Latest news of the domain name industry

Recent Posts

Are Whois email checks doing more harm than good?

Kevin Murphy, April 2, 2014, 12:36:58 (UTC), Domain Registrars

“Tens of thousands” of web sites are going dark due to ICANN’s new email verification requirements and registrars are demanding to know how this sacrifice is helping solve crimes.

These claims and demands were made in meetings between registrars and ICANN’s board and management at the ICANN 49 meeting in Singapore last week.

Go Daddy director of policy planning James Bladel and Tucows CEO Elliot Noss questioned the benefit of the 2013 Registrar Accreditation Agreement during a Tuesday session.

The 2013 RAA requires registrars to verify that registrants’ email addresses are accurate. If registrants do not respond to verification emails within 15 days, their domains are turned off.

There have been many news stories and blog posts recounting how legitimate webmasters found their sites gone dark due to an overlooked verification email.

Just looking at my Twitter stream for an “icann” search, I see several complaints about the process every week, made by registrants whose web sites and email accounts have disappeared.

Noss told the ICANN board that the requirement has created a “demonstrable burden” for registrants.

“If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals,” he said.

Noss told DI today that Tucows is currently compiling some statistics to illustrate the scale of the problem, but it’s not yet clear what the company plans to do with the data.

At the Singapore meeting, he asked ICANN to go to the law enforcement agencies that demanded Whois verification in the first place to ask for data showing that the new rules are also doing some good.

“What crime has been forestalled?” he said. “What issues around fraud? We heard about pedophilia regularly from law enforcement. What has any of this done to create benefits in that direction?”

Registrars have a renewed concern about this now because there are moves afoot in other fora, such as the group working on new rules for privacy and proxy services, for even greater Whois verification.

Bladel pointed to an exchange at the ICANN meeting in Durban last July, during which ICANN CEO Fadi Chehade suggested that ICANN would not entertain requests for more Whois verification until law enforcement had demonstrated that the 2013 RAA requirements had had benefits.

The exact Chehade line, from the Durban public forum transcript, was:

law enforcement, before they ask for more, we put them on notice that they need to tell us what was the impact of what we did for them already, which had costs on the implementers.

Quoted back to himself, in Singapore Chehade told Bladel: “It will be done by London.”

Speaking at greater length, director Mike Silber said:

What I cannot do is force law enforcement to give us anything. But I think what we can do is press the point home with law enforcement that if they want more, and if they want greater compliance and if they want greater collaborations, it would be very useful to show the people going through the exercise what benefits law enforcement are receiving from it.

So will law enforcement agencies be able to come up with any hard data by London, just a few months from now?

It seems unlikely to me. The 2013 RAA requirements only came into force in January, so the impact on the overall cleanliness of the various Whois databases is likely to be slim so far.

I also wonder whether law enforcement agencies track the accuracy of Whois in any meaningfully quantitative way. Anecdotes and color may not cut the mustard.

But it does seem likely that the registrars are going to have data to back up their side of the argument — customer service logs, verification email response rates and so forth — by London.

They want the 2013 RAA Whois verification rules rethought and removed from the contract and the ICANN board so far seems fairly responsive to their concerns.

Law enforcement may be about to find itself on the back foot in this long-running debate.

Tagged: , , , , , , ,

Comments (12)

  1. Domain Observer says:

    I did not even get the email from the registrar. When I logged into the registrar site, I saw a message they sent an email for verification. I asked them to resend the email.

    • Rob Golding says:

      @Domain Observer – that happens regularly and is one of the major flaws of wanting to verify email addresses by email.

      The possibilities are:
      * typo in the email address
      * blocked by your host filters
      * caught as a phishing scam as it asks you to ‘click’ things
      * misfiled by your email program
      * a-n-other reason

      Best to take to your registrar about it

      • Domain Observer says:

        Thanks for explaining the possible reasons. I think I was lucky to log into the registrar site and see their message and have my email address verified successfully. It was pure luck. I am afraid there may be some innocent domain registrants who are not so lucky and completely unaware of the verification email. This should be an issue.

  2. Check the WHOIS for love.com (non-existent). I submitted a WHOIS inaccuracy complaint on March 12, 2014, and it still hasn’t been fixed. ICANN doesn’t seem to take its own responsibilities very seriously.

    • Luc says:

      George,

      They never did. I’ve submitted whois inaccuracy complaints several times over the last decade and they NEVER got corrected.

      However, here, I think the situation is different because domains will get deleted if they are not verified.

      There should be a better way to do this.
      Luc

      • Louise says:

        You don’t get it: the Syndicate is coming for your dot coms.

        the domains will not get deleted. Just selected ones that the Syndicate want.

      • Luc: what should happen is that the *registrar* should be penalized in some way (not the registrant). Clearly love.com belongs to AOL, who transferred it from their prior registrar. But, the current registrar (CSC Corporate Domains, which has many top companies as clients) doesn’t seem to realize that the transfer to them succeeded, so they still think the domain shouldn’t be in their WHOIS database.

  3. James says:

    “Are Whois email checks doing more harm than good?”

    This is an excellent question. Can we measure the benefits of these new measures against the very real disruptions they are causing in the industry?

    We were told that these changes were necessary to catch criminals, phishers, spammers, peodophiles. Is this being done? Or are they just being used to go after IP infringement?

  4. The mandatory emails for whois checks and notifications about domain expiries are scaring and confusing our customers.
    Since they were introduced we get questions and complaints on a daily basis. The workload for our support dept. has increased dramatically.

    Is that what ICANN intended ?

  5. Greg Shatan says:

    It seems to me that the ICANN and the registrars may not be doing a good enough job of publicizing the verification requirements to registrants. It may also signal that registrars need to have methods of communicating with registrants that will be viewed as more secure and reliable. It’s ironic that between spam and phishing and spoofing (not to mention promotional emails), registrants won’t open, can’t be bothered to open or simply can’t find their notifications.

    It may also be that the system and timeline of consequences for failure to verify could be tweaked to minimize inadvertent failures. But the requirement should not be thrown out because it could be improved — instead it should be improved, and registrars should be more creative in contacting registrants. For instance — when the commissioner for my fantasy baseball league has not paid the annual fee to the website that hosts the league, a big red flag comes down when ever I access the website. Or perhaps a notice similar to a “certificate error” notice should be generated.

    None of this is to minimize the issue. Rather it is to suggest that the “solution” sought is rather too drastic. Verification is a big step in the right direction; it should not be rolled back.

Leave a Reply to Rob Golding