I've been thinking about the misleading notices sent by Verisign and DROA/DROC, and my thoughts turned to "where did they get the list of postal addresses?".
Assuming they aren't illegally mining the WHOIS (which is doubtful for operations of that size), the answer is most likely that these two companies purchased the information from OpenSRS under the ICANN-mandated bulk WHOIS sharing program. (I'd be interested to hear if OpenSRS would confirm that, although I assume they aren't able to disclose customer information for privacy reasons. But if OpenSRS has never dealt with these companies, it seems possible to say so without overstepping privacy bounds... hint hint...) Anyway, one of the provisions of the ICANN requirement is that the registrar may, at its option, provide domain owners with a way to opt out of the bulk WHOIS sharing: http://www.icann.org/registrars/ra-agreement-17may01.htm (Section 3.3.6.6.) This topic has come up a couple of times over the last two years, and the consensus, if I recall correctly (I'm having a hard time finding the exact responses from OpenSRS folks in the archives) has pretty much been that there were more important things for OpenSRS to work on, which was probably true at the time. I'd like to suggest that this is now a much higher priority issue. Previously, it was merely annoying: other registrars would occasionally send "special offers" to try to tempt our customers, and our customers were subjected to extra paper junk mail -- both annoying, as I said, but both a part of this modern world. Now, it's different: our competitors are using the information that OpenSRS sells them to commit mail fraud in an attempt to steal our mutual customers, and I suspect this situation will probably get worse before it gets better. A way for customers to opt out of having their name, address and domain name sold to third parties in bulk is now much more important. Since ICANN does allow OpenSRS to implement such a thing, I'd hope that this could be made a priority. I would also hope that the technical ability would be provided for resellers to set this flag (and not just end-users), as I would intend to set it for all my customer accounts (disclosing that fact to them, of course, and giving them the chance to leave it on if they wanted to). Finally, I want to point out that I'm NOT blaming OpenSRS for the fact that they sold the info to Verisign/DROA in the past (assuming that happened), because they had no choice, and the work required to ameliorate the situation by providing an opt-out mechanism was previously out of proportion to the benefit. But things have clearly changed. So, OpenSRS folks: any possibility of adding this feature? -- Robert L Mathews, Tiger Technologies "The trouble with doing something right the first time is that nobody appreciates how difficult it was."
