
Net scam-fighting tool disappearing?

Duane Hoffman/msnbc.com

To some, it's the best way of screening out Internet scam artists. To others, it's a spam attack or identity theft waiting to happen. The disagreement is at the center of an international tug of war that could ultimately change a basic Internet tool and, according to critics, make life much easier for cyber con artists.

Today, every Web site owner must supply detailed contact information when registering a new Internet domain. That information is made readily available to all Web users through a simple tool called "Whois," which dates back to the origins of the Internet. When Web site owners register their domains with companies called registrars, they are required to supply personal contact information. Then, anyone with an Internet connection can usually access the data and find out who is behind that particular Web site.

Many privacy advocates think the Whois system is antiquated and even downright crazy.

By publishing e-mail addresses, phone numbers and sometimes home addresses, the Whois system exposes millions of people to criminals. Detractors, who have been fighting for six years to eliminate the service, say that's a needless privacy violation.

On the other side is a coalition of consumer advocates, U.S. law enforcement officials and industries worried about piracy, such as U.S. music and film companies.

Their battle will be joined anew next month when the Internet's governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), meets in Los Angeles.

Eliminating the Whois service would make it easy for Web site owners -- from protestors to criminals -- to remain anonymous.

Piracy-fighters use Whois information to quick-start lawsuits against file-sharing Web site owners. Phishing fighters use it to track down Web sites that steal personal information. The U.S. Federal Trade Commission says it uses the data to find and sue spyware companies and other Internet bad guys. Journalists use it to track down unwilling interview subjects.

'One of the first things we teach'

And while few consumers take advantage of it, some use Whois to sniff out potential con artists. Simply looking up a site's registration information is often a great tipoff to a firm's legitimacy -- or its desire to be sneaky. Faked information, such as phone numbers like (999) 999-9999, indicates the company doesn't want to be contacted, usually a bad sign.

"It's one of the first things we teach consumers to do, look up the Whois information," said Beau Brendler, director of Consumer WebWatch, the Internet arm of Consumers Union. Brendler, a recent appointee to an ICANN advisory board studying the issue, is a vocal opponent of shutting down Whois access. "There needs to be a way for consumers to get at this information."

The U.S. Federal Trade Commission also is a staunch supporter of keeping Whois data widely available. Last year, FTC Commissioner Jon Leibowitz made an impassioned plea to keep the data public.

"For the past decade we have used Whois databases in virtually all of our Internet investigations," he said during a congressional hearing. "It is often one of the first tools we use to identify wrongdoers."

Antiquated system?

Privacy advocates also have a long list of arguments in favor of their position that Whois should be shut down. Chief among them is that the Whois data is not nearly as useful as its advocates make it out to be. Criminals can easily foil the system by entering false contact information or using proxy services that hide their identities.

"Whois is an anachronism. There are much better sources of this information now," said Ross Rader, who operates the popular Canadian-based domain name registrar Tucows. Rader also is on ICANN's chief domain name policy-making committee, the Generic Names Supporting Organization. While ICANN has been stalling over changes to Whois, market forces have created their own answer to the problem, he said -- proxy services that register domains for individuals who wish to remain anonymous. These firms enter their own contact information into the Whois database for a fee, allowing the site owner to remain anonymous.

This solution, however, is imperfect, he notes, as proxy services are largely unregulated. Some are too eager to give information to law enforcement, and others are too easily used by criminals to hide. Meanwhile, they are not allowed on some sub-domains, such as the .US subdomain. The end result is less consumer-friendly than a reformed Whois system, Rader argues.

Another ICANN advisor, privacy attorney Wendy Seltzer, said the Whois requirement remains a severe hindrance to the Internet's important role as bastion of free speech. Protestors and bloggers should be able to speak their mind on Web sites without fear of having their identities exposed, she said.

"I feel quite strongly that privacy should be respected here for free speech and First Amendment principles," Seltzer, now a staff member at the Electronic Privacy Information Center, said. "Individuals should be able to speak anonymously online. They should be able to register sites without ever giving their real name."

Riddled with errors

There is little disagreement that the current Whois situation is broken. Despite a renewed mandate from ICANN several years ago that Whois data be accurate, it is still peppered with mistakes and lies designed to throw investigators and consumers off the track. A study released by the U.S. Government Accountability Office in 2005 found that 5 percent of all Web sites were registered using information that was "obviously and intentionally false." Another 3 percent of registrations had incomplete information.

Those findings lead privacy advocates to argue that Whois requirements only serve to penalize honest Web users while allowing criminals to easily hide.

But Brendler disagrees. Despite the inaccuracies, Whois data often provides good leads to journalists and other investigators, he said.

"We use Whois to investigate Web sites and in more cases than not it is very helpful," he said.

Numerous compromises through the years have been shot down or mired in debate. The most common proposal would allow individuals to remain anonymous while requiring commercial entities to supply public ownership information. The discussion usually breaks down over the definition of commercial entities. Where would nonprofit protest groups that raise money fit in, for example?

The stalemate -- the first Whois reform committee was formed in 2001 -- led privacy advocates like Rader to make radical suggestions. In October, ICANN will consider a proposal that would simply make current Whois requirements expire. Absent new rules, anonymous Web site registration would be allowed by default.

That would end the status quo, argues Rader, and perhaps force decisive action.

Europe vs. U.S.

But a larger issue looms behind the debate, which could reignite global disagreement on who runs the Internet. Whois rules contradict many international privacy laws, some say. In Canada and Europe, for example, it's generally illegal for a company to make any consumers' personal information available to others.

"As a Canadian company, we have laws to abide by. It's very questionable whether ICANN policy is consistent with Canadian law," Rader said.

On the other hand, the U.S. government position is clear: Keep Whois available. While the U.S. has been engaged in a slow process of surrendering control of Internet management, the Department of Commerce maintains ultimate control of the Internet's domain name system. And should U.S. law enforcement efforts be threatened, it's likely the U.S. government would act to stop the dismantling of Whois.

RED TAPE WRESTLING TIPS

Try Whois while you can. For now, using Whois to perform a background check on Web sites you are about to do business with is a great idea. Of course, con artists are often clever enough to foil the system, so it is no guarantee of legitimacy, but it's a useful tool. Any company willing to take money from you should be willing to publish a working phone number and a physical address, as well as an e-mail address that appears legitimate (not a free, Web-based e-mail address).

Many registrars offer their own Whois information, but one place to start is Whois.net. Just type in a domain name, wait a moment, and see what data is provided.
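The following Python is an added example, not part of the original article: it parses a Whois-style reply and flags the warning signs the tips above describe (a placeholder phone number, no physical address, a free Web-based e-mail address). The sample record, the "Registrant ..." field names and the list of free mail providers are assumptions made for illustration.

```python
import re

# Constructed sample of a "Key: value" Whois reply (not a real record).
SAMPLE = """\
Domain Name: example-shop.test
Registrant Name: John Doe
Registrant Street:
Registrant Phone: (999) 999-9999
Registrant Email: sales4you@hotmail.com
"""

# Assumed short list of free webmail providers; extend for real use.
FREE_MAIL = {"hotmail.com", "yahoo.com", "gmail.com", "aol.com"}

def parse_whois(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record

def phone_is_placeholder(phone):
    """True for too-short numbers, one repeated digit, or a 1234567890 run."""
    digits = re.sub(r"\D", "", phone)
    return len(digits) < 7 or len(set(digits)) == 1 or digits in "01234567890"

def red_flags(record):
    """Return the warning signs the article lists for a registration."""
    flags = []
    if phone_is_placeholder(record.get("registrant phone", "")):
        flags.append("no working phone number")
    if not record.get("registrant street"):
        flags.append("no physical address")
    email = record.get("registrant email", "")
    domain = email.rpartition("@")[2].lower()
    if not email or domain in FREE_MAIL:
        flags.append("missing or free web-based e-mail address")
    return flags

if __name__ == "__main__":
    for flag in red_flags(parse_whois(SAMPLE)):
        print("warning:", flag)
```

A record with no flags is not proof of legitimacy, since the contact data is self-reported by the registrant.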