Registering Domains Can be Dangerous to Your Privacy

It’s dangerous to use personal information for domain purchases. Here's why.

When you purchase a domain, your personal information, including your name, email, address, and phone number, may be publicly available in the WHOIS database. This exposure will definitely lead to unwanted solicitations, spam, and possibly worse. It can even cause attempts at identity theft.

Once Your Data Is In WHOIS, You're Screwed

Domain registrars and hosting companies often sell your information or leave it vulnerable to prying eyes unless you pay for extra privacy. Many users are unaware that their personal details are at risk until it’s too late.

Our client Laura used her personal email, phone number, and home address when registering her domain, unaware that this information would be publicly available in the WHOIS database. Within weeks of launching her site, Laura started receiving an influx of unsolicited emails and phone calls. She was overwhelmed trying to separate legitimate clients from spam.

Laura was lucky: she didn't fall for any scams in that deluge. But she lost a large business opportunity because she mistook the email for one from a scammer.

Domain Privacy Protection

Domain privacy protection is a feature that masks your contact information from being visible in the WHOIS directory. It’s great protection. These services are offered directly by domain registrars when you buy a new domain.

Many registrars offer this free of charge. Others, like GoDaddy, have been criticized in the past for not automatically including this protection, leaving users to opt in manually or purchase it at an additional cost. Not opting in is, of course, a very dumb move.

Many of the privacy offenders have now switched up tactics after being called out (and we suspect warned by regulators). They now do offer free masking, but upsell you for "Full Domain Protection," in effect charging you for the privilege of using two-factor authentication to secure their systems.

It's a Forever Thing

Even with domain privacy protection enabled, your private data can be exposed if you sell your domain, if you stop paying for it, or if the privacy protection is removed. It's not a sure thing, but it's a likely thing. So, you have to keep paying and paying.

Can You Get Out of WHOIS?

Getting your data out of WHOIS is not easy, and it is a lot like closing the barn door after the cows have escaped. Even if you could delete the data, it has likely already been copied by many other services and sold downstream.

    • Opt-out of Public WHOIS: Some domain extensions (like .us) allow you to opt out of public WHOIS altogether. This means your personal data will not be displayed in the WHOIS database.
    • GDPR/CCPA: If you are located in a region covered by data protection regulations like GDPR or CCPA, you may have the right to request the removal of your personal data from the WHOIS database. Contact the registrar or registry and cite the relevant regulations.
    • Still Captured Historically: Several organizations specialize in collecting and providing access to historical WHOIS information, each offering unique services:
      • DomainTools: Offers a comprehensive WHOIS History service, allowing users to view historical WHOIS records for domains (DomainTools).
      • DomainIQ: Provides detailed domain analytics, including historical WHOIS data, helping users investigate domain ownership over time (Intelium).
      • WhoisXML API: Supplies WHOIS History Lookup services, granting access to a vast archive of historical WHOIS records for domain names (Whois History).
      • Whoxy: Offers a WHOIS History API that enables retrieval of historical WHOIS records, beneficial for tracking domain ownership changes (WhoisXY).
      • BuiltWith: While primarily focused on technology trends and website analytics, BuiltWith maintains datasets that include historical information about domain technologies (BuiltWith).
      • HackerTarget: Provides various security and intelligence tools, including WHOIS lookup services that can aid in gathering domain information (HackerTarget).
      • ICANN: The Internet Corporation for Assigned Names and Numbers manages the global WHOIS database and offers a Registration Data Lookup Tool for accessing current registration data (ICANN Lookup).
      • SecurityTrails: Delivers comprehensive domain and IP intelligence data, including historical WHOIS records, to assist in security investigations.
      • Recorded Future: Provides threat intelligence services that include analysis of domain registration data and historical WHOIS information to identify potential security threats.
      • RiskIQ: Specializes in digital threat management, offering services that include monitoring domain registrations and historical WHOIS data to detect fraudulent activities.
      • Whoisology: Offers WHOIS lookup services, providing access to domain registration information, which may include historical data.
      • Web.com: A domain registrar and web hosting company that provides WHOIS lookup services, primarily offering current registration information.

Lost Domains - What’s at Stake?

Losing a domain for nonpayment or selling it off means the data on your domain record will go public. It's possible you can change it before it goes public, but it's unlikely you can stop it.

There are other risks, especially if you were using the domain to run a business:

Privacy Threats

    • Unintended Data Exposure: Even if a business is no longer actively using a domain, it might still hold residual data like customer information, past transactions, or analytics. Relinquishing the domain without proper data sanitization could inadvertently expose this sensitive information to the public.
    • Lingering Digital Footprint: Even after a business closure, a lost domain can leave a digital footprint that can be exploited. Previous customers, partners, or even malicious actors might attempt to contact the business through the old domain, leading to potential privacy breaches or social engineering attempts.
    • Reputational Damage: A lost domain can create confusion and uncertainty for customers and partners who might stumble upon outdated information or malicious activity associated with the domain. This can damage the reputation of the business and its associated brand, even if the business is no longer active.

Cyber Threats

    • Brand Impersonation: Malicious actors might acquire the relinquished domain and use it to create convincing replicas of the original website or email addresses. This could lead to phishing scams, fraudulent transactions, or the spread of malware under the guise of the legitimate business.
    • Typosquatting: Similar-looking domains (typosquatting) can be registered to capitalize on user errors and redirect traffic to malicious websites, potentially leading to data theft or malware infections.
    • Negative SEO: Competitors or malicious actors might acquire the relinquished domain and use it to engage in negative SEO practices, harming the search engine rankings and online visibility of the business, even if it's using a different domain.

The Real Cost of "Free" Exposure

Here’s why using your personal details for domain and hosting purchases could be more dangerous than you think:

    • Identity Theft: Bad actors can exploit exposed contact information to steal your identity, opening accounts in your name or conducting fraudulent activities.
    • Spam and Scams: Your email and phone number may be sold to spammers or used in phishing attempts.
    • Targeted Attacks: Cybercriminals can use your personal information for social engineering or personalized scams, particularly if they correlate your domain registration with other online activities.

Our Recommendations to Reduce Risk

Don’t Use Your Deets

Don’t use your real name or personal contact details when registering domains. Use a business name or an anonymous alternative.

Avoid .us Domains

Unlike many other top-level domains (TLDs), .us domains are not allowed to use privacy protection services. This means the registrant’s personal details, such as their name, address, phone number, and email, are always publicly accessible in the WHOIS database. This requirement was imposed by the National Telecommunications and Information Administration (NTIA) in an effort to promote transparency.

Enable WHOIS Privacy Protection

Choose a registrar that includes privacy protection by default. Some companies, like Namecheap and Porkbun, offer domain privacy protection at no extra cost.

    • Namecheap
      • Great prices. Privacy by default.
      • Feature-rich platform, advanced domain tools, more niche TLDs.
    • Porkbun
      • Simple, streamlined interface and great customer service.
      • Free privacy protection and SSL certificates for the lifetime of the domain.
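
One way to verify that masking is actually in effect, and how long the registration has left, from the text a `whois` lookup returns. This is an added example, not code from the original article; the sample records, the list of masking markers and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS output for illustration; not a real record.
SAMPLE_EXPOSED = """\
Domain Name: example-shop.test
Registry Expiry Date: 2025-03-01T12:00:00Z
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: 12 Constructed Lane
Registrant Phone: +1.5555550100
Registrant Email: jane@example-shop.test
Admin Email: jane@example-shop.test
"""
SAMPLE_MASKED = """\
Domain Name: example-shop.test
Registry Expiry Date: 2025-03-01T12:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
"""

# Assumption: substrings that mark a masked value. Registrars word these
# differently, so extend the tuple for the registrar you use.
MASK_MARKERS = ("redacted", "privacy", "withheld", "proxy", "please query")
# Organization is left out on purpose: a business name is meant to be public.
CONTACT = re.compile(r"^\s*((?:Registrant|Admin|Tech|Billing) (?:Name|Street|City|Phone|Fax|Email))\s*:(.*)$", re.I)
EXPIRY = re.compile(r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date)\s*:\s*(\S+)", re.I | re.M)

def exposed_fields(whois_text):
    """Return {field: value} for contact fields that hold an unmasked value."""
    exposed = {}
    for line in whois_text.splitlines():
        m = CONTACT.match(line)
        value = m.group(2).strip() if m else ""
        if value and not any(mark in value.lower() for mark in MASK_MARKERS):
            exposed[m.group(1).title()] = value
    return exposed

def days_until_expiry(whois_text, now):
    """Whole days until the listed expiry date (None if absent); `now` must be timezone-aware."""
    m = EXPIRY.search(whois_text)
    if not m:
        return None
    expiry = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only or naive values are treated as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    return (expiry - now).days
```

Run it over the saved output of a `whois` lookup for your own domain; any non-empty result from `exposed_fields` is a reason to check the registrar's privacy setting.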

Avoid these Registrars

Avoid these registrars based on privacy concerns and data-sharing practices:

    • GoDaddy
      • The largest domain registrar globally.
      • Criticized for upselling privacy features and sharing customer data.
      • They have gotten better about privacy lately, but I just don't trust them. And their prices are high.
    • Name.com still upcharges for privacy, at least on some domain extensions.
    • NewFold Digital owns multiple brands, including:
      • Network Solutions, Register.com, Domain.com, BuyDomains.com, SnapNames.com, Bluehost, HostGator, and Web.com
      • Has faced scrutiny for lax privacy practices. 
      • Collects a wide range of personal, usage, and device-related data, shares it with numerous third parties for advertising and marketing purposes, and retains data for extended periods. 
      • Privacy policy provides broad rights to use and combine data in ways that could be invasive for users concerned about their privacy.

Our Final Thoughts and Advice

The internet was built on open access to information, but that doesn’t mean your personal details should be easy to find. Whether you’re a small business owner or a privacy-conscious individual, protecting your information when purchasing domains or hosting is critical.

⚫ Be safe: Use our Checklist for Secure Domain Registration.


⚫ Call ObscureIQ for specific advice about handling domains.

