In 2012, Wired writer Mat Honan had his entire online life hacked. His Apple ID password was reset. His Gmail password was reset. His Twitter password was reset. His iPhone, iPad and MacBook were all remotely wiped using Apple’s “Find My” tool – the tool that locates and gives remote access to your various iDevices.
This was made possible by crafty social engineering, and security policies that assumed people operated in a vacuum, but, it all started with an email address and a billing address found through a WHOIS search.
Who is WHOIS?
A WHOIS search lets you know WHO the owner of a domain IS and how to contact them. A domain is the bit after the “www” of a website address, or after the “@” in an email address. A WHOIS search gives you information such as the phone number and address of the person or organisation behind that domain.
Over the last seven months or so, the Domain Name Commission (DNC) has been consulting on what information should show up when you run a WHOIS search on a domain ending in .nz. This consultation follows two previous rounds.
Information can be dangerous
As the story about Mat Honan shows, the information found in a WHOIS search can be used to harm individuals. In some cases, the need to prevent people accessing information is even greater – think about people who are victims of abuse, or online harassment. Ensuring that they can have both personal safety and run a website is something that privacy-aware policies can help with.
Public registers have privacy controls built into their individual legislation, as well as specific provisions in the Privacy Act. While the register of .nz domain owners isn’t an official “public register,” it has many of the hallmarks of public registers, and it is just as important to safeguard the personal information in the .nz register as it is with any public register.
In our previoussubmissions to the DNC, we’ve advocated strongly for people to have the ability to suppress their contact details in WHOIS searches – especially if you would be able to seek similar suppression from public registers.
In our second, more comprehensive submission, we asked the DNC to consider the public good of making individual domain registrants’ information available overall. That submission is available here. We’re also listening to the current discussion to help inform our views.
We are still developing our submission for the current round of consultation. There is value in maintaining a transparent register, but it’s important that the argument to do so – and how to decide where to draw the line - is convincing.
Photo credit: Ralf Appelt via Flickr