Previous month:
June 2015
Next month:
August 2015

July 2015

How to Protect Your Privacy When You Register a GTLD Domain Name

ChurchillonwhoisRecent efforts to introduce or revise policies governing Whois for ICANN generic Top Level Domains have come under intense criticisms of the policy regarding public display of point of contact information associated with a domain name registration  (1, 2, 3).  In this post I provide some explanation of a domain name registrant’s obligation to provide complete and accurate point of contact information and also explain how to register a domain name without disclosing personal data.

What the RAA says

The 2013 ICANN Registrar Accreditation Agreement RAA says the following about public display of registration data: 

“The Registered Name Holder with whom Registrar enters into a registration agreement must be a person or legal entity other than the Registrar” (4)                                                   

The phrase “Legal entity other than the Registrar” is included in the RAA to make clear that submitting the name of a natural person is a choice not an obligation.  The obligation is that you submit contact data – legal name, postal address, voice telephone number, email address – that will allow parties to reach you, your business or organization, or an agent that you authorize to respond on your behalf to technical or administrative inquiries. The very existence of domain privacy services demonstrates that personal names – and identifying data generally – are not required. (It is also worth noting that subsequent clauses in the RAA accommodate the enforcement of personal data protection laws where such apply.)

There are many ways other than using your personal data or a privacy protection service to satisfy this obligation. Some examples follow.

Your registrant name need not be your natural name

If an individual chooses to do business under his or her natural person name, and also chooses to submit this name as a registrant name, then it is true that a Whois query would return the registrant’s natural person name. If you don’t want to expose your natural person name and you live in countries where personal data protection laws do not apply, you still have options.

For example, if you do business in the United States under an assumed business name (DBA), then you can submit this legal name as the registrant organization name and use a role name such as “domain contact” or any name that is meaningful to you as the Registrant Name, and you’ll fully comply with the Whois obligation. 

This is a common large enterprise practice, see, for example:

Domain Name: DUPONT.COM
Registrant Name: Domain Name Management
Registrant Organization: E.I. du Pont de Nemours and Company
 

Domain Name: CISCO.COM
Registrant Name: Info Sec
Registrant Organization: Cisco Technology Inc.

Domain Name: GRATEFULDEAD.COM
Registrant Name: Rhino Entertainment
Registrant Organization: Rhino Entertainment

Domain Name: BEYONCE.COM
Registrant Name: Domain Administrator
Registrant Organization: BGK Trademark Holdings, LLC
 

If it's good enough for Beyoncé, it's probably good enough for you. There's a cost: you'll have to incorporate or file your DBA. There are advantages to filing a DBA and privacy protection is one of them. My experience having once established a small business is that the benefits of filing your DBA are worth the cost.

Your registrant email need not be your personal email

You are obliged to provide a reachable email address so that your registrar can contact you with notices regarding your registration and also for situations where someone must contact you for technical or administrative purposes, however, you do not have to use a personal email address. Instead, use an email address that is separate from your personal email address.  ICANN’s Security and Stability Advisory Committee recommends such measures for security minded organizations and also comments that:

“Individuals or small businesses can implement a similar defensive measure. Create email accounts for points of contact through an email service provider that has earned a positive reputation for managing its mail service.” (SAC 044)

SSAC further recommends that you should use email address named outside your domain name for domain name registration.  For example, if your domain name is marysembroidery.<tld>, you could create a email address at Gmail of the form domainsofyourregistereddomain@gmail.com. or domainsofyourregistereddomain@yahoo.com.

Debunking the “but I’ll get lots of spam” myth

I follow the advice I give here. I’ve created an email address for my domain name registrations. I don’t use this email for any purpose not related to my domain name. Below is two years’ correspondence from my In Box of my Gmail account for my domain and I haven’t received spam at this address.

Inbox

SpamWhile #YMMV may apply, the evidence I illustrate here is consistent with the findings from an ICANN SSAC study (SAC023) on whether Whois is a source of email address harvesting for spammers.  

You can keep your phone number personal

If you choose to use your home or personal mobile phone number to conduct business, you’ve made a conscious choice to conflate this phone number’s purpose as both personal and business. It is again likely that you’ve published this number on business cards, your web site or in a phone directory. 

You are, however, not obliged to publish your personal phone number. Get a separate phone number for your business use. A Skype Personal Number or business number or a VOIP number from a service like NocTel or Vonage will do nicely  Some small businesses choose to use Google Voice. Your options are simple, abundant and inexpensive.  And so long as you can be reached at this number, you’ve complied with the Whois obligation.

You needn’t provide your home address as a Whois point of contact address

If you choose to publish your home address in any online or printed directory form, or on your web site, then publishing your address in Whois does not expose you to more or different data collection than you’ve already accepted.

You are, again, not obliged to publish your home address or address of any other physical residence. You can rent a postal box and use this, or (better) you can arrange with your attorney, accountant, agent or other party whom you know and trust to use their address as your postal address. I favor this approach because these are parties that you know and trust. As your authorized representatives, they will do as you instruct, consult with you, and comply with legal orders. These services may incur a fee, but while these fees may be higher than a privacy protection service, you know that these parties are very likely to serve you personally and well.

Having to choose is not the same as forcing you to disclose

Claims that ICANN will force you to disclose personal data are patently wrong. You have a choice to disclose personal data or to substitute equally compliant, complete and accurate contact information without revealing personal data when registering a domain name from an ICANN accredited registrar for an ICANN accredited Top Level Domain. There may be fees involved, but it should be increasingly clear today that what is "free" on the Internet often costs you in units of personal data. If you are interested in protecting your personal data, think carefully about protecting your personal data and about the value of separating business from personal identities. As an individual or home/small business operator, assess which arrangements of the kinds I’ve illustrated meet your needs.


Cry havoc! and let slip the iPad investigators of malicious domains!

For some time, I've used an Android tablet, for the simple reason that Android offered more security and networking utilities. The availability landscape has changed, and I've found iPad apps that meet my mobile needs for five tools I use routinely from a laptop to query domain, IP address, autonomous system, registration and reputation information. I'd encourage anyone who investigates DNS or IP badness to try these. 

DNS Stub Resolver

NslookupproRegardless of the kind of crime you're investigating, you will invariably find a need to look up domain names, IP addresses or autonomous systems.  For this you'll need a client app that behaves like a stub resolver. Since I also want to be able to configure the recursive resolver I'll use for investigations (who knows who's logging what?). I like:

NSLookup Plus. Using defaults, this app returns ANY records for a name you query. You can choose query type, class, timeout and name server. You can also choose to use recursion, cache or to force authoritative. Responses are "Explorer-formatted": you can drill down on NS and MX names to resolve these. This app saves your responses: tap the submission form to reveal your previous queries in an editable list.

Whois Client

DeepwhoisYou'll also want to learn who's registered domain names. For these purposes, you'll want a Whois app but you'll also want your Whois client to query IP and ASN information. I looked for an app that allows me to choose my Whois server. For a standalone app that gives you a classic look, Linux command line response, try 

Deep Whois. This app lets you to specify Whois server and timeout and you can add support for new TLDs as they are delegated. It stores your queries, has a convenient copy or mail feature and supports multiple languages. It handles IP and ASN Whois correctly. Does the job well and quickly.

Geolocation Service (Geo-IP)

IplocationWhile Geo-IP is not a reliable indicator of the actual location of a host/IP, it's often useful in fraud or other investigations. The folks at Dayana Networks who developed NSLookup Pro offer geolocation service for free via an app called

IPLocation. Submit the IP, get a pin drop on a map, satellite image or hybrid of the two. You can accumulate pins for a list of addresses you've queried, which can give some very interesting results. A multiple entry submission form would be a nice addition.

Anonymous Browsing

RedonionAnonymity is important for an investigator. If I have to explain why, you may be reading the wrong post, but read Want Tor to Really Work? for insights. Tor Project doesn't have an app for iOS so knowing that all the browsers I found at the App Store are derivative-developed, I am happy with:

Red Onion Browser. All the anonymity and privacy hooks seem to be here. You can customize your Tor config and Tor bridges and create new identities.  If you've enabled Touch ID, you'll be challenged to verify your identity. 

Reputation (Blocklist) Checker

Rblstatus1tinyIf you are investigating a domain, IP or URL, there's a good chance that someone else is, too. Or has. It's good practice to check a domain, URI, or URL at VirusTotal early in your investigation. It's also good practice to check a reputation list to see if someone's already identified your target as malicious or criminal. While you can use the DNS stub resolvers I mentioned to check individual reputation lists (e.g., Spamhaus DBL), try

RBL Status. This terrific app is similar to Jerry Gamblin's Python script, isthisIPbad? It checks the IP or domain you submit against a long and customizable list of reputation services. So far as I can tell, it's the only app of this kind and it rocks.

Cry havoc!

My colleague and friend, Allen Gwinn, is the Socratic ideal form for a mobile worker who can do everything from an iPad. I'm still carrying a Macbook Air on my travels and while I remain skeptical that I can do everything from my iPad, I'm enthusiastic that I can do far more than I had anticipated. Try these apps - you too, Allen - and share your favorites!