
A Confession About The ICANN WHOIS Data Reminder Policy

Thomas Roessler

With all the recent attention to WHOIS, it's time for a confession: I'm somewhat guilty for the infamous WHOIS Data Reminder Policy. With hindsight, it's a bad policy, and it needs to die.

The year was 2002. ICANN's DNSO (soon to be renamed as the GNSO) had a WHOIS Task Force, and was trying to extract policy choices from an ill-conceived and worse-executed survey of assorted self-selected stakeholders. As today, the topics at hand included privacy protections, compliance (and graduated sanctions for non-complying registrars), and accuracy of WHOIS records.

To get the discussion going, I threw a few of the proposals that had come up in the survey into a draft report as straw men; I probably made up a few more policy proposals out of whole cloth. Alas, there it was: The seemingly-innocuous concept that having an annual data reminder might be good customer service, and that it might somehow help to increase data accuracy. Next to graduated sanctions and other proposals on the table at the time, this idea had the attraction of saving face in the accuracy area, while not being an obviously bad idea by the standards of that particular task force. And so we inflicted it on the gTLD registrars and registrants of the world. And on ICANN's not-yet nascent compliance department.

The policy appears to be implemented by most registrars in the form of an e-mail notification to registrants (even though it doesn't have to be in email). By definition, these notifications include almost entirely public information. They're therefore a first-rate phishing vector: For example, send a notification with slightly (but embarrassingly) wrong WHOIS data, give a link to fix the data, and hope that people will click that link and hand over the credentials that they're using to manage their registration.

More generally, this policy exhibits a few flaws that are symptomatic of the broken policy process of the time: It micro-managed a particular piece of registrars' interactions with their customers. It didn't have a sunset date. It had no clear success metrics (e.g., number of corrections traceable to notices) that would have permitted ICANN to phase it out if unnecessary. It had no proper review for its security impact on registrants.

Even the WHOIS Review Team acknowledges that the policy is probably ineffective.

It's time for the GNSO to propose to the Board to repeal this policy. Should be a slam dunk of a task force.

Originally posted on my personal blog.

By Thomas Roessler, Mathematician.



Don't blame yourself – John Levine – Jul 20, 2012 7:58 AM PDT

It's been at least as effective as people at airports asking if you're carrying a bomb for someone you don't know.

Charles Christopher – Jul 23, 2012 12:06 PM PDT

>even though it doesn't have to be in email

Somewhere in my email archive I have an exchange with ICANN that is in conflict with that statement. We are a private registrar, I talk to my partners on the phone. There is no "admin panel".

When I responded to the first ICANN whois compliance survey that no emails were sent and all whois checks were performed BY PHONE, the response was that our registrar was out of compliance and demanded our plan to come into compliance or face termination of our contract.

From memory my response was something like:

"Please confirm ICANN's position that email is a more effective confirmation of registrant identity and whois accuracy than email".

I never got a response.

ICANN never followed up on their threat of terminating our registrars. However, next year's whois compliance survey left open the possibility of confirming whois by methods OTHER than email.

Slam dunk? – Volker Greimann – Jul 03, 2015 7:09 AM PDT

I doubt it would be slam dunk. There are enough forces at play that oppose any reduction in whois obligations that would make this effort very tough to complete.

Online TV Show Man – Dec 10, 2015 7:30 PM PDT

Great article! I actually came here from a "reminder email" that I googled the subject line and ended up here, and realized it was most likely a phishing attempt. It's a very easy con for beginners and people new to domain ownership.
