13 Nov
Is Registrant Search Threatening Your Privacy?
Registrant Search is the latest service to come out of DomainTools.com and has raised concerns of domainers, shocked by the information which is now available on their portfolio and activities. However this issue has wider implications which should be considered by all domain owners, businesses and privacy advocates.
I wrote an article last year for Jim Boykin’s blog, entitled “What Does Google Know about Your Domain Names”. My theory was that Google became a Registrar in order to obtain WHOIS data from the Registries.
I believe Google has built or is building a tool to analyse domain names. The API access they were given as a Registrar allows them to carry out the level of automated queries they needed for this. I would also go further and suggest this tool is building up a historical picture of each domain through regular scraping of their WHOIS records.
As you can imagine this tool could be very useful for Google. It would allow them to track the age of domain names and connect likely networks and portfolios. They would see when a domain name changed ownership and allow them to adjust the value of that domain in their engine.
At the time this was speculation but this week the concept has become reality in the form of Registrant Search.
The system is built on the back of the DomainTools.com database, which has been busily collecting WHOIS records and logging changes since 1995. For some time now users have been able to view historical records on a selected domain and view name server changes logged. However this week they took the next logical step and linked the records together.
For a fee you can buy a report which will give you all domain records currently and ever registered to a person or company, as logged by their system. As you see here, we can obtain 314,103 records for Google Inc. and 379,367 for Yahoo! Inc. giving us a unique insight into the domain portfolios for those companies.
However it gets scarier when you consider that searches can also be made on individuals. We have 465 records under the name “Danny Sullivan” and 1,556 recorded entries for “Michael Gray”. Although all but the first letter of the domain names are obscured, I recognised the domains under some of my profiles.
The power of this tool is that it can associate domains, even if they have subsequently been sold on or hidden with WHOIS privacy. One weak link in your WHOIS protection could reveal your entire portfolio. For example, if a domain was previously registered in your name and then moved to a company entity, both records would be recovered by the search, tying the two together for anyone investigating.
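The linkage described above can be checked against your own portfolio. The following is an added example, not part of the original article and not DomainTools' method: a self-audit that takes historical snapshots of your own domains and reports which names a history search would tie to each one. All domains, names and dates are constructed.

```python
from collections import defaultdict

# Constructed sample: (domain, snapshot date, registrant shown, privacy on?)
SNAPSHOTS = [
    ("alpha.example", "2003-05-01", "Jane Doe", False),
    ("alpha.example", "2006-02-10", "Doe Media Ltd", False),
    ("alpha.example", "2007-11-01", "Privacy Service", True),
    ("beta.example", "2005-08-15", "Doe Media Ltd", False),
    ("beta.example", "2007-11-01", "Privacy Service", True),
    ("gamma.example", "2007-06-01", "Privacy Service", True),
]

def exposure_report(snapshots):
    """Map each domain to every identity its recorded history links to it."""
    names_by_domain = defaultdict(set)
    domains = set()
    for domain, _date, registrant, private in snapshots:
        domains.add(domain)
        if not private:                      # an unprotected snapshot leaks a name
            names_by_domain[domain].add(registrant)

    parent = {}                              # union-find over registrant names
    def find(name):
        parent.setdefault(name, name)
        while parent[name] != name:
            parent[name] = parent[parent[name]]
            name = parent[name]
        return name

    # Names that ever appeared on the same domain belong to one owner cluster.
    for names in names_by_domain.values():
        first, *rest = sorted(names)
        find(first)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for name in parent:
        clusters[find(name)].add(name)

    report = {}
    for domain in sorted(domains):
        names = names_by_domain.get(domain)
        report[domain] = sorted(clusters[find(min(names))]) if names else []
    return report

if __name__ == "__main__":
    for domain, identities in exposure_report(SNAPSHOTS).items():
        print(domain, "->", identities or "no name in recorded history")
```

Here beta.example never carried the personal name, yet it is tied to it through the company record shared with alpha.example; only the domain that was private from its first snapshot stays unlinked.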
There is also a huge opportunity to discover personal data, including names, addresses and telephone numbers of users who had failed to use WHOIS privacy at an early stage of their domain buying career. As some long-time internet users have pointed out, domain privacy was not available as a service until recently.
Why are people worried?
Apart from the general invasion of privacy, commenters in this thread have put forward specific concerns about the new tool.
If you combined the domain ownership list and the known prices domains were sold at, you end up with a financial valuation of a company or individual. Some of these run into the millions of dollars. Critics have argued that this information could be used by blackmailers or within legal disputes. This data can amount to having your bank statements publicly available.
For domainers involved in UDP (Uniform Dispute Policy) disputes, this information could be used against them in a court of law. Typo and trademark registrations were not as much of a concern in the early days but these cases could be cited as evidence of previous infractions or bad faith.
Individuals may have registered politically motivated domains or ones that they might find embarrassing. The domains we register tell people a lot about us, and which sites we may have operated. Some of these we may wish to remain secret.
The domain portfolios of businesses can be checked by their competitors. This would give useful information on their future strategy and list all their current website properties.
There have been some questions about the legality of selling this information. While WHOIS searches are publicly available they often come with clauses which prohibit electronic scraping and re-distributing. Nominet for example have the following clause:
Use of WHOIS and data: You may not: re-package, compile, re-distribute or re-use any or all of the WHOIS database or data (unless you are a lawful user using an insubstantial part);
use any or all of the WHOIS data for advertising or as part of a process of identifying entities, names or addresses for future advertising activity of any sort (any such use may also be unlawful under the Data Protection Act 1998);
Verisign, the operator of .COM, gives itself more room for maneuver by suggesting this can be overcome by ‘prior written consent’. It’s unclear though whether DomainTools has such consent to compile and resell this data.
Jay Westerdal, CEO of DomainTools, is asking for feedback on this new tool and has already received over 125 replies. The response has been overwhelmingly negative, with many industry leaders joining the calls for this tool to be taken down. However, as has been pointed out, even if this is taken out of public hands there is little to stop them selling the data. The more cynical among us might suggest the publicity surrounding this tool will provide a rich supply of private clients.
One of these clients could even be Google, should they be following similar lines. This data could be sold or leased to help them ‘catch-up’ on the historical records they may have missed.
This episode has been a wake-up call for all domain owners to apply WHOIS privacy to their domains. Historical snapshots do not give you the luxury of applying this at a later stage. Even if you do not need it now, you may thank yourself several years down the line.
November 14th, 2007 at 4:25 am
Hi Nick,
You may have overlooked a portion of one of my comments in the discussion.
You say:
“As you see here, we can obtain 314,103 records for Google Inc. and 379,367 for Yahoo! Inc. giving us a unique insight into the domain portfolios for those companies.”
The comment (November 13th, 2007 at 9:35 am) said:
QUOTE:
I searched for Google inc.:
“We are currently only showing the oldest 1,000 whois records. There are 313,664 other records but we only allow users to order reports under 10,000 results. Please try to narrow your search.”
Does this mean that it is not possible to obtain reports for registrants with more than 10 K “results”?
END QUOTE
:) nmw
November 14th, 2007 at 4:36 am
Hi NMW,
Possibly, that note would seem to indicate they limit results to 10k. I guess that’s not such a bad idea. If you were data mining and put in ‘Smith’ you could end up with quite a large email database ;)
November 14th, 2007 at 6:27 pm
I don’t really think this is shocking. It’s a search engine... that’s all... nothing new.
November 15th, 2007 at 4:24 am
Hey Webprofessor, thanks for dropping by :)
Well, we have two issues here. The first is with historical WHOIS record capture. That has upset some people as they would like to think they can control their own privacy. Picture this situation. You’re getting stalked and you decide it may be a good idea to hide all your personal information on your domains using WHOIS privacy. It’s too late though, your old records have already been captured and are available for purchase.
Historical WHOIS records stop you having any control over this information.
The second issue here though is with linking the records together, as the Registrant Tool has done. This can provide a *lot* of information on a person or company as I have written above. Some people have suggested that WHOIS records are akin to property deeds for a domain. These are freely available for purchase so why can’t these records be also?
However I wasn’t aware of any public service which gave you an entire property list (past and present) for an individual. This is the bit that worries domainers. Putting that list together with the publicly listed auction sell prices allows you to make estimates of an individual’s net worth.
You’re right though, this is just a search engine but it’s one which focuses on making money from selling your personal information. There is no opt-out or recourse to have information removed. I can see why that is upsetting people.
January 29th, 2008 at 3:53 am
Hi Nick,
Selling the historical WHOIS record is totally more than unacceptable, this behavior is illegal.
You are GREAT right, the domain owner can change the WHOIS information or use WHOIS privacy, but all the history information cannot be protected. Historical WHOIS records stop you having any control over this information.
Let’s make an assumption: when you lived in NY last year, you had a domain WHOIS, and DomainTools.com already added this WHOIS into their database. You move to LA this year and, for better contact between you and the registrar, you change the WHOIS. I believe absolutely that DomainTools.com will add this new WHOIS into their evil database as soon as they can.
Guess what, everyone can get all your information about both your NY and LA addresses, phone number, fax number; this only needs $15.00, as DomainTools.com offers. Everyone can find out more and more information about you and your family with these two sets of associated WHOIS information. The only cost is $15.00.
ALL YOUR PRIVACY WILL NEVER BE DELETED EVEN AFTER 100 YEARS.
The business of DomainTools.com is totally more than unacceptable, more than illegal; the only word that can match it is EVIL.
August 14th, 2008 at 11:14 am
I’m esp. concerned about the fourth comment in the post:
“The domain portfolios of businesses can be checked by their competitors. This would give useful information on their future strategy and list all their current website properties.”
Can’t agree more! I usually visit DomainTools from time to time to check my websites’ pages, just today I saw that evil link in the DomainTools Exclusive section, now anybody can click and see a complete list of all the domains I have, I can’t express how annoying this is. It’s not a problem for the websites that are already up and running but what about those websites that are under construction and don’t want anybody to know about until they become online? Now anybody can have a look and see what you’re planning to do! This is just horrible!!