Domain registrars plead for data as websites go dark thanks to whois verification requirements.
For now, it’s pretty simple. Your registrar sends an email to the whois contact on your domain and asks you to click a button to verify.
It’s simple in theory, anyway. The reality is that people aren’t seeing and aren’t getting these verification emails, which are sent for new registrations and when changes are made to whois records. Over one million domain names have been suspended because their owners didn’t verify.
Suspended domains equal broken websites.
Domain name registrars have been pleading with ICANN to get law enforcement to say what good this is doing. How is this helping them stop criminals? It it helping them enough to justify taking down over one million domain names?
The issue came to a head again at the ICANN meeting in Los Angeles last week after talk of increasing the verification requirements. Registrars might have to do cross-field validation of whois records in the future. This means they will have to verify that the address in whois is correct. This is difficult to do even in the United States, and much harder in some other countries.
Cross-field validation will result in more suspensions, and it would probably significantly increase the cost of registering a domain name.
What good will it do?
During the Registrar Stakeholders Group meeting with ICANN’s board last week, GoDaddy VP of Policy James Bladel asked the board for a status on getting the data from law enforcement that it has been asking for.
Akram Attalah, President of ICANN’s Global Domains Division, tried to quell registrar’s fears about increased validation requirements.
“…We are not going to try to impose things that are not feasible; nobody wins,” he said. “So let’s continue the dialogue and see how we can progress it.”
A continued dialogue is not what registrars were asking for.
Bladel interject, “…I’m sorry. I was specifically asking: Have we requested a statistical analysis of any kind from law enforcement as we were committed to one year ago last summer, that it would be ready by London. So what’s the status of that request?”
“I don’t know of any requests of law enforcement,” Atallah responded. “Law enforcement is not somebody that we can go call and ask them to do this for us. But we could try to approach a few members of law enforcement that we negotiated with and see if they are willing to do that. But I am not very optimistic about this.”
ICANN board member Mike Silber went on the defensive.
“…Law enforcement is not a single entity that you can go to and say, ‘Please deliver the stats’,” he said. “It’s a loose affiliation of law enforcement agencies from a variety of countries who operate in different manners.”
(Later, Jeff Eckhaus of Rightside pointed out that “law enforcement” seemed to be a group when they made their initial requests.)
Silber asked for a “position document” that could be presented to law enforcement agencies. He says he’s “asked twice for the registrars to please give us a position paper that we can start with.”
This was followed by a testy exchange between Silber and ICANN CEO Elliot Noss, with Silber again being defensive:
“Where is the papers? When you guys have asked for other things, I have seen the documents, the letters, the correspondence. Where is it? You were supposed to do that for me last time.”
If he has asked for such a paper, it has not been within the past couple registrar/board pow-wows during ICANN meetings. The registrars have asked for data at both the Singapore and London meetings.
During the Singapore meeting, Silber said ICANN can’t force law enforcement to provide data, but, “Whether they will give us specific metrics in time for London, well, that’s up to them. We can only request it and encourage it.”
Chairman Crocker seems to be on the registrar’s side on this issue. Discussing his interactions with law enforcement when they were making demands, he said:
… I had somewhat regular interactions with some of the law enforcement people ‐‐ I asked the question: And how will we know that this is going to have an effect? What are the metrics, or how do you know? No good answers coming back.
Now we’ve instituted them, and now we’ve seen statistics come about, the measurable harm that is being done to the ‐‐ to us, the good guys, if you will. And, again, we ask the question: How can we tell? And I’ve tried to have sensible conversations at multiple points with various people in law enforcement…
…And the other quite straightforward, pragmatic response that I got in a more recent discussion is they don’t keep statistics that relate to the questions that we’re asking. You cannot go and get crime breakdowns from the FBI or from others that tell you exactly which ones were because of abuse of domain names and so forth.
And therein lies the truth that everyone knows. The registrars know it. The board knows it. Law enforcement knows it: having someone verify their email address isn’t going to cut down on crime.
Neither will verifying physical addresses. Do you think criminals can’t figure out how to look up valid addresses on the internet? Get a free throw away email address and phone number?
The only people hurt by the verification schemes are innocent bystanders.
I would argue that if you own a “live” domain name, then you are the owner and person responsible for a bit of the infrastructure that makes up the Internet. As such, valid and accessible contact information for both abuse complaints, and other issues is vital for the health of the Internet overall. I think it absolutely makes sense that people who create domains must be contactable and accountable for the use of those domain names. If we have no way to verify the contact information, or as a registrar we don’t care to validate that information we end up with what we have today. Millions of domains with invalid whois data, and no way for security people and others to contact the owners when they are hosting malware or the like.
Simply put – Anyone owning Internet infrastructure, domains included, must be contactable for at least security and abuse issues.
i got a verification email today, no idea what registrar it was from or for what domains it was about. it was signed ‘your icann accredited registrar’. it smelled of some kind of phishing scam. the email address was [email protected]. stuff like this is what makes this whole thing not only pointless but potentially dangerous.
Many verification emails are totally blacklisted, or going to spam, most people never even get them. Enom’s don’t even show up half the time.
This is typical “Law Enforcement” modus operandi, appear very much connected as one group when making the request for new laws, and then make self scarce afterwards. The requirement is a scattergun approach as will only catch a few criminals and inconvenience many millions of innocent people. If you are going to lie it makes no difference anyway.
@Chris, the privacy option on domains puts a big hole in that “accessible” argument. How is an owner contactable then? Easy, the complainant obviously goes to the registrar directly if something is being done illegal. Which seems totally logical to me! A registrar can shut down a domain in a flash, so all this policing of domain contacts is stupid (or really another reason). Just look at the peaceful protests in Hong Kong this month. The “authorities” would love to have current up to date info on anyone not touting the party line on their own website. It should be obvious what these security people want with our current details… even when nothing illegal is being done! The news just reported that these same “authorities” now want back door access to our personal phones!
Jz is right.. there is a scam going around spoofing this information.. This system is flaud as criminals are now getting access through these emails.. Dont click on those adds and call your registrar direct. Law enforcement if smart would follow these guys around and catch them but dont click on those emails unless you want a nasty bug on your pc following your research and keystrokes…
Great job of exposing this ridiculous situation!! The whole concept has become ridiculous, fraught with problems and compounded by ICANN lethargic approach to “law enforcement. We’ll done Andrew.
Also the verification system is broken at godaddy.
I made the mistake of transferring a domain to godaddy and have so far received over 5 verification emails to verify my email address (that I obviously already verified when transferring the domain otherwise the domain would have not transferred to godaddy) and I have clicked the link 5 times and godaddy’s website says thanks for verification (so these are not phishing emails) but still the current situation is that a domain I paid over 1000 dollars to buy and which earned 5-10 dollars per week is disabled by godaddy.
ICANN needs to get a grip and mandate that there are no email verification requirements for domains that are already transferred since you can’t transfer a domain unless you have a working email.
These verifications should be per email NOT per domain so once email address is verified all the domains tied to that email are good.
Godaddy needs to also get a grip and fix their email verification which is compounding the problem.
Everybody who is harmed by this ridiculous over the top bureaucracy by ICANN should join together and take ICANN to court and ask for stopping this policy and ask for damages.
If 1000 businesses hurt by ICANN bungling would join together and sue ICANN that would be big news and put some public media pressure on ICANN.
This situation will happen if ICANN does not either fix the email verification mess they caused or stop the email verification alltogether and let the registrars do it like before when creating an account and when transferring domain:
Drudgereport 2015:
Pictures of the whole ICANN board in Drudge Report with the headline:
“These bureaucrats destroyed thousands of businesses through incompetence” and all the ICANN board listed with pictures and names.
ICANN created a bureaucratic non-solution that is destroying thousands of businesses.
This is not right my sites have been down over 2 weeks due to this. They never sent me any emails.