Protect Your Domain Registrations and Privacy

9 minute read

When you register a domain name, you may expose personal information about yourself: your address, phone number email address. Let’s take a look at domain name registration and privacy.

I was a domain name hoarder: uvjobs.com… uvfood.com… uvweather.com… thermonster.com… pdxlead.org… wattsense.com… shouldisellitnow.com… buyr.biz… trackr.biz… recovr.org… wstlk.us… wowstalker.com… 23meals.com… stuffthatshouldnthavesugarinit.com… unwishlist.com… thingsijustlearned.com… These are just a few from the collection.

Whenever I bought domains like this I also picked up all the .org and .net versions. Because while you think that the .org/.net forms of your domain names don’t matter, they do. If, for example, you’re a presidential candidate, it might be embarrassing for someone who's opposed to your policies to get ahold of them. And it’s definitely embarrassing to let the .com version of your domain slip through your fingers, especially if it ends up in the hands of Donald Trump and he redirects all your traffic to his site.

It’s common for people to buy domain names related to political figures or ideas they disagree with. But although there’s no technological way to register all domains containing a phrase or name — and often organizations miss, or choose not to register, ones like FillInAPoliticiansNameSucks.com — it’s difficult to understand why Jeb Bush’s organization wouldn’t have registered the domain with the simplest form of his own name.

When it came to my own domain buying habits, I was generous. I’d say, “Ahhh! Romkey, you just have lots of ideas!” Some were good, many were unusual (“let’s put a toaster on the internet!”), and a few actually went somewhere — I built websites and user communities for uvfood.com and uvweather.com, and ran them both for several years, so those at least were not just impulsive ideas.

But more often than not, nothing would happen. An idea would pop into my head, I’d think of a cool name, go about acquiring the corresponding domain name, and then let it sit there for eternity.

Occasionally, I’d stumble across a good top level domain—a .com version of the project name — and feel compelled to grab it. Sometimes I was lucky. I only had to pay $10 or $20 annually for it. But usually, the cost of the domains I really wanted spiraled into the hundreds and thousands (thankfully, not the millions). That’s because speculators (A.K.A. domain name squatters) buy up domain names they think may be of value in the future. They hold a domain for $10 a year and make an easy profit when they sell it for thousands later on.

It’s not just speculators and squatters who cash in. Domain registration is big business, with industry revenue at $2 billion annually. It’s also a great way to erode your income in increments of $10 and $20—that’s assuming you only register unused domain names. Buying domain names that someone else already owns could mean spending hundreds to hundreds of thousands of dollars to take control of a valuable piece of online real estate.

With domain names worth so much money, it’s not surprising that, sometimes, people steal them.

Protect Your Domains

Believe it or not, domain name theft is a real problem that actually happens.

In the 90s, when the world beyond the networking community was first coming online, sex.com was one of the most valuable domain names. It was also the first high profile domain to be stolen. One day, its owner found that its registration had been transferred to another person. The thief used forged documents and email messages to fraudulently take control of the domain, leading to a five year, $65 million lawsuit.

Domain registrars are more careful about transfers today than they were in 1995, but there are still several things you can do to improve the protection of your domain names.

First, enable registrar lock. The details vary by registrar, but there’s likely some kind of “lock” functionality which tells them not to allow the domain to be transferred away. Registrars like this because it means they keep getting paid for holding your domain. But the setting isn’t always, by default, enabled. Double check that it is turned on. This way, you have to manually disable it to be able to transfer a domain elsewhere.

You should also increase the security of your domain registrar account. Use a strong, unique password, and if your registrar supports two-factor authentication, enable it. This will prevent your account (and your domains) being accessed by anyone who doesn’t have your cell phone or whatever device you use as the second factor. Why should you beef up the security on your account? Because If someone gets control of your domain registrar account, they have total control of your domains (registrar lock or no), so treat your account as a high value asset.

Also consider turning auto-renew on, or purchasing your domain for multiple years. Besides the embarrassment of having a web service go offline because you forgot to renew its domain name, you can easily lose control of your domain if you let it expire. Once the domain expires, someone else can legally go ahead and take control of it just by paying the registration fee. That’s not even theft; you gave up your rights to the domain when you failed to pay on time. It’s easy to find out when a domain expires (as well as who owns it—more on that next), and once someone knows that, they can wait till the expiry date and grab it if it doesn’t auto-renew. This is called “sniping”—it’s similar to the auction sniping that eBayers experience—and it’s a common way for people to gain or lose control of domains.

Protect Your Privacy

Even if you own and have secured your domain name, unless you’ve taken steps to protect it, your personal information is freely published online for anyone to see. This can include your name, home or office address, phone number and email. That’s because, by default, the information you share with your registrar is public information. There’s even a special protocol for it, the “whois” protocol. The whois protocol is one of the simplest protocols ever—the program opens a connection to the “whois” servers, sends a line containing the name you want to look up, and the server burps an answer back at the program, which then displays it.

Check your public domain information now: [pwhois]

or you can inspect whois information at https://whois.icann.org/en. Try going there and plugging in your favorite site. If the domain owner hasn’t protected their information, you’ll see something like this:

Domain Name: ROMKEY.COM
 Registry Domain ID: 10483066_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.enom.com
 Registrar URL: www.enom.com
 Updated Date:
 Creation Date: 1999-09-21T04:13:00.00Z
 Registrar Registration Expiration Date: 2018-09-21T04:13:09.00Z
 Registrar: ENOM, INC.
 Registrar IANA ID: 48
 Reseller: NAMECHEAP.COM
 Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
 Registry Registrant ID:
 Registrant Name: John Romkey
 Registrant Organization: romkey.com
 Registrant Street: 1428 Elm Street
 Registrant City: Springfield
 Registrant State/Province: OZ
 Registrant Postal Code: 00000
 Registrant Country: US
 Registrant Phone: +555.5551212
 Registrant Phone Ext:
 Registrant Fax: +seriously?
 Registrant Fax Ext:
 Registrant Email: [email protected]

Registering a domain may have resulted in your address, phone number and email being published for anyone to see. Do you know who likes to discover this sort of information? Spammers and scammers.

Once your info is out there, expect to receive emails insisting that you pay for search engine listing, or urging you to (falsely) renew your domains. You may even get phone calls from these people. Depending on how many domains you have registered and how aggressive the scammers are with you, you may receive emails daily, implying that they have something to do with your domain name.

Screenshot 2017-04-11 11.23.14.png

All in all, the amount of spam you receive will rise dramatically. But there is a way out. Of course, it’s not free. Neither was getting phone companies to keep your number unlisted.

Domain registrars are infamous for upcharges. You just want a domain, but what about hosting? How about premium DNS? Do you want a free email account? A site builder? Oh, you’ve gotta have an SSL certificate!

registrar-upcharges.jpeg

Privacy gets lost amongst all these upcharge options, even though it’s really the only one you need (SSL certificates are important but you can usually get those for free today via Let’s Encrypt). I wouldn’t suggest having your registrar hosting or promoting your site, or that you get email through them. If you need those things, buy them from companies which specialize in them. But your registrar is the only one who can protect your whois information.

Different registrars have different names and prices for this service: GoDaddy calls it “Privacy Protection” and charges $9.99 per year, Namecheap calls it “WhoisGuard” and charges $2.88 per year for it. EasyDNS calls it “Whois Privacy” and charges $7.50.

Once you purchase/enable it, your whois entry will look more like this:

Domain Name: ROMKEY.COM
 Registry Domain ID: 10483066_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.enom.com
 Registrar URL: www.enom.com
 Updated Date:
 Creation Date: 1999-09-21T04:13:00.00Z
 Registrar Registration Expiration Date: 2018-09-21T04:13:09.00Z
 Registrar: ENOM, INC.
 Registrar IANA ID: 48
 Reseller: NAMECHEAP.COM
 Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
 Registry Registrant ID:
 Registrant Name: WHOISGUARD PROTECTED
 Registrant Organization: WHOISGUARD, INC.
 Registrant Street: P.O. BOX 0823-03411
 Registrant City: PANAMA
 Registrant State/Province: PANAMA
 Registrant Postal Code: 0
 Registrant Country: PA
 Registrant Phone: +507.8365503
 Registrant Phone Ext:
 Registrant Fax: +51.17057182
 Registrant Fax Ext:
 Registrant Email: [email protected]

Note that none of my personal information—not even my name—is listed in the whois entry for romkey.com.

But isn’t it easier—and free—to lie? Not really.

ICANN, which is the organization that controls the domain name system, requires valid contact information when you register a domain. If you lie and they catch you, you may lose your domain. Registrars have their own unique ways of dealing with this requirement—some even use third party services to verify contact information.

But while it’s difficult for me to argue that it costs anywhere near $10 a year for a registrar to provide this service, it’s easily worth $10 per year for me to have my information kept private.

Protect Your Sanity And Wallet

Suppose you kept a gallery of all the ideas you ever had but never followed up on. Something out of sight but which you had to see occasionally while getting a glass of water or cleaning the cat box.

That’s what my domain registrar account was. I frequently needed to make small changes to the one or two domains I actually used, and every time I did, I had to search for them in the list of all the domains I didn’t use. I’d have to trawl through a list of unrealized ideas, ideas that were not worth pursuing, ideas which felt more and more like failures every time I saw them. I registered them to protect them and hoard them for my own use, and to have a tiny, micro-commitment saying “Hey, this idea is worth at least $10 to me!” But they soon became a real drag.

The fact is, not all ideas deserve our time and attention. My domain name graveyard became a list of the ones that didn’t get mine. Ultimately, I realized I was better off just letting them go, rather than keeping them around for the day when I might get around to finally using them. After all, was I really likely to follow-up on an idea next year which hadn’t been appealing enough to do something with two years ago?

Now, I only register domain names I’m confident I’ll use. And if I don’t use them within a year, I let them go—“Fly, be free! Go back into the wild where someone else can use you to realize their own ideas and ambitions.”

Updated: