Is Online Anonymity a Bad Thing?

My previous post talking about the project (of which I have no connection with whatsoever-- I just think it's neat) generated a lot of comments and feedback both in comments and in email. I thought I would take a few minutes here and answer a few of the more popular the comments and questions that were posed.

Let's start with somebody who misses the point. Somebody who runs an anonymous ISP suggests that I am against online anonymity. "What is it about anonymity," he asked, "that you find so problematic?"

Truth be told, I find nothing wrong with individual privacy or anonymity online. That's not the problem. The problem is that spammers and companies hide behind this easy layer of anonymity offered via registrar privacy services, making it harder to tell good guys from the bad guys. Domain privacy protect services are part of the problem; they're hugely imperfect and they give bad guys a place to hide. No legitimate company should ever have a need to mask their domain ownership information via privacy protect. Yet, I run into it periodically, significantly so, when trying to vet a potential email marketer or online store that I had otherwise never heard of --  or, worse yet, the only data I have so far about them suggests bad acts, and a lack of transparency implied by masking ownership info does nothing to address those concerns. This has become such a problem that companies like email service providers and ISPs are beginning to prohibit use of privacy protect on domains clients use via their services. Why? Because bad guys exploit it.

Also, mass anonymity of commercial domain ownership is damaging to efforts to stop bad guys. Many smart anti-virus, anti-spam and security researchers utilize WHOIS data in bulk to look for various data points that help to identify bad guys. Being able to denote things like commonality and similarities in that data help spam filterers figure out who to block; figure out what related senders, domains, entities, etc., relate to some other bad actor or bad act, sometimes allowing them to be proactively blocked before a bad actor has a chance to fire up that new domain or new spam cannon.

Smart spam fighters are telling me that it's gotten to the point where if they see evidence of bad activity and run into privacy protect when trying to trace ownership, to them, that screams "spammer!" Thank the spammers for ruining it for the rest of us.

I understand the need for personal online anonymity. I am instead pointing out that the current privacy protect-style process is both flawed and unnecessary.

A couple other folks who commented on that last post suggested that, "Anonymous domain registration is the only thing or the best thing that can protect me from people showing up at my door."

Keep in mind that I totally understand why you wouldn't want people to know your home address. I own around forty domains myself and none of them have my home address and phone number on them, and that's the way I'd like to keep it. I've managed to keep my home address and phone number hidden easily enough, and so can you, even without using privacy protect. Because of the number of domains I own, it'd be cheaper for me to go register a PO Box to use as the mailing address for all the domains than it would be to pay extra for privacy protect service on each domain. And the phone number in my domain registrations is a free Google Voice number. If I didn't want to use the post office, I could use a UPS Store or other "mailboxes for rent" type place. I could put my office address. I could put my friend's office address. None of these uses would constitute illegitimate data in your WHOIS entry, as long as you can actually receive mail at the address.

And if you're planning this as a legal shield, good luck with that. Whoever decides to sue you will just subpoena your domain registrar to find out who you really are.

I know some people say things are more difficult in other countries. Look, if you're in Iran, you don't even want to bother with privacy protect. Make up a totally fake address and break the rules. Don't risk the bad guys being able to subpoena or hack your info from the registrar and have the cops show up and take you away. ICANN's domain registration policies should be the least of your concerns.

If you really need to be anonymous on the internet, your best bet isn't to register a domain. Set up a website under a domain or some other free service where they'll provide you a URL. Use free webmail providers for email service. You don't need to provide any sort of ownership info to a public registry in either instance.

I know that some people think that blocking mail from anonymously-registered domains is unfair.

Nobody even said they were blocking mail. This ANONWHOIS project recommends *against* being used as a blacklist. They recognize that non-spammers, non-badguys likely also use privacy protect service to some degree. I saw a complaint in Slashdot comments that the data shouldn't be published as a blacklist--  but I disagree with that. Being able to monitor for domain anonymity in a fashion like this is a boon to researchers working on spam filters and other measures of online reputation. It allows them to measure correlation between anonymized domain registrations and bad actors. It is clear to me that publishing this data set as a DNS-queryable RHSBL is the best way to make it accessible.

Also? If somebody starts blocking your mail because your domain registration is anonymized: too bad. That's the way the internet works. People can block mail for whatever reason they want, and if you don't like it, you can lump it. People regularly block mail from ISPs and companies they don't like. The internet email ecosystem is not one postal system; it is comprised of millions of them. They're all privately run, and they're all free to set their own rules.

This reminds me a lot of the "open relay blocking wars" going back over ten years ago. People started to notice that they were getting spam from open relaying mail servers, so they started rejecting mail from those open relays. Lots of people got mad, protesting that they absolutely needed to run open relays, blocking their legitimate mail just to stop spam is unfair, etc., etc. etc. Somehow, the internet continues on, and people manage to send email. You'll have a very hard time convincing me that you've truly been wronged because you weren't able to send me mail from your anonymous mail.


  1. From the gut level I have to ask - why would I want to be contacted by someone who doesn't want their information known to me? If you're trying to contact me you should give a little bit of yourself first before you expect me to give anything back. Hiding basic details makes no sense - at least for legitimate commercial senders.

  2. Thank-you Al for fleshing out my thoughts as expressed in the comments section of the other post. As you so rightly note, there are legitimate 'needs' for anonymity online, but for those who need it, believing that cloaking a domain name will allow even the tiniest iota when the Big Bad Wolf comes a-knockin are going to be sorely mistaken, or perhaps far worse, in the case of citizens of oppressive régimes.

    There are credible allegations that the malware/hacking attack on Google in China was perpetrated by the Chinese government after the identities of some activist nationals.

    Can anyone of the hand-wringers touting domain proxies as an approach to anonymity actually say, with a straight face, that such services would be the slightest hitch to such a plan for disclosure, if this is true?

    Court orders come with instructions to disclose. They do not include rationale for the investigation. So when one lands on the desk of a proxy operator, they disclose, not knowing if they are assisting in the politically-motivated search for an activist or whistleblower, a kiddie porn pervert, a man who beat his wife, or whatever. Wrapping themselves in the flag of virtue is obfuscation.

    Fact is, these are lousy services designed to make money for those who provide the service, nothing more.


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.