The Porkbun ID Controversy: What's Really Happening?
If you're in the self-hosted community, you've probably seen the uproar. Porkbun—the registrar many of us trusted for its straightforward approach—now wants your government ID. Not for some special service. Not for a high-risk transaction. Just to register or manage domains. The announcement hit like a privacy gut punch, and the reaction has been... well, let's just say passionate.
Here's what you need to know: Starting in early 2026, Porkbun began requiring government-issued ID verification for all new domain registrations and certain existing account actions. No grandfathering. No exceptions for low-risk domains. Just upload your driver's license, passport, or other official ID, or you can't complete your purchase.
But here's the kicker—and this is what really has people angry—there's no specific law or ICANN regulation that mandates this level of verification for all domains. Porkbun's own knowledge base article (the one that started this firestorm) admits they're going beyond what's legally required. They call it "proactive compliance" and "enhanced security." The self-hosted community calls it something else entirely: privacy erosion.
Why Porkbun Says They Need Your ID
Let's give Porkbun their due. They didn't make this decision lightly, and their stated reasons aren't completely unreasonable on the surface. According to their documentation, they're facing three main pressures:
First, there's the evolving regulatory landscape. While no single law says "verify every domain registrant," there's a patchwork of anti-money laundering (AML) and know-your-customer (KYC) regulations that are getting stricter globally. Financial institutions have dealt with this for years, but now it's creeping into the domain space.
Second, payment processors are getting nervous. When fraud happens with domains (think phishing sites, scam operations), the payment providers sometimes get stuck with the bill. They're pushing registrars to implement stronger verification to reduce chargebacks and fraudulent transactions.
Third—and this is the most legitimate concern—there's actual domain abuse. Malicious actors register domains for spam, phishing, or other illegal activities. Proper verification theoretically makes this harder, though whether it stops determined bad actors is debatable.
Porkbun's position is essentially: "We'd rather be safe than sorry, and we're implementing this uniformly to avoid discrimination." But that uniformity is exactly what bothers privacy advocates. Why should someone registering a personal blog need the same verification level as someone buying hundreds of domains for commercial use?
The Self-Hosted Community's Real Concerns
Now let's talk about why people are genuinely upset. This isn't just knee-jerk privacy paranoia. There are specific, practical concerns that affect real users.
For starters, many in the self-hosted community operate on principles of minimal data collection. We run our own services specifically to avoid handing personal data to corporations. Now one of the few registrars that seemed to respect that philosophy is asking for the most sensitive document most of us own.
Then there's the security of the data itself. Porkbun says they encrypt and protect your ID, but let's be real—every company says that until they have a breach. Government IDs contain exactly the information identity thieves need: your full name, date of birth, address, and a unique identification number. That's the holy grail for fraud.
But here's what really stings: the timing and communication. Porkbun rolled this out with relatively little warning. Existing customers woke up to find they couldn't make changes to their domains without verification. Some reported being locked out of their accounts entirely until they uploaded ID. That's not just a policy change—that's holding people's digital property hostage.
And let's address the elephant in the room: what happens if you refuse? If you're uncomfortable handing over your government ID (and many of us are), you essentially lose access to domains you've paid for. There's no graceful exit. No easy transfer without verification. It's comply or lose your digital assets.
Is This Actually Required by Law or ICANN?
This is the million-dollar question, and the answer is more nuanced than you might think.
ICANN (the Internet Corporation for Assigned Names and Numbers) does require some level of verification, but it's not what Porkbun is implementing. ICANN's 2013 Registrar Accreditation Agreement requires registrars to "take reasonable steps to investigate" inaccurate WHOIS data. The 2026 updates add some teeth to this, but they still don't mandate government ID for every registration.
What ICANN actually requires is verification that the contact information is valid. That typically means sending an email and getting a response. Some registrars might add a phone verification step. But a scanned government ID? That's well beyond ICANN's current requirements.
As for specific laws, it varies by country. The EU's GDPR actually makes collecting unnecessary personal data illegal. The US doesn't have comprehensive privacy laws at the federal level, though some states like California have their own regulations. Australia has stricter AML laws that might justify verification for commercial domains, but not necessarily personal ones.
Porkbun's argument seems to be that they're getting ahead of future regulations. They'd rather implement one strict policy globally than try to navigate different requirements country by country. From a business perspective, that makes sense. From a privacy perspective, it feels like overreach.
What This Means for Domain Privacy Services
Here's where things get really interesting for the privacy-conscious. Many of us use WHOIS privacy services (now often called RDAP privacy) to keep our personal information out of public databases. Porkbun offers this service themselves. But now there's a contradiction.
Think about it: you're paying to keep your information private from the public, but you have to give even more sensitive information to the registrar itself. It creates what privacy experts call a "single point of failure." Instead of your email and maybe a PO box being in one database, now your government ID sits there too.
And there's another concern: what happens with this data if you do use privacy services? Porkbun becomes the legal registrant on your behalf. They need to verify their own customer (you) to satisfy their obligations as the registrant. But now they have your ID on file indefinitely.
Some registrars handle this better than others. A few use third-party verification services that don't store the actual ID—they just get a "verified" or "not verified" response. Others, like Porkbun apparently, are storing the documents themselves. That distinction matters for your risk assessment.
The bottom line? Domain privacy services still have value—they keep your information out of public databases that are scraped by marketers and spammers daily. But they can't protect you from the registrar's own data collection policies. That's a new reality we all need to grapple with.
Practical Alternatives: Where to Go From Here
So you're uncomfortable with Porkbun's new policy. What are your actual options? Let's break them down realistically.
First, you could comply. If you only have a few domains and you trust Porkbun's security practices, maybe uploading your ID isn't the end of the world. Many financial services already have this information anyway. But if you're in the self-hosted community, chances are you value privacy enough that this feels like a betrayal.
Second, you could transfer your domains elsewhere. This is trickier than it sounds because Porkbun may require verification to initiate transfers. Some users have reported being able to transfer by verifying with a credit card instead of ID, but your mileage may vary. If you go this route, here are some registrars still taking a more privacy-friendly approach as of 2026:
- Njalla: Based in Nevis, they register domains in their name and don't require your personal information. You're essentially renting the domain from them.
- OrangeWebsite: Icelandic registrar that benefits from strong privacy laws and doesn't require ID for most registrations.
- Gandi: While they've had some policy changes, they still don't require government ID for standard registrations as of this writing.
Third, consider using a business entity. If you register domains under an LLC or corporation, you can often use business verification instead of personal ID. This adds a layer of separation between your personal identity and your domains. It's more paperwork and potentially more expense, but for serious self-hosters with multiple domains, it might be worth it.
Finally, there's the nuclear option: decentralized naming systems. Services like ENS (Ethereum Name Service) or Handshake offer alternative naming systems that don't rely on traditional registrars at all. They're not yet replacements for .com or .net domains for most uses, but for personal projects or experimental services, they're worth exploring.
How to Protect Yourself If You Stay with Porkbun
Maybe you have too many domains with Porkbun to transfer easily. Or maybe you actually like their interface and pricing aside from this one policy. If you're going to stay and comply, here's how to minimize your risk:
First, consider what ID you use. A passport is often better than a driver's license because it doesn't have your address. Some countries offer identity cards that show less information. Check what Porkbun accepts and choose the document that reveals the least.
Second, use masking if possible. Some privacy-conscious users add a transparent overlay with text like "For Porkbun verification only" and the date. This won't stop a determined attacker if Porkbun's systems are breached, but it might prevent casual misuse if the document leaks.
Third, enable every security feature Porkbun offers. Two-factor authentication is an absolute must. Use an authenticator app, not SMS. Review your account activity regularly. Treat your Porkbun account with the same seriousness as your bank account, because it now contains similarly sensitive information.
Fourth, consider separating your domains. Use one registrar for personal projects where privacy matters most, and another for commercial or less-sensitive domains. Don't put all your digital eggs in one basket.
And here's a pro tip that few people consider: if you're technically inclined, you could use a service like Apify to monitor Porkbun's policy pages for changes. Set up a scraper to alert you if their verification requirements get even stricter, or if they announce a data breach. Being the first to know gives you options.
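The comparison step of such a monitor can be sketched as follows. This is an added example, not code from Porkbun or Apify: it compares two saved copies of a page by visible text only, so styling or markup churn does not trigger an alert, and flags newly added lines that contain watch terms. The watch list and both sample pages are constructed assumptions; fetching and storing snapshots is left to whatever scheduler or scraper you use.

```python
import difflib
import hashlib
import re
from html.parser import HTMLParser

# Hypothetical watch list: terms whose appearance in new text warrants an alert.
WATCH_TERMS = ("government-issued", "biometric", "breach", "retain", "third party")

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping script/style so markup churn is ignored."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(re.sub(r"\s+", " ", data.strip()))

def visible_lines(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return parser.chunks

def fingerprint(lines):
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()

def compare_snapshots(old_html, new_html):
    """Return (changed, added_lines, watch_hits) for two copies of a page."""
    old, new = visible_lines(old_html), visible_lines(new_html)
    if fingerprint(old) == fingerprint(new):
        return False, [], []
    # Drop the two '---'/'+++' header lines, then keep only added text lines.
    diff = list(difflib.unified_diff(old, new, lineterm="", n=0))[2:]
    added = [d[1:] for d in diff if d.startswith("+")]
    hits = sorted({t for t in WATCH_TERMS for a in added if t in a.lower()})
    return True, added, hits

# Constructed sample pages (not real Porkbun content).
OLD = "<html><style>p{color:red}</style><p>We verify contact email.</p><p>Data is encrypted.</p></html>"
NEW = "<html><style>p{color:blue}</style><p>We verify contact email.</p><p>We retain a copy of your government-issued ID.</p><p>Data is encrypted.</p></html>"
COSMETIC = OLD.replace("color:red", "color:green").replace("<p>We", "<p>\n  We")

if __name__ == "__main__":
    for page in (NEW, COSMETIC): print(compare_snapshots(OLD, page))
```

Alert on any change to the policy text, and treat a non-empty watch-hit list as the higher-priority signal.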
Common Questions and Misconceptions
Let's clear up some confusion I've seen in the discussions:
"Is this just Porkbun, or are all registrars doing this?" As of 2026, Porkbun is definitely on the stricter end. GoDaddy requires verification for some transactions but not all registrations. Namecheap has similar requirements to Porkbun for certain domains. Google Domains (before its shutdown) was relatively lenient. It's a spectrum, not a universal standard.
"Can they legally require this?" Yes, as a private company, they can set their own terms of service. You agree to those terms when you use their service. The question isn't legality—it's whether it's necessary or reasonable.
"What if I use a VPN or fake information?" Don't. If Porkbun discovers false information (and they have ways to check), they can suspend your domains without refund. You'd lose everything. If privacy matters this much to you, use a legitimate privacy-focused registrar instead of trying to game the system.
"Will this stop domain abuse?" Probably not completely. Determined bad actors can steal IDs or use sophisticated fraud. What it will do is stop casual abuse and make investigations easier when abuse does happen. Whether that trade-off is worth the privacy cost depends on your perspective.
"What about existing domains?" This is where it gets messy. Some users report being able to manage existing domains without verification, while others get prompted for ID when trying to make changes. Porkbun's implementation seems inconsistent, which is frustrating for everyone.
The Bigger Picture: Where Domain Registration Is Heading
Porkbun's move isn't happening in a vacuum. It's part of a broader trend toward more verification across the internet. We've seen it with social media (real name policies), with financial services (KYC everywhere), and now with domain registration.
Some of this is driven by legitimate concerns: fraud, spam, phishing, and other abuses that make the internet worse for everyone. But some of it feels like mission creep—collecting data because we can, not because we need to.
For the self-hosted community, this represents a fundamental tension. We value the open, decentralized internet where anyone can publish anything. But we also recognize that bad actors abuse that openness. Where do we draw the line?
Personally, I think there's a middle ground. Risk-based verification makes sense: more scrutiny for bulk registrations, commercial domains, or historically problematic TLDs. Less for personal blogs and experimental projects. But implementing that fairly is hard, and companies often take the path of least resistance: verify everyone.
What's clear is that the days of anonymous domain registration are fading. Whether that's a necessary evolution for a safer internet or the erosion of digital privacy depends on who you ask. But it's happening, and we all need to decide how to respond.
Making Your Decision in 2026
So where does this leave you? Facing a classic privacy-versus-convenience trade-off, with your domains in the balance.
If maximum privacy is your priority, start planning your exit from Porkbun. Research alternatives, check their current policies (because these things change), and begin transferring domains before you're forced to verify. Consider decentralized alternatives for projects where traditional domains aren't essential.
If you value Porkbun's features and pricing enough to accept their verification, take steps to protect yourself. Use the least-revealing ID possible, enable all security features, and monitor your account like a hawk. Maybe even consult with a privacy professional if you have significant digital assets at stake.
And whatever you decide, make your voice heard. Companies do respond to customer feedback, especially when it affects their bottom line. The Reddit discussion that inspired this article has hundreds of comments from angry users. That kind of collective pushback matters.
The internet we get in the coming years depends on decisions like these—both the decisions companies make about our data, and the decisions we make about where to take our business. Porkbun has made their choice. Now it's time to make yours.