Dangers of Private Domain Registration and WHOIS Masking

January 22nd, 2014

Any time you register a domain name, you must provide valid contact information for the domain owner. This information is published and made publically available in the “WHOIS” database. Anyone can look there to see who owns the domain and contact the domain owner if necessary.

Private Domain Registration is also called WHOIS Masking or contact privacy. It is a service offered by some domain registrars where they will either (a) not publish the domain owner’s contact details or will (b) publish “masked” details — i.e., details that point to anonymous names and addresses at the registrar.

We often get inquiries from clients about protecting their privacy and keeping their contact information out of WHOIS. Many people have legitimate reasons for not wanting to make this information public. However, there are some significant downsides.

Why might you want a private domain registration?

For many reasons, business owners might want to keep their contact information out of the WHOIS databases. Some reasons include:

  1. They may not want people to know who owns the domain name.
  2. They may want to avoid spammers and marketing companies sending spam.
  3. It provides added security (through obscurity).

How effective is private domain registration?

Private domain registrations and contact privacy services keep contact information out of the WHOIS database. However, this is just a veneer of privacy:

  1. Some domain registrars will sell masked/private contact information to anyone who wants it for a small fee. This is a minor hurdle for people who want this information.
  2. Most registrars will drop the veil of privacy at a moment’s notice when asked by government and law enforcement agencies with any justification.

So, private registrations limit casual examination of contact details but will quickly fold for a small price or when the government asks for it.

But what are the downsides?

So far, private domain registration seems like a useful privacy tool. However, before taking the plunge, there are several significant and alarming factors to consider:

  1. Most registrars charge money for the service.
  2. By not listing the business owner’s contact information, they are not considered the owner of the domain name. The domain authorities, like ICANN, define who owns the domain by what is published in WHOIS. They discount any contracts between you and the registrar. Whoever is listed in WHOIS is the domain owner.
  3. The business owner does not have any rights unless they sue the registrar. The business owner does not have legal rights to the domain if not listed in WHOIS. The only way to assert their rights would be to sue the contact listed in WHOIS and cite the contract with them in the suit. This may be difficult if they are in a foreign location or, worse, out of business.

Other Security Considerations

If these legal issues were not enough to convince you of the danger of this privacy vehicle, also consider that:

Many companies, LuxSci included, will use the WHOIS records for your domain to verify ownership of the domain and legitimacy of requests regarding it. Having your contact information in WHOIS allows us and others to contact you in case of any shady or uncertain requests regarding the domain. The information in WHOIS is authoritative, and the contact is the ultimate authority regarding what should happen with the domain. Suppose the WHOIS information is hidden or masked. In that case, there is no longer a viable “ultimate authority,” which weakens the security of your domain and its services.

Of course, any place where the domain is registered can technically change the WHOIS record and lock out the real owner. Then the owner is stuck without access, and the only recourse is to sue. That is not likely to happen because registrars want repeat business. Trusting the domain registrar with a private registration is not a big deal unless the registrar is shady. We would argue that the loss in security due to not having a published contact who is the authority for the domain is an equally significant reason for being wary.

What does LuxSci do for clients who want WHOIS privacy?

Our partner for DNS and WHOIS services is EasyDNS. They do not offer WHOIS masking services and have educated us on some of the legal pitfalls that we have mentioned above that are involved.  

That said, we do recognize the utility of the privacy veneer offered by WHOIS masking. LuxSci will gladly substitute its own corporate information for any domain owner who wishes their privacy to be respected. People can then contact LuxSci regarding the domain, and we can vet those contacts and let the client respond if needed. In this way, we mask their information and act as a middle man for them and pass along requests — so they can still be the ultimate authority for their domains.