Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
The Internet Privacy Security

Google Error Leaks Website Owners' Personal Information 42

itwbennett writes: A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private. The privacy breach involves whois, a database that contains contact information for people who've bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee. But Craig Williams, senior technical leader for Cisco's Talos research group, discovered that the privacy settings for domain names registered through the company eNom were being turned off right at the time when the domains were up for renewal, starting around mid-2013. Williams contacted Google, and in about six days the privacy settings had been restored. In a notice, Google blamed a "software defect." Cisco said in a blog post that some 282,867 domains were affected.
This discussion has been archived. No new comments can be posted.

Google Error Leaks Website Owners' Personal Information

Comments Filter:
  • by eedwardsjr ( 1327857 ) on Friday March 13, 2015 @12:55PM (#49251323)
    "Google blamed a “software defect.” Company officials could not immediately be reached". That sounds about right.
  • You shouldn't even be allowed to hide who you are when you own a domain.
    • Re:Leak? (Score:4, Interesting)

      by Richard_at_work ( 517087 ) <richardpriceNO@SPAMgmail.com> on Friday March 13, 2015 @01:12PM (#49251457)

      And why not? Why shouldn't domain owners have privacy?

      • Re:Leak? (Score:5, Informative)

        by sumdumass ( 711423 ) on Friday March 13, 2015 @01:23PM (#49251567) Journal

        Yup. They should have as much privacy as any home owner, car owner, anyone who has been party of a court case, holds a business license, contributes to political actions in the state of california and i'm sure a lot of other activities subject to public records searches.

        But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

        • Re:Leak? (Score:5, Insightful)

          by ShaunC ( 203807 ) on Friday March 13, 2015 @05:30PM (#49253235)

          But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

          Maybe I'm reading you wrong, but my understanding is you feel that a domain owner's personal information should be clearly available in WHOIS. I disagree.

          If you as the owner of a domain are party to a court case involving that domain, whether due to your operation of a business using that domain or for any other cause of action, your ownership will become public record during the legal proceedings, regardless of your domain registration preferences. It's not as if WHOIS privacy protection somehow makes the registered owner truly anonymous.

          Do you drive a car? If so, I presume it displays a license plate. The license plate doesn't contain your name, your address, your phone number, or any other personally identifying information (unless perhaps you've volunteered the info by registering a vanity tag). Suppose one day you do something in traffic which another driver perceives as an asshole move, and they become enraged. Like, "I want to kill that person" enraged. They can't just go home and type `whois [your tag]` and get all of your personal information. That's a good thing, right?

          If you've committed a crime, the police have access to that data and are able to unmask you in order to enforce the law. But Joe Random, who has become upset at you for some reason and wishes to do you harm, isn't readily able to derive your personal information from your car's license plate. Why should your domain name be any different? If you make a post on your blog that offends someone, should that person be able to look up your full name and address and do who-knows-what?

          • But seeing how domain names are often treated like property, i'm not sure why it isn't expected to be treated a lot like property.

            Maybe I'm reading you wrong, but my understanding is you feel that a domain owner's personal information should be clearly available in WHOIS. I disagree.

            If you as the owner of a domain are party to a court case involving that domain, whether due to your operation of a business using that domain or for any other cause of action, your ownership will become public record during the legal proceedings, regardless of your domain registration preferences. It's not as if WHOIS privacy protection somehow makes the registered owner truly anonymous.

            Do you drive a car? If so, I presume it displays a license plate. The license plate doesn't contain your name, your address, your phone number, or any other personally identifying information (unless perhaps you've volunteered the info by registering a vanity tag). Suppose one day you do something in traffic which another driver perceives as an asshole move, and they become enraged. Like, "I want to kill that person" enraged. They can't just go home and type `whois [your tag]` and get all of your personal information. That's a good thing, right?

            If you've committed a crime, the police have access to that data and are able to unmask you in order to enforce the law. But Joe Random, who has become upset at you for some reason and wishes to do you harm, isn't readily able to derive your personal information from your car's license plate. Why should your domain name be any different? If you make a post on your blog that offends someone, should that person be able to look up your full name and address and do who-knows-what?

            What? All of those things that person listed are public records that can be looked up if you go to the clerk's office and spend about $20. That was the point. You can even just look some of them up now on the web, although it usually is behind a small paywall.

        • Tell me where I can submit a free request and get back full ownership details for either a building or a vehicle - both of those are restricted in the UK.

          • In the USA, the county auditors office will give you a listing of the homes, owners, purchase price, current tax appraised value and much more. Often this is online and available from anywhere in the world. For instance, you can go to

            http://property.franklincounty... [franklinco...uditor.com]

            which is the county auditors office property page for Franklin county Ohio (Columbus Ohio area). You can select search, then by any means you have and gain access to the property records. For instance, I searched for willis under the search by o

    • Re: (Score:3, Insightful)

      by Akili ( 1497645 )
      I've certainly had the same thought.

      There are times I actually try to find the owner of a domain, only to find them hidden behind a proxy registration. Some owners have forgotten their info to manage their proxied domains, leaving me unable to trivially verify if the site is still theirs when helping them.

      There is a risk involved with having a valid address on file for domain ownership, though. Can't ignore that. I have a private domain and my information is not protected, and I have yet to be
      • Here's another scenario... if the original owner accidentally allows the domain to expire, can the proxy site choose to register the name itself, and only sell it back to the owner at whatever price they want to ask?

        Why not? If private individuals can do that, why not a company? I let a domain I wasn't using expire. It was snapped up by a speculator who sent me a couple of emails or letters (I forget) offering me the name back for a fee. I ignored him and he eventually went away.

        • by Akili ( 1497645 )
          It certainly helps if you don't care to get the domain back!

          If someone is watching a given domain to pounce it as soon as it expires, there's really nothing to be done aside from not allowing it to expire. But the proxy company could potentially do so as a matter of automation, since they already have the domain on file along with other information about it. So while you may ordinarily have a grace period of a few days before anyone notices - purely by chance, of course - you might not have it in this
    • by Zedrick ( 764028 )
      It's not (not for the gTLD's). People who are anonymous either uses fake information in the whois, or (more likely) doesn't actually own the domain. Which can cause some interesting situations when they want to transfer the domain, and the proxy-service that actually owns it doesn't cooperate.
  • by Anonymous Coward

    So it's like 4 people then?

  • There's not much scary here. I mean, it's not like Google has more sensitive information than domain registrations about every person ever. I'm glad that such information is so secure it only takes a minor bug to reveal it to the world. I feel so safe.

User hostile.

Working...