Latest news of the domain name industry

Recent Posts

Registrants guilty until proven innocent, say UK cops

Kevin Murphy, August 19, 2015, 15:41:13 (UTC), Domain Registrars

UK police have stated an eyebrow-raising “guilty until proven innocent” point of view when it comes to domain name registrations, in comments filed recently with ICANN.

In a Governmental Advisory Committee submission (pdf) to a review of the Whois accuracy rules in the Registrar Accreditation Agreement, unspecified “UK law enforcement” wrote:

Internet governance efforts by Industry, most notably the ICANN 2013 RAA agreement have seen a paradigm shift in Industry in the way a domain name is viewed as “suspicious” before being validated as “good” within the 15 day period of review.

UK law enforcement’s view is that a 45 day period would revert Industry back to a culture of viewing domains “good” until they are proven “bad” therefore allowing crime to propagate and increase harm online.

The GAC submission was made August 13 to a public comment period that closed July 3.

The Whois Accuracy Program Specification Review had proposed a number of measures to bring more clarity to registrars under the 2013 RAA.

One such measure, proposed by the registrars, was to change the rules so that registrars have an extra 30 days — 45 instead of 15 — to validate registrants’ contact information before suspending the domain.

That’s what the UK cops — and the GAC as a whole — don’t like.

They have a point, of course. Criminals often register domains with bogus contact information with the expectation that the domains will not have a long shelf life. Fifteen days is actually quite generous if you want to stop phishing attacks, say.

The Anti-Phishing Working Group says phishing attacks have an average up-time of 29 hours.

Clearly, ICANN’s Whois accuracy program is doing little to prevent phishing as it is; a switch to 45 days would presumably have little impact.

But the number of domains suspended for lack of accuracy at any given time is estimated to be in the hundreds of thousands, and registrars say it’s mostly innocent registrants who are affected.

Verisign said this March that .com domains “on hold” grew from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.

In June 2014, registrars claimed that over 800,000 domains had been suspended for want of Whois accuracy in the first six months the policy was in place.

Tagged: , , ,

Comments (2)

  1. Volker Greimann says:

    Phishing and other abuse is “use”.
    Whois accuracy is “registration”.

    ICANN has a mandate over registration, but not (or only very limited) over use.

    Hence a report about incorrect whois details follows a procedure intended to allow registrants to correct these details.

    If someone wants to complaint about the use of a domain and wants a quick takedown, whois complaints are not the way to do it.

    And 15 days can be a very narrow time window to reach a registrant and hear back from him, especially during vacation time, or in cases of multiple resellers in between the registrant and the registrar.

    Obviously the GAC and LEAs have not looked at the arguments behind the change and are just pushing for their agenda, not realizing they are referring to a tool not intended or designed to do what they think it is for.

    • John Berryhill says:

      “And 15 days can be a very narrow time window to reach a registrant and hear back from him…”

      Opportune times are natural disasters, civil disturbances or acts of war.

      On 9/11, I was in a tall office tower on the east coast, having the National Arbitration Forum refuse to extend a filing deadline in a UDRP case so that I could evacuate the building with the rest of the staff.

      I had a client in New Orleans who received a UDRP when hurricane Katrina had taken out his place of business, along with the court of Mutual Jurisdiction, rendering it impossible to stay the proceeding.

      Policies with tight timelines like this provide all kinds of opportunities. The World Trade Center used to have its own zip code, so it was fairly easy after 9/11 to find and target domain names using that zip code for WHOIS accuracy complaints. When the US started bombing Iraq, there were some who were quick to take advantage of the sudden non-responsiveness of Iraqi domain registrants.

      You’d be surprised how often you can get lucky by checking the obituaries. One California lawyer noticed the death of an Ohio real estate agent having the same last name and filed a thoroughly bogus cybersquatting lawsuit right after the domain registrant kicked off, since the registrant would default. He got the name before the guy’s family knew what happened.

      Good fun these policies. Keep ’em coming.

Add Your Comment