The Security Skeptic

My Interisle partners and colleague Greg Aaron have published a detailed study that measures the effectiveness and impact of ICANN's registration data access policies and procedures. This study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS).

These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic.

In our Press Release I make the comment that, “The COVID-19 pandemic has led to a recent explosion of cybercrime, with thousands of new domain names using terms like ‘covid’ or ‘corona’ being used to perpetrate spam, phishing, malware campaigns and to peddle fake products,” and

“Investigators need quick, unencumbered access to domain registration data to disrupt COVID-themed attacks before they cause losses and harm. The problems our study exposes have made that all but impossible.”

COVID-themed attacks are current events that call attention to problems that have persistently interfered with efforts to mitigate cyberattacks. 

Greg Aaron, author of the work, also quoted in the press release, adds, “Domain registration data is supposed to be available in guaranteed, reliable ways. Unfortunately, we documented widespread failures, both technical and legal,” said Greg Aaron, the author of the study. “These problems make it hard to distinguish bad Internet actors from good, severely impacting public security. And they make it harder to communicate and solve a range of other problems, eroding trust on the Internet.”

We examined the practices of 23 registrars, which collectively sponsor more than two-thirds of the registrations in the generic top-level domains (gTLDs) to determine whether they comply with ICANN's policies and related contractual obligations, and also to the European Union's General Data Protection Regulation (EU GDPR).

The study found widespread problems: most notably,

• Registrars fail to meet their contractual obligations. A significant portion of the registrar industry is still not running reliable and compliant WHOIS services.
• After one-and-a-half years, a significant percentage of registrars do not fully comply with ICANN's Temporary Specification.
• A number of registrars mis-handle their obligations under GDPR.
• Some registrars prevent people from reaching out to domain owners for any purpose. Some registrars do not make the required contactability information available as required. Others have deployed procedures that make it unnecessarily difficult for people to contact their registrants. In some cases, the contactability mechanisms provided by registrars literally fail to deliver.
• Some registrars even constrain access to non-sensitive domain registration data (the “public data set”). This set contains no personally identifiable information, so there is no need to protect it, and restricting access to it prevents its use for important and legal purposes, such as cybersecurity.
• RDAP services are not yet technically reliable enough for use. RDAP became mandatory for registrars and registry operators to provide in August 2019, but as of March 2020 the rollout is moving very slowly, and there are notable operational and noncompliance problems.

These and other findings show that access to critical registration data has been significantly curtailed over the past two years, and ICANN compliance problems. The report also recommends actions that can be taken to ensure a healthy Internet and naming system. The full report can be found at: http://interisle.net/sub/DomainRegistrationData.pdf .