After registering a domain in the zone .ru the owner-individual, checking it on the whois service, sees the entry: 'person: Private Person', and the soul becomes warm and reliable. Private - that sounds serious.
It turns out that this security is illusory, at least when it comes to the third largest domain name registrar in Russia, Registrator R01 LLC. And absolutely anyone can find out your personal data from him very easily.
At the beginning of spring 2020, I came across the following document concerning me:
I should note that my site is legal, and my name as the owner is indicated on it in the contacts. But I was surprised by the ease with which the domain registrar, in a deep curtsey, disclosed to third parties the information so carefully guarded by the state.
FAQ on the situation:
Who is Mr. Sozvariev A.A.?
I have no idea
What did he want?
In fact, extortion of money through blackmail, as it turned out later. But more on that in the next article.
Is it legal to release personal data upon such a request?
Phone and fax numbers and email addresses are not available. Full name and postal address - partly
What did they say in "R01"?
That everything is fine. Request by Sozvarieva A.A. refused to show.
What did Roskomnadzor say?
That the law on personal data has been violated, but the term for bringing to administrative responsibility has expired (3 months)
Fragment of the RKN response
A criminal with a criminal commits a crime, wait a little while until it is legalized, and, using illegally obtained, they live on.
What does the law say?
In this case, the law is not what the drawbar is, but it is not clear what.
The Law on Personal Data prohibits any transfer to third parties, except in special cases (requests from law enforcement agencies, courts, etc.).
But there are some Rules for registering domain names in the .RU and .Π Π€ domains, approved by the Administrator of the .RU top-level domain - Autonomous non-profit organization "Coordinating Center for the National Internet Domain".
And in these Rules there is clause 9.1.5., which says:
The registrar has the right to provide information about the full name (name) of the administrator and his location (residence) at a written reasoned request of third parties containing the obligation to use the information received solely for the purposes of filing a lawsuit.
It is absolutely incomprehensible how the internal rules of some ANO overlap the federal law. This is, in fact, the main question of interest at the moment.
Did Mr. Sozvariev A.A. sue me in court?
No
Did Mr. Sozvariev A.A. obtained information for other (non-judicial) purposes? Did he divulge it to others?
Yes
It turns out that any citizen can request information about the administrator of any domain registered in the zone .ru, promising to sue, and the registrar will issue it?
Yes. At least "Registrar P01"
There are two eternal Russian questions left. The answers to them are no longer factual, but in the form of my subjective opinion
Who is to blame?
Legislator.
The constitutional right of everyone to judicial protection implies that the victim should be able to obtain data on the name and address of the owner of the resource in order to indicate this in the claim. Therefore, this rule (on the issuance of the specified data by the registrar), of course, is needed. But the decision to extradite must be motivated.
I see the following sequence. The victim asks the registrar about the data of the owner of the site. He addresses the owner of the domain. Within a certain time he can write an objection. The registrar analyzes the request, objection and makes a decision to disclose the data (if there are grounds for litigation) or to refuse it. Report this to both parties. They already have the opportunity to appeal this decision (court, RKN, prosecutor's office). Everything is fair and just.
Even the ruthless Roskomnadzor, before blocking your resource, tries to contact you somehow, but here there is absolutely chaos.
What to do?
Do not have domains in zones .ru ΠΈ .ΡΡif possible and if you value your personal data.
In this whole story, the βRegistrar R01β was the most upset. Judging by the speed and thoughtfulness of their legal department's responses to my letters, they took the situation quite seriously, but did not want to admit the violation and apologize.
So, as promised, advertising on HabrΓ©:
buy domains at Registrar R01 LLC!
if you want your personal data to be merged with any trash
The lion's share of problems in family life, society, business, politics, crime is due to the psychological inability of a person to admit a mistake and apologize. But how much easier would be the relationship, and the whole life.
People, let's apologize for our jambs.
Addition
User Π² provided comprehensive information on the subject. Roskomnadzor back in 2018 that the issuance of personal data to a lawyer, even for filing a lawsuit without the consent of the domain administrator, is illegal.
Accordingly, clause 9.1.5. The rules for registering domain names in the .RU and .Π Π€ domains also contradict the provisions of the Law "On Personal Data".
Thus, it turns out that the affected person must receive all personal information about the domain administrator (if he does not agree to disclosure) through the court, involving the registrar as an administrative defendant.
Therefore, the fault for illegal disclosure lies entirely with the registrars, who use the short statute of limitations for administrative liability to avoid it.
Source: habr.com