CircleID

This may or may not come as a shock to some of you, but ICANN's contract with the Domain Name Registrars, in terms of WHOIS inaccuracy is not enforceable. Bear with me. The ability of ICANN to enforce against a Registrar who fails to correct or delete a domain with false WHOIS does not exist.

There are two clauses to 3.7.8, the first can be completely ignored because it is conditional on non-existent "established policies":

Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information.

No policy, no way to actually enforce since the Registrar has no guidance or specifications. The use of "shall" here is a complete red-herring as it is conditional on the ephemeral.

The second clause is the one which is truly problematic:

Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

We have been operating under the false assumption that the Registrar has to correct the record and has to delete the domain if the record is not corrected. However, the only obligation here is for the Registrar to "take reasonable steps." There is no obligation to actually correct AND there is no obligation to delete if the record is not corrected. This is clarified in the 2003 advisory. This policy only gives the Registrar authority to delete the domain at their discretion. The Registrar cannot be compelled to delete the domain, and therefore cannot be held in breach for failing to do so.

The Registrar can say "we checked the WHOIS record, it's fine. Mickey Mouse lives at 1600 Pennsylvania Ave, we called him at 800-FLOWERS and he told us so."

So, walking backwards… because a Registrar cannot be held in breach for failing to correct or delete, a registrant cannot be obligated to correct inaccurate WHOIS data. Because there is no direct obligation on the registrant, any affirmation in the registrant agreement to provide truthful and accurate statements is pointless. WHOIS inaccuracy studies, enforcement efforts, can't go anywhere if the Registrar chooses to ignore them.

The implications are profound. A Registrar in a non-cooperative, lawless country can sponsor the most heinously illegal domains with fake WHOIS as long they "take reasonable steps" to investigate. This also renders the implied compact between ICANN, Registrar, registrant, and Internet consumer meaningless.

In a related release, KnujOn has published 12 case studies demonstrating this problem. The Twelve companies: Internet.BS (Bahamas), eNom (Washington/California, U.S.), URL Solutions (Panama), Moniker (Oregon/Florida, U.S.), OnlineNIC (California, U.S.), Joker (Germany), Core (Switzerland), UKRnames (Ukraine), NetLynx (India), PT Ardh (Indonesia), BizCN (China) and Net4India (India) were all officially notified between May and June 2011 that they were sponsoring illicit pharmacies with false WHOIS records. In the interest of fairness and full disclosure we gave the Registrars an opportunity to review this data. Only one responded before publishing to tell us they were out of the reach of police and lawyers and didn't care.

By Garth Bruen, Internet Fraud Analyst and Policy Developer. Visit the blog maintained by Garth Bruen here.

Related topics: Cybercrime, DNS, Domain Names, Registry Services, ICANN, Internet Governance, Law, Policy & Regulation, Security, Top-Level Domains, Whois