The Internet’s users rely on domain name registration information for vital purposes, including providing security, problem-solving, and legal and social accountability. The data is so important that users perform more than two billion WHOIS queries every day. ICANN has instituted new data policies over the last two years, and is also directing a migration to a new technical protocol, RDAP, that will replace WHOIS access in the near future. So at this critical juncture, how is it all going?

To find out, Interisle Consulting Group has performed a new study of the state of domain registration data access, “Domain Name Registration Data at the Crossroads.” The report examines compliance with ICANN’s current policies and operational standards. The investigation found widespread compliance and technical failures, leading to decreased basic access, and an erosion of reliability and predictability.

The report examines the practices of 23 registrars, which collectively sponsor more than two-thirds of the domain names in the generic top-level domains (gTLDs). The study answers five questions for each registrar:

1. Does the registrar have a WHOIS service that functions properly and meets contractual obligations?
2. Does the registrar have an RDAP service that functions properly and meets contractual obligations?
3. Does the registrar comply with ICANN’s current data handling and display policy, the “Temporary Specification for gTLD Registration Data”?
4. Can Internet users always find information in the WHOIS and RDAP services that allows them to reach out to a domain contact?
5. Does the registrar’s contactability mechanism actually work? Is it possible to use the contact mechanism, and are the messages delivered to the domain contacts?

The study’s findings include:

• Registrars failed to meet the contractual obligations, and contactability goals in 40% of the cases studied. There were issues in an additional 16% of cases
• A significant portion of the registrar industry is still not running reliable and compliant WHOIS services.
• After one-and-a-half years, a significant percentage of registrars do not fully comply with ICANN’s Temporary Specification.
• A number of registrars mis-handle their obligations under GDPR.
• Some registrars prevent people from reaching out to domain owners. Some registrars do not make the required contactability information available as required. Others have deployed procedures that make it difficult for people to contact their registrants. In some cases, the contactability mechanisms provided by registrars literally fail to deliver.
• Some registrars constrain access to the non-sensitive domain registration data (the “public data set”). This set contains no personally identifiable information, so there is no privacy reason to protect it. Restricting access to it prevents its use for important and legally allowable purposes, such as cybersecurity.
• RDAP services are not yet technically reliable enough for use. RDAP became mandatory for registrars and registry operators to provide in August 2019, but as of March 2020 the rollout is moving very slowly, and there are operational and compliance problems.
• The problems raise questions about ICANN’s compliance practices.

The study also provides examples of how these problems have real-life implications for security, stability, and trust on the Internet, including for detecting and mitigating cybercrime during the current COVID-19 pandemic. The report also provides a set of recommendations for positive change.

The report and data is available in an Executive Summary, the full report, and the registrar scoring table.