DH domain registration risk


#1

When you initiate a fresh domain name registration at DH, the first screen checks availability of the name and the next screen takes the whois details.

In this second screen the form is pre-filled with your actual name, address and phone nr, and your DH account primary email address … which might be considered an inadvisable set of presets … but the situation is saved because at the top of the form is a pre-selected radio button saying “Use DreamHost’s free WHOIS privacy service”.

A customer who registers many domain names soon becomes accustomed to accepting the default settings on this form.

When the TLD is one for which DH cannot offer whois privacy, the screen looks similar to the familiar one, except that the pre-selected radio button saying “Use DreamHost’s free WHOIS privacy service” is missing.

There is no advisory, nor any pop-up, about the risks of accepting the default settings.

If a customer carelessly accepts the default settings, as they are accustomed to doing at this stage, then their name, address and phone nr … and perhaps worst of all, their DH account primary email address … become published in the whois.

Is this a case of careless customers getting what they deserve? Or is it a case of DH procedures being badly designed? Or both?

My opinion: it’s the second. Experienced customers who pay reasonable attention to procedure can very easily be misled into making a mistake at this point.


#2

There really isn’t another decent option. It’s illegal to put inaccurate information in your WHOIS. The best we could do is warn you “Hey, due to the weird laws of the world, we can’t provide you anonymity with your domain registration with this domain. We can only do that for …” (I forget which ones, but I think it’s limited to com/org/net these days).


#3

Another option, much better: provide a check-box, unchecked by default, saying “Use my Dreamhost contact details”. Checking that box would fill in all the fields in the form, which are otherwise (apart from the name field) pre-set to blank but marked as obligatory fields.

And, if you like, include a message reminding the registrant that accurate name and contact details are a requirement.

Incidentally, for the .eu TLD, complete anonymity for personal registrants (as opposed to companies) is available.

Could you please explain why Dreamhost does not offer it?

Also, for registrants who don’t want to go as far as complete anonymity, there’s a further alternative (which I think Dreamhost also does not offer): according to http://www.eurid.eu/files/whois_en.pdf “Natural persons who apply for a .eu Domain Name will be explicitly informed by their Registrars of the possibility to create and use a specific functional e-mail address for publication in the WHOIS as an alternative to the use of their personal e-mail address.”


#4

I’ll take invisible choice 3: It is neither.

It is unquestionably inadvisable to use inaccurate information in a WHOIS record. But if you want to, then go right ahead. Most hosts couldn’t care less what you put in there. At the end of the day it’s the registrant who risks losing their domain name due to false contact details, not the registrar.

[quote=“tomtavoy, post:3, topic:58887”]Incidentally, for the .eu TLD, complete anonymity for personal registrants (as opposed to companies) is available.
Could you please explain why Dreamhost does not offer it?[/quote]

According to your own research, they do offer it.

Additionally, Dreamhost do “explicitly inform” that complete anonymity is available.
For all TLDs that allow it, not just for .eu (again, see above).


#5

No one in this thread is suggesting putting inaccurate contact details in whois.

For TLDs that do not offer privacy, it is advisable to use a phone number through which messages reach the registrant but which is not the registrant’s home phone number, nor their primary personal cellphone number. Whereas, the phone number which a personal Dreamhost customer has registered with Dreamhost is likely to be either their home phone number or their primary cellphone number.

Similarly, to use a working email address different from their personal email address. It should definitely be different from the email address which they use for logging in to the Dreamhost panel.

For the mailing address: according to ICANN, “The postal mailing address is valid if it accurately identifies a functioning destination for postal mail that has been designated by the Registered Name Holder. There is no requirement that the address be the primary residence of an individual or the headquarters of an organization. A valid mailing address could be a post office box or the address of a mail forwarding service arranged by the registrant or the registrar of a third party.” (my emphasis added).

For all these reasons, the contact details which a personal customer has registered with Dreamhost are not an advisable set of pre-sets for the domain registration form, except when private registration is available and selected by default.

Now, as for the .eu TLD:

private registration is available, for personal registrants (not for companies)

Dreamhost does not offer it … most likely for some reason connected with Dreamhost’s choice of registrar which is based (for .eu registration purposes) in the Seychelles.

Furthermore, Dreamhost is delinquent in not advising .eu registrants of the possibility “to create and use a specific functional e-mail address for publication in the WHOIS as an alternative to the use of their personal e-mail address.”


#6

“delinquent”? Total anonymity is the default choice.

If users choose to include real-world contact information then that is their decision.


#7

For Dreamhost personal customers, anonymity is not the default choice for .eu registrations, nor is it even offered as an option.

The registry advises that it is available, and should be the default choice for personal registrations:

See http://www.eurid.eu/files/whois_en.pdf ,

[quote]When the Registrant is a natural person (private individual) the Registrant contact information published is restricted to the e-mail address, unless they request otherwise.

Natural persons who apply for a .eu Domain Name will be explicitly informed by their Registrars of the possibility to create and use a specific functional e-mail address for publication in the WHOIS as an alternative to the use of their personal e-mail address.[/quote]

(my emphasis added)


#8

I’m unsure how more anonymous one could be when total anonymity is the default, including the email address itself.

If anything your rtfm outline above is unequivocally “less anonymous” than the perfectly legal one provided by default.

(emphasis mine, because I typed it)


#9

Interesting … if I’ve understood you correctly … but I’m not sure if I have. Are you saying that Dreamhost allows (or even better, defaults to) whois anonymity for .eu registrations?

From my investigations it seems that Dreamhost does not allow that. But then you are saying … or seem to be saying … that I am mistaken.

The registrar I normally use for .eu registrations charges $15 a year and allows whois anonymity; Dreamhost only charges $10 a year; if it now allows whois anonymity I will try it out again.


#10

This is what I see when choosing a dot EU…

Dreamhost front page: the form is blank, allowing the user to fill in any data she wants.

Dreamhost Panel using a non-European Union account: the form has a warning notice emblazoned across the top reading:

This is sensible as it means I could register a dot EU for someone who actually resides in the European Union. As far as I’m aware EURID still limit .eu for actual EU entities and haven’t opened the gates to everyone like some other TLDs have. If this is not the case then that limitation should be lifted from the process.

I would suggest that if you want “legally pure anonymity” for an EU domain then you’d be better off paying the extra couple of dollars registering a .eu with an actual EU-based registrar, as they could then legally act as a proxy on your behalf. Dreamhost, being a US company, wouldn’t have the proxy rights that are otherwise available to EU companies in this respect.


#11

[quote]This is what I see when choosing a dot EU…

Dreamhost front page: the form is blank, allowing the user to fill in any data she wants.[/quote]

Thank you for checking. So from your experience and mine we can safely infer as follows:

(1) When the address associated with the Dreamhost customer account is outside the EU, the form is pre-filled with blank;
(2) When the associated address is in the EU, the form is pre-filled with the contact details which Dreamhost has for the customer, including the primary email address used for logging in to the Dreamhost account.

As you mention, in either case the customer can then fill in or adjust the form fields as desired. However, this is not the main issue for this thread, at least as regards the OP, which is as follows:

to pre-fill the form with the customer’s account contact details, especially the primary account email address, is an inadvisable pre-set, unless private registration is offered and is pre-selected by default.

In post #2, Ipstenu suggested that “There really isn’t another decent option.”

Well I really do very much appreciate the more frequent input from Dreamhost staff that we’ve recently been getting in these forums.

But not only is there a much better option, but the current procedure is not even good.

The better option is that (IF Dreamhost is unable to offer private registration for .eu registrations, which is an ongoing question of some interest), then at least some of these pre-sets should be blank (and if appropriate, the fields can be marked as required).

(Plus, for convenience, it would be quite OK to provide a check-box, unchecked by default, which says “Use my Dreamhost contact details”, which would fill in all the fields.)


#12

I’d think automatic propagation of data is a de-facto standard for forms on any site where a user holds an account. It’s really a device of convenience and is suitable for those who “follow the book” so to speak and include all their correct data. Personally I think the WHOIS requirement is overly strict for all TLDs, and am actually quite surprised that EURID seem to be somewhat more strict than other registries, most especially by apparently disallowing non-EU registrars to act as proxies. It’s really odd that the EU are vocally strong on the world stage where privacy issues are concerned, and yet their TLD registry rules appear more prohibitive than many others.

Bureaucracy is a pest.


#13

“EURID seem to be … disallowing non-EU registrars to act as proxies”

But they are not disallowing that! They are taking the opposite position. EURid requires that their registrars act as proxies, in the case of personal registrations, unless the customer has requested otherwise.

And there is no requirement that the registrar be itself based in the EU, or even have an office in the EU, in order to do this.

Dreamhost and/or their registrar for .eu registrations are not following the rules correctly.

You might not like the rules, and it could be interesting to discuss that, but the issue at the moment is that Dreamhost and/or their registrar are not following the EURid rules, by refusing to act as a proxy to provide whois anonymity for personal registrations in cases where the customer has not requested otherwise.

At least, that’s how it looks based on what I’ve managed to find out so far. Any clarifications from Dreamhost staff or others at this point would be much appreciated.


#14

The “General Eligibility Criteria” implies that the proxy or representative is themselves a legal EU entity.


#15

Well actually it doesn’t. The General Eligibility Criteria are:

for a person, to reside in the EU;
or for a company, to have its registered office or headquarters in the EU;
or for an organization, to be established in the EU.

That sentence is saying that the details which a registrar sends to the registry must be the details of the actual registrant;

and if a would-be registrant does not meet the General Eligibility Criteria, the registrar cannot try to get around that fact by using instead the details of a proxy, or representative, or of the registrar itself.

But there is no requirement that a registrar meet the General Eligibility Criteria.

Presumably because of marketing, the most successful .eu registrars do tend to be based in Europe, or have subsidiaries there, but they are not obliged to. See for example, “EU registrars corner .eu registration market”:

[quote]An overwhelming 84% of .eu domain names are registered by registrars based in the European Union, according to analysis done by the .eu registry, EURid.

The domain name industry is global, so .eu accredited registrars can be located anywhere. Many US-based registrars have subsidiaries in Europe.[/quote]

but the graph shows that for the UK, more than 50% of .eu registrations are with non-EU registrars.

For more about the information which must be supplied by the registrar to the registry, see the Code of Conduct:

but this does not affect whois anonymity. The information is collected by the registry, but (for personal registrations) is not to be published in the whois unless the customer requests it.


#16

info@eurid.eu


#17

I investigated some more and may be able to shed some light on the problem.

The registry’s guidelines are that a personal registrant (as opposed to company) should leave any ‘organization’ field in the registration form blank. Then their registration will be processed as personal and their contact details will not be published in the whois.

Well, in the registration form at https://panel.dreamhost.com/index.cgi?tree=domain.registration& the first field is ‘name’ and the second field is ‘organization’. But if one tries to submit that form with the ‘organization’ field blank, then the panel flags that as an error and marks the field as ‘required’. Thus a personal registrant through Dreamhost is forced to either abandon the registration attempt, or to pretend to be a company or organization with the result that their contact details will be published in the whois.

Now I’m trying to find out if this is an error which Dreamhost can correct, or if the error originates with their registrar (publicdomainregistry.com) … have submitted a support ticket.


#18

Perhaps a minor alteration to the page’s javascript could solve the matter without too much fuss. Flip a switch [x]Business []Personal - where Personal would set the problematic Organisation field to disabled, and its processing variable to blank.
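
The toggle suggested in post #18, combined with the blank-by-default presets proposed in posts #3 and #11, as an added example that is not part of the original thread and is not DreamHost's panel code. All names (`PRIVACY_TLDS`, `initialFormState`, `validateRegistration`) and the sample TLD list are assumptions made for illustration.

```javascript
// Added example; hypothetical names, not DreamHost's panel code.
// Constructed sample list of TLDs for which the WHOIS privacy service exists.
const PRIVACY_TLDS = new Set(["com", "org", "net"]);
const CONTACT_FIELDS = ["name", "organization", "address", "phone", "email"];

// Initial state of the WHOIS form. Account details are pre-filled only when
// they will sit behind the privacy service, or when the registrant has ticked
// the opt-in box ("Use my Dreamhost contact details", unchecked by default).
function initialFormState(account, tld, useAccountDetails = false) {
  const privacyAvailable = PRIVACY_TLDS.has(tld.toLowerCase());
  const prefill = privacyAvailable || useAccountDetails;
  const fields = {};
  for (const key of CONTACT_FIELDS) {
    fields[key] = prefill ? (account[key] || "") : "";
  }
  fields.name = account.name || ""; // the name field may stay pre-set
  return {
    tld,
    privacySelected: privacyAvailable, // never pre-selected where unavailable
    registrantType: "personal",        // toggle: "personal" or "business"
    warning: privacyAvailable ? null
      : `WHOIS privacy service is not available for .${tld}`,
    fields,
  };
}

// Validate on submit. For a personal registrant the organization field is
// treated as disabled and always submitted blank; only a business must fill it.
function validateRegistration(state) {
  const submitted = { ...state.fields };
  const required = ["name", "address", "phone", "email"];
  if (state.registrantType === "personal") {
    submitted.organization = "";
  } else {
    required.push("organization");
  }
  const errors = required.filter((key) => !submitted[key].trim());
  return { ok: errors.length === 0, errors, submitted };
}
```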


#19

Response has arrived from Dreamhost support (two weeks ago … I’ve only just got around to dealing with it)

Good news. Now the whois info at the registry shows only my email address and my choice of language. No name, no address, no phone number. The only non-email contact information shown is for Dreamhost’s registrar which is PublicDomainRegistry.com with an address and phone number in Oregon USA.

So this is definite proof that this is possible, for .eu domains, even when the registrar is located outside Europe.

(The registrant needs to provide a European address, but neither the address nor the registrant’s name nor phone number need be shown in the whois.)

The underlying problem in Dreamhost’s registration procedure is still unfixed: for a .eu domain, the registrant is still forced to fill in the organization field in the registration form, which will result in their being registered as a company; if they want private registration, they then have to ask Dreamhost support to get their identifying information removed.

Hopefully this can be corrected when time allows; as bugs go, it’s probably not very high priority. In the meantime, personal registrants can simply use another registrar.