WHOIS data: challenges and perspectives
Nathalie Dreyfus of Dreyfus & Associates asks some key questions about the WHOIS system
WHOIS databases are particularly useful for finding information on domain name holders. Their name (who is) clearly indicates their purpose, which is to provide essential information about protagonists with regards to a domain name and especially concerning the name reservation date, the registrant, the administrative contact details, or the registry office of the domain name. In summary, WHOIS is the database of domain names registered with a registrar or a registry.
There are in fact two categories of WHOIS: the thin WHOIS and the thick WHOIS, based on the amount of information they contain. As an example, VeriSign has a thin WHOIS for the first level generic domains .com and .net. In fact, VeriSign does not store any personal information that relates to the domain name. The owner’s name, address or telephone number were logged directly with the registry that holds the thick WHOIS containing more detailed information. For national domains in the category of country code TLDs such as .fr and .de, generally speaking the registrar directly obtains the thick WHOIS.
What is the function of the WHOIS?
To guarantee the efficient functioning of a domain name’s system, the WHOIS fulfils administrative and technical functions. Firstly, the service identifies the domain name owner, the administrative agents and the registry office that handled the commercialisation of the domain name. Next, the WHOIS database contains the name status, in other words, its registration date, further updates and renewals, as well as its current status (either active, at renewal stage or being transferred).
In addition to this, the WHOIS specifies who the authorised domain name system servers for each domain name are. This function is essential since the DNS servers give the internet protocol address that corresponds to a host name, in other words, they ensure the resolution of the domain name that leads to an internet site or allows electronic mail to be sent. Without this, the domain name remains inactive. Lastly, the WHOIS service also has a commercial role since it enables internet users to find domain names that may interest them and also to identify anyone guilty of infringing their rights.
Who operates the WHOIS service?
In application of the Affirmative of Commitment (AoC) of 30 September 2009, the Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for implementing existing policy regarding the WHOIS, under the auspices of applicable legislation. ICANN is also required to implement the necessary measures to ensure public, free and rapid access to WHOIS information that must be accurate and complete, including details of the title holder, billing details, administrative contract information and technical support details.
By 2002, ICANN had already put in place a WHOIS Data Reminder Policy. Since then, registry offices must carry out an annual check of registrants’ details and correct them if inaccurate, failing which sanctions can be levied. In addition, they must send an email to domain name owners that requires them to check the accuracy of their details and update them if necessary.
To this effect, the Registrar Accreditation Agreement (RAA), a contract by which ICANN accredits a registry office, outlines their obligations, especially concerning the accuracy of WHOIS data. The latest accreditation contract, the RAA 2013, came into effect on 1 January. The registry office is required to take all reasonable measures in the event that inaccuracies within the WHOIS database are notified by “any parties”. The reasonable measures to be taken will vary according to the circumstances. Initially, this may take the form of an enquiry carried out by the registry office using all means at its disposal. Further to this, if the rights holder fails to reply after two weeks to questions relating to the accuracy of its WHOIS data, it may find that its registration has been cancelled.
Finally, if the results of the enquiry prove that data was inaccurate, and thereby reveal a deliberate violation of the registration contract, the registrant will lose its domain name registration.
Registrars must manage the domains for which they are responsible and oversee database updates, the accreditation of registry offices that commercialise domain names and also the registration of domains.
What’s in store for WHOIS in the future?
The changing commercial nature of the internet has led to misuse of the WHOIS service at several levels, and particularly with regards to the accuracy of data and access to this data. Questions have been raised concerning confidentiality and the improper use of data. The question is whether the current WHOIS concept meets the needs of today’s internet and also that of the future.
ICANN’s consultative committee for security and stability has recommended that registry offices and registrars publish contact information to flag cases of abuse. This contact person will be expected to reply to all claims of malpractice received by other registry operators, registry offices or recognised members of the community who are engaged in the fight against such abuses.
Since 1 January, registry offices that have signed the RAA 2013 must therefore add these contact details to their WHOIS databases in order to report malpractice.
The Cylab laboratory at the Carnegie Mellon University published a report on 26 November 2013 concerning misuse of WHOIS databases. This report outlined cases of malpractice in the exploitation of information contained in the WHOIS registers. In particular, there are cases of misuse of personal data, identity theft, phishing, cybersquatting, spamming and misuse of postal or electronic addresses. The existence of malevolent organisations seeking to extort funds was also highlighted.
WHOIS information was also misused to damage DNS servers by launching a phishing attack. Certain fraudsters make illegal use of a registrant’s information to register domain names.
The report showed that the misuse of data contained in the WHOIS register is rarely dealt with, although there is a significant amount of real misuse. This is due to the paucity of declarations relating to misuse of the WHOIS by registrants. Besides this, registry offices and registrars rarely reveal cases of misappropriation of WHOIS data. As a result, it is difficult to evaluate the specific impact of such misuse in practice.
Free or controlled access to WHOIS data?
The correlation between the publication of WHOIS data and its misuse has yet to be proven. In reality, it is obvious that spam and unauthorised contact on the internet are the inevitable consequences of having an online presence. We cannot be sure that the public nature of WHOIS information is the real or major cause of malpractice concerning data found on the internet. Moreover, limiting access to WHOIS information would not necessarily bring about a reduction in the misuse of WHOIS data. Access to the personal data of registrants is necessary to protect consumers. In addition, it is equally important to guarantee public access to accurate and reliable WHOIS data.
What of the protection of personal data in the context of WHOIS databases?
The WHOIS databases contain a compilation of personal data pertaining to the rights holder (surname, first name, telephone number, address). Consequently, there is a conflict of interest: the transparency of the WHOIS service versus the protection of personal data.
Where someone is represented by proxy or by a service providing anonymity, ICANN does not intervene. In other words, for ICANN, the person listed in the WHOIS database is considered to be the domain name title holder. The link between the registrant and private service is not taken into account. Moreover, several services providing anonymity refuse to be contacted or provide registrant details. This final obstacle runs contrary to the objectives of the WHOIS services as regards the traceability of domain names and the ability to directly contact rights holders. However, it is always possible for anonymity to be lifted if a Uniform Domain-Name Dispute-Resolution Policy (UDRP) procedure or a legal procedure is undertaken.
Furthermore, ICANN has proven to be reticent about services providing anonymity within WHOIS. In 2004, for example, they asked the VeriSign registrant to more accurately complete the WHOIS fields containing personal data. In 2006, Jon Leibowitz, commissioner at the Federal Trade Commission, an American government agency, reiterated ICANN’s position: “The WHOIS is often the primary source of information used by our investigators when they are working on an internet case.” Concerning the usefulness of WHOIS databases, he added that “where there is no contact information for website operators, consumers can turn to WHOIS to find out”. For ICANN, WHOIS data must be accessible without the applicants having to identify themselves.
What is the future of the current WHOIS service?
The present WHOIS service has a number of weaknesses and needs to be reformed to adapt to the digital world and e-commerce in particular. An expert working group was formed by ICANN in 2013 to examine the registration service for gTLDs. The aim is to replace the current service with another by which the data would only be collected, validated and shared for authorised purposes such as spot checks, domain name research or to protect personal data. In addition, only certain data would be available to authorised enquirers who would be held accountable for its use.
The working group will present the key elements of the new service model known as the Aggregated Registration Data Service (ARDS). Initially, each gTLD register will remain the official source for data collection. From there, users wishing to obtain registration details must request an access certificate from the ARDS. The ARDS will both grant and control access in order to limit malpractice and will be able to impose penalties. It will also deal with any complaints relating to the accuracy of data.
Recognising the need for accuracy and the protection of personal data, the working group intends to launch “secure and protected certificates”. Furthermore, they suggest the creation of an independent organisation accredited by ICANN, which would establish criteria for determining if the applicant can or cannot benefit from maximum protection.
Currently, this project has not been finalised since questions remain outstanding relating to costs and implications. The group is awaiting community feedback on its initial proposals before going further. And already a number of contentious issues have been raised. The project will need time to be developed and adapted before being launched. To be continued.