Home / Blogs

FTC Comment Period Emphasizes the Need for a Better WHOIS System

Late last year, the U.S. Federal Trade Commission—the governmental arm responsible for protecting Americans from unfair trade practices—opened a comment period on a proposed “Trade Regulation Rule on Impersonation of Governments and Businesses.” It’s no surprise that those who are victims of or are battling online impersonation saw this as an opportunity to highlight the importance of a working domain name registration data system (“WHOIS”)—one that at least would help more quickly track down the bad actors behind impersonation scams. This should be a wake-up call to the new leadership at ICANN to expect more regulatory proposals if access to WHOIS is not restored for legitimate purposes.

The comment forum showcased wide support—across multiple industry sectors—for a workable solution to this growing issue, including the availability of WHOIS data, domain name system (DNS) abuse mitigation requirements, and trusted notifier relationships. A sample of submitted comments reveals continued frustration over the over-aggressive interpretation of the European Union’s General Data Protection Regulation (GDPR) as it applies to WHOIS:


Anti-Phishing Working Group (AWPG)

  • The scope of the rule should include the use of domain names in impersonation schemes; Domain names are used for an ever-increasing number of impersonation-related criminal schemes, including phishing, online ad fraud, “knock-off” commercial product sales, and more.
  • WHOIS information is vital to the investigation of impersonation scams. The final rule should recognize the now acute issue of domain name registration data (“WHOIS”). While WHOIS data is critical to investigatory capability as it relates to online impersonation and crime, it unfortunately has been significantly truncated since the misinterpretation and over-implementation of the European Union’s General Data Protection Regulation (GDPR) by domain name registries and registrars. This underlines why a final rule is critically needed. (Emphasis added)

Coalition for a Secure and Transparent Internet (CSTI)

Clearly the connection between fraud and domain name registration information has enormous ramifications for not only identifying that an impersonation is taking place, but also ensuring that remedies can be pursued for the injured party.

The Department of Homeland Security’s Homeland Security Investigations (HSI) responded similarly to an identical inquiry from Rep. Latta (R-OH), noting:

“HSI views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud. Since the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow. If HSI had increased and timely access to registrant data, the agency would have a quicker response to criminal activity incidents and have better success in the investigative process before criminals move their activity to a different domain.” (Emphasis added)

USTelecom

One significant challenge to members’ efforts to combat website impersonation is the lack of access to complete Whois information. Available Whois information today either provides no information at all or points to registries and proxy services instead of the real persons or entities that register fraudulent and infringing domains. These registries and proxy services often are non-responsive to legitimate requests to access the underlying data, in turn allowing the fraud to continue to the detriment of consumers. Given the emergence of this challenge to companies’ efforts to protect consumers by themselves, it is all the more critical for government agencies to intervene. USTelecom therefore supports the FTC’s use of any new impersonation rule to protect consumers from fraud that relies on misappropriation of legitimate businesses’ brands, including but not limited to domain name abuse. (Emphasis added)

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

This change presents huge challenges to online enforcement efforts. Meanwhile, bad actors continue to proliferate under the new privacy rules, harming the very consumers the privacy laws were intended to protect. Intellectual property assets are leveraged to sell online counterfeit goods, for phishing, and for other fraudulent schemes that dupe internet users. Without the information provided by Domain WHOIS to facilitate online enforcement efforts, brand owners are forced to find other ways to address online abuse—often adding substantial delay and costs. (Emphasis added)

The Toy Association

The Toy Association applauds the Commission for highlighting domain names and typosquatting as examples of impersonation. These are pervasive and are central to phishing schemes where the parties responsible typically use an online location (typically a fake website or email address set up to mirror a trusted website and email address) to convince consumers to provide credit card information, login credentials, or other personal information.

International Trademark Association

The net effect of making WHOIS registration information harder to find has been to enable the parties responsible for impersonation schemes to “perpetuate fraud, infringement and other illegal acts with impunity.” (Emphasis added)

The most commonly cited reason to withhold this information—privacy law—does not apply to commercial actors and privacy law is not intended to facilitate fraud. To prevent these phishing and other Internet-based impersonation scams, it is critical to ensure that such domain name information is available to the public to allow verification of the actor behind suspicious communications (before clicking on a suspect link or responding to a suspect email) and to the impersonated companies who have the means and incentive to take appropriate action when necessary. (Emphasis added)


After almost five years of virtually no WHOIS data, the input to governmental authorities about the importance of WHOIS has been accruing rapidly. Yet, hurdle after hurdle has been thrown in front of legitimate WHOIS access.

This is a new moment for ICANN Org, and one it should seize to move down a different path and actually help those being victimized by online impersonation and other scams. Org is under new leadership at the executive and board levels. The European Union’s NIS2 directive has set the stage for clarification of WHOIS data regulation. Now is the time for Org to use its unique position to actually deter further governmental incursion into the multistakeholder model and cooperate with the broader ICANN community to form a new, appropriately liberalized model for WHOIS data usage. It is important for ICANN to once again take up and act for the public interest—the very reason for its existence.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under

Comments

Good progress by regulators, poor execution by ICANN Frederick Felman  –  Feb 13, 2023 2:28 PM

Thanks for the comprehensive analysis, Mason. ICANN has waited nearly five years to protect internet users from fraudsters masquerading as businesses and governments by letting whois go dark. Now, as a result internet users, registrants and registrars will be subject to a patchwork of disparate regulations related to the transparency of registrant contact data for legitimate purposes. Proactive policy development could have led to policy that would have made it easier and safer for all concerned.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign