Yahoo! Private Domain Registration: If it’s broken, don’t fix it?

January 25th, 2007 by Alex Selkirk

Recently I setup a temporary personal web site that I was concerned might see a traffic spike, and rather than going through my usual registrar and web host, I tried a cheap off-the-shelf package from Yahoo! instead.

Yahoo! offers an add-on service called “Private Domain Registration” where they hide your contact information from the WHOIS database for an additional $0.75/month. Familiar with WHOIS spam, the service sounded great to me and at that price it was practically a free lunch.

Everything worked smoothly (6 Months, 0 Spam) until I shut the site down and decided to transfer the domain from Yahoo! Domains to my normal registrar. The following is a true story about how I learned that Yahoo! Private Domain Registration is broken and is effectively holding my contact info for ransom.

******

The process of transferring a domain between registrars is designed to avoid fraudulent transfers by people trying to steal domains. There are several authorization steps, one is: The new registrar (Tucows) sends an email to the the current owner of the domain registration (me). When I got to that step in the process my new registrar informed me that their repeated attempts to do so had failed.

Sigh.

So, I contact Yahoo! Domains support over email, assuming that they are having a problem with their mail servers, or that the authorization emails are being blocked by a spam filter. Instead, Yahoo! informs me that the service is working exactly as expected:

I understand that you want to transfer the domain registration to “Tucows”, but you are unable to receive the mail sent by them to your Admin email address “contact@myprivateregistration.com”.

Regarding your issue, I have checked the record and found that you have activate the Private domain registration on your domain “[domain removed]”, in order to conceal your personal information from unwanted solicitors by listing contact information for Yahoo!’s domain name registration partner, Melbourne IT, in place of your own registrant, administrative, technical, and billing contact information in the public WHOIS database. [sic] Your own contact information will remain associated with your domain in Yahoo!/MelbourneIT’s database but will not be made available in the public WHOIS.

So, in order to show your actual information in the public WHOIS record, you have to disable the private domain registration.

Yahoo! Domains Support doesn’t expect you to receive any email when you have “Private Domain Registration” turned on. In order to complete the registration, I need to turn off the privacy feature and expose my real email address.

Quality.

My initial reaction is: I have misunderstood the feature. I read up on the service offering, as well as the slightly more detailed help content, and it turns out that I’m right; something is wrong with the service.

From the Yahoo! Private Domain Registration marketing page (my bold):

How Does Private Domain Registration Work?

  • When you sign up, our partner Melbourne IT updates your registration listing with generic contact information that points to MelbourneIT’s offices.
  • Whenever someone looks up your domain and tries to contact you, Melbourne IT receives the call, email, or letter and screens the information on your behalf.
  • Melbourne IT forwards prescreened communications to you, so you can reply as you see fit.

What does this mean? In practice Yahoo!, with the help of MelbourneIT, replaces your contact email address with contact@myprivateregistration.com, your address with a PO Box in Emeryville, CA, and your phone number with their phone number, all for $0.75/month. How could they possibly afford to do that?

I reply to the support mail explaining the discrepancy between the feature list and the service I have been experiencing, and ask for a refund for the last 6 months of service.
Later that week…

1. Yahoo! still has not responded to my email. Several more attempts have been made by my registrar to contact me through the pre-screening service.

2. I decide to call the Yahoo! support phone number. To my surprise, someone promptly answers the phone, and within 10 minutes I have my answer: The mails are getting blocked by spam filters, but Yahoo has no control over their own spam filters, so nothing can be done about my problem. I am surprised that this is an acceptable answer, but I let it go and allow myself to be forwarded to billing to request a refund.

3. Billing listens to my complaint, and then spends several minutes trying to transfer me back to tech support to help resolve my issue. I re-explain that tech support has already given up on resolving it. There is some confusion on the line.

I am disconnected, apparently unintentionally.

4. I call back, and this time ask for billing support immediately. I am transferred to Yahoo! Personals support, where the operator informs me that I have called the wrong number, and gives me a new number to call.
5. Finally, I get another billing support agent on the phone, and this time make it clear up front that I want a refund for the service. The agent I speak with informs me that when I cancel the service, I will be refunded a pro-rated amount for the remainder of the month. As for the past six months of service they have already provided, no refund would be supplied, as the service has already been rendered.

As far as I am concerned, this is not acceptable. The way I see it, the 6 months of privacy “protection” they provided are about to be voided because their service doesn’t work the way it’s supposed to, which in turn makes it impossible for me to transfer my domain registration away from Yahoo! without exposing my personal contact info.

I point out to them that this amounts to blackmail – my privacy is being held hostage to keep me a Yahoo! customer. There is a pause on the other end of the line when I mention to her that I will be writing this up as a blog entry.Finally she says “The bottom line is, I can’t refund you for more than the current month.”

I asked her to escalate my complaint, and she puts me on hold for a few minutes. When she returns she informs me that I will receive an email with a “decision”.

I sit grumbling, hammering out this blog post as the best way to escalate the issue, when I think of another approach. I send a mail quickly to contact@myprivateregistration.com. It bounces back immediately. (Try it yourself.) This wasn’t about registrar mails getting bounced, nor did it seem to be about spam filters; I am quite certain now that all mails get bounced, regardless of content.

What’s more, in writing the test email, I realize something else that should have been obvious to me before: Everyone with the Private Domain Registration service gets the same generic contact@myprivate…email address. Ditto for the PO Box and the phone number. Meaning, in order for the pre-screening service to work, some system or person would have to scan each individual communication in order to decide which ones were directed at which domain owners.

How could that possibly work for $0.75/month? Hmmm…the free lunch is sounding less and less like lunch.

Anyway, the all-mails-bounce problem seems like a more concrete issue for the tech support folks to chew on, so I call back.

6. This time, I get a helpful support agent on the line, repeat my story, and even get him to send a mail to see it bounce with his own eyes. His initial response is also that the service is working as expected, and I direct him to the URL that describes the service so that he can understand my problem. After much ado, he decides that the problem is with their partner MelbourneIT, (a diagnosis I agree with) and that therefore I should contact them to resolve the issue.

HEADS UP, BIG BUCK PASSIN’ THROUGH!

Then he gives me a long distance phone number to Australia that he suggests I call. I laugh. He also thinks this is silly, and hopes, for my sake, that they speak English over there.

I try another tack: I explain to him that from Yahoo!’s perspective, this isn’t about my individual complaint, but that everyone who is paying for this service is being affected. I recommend that he escalate this to his manager, and he seems to understand what I am saying, but is also reaching the end of his patience. I can tell that whomever he’s working with on his side is not as sympathetic. He puts me on hold again, and I go to the MelbourneIT website to check out their online support.

As it turns out, MelbourneIT has a nifty support tool that allows me to identify my problem and domain. I write a quick note and submit the request.

Minutes later, while still on hold with Yahoo!, I get an automated reply to my complaint (my bold):

THIS IS A SYSTEM GENERATED MESSAGE

A Melbourne IT Reseller manages the domains specified in your message.

Please contact this reseller using the details below for any assistance you require. If the person you contact refers you back to us, ask them if they would please contact us on your behalf.

Reseller details:

Yahoo Inc.
Web address: domains.yahoo.com
Email address: domains-support@cc.yahoo-inc.com

Genius! An automatic buck passer. Lucky for me, I’m still on the phone with Yahoo!

When my Yahoo! support agent comes back to the phone, he says that a “special note” has been added to my case to indicate that this issue may affect other Yahoo! customers, and re-recommends that I contact MelbourneIT.

He is quite disappointed when I read him the automated reply from MelbourneIT.

I try explaining to him why I think MelbourneIT is right – after all, Yahoo! contracts MelbourneIT to provide the service – MelbourneIT doesn’t know who I am as an individual. I pay Yahoo!, Yahoo! pays MelbourneIT – if I have a problem, I ask Yahoo! to fix it. If Yahoo! has a problem with MelbourneIT, they ask MelbourneIT to fix it. Who do I want a refund from? Yahoo! Who’s holding my privacy hostage? Yahoo!

At this point, I decide that a blog post is a more effective use of my time and energy, but I let the support agent put me on hold one last time to get a final response from his management.

After several minutes he comes back with, no surprise, a restatement that the problem is on MelbourneIT’s side. But to sweeten the deal he throws in a final gem. He gives me the phone number-equivalent of contact@myprivate…, the phone number that is listed for every Yahoo! Private Domain and suggests I give that number a call, since it is a US phone number. In a manner of speaking, he suggests I try giving myself a call.
Yeah, right, I think, thank him and hang up.

Just for kicks, I dial the number:

Sorry, the mailbox is full and there is not enough space to leave a message. To leave a message for another subscriber, enter the area code or phone number for that subscriber.

LOL! Don’t believe me? Try it yourself. (510-595-2002)

So, in closing: If you sign up for Yahoo! Private Domain Registration, it works great – you won’t get any emails, or phone calls…and though I haven’t tested it, I wouldn’t expect too much mail to make it through that PO Box in Emeryville either.
So, am I missing something? Or is this service a farce at best? Is it anything more than an attempt by Yahoo! to appear to care about user privacy?

No? Well it would just be a good joke if this broken service didn’t also block Yahoo! customers from switching off of the Yahoo! Domains service and on to a competitor’s. Isn’t that a form of extortion?

Update February 26, 2008

I recently discovered that the above story does actually get worse: Yahoo! Private Domain Debacle Part II: Can’t Keep a Secret.

Tags: , , ,

22 Responses to “Yahoo! Private Domain Registration: If it’s broken, don’t fix it?”

  1. sunlite says:

    I had a good laugh. This is so funny.

    I have had dealings with the phone company also. Many of the staff just wish that you would just go away.

    I think the humans are losing to the machines. We humans cannot keep up with technology.

  2. eric reising says:

    My domain hosting expired I would like another year subscrition.Please let me know where to send payment thanks. Eric

  3. Magdalena Donea says:

    Good job drilling through and exposing the problem. I would be really interested in finding out the solution, should you ever find it. As it is, it does seem as if the service is seriously broken.

    Question: is it possible to turn off private registration only for a very short time, enough time to just transfer the domain, then just turn it back on at the other registrar after the domain has safely transfered over?

  4. aselkirk says:

    Hi Magdalena – To answer your question, yes, I think that it is possible to turn off the private registration only for a short period of time, (this is the direction that the customer support folks pushed me in) though I have not tried it myself.

    The mechanics of the transfer (various email confirmations, logins, verifications) are such that I think that the end user’s ability to make the exposure as brief as possible is limited by mail delays, registrar automated server responses and the like. (I would imagine that even when carefully timed this would require at least several minutes, and possibly many hours to complete.)

    I am not familiar with how frequently the WHOIS database is being mined, who has the ability to snapshot it, or if those snapshots are available somewhere, but I think its not unreasonable to assume that even a momentary exposure is all that is necessary to make your information “not-private”.

  5. Magdalena Donea says:

    Hmm. I think you’re right that you cannot trust data miners to not find your data in the brief span of time that it’ll be exposed. Now that you mention it, I wouldn’t do that either.

    Perhaps a middling solution then? Edit your email address first and change it to a disposable one for the duration of the process, then unconver it, then re-cover it and change it to something better, after the fact?

    I admit that I’ve never seen this before. Domains-by-proxy, which is GoDaddy’s “contact obfuscation” vendor, creates a contact record e-mail address of the sort customer-domain.com@domainsbyproxy.com – for my one or two pseudonymous domains, I do get registration information and the like. It seems to me that either MelbourneIT is doing something very wrong, or else their agreement with Yahoo! allows for something very wrong to happen. Either way, it’s a problem with their entire offering and not just you, and merits a bit of publicity. Slashdot? 🙂

  6. aselkirk says:

    Your solution is a good and practical one, and actually the mail address I set up behind the private registration is just a forwarding address that I can shutoff. But as you say, mostly something is “very wrong” with the Yahoo service.

    Domains-by-proxy seems like the right implementation of this functionality – next time I need this I’ll have to take a look.

    As for Slashdot, I also thought this was deserving of some publicity, but nothing came of my slashdot submission. I also dropped it on Digg a while back (http://digg.com/security/Yahoo_Private_Domain_Registration_is_Broken_and_Not_Private) but it hasn’t gotten much attention.

  7. Scott says:

    I have the same problem with Yahoo right now. Even when you try to “turn off” private registration it does not work. From what I’ve found “turning off” private registration at Yahoo does nothing. I figured if I made things public I would as least control the email address for the transfer conformation letter… that did not work.

    Has anyone figured out a way to get a domain off of Yahoo? They are holding my domain hostage too.

  8. Magdalena Donea says:

    Something that came across the news wires in the last few days reminded me of your problem with the private domain:

    http://arstechnica.com/news.ars/post/20070824-whois-privacy-reform-reaches-dead-end.html
    (OK, it’s not exactly on-topic, and the news is “more of same! stay tuned!” but it’s nice to know that someone, somewhere continues to at least think about this)

    Did you ever get this situation resolved?

  9. Manuel says:

    I’m there too. A client of ours wanted to transfer his domains to our account at godaddy, and we are stuck with the bogus email address. Has anyone found a solution yet?

  10. J.S. says:

    I’m trying to switch out of yahoo and couldnt figure out why i wasnt getting the authorization email. so did an online search and found this blog entry. UNBELIEVABLE!!! but what can we do??? nothing, and they know it, that’s why they dont care. thanks for exposing this so I know im not alone!

  11. j.u.p says:

    I have run into this same problem. Can’t get yahoo to let go of this domain. I was wondering what was taking so long, then my provider showed the email address that the request was sent to. Did a search on that addy and this page comes up.

    This is complete B.S.

  12. Solo says:

    Great blog. I will inform others to stay away from Yahoo hosting.

  13. jonas says:

    Guess what, after paying for I think two years of Yahoo “Private” registration, I found out that it’s bullshit. It’s NOT private. They leave your name on the WHOIS! Yes, your real name. All the other stuff is the private registration stuff, but how can they think that you want your name on it if you want everything else private? I am so upset about this. And then they had the audacity to bill me for a domain name that they didn’t renew in time.

    Everybody, stay away from Yahoo domain name registration!!!

  14. TigerKen says:

    It’s ridiculous that they do it this way. I work for a small web hosting company, and the way we do it is that every now and then we set each domain’s public contact email address to a new one made up of random characters. Any email sent to that address gets forwarded to our customer (if it passes our anti-spam filters). And when we change the public address again later, the old one becomes invalid and therefore bounces any messages. (This is useful to avoid spam sent to old harvested lists.)

    We also filter mail sent through the USPS: junk mail is trashed, but legal notices and other registered mail are forwarded to the customer.

  15. NewGuy says:

    I just read all this brew-ha-ha today, back into 2007, and later I will scurry over and see if I have any of the same problems. Likely I will.
    What I want to know from y’all, and especially Alex Selkirk (much raucous applause for your good work getting your letter all over the web!) is this:

    Has anyone begun trying to bust Yahoo! legally for this, and how is it going? This is sounds like huge fraud to me. *Someone* should take this on.

  16. joyinliving says:

    We went the Yahoo route to register a domain, but without the “privacy” feature you’ve been discussing. I, also, attempted to transfer our domain from Yahoo / MelbourneIT to no avail. I’d love to see someone force their hand to play fair.

  17. […] email response I can’t help you. You will have to rectify the above two things before proceeding. Read here about Yahoo! having some issues regarding forwarded […]

  18. Laura says:

    I didn’t pay for the privacy service and yahoo has changed my admin e-mail to the contact@myprivateregistration.com.

    It is aggravating trying to get this domain transferred when yahoo is changing my admin e-mail.

  19. Andy Bush says:

    I don’t trust US based private domain registrars. I have read they easily give out your personal info and even steal domains! I stick with offshore registrars like http://www.yohost.org This site does not even ask for personal details, just an email.

  20. […] posts by the person mentioned above whose data ended up in the WHOIS database after cancellation: 1, […]

  21. Manok says:

    A bouncing Email address and a non-functioning telephone number, for hundreds or thousands of web sites, and this is okay for ICAN? I get a 3-monthly reminder from Network Solutions that if anything in my domain name info is not right, it can be canceled!!

    Wouldn’t it be the same if we just give some spoof info for our web sites? (Apart from a valid Email address?) Okay, with any dispute, or “accident” (e.g. Email address unavailable), you have a weak position, but it’ll save 10 bucks a year. This does not sound a lot, but for 5 domain names, it adds up!

  22. […] 1) Yahoo offers a “private registration” option, which allows you to keep your real name and mailing address out of the WHOIS database. It is impossible to transfer one of these private domains to another registrar. Ever. (See my post from last year, or this guy’s post from 2007.) […]


Get Adobe Flash player