Domain Registration Privacy: Another View

Electronic Frontier Foundation's Jeremy Malcolm and Mitch Stoltz published an article yesterday quite reasonably expressing concern over a proposal in front of ICANN that would limit use of "domains by proxy"-style WHOIS privacy for domain registration services.

It's a concern I can understand. My wife, a feminist author who has been "lucky" enough to only occasionally have message board threads calling her horrible names (and so far has avoided some of the more intense harassment leveled at other women online) and I have watched other people, often women, get doxxed and harassed in horrible ways and I totally agree that for a lot of people, it is entirely reasonable to not want to put your home address on a domain registration and have it visible to the whole world.

I'm not against online anonymity. I just also see the other side of it, misuse of these tools by bad actors. Consider the following.

Privacy protection of domain registrations impedes good guys from doing good work to track bad guys. Even when the bad guys fake domain registration info; they tend to falsify things in certain ways that allow for identification of commonality. It makes them easier to identify and group together the many domains that bad guys use. This is one reason why spam fighters are almost universally against this type of privacy protection. Indeed, there is even at least one email blacklist meant to help you reject mail from domains utilizing privacy protect services. (And if you send email from that domain; good luck trying to get an ISP or corporate postmaster to respond to you if you're trying to work with them to resolve a spam blocking issue. Many will denote that you're hiding the ownership info of the domain and decline to assist, because you don't seem legitimate.)

The restrictions being proposed only relate to commercial use of a domain. If you're buying or selling, you're truly in business online, and businesses have postal addresses. I don't think it's fair or appropriate to hide your locale when you're a business. It projects a shady front. (Yet another reason why spam fighters and anti-abuse/network security folks tend to be against this type of privacy protection.)

Even so, this does NOT mean you have to reveal your home address-- even if you run a home-based business. A Post Office Box from the USPS costs about $72/year in my neighborhood. The UPS Store charges more, but is more flexible about names used and has many locations. If you want to cut corners, you could consider using a false address. I don't endorse this, but my understanding is that it's very rare for a registrar to notice and revoke a domain name due to it using a false mailing address.

One thing I have personally done for years, long before privacy protect was a thing, is let friends use my personal office address when registering domains. I'm happy to handle the mail, it's legit as far as the registration goes, and any angry goober drive-bys would leave the bad guys disappointed to find their target not there. (Obviously your mileage may vary.)

Also keep in mind that you don't even need to register a domain name to have an internet presence. You can start a site for free under,,,, or Google's, among many other options. None of these sites require providing your home address as a prerequisite to setting up a web site.

And finally, keep in mind that if you truly are worried about online harassment crossing the line into offline harassment, you really probably should not trust the privacy protect flag on your domain registration to keep your contact information forever private. It's a setting that can be turned off at any time. If it's literally just a switch flick away, I'd be concerned about what happens if a site gets hacked or information gets leaked. Or what if you, or the registrar, reset this setting accidentally? If I didn't want my home address shared ever, accidentally or not, I would prefer that they not even have that information to begin with. If it is a matter of life or death, literally or figuratively, then don't trust that little switch to save your life.
Post a Comment