I will start out by admitting that I hate Domain Privacy. But I just read a story in Naked Security on February 9th that is causing me to reevaluate my opinion. It turns out that the new White House press secretary, Sean Spicer, has a personal website at www.seanspicer.com. The website has been turned into a private site, but the WHOIS record for seanspicer.com is showing his home address, phone number, and personal email address. As I write this article five days since the Naked Security post appeared, it is still a matter of public record. I would think a press secretary would not want his home phone number and address in the hands of every news reporter and political crackpot. (As of today, February 27, it is still public.)
When I am working as a cybersecurity penetration tester, the WHOIS record is one of the places I use in the reconnaissance phase of the test, to gather information about the company and personnel at the target.
For those of you not familiar with domain name registration, WHOIS is a public web service. It is a database of website domain names and the people or companies that they are assigned to. In simple terms, a public record of the “owners” of the domain names. Domain names are not really owned, they are assigned using a registration system that is more like a lease. I request a name, and if it is available and not already in use, I pay a yearly fee to use it. If I stop paying, I will lose it. This database is maintained by ICANN, the Internet Corporation for Assigned Names and Numbers, at https://whois.icann.org/en.
The reasons I dislike domain privacy really has to do with my life as a sometime web designer and host. I found that for new clients who had Domain Privacy turned on with their exisitng hosting company, it was often difficult to change their DNS information to point to the new website, and almost impossible to transfer the domain name to a different registrar. Most of this issue revolved around two problems. Often the client could not remember the password they had used to set up their account with the domain privacy company. And sometimes the official email address on file had changed (from an AOL account to Gmail, for instance) and the client never updated this information with the DP company. Since the email address was masked, it was impossible to know if this was a problem. This made password recovery or any other form of communication with the DP company impossible. Often the client had to abandon their domain name and start using another one.
In researching this article, I found that this issue is pretty divisive among Internet professionals. Those with a security focus advocated for domain privacy. Those who were using their domains in a business setting, where online reputation and page rank are concerns, advocated against. Even ICANN appears to be conflicted on this issue. For more information see the links below.
Reasons for domain privacy:
- Reduce the risk of identity theft
- Protect your email address
- Prevent or reduce spam. Spammers harvest WHOIS data in order to get email accounts to spam.
- Protect yourself from phishing exploits. Ditto.
- Keep your identity and location private
- Prevent or reduce the risk of domain name hijacking
Reasons against domain privacy
- Additional annual fee
- ICANN regulations state that your domain is actually “owned” by the domain privacy company, not you.
- Changing your domain registrar or web host can be problematic.
- If your site is a business or commercial site, domain privacy may negatively impact your online reputation, causing lower page rank, and may hurt online sales.
- Spam filtering companies use domain reputation to determine what email to block, and this can cause difficulty with the delivery of email using your domain name.
- People may think domain privacy means your are hiding something, or are dishonest.
So what is my take on all this? If you have registered your domain name personally, and by that I mean that you are the Registrant Contact, and the address in the record is your home address, and the email is your personal email, and the phone number is your personal phone number, I would recommend that you purchase domain privacy to protect yourself from online scammers and cyber-criminals.
Unless you are a person using your website or blog commercially. Then you may want to consider getting a mail drop (FedEx Kinkos or the UPS Store), and using that address in your WHOIS record. Use a separate email account that uses the domain name (for spam avoidance), and set up a business phone number on Google Voice for free.
If you are a business, then you should change the Registrant Contact information to use the business address, business email account, and business phone number. If your personal information appears in the Administrative, Technical, or Billing Contact, you will want to update those records as well. Do not register the domain in the Company Name unless you are prepared for the added hassle of proving you are an authorized agent of the company the next time you want to transfer your domain.
These are three options for your consideration. You can feel free to blend these to suit your needs. But if personal privacy is important to you, then domain privacy will be important, too.
- Naked Security article about Sean Spicer
- Wikipedia – Domain Privacy
- TechDirt – ICANN’s War on Whois Privacy (6-24-2015)
- DailyBlogTips – Time to stop Using Whois Privacy (11-10-2009)
- GreenGeeks – 7 Reasons Why You Should Be Using WHOIS Privacy (12-8-2015)
- easyDNS – 10 Things You Must Know (see item 5)
- easyDNS – The Official Flip-Flop on Whois Privacy
- asmallorange.com – Domain Privacy Protection – Is It Worth It? (9-2012)
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com