77% of domain registrations stuffed with rubbish

Whois in charge? ICANN't tell


An incredible 77 per cent of internet domains - nearly 90 million internet addresses - are registered with false, incomplete, or unverifiable information.

An extensive review of 1,419 representative domain names conducted by overseeing body ICANN, including direct contact with over 500 individual domain owners, produced some startling results (PDF). Example: only 23 per cent of domain registrations display the owner's correct name and physical address.

Worse, an extraordinary 29 per cent of domains are registered with patently false or suspicious information - a shady sign of online criminality. The remaining 48 per cent of faulty registrations are in a grey area where people are either unaware or unwilling to hand over their identifying details.

But Jenny Kelly of the National Opinion Research Center (NORC), who headed the investigation, warned against making broad assumptions about the integrity of the Whois system for registration data. "What we found was that 23 per cent of domains had good information that we could verify but there are many others where we were not able to confirm the content and so were not able to say they were good," she explained, citing as an example post-office boxes.

The survey found that Whois records for domains contain a lot of incomplete information - something that can be put down to the practices of different registrars. "The approach taken varies widely by registrar," Kelly explained.

"As part of my background preparation, I tried to register domains with different registrars. It was clear that some companies have good checks: checking your zip code is right for the city and state you entered, and likely checking credit card details against the registered address. But others did not apply such checks during the registration process, although whether or not they apply them subsequently I don't know."

The findings will have far-reaching implications for the domain-name system, which has spent the past five years working under the broad assumption that 95 per cent of domain information was at least partially accurate.

The report itself expressed surprise that no incidences of identity theft were found - but it concluded, incredibly, that this was because such theft wasn't needed. "It would seem that given the latitude that people have in choosing what information to provide when registering a domain name, identity theft may not be necessary. It is all too easy to enter any or no name, along with an unreliable or undeliverable address," the report reads.

The reasons behind the widespread failure of the Whois system, which is supposed to ensure accurate domain registration information, are complex - but they stretch beyond complaints about the privacy implications of people posting their information online for anyone to view.

There are no mandated standards for registrars to check whether the information provided is accurate. A large number of domain registrants are unaware that the service even exists, and until a few months ago, the system only accepted ASCII English, causing millions of registrants to register with best-guess information.

The report notes that the majority of the issues behind the inaccuracy are within the ICANN community's ability to fix. All registrars of generic top-level domains (such as .com or .info) have to sign a Registrar Accreditation Agreement (RAA) with ICANN and changes to that agreement can oblige registrars to improve the level of checking for domains.

ICANN is also in a position to provide ratings of different registrars so that consumers can be better informed about with whom they register their domain. However, both alterations in the RAA and the creation of a rating mechanism require a change in policy at ICANN - something to which registrars would need to agree.

Following the collapse of one registrar, RegisterFly, a few years ago that resulted in tens of thousands of individuals losing control of their domains, ICANN announced it would revise the RAA to make sure it didn't happen again. However, the end results of its review were watered down over time by the registrars themselves before they were agreed to. A new set of amendments is currently under discussion.

Improving accuracy of the Whois system would also come at a cost, the report warns. "The cost of ensuring accuracy will escalate with the level of accuracy sought, and ultimately the cost of increased accuracy would be passed through to the registrants in the fees they pay to register a domain."

Kelly wouldn't be drawn into discussing the cost of such a system, but she did note that heavy competition in the registrar market has driven down costs to less than $10 per domain per year. She hypothesised: "If registration cost $20 rather than $10, would it stop people from registering domains? And would we find that it enables more security?"

The report may help break a decade-long impasse over the Whois service, during which conflicting interests have ensured that no progress has been made on much-needed changes. The last time a full study (PDF) of Whois accuracy was commissioned - by the US Government Accountability Office (GAO) in 2005 - it was reported that only 5 per cent of domain names contained "missing or patently false information."

That report was dismissed by those in the know as being wildly inaccurate because it didn't look into the accuracy of information, but only whether it appeared normal. Today's report discovered roughly the same 5 per cent of nonsense information but found a far greater percentage of wrong or false information by looking at the actual data itself.

ICANN is obliged under its Affirmation of Commitments with the US government to maintain the Whois service as well as "assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust."

ICANN's management has also clearly signalled that it intends to use the report to break the Whois impasse, with its Chief Operating Officer Doug Brent telling us: "Ultimately, any solution reached for Whois accuracy must be closely tied to ICANN’s contractual enforcement mechanisms which today go no further than requiring investigation of inaccuracy complaints.

"Sometimes, the thorniest problems are the most important to address, and we hope that putting some facts out on the table leads to a more informed debate, and an actual path to solutions.”

You can view public comment on the report - or submit your own thoughts - here. ®
