Billy Barnes is a JD candidate at the University of Toronto.
According to a report commissioned by ICANN, the organization that oversees the domain name system, less than one quarter of domain name ownership records are accurate. Recent statements by the FBI and the UK Serious Organized Crime Agency (SOCA) have drawn upon this report in calling for stricter identity verification when registering a domain. This article discusses the findings of the study, possible solutions and their drawbacks.
ICANN does not actually run the domain name system (DNS) itself. Instead, it accredits registries to oversee individual top-level domains (the part after the final dot, e.g., “.com”, “.info”, or “.ca”). ICANN itself acts as registry for the most common top-level domains. The registries then accredit registrars, the front-line companies that sell and manage individual domain names (e.g., “iposgoode.ca”). When a person registers a domain name, the registrar will ask them to provide contact information(name, post, email, phone). This information is—in most cases—available through a public whois service operated by the registry. In some cases, registrars will offer a proxy service where they submit their own contact information to the whois service and forward communications to the owner’s private address.
The study, conducted by the National Opinion Reporting Centre (NORC) at the University of Chicago, reached a number of interesting, though unsurprising, conclusions about whois accuracy. It checked for three criteria of accuracy: (1) the postal address existed and the phone number was in service, (2) the name, address, and phone number were independently verifiable through a phone book or similar means, (3) the individual was contacted and confirmed ownership. While there are deficiencies in the accuracy of whois databases, the problems are not quite as severe as has been reported.
Only 22.8% of the records surveyed contained wholly true, verifiable information. However, this does not mean that the rest are false. A further 24.6% of records were probably accurate: they matched up with directory information but the owner did not return their phone calls or emails. An additional 22.7% of domain name owners could be contacted by phone or email but their information could not be independently verified—either because it was false, out-of-date, or unlisted. The third category should be counted as probably accurate given the prevalance of unlisted cell phone numbers. In the end, only 8% of owners failed all three criteria. The study has a number of failure points: not everyone will respond to surveys, 14% of users registered their domains through a legitimate proxy, many people will have unlisted phone numbers or use P.O. boxes. That said, the team did go to great lengths to locate and contact owners.
Why is it a problem?
Inaccurate whois information poses a few problems. It makes it difficult for law enforcement to track down operators of illegal websites. For example, it is currently very easy to create phishing websites by registering a common mistyping of a popular domain name under a false name. The FBI and SOCA are particularly worried on this point. They submitted a set of recommendations to ICANN regarding improvements that may be made to increase the accuracy of whois databases. The recommendations have not been released publicly yet, but SOCA reports that Interpol and numerous other police agencies also support them. It is expected that ICANN will publish comments on the proposal in the coming months. In a similar vein, inaccuracy can slow down the process of removing a website that infringes upon a trademark and frustrate companies that may wish to pursue damages in court as well. Inaccuracy may also aid in theft of domains since the registrar’s notifications of ownership changes will go unnoticed.
Despite these problems, there are reasons why inaccuracy might be considered a useful evil. The foremost reason is privacy. There are certainly cases where a website owner may not want their home address and phone number associated publicly with their domain name. This concern, however, is largely addressed by the rise of proxy services offered by most registrars. In Canada, for example, all domains are private by default and CIRA (the “.ca” registry) provides a contact form on their website to forward inquiries to owners. These proxies, however, only conceal information from the general public. There are some (corporate whistleblowers, bloggers under oppressive regimes) for whom this may not be enough.
Addressing the problem
A solution to the problem would involve heightened verification practices for registrars. As the only entities in direct contact with the domain owners and being in contact before the domain goes live, registrars are in the best position to test the validity of contact information. Currently, the Registrar Accreditation Agreement governing registrars for the major top-level domains only specifies that the contract between registrar and domain owner must have a condition stating that all contact information is correct. If the information is incorrect, the registrar may choose to deactivate the domain name but there is no duty to enforce this condition. In addition, the databases of contact information are kept by the registrars and only queried when needed. Thus there is no easy way for ICANN to search for false entries.
Other approaches are used for other top-level domains. For example, Nominet, which runs the “.uk” top-level domain, requires that contact information be verified, does not allow the use of proxy services and maintains its own database of owner contact information. It has on occasion discredited registrars that did not comply with the rules. Eurid, the organization running “.eu”, also requires verification and has dedicated staff checking contact information.
The NORC report contained a few suggestions for improving the accuracy of the whois databases. Many of the errors they uncovered were merely due to carelessness on the part of the owners. A very common error was forgetting to notify the registrar of a change of address (I must admit that all of my domains are still listed with my last address). Periodic reminders and simplified update procedures would address this issue. Similarly, many errors appear to be due to users misreading the registration forms. They either misunderstood the information being requested or were uncertain of the differences between the four types of contacts they are asked to provide. The report dismissed the idea of checking addresses against credit card details: too many people use a personal credit card to pay but provide work contact information.
The report hinted at but did not actually suggest one particularly good method. It noted that most people using proxy services give accurate information to the proxy. It is possible that some of the intentional misrepresentations would be avoided if it weren’t automatically placed in a publicly accessible database. Many owners may choose to self censor the information they provide rather than pay for a proxy service. In the words of the report:
In most registry type systems which could reveal information about a person’s identity and address (motor vehicle registries, telephone directories, property ownership, credit status, medical records), there is an inherent tradeoff between the accuracy of the information and the degree of unrestricted and/or undocumented access.
It’s worth considering the need for so much information in relation to domain names. There may be valid technical, law enforcement or legal uses for the information, but it need not be instantly available to the most casual inquiry.
Such an approach would do little to prevent anyone who was determined to provide false information. It would not be impossible for registrars to undertake some more verification than they currently do. For example, there are automated services that verify phone numbers. Yet even this can be thwarted by a criminal with a stolen credit card and a pre-paid cell phone. It will, however, increase the transaction costs of cybersquatters who may register hundreds or thousands of domains. At the same time, those most in need of anonymity may be faced with a choice between exposing themselves and engaging in criminal activity to hide their identities. ICANN will have to carefully balance the need for authentication with the privacy of domain owners and the costs of registrars.