The WHOIS saga continues


For all sorts of reasons there needs to be a list kept somewhere of the names and contact details of everyone who owns an internet domain name. This is what the WHOIS database is meant to be.

A building block 

WHOIS is one of the fundamental building blocks of the internet. It has been around more or less from the beginning of cyberspace. WHOIS is not elaborate. Doesn’t need to be. Comes down to a short online form people fill in to record the relevant information.

Normally one buys a domain name for a limited period of time, say one year but it could be longer. In any event there is an expectation that sooner or later it will have to be renewed. At such a renewal typically the owner will be asked to confirm their contact details, and there is a general expectation that in between times the information is kept up to date. All this is spelled out as best practice or is even stated as a contractual requirement. But…. read on.

The form used for these prosaic purposes first saw the light of day in 1982/3. It was later modified slightly. The one currently in use emerged in 1985, when the internet still existed by fiat of the US Department of Commerce.

Today the management of WHOIS is the responsibility of ICANN, the nearest we have to a world governing body for the internet. Originally ICANN itself was also a creature of the US Department of Commerce. In 2009 ICANN ostensibly broke free and became fully independent. The instrument of its emancipation was the grandly styled “Affirmation of Commitments”. Inter alia, in the Affirmation of Commitments ICANN promised Washington and the rest of the world that WHOIS would provide for the

…..timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.

In giving this promise ICANN’s leadership was merely repeating what for a long time had been publicly accepted should be the basis on which WHOIS operates i.e. it should be correct, complete and available to anyone. So far so obvious, and so sensible.

How hard can that be?

At the time the people giving the promise must have known what a challenge delivering on it could turn out to be. Why? Because  an exceptionally high level of inaccuracies had been discovered within WHOIS  or there was a high degree of opaqueness surrounding many entries. Neither was consistent with the idea of “accessible, accurate and complete”.

An ICANN working party, the WHOIS Policy Review Team, reported in 2011/12. It put the matter beyond peradventure. They estimated there were then about 220 million domain names of which only 23% were fully compliant i.e. accessible, accurate and complete. You’ve got to wonder whether or not a system in which more than three out of four entries are non-compliant can truly be described as a “database”.

The same report found over 45 million entries to be so inaccurate as to render them inaccessible for all practical purposes. There was also said to be evidence that between 20 and 55 million entries in WHOIS were non-compliant because the owners had chosen to utilise an “anonymising” or proxy service to mask some or all of their contact information.

Law enforcement often cannot get to first base

Thus in a great many cases where a criminal investigation needed to be instigated and it was necessary to determine who the owners of a particular web site might be, law enforcement officers could only get to first base if they were willing and able to deploy potentially complex, time-consuming and expensive technical and legal measures to uncover a truth that should have been there and available to them free in an instant.

Police forces from around the world were constantly berating ICANN about this situation because, in effect, it meant large numbers of cases that ought to have been investigated simply weren’t.

As we can see, in one part of the forest we have companies and organizations using up resources, going to a lot of trouble to advise us how to avoid being scammed and cheated by internet based criminals, or asking us to report illegal content we find on their virtual properties, while elsewhere a different set of companies and organizations are aiding and abetting the same rogues. You couldn’t make it up.

Incidentally, and I guess this is self-evident, but wherever I have referred to the difficulties faced by law enforcement then, of course, it could apply equally to private individuals or private entities who have an issue they want to take up with someone they think is infringing their rights or harming them in some other way.

Mr Carr goes to Brussels

Most of the bad guys hang out in the big generic and top level domains. As already mentioned, ICANN issues model terms which it asks to be applied throughout the supply chain but ICANN has never mandated any of its agents who work in the generic and top level domains space to verify or authenticate any of it. Neither has ICANN stepped in to ban or regulate anonymising or proxy services. In other words all the difficulties I have referred to were created entirely by ICANN alone or by its predecessors.

The only full ICANN meeting I have ever attended was in 2010 in Brussels. I appeared before its Government Advisory Committee (GAC). I was alongside the FBI and SOCA, with INTERPOL supporting. We were all saying the same thing: WHOIS is a disgrace. It is providing unwarranted cover for child pornographers, paedophiles and all manner of online villains. Deal with it quickly and deprive them of their refuge.

Who benefits?

With all the cleverness, power and resources available to the internet industry you would have thought something as simple as this could be solved very rapidly if there was any real appetite so to do.

Therein lies the problem. There is no such appetite and never has been. You don’t have to look too far to work out the reason. Money.

ICANN in effect is owned by the Registries and Registrars. They provide the great bulk of its finances. The status quo is just fine for them. Too many Registries and Registrars believe  any measures which make buying or renewing a domain name more time consuming, complicated or expensive will lead to a signigicant drop in their revenues. Why change a winning formula?

Evidence is always important, except when it isn’t

Given how often you hear ICANN people and their camp followers insisting on the importance of evidence in decision-making the absence of any published studies on the price elasticity of demand in the domain name business, and the paucity of data pointing to the likely consequences of insisting on more or better authentication of the identity of owners is truly remarkable.

Vested interest v public interest

Crucially, where does the public interest lie in this debate? It is clear to me the status quo is beyond the pale. The public interest unambiguously lies in there being traceable owners for every domain name. I accept there may be instances where ownership details could legitimately be withheld from an otherwise completely open database. That is a different matter. But there is no excuse at all for accepting or being indifferent towards lies, much less is there any merit in making a virtue out of lying, as do some of the defenders of the present arrangements.

Will the world economy or any national economy noticeably falter or deteriorate further, will the next Facebook, Google or eBay not materialize because a domain name costs US$8 instead of US$5 or if it takes 15 minutes for a final confirmation to be emailed through instead of 15 seconds?

Do we imagine that a totalitarian Government anxious to locate dissidents, or a powerful multinational keen to identify whistle blowers, will be long delayed in finding them because they had registered a domain name as belonging to Mickey Mouse? Police officers might lack the time or resources to do the needful. These sorts of cats do not.

I don’t think the internet exists solely to enrich the vested interests which are Registries and Registrars, but let’s say we accept it is important broadly to maintain their current income levels. Are there no other ways that could be achieved? Ones which do not depend upon a continuation of the present fiasco?

By how much would prices need to increase to finance the sort of robust online authentication systems now taken for granted, for example, by the UK’s gambling industry? If everybody had to do authentication nobody could gain a competitive advantage by not doing it or by only doing it half-heartedly. If the current prices of domain names were increased by 10%, 20%, 50%, 100%, 250% or whatever what would the impact be on demand and how would that feed through into the bottom line for Registries and Registrars?

If we cannot find an acceptable answer that the Registries and Registrars can live with maybe we will just have to look for an entirely different model to establish and maintain an efficient domain name distribution and management system, one that serves us all rather than the few who live off its fat?

Jet lag can do strange things to a guy

Not that long ago I met a senior official of ICANN at an event. I am not going to name the poor bloke because I sort of wondered if jet lag had got the better of him. It would be unfair of me to take advantage of someone who might temporarily have been almost non compos mentis. Anyway we were both at a Reception. His badge said he was from ICANN. I wasn’t wearing one and I had arrived late so hadn’t been announced or introduced. I walked up to this ICANN guy and asked what he thought about the WHOIS problem, and specifically about the promise to put it right made in the Affirmation of Commitments. I’m paraphrasing but in essence his reply was as follows

We had to give that promise to get the Affirmation of Commitments signed and out the door. No one really meant it, at least not on our side of the fence. It’s too disruptive of the existing business models on which major interests within ICANN are based.

More recently, at the IGF in Baku in early November, I attended a meeting where another ICANN big wig was present. He most certainly did not say anything even approximating to what his incautious confrère had said earlier but nonetheless he did raise questions about whether or not WHOIS is any longer fit for purpose. He said we ought now to look at who needs to know what about domain name owners and under what circumstances should particular interests e.g. law enforcement, be able to access some or all contact information?


I have to say the arguments advanced to justify this change of tack sounded plausible, even convincing, but I instinctively react against ICANN declaring a wish to change rules they  willingly signed up to not that long ago. In everything else they have done in this field they seem to have been driven solely by the narrow self interests of their paymasters. Why should it be any different now? ICANN and its acolytes plainly would rather not have to kill the golden goose at all but if they must they are going to do their best to ensure it has a long, slow and deliberate death. In that context suddenly deciding to embark upon a whole new way of looking at WHOIS sounds suspiciously like a pretext for further unwarranted, inordinate delay.

I was not deflected from this opinion to any appreciable degree when I read the ICANN Board Submission on their proposed response to the report of the WHOIS Policy Review Team. The response seems to me to be a model of non-communication, and it comes replete with Orwellian gaps in the texts, redactions which force you to ask where the words have gone and why?

Hubris! Thy name is ICANN

ICANN probably feels it is pretty much impregnable. For the reasons given the Registries and Registrars have blurred vision. The only other significant pole of authority within ICANN is the GAC. Sadly it may be beyond the political capacity of the GAC to speak in a sufficiently united way to get the ICANN Board to move, although I would not entirely bank on it.

If not the GAC or anyone else within ICANN then who? Beyond the bubble or magic circle that is ICANN no one seems to care enough about (geeky) WHOIS. No one feels it is their responsibility to push for a solution. The ball is always in someone else’s court. However, for as long as the shambles that is WHOIS continues the more it will fuel those who have quite different ambitions for the future management of the internet. It is a future in which ICANN might have no part at all.

This is not as hard as many would have us believe

To conclude, I have a couple of straightforward questions:

  1. Does ICANN intend to ensure that all of ICANN’s agents are obliged, both at the point of initial purchase and at all subsequent renewals, to ensure that they and their sub-agents collect, verify and maintain all necessary contact data for all existing domain name owners and all new ones? If “yes”, when will this be completed by, if “no”, why?
  2. Does ICANN intend to amend the promise given in the Affirmation of Commitments at least to the extent of setting out the terms on which anonymising or proxy services may operate or be offered?If “yes”, when will the announcement be made, if “no”, why?

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised.
This entry was posted in Consent, Default settings, ICANN, Internet governance, Regulation, Self-regulation. Bookmark the permalink.