s): ARIN collects several types of information through the use of our Websites, Services, and related interactions with individuals: “Personal Data” is information that can be used to identify an individual, such as their given name, postal address, telephone number, fax numbers, or email addresses. … Note that some of these ARIN Services (e.g. our public mailing lists, public wikis, or other public forums, participation in our public meetings, etc.) make the information that you provide public and therefore you are responsible for careful consideration of whether to use these Services. “Organizational Data” is information supplied to ARIN that pertains to the organizations that are authorized to use our Services. The primary data elements that ARIN collects in the normal course of its activities are routine business contact information – organization name, street address, and organizational contact information (i.e. department name or other point of contact in the organization, including business email address and telephone number.) Organizations should only provide Personal Data (of their staff, customers, or others) to ARIN with the consent of the affected individuals, as organizations supplying such information to ARIN are responsible for its ongoing accurate maintenance. … Note that many of ARIN’s Services are registry services or discussion forums that by their inherent nature involve the publication of information either publicly or to an identified community in accordance with specific policies of the registry. _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CCUXPE2M...
On 20/07/2025 01:29, David Conrad via NANOG wrote:
I believe the majority of registrars are used for drop catching, so many of those 2400 are associated with around 200 registrar “families” (last I looked, it’s sort of hard to be exact since families aren’t official).
The majority of ICANN accredited registrars are used for drop catching. The drop catching aspect is only part of the market and the number of registrars operated by a drop catcher operation increases the chances of catching a newly deleted domain name. In addition to tracking domain name hosting history, I've got the ICANN registrar transactions data back to July 2001. Drop catching has been going on for a long time. The bulk of registrations are on retail registrars and brand protection registrars. Drop catching is an important part of the business and is highly competitive. Multiple registrar accreditations increase the chances of a drop catcher catching a newly deleted domain name. From monthly website IP surveys, approximately 9.57% of .COM is on sale. The drop catcher process generally involves the domain names being moved to a sales/auction website or a website created with a "for sale" landing page. The rate of new ICANN accredited registrars has slowed and the ccTLDs have become more important in their own markets with the effect that businesses are more likely to become ccTLD registrars in their local ccTLD and outsource gTLD registrations to larger gTLD registrars that provide reseller accounts and services. If you peruse https://www.icann.org/en/contracted-parties/accredited-registrars/list-of-ac... you’ll see obvious signs of affiliated companies (e.g., look at “namepal” to pick one example). It might be more useful to look at the market share of the registrars and see which of those registrars default to “redacted for privacy”. A quick way of grouping some of the drop catcher operations is to look at the registrar URL or contact details for the registrar in the ICANN registrar data. From the February 2025 ICANN data, the market shares for the top individual registrars are: Godaddy : 27.60% Namecheap : 8.04% Tucows : 4.30% Squarespace II (formerly Google Domains) : 3.30% GMO Internet : 2.37% Dynadot : 2.21% Netsol : 2.16% Gname : 2.12% The effect of the GDPR mess is cumulative because new registrations since May 2018 often have their details redacted by default. Some registrars have taken the opportunity to redact everything including data not covered by GDPR (GDPR applies to personal information). Verisign's Domain Name Industry Brief website (dnib.com) commissioned Interisle to estimate the number of domain names affected by WHOIS privacy and redaction. Approximately 90% of gTLD domain names are affected. https://www.dnib.com/articles/interisle-report-examines-domain-name-contact-... The problem is much worse on some European ccTLDs were all contact and ownership details are redacted by default. GDPR and ICANN's implementation of "privacy" made a mess of things for the gTLDs. The bureaucrats in Brussels have come up with NIS-2 and it tries to undo some of the damage caused by GDPR on WHOIS/RDS data. It requires that registrants be contactable. While registrant data is often available to the registries with European ccTLDs, the registrant data for gTLD registrations is not centralised in the same manner. Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com ********************************************************** -- This email has been checked for viruses by Avast antivirus software. www.avast.com
On Sat, Jul 19, 2025 at 6:46 PM Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never
I'd suggest one of the problems is the registry's failure to distinguish between a domain to be managed by a network operator or a business/organization properly for conducting commerce, such as selling products, or soliciting payments, through the online presence attached to their domain; Versus a domain used and owned by an individual for personal usage; such as a personal blog, or personal email box. Personal domains should merit privacy, I would think, and there should be a means of displaying the hosting provider or network operator's contacts in WHOIS, instead of the registrant's home information for a personal domain. To avoid exposing their home address and other such personal info. But for a business: there should be no "Privacy", and the registration ought to list contacts at their office or place of business. Which also are not subject to GPDR protections, since they are the Information for a business and not a person's personal details. For example; If I find the online website of a business considering to do business with them, then I expect to find verifiable business Information in WHOIS, and it is necessary information to help confirm the legitimacy of an ecommerce website or commercial email message. A WHOIS indication on the business domain showing masked details or missing information would be a strong indicator that the domain is used by scammers, phishers, etc. You ought to always be able to WHOIS a business domain and see the purported administrative business contact details for their network or company.
Personally, it feels skanky to do it, but I guess that's just one opinion. -- -JA
FWIW I 99% agree with you, maybe 100%. I've said about the same thing for many years. If you do business with the public you have to disclose your identity. "Identity" is generally defined, as a minimum, as someone and some place to serve legal notices. And sufficient to identify any business licenses or equivalent, corporate filings, trademarks, case law, etc. Most countries of any legal sophistication have long required this in general, long before the internet. No doubt there will be gray areas but as the expression goes: Hard cases make bad law. They can be worked out, they have been worked out in the non-online world, this is not a new idea. On July 20, 2025 at 13:58 mysidia@gmail.com (Jay Acuna) wrote:
On Sat, Jul 19, 2025 at 6:46 PM Dorn Hetzel via NANOG <nanog@lists.nanog.org> wrote:
None of my personal domains have any sort of privacy turned on, never have (it didn't exist when the oldest ones were registered via SRI), and never
I'd suggest one of the problems is the registry's failure to distinguish between a domain to be managed by a network operator or a business/organization properly for conducting commerce, such as selling products, or soliciting payments, through the online presence attached to their domain; Versus a domain used and owned by an individual for personal usage; such as a personal blog, or personal email box.
Personal domains should merit privacy, I would think, and there should be a means of displaying the hosting provider or network operator's contacts in WHOIS, instead of the registrant's home information for a personal domain. To avoid exposing their home address and other such personal info.
But for a business: there should be no "Privacy", and the registration ought to list contacts at their office or place of business. Which also are not subject to GPDR protections, since they are the Information for a business and not a person's personal details.
For example; If I find the online website of a business considering to do business with them, then I expect to find verifiable business Information in WHOIS, and it is necessary information to help confirm the legitimacy of an ecommerce website or commercial email message.
A WHOIS indication on the business domain showing masked details or missing information would be a strong indicator that the domain is used by scammers, phishers, etc. You ought to always be able to WHOIS a business domain and see the purported administrative business contact details for their network or company.
Personally, it feels skanky to do it, but I guess that's just one opinion. -- -JA
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
As does GoDaddy (which triggered this thread), which is the largest registrar by far (based on market share). Regards, -drc
On Jul 19, 2025, at 4:38 PM, Gary Sparkes via NANOG <nanog@lists.nanog.org> wrote:
Cloudflare and Namecheap default to privacy, and don't charge for it.
-----Original Message----- From: Mel Beckman via NANOG <nanog@lists.nanog.org> Sent: Saturday, July 19, 2025 7:11 PM To: nanog@lists.nanog.org Cc: bzs@theworld.com; nanog@lists.nanog.org; Mel Beckman <mel@beckman.org> Subject: Re: GoDaddy deleting most ancillary registration contact information
On Jul 19, 2025, at 2:03 PM, David Conrad via NANOG <nanog@lists.nanog.org> wrote: I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted.
David,
Most if not all? I don’t know of any registrars that default to “privacy” for registrations. In fact, the all sell it as an add-on option that you have to explicitly accept and agree to pay for.
It seems like registrars are doing this to just reduce the amount of data they’re responsible to maintain, while not reducing costs one iota.
I’ll bet if the FTC, or whoever, mandated that this reduced level of service required a refund to existing registrants, we’d find exactly how much non-European Registrars really respect the GPDR!
-mel via cell
Barry,
On Jul 19, 2025, at 11:50 AM, bzs@theworld.com wrote:
On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) wrote: My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless. Even if 90% were useless it would still be of use, possibly critically, in the other 10% of cases and I don't think it's anywhere near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point.
Particularly if one can consider legitimate "privacy providers" useful as they can be contacted, subpoenaed, etc. which you seem to count as being in the "useless" category.
As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course).
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....
This seems like an admission that this policy was not enforced.
Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously..., but that probably doesn’t help that much.
Regards, -drc
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VT C33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/ <signature.asc>
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VFIPBHSK... _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/EX7HBCA5...
On July 19, 2025 at 21:03 nanog@lists.nanog.org (David Conrad via NANOG) wrote:
Whatever happened to "if your registration data is fraudulent, obsolete, or incorrect you stand to have your registration canceled"?
AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-agai...).
However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Da....
People wonder why ICANN's overhead / operating cost is so high but then one has to wrap their heads around contract enforcement in roughly 200 countries...Basically that's much of what ICANN is, a global web of contracts. Looking at that link does bring up a pet peeve though. There're no references to any other policy documents, particularly models external to ICANN. Too often it's as if the universe was created this week and ICANN sat down and named all the plants and animals etc. anew. Surely there are many models out there for similar registration systems some probably in existence and enforced for 100+ years. For example WIPO comes to mind but everything from registering ships to banking, multinational business registrations, etc. Some specifics such as email are newer concepts but even in that case email's been around for decades. I'd imagine when the validity of their contracts gets dragged into a court or other dispute resolution that after citing applicable laws and statutes the next thing would be comparing those contracts to those analogous regimens. For example how does WIPO or the ITU handle registrant disclosures. Yet it's always as if these policies were created out of thin air with no precedent or model. Perhaps there are stacks of such considerations they don't include in public documents but I can think of some specific instances where they were developing a policy and I suggested a survey of other organizations' analogous policies and felt like I was met with blank stares. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
participants (15)
-
bzs@theworld.com -
Christopher Hawker -
David Conrad -
Dorn Hetzel -
Gary Sparkes -
Jay Acuna -
John Curran -
John McCormac -
jonathan -
Marc Binderberger -
Mel Beckman -
Randy Bush -
Ron Yokubaitis -
Royce Williams -
Tom Beecher