Privacy and Security in Domain Registration

Using a proxy to register Domain names

Privacy

Domain registrations are public information.  Anyone can lookup the owner of a domain name online through a Whois lookup service.  Just by knowing the name of a domain owner, there is not a lot of damage a person could do.  However, real problems arise where the domain owner's full contact information is listed as well.  Such problems may include identity theft, fraud, domain hijacking, data mining, spam, and other intrusions on your privacy.

You are taking a BIG risk if you choose to use fake name and contact information to register a domain name.  If you get caught, your registration could be cancelled without warning, and you could lose your valuable domain.  All it takes is for someone to look up your bogus Whois listing and file a complaint with your registrar.  Plus, ICANN operates a website called InterNIC which oversees and regularly patrols the Whois listings.  Note that this is the policy of all domain registrars (not just Dynadot) because this is what ICANN requires.

Proxy and anonymous registration services

Numerous other domain registrars offer "proxy" or anonymous registration services that claim to provide complete privacy, including the name of the registered name holder (aka the domain owner).  These services offer to register the domain themselves on your behalf, and then charge you a premium for the privilege of listing themselves as the registered name holder.  You still receive all emails, postal mails, and packages, regardless of whether it is spam or junk.  Sometimes these proxy services offer to change your email address every 10 days to throw off spammers, without any guarantees that such a tactic actually prevents your receipt of spam.

But do these services really work?  Unfortunately, not as well as these proxy service providers claim.  For instance, as Wikipedia states of this type of proxy service: "… this is not true anonymity.  Personal information is collected by these registrars to provide the service.  To some, the registrars take little persuasion to release so-called 'private' information to the world as the link below demonstrates. [1] (http://news.com/Private+domains+not+so+private/2100-1038_3-5833663.html)"  (Wikipedia.org, December 19, 2005, at http://en.wikipedia.org/wiki/Domain_privacy.)

And who can forget the infamous Re-code.com incident in 2003 involving Domains-By-Proxy, a proxy service provider affiliated with one of the world's largest domain registrar companies.  "Domains-By-Proxy revealed the name of its 'anonymous' registrant as soon as the registrant's conduct was challenged, without any determination that the challenger had a legal cause of action." (excerpt from "Comments of the Electronic Frontier Foundation to ICANN'S WHOIS Task Forces 1 and 2, July 5, 2004"; by Electronic Frontier Foundation, December 12, 2005, at http://www.eff.org/Infrastructure/DNS_control/icann_whois.php.)  In fact, all it took for the proxy company to sell out its customer was the mere receipt of a threatening letter, not a subpoena, court order, or other legally-mandated procedure. (Roessler, Thomas; WHOIS Task Force 2 – Proxy Registration (and related) Services; published April 7, 2004; at http://does-not-exist.org/proxies.html. ("Roessler").)

 

The reason why these proxy companies are so quick to drop the privacy services is because of the immense legal liability they face since they are the legally recognized registered name holder of the domain.  They figure that if they publicly disclose the individual who engaged in the challenged activity, then they can't themselves be sued or accused of the activity.  But this is a great disservice to the customer:  they promise to protect domain privacy, and then at the first sign of trouble they hang you out to dry. 

Proxy arrangements are regulated by section 3.7.7.3 of ICANN's Registrar Accreditation Agreement (RAA):

Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.  (Registrar Accreditation Agreement,    3.7.7.3, available online at http://www.icann.org/registrars/ra-agreement-17may01.htm. (emphasis ours))

What the RAA is saying, in plain English, is that the proxy service provider must assume legal liability for any activities you may engage in as the customer, unless the proxy service promptly cancels your privacy service.  In other words, ICANN is effectively encouraging the proxy service providers to disclose your true identity as the only way for the provider to avoid legal liability in the event of any problems.  In addition, "reasonable evidence of actionable harm" is vague and ambiguous, and fails to tell the customer exactly when their privacy service may be cancelled.  The terms outlined by Domains-By-Proxy and other proxy providers appear to be more detailed.  However, remember in the Re-code.com case, all it took was a mere "cease and desist" letter – not a subpoena or court order – for Domains-By-Proxy to drop Re-code.com's privacy services.  (See Roessler at http://does-not-exist.org/proxies.html.) 

Moreover, if you read the terms of the proxy, there is typically no requirement that the proxy companies give you notice before releasing your information to the public. 

Besides, proxy services do not technically provide anonymity, but pseudonymity, in that the intermediate entity knows the end-user's identity, but publishes its own information in the Whois database instead.  Thomas Roessler, a member of ICANN's Whois Task Force 2, summarizes the position of ICANN's At-Large Advisory Committee as follows:  "the chief problem with these 'masking' services is that they may unmask their users on slight provocation."  This means it doesn't take much before the proxy service providers will cancel your privacy service.

So, do you still think that proxy registration services will keep your identity completely anonymous?  Think again, because they have every incentive to publicly reveal your name and contact information at the first sign of trouble.  But, what is this "legal liability" that they are worried about?  If the customer owns the domain, what liability does the proxy company face?  Keep reading for the answer…

Who REALLY owns the domain name?

Don't be fooled.  Proxy registrations do nothing more than give you the right to use the domain name, called a license.  You do not legally own the domain! 

Look carefully at their proxy agreements.  These agreements are deceptively crafted to state that, while you retain the "full benefits" of domain registration, the proxy provider remains the actual registrant of the domain.  In fact, until more recently, Domains-By-Proxy's website previously stated:  "Your domain is registered in our name, which means Domains By Proxy takes ownership of it." (http://www.webhostingtalk.com/archive/thread/73682-1.html.)   They have since revised their website to remove the "ownership" language, probably because it made too many customers anxious.

Again, ICANN's policy as it currently stands does not recognize the licensee (aka you) as the owner of record.  Remember, section 3.7.7.3 of the RAA clearly states:  "3.7.7.3 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record…" (See RAA at http://www.icann.org/registrars/ra-agreement-17may01.htm. (emphasis ours))

In short, "proxy" or "anonymous" services that offer to hide your name are simply complicated ways of saying, "You don't own it – we do!"  It's a lot like leasing a car; you can fix it, refuel it, and drive it wherever and whenever you want, but you don't own it.  So, how well do you trust the proxy company to give the domain back to you when you want to transfer the domain somewhere else?

Why does this ownership issue matter to you, the customer?  Well, if the proxy companies are (legally speaking) the recognized registered name holder, then they carry the burden of any civil or criminal liability for all activities associated with the domain name.  If you do something bad with your domain name, the person who will get sued or criminally prosecuted is whoever is listed as the registered name holder.  That's why the proxy companies are so eager to cancel privacy and publicize your precious contact information to the world.  They figure, if they're no longer listed as the registered name holder, they can't be sued or criminally prosecuted.  Translation:  Proxy companies have every incentive to cancel your privacy service at the first sign of trouble.  Remember, they want your money, not your baggage.

Dynadot's Privacy Service Forwarding Service

Dynadot's Domain Privacy Service operates like a forwarding service. They insert their company's address, email, and customer service telephone number in place of your own information in the Whois lookup directory.  But, they do not replace your name. Thus you are still the owner.  When they receive mail or email addressed to you, they filter it for spam and bulk junk mail and then forward legitimate first-class mail and emails to you.  This ensures that you only get the important stuff, and not the spam.  This service protects your privacy in that spammers, stalkers, harassers, data miners, and identity thieves can't easily get to you or steal your address and contact information.

And since they are not the registered name holder of the domain, they have no incentive to publish to the world your personal contact information based on mere legal threats.

This is technically a mail forwarding and filtering service.

What is Whois?

The Internet Corporation for Assigned Names and Numbers (known as ICANN) is a non-profit regulatory body that is responsible for managing and coordinating the domain name system.  ICANN requires that all domain name registrations appear in a public database called Whois.  If you register a domain name through any ICANN-accredited registrar or reseller service, your registration will appear in the Whois database.  As it is public, anyone in the world can search the Whois database by domain name and find out the name of the registered owner and his/her contact information.

 

Dr. Rob Longwell