Domain Privacy Protection and the hidden costs

Registrars are making a lot of money by simply providing ‘Domain Privacy Protection’, which is basically an option to hide all the personal information you HAVE to provide when you purchase a domain. If you take a look at various domain providers, you will see that they charge different prices for Domain Privacy Protection.

Cyberwarzone is located in The Netherlands, and our host is also based in The Netherlands. Last night, we received an ‘update’ from our provider, claiming that we will need to start paying money if we want to hide our domain privacy from public users. This will cost us 10 euro a year, and if we do not pay this amount, our privacy settings will be changed to public, allowing everyone to grab the domain information.

Now let me explain why it is important to have domain privacy protection: hackers and evil users on the internet will try to obtain all types of information that will help them start an attack on their target. Once the Domain Privacy Protection has been disabled, hackers will be able to run a WHOIS query, which will return the registrant's personal information. This information can be used in a social engineering attack or other hacking methods.
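To see what your own record gives away, save the WHOIS response for your domain and audit which contact fields are still readable. The script below is an added example, not part of the original article; the field names, the redaction markers and the sample record are assumptions constructed for illustration, and real registrars word their output differently.

```python
import re

# Assumed redaction wording; registrars and privacy services vary, so extend this list.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "data protected", "not disclosed")
# Contact fields that identify a person and are useful for social engineering.
PERSONAL_FIELDS = re.compile(
    r"^(registrant|admin|tech)\s+"
    r"(name|organization|street|city|postal code|phone|fax|email)$",
    re.IGNORECASE,
)

def parse_whois(text):
    """Return (field, value) pairs from 'Field: value' lines of a WHOIS response."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # skip blank lines, comments and the footer
        field, sep, value = line.partition(":")
        if sep:
            pairs.append((field.strip(), value.strip()))
    return pairs

def audit_whois(text):
    """Split the personal contact fields of a record into exposed and redacted."""
    report = {"exposed": [], "redacted": []}
    for field, value in parse_whois(text):
        if not PERSONAL_FIELDS.match(field) or not value:
            continue  # not a personal field, or nothing published
        hidden = any(marker in value.lower() for marker in REDACTION_MARKERS)
        report["redacted" if hidden else "exposed"].append((field, value))
    return report

# Constructed sample record (not a real registration): privacy only partly applied.
SAMPLE = """\
Domain Name: example.test
Registrar URL: http://registrar.example.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: +31.201234567
Registrant Email: j.doe@example.test
Admin Name: Jane Doe
Tech Email: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    for field, value in audit_whois(SAMPLE)["exposed"]:
        print(f"EXPOSED  {field}: {value}")
```

Any field reported as exposed is what a stranger sees after the privacy option is switched off or only partly applied, so re-run the audit after every change your registrar makes to the record.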

Privacy by default

Note that some domain extensions have privacy caveats:

  • .at, .co.at, .or.at: Since May 21, 2010, contact data (defined as phone number, fax number, e-mail address) is hidden by the registrar and must be explicitly made public.
  • .ca: Since June 10, 2008, the Canadian Internet Registration Authority no longer posts registration details of individuals associated with .ca domains.
  • .de: Owner and technical contact must show their postal addresses. Phone number and e-mail address do not have to be made public.
  • .us: In March 2005, the National Telecommunications and Information Administration (NTIA) said that owners of .us domains will not have the option of keeping their information private, and that it must be made public.
  • .uk: Nominet, the guardian of UK domain namespace, provides inclusive domain privacy tools on their extensions (.co.uk, .me.uk etc), provided that the registrant is not trading from the domain name.

Currently, the Internet Corporation for Assigned Names and Numbers (ICANN) broadly requires that the mailing address, phone number and e-mail address of those owning or administrating a domain name be made publicly available through the “WHOIS” directories.

However, that policy enables spammers, direct marketers, identity thieves, or other attackers to use the directory for personal information about those people. Although ICANN has been exploring changing WHOIS to enable greater privacy, there is a lack of consensus among major stakeholders as to what type of change should be made. However, with the offer of private registration from many registrars, some of the risk has been mitigated.

So what do you think: should the ‘client’ be held responsible for the costs, or do you think that hosting companies simply need to provide a ‘free option’ to hide the domain privacy?