I just want to add my voice to basically the same sentiment (way below...)

With all the data breaches it's almost become easier to list companies who haven't had a massive data breach lately. And once someone walks off with that db it's out there forever tho admittedly still a little more difficult to access than a mere whois query.

But most registrars offer a privacy option so whois only returns the registrar's contact info. That of course won't help with mass data breaches. And there are third-party options.

All GDPR and similar is likely to do is change exactly who has access to this information and how, and how much it will cost.

That might be an improvement for some, and it might offer a false sense of security for many.

How many will thereafter willingly pay the $5/month or whatever it is for "privacy" if they believe their data is somehow protected by law? Far fewer I would guess (yes many registrars provide this free but will they after May 25th?)

I'll reiterate my suggestion I've been pushing for a while now:

Put the WHOIS accessible information into the DNS, possibly as a new RR but that's optional.

That would put it completely under the domain owner's control.

It doesn't solve the problem of data breaches, and I'd include lawful mass access (i.e., selling your info), but at least it's realistic and easy enough to implement -- just convert any WHOIS query into an appropriate DNS query.

But it does separate the WHOIS function from normal customer data management.

ICANN and its registries and registrars can then proceed to practice standard customer information management policies without also having to try to layer a WHOIS policy on the same data.

On April 19, 2018 at 10:24 rsk@gsp.org (Rich Kulawiec) wrote:
On Sat, Apr 14, 2018 at 05:29:35PM +0000, Aaron C. de Bruyn via NANOG wrote:
So why are you proposing that I can't run my *personal* "I strongly believe in {insert emotionally-charged issue} site" without letting psychos know exactly where I live?
A PO box might suffice. There are also mail forwarding (and phone forwarding) services that serve the purpose. Having encountered exactly these sorts of psychos, this might be a good idea if you think it's a threat you may have to face.
(Although let me note that your address is likely available anyway through some deliberate-public database or through one that's been hacked and subsequently leaked. Or via someone you know who "checked in" with a geolocation app while visiting. Or via someone who handed it over to a third party because they were shipping you something. Or...)
Let me suggest that a better choice for these situations is not to register a domain *at all*. Consider: doing so creates a record at your registrar that has information-of-interest about you. All that stands between a psycho and that information is a security breach, a dataloss incident, or -- maybe -- a hundred bucks in an envelope (old style) or a cryptocurrency transfer (new style). Maaaaybe it would be better not to create that record at all.
That's why I've always recommended (for example) that dissident political movements in repressive countries avoid registering domains: any dictator worthy of the title will easily acquire the real registration details, whether they're held in-country or not.
---rsk
--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*