Solving the .US Registrant Data Directory Services (RDDS) Conundrum

Recently, ten Democratic Members of Congress wrote a letter to Alan Davidson, head of the NTIA, requesting that the “NTIA immediately cease the public disclosure of personal information about users of .US”, the United States country code top-level domain (ccTLD). This communication highlights a significant concern regarding domain registration data: the need to protect the privacy rights of registrants. However, an equally significant concern regarding registration data was raised by Rick Lane in an article he wrote in response to that communication: the need for access to this data to combat domain abuse. The conundrum confronting the secure, stable and inclusive operation of the .US ccTLD is that these concerns may come into conflict yet must both be addressed. Moreover, parties have failed to consider a third significant concern that is fundamental to addressing the other two: the need to ensure the accuracy of registration data. That omission has greatly impeded resolution of this problem to date.

This is not an isolated problem

The problem of addressing the accuracy of registrant data (historically referred to as Whois data), and access to it by legitimate third parties, is not unique to the .US namespace. ICANN has struggled with the same problem within the generic top-level domain (gTLD) namespace since its founding last century. ICANN’s failure to address the accuracy of registrant data has been the biggest impediment to finding a solution to the problem. In fact, ICANN’s Accuracy Scoping Team was unable even to reach consensus on the definition of the term “accuracy” after debating the issue for over a year.

Concerns over the need to protect the privacy of registrants expressed in the Democratic communication are valid. As someone who has previously been inundated with unwanted phone calls and email after registering a domain name, I personally would have liked a little enhanced privacy “by design”, and not through the payment of an additional privacy/proxy fee. However, as an attorney who has been combating domain abuse and illegal activity online for over two decades, I see firsthand how the access to accurate registrant data has been decreasing. Rick Lane’s concerns about how this data going dark has impeded legitimate third parties, such as law enforcement and intellectual property owners, from gaining timely access to this data are equally valid.

Why the accuracy of registrant data is so important

In an ideal world, only honest people would register domain names and only legitimate third parties would access registrant data, and there would be no problems. Unfortunately, we are far removed from that utopia. Instead, we have criminals, both foreign and domestic, that are registering .US domain names and causing harm. At the same time, we have honest individuals and businesses registering .US domains with true and accurate registrant information, which is then being illegally mined and used to inundate them with unwanted communications. Having accurate registrant data heightens the legitimate privacy concerns voiced in the Democratic letter to NTIA, while simultaneously supporting the legitimate cybersecurity interests documented in Rick Lane’s article.

NTIA should be following CISA’s leadership in balancing privacy and cybersecurity

Since taking over operation of the .GOV top-level domain from the General Services Administration (GSA), the Cybersecurity and Infrastructure Security Agency (CISA) has implemented several operational changes. These changes include enhanced know-your-customer (KYC) requirements, multi-factor authentication, enhanced privacy protection of registrant data, and several other security features, while reducing the annual cost of a domain name for qualifying U.S.-based government organizations from $400 per year to free.

Under GSA operation, queries for information associated with .GOV domains returned a range of information, including personal identifying information (PII), similar to the current .US practice. Under CISA’s revised operation, a query for information associated with the NTIA.GOV domain returns the following five elements: (1) Agency: Department of Commerce; (2) Organization: National Telecommunications and Information Administration; (3) Domain Name: NTIA.GOV; (4) Status: Active; and (5) Security Contact Email: [email protected].

CISA is providing enhanced privacy protection for .GOV registrants in exchange for registrants undergoing enhanced KYC and security requirements. This equitable quid pro quo is lacking in the current .US registry policies.

A constructive path forward

Simply requiring registrant verification is not enough. As noted in Rick Lane’s article, there are many compelling circumstances in which the public interest weighs in favor of disclosing the identity of an individual and/or business. Unfortunately, the Democratic communication did not address either the accuracy of registrant data or how legitimate third parties would gain timely access to it. But a constructive path forward should involve the following two actions.

First, NTIA should research and publish best practices used by other ccTLD operators to ensure that .US is best in class regarding data accuracy and data privacy. Following the publication of this research, NTIA should hold a formal public consultation seeking input from all stakeholders (individuals, businesses, as well as other government agencies) on how best to promote the security, stability, and inclusiveness of the .US namespace.

Second, the .US and .GOV TLDs should both be clearly recognized as critical national infrastructure. The importance of this critical national infrastructure is not a Democratic or Republican issue but a United States national security interest. The European Union has clearly recognized the importance of TLD registries as essential Digital Infrastructure under its revised Network and Information Security (NIS) Directive (NIS 2.0). The US Congress should consider holding hearings on this issue to foster a bipartisan position to advance a common cybersecurity position.

By Michael D. Palage, Intellectual Property Attorney and IT Consultant

Comments

Part of the problem Volker Greimann  –  Oct 7, 2022 2:09 AM

You make it sound like you were not even there when you decry the failure of ICANN to agree on the definition of accuracy, yet you were the chair of the ICANN accuracy scoping team, on more times than one contributing to or initiating disagreement rather than working towards agreement.

Not helpful Klaus Stoll  –  Oct 8, 2022 12:54 AM

Since when does making it personal constitute a constructive comment? The readers of CircleID and the article author deserve better. We need to contribute and implement solutions, no more, no less.

Solutions without a measurable problem? Volker Greimann  –  Oct 11, 2022 7:26 AM

You seem to assume that there is an actual problem to solve. In all the months we spent scoping the issue of accuracy, we have not seen a single piece of evidence that suggested that accuracy is in fact a widespread issue that needs to be addressed. To the contrary, the data trail prior to GDPR in ICANN's WHOIS ARS program showed a measurable trend of registration data becoming more accurate over time. We do not need solutions that address a non-existing or irrelevant problem. While there will always be instances where single elements of data or whole data sets are incorrect (mostly combined with cases where there are also other issues with the registration), there is no evidence this extends to such a significant percentage of overall registrations that further work would be warranted.
