Hoo-ha erupts over WHOIS validation

International

Registrars and registrants alike have begun voicing concerns about the cost and impact of WHOIS validation procedures imposed under the 2013 Registrar Accreditation Agreement (RAA). This obligation to verify email contact addresses listed in the WHOIS of gTLD and new gTLD domain names has already resulted in some websites going offline and such cases will no doubt increase as the number of registrants receiving notices expands. The verification procedure itself has also unwittingly provided a prime opportunity for phishing scammers who have been quick to exploit a situation whereby registrants must either click on a link in an email or risk having their domain name suspended. As could be expected, this made for a hot topic for discussion at the recent ICANN meeting in Singapore.

The 2013 RAA was approved by ICANN in June 2013 and has since been gradually taken up by registrars, either voluntarily or upon expiry of their previous RAA. In incorporating new measures, such as registrant contact data verification and the retention of registrant data, it responded to calls for increased registrant accountability from IP rights advocates and law enforcement agencies. 

Under the 2013 RAA, and as of January 1 2014 domain name registrants receive an email domain validation notice in the following circumstances:

  • upon registering a new domain;
  • after transferring a domain name to another registrar;
  • upon changing the first name, last name or email address of a domain owner;
  • when a WHOIS Data Reminder Policy email bounces back; and
  • when the 30-day or five-day domain expiration notice emails bounce back.

All of this looks good on paper, but unfortunately, in the real world, validation emails can be misdirected to spam folders, be missed by domain name administrators or simply not received due to transitory or permanent problems with the contact email address. 

In the event that a domain name registrant does not respond to a WHOIS validation notice within a period ranging from 72 hours to 15 days (depending upon the registrar), the registrar is obliged to suspend the domain name, meaning that the domain name servers and any pointing to a website are disabled. The end result is that a domain name registrant can very easily find its website down, leading to a loss of business and other unpleasant consequences. Certain industry commentators have gone so far as to label the policy potentially more far-reaching and destructive than so-called Denial of Service (DoS) attacks, whereby high-profile web servers are targeted and taken down by hackers. 

There have already been reports of websites such as football betting sitehttp://fixtures365.com and IT and gaming roundup site ‘www.neowin.net suffering downtime, and it has been suggested that it is only a matter of time before a bigger and more high-profile website suffers the same fate. 

Equally problematic is the fact that most of the validation notices require the registrant to click on a link to confirm the validity of the relevant email address. However, clicking on links in unsolicited emails is something that IT professionals and the average internet user alike are strenuously discouraged from doing these days, given the common association of such emails with phishing. As such, even seasoned IT professionals could find themselves caught out by phishing emails as a result of their wish to ensure that the domain names and websites under their charge remain up and running. 

The additional cost to registrars involved in issuing the validation notices and suspending non-compliant customers led to a small outcry by registrar stakeholders at the recent ICANN meeting in Singapore. At this meeting, Tucows CEO Elliot Noss lambasted the ICANN board, stating that the measure had created a “demonstrable burden” for registrants and went on to add: "If you cared to hear operationally you would hear about tens and hundreds of thousands of terrible stories that are happening to legitimate businesses and individuals."

Even ICANN CEO Fadi Chehade stated at the ICANN meeting in Durban in July 2013 that ICANN would not accept any further requests for more WHOIS verification until law enforcement agencies had demonstrated that the current policies had produced benefits. For their part, registrar representatives have stated that they are currently gathering statistics to illustrate the scale of the problem for them and their customers, so it will be interesting to see if this can be offset by tales of the benefits the measures have brought in relation to law enforcement.

The bottom line for domain name registrants is that they should remain extremely vigilant with regard to ensuring that the data associated with their domain name registrations remains up to date and fully functional and that email accounts associated with domain names are regularly monitored. Registrants should make attempts to familiarise themselves with their registrar's procedures and, in case of doubt about the legitimacy of any communications, check with their registrar.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris

Get unlimited access to all WTR content