DEV Community

MonstaDomains


US Domain Privacy Protection: 5 Critical Risks Exposed

Originally published at https://monstadomains.com/blog/us-domain-privacy-protection-risks/

In April 2026, the US National Telecommunications and Information Administration quietly released a draft RFP to find a new operator for America’s .US country-code domain. Most domain buyers ignored it. But for anyone who cares about staying anonymous online, this story matters — it exposes a truth the industry rarely admits: US domain privacy protection does not exist, has never existed, and this contract reshuffle will not fix it. If you are considering a .US address, here is what the NTIA’s procurement process reveals about your real exposure.

The NTIA Is Searching for a New .US Operator

Domain Name Wire reported on April 1, 2026 that the NTIA published a draft RFP to replace GoDaddy Registry as operator of the .US ccTLD. GoDaddy Registry took over the contract after acquiring it from Neustar. The draft contains three eligibility requirements: the new operator must be a US-based company, must have previously managed a namespace of at least 2 million domains, and cannot own a registrar that actively sells .US domains to end users.

That third rule effectively disqualifies GoDaddy Registry and Identity Digital — the two most qualified candidates. The only remaining contender is VeriSign, which runs .COM at $10.26 per registration and may be unwilling to propose lower .US pricing that undercuts the justification for its flagship product’s higher fees. The procurement process may stall entirely. Meanwhile, the absence of US domain privacy protection continues without a single word of reform in the draft RFP.

The WHOIS Ban That Was Built In From the Start

Why No Registrar Can Offer You a Fix

Generic top-level domains — .COM, .NET, .ORG, and most new extensions — allow registrars to provide proxy or privacy services that replace your personal data in the public WHOIS record with generic contact information. With those TLDs, you can register a domain without your home address becoming publicly accessible. US domain privacy protection works differently, which is to say it does not work at all. The .US registry policy, established by the Department of Commerce through NTIA, explicitly prohibits the use of privacy proxy services for .US registrations.

This is not a registrar limitation you can shop your way around. It is a policy mandate embedded in the .US registry infrastructure. No registrar — regardless of how privacy-focused its own practices are — can offer you WHOIS privacy protection on a .US domain. When you register one, your legal name, mailing address, email, and phone number are published in a publicly accessible database. Every data broker, every surveillance system, every person who runs a basic WHOIS query sees your real details. This is the intended outcome, not a bug.

The Nexus Requirement Makes It Worse

The .US Nexus Policy compounds the privacy problem significantly. To register a .US domain, you must be a US citizen, permanent resident, or an organization lawfully established within the United States. You must certify this at registration, and your contact data must be accurate and current at all times. This means using placeholder or anonymized information is a policy violation, not just a technical workaround. The nexus requirement and the WHOIS publication mandate together guarantee that any .US domain is permanently tied to a verified, real-world identity. There is no structural pathway to US domain privacy protection within the current .US policy framework.

The Scale of Personal Data Sitting in Plain View

According to NTIA data cited by Domain Name Wire, approximately 2.4 million .US domains are currently registered, generating around $15 million annually at the current $6.50 wholesale fee. That means roughly 2.4 million registrants have their personal details — names, addresses, phone numbers, email addresses — sitting in a publicly queryable database with no legal mechanism for removal or masking while the domain remains active. The transition from legacy WHOIS to RDAP has not improved this situation for .US holders. As documented in our analysis of the ICANN RDAP transition, RDAP makes structured data queries faster and more machine-readable than the old protocol — which means automated harvesting of .US registrant data at scale is now easier and faster than it has ever been.
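To make the RDAP point concrete, here is an added example (not from the original post or from MonstaDomains) that parses a domain's RDAP JSON response and reports which registrant contact fields are still readable rather than replaced by a proxy placeholder, so you can audit what your own record exposes. The two records are constructed samples, and the set of placeholder strings is an assumption.

```python
import json

# Placeholder strings proxy/privacy services substitute for real contact data.
# Assumption: an illustrative set, not an exhaustive list of real-world markers.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "NOT DISCLOSED")


def registrant_fields(rdap: dict) -> dict:
    """Pull name/org/address/email/phone from the registrant entity's jCard."""
    fields = {}
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        # jCard (RFC 7095): each property is [name, params, type, value].
        for name, _params, _vtype, value in entity.get("vcardArray", ["vcard", []])[1]:
            if name in ("fn", "org", "email", "tel"):
                fields[name] = value
            elif name == "adr":  # 7 parts: ..., street, city, region, postcode, country
                fields["adr"] = ", ".join(part for part in value if part)
    return fields


def exposed_fields(rdap: dict) -> dict:
    """Registrant fields a public RDAP query reveals unmasked (no placeholder)."""
    return {k: v for k, v in registrant_fields(rdap).items()
            if v and not any(m in v.upper() for m in REDACTION_MARKERS)}


# Constructed sample records (not real registrations): a .US record, where no
# proxy service is permitted, and a gTLD record behind a registrar proxy.
EXPOSED_US = json.loads("""{"objectClassName":"domain","ldhName":"example.us",
 "entities":[{"objectClassName":"entity","roles":["registrant"],
  "vcardArray":["vcard",[["version",{},"text","4.0"],
   ["fn",{},"text","Jane Example"],
   ["adr",{},"text",["","","123 Example St","Springfield","IL","62701","US"]],
   ["email",{},"text","jane@example.invalid"],
   ["tel",{"type":["voice"]},"uri","tel:+1-555-0100"]]]}]}""")

PROXIED_COM = json.loads("""{"objectClassName":"domain","ldhName":"example.com",
 "entities":[{"objectClassName":"entity","roles":["registrant"],
  "vcardArray":["vcard",[["version",{},"text","4.0"],
   ["fn",{},"text","REDACTED FOR PRIVACY"],
   ["adr",{},"text",["","","REDACTED FOR PRIVACY","","","","US"]],
   ["email",{},"text","a1b2c3@proxy.example.invalid"]]]}]}""")

if __name__ == "__main__":
    for record in (EXPOSED_US, PROXIED_COM):
        print(record["ldhName"], "exposes:", sorted(exposed_fields(record)))
```

Against the .US sample every contact field comes back unmasked; against the proxied gTLD sample only the forwarding email remains, which is the difference the article describes.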

[Image: cracked .US domain shield with personal data flooding out]

Why a New Registry Operator Will Not Fix This

Even if a new operator wins the .US contract — whether VeriSign or a dark-horse bidder who somehow clears the eligibility bar — the privacy policy will almost certainly remain unchanged. Registry operators do not set .US policy. The NTIA controls the policy framework and delegates only operational responsibility to the contracted registry. Lifting the proxy prohibition or relaxing the WHOIS publication requirement would require the Department of Commerce to revise the .US policy documents directly. That process has faced no serious regulatory pressure in years, and the current draft RFP contains zero language signaling any intent to revisit US domain privacy protection rules.

The EFF has documented extensively how WHOIS data flows into surveillance ecosystems well beyond what most registrants anticipate. Data brokers scrape public WHOIS regularly. Law enforcement agencies query it without warrants in many jurisdictions. Marketers harvest contact information for unsolicited outreach. Stalkers and harassers use it to locate individuals. The forced-disclosure architecture of .US turns every domain registration into a permanent, public record of your identity — by design. A new registry operator inheriting this architecture changes nothing about that dynamic.

TLD Alternatives That Actually Protect You

If anonymity or even basic privacy matters to your use case, .US is the wrong choice. Dozens of alternatives give you what .US structurally cannot.

Generic TLDs — .COM, .NET, .ORG, .IO, .CO, and the majority of new generic extensions — allow registrars to provide proxy services that replace your real contact data with generic registrar information in the public WHOIS. A stalker or data broker running a query on your domain sees a forwarding email and a registrar address, not your home. This is the minimum acceptable standard for anyone who does not want their domain registration tied to their physical location. The complete absence of US domain privacy protection on .US makes it categorically inferior to almost any gTLD for privacy-conscious registrants.

Certain country-code TLDs outside US government jurisdiction also permit privacy proxy services and impose no nexus requirements. Extensions like .IO (administered under British Indian Ocean Territory) and .AI (Anguilla) are used by privacy-minded registrants partly for this reason. Policies can shift, so always verify a specific ccTLD’s current rules before committing. The broader point is simple: you have dozens of extensions to choose from where real privacy is structurally possible. .US is not one of them.

What Privacy-First Domain Registration Actually Requires

Choosing the right TLD is the first layer of protection. The registrar you use is the second — and it matters just as much. Most mainstream registrars run a standard data-collection pipeline: they capture your name, address, and payment details at registration; verify your identity; store everything for years; and comply with data requests from government agencies and civil litigants. Your anonymity is only as strong as your registrar’s willingness — and ability — to protect it.

A genuinely privacy-first registrar collects nothing it does not need. No identity documents. No address verification. No credit card details tied to your real name. MonstaDomains operates on a zero-KYC, crypto-only model — including Monero support for complete transaction privacy. Combined with WHOIS proxy protection on eligible TLDs, this is what anonymous domain registration actually looks like in practice: a structural design that prevents your personal data from existing in the registrar’s systems to be leaked, subpoenaed, or harvested in the first place.

Forced Disclosure Is a Feature, Not a Bug

The absence of US domain privacy protection on .US domains is not a historical accident waiting to be corrected. It is policy architecture built with deliberate intent. When the Department of Commerce established the .US framework, mandatory registrant disclosure was a design choice — one that reflects a broader governmental preference for linking online presence to verified real-world identities. This same preference drives regulatory proposals elsewhere: EU data retention directives, Australia’s domain data collection requirements, and recurring ICANN-level pushes for expanded registrant verification across all TLDs.

The direction of travel — absent active opposition — is always toward more surveillance, not less. The .US contract shuffle happening in 2026 is a procurement exercise, not a privacy reform. Whoever wins the contract will inherit the same anti-privacy infrastructure and operate within the same policy constraints. The only reliable approach is structural: register domains in TLDs that permit privacy proxies, use a registrar that never collects your identity, and pay with cryptocurrency that leaves no traceable financial record linking your name to your domain.

What to Do Before Your Next Registration

If you already own a .US domain with real personal data in the WHOIS record, there is no privacy remedy available within that extension. You can transfer the domain to a different TLD where proxy protection is permitted, or accept that your contact information is and will remain publicly accessible for as long as the domain is registered. There is no in-place fix. The .US policy does not allow one.

If you are planning a new registration and anonymity matters to your situation — whether you are an activist, journalist, whistleblower, or simply someone who does not want their home address attached to a public database — skip .US entirely. Choose an extension where WHOIS protection is available, use a registrar that requires no identity verification, and pay with privacy-preserving crypto. The .US contract drama will unfold over the coming months. Your privacy decision needs to happen before you click register — not after.
