Problems with Proxy Registration and Related Services
By Dynadot Staff Writer
"Trusting a third party to keep your identity secret for you is a dangerous game." - Kevin Bankston, staff attorney at the Electronic Frontier Foundation.
What is Whois?
The Internet Corporation for Assigned Names and Numbers (known as ICANN) is a non-profit regulatory body that is responsible for managing and coordinating the domain name system. ICANN requires that all domain name registrations appear in a public database called Whois. If you register a domain name through any ICANN-accredited registrar or reseller service, your registration will appear in the Whois database. As it is public, anyone in the world can search the Whois database by domain name and find out the name of the registered owner and his/her contact information.
Should I be concerned about my listing in the Whois database?
Yes, you should be concerned about your privacy. Domain registrations are public information. Anyone can lookup the owner of a domain name online through a Whois lookup service. Just by knowing the name of a domain owner, there is not a lot of damage a person could do. However, real problems arise where the domain owner's full contact information is listed as well. Such problems may include identity theft, fraud, domain hijacking, data mining, spam, and other intrusions on your privacy.
Can't I just put fake information in my domain registration record?
You are taking a BIG risk if you choose to use fake name and contact information to register a domain name. If you get caught, your registration could be cancelled without warning, and you could lose your valuable domain. All it takes is for someone to look up your bogus Whois listing and file a complaint with your registrar. Plus, ICANN operates a website called InterNIC which oversees and regularly patrols the Whois listings. Note that this is the policy of all domain registrars (not just Dynadot) because this is what ICANN requires.
How do proxy services and anonymous registration services work?
Numerous other domain registrars offer "proxy" or anonymous registration services that claim to provide complete privacy, including the name of the registered name holder (aka the domain owner). The way these services work is they offer to register the domain themselves on your behalf, and then charge you a premium for the privilege of listing themselves as the registered name holder. You still receive all emails, postal mails, and packages, regardless of whether it is spam or junk. Sometimes these proxy services offer to change your email address every 10 days to throw off spammers, without any guarantees that such a tactic actually prevents your receipt of spam.
But do these services really work? Unfortunately, not as well as these proxy service providers claim. For instance, as Wikipedia, the popular online encyclopedia, states of this type of proxy service: "… this is not true anonymity. Personal information is collected by these registrars to provide the service. To some, the registrars take little persuasion to release so-called 'private' information to the world as the link below demonstrates.  (http://news.com/Private+domains+not+so+private/2100-1038_3-5833663.html)" (Wikipedia.org, December 19, 2005, at http://en.wikipedia.org/wiki/Domain_privacy.)
And who can forget the infamous Re-code.com incident in 2003 involving Domains-By-Proxy, a proxy service provider affiliated with one of the world's largest domain registrar companies. "Domains-By-Proxy revealed the name of its 'anonymous' registrant as soon as the registrant's conduct was challenged, without any determination that the challenger had a legal cause of action." (excerpt from "Comments of the Electronic Frontier Foundation to ICANN'S WHOIS Task Forces 1 and 2, July 5, 2004"; by Electronic Frontier Foundation, December 12, 2005, at http://www.eff.org/Infrastructure/DNS_control/icann_whois.php.) In fact, all it took for the proxy company to sell out its customer was the mere receipt of a threatening letter, not a subpoena, court order, or other legally-mandated procedure. (Roessler, Thomas; WHOIS Task Force 2 – Proxy Registration (and related) Services; published April 7, 2004; at http://does-not-exist.org/proxies.html. ("Roessler").)
Keep reading to learn more.
At least my name and contact information is kept confidential, right???
The reason why these proxy companies are so quick to drop the privacy services is because of the immense legal liability they face since they are the legally recognized registered name holder of the domain. They figure that if they publicly disclose the individual who engaged in the challenged activity, then they can't themselves be sued or accused of the activity. But this is a great disservice to the customer: they promise to protect domain privacy, and then at the first sign of trouble they hang you out to dry. (See again the example in the CNet news article Private Domains Not So Private?, published August 15, 2005, at http://news.com/Private+domains+not+so+private/2100-1038_3-5833663.html.)
In fact, proxy arrangements are regulated by section 220.127.116.11 of ICANN's Registrar Accreditation Agreement (RAA):
18.104.22.168 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm. (Registrar Accreditation Agreement, 22.214.171.124, available online at http://www.icann.org/registrars/ra-agreement-17may01.htm. (emphasis ours))
What the RAA is saying, in plain English, is that the proxy service provider must assume legal liability for any activities you may engage in as the customer, unless the proxy service promptly cancels your privacy service. In other words, ICANN is effectively encouraging the proxy service providers to disclose your true identity as the only way for the provider to avoid legal liability in the event of any problems. In addition, "reasonable evidence of actionable harm" is vague and ambiguous, and fails to tell the customer exactly when their privacy service may be cancelled. The terms outlined by Domains-By-Proxy and other proxy providers appear to be more detailed. However, remember in the Re-code.com case, all it took was a mere "cease and desist" letter – not a subpoena or court order – for Domains-By-Proxy to drop Re-code.com's privacy services. (See Roessler at http://does-not-exist.org/proxies.html.)
Moreover, if you read the terms of the proxy, there is typically no requirement that the proxy companies give you notice before releasing your information to the public. This painful reality has been detailed in the CNet.com news article "Private Domains Not So Private?", published August 15, 2005, at http://news.com/Private+domains+not+so+private/2100-1038_3-5833663.html.
Besides, proxy services do not technically provide anonymity, but pseudonymity, in that the intermediate entity knows the end-user's identity, but publishes its own information in the Whois database instead. Thomas Roessler, a member of ICANN's Whois Task Force 2, has acknowledged this very fact in writing. (See Roessler at http://does-not-exist.org/proxies.html.)
Roessler also summarizes the position of ICANN's At-Large Advisory Committee as follows: "the chief problem with these 'masking' services is that they may unmask their users on slight provocation." This means it doesn't take much before the proxy service providers will cancel your privacy service.
So, do you still think that proxy registration services will keep your identity completely anonymous? Think again, because they have every incentive to publicly reveal your name and contact information at the first sign of trouble. But, what is this "legal liability" that they are worried about? If the customer owns the domain, what liability does the proxy company face? Keep reading for the answer…
Who REALLY owns the domain name?
Don't be fooled. Proxy registrations do nothing more than give you the right to use the domain name, called a license. You do not legally own the domain!
Look carefully at their proxy agreements. These agreements are deceptively crafted to state that, while you retain the "full benefits" of domain registration, the proxy provider remains the actual registrant of the domain. In fact, until more recently, Domains-By-Proxy's website previously stated: "Your domain is registered in our name, which means Domains By Proxy takes ownership of it." (http://www.webhostingtalk.com/archive/thread/73682-1.html.) They have since revised their website to remove the "ownership" language, probably because it made too many customers anxious.
Again, ICANN's policy as it currently stands does not recognize the licensee (aka you) as the owner of record. Remember, section 126.96.36.199 of the RAA clearly states: "188.8.131.52 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record…" (See RAA at http://www.icann.org/registrars/ra-agreement-17may01.htm. (emphasis ours))
In short, "proxy" or "anonymous" services that offer to hide your name are simply complicated ways of saying, "You don't own it – we do!" It's a lot like leasing a car; you can fix it, refuel it, and drive it wherever and whenever you want, but you don't own it. So, how well do you trust the proxy company to give the domain back to you when you want to transfer the domain somewhere else?
Why does this ownership issue matter to you, the customer? Well, if the proxy companies are (legally speaking) the recognized registered name holder, then they carry the burden of any civil or criminal liability for all activities associated with the domain name. If you do something bad with your domain name, the person who will get sued or criminally prosecuted is whoever is listed as the registered name holder. That's why the proxy companies are so eager to cancel privacy and publicize your precious contact information to the world. They figure, if they're no longer listed as the registered name holder, they can't be sued or criminally prosecuted. Translation: Proxy companies have every incentive to cancel your privacy service at the first sign of trouble. Remember, they want your money, not your baggage.
How does Dynadot's Privacy Service work?
Dynadot's Domain Privacy Service operates like a forwarding service. We simply insert our own company's address, email, and customer service telephone number in place of your own information in the Whois lookup directory. But, we do not replace your name. When we receive mail or email addressed to you, we filter it for spam and bulk junk mail. Then, we forward legitimate first-class mail and emails to you. This ensures that you only get the important stuff, and not the spam. Our service also protects your privacy in that spammers, stalkers, harassers, data miners, and identity thieves can't get to you without getting past Dynadot's watchful eyes.
So, not only do spammers fail in contacting you (because we throw out their junk), but you can be assured of receiving important communications about your domain name, such as renewal notices from us and legitimate inquiries from third parties who don't know your real contact information.
And since we are not the registered name holder of the domain, we have no incentive to publish to the world your personal contact information based on mere legal threats.
Is Dynadot's Privacy Service really a better solution?
Absolutely. Because our service is technically a mail forwarding and filtering service, there is no need for us to reveal your true contact information unless compelled by a court order, administrative order, or government agency -- not just mere legal threats. Any party wishing to send you legitimate correspondence concerning your domain name can successfully do so without ever knowing your true and correct address, email, or telephone number. Plus, because your name is listed as the Registrant, you will never have to worry about who owns the domain – you do! And Dynadot never has to worry about legal liability to itself, because we don't face any risk if we are simply a mail forwarding service.
For more information on Dynadot's Domain Privacy Service, check out our website at http://www.dynadot.com/domain/privacy.html.
Copyright © 2005. Dynadot, LLC. All rights reserved. Last modified December 19, 2005.