Update: we have since flip-flopped on this.
Please See: The Official easyDNS Flip-Flop on Whois Privacy.
We get asked this a alot: Why do you guys not offer whois masking or whois contact privacy?
The brief background on this is: whenever you register a domain name, your contact details are published in a publicly visible database called “whois”, where your contact details are instantly harvested by spambots and marketers who proceed to email and postal mail you marketing offers, deceptive “domain slamming” attempts, ads for dubious products, and perhaps even telemarketing calls.
Nobody likes that, so over the years people started resorting to various tactics to protect themselves from the deluge of crap that inevitably comes with simply registering a domain name: throwaway email addresses in whois records, fake postal addresses, fake phone numbers, etc. The problem is, Registrants are obligated under their various end user agreements to provide true and accurate data (not doing so is grounds to lose one’s domain), and the US even passed legislation making it unlawful to use fake contact details in a domain name registration.
Our response to this, years ago, was MyPrivacy.ca which protects your email address from being harvested from your whois records, but leaves your other data intact. We didn’t see it as a revenue opportunity, in fact we made it free and opened it up to competing registrars, many of whom started recommending it to their customers. We just wanted to drive a stake through the heart of the whois spammers.
It wasn’t long though, before many registrars took it a step further and created the concept of “whois masking” or “contact privacy”, where all of the domain-holder contact details would be masked from the public whois. Of course, this was heralded as a “value-add” and most outfits charge extra for it.
In today’s long overdue post, we’re finally revealing why so-called “whois privacy” puts your domains at risk, costs you more and doesn’t really protect your privacy.
If you haven’t seen a “whois record”, go to http://www.easywhois.com and enter a domain name, any domain existing name, and look at the record. If you enter easydns.com you’ll see our corporate contact details, our address, the legal name of our company, our phone and fax numbers.
Then enter a domain name that has “whois privacy”, instead of seeing the actual end-user contact details of the domain holder, you’ll see something like:
Privacy Protection or
and some other address info which is basically all a “mask”.
Here’s what you need to understand: Whether a domain name is considered “property” (like in .com) or just conveys “rights” (like .ca here in Canada), the domain is considered the property of, or the rights accrue to, whoever or whatever is listed in the whois record.
If you use whois privacy and some kind of dispute arises between you and your Registrar, and you were to go to ICANN or CIRA and assert your rights to that name, they would look at the whois record details and tell you that you have no standing. The domain belongs to the “privacy entity” listed in the record.
From ICANN or CIRA’s point of view, having a contract in place between you and the “privacy provider” isn’t a factor, the domain belongs to them, not you. If you want to do something about it, you’ll have to follow that up in court. If your Registrar (or privacy provider) is in some other legal jurisdiction, then you have that additional hurdle to deal with (that of suing a company in another country).
And that’s if the Registrar is still in existence. If the reason you have a problem in the first place is that your registrar has imploded and disappeared (RegisterFly anyone?) then you have 1) nobody to sue and 2) no way to prove you are the “real” owner of all your “privacy protected” names.
It is true that Registrars are now obligated to escrow their Registrant data to protect against Registrar failure (I call this the “RegisterFly Rule”), if your whois records are privacy masked, then the data that will be escrowed will be the masked data, not the underlying registrant data.
There is nothing in the ICANN Registrar Accreditation Agreement that provisions for whois masking or privacy protection that puts an onus on the Registrar to preserve the underlying registrant data anywhere and maintain a verifiable link between the “real” record and “masked” record. There is nothing in the Registrar data escrow requirements that says a registrar has to provide the underlying “real” record to the escrow provider.
I find this risk so unacceptable that I simply refuse to sell this stuff to the public. Liken whois privacy to the “Credit Default Swaps” of the domain world. As long as nothing goes wrong, everything is fine and everybody makes money. As soon as something goes wrong, all hell breaks loose.
It gets worse: Whois Privacy only protects you from the most cursory examination of your details. In the event of an even moderate intensification of scrutiny: a UDRP challenge, a subpoena, or any legal action, you will find that the Registrar will drop your privacy mask as a matter of policy and restore your underlying live data anyway.
There are even some Registrars who will set you up with “privacy protection” on one hand, and will then sell your private data out the other side to anybody who wants it. Now I once wrote about this and was criticized for “not naming names”, so if you have that same objection now, email me and I will send you a link to a page from a large Registrar who offers whois privacy protection that offers to sell you the underlying masked data for any “privacy protected” registrant on their system for $10.
Once again, we have something that strikes me just another Registrar “cash grab” that not only doesn’t provide any real benefits to the domain holder but actually adds an unacceptable amount of risk.