Home / Blogs

Invalid WHOIS Data: Who Is Responsible?

Benjamin Edelman

Suppose you wanted to know who operates a website at a given domain name. Perhaps you suspect that the domain name is pointing to a website that offers illegal content, or you may just want to send a comment to its authors. Conveniently, the Internet provides a so-called "WHOIS" system that ordinarily provides contact information for each registered domain. But in the case of many hundreds of thousands of domains, the WHOIS data just isn't accurate.

A Taxonomy of the Problem

WHOIS errors tend to fall into three distinct categories. First, a number of errors are unintentional or accidental, reflecting a good-faith mistake or a technical glitch. Some errors may develop due to the complexity of the series of suppliers that must coordinate to register a domain name — registry, registrar, and in some instances a reseller. Other WHOIS inaccuracies reflect that addresses naturally develop errors over time — as registrants move to new mailing addresses and change their phone numbers and email addresses. In addition, for registrants who don't typically do business in English, the registration process itself may have brought about certain mistakes; though some registrars offer interfaces in other languages, many aspects of the registration process continue to anticipate serving English speakers.

Other WHOIS errors result from registrants intentionally, but in good faith, entering invalid data. Some registrants may have submitted erroneous data in an attempt to keep their names, addresses, and phone numbers confidential. Their privacy concerns are well-founded, but ICANN policies and registrar contracts nonetheless require that WHOIS data provide an accurate contact for each registrant. (To comply with the rules, privacy-wary users must instead designate a third party for listing in WHOIS; that entity must in turn convey official communications to and from the actual registrant.) In the past these services have been hard to find, but registrars such as Go Daddy have recently developed private registration systems.

A final group of registrants submit extensive erroneous WHOIS data in an attempt to keep their true ide/url]ntities secret. These large-scale registrants are often connected to behavior of disputed legality: Some conduct large-scale reregistration of domains previously allowed to lapse by their prior registrants. Others may be associated with more traditional acts of cybersquatting or domain name warehousing. At least some apparently use invalid WHOIS data to attempt to conceal behavior considered fraudulent by the FTC.

What Can Be Done About the Problem

With the growth in commercial use of the Internet, registries and registrars have faced pressure to improve WHOIS data accuracy. The FTC reports that law enforcement agencies consistently rely on WHOIS data, and the House Committee on the Judiciary has held multiple hearings on the subject. A series of advisories, committees, surveys, and task forces have further considered the problem, but until recently these efforts produced little progress.

One approach to increasing WHOIS accuracy is to flag specific domain names with inaccurate contact information. But it's not often easy to find the domains at issue, and even when these problems are posted to a mailing list or discussion board, often nothing happens in response. Indeed, when I previously reported some 2500+ domains registered with a variety of inaccurate contact data, no action was taken by registrars, registries, or ICANN. When ICANN itself investigates invalid WHOIS data, it is somewhat more effective: Earlier this fall, ICANN staff sent a letter to VeriSign, noting seventeen domains registered through the company's registrar that continue to offer invalid WHOIS data despite prior warnings to VeriSign. VeriSign promptly reported that it addressed the problems. Even when successful, this approach is largely symbolic; these few names are only a tiny portion of the invalid registrations at issue. Nonetheless, the associated publicity — of ICANN's letter and, I'd like to think, my earlier report — reminded registrars of the need to act on WHOIS complaints received.

ICANN subsequently implemented the WHOIS Data Problem Report system, a form that lets Internet users report domains with false WHOIS data. The idea is a good one — harnessing the distributed power of the Internet by receiving problem reports from anyone interested, and passing allegations directly to appropriate registrar contacts for investigation. But the system may not set the necessary incentives to assure registrar compliance; it lacks public reporting of usage or of complaint resolution rate. Indeed, I submitted a complaint and four weeks later have yet to see any change in the disputed WHOIS records, nor have I received notification of any pending investigation. But the system at least establishes a standardized process for submitting allegations of inaccuracy — a significant improvement over the previously-undocumented requirements of a myriad of registrar contacts.

Common to the prior systems is a requirement of individual investigation of each complaint received, a time-consuming process no doubt prone to error. Against this background comes a new service from Alice's Registry. When implemented by a registrar, AR's Fraudit system quickly inspects all proposed registrations, confirming the presence of required data as well as cross-checking address, country, and phone number. Registrars can select the degree of verification required, and registrations failing the selected verifications can be automatically denied or subjected to review by registrar staff. These are major improvements, greatly increasing registrars' ability to detect and prevent fraud. Of course, registrars must pay for this service — and if millions of domains were to be checked, the process could become quite expensive. It is also difficult to fully verify registrations from certain countries; American registrants can be checked against an extensive database of addresses, but such information is not available for all countries worldwide, making inspection of such registrants less rigorous. Nonetheless, for its sensible use of automated systems, Fraudit's approach seems to me the most innovative technique to date.

The Fraudit service confirms that registrars — the companies in closest contact with domain registrants — hold the key to improvements in WHOIS accuracy. But will they willingly take on this additional task? Enforcing WHOIS restrictions means turning away some would-be customers as well as increasing the complexity and back-end costs of the registration service. The past three years of competitive registrar operations show little progress in accuracy, and in a competitive market where many registrars literally struggle to survive, it may be unreasonable to expect registrars to do this work voluntarily. Instead, if WHOIS accuracy is truly as important as the FTC and others have suggested, regulation — whether by ICANN or by governments — may be required to bring about improvements.

By Benjamin Edelman, Assistant Professor, Harvard Business School

Related topics: Cybercrime, Cybersquatting, DNS, Domain Names, ICANN, Policy & Regulation, Privacy, Whois

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Cybersecurity

Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016