At the beginning of 2014, the terms of the ICANN (Internet
Corporation for Assigned Names and Numbers) 2013 Registrar Accreditation Agreement went into effect, bringing with it a
flurry of unintended consequences. With an increased focus on keeping WHOIS
records up to date, registrars are now being held to higher standards in
verifying the information supplied by registrants. The
prescribed way in which verification occurs is ham-fisted, and many registrars
in the European Union (EU) have yet to sign the agreement amid concerns that the
information-collection requirements violate EU privacy laws.

The bumpy road to legal inquiry

For registrars renewing their agreement with ICANN, the 2013
RAA went into effect on January 1, 2014. The previous registrar accreditation
agreement, published in 2009, remains in effect five years from the date it was
signed. As such, not all registrars are currently bound to the new rules
delineated in the 2013 RAA. Not agreeing to the 2013 RAA presently prevents registrars from selling new top-level domains
(TLDs), while allowing the 2009 RAA to lapse prevents registrars from selling
global TLDs such as .com. Some registrars, most notably registrars in the
EU, are biding their remaining time on the previous agreement.

The reasoning behind this is quite clear. Throughout the
process of drafting the 2013 RAA, concerns were raised that the data collection and retention required of registrars would violate privacy protection laws in the EU. The 2013 RAA requires
registrars to preserve IP address, transaction details, including credit card
data, and telephone numbers of registrants at the time of registration, for 180
days. Cognizant of the issues which this raises for such privacy-minded
localities in the EU, ICANN offered waivers on this requirement in
October 2013, six months after the final draft of the RAA was published.

In an article at Domain Name Wire, Michele Neylon of Ireland-based Blacknight notes: “That EU based
companies need to even go through this process is laughable, as we are
effectively being asked to request permission to not break our own laws.” Neylon
also notes the investment in retaining counsel to document the need for these
waivers, while the EU Data Protection Authorities (DPAs) have informed ICANN
that “the clauses in question are not compatible.”

More accurate WHOIS records for more effective spamming

The changes in the 2013 RAA have effects that reach further
than the EU; registrars now face the burden of forcing
registrants to supply accurate and up-to-date WHOIS records of registered
domains. As part of this initiative, upon receipt of a complaint that the WHOIS
data is inaccurate, registrars must contact the registrant and force the
registrant to update the data. Failure of the registrant to do so results in the DNS entries being changed
to point at a parking page until the registrant takes action. The timeframes for
this policy vary among registrars; ICANN requires action within 14 days, while some
registrars, such as Domain.com, require
action to be taken within 72 hours. This new policy has resulted in an interruption
in service of PC gaming enthusiast website Neowin, and a soccer betting website owned by British Sky Broadcasting (BSkyB)
called Fixtures365.

Verification is performed by email, which makes this verification step a natural
target for email phishing. Emails asking you to update your profile with banks
or payment processors have been common for years, and end users are
generally conditioned to ignore such requests as being an attempt at identity
theft.

Requiring verification for a newly-registered domain is
probably a trivial matter, and something that should likely be done during
checkout to ease the process. The primary problem lies in the arbitrary
requirement to verify a domain well after registration, wherein an easily
ignored, suspicious-looking email request to verify WHOIS records (which
contain a great deal of personal information) will result in the complete cessation of services until
such verification can be achieved. This could be catastrophic for any
established website, and presenting a registrar verification page in lieu of
the intended content of the website will result in less-informed end users thinking that the website is either illegitimate, or that their computer has been compromised as a result of this action.

The suspension is achieved by changing the DNS
entries for the domain in question. Even after verification, domain name
holders are still subject to 24-48 hours of unavailability due to the nature of
DNS propagation, with no recourse for the service interruption. If
this length of downtime were to happen at the data center level for a large and
well-established website, I expect that trucks would be rented and entire racks
would be pulled for preposterously poor performance.

Spam and profiteering in internet startups

The need for public WHOIS data is itself specious. From a
personal standpoint, the only correspondence I have received for having public
WHOIS records are from unscrupulous registrars looking for me to renew (in reality, transfer) my domains with
their service for the low, low price of
only $99.99 per year. These solicitations are a minor nuisance at best, and
at worst a predatory practice that should be a far higher priority of ICANN to
prevent. However, the present preoccupation of ICANN will make the mass
harvesting of WHOIS records for spamming purposes a more tantalizing treat
for troublemakers.

Getting overly personal

Has your website, or the website of a client, been suspended
pending registrar WHOIS verification? Has the disclosure of your personal
information resulted in peculiar phone calls at odd hours of the morning? Have
offers of domain transfers arrived in your physical mailbox and subsequently
your recycling bin? Let us know in the comments section.