Preventing WHOIS

Discussion in 'Computer Security' started by tobito85, Feb 23, 2009.

  1. tobito85

    tobito85 Guest

    Hello!

    I LOVE privacy. Is there a way to set up a website anonymously? Right
    now anyone can use whois http://www.yourwebsite.com and he'll find out
    who the domain is registered to. There is the possibility to use a
    company that offers you a proxy server but then that company legally
    becomes the holder of that domain.

    I'd like to be the sole owner of the domain and yet be impenetrable to
    the whole whois gestapo thing. Is there a way?

    Are there some top level domains that are more suitable for this than
    other?

    Is there anybody out there who can offer me some help, give me some
    pointers of something?
     
    tobito85, Feb 23, 2009
    #1
    1. Advertisements

  2. tobito85

    Ari© Guest

    Lie.
     
    Ari©, Feb 23, 2009
    #2
    1. Advertisements

  3. tobito85

    No One Guest

    On Mon, 23 Feb 2009 11:10:02 -0500, Ari© wrote:
    The person who calls himself "No One", but who's real name is Dan
    Camper, used this as his signature in his post above:

    Meet Ari! http://tr.im/1fa3

    Only thing is, the person depicted in the photograph at
    http://tr.im/1fa3 is *not* Frank J. Camper, or as he calls himself,
    "Ari".

    That is a photo of "Kinky" Friedman, who has a webpage at
    http://www.kinkyfriedman.com/

    FYI
     
    No One, Feb 23, 2009
    #3
  4. tobito85

    Gerard Bok Guest

    Sure. Host your website on 10.0.0.1
    Or on 127.0.0.1
    Absolute privacy guaranteed. And cheap too.
     
    Gerard Bok, Feb 23, 2009
    #4
  5. $ whois yourwebsite.com

    Registrant:
    yourwebsite
    36480 Peugeot Place
    Newark, California 94560
    United States

    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
    Domain Name: YOURWEBSITE.COM
    Created on: 02-Jan-98
    Expires on: 01-Jan-10
    Last Updated on: 29-Dec-08

    Perhaps you would want to use "example.com" (reserved for the purpose)
    instead of a domain name actually owned by someone.
    Got a cite for that? I've a couple of domains and the privacy company
    does *not* own them.
    Yes. Avail yourself of the privacy services offered by your registrar.
    Normally, it is an extra-cost option, maybe $9USD or about 78 Swedish
    Kronor per year.
    Explore your registrar's site for the privacy option. Ex:
    http://www.godaddy.com/gdshop/dbp/landing.asp?ci=9002
     
    Beauregard T. Shagnasty, Feb 23, 2009
    #5
  6. tobito85

    nemo_outis Guest

    wrote in @n2g2000vba.googlegroups.com:

    It can be done very privately but it requires *your own* company.

    I give the strongest way below but using any company (either one you
    already own or a newly-set-up one - I believe *everyone* should own at
    least one company) will go a long way to shielding your personal privacy.

    For ordinary privacy (not, say, thwarting a multi-million-dollar lawsuit)
    the **simple unadorned version** (i.e., any old company with no
    embellishments, with all domain registration addresses, etc. as the
    company's) is plenty.

    But if you want *maximum* privacy, here's how:

    A (USian) LLC is preferable to a traditional company. And the best LLC
    is a New Mexico one (permits bearer shares, etc.). An LLC has an address
    for its New Mexico "agent" but the address of the actual LLC can be (and
    usually is) elsewhere (in fact, the mailing address can be different from
    the place of business address and both can be different from the agent's
    NM address). There is no list of LLC members, etc. (well, there is, but
    it's at the LLC's - possibly offshore - place of business :) It will be
    next to impossible to trace you personally if you set this up right
    (e.g., have an intermediary set up the LLC and then you buy all the
    bearer shares, etc.).

    Domain registration (I'll speak of .com; requirements can be different
    for some others) is in the company/LLC's name (not a person's). The
    other names that must be given (administrative contact, technical
    contact, etc) will not have personal data for address, etc. but rather
    will use the *company's* address, phone number, email, etc. Anyone
    trying to compromise the privacy of a real live human being (whose name
    may itself be fictitious - the LLC fired and replaced its "administrative
    contact" last month if anyone inquires :) will dead-end at the LLC agent
    (or the LLC's mail drop address) or the actual domain site. (In fact, if
    the domain is hosted, it is common for the "technical contact" to be the
    hosting site fellow.)

    This is much better than lying (it would be a real PITA if, after using a
    domain name for years, you lost it because of a registration
    irregularity) or going through a registration intermediary like Godaddy
    (who then becomes the *real* owner of your domain name).

    Regards,

    PS Initially setting up the LLC (or just a company in your home
    jurisdiction) will typically cost only a few hundred dollars ($300-500)
    and annual operating costs (essentially just for the NM agent) are
    typically $100-200. Not free, but well within reach of anyone who truly
    values his privacy. Pay the LLC fees and the domain name fees with cash
    or money orders.

    (Incidentally an LLC - or better, several of them - have many other uses
    for privacy purposes. There will be no tax complications if your LLC does
    no serious business and/or operates on a flow-through basis.)

    PPS If you are paranoid a number of additional layers of security can be
    added such as having any mail directed to a mail-drop, ideally in a
    foreign country (again, can be done for $100 or so). Similar precautions
    can be done with telephone (e.g., use VOIP, etc.) You can even have the
    LLC itself "owned" not by a person but by a different company (LLC, etc.)
    possibly offshore (usually this level of security is only needed for
    major tax fraud, asset hiding, etc. and not for ordinary privacy).
     
    nemo_outis, Feb 23, 2009
    #6
  7. tobito85

    VanguardLH Guest

    Sure. Use a registrar that provides for private registrations. ICANN
    requires that registrars provide a name for whomever is responsible for
    the domain registration. The loophole is that the registrar volunteers
    to be responsible. So you register your domain with them but the
    registrar list themself as the contact for that domain. There are
    several registrars that now provide private registrations and the number
    is growing: GoDaddy with their Domains by Proxy service, Network
    Solutions, and WildWest Domains (known for having lots of spam sources
    and affiliate to GoDaddy) are some of them.

    If customers see that you are hiding that they figure there is a
    negative reason to do so and they may not trust you. That's how I feel
    when I find a domain owner that tries to hide. There are better ways to
    block domain registration related spam. For example, in the e-mail
    address you provide for registration (required and is supposed to be a
    valid, active, and monitored account), just use a rule in that account
    to block all e-mails that don't originate from your registrar. You'll
    get their e-mails regarding your registration but dump everyone else's.

    http://help.godaddy.com/topic/248
    http://www.godaddy.com/gdshop/dbp/landing.asp?ci=9002
    https://www.networksolutions.com/domain-name-registration/private.jsp

    However, I've heard that many of them will divulge the actual domain
    registrant when pressed for the information and without requiring a
    subpoena. If the plantiff provides sufficient cause for divulging that
    info, the registrar will release it. You can try to hide. That doesn't
    mean you cannot be found.
     
    VanguardLH, Feb 23, 2009
    #7
  8. I'd like to be the sole owner of the domain and yet be impenetrable to
    I have one domain registered under a fake name and address, this goes
    against the ICANN rules and they will take it away from me when they
    find out. But they need to find out first.

    If you go down this road I advice you use a working email address to
    get your registrar emails and avoid bouncing them.
    Many Ltd domains do not allow whois privacy. I would stick to .com and
    ..net
    You can use the whois protection service at http://www.namecheap.com

    Or Ixquick "Registrar that offers whois protection"
     
    Frank Merlott, Feb 23, 2009
    #8
  9. tobito85

    Gerard Bok Guest

    Next problem you may face is proving you are the owner if in fact
    the "registered owner" doesn't exist at all :)
     
    Gerard Bok, Feb 24, 2009
    #9
  10. Don't flame me just because I'm a n00b... :-(

    This contradicts what nemo_outis says.
     
    Torbjörn Svensson Diaz, Feb 24, 2009
    #10
  11. What I want to do is percetly legal. I just don't want some animal
    rights/feminist/far left/far right/whatever acitivst to call me in the
    middle of the night and threaten me because of my website. That's the
    amount of protection I want presently. Later on I might want some
    more. Still, if authorities want to find out about me, that's OK.

    I am neither a criminal, nor a terrorist, nor a freedom fighter, nor
    an advocate of extreme ideologies or creeds, but only a slightly
    controversial citizen in need of some basic privacy that I thing is
    being compromized if any random punk can call me in the middle of the
    night and go bananas towards me.

    That's all.

    Kind regards,

    Tobito
     
    Torbjörn Svensson Diaz, Feb 24, 2009
    #11
  12. Is it heavily trafficed?

    Thanks for pointing it out.

    What is an Ltd domain? Is it a domain owned by a corporation? Ldt as
    in limited. Or do you mean TLD as in top-level domain?

    I know that e.g. .se doesn't allow privacy.
    Thanks.

    Best regards,
     
    Torbjörn Svensson Diaz, Feb 24, 2009
    #12
  13. I don't understand "permits bearer shares, etc". How is that
    important? Does bearer shares give me additional privacy, control of
    the company, etc? Bear in mind that I'm a n00b.


    In case I earn some money, where do I pay the taxes? Do I pay Swedish
    income tax only or do I have to pay some kind of American corporate
    tax as well?
    Good thinking.
    PITA = pity?
    What an NM agent?

    Why is it better to use several of them? Is the idea that company A
    owns company B that owns company C that owns www.somewebsite.com?
    Does this really work? I mean, are there lots of assets that's
    successfully hided this way?

    Regards,

    Tobito
     
    Torbjörn Svensson Diaz, Feb 24, 2009
    #13
  14. Wouldn't this make my computer a server? Is it possible to set up a
    website this way? What would the URL of my site be?

    Regards,
     
    Torbjörn Svensson Diaz, Feb 24, 2009
    #14
  15. tobito85

    Gerard Bok Guest

    It would:
    a) guarantee you absolute privacy
    b) prevent anyone from claiming ownership of your content.
    And:
    c) It would prevent anyone outside your own network from viewing
    your pages.
    (And in case you still don't get it: it basically reads: "don't
    commit your website to the internet".)

    The whole idea behind 'Internet' is universal access.
    If you want to publish your opinions anonymously, that can be
    done. If you want to retain ownership of your material, that can
    also be done (heck, that's even the default situation!).
    If you want to hide behind some anonimizer's service, that's also
    quite possible.

    What you cannot accomplish is: publish matter on the World Wide
    Web AND retain the material's ownership AND refrain from using
    some proxy organisation's services AND remain anonymous at the
    same time.

    And as to some other comment in this thread: maybe governements
    are much dumber elsewhere (which I doubt), but practically,
    anything that is accessible to the government is also accessible
    to keen activists. (The latter commonly using governmental data
    sources to digg information the government itself is unable to
    extract from it's resources :)
     
    Gerard Bok, Feb 24, 2009
    #15
  16. tobito85

    nemo_outis Guest

    There are two levels to my advice. The first, more important one, is to
    do the domain registration in the name of a company you own. The second,
    more complicated and unnecessary for ordinary privacy, is the
    recommendation to use a particular kind of company (a US New Mexico LLC)
    because it can be structured to provide some very strong privacy features
    approaching anonymity. You probably only need the first level - much of
    the info on how to use an LLC (the second level) is moderately
    complicated and technical.

    One of the "extreme" privacy features of a NM (NM = New Mexico) LLC is
    the ability to use "bearer shares." This means that the share does not
    have to be in the name of a particular shareholder (e.g., John Smith) but
    belongs to whoever holds the share certificate in his hand (the
    "bearer"). A bearer share works just like a cheque that says "Pay to:
    cash" or "Pay to: bearer" rather than "Pay to: John Smith". Obviously
    this permits the owner (i.e., the bearer) of the share to remain
    completely anonymous with no record anywhere. This (and other) tricks
    make it next to impossible to find out who really owns the NM LLC (i.e.,
    the company owning the domain). You hide not only the owner of the
    domain but even the owners of the company from almost any search (except
    that of an intelligence service of a major government). That's privacy!

    (Incidentally, the NM terminology uses "member" and "membership
    certificate" rather than "shareholder" and "share" but the meanings are
    almost the same.)

    ....
    The normal way a NM LLC is set up is 'as if it wasn't there" for tax
    purposes - all income and expenses (and therefore the taxes owing on
    them) are passed through to the members (roughly, shareholders). The
    members pay any taxes (in whatever country they reside), not the company
    (This is called "flow-through"). There is no US tax (but the company
    must file a US form saying so).

    However, it is best to not have the LLC make any money (use a different
    LLC for that). Keep the domain-owning LLC just for that single purpose:
    privacy - don't mix privacy and money-making in the same LLC.

    By making sure you never make any money in the LLC that owns the domain
    name, you ensure that the US tax authorities will never become
    "interested" in you. You also make sure there is no money for anyone to
    get from the LLC if someone sues it because of the website, etc. Use that
    LLC for privacy only, not privacy and business.

    ....
    PITA = pain in the ass = nuisance, bother, hassle
    NM = New Mexico

    If you form an LLC (in any US state, but I'll confine myself to NM) you
    must have a person/company **IN** New Mexico who can receive any
    "official" documentation (including service of legal processes, state
    communications about the LLC, etc.) on behalf of the LLC (which usually
    has an out-of-state mailing and business address).

    There are any number of companies/persons who will perform this "NM
    agent" function for about $200/year - it's usually done as part of the
    process of setting up the NM LLC. There are also annual state fees of
    about $80/year.

    Incidentally, there are lots of websites that (for a fee) will set up a
    NM LLC for you. The problem is that their quality varies tremendously
    from reputable firms to outright con artists.
    I have shown one way to use LLCs - for privacy regarding domain
    ownership. There are many others. For instance, an LLC could be used to
    own a house in a different country. That country might have a large tax
    if a house is sold. But by having the LLC own the house you can just
    sell the LLC to someone else, effectively transferring the house
    "invisibly." Of course, you must do a lot of checking if this is legal
    in whatever jurisdictions apply.

    Other uses for an LLC are to put your assets out of reach from being sued
    (many doctors do this in the litigation-crazy US). Or for tax purposes.
    But one good principle to follow is: one major asset = one LLC. That
    guarantees that you you don't have all your eggs in one basket if you are
    sued, ownership gets exposed, etc.

    In short, many people use an IBC in a tax haven jurisdiction (e.g., Turks
    & Caicos) for privacy/business purposes (some legal, some illegal).
    Incidentally, IBC = international business corporation. Well, a New
    Mexico LLC is really one of the best IBCs in the world (better and
    cheaper and more private than one, say, in the Cayman Islands).
    Yes, there are lots of folks who do this but using 'chains" of companies
    around the world only begins to make sense (in terms of complication,
    cost, etc.) somewhere above $100,000 (some would say above $1,000,000).

    But returning to YOUR situation and skipping the fancy stuff:

    I suggest that, for simplicity, you do the following without any LLC:
    Form a small company in your home jurisdiction (if possible with just one
    director and one shareholder). Ask your lawyer if he will "host" the
    company (which really means the paperwork, including *his* address as the
    company address, just stays in his bottom desk drawer and you pay him a
    small annual fee). A lawyer is best because he acts as a barrier/buffer
    using client-solicitor privilege to shield you from inquiries.

    Register the domain in the name of the company with the lawyer as
    administrative contact (using the lawyer's/company's address but a
    separate VOIP line routed to you, and email to you at your domain. Same
    for technical contact, etc. If anything comes up regarding the domain
    your lawyer will contact you (but will invoke client-solicitor privilege
    to not reveal your name to any inquiries). This will stand up to all but
    the most serious privacy attacks (and will "buy time" even against the
    very serious ones).

    (If company directors, etc. are a matter of public record (which could
    reveal you), consider having the lawyer "own" the company instead of you
    with you holding an irrevocable option to purchase the company at any
    time for one dollar. However, this extra protection is unnecessary for
    "ordinary" WHOIS privacy.)

    Regards,
     
    nemo_outis, Feb 24, 2009
    #16
  17. Of course not, this is a domain paid yearly that I use it for testing
    purposes mainly, I would not want to risk a worthwhile domain name
    giving fake name.

    But I have had that domain registered with fake details for over five
    years now, I think it is very hard for the ICANN to find that out.

    It is when problems arise, ie a complaint is made against you, that
    this will come to light, but otherwise as far as I know the ICANN does
    not go around checking on people's real registration details.
    That was meant to be a Top Level Domain TLD, sorry, Ltd. stands for
    Limited Company I think, totally irrelevant for this case.
     
    Frank Merlott, Feb 24, 2009
    #17
  18. tobito85

    nemo_outis Guest

    Guy is completely right about this. Both he and I are only incorporeal
    voices across the internet. You are unwise to rely on either of us but
    instead you must do *your own* investigations and due diligence. The
    most you should use us for is as signposts to possibly fruitful lines of
    inquiry for YOU to pursue.
    A good place to start is to RTFM (read the f**king manual :) In this
    case it's the "Registration Agreement" for 000domains to perform
    registration for you. You can find it here:
    https://secure.registerapi.com/order/register/agreement.php?siteid=35427

    It is up to you to decide if this meets your needs. However, although
    Guy may find it satisfactory, I find a number of its clauses very, shall
    we say, dsquieting!

    For instance, Clause 5.3 says (in part):
    ___

    Use of registration information and additional registration information.
    You agree and acknowledge that 000Domains will make available the
    Registration Information and the Additional Registration Information to
    ICANN; to other third parties such as VeriSign, Inc. Global Names
    Registry Ltd., Neustar, Inc., Afilias USA, Inc., Global Domains
    International (collectively, "Registry Administrators"); AND AS
    APPLICABLE LAWS MAY REQUIRE OR PERMIT. [my caps]
    ___

    I think you can drive a truck through that gaping hole (especially the
    final "OR PERMIT")!

    Clause 5.4 goes on to say (in part):
    ___

    You further agree that your failure to respond in less than ten (10)
    calendar days to inquiries by 000Domains concerning the accuracy of the
    Registration Information or IMMEDIATELY UPON DISCOVERY OF ANY WILLFUL
    INACCURACY (including i.e. phone number of 555-1212, 000-0000) associated
    with your domain registration shall constitute a material breach of this
    Agreement and WILL BE SUFFICIENT BASIS FOR CANCELLATION OF YOUR DOMAIN
    REGISTRATION. [my caps]
    ___

    This puts you completely at the mercy of 000domains in deciding whether
    to cancel your domain registration if it (in its sole discretion as near
    as I can tell) decides you are in breach. I don't know about you but that
    scares the shit out of me!

    Oh, but you could appeal, of course - not to an impartial court system
    but instead using a special "Dispute Policy" that is incorporated by
    reference into the "Registration Agreement" That "Dispute Policy" can be
    found explicitly here:
    https://secure.registerapi.com/order/register/dispute.php?siteid=35427

    This dispute policy can completely destroy your privacy (even arising
    from a pretty frivolous complaint) **even if you are lucky enough to win
    the appeal and keep your domain registration.** I think it sucks - HARD!
    Others may differ.

    In short, your ass is hanging in the wind and some very chill breezes
    could blow on it. Not because 000domains is a disreputable or dishonest
    company (their terms don't seem any more onerous than most others
    offering similar services) but because - as is completely obvious on even
    the most cursory reading! - the "agreements" are designed to PROTECT
    THEM, NOT YOU! The "agreements" are specifically crafted to give them
    the latitude to throw you to the wolves at the first sign of trouble!
    Once again Guy is completely right - 00domains just wants to make money
    off you **providing you don't cause them any trouble.** If you run a
    completley "vanilla" site and never generate complaints you could happily
    use 000domains for years entirely satisfactorily.

    Nut, on the other hand, if you want your privacy to not be totally
    dependent on 000domain's goodwill and forebearance, and not to collapse
    at the first serious challenge, you would be wise to use stronger
    measures such as the ones I suggest.

    Your ass, your call.

    Regards,

    PS If you not already sufficiently frightened by 000domains "agreement"
    you should read clauses 10 & 11 regarding 000domains' control of the
    content of YOUR domain! You might also read clause 14 about
    Indemnification.

    Why are these clauses there? Becuase 000domains IS THE REAL REGSTERED
    OWNER OF THE DOMAIN - NOT YOU! and is doing all sorts of legal "bobbing
    and weaving" to make sure it doesn't become liable for YOUR actions on
    ITS DOMAIN! Very understandable (I'd do the same if I were 000domains)
    but it leaves YOU out in the cold if anything goes wrong!
     
    nemo_outis, Feb 24, 2009
    #18
  19. tobito85

    nemo_outis Guest

    Guy Macon <http://www.GuyMacon.com/> wrote in

    I agree with your clarifications. It seems that ownership is not
    compromised. However, the privacy protections they offer are quite weak.
    (Well, not really weak when they're in place, just *potentially* very
    easy to revoke.)

    Yeah, I followed the ICANN privacy story for a while back in the mists of
    time and then just gave up on them and used my own privacy mechanisms.

    For an example of how one big business (Microsoft!) handles the privacy
    aspect (well, not really privacy but not using real persons' names) take
    a look at their WHOIS registration. Note that the "administrative
    contact" and "technical contact" are really *roles* not *names* (you can
    also use a corporate name, including that of the corporate registrant or
    some agent company, rather than a human's name) And of course, the
    address, telephone numbers and email addresses are Microsoft's. Nice
    tight closed loop.

    http://www.networksolutions.com/whois-search/microsoft.com

    This is similar to what I did with my LLC (except the address is a mail
    forwarder and the telephone just leads to a recorded message saying how
    to send email or snail mail). My LLC is owned by a Canadian company
    which I control.

    Regards,
     
    nemo_outis, Feb 25, 2009
    #19
  20. Good, yes, but incomplete and inaccurate.
     
    Alpha Romeo India ©, Feb 25, 2009
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.