Invalid WHOIS Data: Where We Are & What Can Be Done About It

Title - Invalid WHOIS Data: Where We Are & What Can Be Done About It

Suppose you wanted to know who operates a given domain name. (You might suspect that the domain offered illegal content, or you might just want to send a comment to its authors.) Conveniently, the Internet provides a so-called "WHOIS" system that ordinarily provides contact information for each registered domain. But in the case of many hundreds of thousands of domains, WHOIS data just isn't accurate.

A Taxonomy of the Problem

WHOIS errors tend to fall into three distinct categories. First, a number of errors are unintentional or accidental, reflecting of a good-faith mistake or a technical glitch. Some errors may develop due to the complexity of the series of suppliers that must coordinate to register a domain name -- registry, registrar, and in some instances a reseller. Other WHOIS inaccuracies reflect that addresses naturally develop errors over time -- as registrants move to new mailing addresses and change their phone numbers and email addresses. In addition, for registrants who don't typically do business in English, the registration process itself may have brought about certain mistakes; though some registrars offer interfaces in other languages, many aspects of the registration process continue to anticipate serving English speakers.

Other WHOIS errors result from registrants intentionally, but in good faith, entering invalid data. Some registrants may have submitted erroneous data in an attempt to keep their names, addresses, and phone numbers confidential. Their privacy concerns are well-founded, but ICANN policies and registrar contracts nonetheless require that WHOIS data provide an accurate contact for each registrant. (To comply with the rules, privacy-wary users must instead designate a third party for listing in WHOIS; that entity must in turn convey official communications to and from the actual registrant. In the past these services have been hard to find, but Go Daddy recently announced the availability of a private registration system.)

A final group of registrants submit many erroneous WHOIS data in an attempt to keep their true identities secret. These large-scale registrants are often connected to behavior of disputed legality: Some conduct large-scale reregistration of domains previously allowed to lapse by their prior registrants. Others may be associated with more traditional cybersquatting or with domain warehousing. At least some apparently use invalid WHOIS data to attempt to conceal behavior considered fraudulent by the FTC.

What Can Be Done About the Problem

With the growth in commercial use of the Internet, registries and registrars have faced pressure to improve WHOIS data accuracy. The FTC reports that law enforcement agencies consistently rely on WHOIS, and the House Committee on the Judiciary has held multiple hearings on the subject. A series of advisories, committees, surveys, and task forces have further considered the problem, but until recently these many efforts have produced little progress.

One approach to increasing WHOIS accuracy is to flag specific domain names with inaccurate contact information. But it's not often easy to find the domains at issue, and even when these problems are posted to a mailing list or discussion board, often nothing happens in response. Indeed, when I previously reported some 2500+ domains registered with a variety of inaccurate contact data, no action was taken by registrars, registries, or ICANN. When ICANN itself investigates invalid WHOIS data, it is somewhat more effective: Earlier this fall, ICANN staff sent a letter to Verisign, noting seventeen domains registered through Verisign Registrar that continue to offer invalid WHOIS data despite prior warnings to Verisign; Verisign promptly reported that it addressed the problems. Even when successful, this approach is largely symbolic; these few names are only a tiny portion of the invalid registrations at issue. Nonetheless, the associated publicity -- of ICANN's letter and, I'd like to think, my earlier report -- reminded registrars of the need to act on WHOIS complaints received.

ICANN subsequently implemented the WHOIS Data Problem Report system, a form that lets Internet users report domains with false WHOIS data. The idea is a good one -- harnessing the distributed power of the Internet by receiving problem reports from anyone interested, and passing allegations directly to appropriate registrar contacts for investigation. But it may not set the necessary incentives to assure registrar compliance; the system lacks public reporting of usage or of complaint resolution rate. Indeed, I submitted a complaint four weeks later and have yet to see any change in the disputed WHOIS records, nor have I received any notification of pending investigation. But the system at least establishes a standardized process for submitting allegations of inaccuracy -- a significant improvement over the previously-undocumented requirements of a myriad of registrar contacts.

Common to the prior systems is a requirement of individual investigation of each complaint received, a time-consuming process no doubt prone to error. Against this background comes a new service from Alice's Registry. When implemented by a registrar, AR's Fraudit system quickly inspects all proposed registrations, confirming the presence of required data as well as cross-checking address, country, and phone number. Registrars can select the degree of verification required, and registrations failing the selected verifications can be automatically denied or subjected to review by registrar staff. These are major improvements, though the system remains imperfect: Registrars must license Fraudit and must pay a fee per registration, so the system may not be able to audit the millions of domains already registered. It is also difficult to fully verify registrations from certain countries; American registrants can be checked against an extensive database of addresses, but such information is not available for all countries worldwide, making inspection of such registrants less rigorous. Nonetheless, for its sensible use of automated systems, Fraudit's approach seems to me the most innovative technique to date.

The Fraudit service confirms that registrars -- the companies in closest contact with domain registrants -- hold the key to improvements in WHOIS accuracy. But will they willingly take on this additional task? Enforcing WHOIS restrictions means turning away some would-be customers as well as increasing the complexity and back-end costs of the registration service. The past three years of competitive registrar operations show little progress in accuracy, and in a competitive market where many registrars literally struggle to survive, it may be unreasonable to expect registrars to do this work voluntarily. Instead, if WHOIS accuracy is truly as important as the FTC and others have suggested, regulation -- whether by ICANN or by governments -- may be required to bring about improvements.

Benjamin Edelman is a Harvard Law School student and a researcher at its Berkman Center for Internet & Society. Ben previously oversaw webcasts and meeting technology for ICANN's Public Meetings; he has since written about domain name politics, particularly in the context of expired domain names subsequently used for pornography and registered with false WHOIS data. Ben's current research agenda includes evaluation of registrations in new TLDs (BIZ, INFO, etc.), a quantitative comparison of commercial and non-commercial uses of the Internet, and an examination of Internet filtering efforts by governments worldwide. Beyond domain names and ICANN, Ben's research interests include Internet filtering (in libraries, schools, and even entire countries), geolocation analysis, and file sharing.

--> disregard...

Whether accidental or intentional, WHOIS errors can interfere with the legitimate needs of consumer protection, law enforcement, and intellectual property content providers, and ?? (consumer protection) in investigating who's behind a given domain. Hence hearings by Congress, investigations by the FCC and certain attorneys general, and an ICANN task force.

With tens of millions of domain names, and without an obvious way to detect invalid WHOIS data, it just hasn't been easy to flag the domains at issue.

Several years experience Such tasks are unlikely to lead to additional profits, and while some registrars may nonetheless consider accuracy important, it may be unreasonable expect such care in a competitive marketplac, registrars are unlikely to take on this task voluntarily, and years of experience confirms that they have not done so to date. Though regulation is politically sensive and controversial, some sanction may yet be required to bring about compliance; registrars might act in response to revised rules from ICANN or in response to national or international law.