Client wants false data on WHO IS - legal?

A client has requested we change all of their data on all of their domains (approx 6-7 domains!) to false names and addresses.

Apparently there’s been some sort of hack on their personal emails or some kind of security breach and they want this info changed (probably to avoid having a home address on the WHO IS as they have no commercial premises).

  • Is this legal? (I know no one here is ‘legally trained or qualified to provide legal advice’ so just after opinions here!)
  • How would you charge for this time?
  • Can or Should we do it - from an ethical standpoint?

Where does the responsibility lie in terms of who is liable or at fault here, us or the client should the likes of Nominet find out?

Many Thanks

[FONT=Verdana]If they’re UK domains, then Nominet’s T&Cs apply:

What you must do

  1. You have various responsibilities set out generally in this contract. You must also:

4.1 give and keep us notified of your correct name, postal address and any phone, fax or e-mail information and those of your contacts (if you appoint any, see condition 5.2). This duty includes responding quickly and correctly to any request from us to confirm or correct the information on the register;

4.2 notify us at once about any court proceedings which involve the domain name; and

4.3 notify us of the details of name servers for the domain name which you are allowed to use and which respond promptly and correctly about the domain name at all reasonable times.

Their definition:

‘correct’ – This means that the information must be good enough to allow us to contact you quickly at any reasonable time without having to get information from anywhere else, must not be deceptive, and (if possible for that type of information) must clearly identify you. For your name this also means that the information must be detailed enough that we can tell exactly who you are (in legal terms, exactly which legal entity we have this contract with).

Personally, I would never get involved in any kind of deception on behalf of a client, no matter how trivial it might seem or how plausible their reason for asking.[/FONT]

Don’t most registrars have a privacy option now? Where their name wouldn’t show up on a WHOIS?

If so, do that. That’s what the option is there for.

Otherwise, no. If you change the information, then you are probably also liable for any legal dung flinging that might be coming their way.


[FONT=Verdana]There is no privacy option for .uk domains, but there is an opt-out from the WHOIS, available in limited circumstances.

Who can opt out?

Only domain name holders that are non-trading individuals can opt out of having their address details published on the WHOIS. In other words, if the registrant is not a business or organisation and, in the case of domain names registered to individuals, you do not use or plan to use your domain name for business, trade (such as pay per click advertising, etc.) or professional transactions, you may opt out of having your address displayed.

Thanks guys

  • What about .com’s and their T&Cs?

The privacy option is defninitely one I will investigate and propose

[FONT=Verdana]A quick search found this article, which includes (my bold)

During the domain registration process, you will be required to give contact information that will be publicly available through the WHOIS database. Anyone can go to a WHOIS search engine and enter a domain name to see who has registered it. Registrars require that this information be accurate and true. If you feel uncomfortable providing personal information, there are some registrars that will act as your proxy, supplying their information in place of your own as the contact for the domain. There may be a small fee for this service and potential drawbacks to balance against the ability to maintain your privacy, so read the Terms and Conditions carefully before deciding to opt for a domain by proxy.

Given that you are entering into a contract by registering a domain, I would guess that providing false information might well invalidate the contract. In the event of a dispute, how will you ever prove who owns the domain, if the registration details are false?[/FONT]

This is from Networksolutions:

I know I can hardly register a domain name anymore that whatever registrar doesn’t try to sell me this service. It’s annoying. I guess it’s only annoying until you need it.

Agree - one option is to set up whois privacy If they insist on false details instead, let them do it themselves.

However, if they run a business, why don’t they just use a business email and address? They can ‘hire’ an address for little money annually, or use a PO Box (assuming registrars allow this). TBH I often check whois details of some sites if I’m thinking of purchasing from them, and whois privacy always seems a little suspect. Same goes for the site itself - no address on the site = red flag, so it may be beneficial to sort something out regardless.

Pick your battles (but not this one).

Tell the client they can register the domain however they like, and send them instructions about how to alter the information associated with their domain. It’s just filling out a form, after all. Also tell them that they can buy private registration for a few bucks.

Then disengage the situation and let them do whatever they want.


I’d be very careful how you word that. If they go ahead and give false information, and it comes back to bite them at a later date, you don’t want them to blame you for giving bad advice. :wink:


Thanks for the info and advice guys.
I’ll be recommending the privacy options on all valid domains, and refusing to do anything else citing the Nominet Ts&Cs.

Extract what you may from the above. I know that the place you register the domains which for the contact information to be accurate. More seriouscompanies will let you know that they take this seriously, other companies might not run it in your face as much, in either case the contact information is very important to either getting in-touch with you, and/or tracking the responsible person in-case of criminal activity.

Can you not just register the domain to your name? I have done this on more than one occation when I did not have the clients address. In many cases they are okay with it.

Personally I am somewhat lost a little faith in our industry and am seriously considering whether to pursue other paths as financially it’s not working, so I might not be the best person for how you would go about charging. I would probably not charge them if they had a support package with me. If they don’t (which all my customers have support), then I would put them on one. I charge small support chunks, or yearly support, depending on the website.

From an ethical standpoint you should either register the domain name to yourself, as the person of contact, or not at all. As long as you let them know, then they are likely not to have an issue with this.

Off Topic:

Cypriot domain names are far worse. They need a valid company registration certificate for all domains. If you don’t have a company register in Cyprus with that name, then you can’t register your Cypriot domain. Personal domains are ONLY for CYPRIOTS and are limited to ONE domain. Companies can have up to 10 domains, until validation of your certificate. :slight_smile: Talk about red-tape, I’d love to see the customer get round this one!


There was a web designer locally who registered all his clients’ domains in his own name as a matter of course. There was no problem at all - until he died suddenly, and they were all left trying to get “their” domains back.


[FONT=verdana]On a related point, if the company is a business and operates in the EU, then they are legally required to display their official company information on the site itself. They must clearly show their registered company name, registered office address, registrations details, and possibly the names of their directors. This is in addition to the domain registration requirements discussed in this thread.

(It’s also good business sense to show this sort of information.)


That’s horrible!

I’ve never heard of anybody inheritting an email or domain name when they pass. I would think they would contact your family, and your family would more than most likely work alongside another web designer to use your laptop to get all their login details. A very awkward scenario, let’s just hope I don’t die any time soon.

There are two contacts for an email address. A technical contact, which is the web designer, and the owner, which should be the client. On occations clients are slow in giving personal information, and in this case you’re left with little option but to put your own until you get round to changing this, if you’re still up for it.

On a related point, if the company is a business and operates in the EU, then they are legally required to display their official company information on the site itself. They must clearly show their registered company name, registered office address, registrations details, and possibly the names of their directors. This is in addition to the domain registration requirements discussed in this thread.

(It’s also good business sense to show this sort of information.)


This needs to be displayed in the privacy page. There are times when companies go out of their way to make this information less accessible, but the real question you should be asking yourself is why?

Why would you want to concele your identity to begin with? Bottom line is, if the client is not happy putting their contact information, then why shiould you? You could get in trouble if they start doing questionnable things on their domain. You should seriously ask youself why they want to concele themselves in the first place. Truth be told I have registered a clients domain in my name, but the client never requested it, if they did there is a good chance I would have declined their request.

In terms of their ‘hack’ on their email account. They can create another email address. To be, it sounds like a bad excuse. It’s more likely that they are fearing getting in legal bother, so they feel that a change in the WHOIS information will avoid detection. Further could be from the truth, as you can easily see backlogs of who the domain belonged to.

Looking at your situation, this doesn’t smell right, and you should question their motives.