Monitoring DNS Traffic (presentation)
digital defense (presentation)

Debunking myths about domain registration data (Whois) accuracy obligations

L1The adoption and implementation of the 2013 Registrar Accreditation Agreement (RAA13) continues, and so continues debate regarding new obligations. Certain of the obligations related to improving Whois accuracy have been criticized and the criticisms noted.

Several of these discussions mischaracterize the purpose of Whois accuracy obligations.  Let’s explore these.

RAA13 accuracy obligations were conceived by law enforcement

While law enforcement indeed advocated for accuracy obligations, many were identified and recommended by ICANN's SSAC, GNSO, ALAC, ICANN's security team or security subject matter experts:

  • SAC 007 advises registrants about the importance of maintaining accurate registration contact information. SAC 040 characterized threats against registrants, suggests that registrants maintain accurate contact information as part of domain portfolio risk management and even recommends monitoring Whois for unauthorized changes.
  • A joint GNSO ALAC report recommended, “verification process registrars are required to undertake after receiving report of false Whois data”, concurs with SSAC’s registrar abuse contact recommendation, and lends clarity to privacy/proxy registration service obligations.
  • The WHOIS Review Team emphasized the importance of registration data accuracy, saying, "The low level of accurate WHOIS data is unacceptable, and decreases consumer trust in the WHOIS, in the industry which ICANN provides rules for and coordinates, and therefore in ICANN itself. The organization’s priority in relation to WHOIS should be to improve WHOIS data accuracy and sustain improvement over time."
  • Finally, clause 9.3.1 of ICANN’s Affirmation of Commitments (AOC) obliges ICANN to enforce policy to maintain accurate and complete Whois “including registrant, technical, billing, and administrative contact information”.

RAA13 accuracy obligations only benefit law enforcement

Private sector actors perform much of the Internet's operational security and counter ecrime activity. The security and operations communities thus benefit more so than law enforcement when registration contact information is accurate. Criminal actors do indeed register domains, often with false contact information, and preventing such registrations is helpful. However, it is also common for criminal actors to use compromised web sites to host phishing pages. Inaccurate registration contact information in such incidents hampers takedowns of these pages: private sector actors have no direct means to contact the registrant or the hosting operator and must find alternative means. Delays incurred while phishing interveners attempting to contact registrants aid the criminals because the phishing site uptime is longer. 

Other private sector actors benefit from accurate registration contact information, too:

Whois

  • Intellectual Property and Copyrights community members use these data to protect brand and to protect the public from fraud or harm from the online sale of counterfeit goods or illegal pharmaceuticals.
  • Web administrators use registration contact data for problem resolution. Many web sites rely on content published outside their domain; for example, it’s quite common for news or information portals to pull content from affiliate sites, or content delivery networks, and resources such as web forms or scripts may be hosted outside the local domain (e.g., at sites like jotform). Registration contact data play roles in resolving events where these content feeds are interrupted.
  • Network operators may use registration contact information to request “upstream” assistance if they fall victim to a DDoS attack.
  • Mail system admins may use registration contact information to resolve mail delivery interruptions.

Problem resolution examples such as these remind us of the original, intended purposes of Whois and illustrate why accuracy is important in use cases beyond combatting crime.

RAA 13 Whois validation obligations have a disrupting effect on legitimate registrants

Yes, registrants may be affected as registrars implement validation measures never seen before. The RAA13 requires that registrants "provide accurate information for publication in directories such as WHOIS, and promptly update this to reflect any changes", but this is not a new responsibility for registrants. However, the risk from non-compliance for registrants has changed. Subsection 3.7.7.1 through 3.7.7.12 in RAA13 add that failure to do provide accurate contact information is “a material breach of the Registered Name Holder-registrar contract and a basis for suspension and/or cancellation of the Registered Name registration”. Disrupting effects on legitimate registrants as a result of the Whois accuracy obligations, while unfortunate, are no different from the submission of false or inaccurate data to any registration system. Failure to provide accurate information for a driver's license or automobile registration, passport, credit card account, mortgage or loan has a similar penalty: suspension or loss of the registration or card, and the related privileges. In all these cases, the contract party reacts in response to a breach of contract: RAA13 obliges registrars to respond in a similar manner.

Improvements to Whois accuracy are not achievable nor necessary

Inherent in the creation of any database is the need to record or publish *useful* data. Modern registration databases – from passports to driver or automobile registrations to customer billing databases and postal addresses– are most useful when they contain quality data.

No one would argue that other databases that ICANN administers or delegates – from assigned number registries to delegated top level domain registries to root zone data – have even the smallest tolerance for inaccuracy. Are domain name registration databases any less important?

Law enforcement should provide proof that Whois accuracy obligations are having an impact

The debate over the need for Whois accuracy obligations in the RAA13, and most importantly, the suggestions that any single ICANN stakeholder or community of interest should be responsible for demonstrating the effects of accuracy checks, overlooks the many examples I’ve described in this post where registration contact information accuracy is important.

The widely publicized loss statistics on phishing, fraud, or counterfeit goods illustrate that Internet users, financial institutions, online merchants and governments have shouldered the costs of malicious registrations having fraudulent Whois. Having registrars act to prevent these registrations shifts the burden. A next step is to assure that the shift is measured and equitable. 

R1Understanding the cost-benefit associated with improving accuracy may merit efficacy data studies, but if so, the studies should consider benefits across all communities of Whois data consumers. Such a study would not single out or unfairly burden any stakeholder or community member, and studies of this kind would shed light on the effects of validation in more use cases than cybercrime.

 

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)