Home / Blogs

ICANN's Contract Not Enforceable on WHOIS Accuracy

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Garth Bruen

This may or may not come as a shock to some of you, but ICANN's contract with the Domain Name Registrars, in terms of WHOIS inaccuracy is not enforceable. Bear with me. The ability of ICANN to enforce against a Registrar who fails to correct or delete a domain with false WHOIS does not exist.

There are two clauses to 3.7.8, the first can be completely ignored because it is conditional on non-existent "established policies":

Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information.

No policy, no way to actually enforce since the Registrar has no guidance or specifications. The use of "shall" here is a complete red-herring as it is conditional on the ephemeral.

The second clause is the one which is truly problematic:

Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

We have been operating under the false assumption that the Registrar has to correct the record and has to delete the domain if the record is not corrected. However, the only obligation here is for the Registrar to "take reasonable steps." There is no obligation to actually correct AND there is no obligation to delete if the record is not corrected. This is clarified in the 2003 advisory. This policy only gives the Registrar authority to delete the domain at their discretion. The Registrar cannot be compelled to delete the domain, and therefore cannot be held in breach for failing to do so.

The Registrar can say "we checked the WHOIS record, it's fine. Mickey Mouse lives at 1600 Pennsylvania Ave, we called him at 800-FLOWERS and he told us so."

So, walking backwards… because a Registrar cannot be held in breach for failing to correct or delete, a registrant cannot be obligated to correct inaccurate WHOIS data. Because there is no direct obligation on the registrant, any affirmation in the registrant agreement to provide truthful and accurate statements is pointless. WHOIS inaccuracy studies, enforcement efforts, can't go anywhere if the Registrar chooses to ignore them.

The implications are profound. A Registrar in a non-cooperative, lawless country can sponsor the most heinously illegal domains with fake WHOIS as long they "take reasonable steps" to investigate. This also renders the implied compact between ICANN, Registrar, registrant, and Internet consumer meaningless.

In a related release, KnujOn has published 12 case studies demonstrating this problem. The Twelve companies: Internet.BS (Bahamas), eNom (Washington/California, U.S.), URL Solutions (Panama), Moniker (Oregon/Florida, U.S.), OnlineNIC (California, U.S.), Joker (Germany), Core (Switzerland), UKRnames (Ukraine), NetLynx (India), PT Ardh (Indonesia), BizCN (China) and Net4India (India) were all officially notified between May and June 2011 that they were sponsoring illicit pharmacies with false WHOIS records. In the interest of fairness and full disclosure we gave the Registrars an opportunity to review this data. Only one responded before publishing to tell us they were out of the reach of police and lawyers and didn't care.

By Garth Bruen, Internet Fraud Analyst and Policy Developer. More blog posts from Garth Bruen can also be read here.

Related topics: Cybercrime, DNS, Domain Names, Registry Services, ICANN, Internet Governance, Law, Policy & Regulation, Security, Top-Level Domains, Whois



If only we had a regularly updated Phil Howard  –  Mar 12, 2012 2:51 PM PDT

If only we had a regularly updated list of domain names and which registrar the domain is registered under, then we could more easily block out the bad registrars via all of the domains registered there.

Regularly updated list of domain names = www.surbl.org Suresh Ramasubramanian  –  Mar 15, 2012 9:37 AM PDT

It would be interesting if SURBL were to also sort by registrar.

Another, smaller URI blocklist - URIBL - does this, but neither SURBL nor URIBL are restricted to the pharmacy domains Garth's currently interested in.


Rank Registrar Listed Active Percent
1 ENOM, INC.  2115 3478 60.81%
2 MONIKER ONLINE SERVICES, INC.  1964 2181 90.05%


Confirmation... Garth Bruen  –  Mar 13, 2012 11:20 AM PDT

We have just confirmed (again) that this is not enforceable in the current RAA because it is "being addressed" in the next version.

Confirmed again... Garth Bruen  –  Mar 13, 2012 2:40 PM PDT

This problem has been confirmed indirectly and directly in the last 6 hours. Will Official Confirmation follow soon?

"...to tell us they were out of Derek  –  Mar 13, 2012 5:16 PM PDT

"...to tell us they were out of the reach of police and lawyers and didn't care."

Indeed, that is a major problem. We actually find that a major reseller of hosting and domains and with their own registrar in the group, advertises their services as being out of reach of the authorities. However other compliance issues have caught up with this registrar. May we hope?

Then we also have the issue of bad resellers. We have resellers selling domains, offering privacy services etc. They themselves had a fake details in whois. The solution was to simply hide their own details behind the privacy services of another reseller. Eventually it took many law enforcement man hours to shut them down. However that was little consolation to the thousands of victims of the reseller's customer base.

Yet ICANN expects these registrars and their resellers to be little angels than will never do any bad?

It also begs the question: Is the ICANN RAA really worth anything. We have already seen what happened to clause as far as protecting the ordinary netizen.

So much for stability on the net I guess.

Further confirmation Garth Bruen  –  Jun 11, 2012 6:24 AM PDT

The unenforceable accuracy provision is also confirmed in the WHOIS Review Team Final Report on page 79. KnujOn has posted official support for the WIRT report. It's time for ICANN to confirm this publicly ahead of "reveal day." We will be publishing detailed information on related issues this week!

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Startup League Reports from WebSummit, Lisbon

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

.SPACE Becomes the Choice of the First Ever Space Nation Asgardia

Government Guidance for Email Authentication Has Arrived in USA and UK

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name