ICANN sends registrars and domain owners into panic with 2013 RAA

The 2013 Registrar Accreditation Agreement includes new requirements for preserving the accuracy of WHOIS records that run afoul of EU privacy protections, and introduce potential security vulnerabilities.

At the beginning of 2014, the terms of the ICANN (Internet Corporation for Assigned Names and Numbers) 2013 Registrar Accreditation Agreement went into effect, bringing with it a flurry of unintended consequences. With an increased focus on keeping WHOIS records up to date, registrars are now being held to higher standards in verifying the information supplied by registrants. The proscribed way in which verification occurs is ham-fisted, and many registrars in the European Union (EU) have yet to sign the agreement amid concerns that the information collecting requirements are in violation of EU privacy laws.

The bumpy road to legal inquiry

For registrars renewing their agreement with ICANN, the 2013 RAA went into effect on January 1, 2014. The previous registrar accreditation agreement, published in 2009, remains in effect five years from the date it was signed. As such, not all registrars are currently bound to the new rules delineated in the 2013 RAA. Not agreeing to the 2013 RAA presently prevents registrars from selling new top-level domains (TLDs), while allowing the 2009 RAA to lapse prevents registrars from selling global TLDs such as .com. Some registrars, most notably registrars in the EU, are biding their remaining time on the previous agreement.

The reasoning behind this is quite clear. Throughout the process of drafting the 2013 RAA, concerns were raised about the data collection and retention required of registrars violating privacy protection laws in the EU (PDF). The 2013 RAA requires registrars to preserve IP address, transaction details, including credit card data, and telephone numbers of registrants at the time of registration, for 180 days. Cognizant of the issues which this raises for such privacy-minded localities in the EU, ICANN offered waivers on this requirement in October 2013, six months after the final draft of the RAA was published.

In an article at Domain Name Wire, Michele Neylon of Ireland-based Blacknight, notes "That EU based companies need to even go through this process is laughable, as we are effectively being asked to request permission to not break our own laws." Neylon also notes the investment in retaining counsel to document the need for these waivers, while the EU Data Protection Authorities (DPAs) have informed ICANN that "the clauses in question are not compatible."

More accurate WHOIS records for more effective spamming

The changes in the 2013 RAA have effects that reach further than the EU; registrars now face the burden of forcing registrants to supply accurate and up-to-date WHOIS records of registered domains. As part of this initiative, upon receipt of a complaint that the WHOIS data is inaccurate, registrars must contact the registrant and force the registrant to update the data. Failure of the registrant to do so will result in the DNS entries being changed to a parking page until the registrant takes action. The timeframes for this policy vary among registrars; ICANN requires within 14 days, while some registrars, such as, require action to be taken within 72 hours. This new policy has resulted in an interruption in service of PC gaming enthusiast website Neowin, and a soccer betting website owned by British Sky Broadcasting (BSkyB) called Fixtures365.

The mode of verification is email. Naturally, this verification step is a delectable target for email phishing. Emails asking you to update your profile with banks or payment processors have been common for years, and end users are generally conditioned to ignore such requests as being an attempt at identity theft.

Requiring verification for a newly-registered domain is probably a trivial matter, and something that should likely be done during checkout to ease the process. The primary problem lies in the arbitrary requirement to verify a domain well after registration, wherein an easily ignored, suspicious-looking email request to verify WHOIS records (which contain a great deal of personal information) will result in the complete cessation of services until such verification can be achieved. This could be catastrophic for any established website, and presenting a registrar verification page in lieu of the intended content of the website will result in less-informed end users thinking that the website is either illegitimate, or that their computer has been compromised as a result of this action.

This is achieved by changing the DNS entries for the domain in question. Even after verification, domain name holders are still subject to 24-48 hours of unavailability due to the nature of DNS propagation, with no means to recourse for the service interruption. If this length of downtime were to happen at the data center level for a large and well-established website, I expect that trucks would be rented and entire racks would be pulled for preposterously poor performance.

Spam and profiteering in internet startups

The need for public WHOIS data is itself specious. From a personal standpoint, the only correspondence I have received for having public WHOIS records are from unscrupulous registrars looking for me to renew (in reality, transfer) my domains with their service for the low, low price of only $99.99 per year. These solicitations are a minor nuisance at best, and at worst a predatory practice that should be a far higher priority of ICANN to prevent. However, the present preoccupation of ICANN will make the mass harvesting of WHOIS records for spamming purposes a more tantalizing treat for troublemakers.

Getting overly personal

Has your website, or the website of a client, been suspended pending registrar WHOIS verification? Has the disclosure of your personal information resulted in peculiar phone calls at odd hours of the morning? Have offers of domain transfers arrived in your physical mailbox and subsequently your recycling bin? Let us know in the comments section.



James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox