Moral domain registrars: do they even exist?

I came across a recent blog post over at Wired, asking the famous question: who exactly is a worthwhile registrar?

As I expected, “worthwhile” can be interpreted in many ways. For some, worthwhile means low-cost (whoever’s the cheapest). For others, it’s about privacy — and I happen to be one of the latter.

As someone who has provided 100% free hosting services to the world since the 90s, I’ve learned that it’s really not about price: it’s about quality and privacy. I like a registrar who offers a good control panel interface for managing your domains (for example, if I add/remove a nameserver I do not want to have to repeat the process for every single domain I have with that registrar — a bulk modification method is a must), and one who truly respects their customers’ privacy.

You might be asking “what exactly does the word ‘truly’ encompass?” It’s very simple, and any basic security-savvy administrator adheres to it: do not disclose ANY of the information I provide you, unless I provide prior consent. That means no one except employees of your company has access to the information I give you (excluding things like WHOIS records, or the “real” owner of a domain (which gets submitted to ICANN)). I don’t want my information given to third-parties, associates, affiliates, or even contractors (I’m willing to exclude the last item only if the company provides its customers a copy of the legally-binding contract their contractors have to sign, and it must include statements of what the legal ramifications are if the contractor violates privacy policies in regards to customer information).

It gets complex when you consider that ICANN demands customer records (not WHOIS, but the actual/true owner of the domain) for themselves… but then requires registrars to make available that information to those who want it (usually through large resales; e.g. US$10K will get you the entire database, even with companies like OpenSRS).

I don’t mind ICANN having my information; what I do mind is companies like the Domain Registry of America (otherwise known as Domain Renewal Group) getting access to my name, address, phone number, Email address, and lots of other things. For tens of thousands of dollars, they can get all of my information — and I’ve never been comfortable with that.

It gets scary when you start looking for what I call a “moral” registrar: one who actually understands and complies with the above security concept. Let’s take a look at the privacy policies of the top 10 popular registrars, based on what considers the top 10 (with a couple of registrars I consider “popular” thrown in):

  1. GoDaddy
  2. eNom
  3. Network Solutions (VeriSign)
  4. Tucows (OpenSRS)
  5. Melbourne IT
  6. Schlund+Partner (1&1 Internet)
  7. Wild West Domains (explicitly excluded, see below)
  8. Moniker Online Services
  10. PublicDomainRegistry
  11. Gandi (see below)
  12. DomainDiscover

All of these companies or organisations have two common clauses: a clause mentioning they have to submit your real contact details to ICANN (which is true; there’s no avoiding that), and — this is the kicker — a clause stating they reserve the right to distribute your information to third-parties, affiliates, or other “mysterious entities”… but they never tell you who (and I’m willing to bet they never mail you to tell you who they go into business with either).

Wild West Domains was explicitly excluded because they have a direct relation to the Domain Registry of America, who I won’t discuss based on past legal actions of theirs against bloggers. This is what I’m talking about:

PublicDomainRegistry is absolutely amazing. See Section 13, subsection (2) of their Registrant Agreement PDF. I don’t know anyone in their right mind who would agree with this had they read it in full prior to a domain purchase.

Finally, Gandi. I read 4 separate PDFs of theirs, all of which are somewhat ambiguous in regards to what they do with your information. They don’t even state that said information has to go to ICANN; instead, it seems they imply the information in your WHOIS records is what they go off of. It’s amusing when you note that they offer “Whois protection”, except all they protect is your Email address.

Take the time to review all of the above policies. You’ll be quite disgusted with how open-ended they are; there’s absolutely no guarantee your information won’t be viewed by someone who isn’t a direct employee of the registrar.

It’s a very depressing situation we’re in; all these companies have shady behind-the-scenes ties with companies who are doing god-knows-what with your contact information — and I mean the stuff that’s associated with your billing data, not WHOIS data.