Registering a domain name might become a lot more time intensive in the future.
Negotiations between ICANN and registrars to amend the registrar accreditation agreement are ongoing, and law enforcement agencies are asking for some pretty big changes to how domains are registered today.
Law enforcement proposals relate to verifying whois information and tracking more information about registrants. Law enforcement agencies that have been involved in consultations include:
* Australian Federal Police
* Department of Justice (US)
* Federal Bureau of Investigation (US)
* New Zealand Police
* Royal Canadian Mounted Police
* Serious Organised Crime Agency (UK)
The latest recommendations from law enforcement agencies are:
* In order to register a domain name you’ll need to verify by both email and phone. First you’ll receive an email with a link to a verification page. On that page you’ll enter more information, including your phone number. You will then receive an SMS code or a voice message with a PIN, which you must enter at the registrar’s web site before your domain is added to the zone.
* Law enforcement wants your IP address recorded at time of registration/verification.
* For annual whois updates, registrants will have to take action by completing some form of verification. If you don’t verify or confirm your details, your domain might be suspended. This verification step will also record the registrant’s IP address.
* An alternative suggestion from law enforcement agencies is for ICANN to run a central verification system.
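The registration and annual re-confirmation flow described in the list above, modelled as registrar-side logic in Python. This is an added example, not ICANN’s, any registrar’s or any commenter’s code; the token lifetimes, the three-attempt PIN lock, storing only SHA-256 digests of tokens and PINs, and the `Registration`, `issue_email_link`, `start_registration`, `open_verification_page`, `submit_pin` and `annual_review` names are assumptions made for illustration. It records the registrant’s IP address at each step in an audit list, makes the email link single-use, and suspends a domain whose annual confirmation is not completed.

```python
"""Registrar-side model of the proposed verification flow (added example, not any
registrar's or ICANN's code).  Email link -> verification page -> phone PIN ->
domain activated, with the registrant's IP recorded at each step, plus the annual
whois re-confirmation that suspends the domain when it is not completed.
Timeouts, attempt limits and the hashing scheme are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EMAIL_TOKEN_TTL = 24 * 3600      # assumed: email link valid for one day
PIN_TTL = 10 * 60                # assumed: SMS/voice PIN valid for ten minutes
MAX_PIN_ATTEMPTS = 3             # assumed: lock the PIN after three wrong guesses
ANNUAL = 365 * 24 * 3600         # annual whois re-confirmation window


def _digest(secret: str) -> str:
    """Store only a hash of tokens and PINs so a leaked database holds no live secrets."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Registration:
    domain: str
    email: str
    phone: Optional[str] = None
    status: str = "pending_email"   # pending_email -> pending_phone -> active -> suspended
    token_hash: Optional[str] = None
    token_expires: float = 0.0
    pin_hash: Optional[str] = None
    pin_expires: float = 0.0
    pin_attempts: int = 0
    last_verified: float = 0.0
    audit: List[tuple] = field(default_factory=list)   # (timestamp, event, ip)

    def log(self, now: float, event: str, ip: Optional[str]) -> None:
        self.audit.append((now, event, ip))


def issue_email_link(reg: Registration, now: float) -> str:
    """Create the one-time email link token; returned here in place of sending mail."""
    token = secrets.token_urlsafe(32)
    reg.token_hash = _digest(token)
    reg.token_expires = now + EMAIL_TOKEN_TTL
    reg.status = "pending_email"
    reg.log(now, "email_link_issued", None)
    return token


def start_registration(domain: str, email: str, now: float) -> Tuple[Registration, str]:
    """Step 1: the registrant submits a domain; a pending record and email link are created."""
    reg = Registration(domain=domain, email=email)
    return reg, issue_email_link(reg, now)


def open_verification_page(reg: Registration, token: str, phone: str,
                           ip: str, now: float) -> Optional[str]:
    """Step 2: registrant follows the email link and enters a phone number.
    Returns the PIN that would go out by SMS/voice, or None if the link is invalid."""
    if (reg.status != "pending_email" or reg.token_hash is None
            or now > reg.token_expires
            or not hmac.compare_digest(_digest(token), reg.token_hash)):
        reg.log(now, "email_link_rejected", ip)
        return None
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    reg.phone = phone
    reg.pin_hash = _digest(pin)
    reg.pin_expires = now + PIN_TTL
    reg.pin_attempts = 0
    reg.token_hash = None                       # single use: the link cannot be replayed
    reg.status = "pending_phone"
    reg.log(now, "email_verified_pin_sent", ip)  # IP recorded at verification time
    return pin


def submit_pin(reg: Registration, pin: str, ip: str, now: float) -> bool:
    """Step 3: registrant enters the PIN at the registrar's site; only then is the
    domain added to the zone.  Expired or exhausted PINs force a fresh email link."""
    if reg.status != "pending_phone" or reg.pin_hash is None or now > reg.pin_expires:
        reg.log(now, "pin_rejected", ip)
        return False
    reg.pin_attempts += 1
    if not hmac.compare_digest(_digest(pin), reg.pin_hash):
        reg.log(now, "pin_rejected", ip)
        if reg.pin_attempts >= MAX_PIN_ATTEMPTS:
            reg.pin_hash = None
            reg.status = "pending_email"         # start over with a new email link
            reg.log(now, "pin_locked_restart_required", ip)
        return False
    reg.pin_hash = None
    reg.status = "active"
    reg.last_verified = now
    reg.log(now, "domain_activated", ip)
    return True


def annual_review(reg: Registration, now: float, confirmed_from_ip: Optional[str] = None) -> str:
    """Annual whois reminder: a confirmation (with the confirming IP recorded) renews the
    verification date; no confirmation within a year suspends the domain."""
    if reg.status != "active":
        return reg.status
    if confirmed_from_ip is not None:
        reg.last_verified = now
        reg.log(now, "annual_confirmed", confirmed_from_ip)
    elif now - reg.last_verified > ANNUAL:
        reg.status = "suspended"
        reg.log(now, "suspended_unconfirmed_whois", None)
    return reg.status
```

The state machine only moves a domain to `active` after both the email link and the phone PIN have been accepted, and every acceptance or rejection lands in `reg.audit` with the client IP, which is the record the proposal asks registrars to keep. Because the email token is hashed at rest and cleared on first use, a leaked database or a replayed link does not let anyone complete someone else's verification.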
The silly thing about all of this is that it won’t stop a criminal from doing what he or she does today. Sidestepping these systems is very easy. Just ask anyone who has created a phone verification system how many bogus requests they get from Google Voice phone numbers.
Adding these verification steps will certainly increase the cost of domain registrations and lead to massive cart abandonment at domain registrars.
Of course, this is merely a wish list from law enforcement. We’ll see what happens. You can follow the RAA negotiations here.
John Berryhill says
It is absolutely brilliant that these organizations have finally come up with at least a definite model they want, instead of pounding the table and saying “we want verification” in the absence of any definition of what constitutes “verification”.
Given another two years, the author of this document might even figure out that domain names are transferable from one party to another, and that the current registrant of a domain name is not necessarily the original registrant of that domain name.
And, the policy change to “annual confirm your whois or have the domain name suspended” will be a source of great amusement, when it starts happening to corporate IT departments which use a single email address for all domain registrations, have established corporate protocols for managing domain names based on existing policy, and do not pay a whole lot of attention to the flood of spam which is sent to WHOIS email contacts.
The relevant systems management questions are – what is the target ratio of legitimate registrants who cannot use their domain name to criminal activities reduced by the policy, and what model was used to project that ratio? Of course, there will be no engineering answer to those questions, but I’ll bet that anyone actually familiar with domain registrant behavior knows that the ratio will be well in excess of unity.
rob sequin says
Sounds great. More government. That’s always good for business.
Also, probably just a matter of time before the IRS and local governments assess a value to your domain name and internet business so they can hit you with taxes.
Why not? We all pay real estate and personal property taxes where the town assesses a value.
Vote for Obama and we’ll get all this.
RaTHeaD says
@rob sequin…my biggest fear is that the government will look through all the domains i own and assess their value at $87 dollars total. sure i’d save money on taxes but that would make me sad.
Lily Ngyun says
This is super simple stuff. For years now banks, online email, and eCommerce sites have let people telesign by providing phone verification. You can also see what type of phone the person is using with a phone identification tool to make sure that domain owners provide a mobile or landline instead of a VOIP number.
This protection is good for all of us.
John Berryhill says
The other fantastic and wonderful idea is right here:
“As part of the annual WHOIS data accuracy reminder, registrants must complete an e-mail verification link”
Now, Lily, I want you to pay close attention to me here:
Whenever you receive an email telling you to click on a link and complete the instructions, then I want you to do exactly what that email tells you to do. And I want you to know that you need to click on any link in any email that says your domain name will be deleted if you don’t click on that link and follow the instructions.
Do you understand?
Always click on links in email messages, and then do whatever the webpage tells you to do.
This was seriously the work product of people who profess to know something about internet crime?
Because… why? Some guy got a liberal arts degree, a JD and a badge, and thinks this scheme is not going to be phishing city?
DomainersChoice.com says
“You can also see what type of phone the person is using with a phone identification tool to make sure that domain owners provide a mobile or landline instead of a VOIP number.”
You can buy a prepaid phone on every corner, without providing an ID, so it doesn’t matter if the verification system can detect the difference between landline/mobile and VOIP or not.
Michele says
@Lily
Unless you work for Telesign your comment doesn’t make a whole lot of sense.
@John
It’ll be interesting to hear what some of the security professionals think of a proposal involving clicking on links in emails 🙂
Andrew Allemann says
As a matter of fact, one of the most common phishing scams against Go Daddy is a whois verification request…
John Berryhill says
“You can buy a prepaid phone on every corner”
Yes, but the telecom industry has much better lobbyists. That is why I get telephone fraud and spam calls all day long, and there is no way of ever figuring out who is at the other end of a telephone call with anywhere near the reliability one can currently obtain with domain names and IP addresses.
But, yes, pay cash, get a sterile phone at a location without security cameras – or have someone buy the phone for you – verify your fake whois data, and throw away the phone.
JP says
Soon they will be selling a bypass system in which you pay law enforcement an annual fee and they fingerprint and verify you and give you a code or device or something to use when checking out, so when you buy the domain you can skip the process because you are pre-verified.
Rob says
this is a great idea. may do well to reduce online fraudsters. but i understand some of the potential problems outlined above.
how about this then… instead of verifying individual domains, what about verifying the domain accounts? EVERY account at EVERY registrar must have a valid/verified registrant, email and phone number. these crucial details can only be amended again by verification. going further, unverified accounts cannot register or have domains pushed to them. simple as that. this way, we just need to do it once and then we are back to normal. the fraudsters however will at the very least be inconvenienced considerably, if not thwarted.
i think it’s a small price to pay.
Rob says
oh, and on the topic of buying prepaid phones on every corner… then maybe the rules in the US are a bit slack. in many other countries you need to give photo id to get any kind of sim card.
Domainer Extraordinaire says
>>But, yes, pay cash, get a sterile phone at a location without security cameras
John are you planning a murder? 🙂
Fraud-fighter says
I believe what Lily Ngyun was saying is that the leading companies in their respective verticals are giving users the appropriate additional layer of authentication and security by implementing some form of 2FA (two-factor authentication) where you can telesign into your account, making access to accounts and transaction verification more secure without unreasonable complexity. And I agree, I definitely think this is the way of the future!
Volker says
German Data Protection to the rescue:
http://www.domainnamenews.com/legal-issues/federal-commissioner-for-data-protection-says-law-enforcements-requests-for-new-raa-are-against-german-laws/10779
The link includes a brief summary of the better (and longer) German summary of the review by the German Federal Commissioner on Data Protection.