WHOIS Background Information

          Provided to the WHOIS Policy Review Team by

           Liz Gasster, Senior Policy Counselor, ICANN Policy Support

           Pam Little, Senior Director, ICANN Contractual Compliance

           Denise Michel, Advisor to ICANN President & CEO

1.  Background

2.  Selected Whois Accuracy Work by Compliance

3.  Overview of Selected Whois Policy Activity (historical)

4.  Overview of Current Whois Policy Activity

5.  IANA and Whois

6.  Two Whois-related sessions in Cartagena

7.  Additional Information

Annex A -- Links to Other Reports and References

Annex B -- Status of GNSO Council-requested WHOIS studies – November 2010 Update

Annex C -- Adoption of RAA Revisions

________________________________________________________________________________________________________________________________________________

1.  Background

1.1 General

  • Whois protocol is ~25 years old (RFCs 812/954/3912 from 2004) (Use IETF RFC "quick search" for RFC text)
  • ICANN requirements for gTLD registries and registrars are largely unchanged since 1999
  • 10+ years of task forces, working groups, workshops, surveys and studies have resulted in a few policy changes (see Section III -- Overview of historical Whois policy activity)
  • Basic policy issues of concern: access,  accuracy, privacy, obsolescence of protocol, costs to change
  • General Policy Page on Whois:  http://gnso.icann.org/issues/whois/

1.2  Whois Registry Data ("thick" vs. "thin"):

  • "Thin" registries display technical data (e.g., nameservers, expiration/creation dates, registrar)
  • "Thick" registries display technical and personal data (e.g., contact names, addresses, email addresses, telephone numbers)
  • gTLD registrars display technical and personal data for all names in Whois
  • Thick registries promote SRS continuity in event of failed/non-compliant registrars

1.3  Registrar Accreditation Agreement (RAA) Registrar Obligations: 

  • Provide free access via webpage and a port 43 service
  • Eight Whois data elements
  • Comply with any Whois specification or policy
  • Provide third-party bulk access
  • Maintain Whois for 3 years
  • Escrow data with ICANN approved escrow agent
  • Freeze data in certain UDRP disputes
  • Take reasonable steps to investigate and correct inaccuracy claims

1.4  RAA Registrant Obligations:

  • Provide accurate and reliable Whois contact details
  • Failure to do so shall constitute a breach and is grounds for cancellation of the domain name
  • Licensor to a third party (i.e., proxy or privacy service) is the Registered Name Holder of record
  •  Licensor must disclose privacy data given evidence of harm or be liable

2.  Selected Whois Accuracy Work by Compliance

2.1 Compliance Complaint Escalation Process:  http://www.icann.org/en/compliance/archive/compliance-newsletter-200805.html#escalation

2.2 Registrar Whois Data Inaccuracy Investigation Audit: http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf

2.3 Registrar Website Compliance Audit (including web-based Whois service): http://www.icann.org/en/compliance/reports/registrar-web-compliance-audit-report-17may07.htm

2.4 Registrar Data Escrow Program:

http://www.icann.org/en/announcements/announcement-2-09nov07.htm

http://www.icann.org/en/compliance/archive/compliance-newsletter-200805.html#advisory

https://charts.icann.org/public/index-registrar-escrow.html

2.5 Whois Data Reminder Policy (WDRP) Audit: 

http://www.icann.org/en/compliance/reports/contractual-compliance-report-27feb09-en.pdf

http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-29jul08-en.pdf

http://www.icann.org/en/whois/wdrp-report-30nov06.pdf

http://www.icann.org/en/whois/wdrp-survey-report-30nov05.pdf

2.6 Registrar Advisory Concerning Whois Data Accuracy: http://www.icann.org/en/announcements/advisory-10may02.htm

2.7 Registrar Advisory Concerning the "15-day Period" in Whois Accuracy:  Requirements:  http://www.icann.org/en/announcements/advisory-03apr03.htm

2.8 ICANN Whois Data Reminder Policy: http://www.icann.org/en/registrars/wdrp.htm

2.9 Draft Report for the Study of the Accuracy of WHOIS Registrant Contact Information: http://www.icann.org/en/announcements/announcement-3-15feb10-en.htm

2.10 Study on the Prevalence of Domain Names Registered Using a Privacy or Proxy Registration Service: http://www.icann.org/en/announcements/announcement-14sep10-en.htm

3.  Overview of Selected Whois Policy Activity (historical)

3.1 GNSO Policy Work (please see Whois Policy web page for complete listing)

  • 2001 – 2002 – Whois Task Force -- Mission to consult with community to determine whether a review of WHOIS policy is due and, if so, how best to address.  Conducted survey described further just below.
  • 2002 -- Whois Task Force Final Report on Survey Findings to the DNSO Names Council -- Results of survey of registrants and users of Whois about how and why they use it, the utility of data, key concerns about accuracy, uniformity, searchability use of public data for marketing, privacy.
  • 2002 – 2004 – GNSO convened three Whois task forces as follows:
    • Whois Task Force 1 -- Charged with determining how best to protect registrant contact data from mining for marketing. Led to Board approval of a new consensus policy prohibiting bulk access to Whois for marketing purposes (see Board action on 27 March 2003 below).
    • Whois Task Force 2 -- Purpose was to determine:
      • How best to inform registrants that their domain registration information is publicly available and options they have to restrict access and/or receive notification of its use?
      • What changes, if any, should be made to the data elements that must be collected at registration to achieve an acceptable balance between access and privacy protection?
      • Should registrants be allowed to block selected contact information from public access, and if so, what elements, by which registrants, and what contractual changes (if any) are required?
    • Whois Task Force 3 -- Charged with developing mechanisms to improve the quality of contact data collected at registration.
  • 2003 (27 March) -- The ICANN Board approved four policy recommendations on Whois from the GNSO:
    1. Establishment of an annual "Data Reminder Policy", designed to improve Whois accuracy (this was implemented effective 31 October 2003);
    2. A Restored Names Accuracy Policy that applies when names have been deleted on the basis of submission of false contact data or non-response to registrar inquiries, also intended to improve Whois accuracy (effective date 12 November 2004);
    3. A prohibition against bulk access to Whois information for marketing purposes; and
    4. Additional prohibitions against resale or redistribution of bulk WHOIS data by data users (both #3 and #4 were effective 12 November 2004).
  • 2005 – (June) – GNSO Council combined remaining work of three TFs into a single Task Force to:
    1. Define the purpose of WHOIS in the context of ICANN's mission and core values, international and national privacy laws, and other specified factors; and
    2. Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected.
  • 2006 – (15 March) -- Preliminary Task Force Report on the Purpose of Whois and of Whois Contacts -- Looked at the purpose of WHOIS contacts (registered name holder, administrative and technical contacts); what data should be publicly accessible and how to access data that is not publicly accessible; and how to improve the process for investigating and correcting inaccurate data.
  • 2007 – (12 March) -- Final Task Force Report on Whois Services -- In the course of deliberation, several Registrars offered an "Operational Point of Contact (OPOC)" proposal, in which every registrant would identify an operational contact who would be identified in WHOIS in lieu of the registrant's information currently displayed. In case of an issue with the domain name, the OPOC would contact the registrant to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name. When the GNSO Council met on 28 March 2007, it created a WHOIS Working Group to further examine the OPOC proposal. The Council considered the results of that report on 31 October 2007, and opted to pursue further studies of Whois rather than recommend to the Board that the OPOC proposal be adopted.
  • 2007 -- (31 October) -- The GNSO Council rejected the Operational Point of Contact proposal and decided, based on input from the GAC and others, that studies of Whois should be conducted to inform future policy development. The Council solicited community recommendations and received over 40 suggestions, including 17 from the GAC (see more on Whois studies in 4.1 below).
  • 2008 -- (17 January) -- Implementation date -- ICANN Procedure For Handling WHOIS Conflicts with Privacy Law .  Effort began in 2003, when WHOIS TF 2 recommended developing a procedure to allow gTLD registry/registrars to demonstrate when they are prevented by local laws from complying with ICANN contract terms regarding personal data in WHOIS. In November 2005, the GNSO concluded a PDP recommending such a procedure. On 10 May 2006, it was approved by the ICANN Board which directed ICANN staff to develop and publicly document a procedure.  This is the completion of that work.
  • 2008 -- (March - May) -- The GNSO Council convened a study group to recommend which studies to analyze for costs and feasibility.  No agreement reached on whether further studies should be done.
  • 2008 -- (July – August) -- Another small group was convened to rework the proposals for studies, including the GAC proposals, into testable hypotheses. See current work on Whois studies 4.1 below.

 3.2  Selected SSAC Reports on Whois: 

3.3  Selected GAC Communiqués on Whois:

4.  Overview of Current Whois Policy Activity

4.1  Whois studies:

The GNSO Council is undertaking studies of WHOIS.  Topics include:

  • Misuse of public WHOIS Data – GMSO Council decided 8 September 2010 to proceed with this study
  • Registrant Identification Information – Under consideration by the GNSO Council
  • Proxy and Privacy "Abuse" – Under consideration by the GNSO Council
  • Proxy and Privacy "Relay" and "Reveal" – RFP pending, deadline of 30 November for responses.

The Board approved FY 2011 budget contains at least the Council-recommended funding of $400,000 for studies. The Council is considering further which additional studies should be done.

See Annex B for updated status of study areas.

4.2  Proposed Whois Amendments to the RAA:

A joint GNSO-ALAC working group on 18 October 2010 completed a Final Report on Improvements to the RAA in which they identify quite a number of Whois related changes to the RAA that most working group participants view as a high or medium priority to improve.  Though there was not full consensus on these points, following are some examples of Whois related changes that were viewed by many WG members as important to consider:

  • Strengthening the obligations of proxy and privacy service providers to "relay" or reveal" contact information about the registered name holder or licensee of the domain
  • Require Registrars to cancel registrations made by proxy and privacy services for non-compliance with relay and reveal
  • Define circumstances under which Registrar is required to cancel registration for false Whois data and set reasonable time limits for Registrar action
  • Spell out registrar "verification" process after receiving false Whois data report
  • Require links to Whois Data Problem Reporting System on Whois results pages and on registrar home page
  • Service Level Agreement on Whois availability

The GNSO Council will discuss next steps at its upcoming meeting in Cartagena.

ICANN Staff provided input to the WG:  

4.3  Joint SSAC-GNSO Working Group on Whois Internationalized Registration Data:

In June 2009 the ICANN Board approved a resolution (2009.06.26.18) requesting that the GNSO and SSAC  convene an Internationalized Registration Data Working Group (IRD-WG) comprised of individuals with knowledge, expertise, and experience in this area to study the feasibility and suitability of introducing display specifications to deal with the internationalization of registration data.  An interim report will be presented in Cartagena (see summary and link below).

4.4  July 2010 -- Recent WHOIS Service Requirements Inventory Report to the GNSO Council --

In May 2009, the GNSO Council requested that staff collect and organize a comprehensive list of potential WHOIS service requirements, based on current policies and previous policy discussions. A Final WHOIS Service Requirements Report was completed on 29 July 2010.  Examples of the technical capabilities identified in the report include:

  • Mechanism to find authoritative Whois servers
  • Structured queries
  • Well-defined schema for replies
  • Standardized errors
  • Standardized set of query capabilities
  • Quality of domain registration data
  • Internationalization
  • Security
  • Thick vs. Thin WHOIS
  • Registrar abuse point of contact

The Council has not yet discussed this report and will be considering next steps.

5.  IANA and Whois

IANA, the Internet Assigned Numbers Authority, provides a WHOIS server at whois.iana.orgwhich provides the ability to lookup information for a certain subset of domains, most notably the details of top-level domains. 

On 20 May, 2010, IANA announced the launch of an experimental Whois test server and encouraged the community to try it and provide feedback. See: http://blog.icann.org/2010/05/test-iana-whois/

 

6.  Two Whois-related sessions in Cartagena

  • Thursday 9 December 9:30 AM local time – Internationalized Registration Data Working Group Interim Report -- Interim Report describes four possible models for internationalizing registration data and seeks guidance from the community as to whether other options should also be considered, and input on the benefits and limitations of the various models presented.
  • Thursday 9 December 11:00 AM local time -- Technical Evolution of the Whois Service -- In this workshop, ICANN staff will present an overview of the technical shortcomings of the WHOIS protocol, and describe three potential options to address technical deficiencies.  While there may also be other options to consider, staff examined: 1) extending the existing WHOIS protocol; 2) migrating from WHOIS to the IRIS protocol; and 3) migrating from WHOIS to a HTTP-based Representational State Transfer protocol-based service ("RESTful Whois", or RWS). 

 

Annex A – Links to Other Reports and References

2005 (November) -- U.S. Government Accountability Office Report on the "Prevalence of False Contact Information for Registered Domain Names  -- GAO 06-165, a report to the Subcommittee on Courts, the Internet and Intellectual Property, Committee on the Judiciary, U.S. House Of Representatives.

GAO was asked to:

  1. Determine the prevalence of false or incomplete contact data in Whois for.com, .org, and .net domains;
  2. Determine the extent to which false data are corrected within 1month of being reported to ICANN; and
  3. Describe steps the Department of Commerce and ICANN have taken to ensure the accuracy of contact data in the Whois database.
    • Based on a survey of 900 domain names (300 each in .com, .net and .org), GAO concluded that 2.31 million domain names (5.14%) were registered with patently false data (data that appeared obviously and intentionally false) in one of more of the required contact information fields.
    • GAO also found that 1.64 million (3.65%) were registered with incomplete data in one or more of the required fields. In total, GAO estimates that 3.89 million domain names (8.65%) had at least one instance of false or incomplete data in required Whois fields.
       

2002 -- Ben Edelman's analysis: Large-Scale Intentional Invalid WHOIS Data: A Case Study of "NicGod Productions" / "Domains For Sale"  *http://cyber.law.harvard.edu/people/edelman/invalid-whois/\* (http://cyber.law.harvard.edu/people/edelman/invalid-whois/*)

  • Conducts a case study of 2754 registrations of a single firm all of which included intentionally invalid Whois contact information. Edelman draws several possible conclusions. He notes that of registrants providing intentionally-invalid Whois contact information, at least some register and hold a large number of domains.

2002 (November) – U.S.  Federal Trade Commission Study on email address harvesting – FTC investigators "seeded" 175 Internet locations with 225 new "undercover" email addresses and tracked the resulting spam for a six-month period. The following chart summarizes harvesting by forum, http://www.ftc.gov/bcp/conline/edcams/spam/pubs/harvestchart.pdf. The study found no instance of email harvesting from a domain name registration.

[OTHER – TBD – as Review Team identifies needs]

Annex B -- Status of GNSO Council-requested WHOIS studies – November 2010 Update

 

Study Area/Topic

Specific studies defined (work in progress)

Current status

Other Information

1.     WHOIS Misuse Studies
Extent to which publicly displayed WHOIS data is misused

1.     Experimental: register test domains and measure harmful messages resulting from misuse
2.     Descriptive: study misuse incidents reported by registrants,  researchers/ law enforcement

Council decided 8 Sept 2010 to proceed with this study.
Cost: 150,000
Time estimate: 1 year
Contract negotiations underway.

§  Can count and categorize harmful acts attributed to misuse and show data was probably not obtained from other sources
§  Some acts might be difficult to count
§  Cannot tie WHOIS queries to harmful acts, which makes it difficult to prove that reductions in misuse were caused by specific anti-harvesting measures
§  Difficult to assess whether misuse is "significant"

2.     WHOIS Registrant Identification Study

1.     Gather info about how business/commercial domain registrants are identified
2.     Correlate such identification with use of proxy/privacy services

5 RFP responses received.  Staff analysis to Council on 23 March 2010.
Cost: 150,000
Time estimate: 1 year

§  Can classify ownership and purpose of what appear to be commercial domains without clear registrant information, and measure how many were registered using a P/P service
§  Might provide insight on why some registrants are not clearly identified
§  Use of P/P services by businesses

3.     WHOIS Privacy and Proxy "Abuse" Study

Compare broad sample of P/P-registered domains associated with alleged harmful acts with overall frequency of P/P registrations
http://gnso.icann.org/issues/whois/

gnso-whois-pp-abuse-studies-
report-05oct10-en.pdf

3 RFP responses received.  Staff analysis to Council on 5 October 2010.
Cost: 150,000
Time estimate: < 1 year

§  Can sample many harmful acts to assess how often alleged "bad actors" try to obscure identity in WHOIS
§  Compare bad actor P/P abuse rate to control sample and to alternatives like falsified WHOIS data, compromised machines, and free web hosting
§  Some kinds of acts not sampled due to irrelevance and/or difficulty
§  Cannot reliably filter out "false positive" incident reports

4.     WHOIS Privacy and Proxy "Relay & Reveal" Study

Analyze relay and reveal requests sent for P/P-registered domains to explore and document how they are processed

RFP posted on 29 September, responses due 30 November 2010.

RFP and Terms of Reference:
http://www.icann.org/en/announcements/

announcement-29sep10-en.htm

5.     non-ASCII registration information

Technical analysis of how non-ASCII registration information is displayed. 

On hold pending work of Internationalized Registration Data WG.

IRD WG Workshop was conducted in Brussels. Interim report to be presented in Cartagena. See: Internationalized Registration Data Working Group Interim Report

6.     WHOIS service requirements

Compile a list of WHOIS service requirements based on current + previous policy discussions

Final report complete.

http://gnso.icann.org/issues/whois/whois-service-requirements-final-report-29jul10-en.pdf

Note:  Study areas 1-5 reflect all the studies initially requested by the GNSO Council 4 March, 2009.  Study area 6 was requested by the Council 7 May, 2009.

Annex C -- Adoption of RAA Revisions

The ICANN Board approved the revisions to the RAA in 21 May 2009. The revised (or "new form") RAA applies to all new registrars, registrars that renew after 21 May 2009, and all registrars that voluntarily adopt the new contract prior to their renewal date.

RAA STATISTICS

Report date: 23 November 2010
Using Registry Data from: September 2010

Total Accredited Registrars: 966
Total Domains: 125,151,250

2001 RAA Data
Registrars on 2001 RAA: 221  (22.88%)
Registrars Under 2001 – New RAA Pending: 4
Domains Under 2001 – New RAA Pending: 145,808  (0.12%)
2001 RAA Extension: 1
   (93) GKG.NET, INC.

2009 RAA Data
Domains Covered by 2009 RAA: 119,232,721  (95.27%)
Registrars on 2009 RAA: 745  (77.12%)
   Early Adoption:  355  (47.65%)
   Renewal:  307  (41.21%)
   New:  79  (10.60%)
   Assignment:  4  (0.54%)

  • No labels