April 2017 is nearly 4 years ago as I'm writing this article. Why does it matter? Well, it was when domain name registrars started putting actions in place to comply with upcoming General Data Protection Regulation (GDPR) laws.
To be safe, most domain name registrars removed or hid domain name ownership identifiers like registrant name, address, phone number and email address from public WHOIS records.
It was a game changer!
I am not writing this article to say I like or dislike the policy. It is what it is, but I can tell you from experience what I see happening without this data almost 4 years later.
WHOIS history records are fading away from accuracy and it is becoming a guessing game now. These WHOIS history records were my vital lifeline to help verify and connect the minimal current information that I could see to the past.
Since I do a lot (I mean A LOT) of research into domain names, I am basically guessing who owns a domain name now, more times than not. That is not a good thing if you are trying your best to verify ownership of a domain name or the details I need to go further/deeper into an investigation. If I cannot tell who owned the domain before and I cannot compare it to anything now, there is no easy way to tell either way. Dead end!
The very same can be said for someone trying to acquire a domain and get in contact with the domain's owner. Even as a professional, it is becoming very challenging to tell who owns a domain.
There are/were some fantastic domain name related tools that highlight and monitor things like registrant email changes. They do not work without an email in WHOIS records though. This was a method I would often use to detect domain sales and domain theft. Registrant email was a bullseye to watch because it relates to domain ownership and often control over the domain. Using WHOIS history and current records would help tell the story.
I would estimate that this domain name hijacking of Perl.com could have been detected months before the full hijacking was detected when the domain transferred, and DNS later changed. It was likely the registrant email address was changed, nothing else.
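The registrant-email watch described above, sketched as an added example (not the author's tooling or any vendor's product): it diffs consecutive WHOIS history snapshots and reports the first field that changes. The records, names and dates are constructed; with the email redacted, the earliest signal disappears and the first visible change is the registrar transfer.

```python
import re

# Fields worth watching, keyed by the label used in the raw WHOIS text.
FIELDS = {"email": "Registrant Email", "registrar": "Registrar", "ns": "Name Server"}
REDACTED = "REDACTED FOR PRIVACY"

def parse(raw):
    """Extract the watched fields from one raw WHOIS record."""
    rec = {}
    for key, label in FIELDS.items():
        vals = re.findall(rf"^{re.escape(label)}:[ \t]*(.*)$", raw, re.M)
        rec[key] = tuple(sorted(v.strip().lower() for v in vals))
    return rec

def changes(history):
    """Diff consecutive snapshots; return (date, field, old, new) events."""
    events, prev = [], None
    for date, raw in history:
        cur = parse(raw)
        if prev is not None:
            for key in FIELDS:
                if cur[key] != prev[key]:
                    events.append((date, key, prev[key], cur[key]))
        prev = cur
    return events

def record(registrar, email, ns):
    """Render a minimal WHOIS-style record (constructed sample data)."""
    lines = [f"Registrar: {registrar}", f"Registrant Email: {email}"]
    lines += [f"Name Server: {n}" for n in ns]
    return "\n".join(lines) + "\n"

# Constructed timeline: email swapped first, transfer and DNS change months later.
TIMELINE = [
    ("2020-03-01", "Registrar A", "owner@example.test", ["ns1.example.test"]),
    ("2020-06-01", "Registrar A", "intruder@example.net", ["ns1.example.test"]),
    ("2020-11-01", "Registrar B", "intruder@example.net", ["ns1.example.test"]),
    ("2020-11-15", "Registrar B", "intruder@example.net", ["ns1.example.org"]),
]

def history(public_email):
    """Same timeline, with the registrant email either public or redacted."""
    return [(d, record(r, e if public_email else REDACTED, ns))
            for d, r, e, ns in TIMELINE]

def first_signal(hist):
    """Date and field of the earliest detectable change, or None."""
    ev = changes(hist)
    return ev[0][:2] if ev else None

if __name__ == "__main__":
    print("public WHOIS  :", first_signal(history(True)))
    print("redacted WHOIS:", first_signal(history(False)))
```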
Not being able to publicly confirm ownership of a domain name not only hurts security researchers like myself, it also hurts commerce of domain names. WHOIS was the easiest and often most accurate way to contact a domain's owner (if not under WHOIS privacy) and see who owned it. Not any longer. This may not fully stop someone from making contact with a domain's owner, but it certainly puts in a big roadblock and often one with no outlet.
If the WHOIS details provide little to no contact details due to GDPR and the domain name does not resolve to a page providing any contact details, your hands are literally tied if you wish to make contact with them.
Although it is required by ICANN (2.5.1) that a means of contact (email/link) to the domain's owner has to be presented in WHOIS, it’s not always followed by all registrars. I have seen general email addresses like firstname.lastname@example.org provided as a registrant contact method, which will certainly not get you in contact with the specific domain's owner. Neither will null@null!
If contact was the only concern, the current method is not all that bad, if a contact method is presented. Most domain name registrars follow ICANN’s rules and do provide a means of contact. The domain registrant will get the contact in most cases, whoever that may be.
No public data to help highlight a potential red flag is the main problem I have been seeing. Who is behind that contact form and how long have they been there is another major issue and concern. 4 years of fog covering public WHOIS records of ownership.
GDPR has taken away my ability to “connect the dots”. WHOIS history records from paid services have greatly helped to this point, but those records have been covered up by yet another privacy related law called CCPA (California Consumer Privacy Act of 2018). Old records have been retroactively edited based on location of the registrant or registrar in DomainTools, leaving some WHOIS history records totally blank. Besides the fact that things change over 4 years, the data was only going to stay useful for so long and time was ticking.
Security/ownership are a very real concern, and it relates to nearly blank public WHOIS domain name ownership records.
Domain name commerce, a billion-dollar industry, is being slowed and at times prevented due to means of contact methods being obscured in WHOIS.
The fact of this contact obstruction is upsetting to me and appears to be getting worse as WHOIS history data continues to deteriorate.
The most accurate and fulfilling WHOIS data is from April 2017 and prior but I witness daily how the accuracy of that data is fading away.
I do not want to say this may hurt the value of domain names, but how can I not say that? It is important to verify ownership of any asset and if you cannot do that easily in a public fashion, it can be hard to put a high value on it. Yes, most will be able to verify ownership with domain name renewal receipts privately but let’s hope that the interested party can contact you to get to that part in the process. Being able to make contact with a domain's owner is also important for business to be conducted.
If you are interested in being contacted, please do make it easy to be contacted. As the registrant of a domain name, you have the right to fully display contact information in WHOIS records. It is required that you provide consent to your domain name registrar to display it though.
Please keep domain name renewal receipts to help associate your domain name to you; it may be helpful in the future.
I am hopeful that new technology will help with domain name ownership verification (keep in mind that domains are selling for 8 figures at times) and you won't have to work for hours trying to find a contact method to speak with a domain's owner.