Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Whois Tim Henwood
17 May 2016

WHOIS database

In 2012, Wired writer Mat Honan had his entire online life hacked. His Apple ID password was reset. His Gmail password was reset. His Twitter password was reset. His iPhone, iPad and MacBook were all remotely wiped using Apple’s “Find My” tool – the tool that locates and gives remote access to your various iDevices.

This was made possible by crafty social engineering, and security policies that assumed people operated in a vacuum, but, it all started with an email address and a billing address found through a WHOIS search.

Who is WHOIS?

A WHOIS search lets you know WHO the owner of a domain IS and how to contact them. A domain is the bit after the “www” of a website address, or after the “@” in an email address. A WHOIS search gives you information such as the phone number and address of the person or organisation behind that domain.

Over the last seven months or so, the Domain Name Commission (DNC) has been consulting on what information should show up when you run a WHOIS search on a domain ending in .nz. This consultation follows two previous rounds.

Information can be dangerous

As the story about Mat Honan shows, the information found in a WHOIS search can be used to harm individuals. In some cases, the need to prevent people accessing information is even greater – think about people who are victims of abuse, or online harassment. Ensuring that they can have both personal safety and run a website is something that privacy-aware policies can help with.

Public registers have privacy controls built into their individual legislation, as well as specific provisions in the Privacy Act. While the register of .nz domain owners isn’t an official “public register,” it has many of the hallmarks of public registers, and it is just as important to safeguard the personal information in the .nz register as it is with any public register.

 In our previoussubmissions to the DNC, we’ve advocated strongly for people to have the ability to suppress their contact details in WHOIS searches – especially if you would be able to seek similar suppression from public registers.

In our second, more comprehensive submission, we asked the DNC to consider the public good of making individual domain registrants’ information available overall. That submission is available here. We’re also listening to the current discussion to help inform our views.

We are still developing our submission for the current round of consultation. There is value in maintaining a transparent register, but it’s important that the argument to do so – and how to decide where to draw the line - is convincing.

Photo credit: Ralf Appelt via Flickr




No one has commented on this page yet.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.