

Which UK Internet Company Hates Your Privacy the Most? Here’s a Contender

UPDATE June 13: There’s now a part 2 to this story

As a matter of course, major internet companies have a responsibility to keep personal information private. Everything from SWATing, through stalkers, to identity theft and the [VERY] occasional online sex offender becomes possible when personal information about someone is easily searchable out in the wild.

So what if I were to tell you that a major UK Internet company, and indeed a monopoly company at that, was deliberately attempting to expose people’s information by making it as difficult as it possibly can to protect that information? This is not an accident, it’s BY DESIGN.

The company is Nominet. It’s the domain name registry in the UK, behind every .co.uk, .ac.uk and, starting next week, every .uk.

Today, as part of the ‘reset the net’ campaign, I thought it would be an appropriate time to highlight these problems. So let’s start with the beginning.

As you all can see, this is a .co.uk domain. It was purchased in February 2012 for this, my personal website. At the time, I paid extra to Namecheap for WhoisGuard services, BUT that service can’t be used on Nominet domains. I’d missed the disclaimer that noted:

Due to registry restrictions, WhoisGuard cannot be used with .asia, .bz, .ca, .cn, .co.uk, .de, .eu, .in, .io, .me.uk, .nu, .li, .ch, .fr, .sg, .com.sg, .org.uk,…

No problem, thought I, Nominet has an opt-out policy for “non-trading individuals”, I’ll just use that. So I did. No problems, until 2 weeks ago.

Subject: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Fri, 23 May 2014 16:18:10 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek,

It has been brought to my attention that you are using your ktetch.co.uk domain name for business or trading purposes and your address details are also opted out of our WHOIS search facility as a consumer. To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.

We have notified your registrar about the status of your domain name and they have the facility to remove the opt-out on your domains. If the opt-out is not removed by them, then I will remove the opt-out on 30 May 2014 and the address details that we hold for you will be published on the WHOIS search facility available at http://www.nominet.org.uk/go/whoisfaq

The reason for this is:

The domain name is being used as part of a business, trade or profession.

If you wish to continue to remain opted out of our WHOIS you will need to arrange for the website to be changed so that you do not advertise using this domain name.

Once the domain name has been opted in, you will be unable to set the opt-out through our Online Services. You should contact your registrar to do this for you if you meet the criteria for opting out at any time in the future. Alternatively, you can contact us if your registrar is unable to help.

You can find more information about our WHOIS policy by visiting http://www.nominet.org.uk/go/whoisfaq

If you have any questions please contact me on 01865 332244, or by replying directly to this email.

Kind regards,

Hannah Dawson

Customer Services
T +44 (0) 1865 332244 F +44 (0) 1865 332288 E [email protected]

http://www.nominet.org.uk

Nominet UK is a company limited by guarantee and registered in England
under No. 3203859. Our registered office is Minerva House, Edmund Halley
Road, Oxford Science Park, Oxford, OX4 4DQ, England.

(I’m going to cut the footers in future, take it as read that’s what they all say)

Huh what?

I do some consulting on the side, and work for a number of other sites, but this is my personal site. I keep my business stuff off here pretty much. So I emailed back

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Fri, 23 May 2014 20:16:33 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

In what way is it being ‘used as part of a business, trade or profession’? It’s got my personal blog on it. Could you tell me what my ‘business, trade or profession’ is, since I’ve taken extensive steps to avoid that for this reason.

Andrew Norton

The reply was NOT swift in coming.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Tue, 27 May 2014 09:34:27 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: Andrew Norton <[email protected]>

Hi Andrew,

Thank you for your response.

On your website on the right hand side is an amazon advert that states ‘buy my book’ and links through to the site. As this is an advertisement for a product it is classed as business trade or profession.

Please remove this link and any other that point to sites that sell and we can assess further.

If you have any questions please call me.

Hannah Dawson

Fair enough, I can see how promoting my book in a sidebar could be considered a commercial activity. It was but the work of 20 seconds to drag the widget from the sidebar to the inactive section in WordPress.

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Tue, 27 May 2014 16:29:30 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

Ok, the widget has been deactivated. Can you give me a list to the rules, so I can see if there is anything else I can spot?

Andrew

Fairly self-explanatory. She’s highlighted a problem, and I’ve dealt with it, told her so, and asked for more information so I can be proactive. All sorted, yes?

No.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Wed, 28 May 2014 14:19:27 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: Andrew Norton <[email protected]>

Hi,

Thank you, for removing this link.

As this domain name is currently registered to KTetch Dureek and we have been unable to identify this as an individual you are still unable to be opted out. If this is changed to a individual name then there is the option if the domain name is being used for private use to be opted out.

more details about the rules of the whois please visit http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/contract-terms

Thanks

Hannah Dawson

Say what now? I ask for a link to rules for other issues, and instead of getting future tips, I get a new issue with less than 2 days left. And go check the link they sent me.

Purpose of the WHOIS and no promises of accuracy:

  • We provide the WHOIS as a publicly viewable register solely to allow users to obtain information about the existence and status of the domain name and the identity of the registrant and registration agent of the domain name for the general purposes set out below but always subject to the restrictions listed below. At times it may lag behind the underlying register by several minutes.
  • We do not guarantee the accuracy or availability of the WHOIS records. Any WHOIS record provided is provided on an “as is” basis without any representations or warranties of any kind.

Emphasis theirs. So it’s ‘as is’, according to their info, so what’s the problem? Well, it makes it harder to sell info to advertisers (not that I’d EVER allege that Nominet undertakes such actions, it’s just a theoretical possibility).

So anyway, now I’m a bit miffed. It’s been several days of back and forth and I’m back to square one. I reply accordingly, and do so in-line, since there are now multiple issues:

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Wed, 28 May 2014 12:36:48 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

On 5/28/2014 9:19 AM, [email protected] wrote:
> Hi,
>
> Thank you, for removing this link.
>
> As this domain name is currently registered to KTetch Dureek and we have been unable to identify this as an individual you are still unable to be opted out. If this is changed to a individual name then there is the option if the domain name is being used for private use to be opted out.

And how have you attempted this? I’ve found this individual in everything from screengrabs of TV shows to panel discussions on… Privacy online.
>
> more details about the rules of the whois please visit http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/contract-terms
>

I did indeed look there, and can’t find any references to ‘identify as an individual’ or ‘commercial usage’ there.

In fact, it specifically states the opposite with “We do not guarantee the accuracy or availability of the WHOIS records. Any WHOIS record provided is provided on an “as is” basis without any representations or warranties of any kind.”

The only other appropriate section states “generally the WHOIS is intended to: *locate and contact the registrant and/or host of the domain name in relation to the prevention or detection of systems abuse, or to establish or defend legal rights (including an intent to use the Dispute Resolution Service).”

In contacting me, you have proven that to be both accurate and true. As such, I can not see any violations of the rules you have referenced. Thus I see the matter as resolved.

This is based on responses I’ve had previously from Nominet regarding domain name irregularities. Quote “Nominet requires that .uk domains be registered to an address that the registrant can be contacted at. As far as we know Peter L E Davies can be contacted at the address listed against the domain registration.” (Paul Wray, case number 135757) for instance. Have you attempted to contact him at that address? I can assure you he can be.

Glad that’s now all sorted.

You can guess what happened next?

Yep, more changes to what’s wrong. This is where it also gets really interesting.

Subject: Re: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Thu, 29 May 2014 09:38:24 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: Andrew Norton <[email protected]>

Hi Andrew,

To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.

I can still see the below reasons why this domain name does not meet these requirements:

The domain name still has numerous links to trading websites.

This domain has a subscribe list, which gathers personal information from visitors to the site.

The domain name registration has been registered to an entity we are unable to validate as an individual and the opt-out functionality is only available to individuals. If you want further information about our new data quality policy please see this link www.nominet.org.uk/how-participate/policy-development/current-policy-discussions-and-consultations/data-quality-policy

If you update your registration so it shows an individual’s name that we can validate, remove all the links to trading sites and remove the subscription functionality on the site we will look to remove the whois information if we feel that at this point it meets the requirements.

Kind Regards

Hannah Dawson

Wow, there’s three issues here. The third was only raised the previous day, and the other two are new.

Let’s start with the third. They said they had a problem with the registration name, because ‘they can’t validate it’. I asked how they attempted it, and implied the information is out there; had I gotten a response to my query, I would have followed up by providing said info. Note their Data Quality Policy. It’s so brand new (came into force less than a month ago) that there are literally ZERO references to it in almost any other document. And while they claim ‘notice’ was sent out 2 months ago, I for one never got any, so who was notified? I don’t remember any consultation. Nor am I the only one having issues.

They did Tweet something for Registrars though

 

Just to recap, since we’re now 2000 words on from the start, that having been contacted Friday the 23rd, and told that my personal info will be available to all and sundry from the 30th unless I comply, I’ve attempted to comply and then the last day, they bring up whole new claims. Yeah, that’s kosher…

It’s the other two claims that are perhaps the most ludicrous of all though.

First, the subscription box. With it I may be able to get your email address! wow. I’m glad she didn’t notice there’s also comments here, which also require an email address. Also, I’m glad she forgot that there’s these things called ‘IP addresses’ which tend to be a bit more ‘personally identifiable’ than an email address. [email protected] doesn’t tell me anything, and an ISP email may tell me what country you’re in, and of course, it’s voluntary. When you visit this site, however, your IP address is easy enough to record, and I have a location for you, and in the UK, a Norwich Pharmacal order isn’t that hard to get (see ACS:Law, which I had more than a minor hand in) to convert that into an ISP account holder.

A little digging did showcase why she may be under this impression however. You see Miss Hannah Dawson has only been working at Nominet since March. Prior to that, she wasn’t at other tech companies, she was assistant manager at an upscale clothing store. Before that? Supervisor in a “7 for all mankind” jeans shop (also where she first worked, before becoming a hair dresser(!) and a sales person for Sage) **SEE UPDATE AT BOTTOM**


I kid you not, just check out her Linkedin profile.

Yet most important of all, it’s the first of the issues that’s the biggest problem of all. Let me reiterate it again

The domain name still has numerous links to trading websites.

Let me remind you what constitutes a ‘trading website’ in Nominet terms. It means any website that sells a product, or makes money from adverts. Yahoo, Google, your host, Facebook, Twitter, Amazon, Myspace, Fetlife, Instagram, or indeed Nominet.

And of course, if you link to such a site, you’re considered a trading site by Nominet. So any site that links to you is ALSO a trading site. It’s like 6-degrees of Kevin Bacon but digitally.

At this point, I’m beyond fuming.

Subject: Re: Your .uk domain name will be opted in to the WHOIS (case 1594954)
Date: Thu, 29 May 2014 10:28:31 -0400
From: Andrew Norton <[email protected]>
To: [email protected]

On 5/29/2014 4:38 AM, [email protected] wrote:
> Hi Andrew,
>
> To opt out, you must be a ‘consumer’ i.e. an individual who has registered and is using the domain name for a purpose unconnected with any business, trade (this includes the registration of domain names for monetisation purposes, e.g. pay per click advertising etc) or profession.
>
> I can still see the below reasons why this domain name does not meet these requirements:
>
> The domain name still has numerous links to trading websites.

There is NO website on the internet that does not have said links. Be it
to ‘amazon’, Google (which trades via google shopping, and before that
froogle) and indeed most other large sites (including Wikipedia).
Especially as you seem to define a ‘trading site’ as “one that includes
adverts, or a link to a site that sells something”.

This is an impossible barrier to overcome in the manner you have stated,
nor is it an interpretation of the nominet rules that I can find anywhere.

>
> This domain has a subscribe list, which gathers personal information from visitors to the site.

The subscribe module is a standard part of the wordpress install. The
personal information is ‘email address’. In fact, less information is
obtained/retained than using a comments system.

Through all the policies you have stated I can find zero reference to
this. indeed, simply visiting a website leaves personal information
which a visitor can ‘gather’. An IP address for instance can be far more
easily converted into a name and address via a simple Norwich Pharmacal
order, than an email address can be.

>
> The domain name registration has been registered to an entity we are unable to validate as an individual and the opt-out functionality is only available to individuals. If you want further information about our new data quality policy please see this link www.nominet.org.uk/how-participate/policy-development/current-policy-discussions-and-consultations/data-quality-policy

You have been ‘unable’ or ‘unwilling’ to validate?
from the link you give, the following definition is given:
““Validate” means confirming that data is reliable by comparing it to
data provided by a trustworthy source (which may be a third party
database), and “Valid” and “Validated” shall be understood accordingly.”

If you would care to, for instance, send a physical notification to the
name/address listed, the US Postal service (a quasi-government entity)
would certainly be able to validate it for you.

It would appear you have made no good-faith effort to do any validation.

OR you will notice there’s a phone number at the bottom of each and
every one of these emails (along with the ‘contact’ page of the
aforementioned site) – had you called that at ANY TIME over the past two
years, you would have been connected to K`Tetch.

>
> If you update your registration so it shows an individual’s name that we can validate, remove all the links to trading sites and remove the subscription functionality on the site we will look to remove the whois information if we feel that at this point it meets the requirements.

It would appear that your aim is not to pursue accuracy, or uphold a
common-sense reading of the rules, but to fabricate under any and all
means, reasons to publicly expose personal data, presumably for
commercial reasons. It is naught but a bad-faith attempt to create
conditions which nominally satisfy

As such, I will be filing a complaint about your actions/activities, and
request and require that you postpone all actions until such complaints
are settled. As is well known, the public revealing of personal information
can not regain non-public status after having been exposed, and as such,
organisations should err on the side of privacy where possible.

If you’re wondering about the last, it’s based on the old maxim of ‘what’s on the internet, stays on the internet’, despite the dubious “Right to be forgotten”.

So, did I send a complaint? Sure did! Got this back shortly afterwards:

Subject: RE: Complaint regarding case 1594954
Date: Thu, 29 May 2014 16:25:55 +0000
From: Louise Maishman <[email protected]>
To: ‘Andrew Norton’ <[email protected]>
CC: Kirti Srivastava <[email protected]>

Dear Mr Norton

Thank you for your email.

The Head of our Customer Services Department, Kirti Srivastava, is looking into the situation for you and she or one of her senior advisors will be in contact with you shortly.

If you have any further questions regarding this please do not hesitate to contact her directly. Her contact details are:

Kirti Srivastava Interim Head of Customer Services Direct Line: +44 (0) 1865 332214 Email: [email protected]

Best Regards,

Louise

Best Regards,

Louise Maishman PA to Eleanor Bradley, Chief Operating Officer, Gill Crowther, Director of HR and Helen Tomes, Director of Service Delivery

Nominet 01865 332358 www.nominet.org.uk

Sounds promising, eh?

No.

Because the very next day I get this email.

Subject: Your .uk domain name has been opted in to the WHOIS (case 1594954)
Date: Fri, 30 May 2014 16:18:10 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek,

It has recently been brought to my attention that you do not meet the criteria to use the opt-out service for our WHOIS domain name search facility.

A registrant can only use the opt-out if they are a consumer, i.e. is a living individual who is not using their domain name in the course of a business, trade or profession.

Please note that we have removed the opt-out, and the address details that we hold for you are now published on the WHOIS. Further information about our WHOIS policy and a WHOIS search can be made at http://www.nominet.org.uk/go/whoisfaq.

The function to activate the opt-out through our Online Services has now been disabled. If you meet the criteria for opting out at any time in the future, you should contact your registrar to do this for you. You can contact me if your registrar is unable to help.

If you have any questions please do contact me on 01865 332244, or by replying directly to this email. You have 30 working days to appeal against our decision by replying to this email, stating why you believe these domains should still be opted out. After 30 working days you will need to contact us on the number or email address below.

Kind regards,

Hannah Dawson

Now generally, in most companies, when there’s a pending complaint over the handling of an incident, and an action which can not be readily undone (in this case, exposing previously private personal information) would result, it’s normal to put a temporary halt on it until the issues are resolved. A week’s hold on something that’s already been happening for 2+ years and which has had zero demonstrated harm is not unreasonable.

I had to immediately go out, and rent a PO Box to direct things to, then change the information. I also immediately filed a dispute using the online tool. Where I get the following email.

Subject: Your WHOIS opt-out appeal (case 1594954)
Date: Sat, 31 May 2014 01:56:40 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: [email protected]

=======================================================================
Registrant Name: KTetch Dureek
Domain names include: ktetch.co.uk
=======================================================================
Hi KTetch Dureek c/o M Carpenter,

Thank you for contacting me to appeal against the decision to opt in the above domains. I will investigate your claim and reply with a decision and explanation within 3 working days.

If you have any questions or have any further information that would help the investigation please contact me on 01865 332244, or by email at [email protected]

Kind regards,

Hannah Dawson

ARGH!!!!!!! It’s like the damned twilight zone.

Luckily, on the following Monday I get the following response

Subject: Re: Re: Your WHOIS opt-out appeal (case 1594954)
Date: Mon, 2 Jun 2014 16:03:47 +0100 (BST)
From: [email protected]
Reply-To: [email protected]
To: Andrew Norton <[email protected]>

Hi Andrew,

This case is now being looked after by Scott due to the formal complaints procedure. He will respond to your query tomorrow, Tuesday 3rd June 2014.

Kind Regards

Hannah Dawson

I awaited the response with anticipation. Be warned, it’s a bit long

Subject: Complaint regarding case 1594954
Date: Tue, 3 Jun 2014 09:43:41 +0000
From: Scott Jones <[email protected]>
To: ‘[email protected]’ <[email protected]>

Hi Andrew

Thank you for your email in relation to the domain name ktetch.co.uk. I am sorry to hear that you have not received the service you expected.

I have spoken to Hannah’s team leader about your concerns regarding the actions and attitudes displayed by Hannah and that has been addressed.

I would like to explain the process that Hannah undertook. We received a notification that the domain name ktetch.co.uk was opted out of the WHOIS and was not eligible to do so (anyone can do this, via our website at http://www.nominet.org.uk/uk-domain-names/about-domain-names/domain-lookup-whois/opt-out).

Hannah assessed the validity of the opt out and upon seeing that the domain name was not being used solely for personal use, started the process where you received the first notification from us. (I would just like to clarify that .uk domains can ‘opt-out’ of having their address shown on a WHOIS search ‘if the registrant is not a business or organisation and, in the case of domain names registered to individuals, you do not use or plan to use your domain name for business, trade (such as pay per click advertising, etc.) or professional transactions’.) The domain name ktetch.co.uk does have advertisements and there is also the option to donate to the site.

If the website for the domain continues to have these displayed, unfortunately you are not able to have the address for the domain opted out of a WHOIS search. I would like to highlight that if that’s the case and you wouldn’t be happy to have the PO box address displayed, you can use another address that we are able to contact you at, such as an address of your registrar.

Your complaint has highlighted a flaw in our process, in that you didn’t receive all the reasons that your domain name wasn’t able to opt out of the WHOIS in your first notification, so I apologise for that and we’ve changed our process here as a result of that.

Another issue that you’ve raised is the correspondence you received regarding the registrant name of ktetch.co.uk. We carry out a programme of data validation for all .uk domains and where the details given to us are not obvious or we’re unable to validate the registrant name and address, we then contact both the registrant and registrar asking for them to clarify the details or where necessary make the appropriate changes.

.uk domain names do need to be registered to a identifiable legal registrant, such as a person’s legal name or company name. Although you mention that you are also known as KTetch, this wouldn’t be sufficient to have KTetch Dureek as the legal registrant name as we don’t allow pseudonyms as the registrant for .uk domain names.

As that is the case, Hannah started a process where you will have received an email (on the 23rd May), please follow the instructions in that email to change the registration to your legal name.

Please contact me if you have any further queries regarding this.

Regards,

Scott Jones | Second Level Support and Abuse | Nominet UK
+44 (0)1865 332233 | [email protected] | www.nominet.org.uk

So, just to recap. Hannah done goofed. Badly. Kept changing reasons, including adding some more the day before the deadline. Hardly “experienced in customer service management” and “striving to give the customer the very best.”

As for the ads, that’s the internet. Ads do not make a website a commercial business. Also, part of the complaint was that linking to business sites counts as a ‘commercial activity’ as well. Then there’s the sop about changing procedures. I strongly doubt it. I’ve worked customer service too, that’s the line you give when your staff screwed up and you don’t want to discipline.

Data validation. The pertinent question is ‘why’. Why must a domain name now have an identity that’s ‘verifiable’? It can’t be to contact, because they’ve proved that they’re more than capable of doing that with the pre-existing data, by contacting me.

It can’t be to ‘serve the legal representative of the site’, because it suggests ‘the address of the registrar’ (except the services to do just that, Nominet doesn’t allow)

So what’s left? Is it a case of trying to make their WHOIS database as attractive as possible for marketers? I hope not, since that would fall foul of the UK Data Protection Act. So the only reason that’s left is ‘government’. Now they don’t have to ask Nominet to release the information, because Nominet has forced the release of the information on everyone.

I have to say, I wasn’t too happy, so I sent a response back to Scott. I basically pointed out everything I’ve just said (so I won’t repeat it further) but I also added concern that in all the emails I received from them, never once did I get an email with any digital signature, proving it was from who it is claimed to be. Since Nominet is an internet company, in fact THE internet company in the UK, that’s a massive security hole.

Here’s his response.

Subject: RE: Complaint regarding case 1594954
Date: Wed, 4 Jun 2014 07:58:56 +0000
From: Scott Jones <[email protected]>
To: ‘Andrew Norton’ <[email protected]>

Hi Andrew

Thank you for your email.

I feel that I have addressed all the points in your email, in my previous email to you, but I would like to agree with a point you raised ’pretty much ANY website is a ‘trading website”. This is the case and it’s rare that a .uk domain name is able to opt-out of having their address details displayed. Where a .uk domain is being used for anything other than personal use, e.g. it has advertisements or taking donations for the upkeep of the site etc, the registrant should be traceable through a WHOIS search so visitors of the site are able to trace the person/company behind the domain name.

And there you have it. The privacy features of Nominet are DESIGNED to be impossible to comply with. Their privacy rules are designed to deny privacy. How this can be reconciled with UK and EU law I’ve no idea. Additionally, he’s just blown apart the idea of ‘having the registrar’s details’ he had proposed the day before.

Then he goes on a little more on the topic of digitally signed emails.

You also mention your concern that emails you’ve received from us have not been digitally signed. On the whole, we deal with two distinct customer bases, our registrars and registrants. When we email our registrars with emails from our system, these are PGP signed (as most registrars are familiar with this, in fact up until 7 years ago, all our registrars had to use PGP/GPG with our systems) so the registrar would know the email was from us and hasn’t been tampered with, but when we contact registrants, such as yourself, normally the registrant wouldn’t have access to (or even be familiar with) PGP/GPG software, so would not know how to treat an email that had been signed.

Regards,

Scott Jones | Second Level Support and Abuse | Nominet UK
+44 (0)1865 332233 | [email protected] | www.nominet.org.uk

This would make sense, except for one thing. He’s replying to a message which is itself signed, as has every other email I’ve sent them (8 at that point), and I use in-line signing. So he’s perfectly capable of using digital signatures, but has deliberately chosen not to.

His reasoning also doesn’t add up. Every single email I’ve sent for the last 5 years (literally thousands of emails) is automatically signed, if it’s not encrypted. Only once has anyone even commented on it, and that was a lawyer asking how he could set it up. I’ve talked to everyone from government officials, to grannies, leading security experts to high school students, and no-one’s had an issue. And that’s with in-line signing where the cryptographic signature is embedded in the text of the message.

Luckily for Mr Jones, there’s a second way, and it’s called PGP/MIME. Instead of embedding the signature in the text of the message, it carries it as a small attachment. The message itself is clean. It’s even less likely to confuse people. It’s not exactly new either, as it’s detailed in RFC 3156 “MIME Security with OpenPGP”, which is dated August 2001.
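The two layouts contrasted above, in-line signing and RFC 3156 PGP/MIME, can be told apart from message structure alone. The following is an added example, not code from this post or from Nominet: it uses Python's standard `email` package to classify a message and check the RFC 3156 envelope. The sample messages and their placeholder signature text are constructed, and nothing is verified cryptographically.

```python
"""Classify how an e-mail is OpenPGP-signed (structure only, no crypto check)."""
from email import message_from_string, policy

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def _check_pgp_mime(msg):
    """RFC 3156 section 5: multipart/signed with exactly two body parts."""
    problems = []
    protocol = str(msg.get_param("protocol") or "").lower()
    micalg = str(msg.get_param("micalg") or "").lower()
    if protocol != "application/pgp-signature":
        problems.append("protocol is not application/pgp-signature")
    if not micalg.startswith("pgp-"):
        problems.append("micalg missing or not of the form pgp-<hash>")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        problems.append("expected exactly 2 body parts, found %d" % len(parts))
    elif parts[1].get_content_type() != "application/pgp-signature":
        problems.append("second part is not application/pgp-signature")
    else:
        sig = (parts[1].get_payload(decode=True) or b"").decode("ascii", "replace")
        if BEGIN_SIG not in sig or END_SIG not in sig:
            problems.append("signature part holds no armored signature")
    return {"scheme": "pgp-mime", "hash": micalg or None, "problems": problems}

def _check_inline(text):
    """In-line signing: marker, Hash: headers, blank line, text, armored signature."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    if BEGIN_SIGNED not in lines:
        return None
    problems, hashes = [], []
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i] != "":  # armor headers end at a blank line
        if lines[i].startswith("Hash:"):
            hashes.append(lines[i][5:].strip())
        else:
            problems.append("unexpected armor header: " + lines[i])
        i += 1
    try:
        lines.index(END_SIG, lines.index(BEGIN_SIG, i))
    except ValueError:
        problems.append("signature armor missing or not terminated")
    return {"scheme": "inline", "hash": ",".join(hashes) or None, "problems": problems}

def classify(raw):
    """Return the scheme ('pgp-mime', 'inline' or 'unsigned'), hash and problems."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/signed":
        return _check_pgp_mime(msg)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            result = _check_inline(body)
            if result is not None:
                return result
    return {"scheme": "unsigned", "hash": None, "problems": []}

# Constructed samples; the signature text is a placeholder, not real armor data.
PGP_MIME = """\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="part-1"

--part-1
Content-Type: text/plain; charset=us-ascii

The body text stays clean.

--part-1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

CONSTRUCTED-PLACEHOLDER-NOT-A-SIGNATURE
-----END PGP SIGNATURE-----
--part-1--
"""
# Constructed failure case: the same message with the signature part dropped.
STRIPPED = PGP_MIME.split("--part-1\nContent-Type: application/pgp-sig")[0] + "--part-1--\n"
INLINE = """\
From: sender@example.org
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The signature armor sits in the body text itself.
-----BEGIN PGP SIGNATURE-----

CONSTRUCTED-PLACEHOLDER-NOT-A-SIGNATURE
-----END PGP SIGNATURE-----
"""
UNSIGNED = "From: sender@example.org\n\nNo signature here.\n"

if __name__ == "__main__":
    print(classify(PGP_MIME), classify(STRIPPED), classify(INLINE), sep="\n")
```

A structurally valid result only says a signature is present in the expected place; whether it verifies against the sender's key is a separate step for an OpenPGP implementation such as GnuPG.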

Seriously, for not just an internet company, but the domain registrar for a major company, Nominet really does seem pretty damned clueless about technology and security.

Since I doubt I’m going to get a resolution on this from Nominet (who, let’s face it, either don’t care or just don’t understand the issues), I’m filing a complaint with the Information Commissioner. I’ll let you know how THAT goes.

But which internet company hates your privacy the Most? It’s hard to say, but Nominet is certainly in the running.

UPDATE 6/6/2014:
It seems right around the time of the comment below, her LinkedIn profile was made private (I guess she is finally starting to grasp the whole ‘privacy’ issue). As I noted above though, ‘what’s on the net, stays on the net’, and that’s true here as well: you can see the full profile, as it appeared when this was first published, here, or in this image.

UPDATE 13/6/2014:
There’s now a part 2 to this story

  • Anonymous

    Your attempted character assassination of Ms Dawson by stalking her employment history was creepy and unnecessary.

    • ktetch

      I understand privacy. I understand technology. I *like* my privacy, and don’t make things up about technology.

      I did debate including her LinkedIn (which is information she has chosen to make public – no-one at Nominet forced it on her, as she attempted to with me).

      Also, the content of it was pertinent to the issue. That she had recently started there, and that her past ‘customer service’ experiences were in a direct retail environment, and that the only other ‘tech’ business she has worked for, was as a salesperson.
      When it comes to it, it provides necessary context for her statements.

      It’s also the very first entry on Google for “Hannah Dawson nominet”, although I notice in the last 30 mins it’s been locked down some. No matter, I’ll add the screencap I took yesterday – remember, what’s on the internet stays on the internet, which was kinda my point all along.

      Second, had I wished to ‘stalk’ her (or indeed facilitate others doing so) I could have posted far more information, mainly because she does NOT understand privacy (or why it’s needed)

      Finally, I’ve no need to attempt ‘character assassination’ of Miss Dawson, her emails did the job perfectly well on their own.

      • Anonymous

        Nonsense, her previous record of employment has nothing to do with the matter at hand.

        You’ve taken an argument against Nominet policy and, quite bizarrely, turned it into a personal attack on one of their employees.

        And your ire is completely misplaced, as she would not have even written this policy in the first place – clearly she has just been tasked with notifying customers about it.

        Your actions here are both disproportionate and inappropriate, and serve only to detract from the main point of your article.

    • notech

      It was neither creepy nor unnecessary. And he did not make any character assassination.
      He just expressed his opinion on how they put such people in such important positions.
      Actually, Nominet and the .uk domain have a problem in that they do not choose the appropriate employees for handling such serious issues as deciding privacy issues.

      Ms Dawson chose to have her info public, so she did not have any problem about exposing her previous career. Maybe it was a reason for pride for her too.

      The shame goes to Nominet.

  • Simon

    I can see why you’re annoyed but posting someone’s personal info when you want yours hidden is hypocritical. Is Ktetch your legal name?

    • ktetch

      I posted information she collated, and knowingly published publicly.
      She published information of mine which was ‘personally identifiable information’ (address) which was provided on the basis of it being kept private as part of a business transaction.

      BTW, posting at work, Simon? More Nominet £ at work. Glad to see it has people’s attention now.

  • Frank

    Wow… what a small-minded petty person you are. You have completely lost any sympathy I might have had for your plight by unfairly attacking a member of staff in a way that could impact her future job prospects for years to come because as you like to say “what’s on the internet stays on the internet”…
    Ok so you didn’t get perfect service from her but she is new as you so excitedly pointed out! It takes time to learn an industry especially one as complex as this, and even more time to learn all the ins and outs of company procedures no matter which firm it is you work for. If you have a beef with the level of customer service she gave you by all means make a formal complaint with her senior staff but do it offline, she didn’t create her training schedule before being let loose, she didn’t create the WHOIS process and procedure, and she probably only followed a guideline given to all staff when responding to cases like this.
    I had really poor service from Barclays once, the guy who had to deal with me that day in store must have wished he would have called in sick that day at the same time as hoping I’d drop dead in front of him. But as angry as I was I didn’t take it out on him, he was just doing as he was told, a puppet on a string, it was the crazy red tape bureaucracy that the powers that be at Barclays decided to implement which was the problem, not him, he was just being a good tax payer and working for a living rather than being a bum.
    I have personally only had good service from Nominet and wish more registries and registrars offered the same kind of friendly approachable service as them, but that doesn’t mean they are perfect. In my opinion you have lost all credibility by not taking the high ground in this argument and resorting to tactics like this. It’s a shame because you seem like a switched on guy, but instead of being that cowardly kid in the playground who wants to be considered ‘ard by punching the meek kid in glasses who walks with a limp, summon up some courage and grow some nuts by going for the big guns at the top, you know the ones who can sue you for defamation if you overstep the mark.


  • S

    Sounds more like an attempt to avoid looking totally incompetent than actual evil policies… But the thing that struck me was the requirement for the domain to be registered to a “legal name”. So far as I’m aware, there is no concept of a legal name in UK law. It’s perfectly legal to call yourself whatever you like, provided it isn’t for fraudulent purposes.

  • Gary

    You might understand technology but you don’t understand design, white text on a black background…. Very unfriendly on the eyes!

    As for the points raised in this rant, sorry “blog”, I can understand the annoyance especially not being given all the reasons in one go up front, Nominet certainly need to look into that. However with all the scare stories and over dramatisation in the press and politics about people being safe online and accountability, I don’t reckon you’ll do much good with the information commissioner to get this policy changed to allow more details about registrations to be hidden.

    I also echo the comments of other contributors that your attack on the customer service girl Hannah went too far, it was childish and nasty to someone that isn’t to blame in the grand scheme of things and you should be the bigger man now and make a public apology to her on your website and twitter account if you hope to have any respect from decent people.

    • not

      I have to agree. This color combination is bad.

      • ktetch

        I know. This was never intended to be the final design, it was supposed to be a temporary one while I created a new one.

        It’s been 15 months and I’ve just not had the time.

  • DocGerbil100

    Good god. Some thoughts, as they occur to me. Be aware that I mean no personal disrespect to people I do not know: these are just my honest immediate impressions, based on the communications I’ve just read.

    • Ktech isn’t my favourite person in the whole wide internet – IMO, his communications do tend towards bullying at times – but he’s fairly tame compared to some of the more unsavoury types out there. Ms Gordon is lucky she didn’t upset some of the real nutters. Whether the person you communicate with is anonymous or not, this is still the internet – anyone in a public-facing role online needs to have their shit sorted long before they go live with the public. They need to be secure and not wide open to attack, as Ms Gordon was (and, I suspect, still is, to some extent). They also need to have a better idea of what they’re talking about. Anonymous or not, the internet is rarely forgiving in any of these matters.

    • Just from reading the emails, Ms Gordon comes across as nothing more than a glazed-eyed marketer, with little grasp of or respect for technology or privacy (something only reinforced by her career summary). So do the commenters defending her here, most of whom I assume to be well-intentioned colleagues. I’m sure you’re all terribly nice, intelligent people in RL, but your online communications are terrible – you all come across as nothing more than meat for the grinder. Why is Nominet employing swathes of (please forgive this) internet-illiterates in its front-line positions? Is it purposefully trying to get its staff stalked and attacked? If you don’t know enough to do your job safely and without fear, then you need proper training, supervision and experience. Nominet staff do not seem to have enough of any of these things.

    • I’m not a lawyer and I’m not ploughing through Nominet’s user agreements, etc, but based on the policy as communicated by Ms Gordon, I’m fairly clear that Nominet is in serious breach of the DPA, which emphatically and repeatedly states that any disclosure of data to third-parties can only take place with the explicitly-given consent of the subject. Statutory law trumps any and all of a private company’s arbitrary definitions, policies or user agreements – and no court will tolerate a definition of a Commercial Site that effectively switches off statutory law for almost the entirety of the general public, especially when it involves changed or newly-invented policies that didn’t exist when consent was supposedly given. Ktech’s right not to be individually and publicly identified in the manner described in Ms Dawson’s emails is almost certainly legally unassailable. Nominet’s liability is potentially bankruptcy-inducing and potentially prison-worthy for the owners.

    As I said at the beginning, these are my honest thoughts and no deliberate offence is intended.

    • ktetch

      Thank you for your comment Doc, although what do you mean I’m not your favourite? Am I at least your favourite TorrentFreak comment moderator??? :-)

      Indeed, sometimes I do come across as bullying, but that’s because I have no tact (or so I’ve been told). I find that in ‘business’ work, I tend to get better results by being brutally honest, forthright and to-the-point. Does disconcert people. However, I can also honestly say that people always know what my intentions are at all times, and can never say I deceived them, except through their own assumptions.

      Just working on a new followup now, plus spoke to the Guardian’s tech editor yesterday.

    • DB

      I personally agree with large parts of the Guardian’s article and it makes common sense to amend this policy to identify trading directly with a .uk domain name and how that is different to affiliate marketing or pay per click etc etc.

      However your comments saying that the employee should be grateful it was this individual she annoyed rather than others is pathetic, he should be condemned for his treatment of the individual because she was just doing her job and anyone with any decency in their bones would see that and not make them the focus of some petty revenge.

      As for your other comment about the staff in general I would like to add as a NON EMPLOYEE (talk about paranoia) Nominet staff and its customer service are a godsend compared to virtually every Registrar & ISP’s front line staff I have had the misfortune to deal with, no long queue times, based in the UK, friendly, and when they don’t get it right (they are human after all) they hold their hands up, apologise and fix it as soon as possible. If you want customer support from individuals with a wide vast spectrum of technical knowledge you better start campaigning for an increase in registration fees because those individuals won’t come cheap if you can even convince them to do a customer support role in the first place.

      Oh and anyone calling for Nominet to be brought under some kind of statutory control wants their heads seeing to! I have had personal dealings with the board at Nominet and can vouch for how approachable and welcoming they are, if you want change engage with them and make your case, if you can’t convince them then by all means publicly campaign and go to the table again with more support, but keep government regulation and bureaucracy away from the .uk namespace if you want it to thrive rather than suffocate as that won’t help British Businesses either!!

      • DocGerbil100

        I have heard it said that while every answer is a reply, not every reply is an answer. Your reply fails to answer the main points I made. It does answer a number of points that I did not, in fact, make, or even suggest. Why do you think you’ve done that?

        • I did not suggest Ms Gordon should be grateful for anything. I said she was lucky not to upset someone truly dangerous, and she was, and I am correct. The various assertions hereabouts, of “petty revenge” and so forth, are really for Ktech to answer – his motivations here are his own and my view would be purest speculation. Considering the context – where Nominet has employed an internet novice to send emails threatening to (in my view) illegally expose Ktech’s private information – I don’t believe that Ktech’s response is too extreme.

        • I did not suggest that Ms Gordon should have a “wide vast spectrum of technical knowledge”, I said she – and her co-workers – should know the basics essential to their jobs: how to be safe online and what the law is regarding personal privacy and data protection being chief among them. These are not minor points: UK law explicitly requires all workers in this field to have a strong knowledge of data protection law – and unless someone has quietly inserted a clause into health and safety law that somehow excludes Nominet’s employees from responsibility, each of those individuals has first legal responsibility for ensuring that they are safe online. Based on Nominet’s communications above, their knowledge of such is weak, if it exists at all.

        By law, Nominet is legally required to ensure that its employees are fully aware of and capable of meeting all requirements in both areas – and it will have made numerous claims to have done so in its legal paperwork. That it does not appear to have done so in reality is not to their credit.

        • Regarding statutory control, this is not a debate in which I have participated.

  • John

    You are an internet hero.
    Thanks a lot.
    Hope that you will win the case.

    Don’t listen to narrow-minded people.

  • techy

    .uk domain is a no-go right now.

    The current situation holds back internet entrepreneurs to use other tlds.

  • techy

    The comments at the Guardian http://www.theguardian.com/technology/2014/jun/11/nominet-new-rules-uk-domain-end-privacy were narrow-minded.
    To all these people I have to say:

    Please try to distinguish avoiding fraud with exposing private details to the public.

    There is big difference between just the government knowing about you, and everyone knowing about you.

    Nominet could know and verify all of registrants’ private details.

    The public though does not need to know details.

    This is to avoid discrimination, racism, attacks, bullying etc.

    If there is a real fraud case, then nominet could go after the person who has the site.

    Moreover, consumers should take care and not buy anything from anywhere.

    And businesses that want extra trust could expose their addresses and have a verification seal.

    An eshop that sells goods directly and online to consumers should have its address online.

    But affiliate marketeers etc should be protected.

    Privacy must be the priority.

    There are many ways to fight fraud, that do not need always everything and everybody to be exposed.

    PS: Congratulations to Andrian Short for bringing this topic up. It’s essential

  • ggc

    https://www.123-reg.co.uk/order/whois-privacy
    Do you think this privacy is for real?


  • bob

    This is possibly the most boring and pathetic thing I have ever read. Get a life, get over it, you beg for money, sell ads and sell a book via your site and then complain when someone says it is a commercial site?!
