NordVPN Promotion

Home / Blogs

Invalid WHOIS Data: Who Is Responsible?

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Suppose you wanted to know who operates a website at a given domain name. Perhaps you suspect that the domain name is pointing to a website that offers illegal content, or you may just want to send a comment to its authors. Conveniently, the Internet provides a so-called “WHOIS” system that ordinarily provides contact information for each registered domain. But in the case of many hundreds of thousands of domains, the WHOIS data just isn’t accurate.

A Taxonomy of the Problem

WHOIS errors tend to fall into three distinct categories. First, a number of errors are unintentional or accidental, reflecting a good-faith mistake or a technical glitch. Some errors may develop due to the complexity of the series of suppliers that must coordinate to register a domain name—registry, registrar, and in some instances a reseller. Other WHOIS inaccuracies reflect that addresses naturally develop errors over time—as registrants move to new mailing addresses and change their phone numbers and email addresses. In addition, for registrants who don’t typically do business in English, the registration process itself may have brought about certain mistakes; though some registrars offer interfaces in other languages, many aspects of the registration process continue to anticipate serving English speakers.

Other WHOIS errors result from registrants intentionally, but in good faith, entering invalid data. Some registrants may have submitted erroneous data in an attempt to keep their names, addresses, and phone numbers confidential. Their privacy concerns are well-founded, but ICANN policies and registrar contracts nonetheless require that WHOIS data provide an accurate contact for each registrant. (To comply with the rules, privacy-wary users must instead designate a third party for listing in WHOIS; that entity must in turn convey official communications to and from the actual registrant.) In the past these services have been hard to find, but registrars such as Go Daddy have recently developed private registration systems.

A final group of registrants submit extensive erroneous WHOIS data in an attempt to keep their true ide/url]ntities secret. These large-scale registrants are often connected to behavior of disputed legality: Some conduct large-scale reregistration of domains previously allowed to lapse by their prior registrants. Others may be associated with more traditional acts of cybersquatting or domain name warehousing. At least some apparently use invalid WHOIS data to attempt to conceal behavior considered fraudulent by the FTC.

What Can Be Done About the Problem

With the growth in commercial use of the Internet, registries and registrars have faced pressure to improve WHOIS data accuracy. The FTC reports that law enforcement agencies consistently rely on WHOIS data, and the House Committee on the Judiciary has held multiple hearings on the subject. A series of advisories, committees, surveys, and task forces have further considered the problem, but until recently these efforts produced little progress.

One approach to increasing WHOIS accuracy is to flag specific domain names with inaccurate contact information. But it’s not often easy to find the domains at issue, and even when these problems are posted to a mailing list or discussion board, often nothing happens in response. Indeed, when I previously reported some 2500+ domains registered with a variety of inaccurate contact data, no action was taken by registrars, registries, or ICANN. When ICANN itself investigates invalid WHOIS data, it is somewhat more effective: Earlier this fall, ICANN staff sent a letter to VeriSign, noting seventeen domains registered through the company’s registrar that continue to offer invalid WHOIS data despite prior warnings to VeriSign. VeriSign promptly reported that it addressed the problems. Even when successful, this approach is largely symbolic; these few names are only a tiny portion of the invalid registrations at issue. Nonetheless, the associated publicity—of ICANN’s letter and, I’d like to think, my earlier report—reminded registrars of the need to act on WHOIS complaints received.

ICANN subsequently implemented the WHOIS Data Problem Report system, a form that lets Internet users report domains with false WHOIS data. The idea is a good one—harnessing the distributed power of the Internet by receiving problem reports from anyone interested, and passing allegations directly to appropriate registrar contacts for investigation. But the system may not set the necessary incentives to assure registrar compliance; it lacks public reporting of usage or of complaint resolution rate. Indeed, I submitted a complaint and four weeks later have yet to see any change in the disputed WHOIS records, nor have I received notification of any pending investigation. But the system at least establishes a standardized process for submitting allegations of inaccuracy—a significant improvement over the previously-undocumented requirements of a myriad of registrar contacts.

Common to the prior systems is a requirement of individual investigation of each complaint received, a time-consuming process no doubt prone to error. Against this background comes a new service from Alice’s Registry. When implemented by a registrar, AR’s Fraudit system quickly inspects all proposed registrations, confirming the presence of required data as well as cross-checking address, country, and phone number. Registrars can select the degree of verification required, and registrations failing the selected verifications can be automatically denied or subjected to review by registrar staff. These are major improvements, greatly increasing registrars’ ability to detect and prevent fraud. Of course, registrars must pay for this service—and if millions of domains were to be checked, the process could become quite expensive. It is also difficult to fully verify registrations from certain countries; American registrants can be checked against an extensive database of addresses, but such information is not available for all countries worldwide, making inspection of such registrants less rigorous. Nonetheless, for its sensible use of automated systems, Fraudit’s approach seems to me the most innovative technique to date.

The Fraudit service confirms that registrars—the companies in closest contact with domain registrants—hold the key to improvements in WHOIS accuracy. But will they willingly take on this additional task? Enforcing WHOIS restrictions means turning away some would-be customers as well as increasing the complexity and back-end costs of the registration service. The past three years of competitive registrar operations show little progress in accuracy, and in a competitive market where many registrars literally struggle to survive, it may be unreasonable to expect registrars to do this work voluntarily. Instead, if WHOIS accuracy is truly as important as the FTC and others have suggested, regulation—whether by ICANN or by governments—may be required to bring about improvements.

By Benjamin Edelman, Assistant Professor, Harvard Business School

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

NordVPN Promotion