Whois Audits and Verification

Whois Audits and Verification practices allow registrars to help target fake or incorrect Whois information. Whois validation and verification, now required by ICANN’s 2013 Registrar Accreditation Agreement (RAA), refers to the registrars’ responsibility to check the contact and personal information provided during registration. [1] The registrar must validate required items such as whether the street address the registrant provided exists and whether the provided email is correctly formatted.[1] Additionally, the registrar must verify the registrant's email address or phone number by asking the registrant to respond using a "unique code."[1]

This information is brought to you by
DNS Seal, a best practices wiki for DNS

Public Perception

The public perception of Whois auditing may be mixed because it is so common to use False Whois information, not necessarily to cover criminal activity but to avoid the risk of identity theft or maintain privacy.[2] However, in the case of a technical malfunction on the registrant's website or a Domain Name Hijacking attempt, it is important for the registrant's contact information to be correct so that they can be informed in a timely manner.

Outcome

More frequent Whois audits can encourage more open behavior in the domain name industry and provide accountability. Hopefully, people concerned about privacy and security will seek additional fee-based privacy or proxy services or sign up with a registrar that provides such services for free instead of risking their domain name by using false Whois information.[3]

Historical Use

  • ICANN requires that Whois information be correct and publicly available, which is supposed to increase transparency in addition to providing information on whom to contact in the case of emergency, abuse, or criminal investigation.[4] However, many people feel doubtful about providing personal information to the public, especially as phishers and spammers may take advantage of the Whois database.[2][5] Whois audits can be a means of combating illegal activity online in addition to providing important contact information.
  • Some registries, such as Nominet, have set supplemental guidelines regarding additional registrant information checks for their .uk selling registrars under a Good Practice Terms clause.[6]

ICANN Policy

  • 2013 Registrar Accreditation Agreement (RAA): as discussed above, this policy outlines the registrar's responsibility to check the personal and contact information provided by the registrant.
    • If the registration information is not correct, the registrar gives the registrant 15 days to fix any errors. If the information is not changed, then the account may be suspended or deleted.[1]
    • In addition, if the registrar believes that any information provided maybe be false or out of date, the registrar must re-verify the account email information.[1]
  • Whois Data Reminder Policy (WDRP): this 2003 policy requires that registrars send out yearly notices requesting updates to Whois information.[7] If no changes have occurred, no response is necessary.[7]
  • ICANN released a Draft Implementation Plan that would create a Whois program to report the accuracy of Whois information and to perform periodic audits.[8][9] The report is available for public comment until April 1.[8] The next step in implementing this program is an ICANN request for an official proposal.[8]
    • This plan is based on an experimental study performed by NORC and SSAC recommendations.[9]
    • ICANN would sample Whois information in gTLDs, rating them on this scale: "No Failure, Minimal Failure, Limited Failure, Substantial Failure, and Complete Failure."[9]
    • Whois entries would be judged in three major categories: syntactic accuracy, operational accuracy, and identity.[9] Syntactic accuracy would involve validating that all the fields are filled out and in the correct format. Operational accuracy would address whether or not the information is "applicable," and the identity category refers to validating that the Whois information "can be used to confirm the identity of the registrant."[9]
    • ICANN would also notify registrars with false or inaccurate Whois information.[9]

Legislation

Currently, there is no legislation that specifically addresses these practices.

Additional Resources

Related Articles

References

  1. 1.0 1.1 1.2 1.3 1.4 http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy Internet Corporation for Assigned Names and Numbers (ICANN)
  2. 2.0 2.1 http://whois.icann.org/en/questions-answers WHOIS Beta, Internet Corporation for Assigned Names and Numbers (ICANN)
  3. http://www.publicdomainregistry.com/privacy-protection/ Public Domain Registry
  4. http://www.icann.org/en/resources/policy/background/whois Internet Corporation for Assigned Names and Numbers (ICANN)
  5. http://www.icann.org/en/news/public-comment/whois-misuse-27nov13-en.htm Internet Corporation for Assigned Names and Numbers (ICANN)
  6. http://www.nominet.org.uk/sites/default/files/nominet_registrar_resources_-_good_practice_terms_for_registrar_agreement_-_2012-07-03.pdf (PDF) Nominet
  7. 7.0 7.1 http://www.icann.org/en/resources/registrars/consensus-policies/wdrp Internet Corporation for Assigned Names and Numbers (ICANN)
  8. 8.0 8.1 8.2 http://www.icann.org/en/news/public-comment/whois-accuracy-reporting-11mar14-en.htm (March 11, 2014), Internet Corporation for Assigned Names and Numbers (ICANN)
  9. 9.0 9.1 9.2 9.3 9.4 9.5 http://www.icann.org/en/news/public-comment/whois-accuracy-reporting-11mar14-en.htm (PDF) titled WHOIS Online Accuracy Reporting System Implementation Plan, under the heading Section III: Document and Resource Links (March 11, 2014), Internet Corporation for Assigned Names and Numbers (ICANN)