« October 2014 | Main | December 2014 »

November 2014

Monday, 03 November 2014

Debunking myths about domain registration data (Whois) accuracy obligations

L1The adoption and implementation of the 2013 Registrar Accreditation Agreement (RAA13) continues, and so continues debate regarding new obligations. Certain of the obligations related to improving Whois accuracy have been criticized and the criticisms noted.

Several of these discussions mischaracterize the purpose of Whois accuracy obligations.  Let’s explore these.

RAA13 accuracy obligations were conceived by law enforcement

While law enforcement indeed advocated for accuracy obligations, many were identified and recommended by ICANN's SSAC, GNSO, ALAC, ICANN's security team or security subject matter experts:

  • SAC 007 advises registrants about the importance of maintaining accurate registration contact information. SAC 040 characterized threats against registrants, suggests that registrants maintain accurate contact information as part of domain portfolio risk management and even recommends monitoring Whois for unauthorized changes.
  • A joint GNSO ALAC report recommended, “verification process registrars are required to undertake after receiving report of false Whois data”, concurs with SSAC’s registrar abuse contact recommendation, and lends clarity to privacy/proxy registration service obligations.
  • The WHOIS Review Team emphasized the importance of registration data accuracy, saying, "The low level of accurate WHOIS data is unacceptable, and decreases consumer trust in the WHOIS, in the industry which ICANN provides rules for and coordinates, and therefore in ICANN itself. The organization’s priority in relation to WHOIS should be to improve WHOIS data accuracy and sustain improvement over time."
  • Finally, clause 9.3.1 of ICANN’s Affirmation of Commitments (AOC) obliges ICANN to enforce policy to maintain accurate and complete Whois “including registrant, technical, billing, and administrative contact information”.

RAA13 accuracy obligations only benefit law enforcement

Private sector actors perform much of the Internet's operational security and counter ecrime activity. The security and operations communities thus benefit more so than law enforcement when registration contact information is accurate. Criminal actors do indeed register domains, often with false contact information, and preventing such registrations is helpful. However, it is also common for criminal actors to use compromised web sites to host phishing pages. Inaccurate registration contact information in such incidents hampers takedowns of these pages: private sector actors have no direct means to contact the registrant or the hosting operator and must find alternative means. Delays incurred while phishing interveners attempting to contact registrants aid the criminals because the phishing site uptime is longer. 

Other private sector actors benefit from accurate registration contact information, too:

Whois

  • Intellectual Property and Copyrights community members use these data to protect brand and to protect the public from fraud or harm from the online sale of counterfeit goods or illegal pharmaceuticals.
  • Web administrators use registration contact data for problem resolution. Many web sites rely on content published outside their domain; for example, it’s quite common for news or information portals to pull content from affiliate sites, or content delivery networks, and resources such as web forms or scripts may be hosted outside the local domain (e.g., at sites like jotform). Registration contact data play roles in resolving events where these content feeds are interrupted.
  • Network operators may use registration contact information to request “upstream” assistance if they fall victim to a DDoS attack.
  • Mail system admins may use registration contact information to resolve mail delivery interruptions.

Problem resolution examples such as these remind us of the original, intended purposes of Whois and illustrate why accuracy is important in use cases beyond combatting crime.

RAA 13 Whois validation obligations have a disrupting effect on legitimate registrants

Yes, registrants may be affected as registrars implement validation measures never seen before. The RAA13 requires that registrants "provide accurate information for publication in directories such as WHOIS, and promptly update this to reflect any changes", but this is not a new responsibility for registrants. However, the risk from non-compliance for registrants has changed. Subsection 3.7.7.1 through 3.7.7.12 in RAA13 add that failure to do provide accurate contact information is “a material breach of the Registered Name Holder-registrar contract and a basis for suspension and/or cancellation of the Registered Name registration”. Disrupting effects on legitimate registrants as a result of the Whois accuracy obligations, while unfortunate, are no different from the submission of false or inaccurate data to any registration system. Failure to provide accurate information for a driver's license or automobile registration, passport, credit card account, mortgage or loan has a similar penalty: suspension or loss of the registration or card, and the related privileges. In all these cases, the contract party reacts in response to a breach of contract: RAA13 obliges registrars to respond in a similar manner.

Improvements to Whois accuracy are not achievable nor necessary

Inherent in the creation of any database is the need to record or publish *useful* data. Modern registration databases – from passports to driver or automobile registrations to customer billing databases and postal addresses– are most useful when they contain quality data.

No one would argue that other databases that ICANN administers or delegates – from assigned number registries to delegated top level domain registries to root zone data – have even the smallest tolerance for inaccuracy. Are domain name registration databases any less important?

Law enforcement should provide proof that Whois accuracy obligations are having an impact

The debate over the need for Whois accuracy obligations in the RAA13, and most importantly, the suggestions that any single ICANN stakeholder or community of interest should be responsible for demonstrating the effects of accuracy checks, overlooks the many examples I’ve described in this post where registration contact information accuracy is important.

The widely publicized loss statistics on phishing, fraud, or counterfeit goods illustrate that Internet users, financial institutions, online merchants and governments have shouldered the costs of malicious registrations having fraudulent Whois. Having registrars act to prevent these registrations shifts the burden. A next step is to assure that the shift is measured and equitable. 

R1Understanding the cost-benefit associated with improving accuracy may merit efficacy data studies, but if so, the studies should consider benefits across all communities of Whois data consumers. Such a study would not single out or unfairly burden any stakeholder or community member, and studies of this kind would shed light on the effects of validation in more use cases than cybercrime.

 

Posted at 02:59 AM in Domain names and DNS | | Comments (0)

« Previous
Find me on Mastodon and Facebook

Spotlight Posts

  • New study: Cybercrime Supply Chain 2023
    Today, my Interisle colleagues and I released a study, Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them. Criminals who perpetrate malware, spam, phishing and other serious cybercrimes enjoy an enormous economic advantage over defenders and responders. They can acquire resources from an online cybercrime supply chain where everything from phishing kits and malicious software, email lists and mobile numbers, domain names and Internet addresses, and places to host attacks are all readily and cheaply available. Our report examines these supply chains. We examined over 10M reports collected at the Cybercrime Information Center...
  • Interisle study reveals that phishing attacks have tripled since May 2020, situation worsening each year
    My colleagues at Interisle Consulting Group and I today announced the publication of an industry report, Phishing Landscape 2023, A Study of the Scope and Distribution of Phishing. We analyzed more than 11 million phishing reports collected from 1 May 2020 to 30 April 2023 to provide annual and triennial measurements of phishing. Our study identifies distinct, persistent exploitation and abuse of Internet resources, reveals that criminals can trivially acquire everything they need to phish. Among the major findings in the study, Interisle reports that: The number of phishing attacks has tripled since May 2020, and has increased 65% over...
  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.

Search

My Photo

Categories