Domain registrars plead for data as websites go dark thanks to whois verification requirements.It has been almost a year since most large domain name registrars have been required to verify certain elements of domain name whois information.
For now, it’s pretty simple. Your registrar sends an email to the whois contact on your domain and asks you to click a button to verify.
It’s simple in theory, anyway. The reality is that people aren’t seeing and aren’t getting these verification emails, which are sent for new registrations and when changes are made to whois records. Over one million domain names have been suspended because their owners didn’t verify.
Suspended domains equal broken websites.
Domain name registrars have been pleading with ICANN to get law enforcement to say what good this is doing. How is this helping them stop criminals? It it helping them enough to justify taking down over one million domain names?
The issue came to a head again at the ICANN meeting in Los Angeles last week after talk of increasing the verification requirements. Registrars might have to do cross-field validation of whois records in the future. This means they will have to verify that the address in whois is correct. This is difficult to do even in the United States, and much harder in some other countries.
Cross-field validation will result in more suspensions, and it would probably significantly increase the cost of registering a domain name.
What good will it do?
During the Registrar Stakeholders Group meeting with ICANN’s board last week, GoDaddy VP of Policy James Bladel asked the board for a status on getting the data from law enforcement that it has been asking for.
Akram Attalah, President of ICANN’s Global Domains Division, tried to quell registrar’s fears about increased validation requirements.
“…We are not going to try to impose things that are not feasible; nobody wins,” he said. “So let’s continue the dialogue and see how we can progress it.”
A continued dialogue is not what registrars were asking for.
Bladel interject, “…I’m sorry. I was specifically asking: Have we requested a statistical analysis of any kind from law enforcement as we were committed to one year ago last summer, that it would be ready by London. So what’s the status of that request?”
“I don’t know of any requests of law enforcement,” Atallah responded. “Law enforcement is not somebody that we can go call and ask them to do this for us. But we could try to approach a few members of law enforcement that we negotiated with and see if they are willing to do that. But I am not very optimistic about this.”
ICANN board member Mike Silber went on the defensive.
“…Law enforcement is not a single entity that you can go to and say, ‘Please deliver the stats’,” he said. “It’s a loose affiliation of law enforcement agencies from a variety of countries who operate in different manners.”
(Later, Jeff Eckhaus of Rightside pointed out that “law enforcement” seemed to be a group when they made their initial requests.)
Silber asked for a “position document” that could be presented to law enforcement agencies. He says he’s “asked twice for the registrars to please give us a position paper that we can start with.”
This was followed by a testy exchange between Silber and ICANN CEO Elliot Noss, with Silber again being defensive:
“Where is the papers? When you guys have asked for other things, I have seen the documents, the letters, the correspondence. Where is it? You were supposed to do that for me last time.”
If he has asked for such a paper, it has not been within the past couple registrar/board pow-wows during ICANN meetings. The registrars have asked for data at both the Singapore and London meetings.
During the Singapore meeting, Silber said ICANN can’t force law enforcement to provide data, but, “Whether they will give us specific metrics in time for London, well, that’s up to them. We can only request it and encourage it.”
Chairman Crocker seems to be on the registrar’s side on this issue. Discussing his interactions with law enforcement when they were making demands, he said:
… I had somewhat regular interactions with some of the law enforcement people ‐‐ I asked the question: And how will we know that this is going to have an effect? What are the metrics, or how do you know? No good answers coming back.
Now we’ve instituted them, and now we’ve seen statistics come about, the measurable harm that is being done to the ‐‐ to us, the good guys, if you will. And, again, we ask the question: How can we tell? And I’ve tried to have sensible conversations at multiple points with various people in law enforcement…
…And the other quite straightforward, pragmatic response that I got in a more recent discussion is they don’t keep statistics that relate to the questions that we’re asking. You cannot go and get crime breakdowns from the FBI or from others that tell you exactly which ones were because of abuse of domain names and so forth.
And therein lies the truth that everyone knows. The registrars know it. The board knows it. Law enforcement knows it: having someone verify their email address isn’t going to cut down on crime.
Neither will verifying physical addresses. Do you think criminals can’t figure out how to look up valid addresses on the internet? Get a free throw away email address and phone number?
The only people hurt by the verification schemes are innocent bystanders.