SecurityWeek

Cybercrime

ICANN’s Rolling Controversy: Verification of WHOIS Registration Data

For years, the Internet Corporation for Assigned Names and Numbers (ICANN) has had a thorny issue to contend with – the accuracy and use of WHOIS data to identify domain registrants.


Intended to be a source of information about domain owners, WHOIS has become a lightning rod for controversy over the years, much of which is aimed at registrars and ICANN for failing to properly crack down on domain owners with inaccurate WHOIS data. Wary of bad actors supplying false data to avoid detection, ICANN is hoping to improve the process of resolving issues tied to registration data.

Just recently, the ICANN Board of Directors ordered CEO Fadi Chehadé to launch a new effort to re-examine the purpose of collecting, maintaining and providing access to generic Top-Level Domain (gTLD) registration data. The board also directed Chehadé to fully enforce contractual conditions related to the current collection, access and accuracy of gTLD registration data and to increase outreach to promote compliance with existing WHOIS policies.

According to Rod Rasmussen, chief technology officer of Internet Identity and a member of ICANN’s Security and Stability Advisory Committee, the move follows a busy year and a half of efforts to improve compliance with the implementation and enforcement of WHOIS data policy.

“We’ve got some registrars…there’s the good ones, and the not so good ones,” Rasmussen said. “But there is a real emphasis within ICANN right now to figure out who those problem registrars are and get them to clean up their act, or clean them out. And that’s not just with ICANN corporate; that’s with the registrar constituency itself because they are pretty tired of having law enforcement and others beat on them when the majority of members are doing just fine.”


A recent report by Knujon encapsulates some of the issues at play. Under the rules of the Registrar Accreditation Agreements [RAA] registrars have with ICANN, registrars are required to take “reasonable steps” to investigate reports of inaccurate WHOIS data and get domain owners to correct any misinformation. Yet in an examination of nine complaints submitted to ICANN’s WHOIS Data Problem Reporting System (WDPRS) in the past year, the report revealed what Knujon President and report author Garth Bruen referred to as general problems with ICANN’s complaint tracking and policy enforcement, including a failure to adhere to/enforce mandated response timelines and a lack of documentation of the responses.

“Some [registrars] do the right thing and have effective policies so you never hear about them,” said Bruen, who is a frequent critic of ICANN regarding WHOIS issues. “For the rest, there is no incentive. If they delete domains they lose money and customers. If they don’t delete, nothing happens.”

Weak language in the contracts between ICANN and registrars hinders enforcement of WHOIS policies, he contended, and any suspension or deletion of a domain is at the discretion of the registrar.

“What you end up with are hundreds of ad-hoc and inconsistent policies at each registrar,” he argued. “For us, people concerned about abuse and cybercrime, there is no certainty or guarantee that the Internet will be policed. For the domain consumer there is no clear policy of what violates their terms, so the consumer can have a domain deleted and there is no recourse for them.”

Fred Felman, chief marketing officer of MarkMonitor, said ICANN’s compliance organization historically has not been very well funded and has been criticized for being unable to take care of the needs of the community when it comes to enforcing contractual compliance. However, he said progress has been made since 2011, with ICANN bolstering the team and bringing in new leadership.

In addition, ICANN put together a WHOIS Policy Review Team that issued a 92-page report earlier this year that detailed the results of an 18-month review of the effectiveness of ICANN’s WHOIS policy and whether the needs of law enforcement and consumers are met. Citing an ICANN-commissioned study on WHOIS data accuracy undertaken by the National Opinion Research Council at the University of Chicago (NORC), the policy review team’s report noted that only 23 percent of WHOIS records were found to have met the study’s criteria for “No Failure”, while more than 20 percent were classified as “Full Failure” or “Substantial Failure.”

Some of the reasons cited for inaccurate data include a lack of understanding of the importance of maintaining accurate WHOIS data and lax enforcement of penalties for having outdated or false information. Michele Neylon, CEO of registrar Blacknight Internet Solutions, said that registrars also receive false complaints that have to be sifted through.

“One of the problems that some registrars have complained about is that the reports they’re receiving are invalid,” he said. “This may have been addressed recently, but if a registrar has 200 complaints to deal with and 80 percent of them are bogus then the ‘real’ complaints might not get the amount of the attention they deserve.”

“There’s also been quite a lot of work on WHOIS in general and one of the stickier points that is being discussed is around registrant validation/verification,” he continued. “It’s a lot more complex than some people might like you to believe. The key problem at the moment is that there is an emphasis on ‘accuracy’ as opposed to ‘quality.’ They’re two very different things.”

“Improving the overall quality of WHOIS is much easier to do for all parties concerned, but some people seem to have a fixation on accuracy which I think is not the correct way to address the perceived issues,” he said. “If you focus solely on accuracy you can easily end up with a lot of bad data points in relation to the issues.” 

According to Felman, the contentiousness of the issue comes down to competing interests. On the one hand are privacy and free speech advocates concerned that WHOIS data can be used for repression, and on the other hand are the law enforcement and business communities, who are concerned with tracking down counterfeiters and others. This has become a source of controversy as the new RAA is being negotiated, he said.

“They’re asking for validation by accredited registrars of registrants – and that’s whether or not they are using a proxy service to hide their identity,” he said. “They need to know who these folks are…that’s what elements of the community and elements of law enforcement are asking for. Registrars in some cases aren’t very excited about providing this service, and are concerned about a registrant in Egypt who is maybe running a website that has gay content – which is not very well appreciated in Egypt – being discovered by the government.”

“So there’s concern on one side about this protection of free speech and free use of the Internet and there’s this concern on the other side that this is a vector for incredible abuse and criminals and criminality are advanced as a result of this anonymity. And that’s the balance that is trying to be struck right now.”

When it’s all said and done, he said, compromise will probably leave all the different sides on these issues with some things they want, and some things they don’t.

“My guess is that at the end of this, like most subjects where there are very widely divergent opinions about something, no one will be [totally] happy in the end,” he said.

Written By

Marketing professional with a background in journalism and a focus on IT security.
