Security Experts:

ICANN's Rolling Controversy: Verification of WHOIS Registration Data

For years, the Internet Corporation for Assigned Names and Numbers (ICANN) has had a thorny issue to contend with – the accuracy and use of WHOIS data to identify domain registrants.

Intended to be a source of information about domain owners, WHOIS has become a lightning rod for controversy over the years, much of which is aimed at registrars and ICANN for failing to properly crack down on domain owners with inaccurate WHOIS data. Wary of bad actors supplying false data to avoid detection, ICANN however is hoping to improve the process of resolving issues tied to registration data.

ICANN LogoJust recently, the ICANN Board of Directors ordered CEO Fadi Chehadé to launch a new effort to re-examine the purpose of collecting, maintaining and providing access to generic Top-Level Domain (gTLD) registration data. The board also directed Chehadé to fully enforce contractual conditions related to the current collection, access and accuracy of gTLD registration data and to increase outreach to promote compliance with existing WHOIS policies.

According to Rod Rasmussen, chief technology officer of Internet Identity and a member of ICANN's Security and Stability Advisory Committee, the move follows a busy year and a half of efforts to improve compliance with the implementation and enforcement of WHOIS data policy.

"We've got some registrars…there's the good ones, and the not so good ones," Rasmussen said. "But there is a real emphasis within ICANN right now to figure out who those problem registrars are and get them to clean up their act, or clean them out. And that's not just with ICANN corporate; that's with the registrar constituency itself because they are pretty tired of having law enforcement and others beat on them when the majority of members are doing just fine."

A recent report by Knujon encapsulates some of the issues at play. Under the rules of the Registrar Accreditation Agreements [RAA] registrars have with ICANN, registrars are required to take "reasonable steps" to investigate reports of inaccurate WHOIS data and get domain owners to correct any misinformation. Yet in an examination of nine complaints submitted to ICANN's WHOIS Data Problem Reporting System (WDPRS) in the past year, the report revealed what Knujon President and report author Garth Bruen referred to as general problems with ICANN's complaint tracking and policy enforcement, including a failure to adhere to/enforce mandated response timelines and a lack of documentation of the responses.

"Some [registrars] do the right thing and have effective policies so you never hear about them," said Bruen, who is a frequent critic of ICANN regarding WHOIS issues. "For the rest, there is no incentive. If they delete domains they lose money and customers. If they don't delete, nothing happens."

Weak language in the contracts between ICANN and registrars hinders enforcement regarding WHOis policies, he contended, and any suspension or deletion of a domain is at the discretion of the registrar.

"What you end up with are hundreds of ad-hoc and inconsistent policies at each registrar," he argued. "For us, people concerned about abuse and cybercrime, there is no certainty or guarantee that the Internet will be policed. For the domain consumer there is no clear policy of what violates their terms, so the consumer can have a domain deleted and there is no recourse for them."

Fred Felman, chief marketing officer of MarkMonitor, said ICANN's compliance organization historically has not been very well funded and has been criticized for being unable to take care of the needs of the community when it comes to enforcing contractual compliance. However, he said progress has been made since 2011, with ICANN bolstering the team and bringing in new leadership.

In addition, ICANN put together a WHOIS Policy Review Team that issued a 92-page report earlier this year that detailed the results of an 18-month review of the effectiveness of ICANN's WHOIS policy and whether the needs of law enforcement and consumers are met. Citing an ICANN-commission study on WHOIS data accuracy undertaken by the National Opinion Research Council at the University of Chicago (NORC), the policy review team's report noted that only 23 percent of WHOIS records were found to have met the study's criteria for "No Failure", while more than 20 percent were classified as "Full Failure" or "Substantial Failure."

Some of the reasons cited for inaccurate data include a lack of understanding of the importance of maintaining accurate WHOis data and lax of enforcement of penalties for having outdated or false information. Michele Neylon, CEO of registrar Blacknight Internet Solutions, said that registrars also receive false complaints that have to be sifted through.

Domain Name Verification Data"One of the problems that some registrars have complained about is that the reports they're receiving are invalid," he said. "This may have been addressed recently, but if a registrar has 200 complaints to deal with and 80 percent of them are bogus then the "real" complaints might not get the amount of the attention they deserve."

"There's also been quite a lot of work on WHOIS in general and one of the stickier points that is being discussed is around registrant validation/verification," he continued. "It's a lot more complex than some people might like you to believe. The key problem at the moment is that there is an emphasis on "accuracy" as opposed to "quality." They're two very different things." 

"Improving the overall quality of WHOIS is much easier to do for all parties concerned, but some people seem to have a fixation on accuracy which I think is not the correct way to address the perceived issues," he said. "If you focus solely on accuracy you can easily end up with a lot of bad data points in relation to the issues." 

According to Felman, the contentiousness of the issue comes down to competing interests. On the one hand are privacy and free speech advocates concerned that WHOis data can be used for repression, and on the other hand is the law enforcement and business communities, who are concerned with tracking down counterfeiters and others. This has become a source of controversy as the new RAA is being negotiated, he said.

"They’re asking for validation by accredited registrars of registrants – and that's whether or not they are using a proxy service to hide their identity," he said. "They need to know who these folks are…that's what elements of the community and elements of law enforcement are asking for. Registrars in some cases aren't very excited about providing this service, and are concerned about a registrant in Egypt who is maybe running a website that has gay content – which is not very well appreciated in Egypt – being discovered by the government."

"So there's concern on one side about this protection of free speech and free use of the Internet and there's this concern on the other side that this is a vector for incredible abuse and criminals and criminality are advanced as a result of this anonymity. And that's the balance that is trying to be struck right now.

When it's all said and done, he said, compromise will probably leave all the different sides on these issues with some things they want, and some things they don't.

"My guess is that at the end of this, like most subjects where there are very widely divergent opinions about something, no one will be [totally] happy in the end," he said.