Should I buy domain privacy now that GDPR is in

by Moana Springfeild   Last Updated July 21, 2019 06:04 AM - source

I used to get scammers ringing my phone because I didn't buy domain privacy. Being in the EU, Do I still need to buy this service if I dont want scammers and spam ringing my phone by looking up whois?

Thanks



Answers 1


They are two different things.

Typically, (it depends a little on the TLD), personal data is stored at two places: the registrar and the registry.

Typically, in gTLDs, there is a public whois server at the registry, and at each registrar, to get access to data. In ccTLDs instead it is often only at the registry.

In any way, a given source can send back only the data it has, or less, but not more. Of course now with the GDPR less and less data is published publicly by default, which means you get whois results like:

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Name.com Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: CO
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY

But it remains that:

  • whatever data you give to a registrar may end up at registry also, per requirements (not true yet for .COM/.NET that remains a thin registry still, but that exception will disappear soon)

  • if you use some proxy/privacy service then the registrar will send that data (and not yours) to the registry: so even the registry will not know the "real data", and can technically not show anything else than the proxy/privacy service details. The registrar and its whois, can display what it wants.

They are caveats in both direction:

  • GDPR applies to EU citizens with also constraints on the providers (Wikipedia says: "The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. "); this is certainly not worldwide. So whatever protection you can derive out of it will depend a lot on your citizenship/residency and which providers (both registrar and registry) you use; note that views diverge: Iceland (in EEA but not in European Union, GDPR applies still) registry decided to continue publishing everything in whois, seeing no disagreement about that and GDPR, see http://domainincite.com/22939-iceland-breaks-ranks-on-whois-will-publish-emails ; so based on which TLDs you register domain names in, you can get very different results in whois output... (things will change a little soon with RDAP providing a uniform output format, but that still does not solve the problem on what to give as data to whom)
  • you have to trust the privacy/proxy service you use, be it your registrar or not. It has first to work correctly and hide your identity (but will probably revert things to you as soon as a dispute is coming), and even that sometimes breaks (like providers first creating the domain with your data, then switching to proxy contact; this could as well be user errors not selecting both service at domain creation). Of course for the external world, that service is the real owner of the domain, and it controls emails delivery to contact and so on... technically it could steal your domain without problems. There are also consequences for transfers between registrars.
Patrick Mevzek
Patrick Mevzek
July 22, 2019 17:52 PM

Related Questions


My clients name isn't shown in Whois

Updated January 05, 2019 12:04 PM


Has the owner ignored the domain for 9 years?

Updated February 15, 2019 16:04 PM