prism-break / prism-break

Privacy/security-oriented software recommendations (mirrored from GitLab)
https://gitlab.com/prism-break/prism-break
GNU General Public License v3.0

Feature Njalla? #1900

Closed lukateras closed 6 years ago

lukateras commented 6 years ago

Perhaps it would be nice to feature Njalla as an alternative to conventional domain registrars. It is the only option as far as I know that is guaranteed to not require identification and can be paid anonymously in Bitcoin (through onion service).

They also can encrypt all email sent to the customer with a provided public GPG key, and domains can be registered without email at all via XMPP + OTP.

Their site also features the Kopimi symbol, which should be read as a public domain dedication.

Dividing services into "proprietary" and "free" would be a stretch, but the same point applies to DNS category.

Hillside502 commented 6 years ago

"When you purchase a domain name through Njalla, we own it for you..." https://news.ycombinator.com/item?id=14177597

Zegnat commented 6 years ago

Full quote:

> When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.

In other words, you pay them to hold and manage your domain name, just so you yourself are never registered as an owner.

You’d be surprised how many domain registrars pull the same trick. This can lead to problems, so much so that Wikipedia has a “litigation” section on the issue. So it is a good idea to read the terms carefully, and to have some sort of trust in your middleman. But if you are looking to keep your name off of the registration, what other choice do you have?

Whether this is good or bad, I am not sure. Whether PRISM Break should get into linking to options for domain and hosting providers is another question.

lukateras commented 6 years ago

> You’d be surprised how many domain registrars pull the same trick.

This is the only registrar that owns the domain, i.e. ICANN sees registrar's company and address in private information escrow, instead of customer's information.

Co-founder of Njalla is Peter Sunde, who is also co-founder of The Pirate Bay, founder of Flattr (the only service that continued to accept donations towards WikiLeaks back in the day) and co-founder of IPredator (VPN service and operator of several Tor exit nodes with largest throughput in the whole network). So I don't think trust is misplaced.

While for legal/privacy reasons they have to own domains of their users, in practice it's no different from conventional domain "ownership" (which is not ownership but rent). Transfers to and from service are supported.

This seems like an important battle to fight, given that currently one can't have their own site without showing ID to someone and entering their official name and address.

There's more value in pushing for federation/decentralization if hosting your own instance doesn't involve proving your identity to the most centralized entity on the internet there is, ICANN.

> Whether PRISM Break should get into linking to options for domain and hosting providers is another question.

I think there are a lot of categories where it's not required to trust anyone, namely free software installed locally, and self-hosted services. But there are some things that by their very nature require a middleman to retain privacy, like VPNs, DNS services and domain registrars.

If Riseup and Autistici/Inventati VPN accounts are listed, and OpenNIC DNS resolution service is listed, and even Kolab Now is listed, I can't think of a valid reason to skip domain registrars given that they meet the same criteria:

As far as I know, Njalla is the only domain registrar that meets these criteria.

More about Njalla and free/proprietary distinction: given that frontend is in public domain, the fact that backend is not available is not important since it can't be self-hosted, the service is in legal paperwork for the most part. This is similar to VPNs, where the service is mostly in having internet connection in a particular place, with other users to blend in, and not in software per se.

Hillside502 commented 6 years ago

> conventional domain "ownership" (which is not ownership but rent)

Precisely!

Zegnat commented 6 years ago

> This is the only registrar that owns the domain, i.e. ICANN sees registrar’s company and address in private information escrow, instead of customer’s information.

(They aren’t a registrar, as far as I can find, but that’s pedantry and of no consequence.) They are not the only one according to the Wikipedia section I linked. One example is NameCheap, as described in one of the Wikipedia sources (PDF) (emphasis mine):

> In addition to functioning as a registrar, NameCheap offers an anonymity service known as “WhoisGuard,” whereby NameCheap becomes the registered owner of a domain name desired by a customer, and licenses the domain name to the customer.

Otherwise, I do agree with basically everything you said. And I have even thought about getting a domain from Njalla myself. I also would trust them more than any randomly picked WHOIS privacy/guard service.

But in the same vein as the decision to stop updating recommended email services, I am not convinced PRISM Break is the right place to look into and verify different domain name registration and hosting services. But maybe other people don’t agree with me. I am looking forward to following this discussion and to someone changing my mind 😄

Hillside502 commented 6 years ago

> But in the same vein as the decision to stop updating recommended email services

If that is the case, PRISM Break shouldn't be listing Email Services at all

lukateras commented 6 years ago

> One example is NameCheap [...]

I can't verify that they do not place licensee's personal data into ICANN escrow, it seems that this information is not publicly accessible: https://www.namecheap.com/security/whoisguard.aspx

Anyway, if they require any personal data at all, it doesn't matter whether they license out domains or just provide their Whois data.

> But maybe other people don’t agree with me. I am looking forward to following this discussion and to someone changing my mind :smile:

I'll try to convince you, but I'll use a personal example. I transferred a domain to Gandi just a week ago, and they required me to provide ID and a certificate of residence:

From: Gandi Abuse abuse@support.gandi.net
To: yegortimoshenko@riseup.net
Reply-To: Gandi Abuse abuse@support.gandi.net
Subject: [abuse #8872157] [GANDI] [GANDI-V5] [domain] [dn-buy] hackberryhike.com - yegortimoshenko
Date: Tue, 27 Feb 2018 11:21:21 +0100

Dear Gandi customer,

Thank you for your mail.

Unfortunately, we have not been able to complete your order as requested.

Note that you will need to start your order over again in order for it to be once more entered into our database.

So that your order can pass this time, we require :

  • a copy of a legal and valid photo ID (passport, drivers'license, national ID card) for " Yegor Timoshenko " and
  • a current (less than 3 months) certificate of residence clearly stating the name and address listed in your Gandi account.

Please send these documents by responding to this email in PDF or JPG format.

Please accept our apologies for the inconvenience.

Best regards, Gandi Abuse team http://www.gandi.net/abuse/

I've argued with them for a while, but ended up committing a mistake and giving them that data, because I thought I would never find a registrar that ultimately won't require that from me at some point, and that they donate to various free software projects and use Piwik for tracking and that's better than their competition.

Despite the fact that I've asked to anonymize Whois data, their Whois entry leaks my name (run whois hackberryhike.com and check Registrant Name), i.e. they've only hidden my physical address.

If PRISM Break had Njalla listed, I would not have committed this mistake. Similarly, if we were to unlist Riseup, many people would use Gmail and think that there is no better alternative.

Fortunately, in domain registry space, there is an alternative, and it doesn't infringe on privacy and meets every criterion that we apply to services I could come up with. It's not trivial to find; Njalla doesn't come up when I search for "privacy domain registrar".

And given that PRISM Break is a list of recommendations that re-enforce right to privacy (quote from the index page), and some kind of registrar is realistically required for many of recommendations listed on the site (like "If you have the technical aptitude, consider running your own mail server"), recommending a domain registrar seems to be very helpful, to me.

On a somewhat more political tangent, it's ridiculous and dystopian that someone needs a piece of paper from the state in order to host something in accessible manner, essentially. Additionally, it creates a conflict between decentralization and privacy, and the former is a prerequisite for the latter.

Hillside502 commented 6 years ago

> their Whois entry leaks my name

Depends on the domain name registry for the particular gTLD --- not the registrar (Gandi).

For example, I bought from Gandi a .email domain (Donuts registry) where my name was exposed in WHOIS --- and a .eu domain (EURid registry) where my name is hidden.

So, hackberryhike.com depends on the Verisign registry's policies.

lukateras commented 6 years ago

> Depends on the domain name registry for the particular gTLD --- not the registrar (Gandi).

That has never been the case in .com TLD. I've transferred the domain from AWS Route 53, and they didn't leak my full name. Gandi does.

Hillside502 commented 6 years ago

Looks like .com is treated differently from the newer gTLDs.