NordVPN Promotion

Home / Blogs

ICANN Board Approves ‘Thick’ Whois Requirement for .COM and .NET

The ICANN Board has approved the community recommendation that “the provision of Thick Whois services should become a requirement for all gTLD registries, both existing and future.” We have long supported the migration from ‘thin’ to ‘thick’ Whois, which will improve both quality and ease of access to Whois data, thereby further facilitating intellectual property enforcement online.

The ICANN community has debated the merits of migration from ‘thin’ to ‘thick’ Whois for years, as part of the larger Whois Review process. A ‘thick’ Whois, which is currently required of all new gTLDs, and will now be required of all existing gTLDs as well, provides domain name information and registrant information in one place, with the authoritative database for all information stored at the Registry level. By contrast, the few remaining ‘thin’ Whois registry information models (including .COM, where the majority of domain registrations lie, and consequently the most abuse occurs), separate the data by registrar and registry, with the former holding registrant information and the latter holding domain name registration data.

The ICANN Board resolution adopted the recommendations made by the Thick Whois Policy Development Process Working Group in its Initial Report, released in June of last year. The findings, with which MarkMonitor and other leaders in the intellectual property protection community agree, are as follows:

Requiring a Thick Whois would, among other things:

  • Improve response consistency
  • Improve Whois stability
  • Improve access to Whois data
  • Provide a more level playing field for competitive purposes; and
  • Improve access to escrowed data in the event of failure

For brand owners, the benefits are simple. Easier, quicker access to stable and consistent Whois information means quicker responses to and resolution of disputes involving websites which contain the sale of counterfeit goods and pirated copyrighted materials, the distribution of phishing, malware and destructively operating botnets, and content which infringes on trademarks.

MarkMonitor will continue to participate in and monitor the implementation plan for migration from ‘thin’ to ‘thick’ Whois, which will affect over 120 million domain name registrations. However, we are pleased to note that the Thick Whois Policy Development Process Working Group fully examined the issue, and found no significant possibility of detrimental effects.

By Kiran Malancharuvil, Internet Policy Counselor at MarkMonitor

Filed Under

Comments

Kudos Doug Mehus  –  Feb 26, 2014 5:43 PM

I’ve been a huge fan of so-called “thick” WHOIS data provisioning for ALL gTLDs and I had always wondered why this model was not adopted when VeriSign moved the COM and NET registries to EPP protocol (from the previous protocol, whose name escapes me, so perhaps if you knew what that was, that would be appreciated) in the mid-2000s. Unfortunately, it seems the COM and NET registries were still required to only display “thin” information upon looking up a domain name, forcing us to use third-party “WHOIS aggregation services” or go directly to that particular registrar’s WHOIS database. This problem was compounded last year when GoDaddy.com, the largest domain name registrar, started displaying only registry-level information on its own WHOIS database, potentially in breach of its registrar accreditation agreement.

I’d like to see ALL of the gTLD registry operators add the best CAPTCHA technology to the registry-level databases, for enhanced security of personal information and to prevent “scraping” or “harvesting” by “spambots”.

A “thick” WHOIS model, as you said, has many benefits, the primary one being enhanced access to registrant data supposedly held in escrow. Registrars, as I understand it, are supposedly required to escrow all of their data with a third-party so that, in the event of their failure, ICANN can reach out to the appropriate customers and transfer them to an alternative registrars. The problem is:  can we trust what data the registrant is placing in escrow is reliable and done regularly? Are multiple revisions of that data kept? One question I have, for those customers using WHOIS privacy services, is the the underlying data of the registrants required to be held in escrow still?

Finally, when do you expect VeriSign to adopt the “thick” WHOIS model?

Cheers,
Doug M.

P.S. Also, why won’t CIRA adopt the “thick” WHOIS model?

Previous Protocol, CAPTCHA Response, etc Anthony Eden  –  Mar 4, 2014 4:19 PM

from the previous protocol, whose name escapes me, so perhaps if you knew what that was, that would be appreciated

The previous protocol was RRP: https://tools.ietf.org/html/rfc2832

I’d like to see ALL of the gTLD registry operators add the best CAPTCHA technology to the registry-level databases, for enhanced security of personal information and to prevent “scraping” or “harvesting” by “spambots”.

No, that’s a bad idea. CAPTCHA is not the solution. Any system that attempts to prevent abuse will be gamed when there is enough value at stake.

can we trust what data the registrant is placing in escrow is reliable and done regularly?

If registrars want to keep their accreditation, then it would seem they are obliged to escrow. Of course this assumes that someone is patrolling that data, and only ICANN knows that.

Are multiple revisions of that data kept?

That probably depends on the escrow service. You would think that each revision would be kept.

One question I have, for those customers using WHOIS privacy services, is the the underlying data of the registrants required to be held in escrow still?

Yes. Same for whois proxy, at least according to the latest RAA.

Sincerely,
Anthony Eden

P.S. Because CIRA doesn’t need to adopt it and maybe doesn’t want to centralize such a significant amount of valuable personal data?

Some thoughts Doug Mehus  –  Mar 4, 2014 6:43 PM

The previous protocol was RRP: https://tools.ietf.org/html/rfc2832

Ah, yes, RRP. I remember that now. Thanks, Anthony! :)

No, that’s a bad idea. CAPTCHA is not the solution. Any system that attempts to prevent abuse will be gamed when there is enough value at stake.

Well, the registrars’ WHOIS databases already use CAPTCHA technology (or, rather, largely they do), what’s wrong with adopting this at the registry level, at least until a better technological solution comes along? GoDaddy.com has already stopped displaying its own formatted registrar-level WHOIS in favour of data from the registry. The problem is, VeriSign’s COM and NET gTLD registries don’t yet display all of the data. In absence of a “better” solution, I’d still argue we need to adopt CAPTCHA technology at the registry level now. :)

If registrars want to keep their accreditation, then it would seem they are obliged to escrow. Of course this assumes that someone is patrolling that data, and only ICANN knows that.

That’s exactly what I’m questioning. Does ICANN not regularly review the accuracy of data stored in escrow and whether multiple revisions are being kept? In particular, especially in terms of underlying data held in escrow from the WHOIS privacy services, does ICANN review this data accuracy at all? It’s easy to say, “if registrars want to keep their accreditation, they’ll do x,” but as a former customer of the RegisterFly mess and eNom’s role in the whole debacle of not taking action sooner against their reseller, registrars have a particularly shoddy history at WHOIS data accuracy. ;)

Cheers,
Doug

That's exactly what I'm questioning. Does ICANN Anthony Eden  –  Mar 4, 2014 10:08 PM

That's exactly what I'm questioning. Does ICANN not regularly review the accuracy of data stored in escrow and whether multiple revisions are being kept? In particular, especially in terms of underlying data held in escrow from the WHOIS privacy services, does ICANN review this data accuracy at all?
It's a good question. One of these days I'll end up at an ICANN meeting and I'll ask someone. :-)

Sounds good! :)Cheers,Doug Doug Mehus  –  Mar 5, 2014 1:20 AM

Sounds good! :) Cheers, Doug

Why should CIRA not have to adopt the latest WHOIS accessibility standards? Doug Mehus  –  Mar 4, 2014 7:03 PM

Because CIRA doesn’t need to adopt it and maybe doesn’t want to centralize such a significant amount of valuable personal data?

I used to support ccTLD registry autonomy in decision making, but one thing I don’t like about CIRA’s governance in particular is their complete lack of transparency. Sure, they may offer online voting and yes I am a CIRA member, but where they gain points for that, they lose them in their complete lack of disclosure in terms of policy discussions at the board level and WHOIS accessibility. Intellectual property holders should have a right to find out when someone is using a second-level domain .CA domain name in contravention of their rights. The general public should have a right to look up who owns a .CA second-level name, a key Canadian strategic digital asset. Everyone should have a right to find out who .CA domain squatters are. Plain and simple. I’m not certain how anyone could argue against these views. Anything else is tantamount to less democratic regimes, like China, holding Internet data private. :(

That said, I am in generally in favour of WHOIS privacy services for those that wish to protect their WHOIS data, at a nominal cost, provided the underlying data is escrowed and that escrowed data is periodically reviewed by registry-appointed auditors, presumably, on a “random sample” basis.

It’s for the above-noted reasons CIRA gets, at best, a C in overall transparency and governance and one of the reasons I’d like to see IANA (which is currently managed by ICANN under contract, or another body) given additional broad powers to set master ccTLD registry policies and a “framework” that is a sort of minimally-accepted standards by which ALL ccTLD registries must operate or risk losing their registry operation contracts. The governments would retain their right to appoint a new registry operator, of course, but IANA (or that other body) would act as a “ccTLD arbiter” of sorts of when a ccTLD registry operator is acting in contravention of that framework and, after x number of warnings, ICANN could essentially suspend/terminate its ability to act as a ccTLD registry operator, forcing the country’s government to appoint a new operator. Registry operators would be, of course, free to set their own registry and registrar policies, as long as they achieve the minimum stated aims of the “global ccTLD registry framework”.

I realize it takes away some country autonomy, but the gains in standardization in terms of governance and transparency on a global level, more than outweight any losses in country autonomy over its namespace, don’t you think? As we’ve seen time and again, countries (including Canada) don’t make the best decisions vis a vis its strategic digital assets. ;)

Cheers,
Doug

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

NordVPN Promotion