WHOIS Inaccuracies Hampering FTC

The Federal Trade Commission (FTC) needs better WHOIS information to track
down Internet scams, one of its top directors told the House Judiciary
Subcommittee on Courts, the Internet and Intellectual Property Wednesday.

But finding a solution is a conundrum registrars and registries won’t be
able to resolve for some time, if ever, said Internet Corporation for
Assigned Names and Numbers (ICANN) Director of Communications Mary Hewitt.

WHOIS is a database containing the contact information of every domain
owner on the Internet (example here for www.internetnews.com). The information includes domain name
owner, phone number and mailing address of the person in charge of the Web
site.

J. Howard Beales III, FTC bureau of consumer protection director, said
correctly identifying domain owners through the WHOIS is the difference
between stopping an illegal operation before too much damage is done and
letting the scam artist off the hook.

“It is hard to overstate the importance of accurate WHOIS data to our
Internet investigations,” he told House members. “In all of our
investigations against Internet companies, one of the first tools FTC
investigators use to identify wrongdoers is the WHOIS database. We cannot
easily sue fraudsters if we cannot find them.”

Beales testimony underscores a weakness in the agency’s understanding of
what ails the WHOIS information process. He points to information privacy
for domain owners on the database as a reason for WHOIS inaccuracies, when,
in fact, it comes down to a matter of economics.

“A fraudster should not be permitted to hide from law enforcement
authorities simply by claiming registration as an individual or by claiming
registration for non-commercial purposes,” he said.

As it stands today, the validity of contact information is essentially
handled on the honor system, given a domain is purchased on a registrar’s
Web site using a form. Human contact is almost never an option: the Web
form automatically reserves the domain for the individual, takes the credit
card payment and processes the WHOIS information.

The information provided is included in the domain name’s WHOIS account
(most registrars opt for a completely transparent system), and should be
enough for law enforcement to start tracking down the suspect — given the
information is correct.

The system is perfect for Internet scammers and others who conduct illegal
operations on the Internet, such as warez
sites
, because oversight is non-existent in the beginning. Anything
can be submitted on the Web form, and usually is in the case of illegal Web
sites.

The only oversight comes after the fact, when a person or law enforcement
agency complains of a Web site running a scam or containing bogus WHOIS
information. At that point the registrar tries to contact the domain owner
and, after an appropriate time for response, shuts down the Web site.

The FTC has asked ICANN to step up and “work with registrars to implement
and enforce the provisions of its Registrar Accreditation Agreement that
ensure the completeness and accuracy of WHOIS data,” but the solution isn’t
that easy, ICANN’s Hewitt said.

The solution would call for a complete overhaul in the registrar process,
Hewitt said, from the front-end customer sign-up process to quality
assurance staffers to ensure the information given was correct.

“We agree with the FTC that the domains need to be enforced (by the
registars) and they need to abide by that, but until there’s a
less-expensive way for the registrar to verify them,” it won’t happen, she
said.

Earlier this month ICANN issued an advisory to registrars, reminding them
of their responsibilities in maintaining up-to-date and factual WHOIS
information. The advisory reiterates Hewitt’s statements above, namely
requiring potential domain name owners to provide factual information and
failure to do so would result in the domain’s shutdown.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web