How a certification authority handles whois data

I just got a call from someone at comodo.com and the call went something like this[1]:

co: I am [some name here] from comodo and looking for the owner of halfthetruth.de.

me: That’s me.

co: Great. First I want to let you know that the ssl-certificate for halfthetruth.de has expired, did you know that?

me: Yep.

Then came a never-ending story about what ssl-certs can do for you and your business and how many clients you’ll get by buying a “so great and cheap certificate from comodo.com” – for only 300 euros (I forgot the exact number) per year.

So I told her that halfthetruth.de is, as you can see, not a business, that I don’t have clients for that non-existent business, and that I just don’t need a certificate from comodo.

co: Ok, can I ask you how much you paid for your certificate?

me: Nothing, it’s for free.

(pause)

co: Ok well, and how much do you pay for renewing the certificate?

me: It’s for free as well, I can renew it anytime for free.[2]

(pause)

co: Then you obviously don’t need a certificate from comodo.

me: Absolutely right, just one question: Where did you get my phone number?

co: We have a research team doing that kind of stuff.

me: But I didn’t post my phone number on my website or somewhere else publicly available.

co: Our research team is doing this, I got your phone number from them.

Then she asked me whether I wanted to give her my contact information so that she could forward some information regarding comodo and certificates and stuff. I declined politely and hung up. Apparently, they got my phone number from the whois service, but the information from the whois is not meant for advertising, as you can see from the terms of use:

Terms and Conditions of Use

The data in this record is provided by DENIC for informational purposes only. DENIC does not guarantee its accuracy and cannot, under any circumstances, be held liable in case the stored information would prove to be wrong, incomplete or not accurate in any sense. All the domain data that is visible in the whois service is protected by law. It is not permitted to use it for any purpose other than technical or administrative requirements associated with the operation of the Internet. It is explicitly forbidden to extract, copy and/or use or re-utilise in any form and by any means (electronically or not) the whole or a quantitatively or qualitatively substantial part of the contents of the whois database without prior and explicit written permission by DENIC. It is prohibited, in particular, to use it for transmission of unsolicited and/or commercial and/or advertising by phone, fax, e-mail or for any similar purposes.

Footnotes:

[1] I cannot quote the exact words.

[2] I’m using a certificate from CAcert, which is free of charge and really great by the way.
