Dangers of Private Domain Registrations and WHOIS Masking

January 22nd, 2014

Any time you register a domain name, you are required to provide valid contact information for the owner of the domain.  This information is published and made publically available in the “WHOIS” database.  Anyone can look there to see who owns the domain and to contact the domain owner if necessary.

Private Domain Registration, or WHOIS Masking, or contact privacy, is a service offered by some domain registrars where they will either (a) not publish the domain owner’s contact details, or will (b) publish “masked” details — i.e. details that point to anonymous names and addresses at the registrar.

We often get inquiries from clients asking about protecting their privacy and keeping their contact information out of WHOIS.  Many people have legitimate reasons for not wanting to make this information public.  However, there are some significant downsides.

Why might you want private domain registrations?

There are many reasons why you might want to keep your contact information out of the WHOIS databases.  This includes:

  1. Simply not wanting people to know who owns the domain name
  2. Wanting to ensure that spammers and marketing companies do not start sending you spam.
  3. To provide added security (through obscurity)

How effective are private domain registrations?

Private domain registrations and contact privacy services are effective in keeping contact information out of the WHOIS database.  However, this is really just a veneer of privacy:

  1. Some domain registrars will sell your masked/private contact information to anyone who wants it for a small fee (like $10).  This is a small hurdle for people who really want this information.
  2. Most registrars will drop the veil of privacy at a moment’s notice when asked by government and law enforcement agencies with any kind of real justification.

So, private registrations limit casual examination of your contact details, but can quickly fold for a small price or when the government asks for it.

But what are the downsides?

So far, private domain registrations seem like a mildly useful privacy tool.  However, before you take the plunge, there are several significant and alarming factors to consider:

  1. Most registrars charge money for the service.
  2. You are no longer the “owner” or your domain name. The domain authorities, like ICANN, define who owns the domain by what is published in WHOIS.  They discount any contracts between you and the registrar.  Whoever is listed in WHOIS is the domain owner.
  3. You no longer have any rights unless you sue the registrar. If you are not listed in WHOIS, then you have no legal rights to the domain.  The only way to assert your rights would be to sue the folks listed in WHOIS and cite whatever contract you have with them in the suit.  This may be difficult if they are in a foreign location or, worse, out of business.

If these legal issues were not enough to convince you of the danger of this privacy vehicle, also consider that:

  • Many companies, LuxSci included, will use the WHOIS records for your domain as a means to verify ownership of the domain and legitimacy of requests regarding it.  Having your contact information in WHOIS allows us and others to contact you in case of any shady or uncertain requests regarding your domain.  The information in WHOIS is assumed to be authoritative and the contact there is the ultimate authority as to what should be happening with the domain.  If your WHOIS information is hidden or masked, then there is no longer a viable “ultimate authority” and that actually weakens the security of your domain and the services that utilize it.

Of course, any place where you have your domain registered can technically change your WHOIS records on you, lock you out, and then you are stuck with no access and your only recourse is to sue.  That is not likely to happen — registrars want repeat business. Trusting your domain registrar with a private registration is not really a big deal unless you think the registrar is shady, might go out of business, won’t let you remove the masking if needed, or might sell your “private” information to others.  I would argue that the loss in security due to not having a published contact who is the authority for your domain is an equally significant reason for being wary.

What does LuxSci do for clients who want WHOIS privacy?

Our partner for DNS and WHOIS services is EasyDNS; they do not offer WHOIS masking services, and have educated us on some of the legal pitfalls that we have mentioned above that are involved.  

That said, we do recognize the utility of the veneer of privacy that is offered by WHOIS masking.  LuxSci will gladly substitute its own corporate information in the WHOIS for any domain owner who wishes their privacy to be respected.  People can then contact LuxSci regarding the domain and we can vet those contacts and let the client respond to them if needed.  In this way, we mask their information and act as a middle man for them and pass along requests — so they can still be the ultimate authority for their domains.