Reasons to Leave Me the Hell Alone Already
After I wrote my little diatribe about the evils of telemarketing, I started to think a bit more about privacy in general, and my identity, specifically.
Now, I must qualify a few things. One, I'm really not that paranoid. I have friends and acquaintances who put me to shame in that department (some have their reasons; others... well, look out for their pictures in the post office). Two, I don't have a criminal record or anything like that (just a driving record with more points on it than Kobe put up last season). Three, I have a web site, righ'chere, but, I mean... there's really not much at all going on (I know of two people who actually read anything here, and one of them is me). I don't sell anything, I don't, as far as I'm concerned, have any agenda I'm pushing. There is no porn here. I'm just a guy with a little site, mostly minding my own bidness.
Something occurred to me a few days ago, regarding my site. That particular something is a something I've more or less let go for as long as I've owned bansheewerks.com, as in the domain. It's a something that many, many folks with domains have let go for years, and a something that probably a great many have never even considered or worried about. A bit more on that something in a moment.
A lot of what I'm going to cover here in this little story will be old hat for a lot of folks who own a domain. For many, it's probably No Big Deal. For a few, however, it might be something you haven't considered. For the rest of you, this is just a cautionary tale. I've tied up loose ends, and I feel better now. And just remember: there's no "I" in "paranoid." NO, there's NOT.
When one decides that one simply must have a piece of real estate on the Web, i.e., a domain (a whatever.com, for example), getting hold of one is pretty simple. People buy domains just to have them. There was a big boom in the mid-'90s where people were going out and buying domains, popular ones that folks would want, something like "food.com," and reselling them to corporations who wanted to have the domain as identity. A few folks made money on this. The cost of a domain is pretty cheap, and some companies were willing to pay a relative lot of money to have a particular domain name.
Domain names are managed by entities known as registrars, or registries. These are the companies who take your money so you can own biteme.com. They charge you a "setup" fee and yearly fees to keep the domain. It's pretty big business. It is necessary. It can also be an immense pain in the ass dealing with these registries. More on that in a bit.
By far and away the biggest, baddest player in the registrar game is VeriSign, with offices in scenic Sterling, Virginia, should you like to pay them a visit. (Network Solutions [NSI] was the sole registrar of Internet addresses from 1992 until 1999, when the Commerce Department approved the creation of new registrars to compete with NSI in the booming market. VeriSign acquired Network Solutions in 2000. Source: News.com.)
VeriSign or NSI, however you want to look at the company, these folks were pretty much The Registrar for many years, basically a monopoly, and they did everything they could to keep other startup domain registries out of business for a long, long time. Eventually a few alternatives to VeriSign managed to establish themselves, after much battle in court and sessions with the Internet Corporation for Assigned Names and Numbers (ICANN) and what have you. It's far more than I have the energy to cover here, but suffice it to say that the registry game (like a great many Web governing bodies, sadly) is completely and utterly... effed up. That's putting it nicely.
Suffice it also to say that VeriSign continues to manage the lion's share of domains. It's a pretty good bet that just about any domain registered before, say, 1999-2000, was registered with NSI and is now managed by VeriSign, unless the registrant freed themselves of VeriSign's steely grip, post-1999. More on that in a few.
Why is all of this important and how does it relate to privacy? Well, I'll tell you.
The following is old news to just about anyone who has been savvy enough to click around on the Web. Anyone, at all, can do what I'm going to describe. I'm not going to tell you exactly how to do this thing, which relates to the something. Doing the thing related to the something is completely legal. And I will state, in some cases and really, in intent, the thing, as well as the something, is in place to guard the consumer - in other words, "It's there to protect you." That is exactly what VeriSign will tell you, if you raise the something as an issue, in any event.
There's this thing called WHOIS. It's out there. It's on the Web. It's been out there for years and years. WHOIS is a database of domains and IP addresses (don't worry about it - and a domain is really just an IP address, but again, don't worry about it - it's not that important). If you have a domain or an IP address, it is listed in WHOIS. People use WHOIS for all sorts of reasons: good, bad, nefarious, illegal, clueless, revenge-seeking, pinup-girl-website-stalking, ping-attacking. Et cetera. WHOIS is, in my opinion, a good thing. That's not what this is really about. I have no problem with WHOIS. I have a problem with what is in WHOIS and how that information is used.
[The absolute last thing on earth I want to do with this installment is encourage anyone to mess with anyone using methods intentionally left vague below. Please don't be a jerk with anything contained herein. I provide this information as more of a public service announcement than anything. Plus, I'm pissed.]
If you knew (or know - again, it's really, really easy) how, you could pick any old domain, say, "comeoninandclickme.com," right now, and plug that domain in a WHOIS search (you'll have to find out exactly how to do this on your own, and again, it ain't no big deal at all). And you would find a listing. In that listing you would find some information on that domain. You would find, for instance, the registrant, the person or entity who registered the domain. You would find, most probably, an administrative contact, the person or entity who administers the site (usually, in the case of a dinky little private site run by a person - like me - it's the same person as the registrant). And you would probably find a technical contact, which is usually the entity who hosts the site. Most folks, unless they host their site themselves, contract hosting out to a hosting service, which simply means that they lease some server space somewhere, and that's where they keep the data on their site, and the host deals with the traffic on the site, etc.
With me so far? Sound like a big deal? Yes? No? Maybe?
If you have your own domain or maintain a site and you've never done a WHOIS lookup on your domain, I strongly urge you to do so. Right now. You might be surprised at what is, in fact, listed on WHOIS, in your name. This is, you guessed it, the something.
For as long as I've owned a domain, which is about five years, my domain's WHOIS lookup showed a bevy of personal information. For five years I sort of let it go. It was something I always thought of looking into. Despite the fact that my personal email address does not exist anywhere on bansheewerks.com, I get more than 200 spam emails a week at that personal email address (and far more at my junk email addresses). The amount of email I receive, working for A Very Large Tech Company, is staggering to begin with. Spam is a fact of life for me. I mass-delete 20-30+ spam emails per day. It's annoying, but it's something I deal with. My personal email address is something I try like hell to keep private. But hey, here it is, on WHOIS. In fact, to my knowledge, WHOIS is the only place on the Web that my personal email address exists (at least under my own cognizance; I did find one source who quoted me and included, with no malicious intent, my personal email address). Interesting...
What else is on WHOIS pertaining to my person? What's this? Oh, my home address. And my phone number and fax. I've had an unlisted number for more than 10 years, but here's this listing on the Web, on WHOIS, for my protection, that lets any old wingnut know just exactly who and where I am, and how to contact me. Why, they might as well just stop by for coffee while they're in the neighborhood (P.S., don't).
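An added example (not part of the original post): a small Python check you can run over the text of your own domain's WHOIS record, once you have it, to see which contact blocks carry details you consider private. The two records, the "Role Field: value" layout, and every name and value below are constructed for illustration; real records vary by registrar.

```python
import re

# Constructed records; every value is made up. BEFORE lists the owner directly,
# AFTER shows the same domain behind a hypothetical proxy service.
BEFORE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Pat Example
Registrant Street: 123 Sample Lane
Registrant Phone: +1.5555550100
Registrant Email: pat@example.com
Admin Name: Pat Example
Admin Phone: +1.5555550100
Admin Email: pat@example.com
Tech Organization: Example Hosting LLC
Tech Email: noc@example.net
"""
AFTER = """\
Domain Name: EXAMPLE.COM
Registrant Name: Proxy Contact
Registrant Street: 1 Proxy Plaza
Registrant Phone: +1.5555550199
Registrant Email: example.com@proxy.example
Admin Email: example.com@proxy.example
Tech Email: example.com@proxy.example
"""
# What the owner wants kept private, typed the way the owner would write it.
PRIVATE = {"home address": "123 Sample Lane",
           "phone": "(555) 555-0100",
           "email": "Pat@Example.com"}

ROLE_LINE = re.compile(
    r"^\s*(Registrant|Admin(?:istrative)?|Tech(?:nical)?|Billing)\s+([^:]+?)\s*:\s*(.*)$",
    re.IGNORECASE)
CANONICAL = {"administrative": "Admin", "technical": "Tech"}

def parse_contacts(record):
    """Return {role: [(field, value), ...]} for the contact lines of one record."""
    contacts = {}
    for line in record.splitlines():
        m = ROLE_LINE.match(line)
        if not m or not m.group(3).strip():
            continue  # not a contact line, or the value is blank
        role = m.group(1).lower()
        role = CANONICAL.get(role, role.capitalize())
        contacts.setdefault(role, []).append((m.group(2).title(), m.group(3).strip()))
    return contacts

def normalize(value):
    """Fold case; reduce phone-like values to digits so formats compare equal."""
    v = value.strip().lower()
    digits = re.sub(r"\D", "", v)
    if len(digits) >= 7 and not re.search(r"[a-z@]", v):
        return ("phone", digits)
    return ("text", re.sub(r"[\s.,]+", " ", v).strip())

def same(private, listed):
    """True if the listed value carries the private one, ignoring formatting."""
    pk, pv = normalize(private)
    lk, lv = normalize(listed)
    if not pv or pk != lk:
        return False
    if pk == "phone":  # tolerate a country code on either side
        return pv.endswith(lv) or lv.endswith(pv)
    return pv in lv

def audit(record, private_values):
    """List (role, field, label) for each private value found in a contact block."""
    return [(role, field, label)
            for role, fields in parse_contacts(record).items()
            for field, listed in fields
            for label, private in private_values.items()
            if same(private, listed)]

if __name__ == "__main__":
    for name, rec in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(rec, PRIVATE))
```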
In addition to loads and loads of telemarketing calls these days, I get bushels full of junk mail (I know, like everyone else). But curiously, almost all of this junk mail is addressed to "Banshee Werks." Now that's interesting. Why? Because, well, I'm not a corporate entity. If there's a space for "Company" on some form somewhere, I don't write down "bansheewerks.com." Because that's just pompous. And because I'm just a guy with a laptop and a busted foot. But, according to this envelope containing a fake Visa card, Banshee Werks has been pre-approved to get screwed by some offshore scam if Banshee Werks would simply Sign Here. Now, I wonder where people are getting my home address? And how would they associate it with my web site? Oh... That's because WHOIS lists them both together, right here, on the Web.
For some folks, this stuff might not be a big deal. A few flyers and a gold card in the mail now and again. A cold call once in a while. Some people welcome the contact of complete strangers. I believe Erica Jong is one such person. If you don't care, no problem. Stop reading here. Have a nice day.
The ratio of junk mail to real mail that comes to my address is about 5:1 (and by the way, hello again). I get cold called at work daily by some fathead broker or real estate peddler. Junk mail is a waste of natural resources. I abhor it. I have never bought one single thing from a telemarketer (okay, I did, once, in college, but that's too long a story, maybe later - and it was more than a decade ago, and it was a scam [and probably put me on The List of Dopes]). I hate the phone to begin with. I already told you about the suspicious lunchmeat appearing on the quarter hour in my electro-inbox.
So yes, my point is that the information contained in WHOIS was contributing to my general unease and was the source of, I estimate, the majority of the crap with which I've been dealing. Yes, I maintain, the more egregious examples of invasions of privacy I've encountered lately, have been the result of what is listed in WHOIS. The rest is just the result of undistilled evil, what I've taken to calling wingnuttery, because it sounds cuter.
How did all of this happen, you ask? Why did WHOIS do this to me? Well, WHOIS didn't do anything. WHOIS is good people. The people who did this are Bad People. Here's how it works.
Registrant desires domain comeoninandclickme.com. Registrant (you know, the dude who wants to have a site) contacts, more than likely, VeriSign, and registers domain. I'll get into VeriSign's cryptic process of communicating with the customers it so values in a moment, but let's just say the registrant gets through registration without too much of a hitch. In the process of registering the domain, the registrant provides billing information to the registrar (i.e., VeriSign). The registrant (hell, anyone who needs to pay for something) basically has to do this. They have to be able to bill you and have correct contact information. And, in the event that you do something illegal or someone has a complaint against your site (like say you suck and you ripped someone off with some snake-oil transaction, for example), the information is there, in the hands of the registrar, and they can put whomever in touch with whomever (this process is, thankfully, highly [and some would say poorly] regulated).
What VeriSign (and other registrars, most likely - this is all mandated process) never makes clear in the registration process is that they are going to put your personal billing information on WHOIS. So the billing information you give to them to complete the transaction? Goes straight to WHOIS. And there's not a damn thing you can do about it. VeriSign is not the only registry who does this, but not all of them do. A number of them don't provide personal information on your WHOIS listing (Tucows OpenSRS registrations don't seem to contain registrant info, for example). I'll be damned if I know why, or how that works (you'll just have to do some random WHOIS queries of various domains to see what I'm talking about). But I'll tell you, I never asked, to my knowledge, that my home address appear on WHOIS, and if someone had told me it would appear in the database (you know, really clearly, not some tiny type somewhere, but some Big Important Announcement of Identity Listing IN CAPS YOU MUTHA, because I think this is the kind of thing that warrants that sort of fanfare), I'd have tried to do something about it.
It was a year or so after I registered a domain before I even did a WHOIS lookup on myself. At the time, when I saw what I saw, I didn't much care that my information was out there. Several years later, under a ton of junk calls, mail and email, not to mention a number of hate mails (I have no idea, none whatsoever), I'd had enough.
I attempted to contact VeriSign about removing the personal information. Don't bother calling them. Their customer service line is a dead end. I tried using their contact email forms and asked [nicely, at first] if I could please remove my personal information from WHOIS (there are account management functions that allow you to update and change contact and registrant information on your listing - but you are prohibited from removing information). I was told that the personal information had to stay on the listing, by decree of ICANN, for my own protection. Here is the first email I received from VeriSign:
Thank you for contacting VeriSign.
Your information is publicly available in our domain name
registration database for several reasons. For example,
it is the only way a domain name registrant can easily
determine if the domain name registration record is current
and accurate. Additionally, it is the registrant's only
means of determining who has been designated as the
Administrative, Technical and Billing Contacts to act on behalf
of the registrant.
If you prefer to keep your street address private,
we recommend that you establish a post office box and
use it as your public address in our database.
Renting a P.O. Box runs about $100 a year in my area, by the way. This would be a P.O. Box I would pay to never visit for a mere $100 per annum. All because these dolts won't take my personal information off a database they maintain on my behalf. I had a couple of followups with VeriSign, in which they essentially implied [NIC-04040404.5555] I Don't Get It and that I might consider [NIC-04040404.5556] Pounding Sand. Then I got into one of their auto-generated mail loops and gave up. Which saves them an awful lot of effort, come to think of it...
I considered, after talking to my hacker friends for a little while, simply altering my information in WHOIS with a bunch of bogus information. Actually, I did. In order to do this you have to respond to a stream of automatically generated emails from VeriSign that are unbelievably cryptic. If you get one little line or character out of whack, the mail will get bounced and you'll get in a loop of automated, robot-generated bouncemail. It is far and away one of the most frustrating exercises I've been through (the process is in place, in truth, to prevent fraudulent changes to your domain listing, and hey, I bet it works really well - in fact, it would be interesting to see data on how many changes are ever successfully updated through VeriSign's system). It took me six bounces and a day of rest before I finally got the bogus info updated. Listen, I'm not that dumb.
Which is, in fact, illegal - the bogus info ruse - I found out later (don't worry, I'm a good little pup: I undid it; see below). VeriSign is actually being sued for inaccurate listings in WHOIS - folks routinely beat the system by entering bogus information into WHOIS listings - in the lawsuits alluded to here, those folks have domains managed by VeriSign. It's a quite common tactic, actually. Most people input bogus information for reasons I've hopefully made clear thus far. However, some folks input erroneous information so their evil deeds on the Web can go untracked. Yes, still more Bad People. (If you're interested, VeriSign has a list of class action lawsuits longer than any arm you might want to wrestle. For more information on that topic, get clicking.) But that's another matter - my little walk on the wrong side of the law - and, for reasons I'll reveal very shortly, it's a moot point anyway.
So in talking to one of my good little hacker friends, that friend recommended that I transfer my domain to godaddy.com. Go Daddy got into the registration game, like a number of other upstarts, a few years ago. My friend said he'd had good luck, but did warn me that my mileage may vary.
I took a look at Go Daddy's web site, and I found an interesting link that described a service allowing registrants to register "private domains." Go Daddy provides this service through a sister company called Domains By Proxy (DBP). The long and short of it is that you can use DBP to keep your information on WHOIS private. The information listed on WHOIS, if your domain is managed by DBP, is actually that of DBP. If you want, you can have email forwarded by a proxied (i.e. alias, i.e. fake) email address to one you designate. Like a junk email address you've created at hotmail.com or yahoo.com. Or... you can choose to never have any email or snail mail forwarded to you.
It's brilliant. I think...
I called Go Daddy and an actual human answered the phone. I talked to a guy, seemed like a nice fellow, for some time about my concerns. He answered all of my questions and in the end I arranged a transfer of management of my domain name to Go Daddy, from VeriSign. The guy did warn me to expect a very confusing automatically generated email from VeriSign that would be as cryptic as any I've ever seen from them (VeriSign is infamous for this method of communication and they have been sued for predatory practices related to misleading email scams - I defy anyone to make good sense of any of their communications). I got that email today. About 60 lines into the email, which began with a strongly worded greeting about how valued a customer I am, which led directly into a spiel about a special offer and "Click Here," and all of the powerful tools at my disposal; yes, about 60 lines in, was one poorly constructed line of instruction on how to complete the transfer, if I so desired, by cutting and pasting this one line into the subject of the mail. I managed to get it done in one send. There is justice.
The guy at Go Daddy called me this morning and we finished the deal. The whole thing cost me less than $20, all told, and about three days of being extremely pissed off. Hopefully these folks will play fair. At any rate, my personal information is gone from WHOIS, and, depending on how you look up my domain, you'll get anything from not much at all to the DBP aliased information.
So you might wonder why VeriSign was so hell-bent on keeping my personal information, my address, my phone, my email, on my domain's WHOIS listing. I sure wondered. I mean, in the event that I did something naughty or gave someone the shaft, that someone should be able to contact my host, or VeriSign, for that matter, and report the domain, which eventually would get back to me, provided folks did their jobs. I just don't see why the registrant's personal info should have to be on WHOIS. VeriSign has my billing information, whether they list it or not. I exist, whether I'm in WHOIS or not. And if someone really wants to get hold of me, they can do that, right here on my site. Been that way for five years. Though, yes, I realize some folk could masquerade behind an identity or simply not provide a way to contact them. Anyhoo...
It seems to me, and maybe I'm missing something, but it appears that the only real reason for listing my information, at least in practice, is to make it available to third parties.
It seems to me quite plausible that VeriSign and a few other registrars hide behind "guidelines" set forth by ICANN as an excuse to, I don't know... sell my information to telemarketers and direct mailers and spammers? Or at least enable them? Wink-wink, nudge-nudge. Say no more. That seems entirely plausible to me. Because really, those are the only things to have ever sprung from that formerly public listing, as far as I can tell. That, and a handful of wingnuts hassling me and calling me names.
If you do a WHOIS lookup just about anywhere, you'll probably see a disclaimer on the lookup that says something like... well, I'll just quote from one in particular:
Note: Hello, I'm the freakin' registrant. And I know who the Admin is. It's me. And the Tech contact? That's the putz I pay to host me. Billing? Also me. But hey, thank you for your concern.
and my response:
In a message dated 9/19/2002 1:36:24 PM Eastern Daylight Time, verisign.com writes:
> Your information is publicly
> available in our domain name
> registration database for
> several reasons. For example,
for example, it's the only publicly-available method folks currently have for:
1. telemarketing me ad nauseam
2. junk mailing me ad nauseam
3. spamming me ad nauseam
4. perpetuating other crap i'd rather not get into
so i have to go out and spend money on a p.o. box... there must be a reason why your customer service number is busy 100% of the time.
So you get it, right? They say you can't, that you shan't, that it is forbidden. But people do. There's nothing in place to stop them (Go Daddy does have a mechanism in place to foil harvesting information, or data-mining).
These Very Bad People, and they're out there, they write a script, and they plug in domains, and they run batch queries against the WHOIS database, and they take your address and your phone number, and they put everything on The List and they basically screw with you, variously. That's what happens, folks.
Yes, I get some junk from catalog lists and magazine subscriptions, and from buying stuff on the Web from companies with very lax privacy policies who sell my email address. But I get more junk, based on the lightning-fast, sociopathically-driven investigation I've conducted just lately, as a result of the boneheads who work the gate at WHOIS (i.e., in my and many others' cases, VeriSign), who made my personal information public. And if it isn't the data-mining jackholes getting hold of this stuff, it's the nutter who likes your photos a little bit too much. Or doesn't like them enough. Or something. You can't freakin' win.
So do something about it. Ditch The Evil. If your domain is managed by VeriSign or another registrar and you don't want to have your personal information listed in WHOIS, demand that they remove it, and if they don't (I admit I didn't give them much time - and I did file a complaint with Internic - like it really matters), and they won't (but maybe enough knocks at the door...), find someone who will.
For the record, I understand the [good] reasons behind listing registrant info in WHOIS. But I think there are far too many bad things Bad People can do with that information, and I think Good People should have the right and the tools to do something about that.
I've made some great friends on the Web over the years. It's a fabulous tool. I don't know what I'd do without it. Friends of mine, take no offense at this. I'm not talking about you here. Keep yakking my way.
The rest of you simps, you pushers of piles of waste, you just simply have to go to hell.