
ICANN sends registrars and domain owners into panic with 2013 RAA

The 2013 Registrar Accreditation Agreement includes new requirements for preserving the accuracy of WHOIS records that run afoul of EU privacy protections and introduce potential security vulnerabilities.
 
 
At the beginning of 2014, the terms of the ICANN (Internet Corporation for Assigned Names and Numbers) 2013 Registrar Accreditation Agreement went into effect, bringing with them a flurry of unintended consequences. With an increased focus on keeping WHOIS records up to date, registrars are now being held to higher standards in verifying the information supplied by registrants. The prescribed way in which verification occurs is ham-fisted, and many registrars in the European Union (EU) have yet to sign the agreement amid concerns that the information-collection requirements are in violation of EU privacy laws.

The bumpy road to legal inquiry

For registrars renewing their agreement with ICANN, the 2013 RAA went into effect on January 1, 2014. The previous registrar accreditation agreement, published in 2009, remains in effect for five years from the date it was signed. As such, not all registrars are currently bound to the new rules delineated in the 2013 RAA. Not agreeing to the 2013 RAA presently prevents registrars from selling new top-level domains (TLDs), while allowing the 2009 RAA to lapse prevents registrars from selling global TLDs such as .com. Some registrars, most notably registrars in the EU, are biding their remaining time on the previous agreement.

The reasoning behind this is quite clear. Throughout the process of drafting the 2013 RAA, concerns were raised that the data collection and retention required of registrars would violate privacy protection laws in the EU. The 2013 RAA requires registrars to preserve the IP address, transaction details (including credit card data), and telephone numbers of registrants at the time of registration, for 180 days. Cognizant of the issues this raises for privacy-minded localities in the EU, ICANN offered waivers on this requirement in October 2013, six months after the final draft of the RAA was published.

In an article at Domain Name Wire, Michele Neylon of Ireland-based Blacknight notes, "That EU based companies need to even go through this process is laughable, as we are effectively being asked to request permission to not break our own laws." Neylon also notes the investment in retaining counsel to document the need for these waivers, while the EU Data Protection Authorities (DPAs) have informed ICANN that "the clauses in question are not compatible."

More accurate WHOIS records for more effective spamming

The changes in the 2013 RAA have effects that reach further than the EU; registrars now face the burden of forcing registrants to supply accurate and up-to-date WHOIS records for registered domains. As part of this initiative, upon receipt of a complaint that the WHOIS data is inaccurate, registrars must contact the registrant and force the registrant to update the data. Failure of the registrant to do so will result in the DNS entries being changed to a parking page until the registrant takes action. The timeframes for this policy vary among registrars; ICANN requires action within 14 days, while some registrars, such as Domain.com, require action to be taken within 72 hours. This new policy has resulted in interruptions in service for PC gaming enthusiast website Neowin and for Fixtures365, a soccer betting website owned by British Sky Broadcasting (BSkyB).

The mode of verification is email. Naturally, this verification step is a delectable target for email phishing. Emails asking you to update your profile with banks or payment processors have been common for years, and end users are generally conditioned to ignore such requests as being an attempt at identity theft.

Requiring verification for a newly-registered domain is probably a trivial matter, and something that should likely be done during checkout to ease the process. The primary problem lies in the arbitrary requirement to verify a domain well after registration, wherein an easily ignored, suspicious-looking email request to verify WHOIS records (which contain a great deal of personal information) will result in the complete cessation of services until such verification can be achieved. This could be catastrophic for any established website, and presenting a registrar verification page in lieu of the intended content of the website will result in less-informed end users thinking that the website is either illegitimate, or that their computer has been compromised as a result of this action.

The suspension is achieved by changing the DNS entries for the domain in question. Even after verification, domain name holders are still subject to 24-48 hours of unavailability due to the nature of DNS propagation, with no means of recourse for the service interruption. If this length of downtime were to happen at the data center level for a large and well-established website, I expect that trucks would be rented and entire racks would be pulled for preposterously poor performance.

Spam and profiteering in internet startups

The need for public WHOIS data is itself specious. From a personal standpoint, the only correspondence I have received for having public WHOIS records is from unscrupulous registrars looking for me to renew (in reality, transfer) my domains with their service for the low, low price of only $99.99 per year. These solicitations are a minor nuisance at best, and at worst a predatory practice that should be a far higher priority of ICANN to prevent. However, the present preoccupation of ICANN will make the mass harvesting of WHOIS records for spamming purposes a more tantalizing treat for troublemakers.

Getting overly personal

Has your website, or the website of a client, been suspended pending registrar WHOIS verification? Has the disclosure of your personal information resulted in peculiar phone calls at odd hours of the morning? Have offers of domain transfers arrived in your physical mailbox and subsequently your recycling bin? Let us know in the comments section.

 

About

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware. James is currently an education major at Wichita State University in Kansas.

4 comments
Freelancealot

Yes, unfortunately we had a client whose business website and email went down about ten days ago. As soon as the client contacted us to say his email wasn't working, we tracked it down to the domain being suspended. Turned out the verification email went to an old Hotmail address the client no longer used. We were able to log in to the registrar control panel and request another verification email be sent to his new email address. Luckily the process was very quick and our client's website was up and running within about 20 minutes. But there was a mad panic to check our own domains and those of our clients---all were okay as it turned out. So far anyway.


Not sure exactly how they are allowed to suspend a domain name resulting in businesses being blocked from their email communications and effectively stopping an online service operating their business when the owner of the domain hasn't done anything but not receive an email from ICANN.


It's certainly not a great way for ICANN to make friends with business owners. 


Tracy

ttsquare

James - so, why is ICANN pursuing this WHOIS accuracy? What is the rationale? Clearly there are consequences, which you show, but there is no explanation of the potential benefit driving the ICANN rule.

ttsquare

James - So, why is ICANN so focused on this WHOIS accuracy? While I understand the consequences, which were clearly shown, at no point was the 2013 RAA rationale explained. What does ICANN think they are achieving with this?

jackinthebox100

@Freelancealot How they're allowed is very simple. It is their property, why wouldn't they be allowed to control their services? You talk about them stopping your client's business except you don't realize that it's irrelevant whether it's a business making billions of dollars using ICANN's services or if someone's using it to host a blog read by 3 people, they are still using another company's services and are bound by the rules in the contracts they agreed to in order to use ICANN's services. Your client broke a rule which comes with his domain name being suspended until it's fixed, all stipulated in the contract he agreed to when he decided to use ICANN's services. If your clients relied on you to make sure all the rules were followed then they should fire you for not doing your job. Just like you don't stick with an accountant that can't properly do their job because the client ends up being the one that gets screwed by the help's incompetence.

The internet is not run by a government. You have no legal rights to ICANN's services nor do they have any legal requirement to provide you with their services. Just because you make your business reliant on ICANN's services doesn't mean you have some kind of right to them. It is a risk for any business to be reliant on another business's services and the greater the reliance the greater the risk.



If someone doesn't like ICANN's rules they are free to not use their services. Just because 99.99% of the world's networks use ICANN's DNS services and IP address allocations doesn't mean you have to. You're free to build a network with your own DNS services and IP address allocations if you want complete control over it, but if you're gonna use ICANN's then you play by their rules (which btw are all spelled out and agreed to when you decide to use their services).
