It's pretty absurd to require users to continually pay you money with threat of revealing all of their personal information publicly if they ever choose to stop paying you.
I can't imagine many industries getting away with that except for registrars due to how the whois system has worked historically, but it's basically just extortion, keep paying us or you're doxxed. Whois privacy should be the default everywhere for no additional charge, so I guess this is a change in the right direction.
But at the same time, I reflect upon the days of the phone book, which most people on this board likely never knew. Your phone number and address would be listed by the phone company as part of your phone number subscription - an unlisted number would cost you more.
While times change, and the searchability of the digital world does raise some other concerns, I still wonder how big a deal it is for ICANN to require this. Is it really revealing "all of your personal information" if you reveal the PO box, spam-trap "domains@" email address, and phone number of the domain owner?
If the registrar were revealing other info, I'd say "it's pretty absurd." But by default allowing people the info to contact you, as the owner of a domain name? That doesn't seem like extortion. Heck, if you own any real estate in the U.S., your contact info is listed in the tax assessor's database for all to find, same as in the WHOIS database.
Regardless, definitely an interesting topic to chew on.
Not everyone has a PO Box, they cost actual real money. Not everyone has a public/business phone number, those cost actual real money. Requiring another phone number and a PO Box means domains go from costing $10/year to $250/year.
You can allow people to contact an owner without giving out their information. Craigslist does it.
Not everyone has a domain name, they cost actual real money.
The question comes down to: is owning a domain like owning a computer (a commodity)? Or is owning a domain more akin to owning a phone (landline), or real estate, or a business?
If the former, privacy should generally be assumed by default. If the latter, I think it's worth questioning whether it should be.
To your point, the price doesn't escalate to $250/yr. It escalates to $10/year plus ~$2-5/yr for privacy protection. That's what we've been talking about this whole time - SHOULD you have to pay a premium for an "unlisted number"?
Luckily for those concerned with privacy, companies like Namecheap, Google, Namesilo, and a few others are now offering this by default, making that discussion irrelevant.
I do similar - cheap burner phone number attached to a voicemail. I'll check the voicemail occasionally so it's a legit whois record but it's only ever people trying to sell web design services
I exist as a pseudonymous individual online. Nobody has any right to know my phone number or name just because I wish to have a website. Nobody has any right to be able to contact me just because I own a domain. If I wanted to be contacted I would list methods on how to do so. Coincidentally, I do just that on my website and without doxxing myself in the process. There is no justification or purpose for that information being public. I shouldn't need to buy a burner phone or a PO box to remain anonymous.
Not to mention the chilling effect on speech it would have.
Completely agree but publishing accurate Whois information is an ICANN requirement for all registrars and not some gimmick set up by registrars to profit from their customers. If we failed to do this we would lose our accreditation. Whoisguard was set up to replace customer info but when we do that we are also exposed to all the legal issues that come with the territory which costs quite a bit to defend. We spend millions of dollars per year safeguarding user information and not simply turning off whoisguard without a proper legal order.
Is there a process to get that modified/amended? It seems like a carryover from the days when the internet was a friendlier place and not full of abuse.
Essentially because ICANN says so. ICANN requires the registrars to maintain accurate contact info, and also to publish the contact info on port 43. In addition they allow registrars to offer proxy registration service, which does have additional requirements for the registrar (see the whois primer linked in this thread).
HOWEVER, due to the GDPR, ICANN's "Temporary Solution" to the GDPR changes a lot of these requirements. One of the changes is that the requirement to make the contact info publicly available via whois has been removed. Registrars now are only required to show the state+country of the registrant, as well as some anonymized way to contact the domain owner (e.g.: via an anonymous email, or, via a web form).
For transfers of domain names between registrars, this also means the gaining registrar no longer is required to email you asking for authorization to transfer the domain (because the gaining registrar does not have access to the email addresses any longer). ICANN is working on a replacement for whois called RDDS which has tiered, authenticated access, as well as an accreditation process for people that need access to the real contact info such as law enforcement. However, they haven't worked out all of the details on this yet.
ICANN has also said registrars are not required to distinguish between an EU customer or a non EU customer when applying this rule.
So essentially, ICANN's temporary solution to the GDPR makes a lot of the reasons for "Whois Guard" or proxy registrations less useful.
They do provide a contact proxy service as part of this though. So that people who need to contact you can, just without learning who you are. Like a PO box.
And again, you don't have to buy a domain. Or you can go through the same steps I can to (eg) mask the sale of land and property with an intermediary company.
People's recent outbursts at the WHOIS system strike me as odd. It's been this way for two decades. It's really very similar to other public records.
And for two decades it's been a system for the lawyered class at the expense of grandpa Joe who just wants his own model train website and doesn't understand all the phonecalls and spam that came with it.
I don't necessarily disagree but I don't think it's ever been that elitist. Almost anybody can form a legally recognised company and/or have a representative (yes lawyer, accountant, "professionals") stand in for them on public records.
There just seems to be this recent backlash against public records. In the UK, you buy a house and your name goes on the public record (along with the sale price). This seems very similar and useful for similar reasons.
No disagreement that it can also give you an involuntary spamgasm but that's just a symptom of another problem. Cold calling and spamming people still pays the bills.
To be fair, ICANN required WHOIS info and registrars could be sued or lose registrar status if they didn't provide it. ICANN only recently said they wouldn't sue non-compliant registrars.
I realise it's not even in the same ball park really but the US health service works in that way from an outsider's perspective "Keep paying us or die"
Indeed, that was my point. The parent couldn't imagine many industries getting away with it, my counter example was insurance - In my comment's example health insurance but it fits most insurance-based services
Can someone explain in more detail why they aren't able to cover certain TLDs (including several falling under GDPR in the EU)? Their FAQ says: "Due to registry restrictions, WhoisGuard cannot be used with .asia, .ca, .cn, .uk, .co.uk, .de, .eu, .in, .id, .me, .uk, .nu, .li, .ch, .fr, .sg, .com.sg, .org.uk, .us, .es, .com.es, .nom.es, .org.es, .com.au, .net.au, .paris, .vote, .voto, .xn--3ds443g, .nyc, or .org.au domains."
DENIC (.de) has had its own policy including their own form of protection for a long time.
Currently you can query for generic data and an abuse email address but the contact details are only revealed if you are the domain holder or have a solid reason[1].
> In all other cases, DENIC will generally not provide information. Instead, if you think that the contents of a website that can be accessed via a domain may be illegal, you should send an e-mail reporting the matter to the e-mail address for abuse reports (Abuse). You find the e-mail address on the domain query page. Moreover, the imprint, if any, of the website concerned will inform you who is the operator of the website.
To add some additional context, a proper, up-to-date imprint, including a postal address (no P.O.) and in most cases a phone number, is legally required for practically every website in Germany
I've talked with someone on IRC about this, and apparently they do give out the email rather easily (without being law enforcement, abuse stuff, etc), so there's still some possibility to contact the domain owner even if there's no website running.
It's also worth noting .de doesn't allow foreigners to own their domains, in contrast to most other national TLDs. I won't consider them as an example.
That’s interesting, I didn’t know that. Fully agree that they are not a good example. My last paragraph was to explain how pointless this privacy theater is anyway, considering that every website owner is required to give out much more info in the imprint.
Yes, you need to submit a German driver license, German utility bills, and the like. We were working on localizing one French website to a German version, and just ended up using .eu as the German site.
This makes me sad. I don’t think I had ever had to do this but I always used a German postal address and German bank account. Also my last .de domain registration was a few years ago, so maybe they handle this stricter now.
Anyway, if you have any questions regarding domain registration in Germany or which registrars worked well for me, feel free to contact me, my details are in my profile.
I have registered a .de for a Finnish company. No problem at all via gandi.net. It would be weird if an EU country could limit registration like that. .no I believe is restricted, but not an EU country.
Not sure about the others, but if you do a whois on a .ca domain you will see it already returns a proxy address (Canadian Internet Registration Authority). You have to provide a valid Canadian address to register a .ca, but they'll only give that information to law enforcement.
Only recently -- probably in response to the GDPR.
I was showing a non-technical colleague only two weeks ago how doing a whois query on our company's .co.uk domain showed our company address and the individual responsible for registration. I just checked again now and pretty much all the useful info has gone.
.NYC requires that the owner have a physical presence in New York City. In addition to the standard whois owner/tech/billing/etc contact sections, .NYC requires a "Nexus" contact -- basically, a NYC-based address of either a person or business affiliated with the domain.
See http://www.ownit.nyc/faq, under "WILL PROXY REGISTRATIONS, SOMETIMES CALLED “DOMAIN PRIVACY” BE ALLOWED ON MY .NYC DOMAIN NAME?"
Basically, it's the registrar's policy to prohibit obfuscating the actual domain owner. Resellers like Namecheap have to abide by these policies.
I can't speak for EU domains, or for the reasoning behind the .NYC policy.
It's what it says, for some extensions, whois information is managed by the registry. Namecheap is legally obliged to provide the registrant information to the registry and they publish the whois information.
In the case of most of those, it's simply unnecessary. For instance, for EU ccTLDs, none of them reveal anything more than the most basic information in Whois for private individuals owing to the DPD (and its successor, the GDPR). For others, as people have noted, you need to prove residency. This is pretty common with ccTLDs who aren't subject to ICANN regulation, even outside of the EU.
I can't recall the .vote/.voto policies (haven't worked for a registrar in a year), nor those for .asia.
Every registry has some leeway to set its own policies, and especially ccTLD registries, which aren't even contracted parties with ICANN.
Most of those listed TLDs likely have requirements about who can register domains on that TLD, so they need that info for verification purposes. That doesn't mean that they're publishing it in WHOIS though; many are not.
I just renewed a domain with Namecheap and, based on the price they're now charging, pretty sure the cost of this “free” whois privacy protection is now just built into the cost of their products. Not impressed.
Jan 23rd 2018: $10.87 for .com and $0.99 for whoisguard ($11.86 total)
29th May 2018: $10.98 (+0.11) for .com and 0.18 ICANN'T fee ($11.16 total).
So it's $0.71 cheaper without whoisguard. So that margin (increase in .com) probably covers the actual whoisguard cost, the $1 fee was pretty much pure profit.
Yeah, mine was a renewal not a new registration and cost about $12.58. Previous renewals without whoisguard were closer to the prices you mention, which makes it seem to me like all they've done is bake the cost in.
Not that I know of. For me, I stick with .com so the discount only saves me a few dollars. So I don't really notice when I renew if I have a coupon code or not.
I trawled for free whois privacy a few years back and found <https://internetbs.net/>. For a registrar I can't complain, it's cheap and the offer hasn't disappeared. Now all my domains live there.
You might be impressed with Namesilo. They've always had Whois protection for free as long as I've used them. .com domains are something like $8 per year.
> Because at Namecheap, we care about your privacy protection.
Only when we can stop profiting from selling privacy services because of a new law that came into effect a few days ago.
I'd have believed them if they did this 2 years ago once GDPR was announced. Already moved my domains from namecheap since they are not the cheapest and didn't offer free whois until now.
I only read good things about them here on HN, but their website design put me off. It looks like they haven't updated it for a decade.
On the "Create new account" page, their captcha is just a table with black/white background colors to create the letters. Never seen something like that before, and it can be trivially bypassed.
Ugh, leave it to Namecheap to fuck up extremely simple UX. Instead of just giving me a toggle in the domain settings, I have to add WhoisGuard to my cart, once per domain (for the tens of domains I own), then go and select "10 years" in the purchasing screen (and wait for the entire page to reload) once for each domain, and then go through the entire checkout process to pay $0.
Why not just let me click a single button, Namecheap?
I wish a new registrar would come in with good service and UX and eat every other registrar's lunch. There aren't any registrars that easily let me manage my domains without trying to sell me tons of stuff every time I need to make a simple change. I've switched to Cloudflare for DNS because their UI is no-nonsense, I half wish they just sold me the domain as well.
And while you're at it, I hope you'll automatically post account credits to pending charges. Previously, I've had to go through an obscure laborious process to apply credits Namecheap gave me. If you don't want people to use their account credits, don't offer them.
Maybe, as a first shot, they decided to favour near-instant implementation over usability by simply setting the price for an existing product to $0 and use the existing checkout flow.
Maybe, but it would have been equally as instant to just set all domains as "WhoisGuard purchased until the year 3000" in the database, and much more user-friendly.
If you're registering as a business rather than an individual it looks dodgy to have a whois privacy record instead of your business details. Not necessarily a deal breaker but definitely a single red flag
Because whois, along with the many people who scrape it, provide a public record of my domain ownership. With privacy protection it is a lot harder to prove ownership if the registrar makes a balls up.
I used to have many domains at NameCheap and left after their redesign a couple of years ago. Huge spacing, many clicks to get to any information, and good luck trying to update multiple domains. Seems like they wanted to alienate their pro/bulk users in favor of the buy-a-one-page-website crowd.
Route53 (using now) just makes more sense: easy programmatic access, unified billing with other services, included domain privacy, and no games with renewal pricing/discounts.
Same here. I've moved everything to uniregistry from namecheap. It was such a headache moving domains, I wouldn't use namecheap again... even with free whoisguard. And inexplicably some of my domains that were using whoisguard had their email contact information changed, without my knowledge, to "legal@namecheap.com" meaning that I wouldn't receive any confirmation emails. What a mess.
That's interesting, I'll take a look, although I don't like using Google services. Thanks for the suggestion, I wasn't even aware that they had a domain registration product.
I had just switched all my domains over to porkbun for this very reason - whois guard wasn't free at namecheap. I think I'll just leave the domains I moved there, and then continue with namecheap going forward. Now I view them as essentially equivalent plus or minus a few pennies per year.
Moved my domains to Porkbun as well, price is over 30% cheaper than Namecheap for .com renewals ($13 vs $9), privacy is also free, and they've got a real 2FA solution which Namecheap still does not have after all these years, so I'll be sticking with the Pork.
It was basically a tossup between Porkbun and Namesilo, so I went with the service with the more modern interface even though I don't interact with it much.
Their table to see how they stand up against competitors is hilarious! So many free privacy providers since ever like Dreamhost, Namesilo, BrandShelter, Marcaria (some TLDs), but yet you look at that table and you think "wow they are the only one".
GoDaddy still charges more than 2X what we used to charge for WhoisGuard. We have always given away WhoisGuard for the first year of registration and have always been transparent about the renewal charge. However, now it is 100% free. No deception here.
I moved everything to namecheap after they supported the EFF during the SOPA days. Then namecheap decided to get in the censorship business along with cloudflare. All my domains came off namecheap.
I see that so much here on HN. A mainstream, name-brand company rolls out a great feature, and the trolls come out of the woodwork to say "but numberonecheaphosting.spam has had this for years!"
Some people just can't recognize a good thing as a good thing. As a Namecheap customer, though, I'm pretty darn happy at this news!
> So you get to choose who we perceive as our competitors now?
No, I don't as I am not a Namecheap employee. I don't work with or approve of companies that serve US-based clientele, but constantly outsource their customer support to Eastern-bloc countries and hire people that barely speak English. I think it's anti-American frankly speaking, but I don't think you are an American citizen anyways so this doesn't apply.
But I do choose who competes for my dollars, so it's unfair to show me competitors that you know don't have certain features, while purposely avoiding those who do have those features. Unless you are so out of touch with supposedly your market (anyone can create HN account with "CEO" in it) that you are not aware Dreamhost and Namesilo are offering these services for FREE for many years by now.
And if you really happen to be a Namecheap CEO (highly doubt and scary to think a CEO has time to post on HN) then I'm glad you posted this, as you are only reassuring me in my decision to move out all my domains a long time ago.
Your logic is absolutely ridiculous but I'll try to play along. Go here http://www.registrarowl.com/report_registrar_total_domains.p... and tell me again who our competition is. I don't see any of the companies you listed there. Even if they may be fine companies that's not who or what we are aiming for and that is our choice as a business. It's like asking Coca Cola or Pepsi to list Jarritos soda as their competition just because it exists. We are a global company with offices in the US, Berlin, Porto, Kharkiv, India and more to come. We service customers from all over the world 24/7. If you have a problem with that fine, but I won't apologize for serving a global market efficiently nor will I apologize for being globally focused.
I never asked you for apology; you conduct your business whichever way you want, whether you are CEO of Namecheap or not, I really don't care.
And when you click on the link you yourself provided, who is the FIRST company in the first column right in your face?? Yeah, you heard about those guys?
NameSilo provides free Whois Guard at least since I moved my domains out of Namecheap some 7 years ago when my disgruntled employee claimed domains zoned with you are his just because he knew my first name, last name and my DOB. Although they were not taken offline, but certainly froze for a week or so before I wasted many hours to try and clear the situation out. Since then I strongly oppose your "security logic" and proudly had at least 4 people move all their domains out. Although frankly I still have fun locking my ex employee out of his own Namecheap account, simply because I happen to know his username and that's all you need to lock someone out attempting wrong password a few times :)
Anyways, let's end this time-consuming worthless conversation, because frankly you are shooting yourself in the foot.
Edit: from the link you provided and clicking on NameCheap name, did you read the February 22nd review about deleting someone's 75 domains and not even having phone support to discuss the issue?? Jesus man; how do you sleep with yourself knowing how much stress you have caused another human being?? :facepalm
Tangent: what happens to the whois guard if I want to transfer a domain between providers (e.g. namecheap to google)? I've heard that during the transfer the whois guard has to be disabled. This means that services such as Domain Tools will log the whois data. Is this true? If so, is there any way to transfer a domain between providers while keeping contact details out of the public whois database?
I had to transfer domains once (from WordPress to Namecheap) and the instructions explicitly required disabling the privacy guard. It was only needed for the transfer period, which was about 3 days. I would love to know why the process requires it.
Now that this is mentioned, I revisited WordPress' instructions page and it says: "Most domain names registered at WordPress.com have GDPR protection, which means registrant contact information is not visible publicly, regardless of whether or not the domain has Privacy Protection in place. For these domains, disabling privacy will not result in contact info being publicly published."[0] Does this mean the process doesn't really need it but the registrars require it for some odd reason? If they can work it out without disabling privacy feature to comply with GDPR, why can't they do the same for everyone?
In my experience you can usually pre-enable whois guard equivalents during the checkout process for the transfer.
From the Domain Tools point of view the transfer should look like Old Whois Privacy LLP on SomeRegistrar transferred a domain to New Whois Privacy Corp on NewRegistrar
I've had my whoisguard at namecheap unexpectedly not renew several times, despite my having enabled auto renew, and the domain auto renewing. As a result my info was exposed until I caught it. I've migrated most of my domains to iwantmyname.com. Much nicer experience so far. .io domains are really cheap at namecheap though so I haven't migrated them yet :/
Namecheap web design is very poor. They always plaster new feature on the top without deeper implementation. Many times I click a button only to see empty red box missing any obvious error message.
Besides I still have fun blocking my ex-employer namecheap account time to time. All you need is provide their username with wrong password 4 times and account is locked. You have to go thru extensive re-verification process. It's hilarious and totally unnecessary in the times of 2FA.
Besides namecheap has a long tradition of not standing up for your domain name. If they are pressed by someone offended by your content, they will take down your domain and take over it. That was few posts on Web Warrior I found years ago from terrorized people that made me change all my domains to namesilo.
I see a lot of comments about how clumsy this solution is and that it doesn’t work for some TLDs.
The solution I’m using is MyPrivacy.ca. It’s not a 1:1 replacement for WHOIS privacy but solves the Spam problem very well, it’s easy to set up and it works for all TLDs.
It is basically an opt-in email forwarder with a customizable whitelist of common registrars and NICs. So you will never miss an important mail from your registrar while most Spam will never make it through the challenge/response process.
It’s completely free and run by the guy behind easydns.ca (Mark Jeftovic).
They don't mention Gandi because that would be a marketing disaster. Gandi do no advertising, no affiliate/referral links, or anything else shady.
You might pay slightly more, but I believe Gandi operate a significantly better service, catering to shrewd users (I don't work there or have any financial interest in the matter, just a happy customer).
In fairness, Namecheap seem like a pretty decent second-choice, and most of my ire is reserved for all the 'baby's first domain name' bottom feeders out there.
For years, they've had a standing active "coupon" value that reduces it from $2.99 to $0.99 / year / domain. Unfortunately, you can't apply it to automatic renewals.
This finally solves that problem.
--
P.S. TO NAMECHEAP (who sometimes surfs HN, IIRC): PLEASE make sure that WhoisGuard is reliably renewed with this change in place.
Given the occasional glitches I've seen in your systems in the past, I want to emphasize this. It would be most unfortunate if a glitch exposed contact information: Once out, you can't take it back.
It took a long time for me to decide to try/trust autorenew. I'm worried I may now need to go back to manually signing in at each renewal, to make sure nothing has gone sideways.
At Namecheap, we care about your privacy and are now giving ALL our Namecheap customers FREE WhoisGuard for life, when they register a domain* with us.
This important change supports our strong belief in privacy, security, freedom and the equal treatment for all internet users.
Suddenly, they care about my privacy, whereas all the previous years they were soliciting subscriptions to their WhoisGuard service with each new registration or renewal order.
What a coincidence! And what an unfortunate choice of wording to their existing customers. (Apparently, I was very upset when I got this emailed)
Great domain provider, I second that. Furthermore, for US domains they have customer support directly in the USA. Namecheap customer support is outsourced to Romania. I don't have anything against it but I rather have my US-based domain names looked at by US personnel.
Yes. It’s a marketing thing. (Someone correct me if I’m wrong) As I know, all domain name sellers should default to privacy (aka Whois guard) due to GDPR.
I'm asking because domain registration is a very competitive business, so profit margins should be thin. In such a market a company that sells the exact same product for half the price is pretty unexpected.
So is the market not as competitive as it looks, or is there something else going on?
Read this UDRP decision, they found that using Njalla's proxy service constitutes bad faith.
While this was a terribly misguided decision, UDRP cases rely heavily on precedent, so it'd be tricky to get this reversed.
Don't get me wrong though, most of the time njal.la is pretty nice and I have tens of domains with them. I just wouldn't use them for anything very important.
Most registrars are already redacting whois output to comply with GDPR.
Registrars that aren't doing this for non-EU customers (e.g.: GoDaddy) are the exception. The only reason for this is to push sales of their privacy/proxy registration service.