Mr Nobody dodges ICANN WHOIS crackdown

International

The Internet Corporation for Assigned Names and Numbers (ICANN), which has been under considerable pressure for some time from governments and law enforcement agencies around the world to tighten up WHOIS data accuracy, appears to be moving steadily closer to finalising an amended Registrar Accreditation Agreement (RAA) aimed at tackling the problem.

The new RAA should include provisions that introduce an obligation for registrars to verify certain customer data to be listed in a domain name's WHOIS records. Some have predicted that this new RAA will be released in time for the April 2013 ICANN meeting in Beijing, but registrars will be under no obligation to comply until their current RAAs come up for renewal.

Mr Nobody and his friends (eg, Mr N O Body or Mr A Nonimous) actually hold quite a substantial portfolio of domain names, as do a number of fictional cartoon characters. Amusing as this may seem, it can present enormous problems for law enforcement agencies and intellectual property advocates seeking to track down criminals and infringers. Currently, although registrars are obliged to send regular reminders to their customers to maintain accurate WHOIS data, they are under no obligation to carry out any actual checks to ensure the veracity of their customers' published details. 

On September 24 2012 ICANN released an update on the status of the proposed RAA amendments, a set of 12 items including WHOIS data verification, which it has been discussing with its Government Advisory Committee, registrar representatives and law enforcement agencies since 2009. ICANN has reported that the registrars have now agreed to carry out checks on the accuracy of registrants' telephone and/or email addresses with the only point still under contention being whether registrars will be required to verify either email or telephone numbers or only one of these elements, and whether such checks should happen before or after the domain name is registered. ICANN has stated in its update that its negotiation position is "to support post‐resolution verification, provided that registrars verify two points of data (telephone and email)."

Whether they occur before or after registration, it seems that any WHOIS data accuracy checks will be automated processes that, one can only imagine, will have to rely on publicly available sources of data verification, such as online telephone directories and/or an obligation to respond to an email, as many newsletter subscriptions require. It remains unclear, however, how registrars will deal with such things as unlisted numbers or mobile telephone numbers. How, for example, will a registrar in the United States check the telephone number of a registrant in China or India? Naturally, many registrars have decried the additional expense that will be incurred in carrying out such checks and have warned of higher registration prices.

How these changes will square with data protection laws worldwide also remains to be seen. The Article 29 Working Party - a group made up of a representative from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission - has already voiced its concerns in a letter to ICANN dated September 26 2012. In this letter, the group puts the existence of phoney WHOIS details down to "the unlimited public accessibility of private contact details in the WHOIS database" and lays the blame squarely at ICANN's feet for failing to address this root problem. The group even goes on to state that "the proposed new requirement to annually re-verify both the telephone number and the email address and publish these contact details in the publicly accessible WHOIS database is excessive and therefore unlawful".

The new data verification measures will not affect registrars' ability to provide WHOIS privacy services, but other proposed amendments to the RAA are intended to regulate the registrars' obligations with regard to revealing underlying registrant data or even cancelling domain names where a privacy service refuses to reveal underlying data under the appropriate circumstances.

As it seems that the verification of postal addresses or other data elements such as the registrant name is now off the agenda for discussion, Mr Nobody of Nowheresville may yet be able to rest easy - provided he has a functioning email address and/or telephone number. It will be interesting to see how registrars deal with the logistical problems of data accuracy checks if and when the changes become formalised.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris

Get unlimited access to all WTR content