Which UK Internet Company Hates Your Privacy the Most? Here’s a Contender

UPDATE June 13: There’s now a part 2 to this story

As a matter of course, major internet companies have a responsibility towards keeping personal information private. Everything from SWATing, trough stalkers, to identity theft and the [VERY] occasional online sex offender becomes possible when you have personal information about someone easily searchable out in the wild.

So if I were to tell you that a major UK Internet company, and indeed a monopoly company at that, was deliberately attempting to expose people’s information, by making it as difficult as it possibly can, to protect that information. This is not an accident, it’s BY DESIGN.

The company is Nominet. It’s the Domain name registry in the UK, behind every .co.uk, .ac.uk, and starting next week every .uk

Today, as part of the ‘reset the net’ campaign, I thought it would be an appropriate time to highlight these problems. So let’s start with the beginning.

As you all can see, this is a .co.uk domain. It was purchased in February 2012, for this, my personal website. At the time, I paid extra to namecheap for WhoisGuard services BUT that service can’t be used on Nominet domains. I’d missed the disclaimer that noted

Due to registry restrictions, WhoisGuard cannot be used with .asia, .bz, .ca, .cn, .co.uk, .de, .eu, .in, .io, .me.uk, .nu, .li, .ch, .fr, .sg, .com.sg, .org.uk,…

No problem, thought I, Nominet has an opt-out policy for “non-trading individuals”, I’ll just use that. So I did. No problems, until 2 weeks ago.

Subject: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Fri, 23 May 2014 16:18:10 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek,

It has been brought to my attention that you are using your ktetch.co.uk domain name for business or trading purposes and your address details are also opted out of our WHOIS search facility as a consumer. To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.

We have notified your registrar about the status of your domain name and they have the facility to remove the opt-out on your domains. If the opt-out is not removed by them, then I will remove the opt-out on 30 May 2014 and the address details that we hold for you will be published on the WHOIS search facility available at http://www.nominet.org.uk/go/whoisfaq

The reason for this is:

The domain name is being used as part of a business, trade or profession.

If you wish to continue to remain opted out of our WHOIS you will need to arrange for the website to be changed so that you do not advertise using this domain name.

Once the domain name has been opted in, you will be unable to set the opt-out through our Online Services. You should contact your registrar to do this for you if you meet the criteria for opting out at any time in the future. Alternatively, you can contact us if your registrar is unable to help.

You can find more information about our WHOIS policy by visiting http://www.nominet.org.uk/go/whoisfaq

If you have any questions please contact me on 01865 332244, or by replying directly to this email.

Kind regards,

Hannah Dawson

Customer Services
T +44 (0) 1865 332244 F +44 (0) 1865 332288 E [email protected]
http://www.nominet.org.uk

Nominet UK is a company limited by guarantee and registered in England
under No. 3203859. Our registered office is Minerva House, Edmund Halley
Road, Oxford Science Park, Oxford, OX4 4DQ, England.

(I’m going to cut the footers in future, take it as read that’s what they all say)

Huh what?

I do some consulting on the side, and work for a number of other sites, but this is my personal site. I keep my business stuff off here pretty much. So I emailed back

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Fri, 23 May 2014 20:16:33 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

In what way is it being ‘used as part of a business, trade or profession’? It’s got my personal blog on it. Could you tell me what my ‘business, trade or profession’ is, since I’ve taken extensive steps to avoid that for this reason.

Andrew Norton

The reply was NOT swift in coming.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954) Date: Tue, 27 May 2014 09:34:27 +0100 (BST) From: [email protected] Reply-To: [email protected] To: Andrew Norton <[email protected]>

Hi Andrew,

Thank you for your response.

On your website on the right hand side is an amazon advert that states ‘buy my book’ and links through to the site. As this is an advertisement for a product it is classed as business trade or profession.

Please remove this link and any other that point to sites that sell and we can assess further.

If you have any questions please call me.

Hannah Dawson

Fair enough, I can see how promoting my book in a sidebar could be considered as a commercial activity. It was but the work of 20 seconds to drag the widget from the sidebar, to the inactive section in wordpress.

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Tue, 27 May 2014 16:29:30 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

Ok, the widget has been deactivated. Can you give me a list to the rules,so I can see if there is anything else I can spot?

Andrew

Fairly self explanatory, She’s highlighted a problem, and I’ve dealt with it, told her so, and asked for more information so I can be proactive. All sorted yes?

No.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954) Date: Wed, 28 May 2014 14:19:27 +0100 (BST) From: [email protected] Reply-To: [email protected] To: Andrew Norton <[email protected]>

Hi,

Thank you, for removing this link.

As this domain name is currently registered to KTetch Dureek and we have been unable to identify this as an individual you are still unable to be opted out. If this is changed to a individual name then there is the option if the domain name is being used for private use to be opted out.

more details about the rules of the whois please visit http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/contract-terms

Thanks

Hannah Dawson

Say what now? I ask for a link to rules for other issues, and instead of getting future tips, I get a new issue with less than 2 days left. And go check the link they send me.

Purpose of the WHOIS and no promises of accuracy:

  • We provide the WHOIS as a publicly viewable register solely to allow users to obtain information about the existence and status of the domain name and the identity of the registrant and registration agent of the domain name for the general purposes set out below but always subject to the restrictions listed below. At times it may lag behind the underlying register by several minutes.
  • We do not guarantee the accuracy or availability of the WHOIS records. Any WHOIS record provided is provided on an “as is” basis without any representations or warranties of any kind.

Emphasis theirs. So it’s ‘as is’, according to their info, so what’s the problem? Well, it makes it harder to sell info to advertisers (not that I’d EVER allege that Nominet undertakes such actions, it’s just a theoretical possibility.

So anyway, now I’m a bit miffed. It’s been several days of back and forth and I’m back to square one. I reply accordingly, and do so in-line, since there are now multiple issues

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954) Date: Wed, 28 May 2014 12:36:48 -0400 From: Andrew Norton <[email protected]> To: [email protected]

On 5/28/2014 9:19 AM, [email protected] wrote:
> Hi,
>
> Thank you, for removing this link.
>
> As this domain name is currently registered to KTetch Dureek and we have been unable to identify this as an individual you are still unable to be opted out. If this is changed to a individual name then there is the option if the domain name is being used for private use to be opted out.

And how have you attempted this? I’ve found this individual in everything from screengrabs of TV shows to panel discussions on… Privacy online.
>
> more details about the rules of the whois please visit http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/contract-terms
>

I did indeed look there, and can’t find any references to ‘identify as an individual’ or ‘commercial usage’ there.

In fact, it specifically states the opposite with “We do not guarantee the accuracy or availability of the WHOIS records. Any WHOIS record provided is provided on an “as is” basis without any representations or warranties of any kind.”

The only other appropriate section states “generally the WHOIS is intended to: *locate and contact the registrant and/or host of the domain name in relation to the prevention or detection of systems abuse, or to establish or defend legal rights (including an intent to use the Dispute Resolution Service).”

In contacting me, you have proven that to be both accurate and true. As such, I can not see any violations of the rules you have referenced. Thus I see the matter as resolved.

This is based on responses I’ve had previously from Nominet regarding domain name irregularities. Quote “Nominet requires that .uk domains be registered to an address that the registrant can be contacted at. As far as we know Peter L E Davies can be contacted at the address listed against the domain registration.” (Paul Wray, case number 135757) for instance. Have you attempted to contact him at that address? I can assure you he can be.

Glad that’s now all sorted.

You can guess what happened next?

Yep, more changes to what’s wrong. This is where it also gets really interesting.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954) Date: Thu, 29 May 2014 09:38:24 +0100 (BST) From: [email protected] Reply-To: [email protected] To: Andrew Norton <[email protected]>

Hi Andrew,

To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.

I can still see the below reasons why this domain name does not meet these requirements:

The domain name still has numerous links to trading websites.

This domain has a subscribe list, which gathers personal information from visitors to the site.

The domain name registration has been registered to an entity we are unable to validate as an individual and the opt-out functionality is only available to individuals. If you want further information about our new data quality policy please see this link www.nominet.org.uk/how-participate/policy-development/current-policy-discussions-and-consultations/data-quality-policy

If you update your registration so it shows an individual’s name that we can validate, remove all the links to trading sites and remove the subscription functionality on the site we will look to remove the whois information if we feel that at this point it meets the requirements.

Kind Regards

Hannah Dawson

Wow, there’s three issues here. The third was only raised the previous day, and the other two are new.

Let’s start with the third. They said they had a problem with the registration name, because ‘they can’t validate it’. I asked how they attempted it. and implied the information is out there, and had I gotten a response to my query, I would have followed up by providing said info. Note their Data Quality Policy. It’s so band new (came into force less than a month ago) that there are literally ZERO references to it in almost any other document. And while they claim ‘notice’ was sent out 2 months ago, I for one never got any, so who was notified? I don’t remember any consultation. Nor am I the only one having issues.

They did Tweet something for Registrars though

 

Just to recap, since we’re now 2000 words on from the start, that having been contacted Friday the 23rd, and told that my personal info will be available to all and sundry from the 30th unless I comply, I’ve attempted to comply and then the last day, they bring up whole new claims. Yeah, that’s kosher…

It’s the other two claims that are perhaps the most ludicrous of all though.

First, the subscription box. With it I may be able to get your email address! wow. I’m glad she didn’t notice there’s also comments here, which also require an email address. Also, I’m glad she forgot that there’s these things called ‘IP addresses’ which tend to be a bit more ‘personally identifiable’ than an email address. [email protected] doesn’t tell me anything, and an ISP email may tell me what country you’re in, and of course, it’s voluntary. When you visit this site, however, your IP address is easy enough to record, and I have a location for you, and in the UK, a Norwich Pharmacal order isn’t that hard to get (see ACS:Law, which I had more than a minor hand in) to convert that into an ISP account holder.

A little digging did showcase why she may be under this impression however. You see Miss Hannah Dawson has only been working at Nominet since March. Prior to that, she wasn’t at other tech companies, she was assistant manager at an upscale clothing store. Before that? Supervisor in a “7 for all mankind” jeans shop (also where she first worked, before becoming a hair dresser(!) and a sales person for Sage) **SEE UPDATE AT BOTTOM**

Dilbert.com

I kid you not, just check out her Linkedin profile.

Yet most important of all, it’s the first of the issues that’s the biggest problem of all. Let me reiterate it again

The domain name still has numerous links to trading websites.

Let me remind you of what constitutes a ‘trading website’ in Nominet terms is. It means any website that sells a product, or makes money from adverts. Yahoo, Google, your host, Facebook, Twitter, Amazon, Myspace, Fetlife, Instagram, or indeed Nominet.

And of course, if you link to such a site, you’re considered a trading site by Nominet. So any site that links to you is ALSO a trading site. It’s like 6-degrees of Kevin Bacon but digitally.

At this point, I’m beyond fuming.

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case
1594954)
Date: Thu, 29 May 2014 10:28:31 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

On 5/29/2014 4:38 AM, [email protected] wrote:
> Hi Andrew,
>
> To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.
>
> I can still see the below reasons why this domain name does not meet these requirements:
>
> The domain name still has numerous links to trading websites.

There is NO website on the internet that does not have said links. Be it
to ‘amazon’, Google (which trades via google shopping, and before that
froogle) and indeed most other large sites (including Wikipedia).
Especially as you seem to define a ‘trading site’ as “one that includes
adverts, or a link to a site that sells something”.

This is an impossible barrier to overcome in the manner you have stated,
nor is it an interpretation of the nominet rules that I can find anywhere.

>
> This domain has a subscribe list, which gathers personal information from visitors to the site.

The subscribe module is a standard part of the wordpress install. The
personal information is ’email address’. In fact, less information is
obtained/retained than using a comments system.

Through all the policies you have stated I can find zero reference to
this. indeed, simply visiting a website leaves personal information
which a visitor can ‘gather’. An IP address for instance can be far more
easily converted into a name and address via a simple Norwich Pharmacal
order, than an email address can be.

>
> The domain name registration has been registered to an entity we are unable to validate as an individual and the opt-out functionality is only available to individuals. If you want further information about our new data quality policy please see this link www.nominet.org.uk/how-participate/policy-development/current-policy-discussions-and-consultations/data-quality-policy

You have been ‘unable’ or ‘unwilling’ to validate?
from the link you give, the following definition is given:
““Validate” means confirming that data is reliable by comparing it to
data provided by a trustworthy source (which may be a third party
database), and “Valid” and “Validated” shall be understood accordingly.”

If you would care to, for instance, send a physical notification to the
name/address listed, the US Postal service (a quasi-government entity)
would certainly be able to validate it for you.

It would appear you have made no good-faith effort to do any validation.

OR you will notice there’s a phone number at the bottom of each and
every one of these emails (along with the ‘contact’ page of the
aforementioned site) – had you called that at ANY TIME over the past two
years, you would have been connected to K`Tetch.

>
> If you update your registration so it shows an individual’s name that we can validate, remove all the links to trading sites and remove the subscription functionality on the site we will look to remove the whois information if we feel that at this point it meets the requirements.

It would appear that your aim is not to pursue accuracy, or uphold a
common-sense reading of the rules, but to fabricate under any and all
means, reasons to publicly expose personal data, presumably for
commercial reasons. It is naught but a bad-faith attempt to create
conditions which nominally satisfy

As such, I will be filing a complaint about your actions/activities, and
request and require that you postpone all actions until such complaints
are settled. As is well known, the public revealing of personal information
can not regain non-public status after having been exposed, and as such,
organisations should err on the side of privacy where possible.

If you’re wondering about the last, its based on the old maxim of ‘what’s on the internet, stays on the internet’, despite the dubious “Right to be forgotten“.

So, did I sent a complaint? Sure did! Got this back shortly afterwards

Subject: RE: Complaint regarding case 1594954
Date: Thu, 29 May 2014 16:25:55 +0000
From: Louise Maishman <[email protected]>
To: ‘Andrew Norton’ <[email protected]>
CC: Kirti Srivastava <[email protected]>

Dear Mr Norton

Thank you for your email.

The Head of our Customer Services Department, Kirti Srivastava, is looking into the situation for you and she or one of her senior advisors will be in contact with you shortly.

If you have any further questions regarding this please do not hesitate to contact her directly. Her contact details are:

Kirti Srivastava Interim Head of Customer Services Direct Line: +44 (0) 1865 332214 Email: [email protected]

Best Regards,

Louise

Best Regards,

Louise Maishman PA to Eleanor Bradley, Chief Operating Officer, Gill Crowther, Director of HR and Helen Tomes, Director of Service Delivery

Nominet 01865 332358 www.nominet.org.uk

Sounds promising, eh?

No.

Because the very next day I get this email.

Subject: Your .uk domain name has been opted in to the WHOIS (case 1594954)
Date: Fri, 30 May 2014 16:18:10 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek,

It has recently been brought to my attention that you do not meet the criteria to use the opt-out service for our WHOIS domain name search facility.

A registrant can only use the opt-out if they are a consumer, i.e. is a living individual who is not using their domain name in the course of a business, trade or profession.

Please note that we have removed the opt-out, and the address details that we hold for you are now published on the WHOIS. Further information about our WHOIS policy and a WHOIS search can be made at http://www.nominet.org.uk/go/whoisfaq.

The function to activate the opt-out through our Online Services has now been disabled. If you meet the criteria for opting out at any time in the future, you should contact your registrar to do this for you. You can contact me if your registrar is unable to help.

If you have any questions please do contact me on 01865 332244, or by replying directly to this email. You have 30 working days to appeal against our decision by replying to this email, stating why you believe these domains should still be opted out. After 30 working days you will need to contact us on the number or email address below.

Kind regards,

Hannah Dawson

Now generally, in most companies, when there’s a pending complaint over the handling of an incident, and an action which can not be readily undone (in this case, exposing previously private personal information) would result, it’s normal to put a temporary halt on it, until the issues are resolved. A weeks hold on something that’s already been happening for 2+ years and which has had zero demonstrated harm is not unreasonable.

I had to immediately go out, and rent a PO Box to direct things to, then change the information. I also immediately filed a dispute using the online tool. Where I get the following email.

Subject: Your WHOIS opt-out appeal (case 1594954)
Date: Sat, 31 May 2014 01:56:40 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek c/o M Carpenter,

Thank you for contacting me to appeal against the decision to opt in the above domains. I will investigate your claim and reply with a decision and explanation within 3 working days.

If you have any questions or have any further information that would help the investigation please contact me on 01865 332244, or by email at Hannah.[email protected]

Kind regards,

Hannah Dawson

ARGH!!!!!!! It’s like the damned twilight zone.

Luckily, on the following Monday I get the following response

Subject: Re: Re: Your WHOIS opt-out appeal (case 1594954)
Date: Mon, 2 Jun 2014 16:03:47 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: Andrew Norton <[email protected]>

Hi Andrew,

This case is now being looked after by Scott due to the formal complaints procedure. He will respond to your query tomorrow, Tuesday 3rd June 2014.

Kind Regards

Hannah Dawson

I awaited the response with anticipation. Be warned, it’s a bit long

Subject: Complaint regarding case 1594954
Date: Tue, 3 Jun 2014 09:43:41 +0000
From: Scott Jones <[email protected]>
To: ‘[email protected]’ <[email protected]>

Hi Andrew

Thank you for your email in relation to the domain name ktetch.co.uk. I am sorry to hear that you have not received the service you expected.

I have spoken to Hannah’s team leader about your concerns regarding the actions and attitudes displayed by Hannah and that has been addressed.

I would like to explain the process that Hannah undertook. We received a notification that the domain name ktetch.co.uk was opted out of the WHOIS and was not eligible to do so (anyone can do this, via our website at http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/opt-out).

Hannah assessed the validity of the opt out and upon seeing that the domain name was not being used solely for personal use, started the process where you received the first notification from us. (I would just like to clarify that .uk domains can ‘opt-out’ of having their address shown on a WHOIS search ‘if the registrant is not a business or organisation and, in the case of domain names registered to individuals, you do not use or plan to use your domain name for business, trade (such as pay per click advertising, etc.) or professional transactions’.) The domain name ktetch.co.uk does have advertisements and there is also the option to donate to the site.

If the website for the domain continues to have these displayed, unfortunately you are not able to have the address for the domain opted out of a WHOIS search. I would like to highlight that if that’s the case and you wouldn’t be happy to have the PO box address displayed, you can use another address that we are able to contact you at, such as an address of your registrar.

Your complaint has highlighted a flaw in our process, in that you didn’t receive all the reasons that your domain name wasn’t able to opt out of the WHOIS in your first notification, so I apologise for that and we’ve changed our process here as a result of that.

Another issue that you’ve raised is the correspondence you received regarding the registrant name of ktetch.co.uk. We carry out a programme of data validation for all .uk domains and where the details given to us are not obvious or we’re unable to validate the registrant name and address, we then contact both the registrant and registrar asking for them to clarify the details or where necessary make the appropriate changes.

.uk domain names do need to be registered to a identifiable legal registrant, such as a person’s legal name or company name. Although you mention that you are also known as KTetch, this wouldn’t be sufficient to have KTetch Dureek as the legal registrant name as we don’t allow pseudonyms as the registrant for .uk domain names.

As that is the case, Hannah started a process where you will have received an email (on the 23rd May), please follow the instructions in that email to change the registration to your legal name.

Please contact me if you have any further queries regarding this.

Regards,

Scott Jones | Second Level Support and Abuse | Nominet UK
+44 (0)1865 332233 | [email protected] | www.nominet.org.uk

So, just to recap. Hannah done goofed. Badly. Kept changing reasons, including adding some more the day before the deadline. Hardly “experienced in customer service management” and “striving to give the customer the very best.”

As for the ads, that’s the internet. Ads do not make a website a commercial business. Also, part of the complaint was that linking to business sites counts as a ‘commercial activity’ as well. Then there’s the sop about changing procedures. I strongly doubt it. I’ve worked customer service too, that’s the line you give when your staff screwed up and you don’t want to discipline.

I am ktetch nominetData validation. The pertinent question is ‘why’. Why must a domain name now have an identity that’s ‘verifiable’? It can’t be to contact, because they’ve proved that they’re more than capable of doing that with the pre-existing data, by contacting me.

It can’t be to ‘serve the legal representative of the site’, because it suggests ‘the address of the registrar’ (except the services to do just that, Nominet doesn’t allow)

So what’s left? Is it a case of trying to make their WHOIS database as attractive as possible for marketers? I hope not, since that would fall foul of the UK Data Protection Act. So the only reason that’s left is ‘government’. Now they don’t have to ask Nominet to release the information, because Nominet has forced the release of the information on everyone.

I have to say, I wasn’t too happy, so I sent a response back to Scott. I basically pointed out everything I’ve just said (so I won’t repeat it further) but I also added concern that in all the emails I received from them,  never once did I get an email with any digital signature, proving it was from who it is claimed to be. Since Nominet is an internet company, in fact THE internet company in the UK, that’s a massive security hole.

Here’s his response.

Subject: RE: Complaint regarding case 1594954
Date: Wed, 4 Jun 2014 07:58:56 +0000
From: Scott Jones <[email protected]>
To: ‘Andrew Norton’ <[email protected]>

Hi Andrew

Thank you for your email.

I feel that I have addressed all the points in your email, in my previous email to you, but I would like to agree with a point you raised ‘pretty much ANY website is a ‘trading  website”. This is the case and it’s rare that a .uk domain name is able to opt-out of having their address details displayed. Where a .uk domain is being used for anything other than personal use, e.g. it has advertisements or taking donations for the upkeep of the site etc, the registrant should be traceable through a WHOIS search so visitors of the site are able to trace the person/company behind the domain name..

And there you have it. The privacy features of Nominet are DESIGNED to be impossible to comply with. Their privacy rules are designed to deny privacy.How this can be reconciled with UK and EU law I’ve no idea. Additionally, he’s just blown apart the idea of ‘having the registrar’s details’ he had proposed the day before.

Then he goes on a little more on the topic of digitally signed emails.

You also mention your concern that emails you’ve received from us have not been digitally signed. On the whole, we deal with two distinct customer bases, our registrars and registrants. When we email our registrars with emails from our system, these are PGP signed (as most registrars are familiar with this, in fact up until 7 years ago, all our registrars had to use PGP/GPG with our systems) so the registrar would know the email was from us and hasn’t been tampered with, but when we contact registrants, such as yourself, normally the registrant wouldn’t have access to (or even be familar with) PGP/GPG software, so would not know how to treat an email that had been signed.

Regards,

Scott Jones | Second Level Support and Abuse | Nominet UK
+44 (0)1865 332233 | [email protected] | www.nominet.org.uk

This would make sense, except for one thing. He’s replying to a message which is itself signed, as has every other email I’ve sent them (8 at that point), and I use in-line signing. So he’s perfectly capable of using digital signatures, but has deliberately chosen not to.

His reasoning also doesn’t add up. Every single email I’ve sent for the last 5 years (literally thousands of emails) is automatically signed, if it’s not encrypted. Only once has anyone even commented on it, and that was a lawyer asking how he could set it up. I’ve talked to everyone from government officials, to grannies, leading security experts to high school students, and no-one’s had an issue. And that’s with in-line signing where the cryptographic signature is embedded in the text of the message.

Luckily for Mr Jones, there’s a second way, and it’s called ‘PGP/MIME. Instead of adding the key in the text of the message, it works via a small attachment. The message itself is clean. It’s even less likely to confuse people. It’s not exactly new either, as it’s detailed in RFC 3156 “MIME Security with OpenPGP“, which is dated August 2001.

Seriously, for not just an internet company, but the domain registrar for a major company, Nominet really does seem pretty damned clueless about technology and security.

Since I doubt I’m going to get a resolution on this from Nominet (who, let’s face it, either don’t care or just don’t understand the issues) , I’m filing a complaint with the Information Commissioner. I’ll let you know how THAT goes.

 But which internet company hates your privacy the Most? It’s hard to say, but Nominet is certainly in the running.

UPDATE 6/6/2014:
It seems right around the time of the comment below, her linkedin profile was made private (I guess she is finally starting to grasp the whole ‘privacy’ issue. As I noted above though, ‘what’s on the net, stays on the net’, and that’s true here as well, you can see the full profile, as it appeared when this was first published, here. or in this image.

UPDATE 13/6/2014:
There’s now a part 2 to this story