RealTime IT News

WHOIS Inaccuracies Hampering FTC

The Federal Trade Commission (FTC) needs better WHOIS information to track down Internet scams, one of its top directors told the House Judiciary Subcommittee on Courts, the Internet and Intellectual Property Wednesday.

But finding a solution is a conundrum registrars and registries won't be able to resolve for some time, if ever, said Internet Corporation for Assigned Names and Numbers (ICANN) Director of Communications Mary Hewitt.

WHOIS is a database containing the contact information of every domain owner on the Internet (example here for www.internetnews.com). The information includes domain name owner, phone number and mailing address of the person in charge of the Web site.

J. Howard Beales III, FTC bureau of consumer protection director, said correctly identifying domain owners through the WHOIS is the difference between stopping an illegal operation before too much damage is done and letting the scam artist off the hook.

"It is hard to overstate the importance of accurate WHOIS data to our Internet investigations," he told House members. "In all of our investigations against Internet companies, one of the first tools FTC investigators use to identify wrongdoers is the WHOIS database. We cannot easily sue fraudsters if we cannot find them."

Beales testimony underscores a weakness in the agency's understanding of what ails the WHOIS information process. He points to information privacy for domain owners on the database as a reason for WHOIS inaccuracies, when, in fact, it comes down to a matter of economics.

"A fraudster should not be permitted to hide from law enforcement authorities simply by claiming registration as an individual or by claiming registration for non-commercial purposes," he said.

As it stands today, the validity of contact information is essentially handled on the honor system, given a domain is purchased on a registrar's Web site using a form. Human contact is almost never an option: the Web form automatically reserves the domain for the individual, takes the credit card payment and processes the WHOIS information.

The information provided is included in the domain name's WHOIS account (most registrars opt for a completely transparent system), and should be enough for law enforcement to start tracking down the suspect -- given the information is correct.

The system is perfect for Internet scammers and others who conduct illegal operations on the Internet, such as warez sites, because oversight is non-existent in the beginning. Anything can be submitted on the Web form, and usually is in the case of illegal Web sites.

The only oversight comes after the fact, when a person or law enforcement agency complains of a Web site running a scam or containing bogus WHOIS information. At that point the registrar tries to contact the domain owner and, after an appropriate time for response, shuts down the Web site.

The FTC has asked ICANN to step up and "work with registrars to implement and enforce the provisions of its Registrar Accreditation Agreement that ensure the completeness and accuracy of WHOIS data," but the solution isn't that easy, ICANN's Hewitt said.

The solution would call for a complete overhaul in the registrar process, Hewitt said, from the front-end customer sign-up process to quality assurance staffers to ensure the information given was correct.

"We agree with the FTC that the domains need to be enforced (by the registars) and they need to abide by that, but until there's a less-expensive way for the registrar to verify them," it won't happen, she said.

Earlier this month ICANN issued an advisory to registrars, reminding them of their responsibilities in maintaining up-to-date and factual WHOIS information. The advisory reiterates Hewitt's statements above, namely requiring potential domain name owners to provide factual information and failure to do so would result in the domain's shutdown.