How the WHOIS service exposes personal data

One of the most useful tools when registering a domain name is the WHOIS lookup service. It lets one check whether a domain name is available for registration or look up the details of its owner. It is a publicly available service, which means anybody can query it and get the information instantly.

To check if a domain is available, one simply needs to use one of the many online WHOIS query services, and the answer is almost instant. The same information can be used to identify who is behind malicious domain names.

Of late, there have been many privacy concerns about the information that is made available via WHOIS.

The ugly side of a public WHOIS database

The information provided during registration is publicly available to everyone, and ICANN requires that this information be as accurate as possible. It is made available through the WHOIS platform. Domain registries used to offer (many still do) a service where one could pay to have the information hidden from the public records.

The problem with this is that it does not make sense to users. They are asked to provide information to get a domain name, the information is made public to the world, then they are asked to pay to have the information hidden from public view. To a domain buyer, it is like a physical security service provider providing to the public a database of all their clients, their addresses, and the type of alarms they have in their houses, then charging the clients to retract that information from the public.

When you publicly provide information such as an address, phone number, and e-mail address associated with a domain name, you are giving a potential hacker a starting point from which they can hijack the domain. They know the email address that you have used with the domain registrar, and one way to get access to it could be through the phone number provided. A SIM swap is what is needed to set off a chain of events that will lead to domain hijacking.
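A domain owner can audit what their own record exposes. The following is an added example, not part of the original article: it parses a WHOIS response and lists the contact fields that still carry personal data. The two sample records, the redaction marker list and the field names are constructed assumptions, since registries format their responses differently.

```python
import re

# Constructed sample WHOIS responses (not real records).
SAMPLE_EXPOSED = """\
Domain Name: example-shop.test
Registrant Name: Jane Doe
Registrant Street: 12 Sample Road
Registrant Phone: +254.700000000
Registrant Email: jane.doe@mailbox.test
Admin Email: jane.doe@mailbox.test
"""
SAMPLE_REDACTED = """\
Domain Name: example-shop.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the registrar's contact form
Admin Email:
"""

# Assumption: typical redaction wording; registries phrase this differently.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed", "data protected", "withheld")
CONTACT_ROLES = ("registrant", "admin", "tech", "billing")
PERSONAL_FIELDS = ("name", "organization", "street", "city", "postal code", "phone", "fax", "email")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def parse_whois(text):
    """Turn 'Key: value' lines into (key, value) pairs, skipping comments and notices."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def exposed_fields(text):
    """Return {field: value} for contact fields that still carry personal data."""
    exposed = {}
    for key, value in parse_whois(text):
        role = next((r for r in CONTACT_ROLES if key.startswith(r + " ")), None)
        kind = key[len(role) + 1:] if role else None
        if kind not in PERSONAL_FIELDS or not value:
            continue
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            continue
        if kind == "email" and not EMAIL_RE.fullmatch(value):
            continue  # a pointer to a contact form, not an address
        exposed[key] = value
    return exposed
```

Running `exposed_fields` on the text returned for your own domain shows which fields to ask the registrar to redact, or which contact details to replace with role-based ones.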

Data protection laws

With data protection laws being adopted in various places, domain registries have had to act to remain compliant. Most registries like KeNIC no longer display the name, phone number, and email of the domain registrant.

There are still some registries that require one to pay to have their personal information hidden from public view. Arguably, the main motivation for this is that they make good money from offering the WHOIS privacy service. With a few million users each paying $3 per year for privacy, offering it for free would lead to a loss of tens of millions of dollars per year. For domain owners, this is profit devoid of morals, and many feel that it should not be necessary.

ICANN intervention

As early as 2013, ICANN was considering abolishing WHOIS and replacing it with a different system that would have restricted access. Unfortunately, it would be hard to build a consensus on who would be given access to the database, as different people have varied interests. This has not yet been implemented, and building a consensus on such a matter would also take ages.

As of now, it seems that the only way out is to pay for the WHOIS privacy service or leave your data exposed to all.

