An incredible 77 per cent of internet domains - nearly 90 million internet addresses - are registered with false, incomplete, or unverifiable information.
An extensive review of 1,419 representative domain names conducted by overseeing body ICANN, including direct contact with over 500 individual domain owners, produced some startling results (PDF). Example: only 23 per cent of domain registrations display the owner's correct name and physical address.
Worse, an extraordinary 29 per cent of domains are registered with patently false or suspicious information - a shady sign of online criminalty. The remaining 48 per cent of faulty registrations are in a grey area where people are either unaware or unwilling to hand over their identifying details.
But Jenny Kelly of the National Opinion Research Center (NORC), who headed the investigation, warned against making broad assumptions about the initegrity of the Whois system for registration data. "What we found was that 23 per cent of domains had good information that we could verify but there are many others where we were not able to confirm the content and so were not able to say they were good," she explained, citing as an example post-office boxes.
The survey found that Whois records for domains contain a lot of incomplete information - something that can be put down to the practices of different registrars. "The approach taken varies widely by registrar," Kelly explained.
"As part of my background preparation, I tried to register domains with different registrars. It was clear that some companies have good checks: checking your zip code is right for the city and state you entered, and likely checking credit card details against the registered address. But others did not apply such checks during the registration process, although whether or not they apply them subsequently I don't know."
The findings will have far-reaching implications for the domain-name system, which has spent the past five years working under the broad assumption that 95 per cent of domain information was at least partially accurate.
The report itself expressed surprise that no incidences of identity theft were found - but it concluded, incredibly, that this was because such theft wasn't needed. "It would seem that given the latitude that people have in choosing what information to provide when registering a domain name, identity theft may not be necessary. It is all too easy to enter any or no name, along with an unreliable or undeliverable address," the report reads.
The reasons behind the widespread failure of the Whois system, which is supposed to ensure accurate domain registration information, are complex - but they stretch beyond complaints about the privacy implications of people posting their information online for anyone to view.
There are no mandated standards for registrars to check whether the information provided is accurate. A large number of domain registrants are unaware that the service even exists, and until a few months ago, the system only accepted ASCII English, causing millions of registrants to register with best-guess information.
The report notes that the majority of the issues behind the inaccuracy are within the ICANN community's ability to fix. All registrars of generic top-level domains (such as .com or .info) have to sign a Registrar Accreditation Agreement (RAA) with ICANN and changes to that agreement can oblige registrars to improve the level of checking for domains.
ICANN is also in a position to provide ratings of different registrars so that consumers can be better informed about with whom they register their domain. However, both alterations in the RAA and the creation of a rating mechanism require a change in policy at ICANN - something to which registrars would need to agree.
Following the collapse of one registrar, RegisterFly, a few years ago that resulted in tens of thousands of individuals losing control of their domains, ICANN announced it would revise the RAA to make sure it didn't happen again. However, the end result of its review was watered down over time by the registrars themselves before they were agreed to. A new set of amendments are currently under discussion.
Improving accuracy of the Whois system would also come at a cost, the report warns. "The cost of ensuring accuracy will escalate with the level of accuracy sought, and ultimately the cost of increased accuracy would be passed through to the registrants in the fees they pay to register a domain."
Kelly wouldn't be drawn into discussing the cost of such a system, but she did note that heavy competition in the registrar market has driven down costs to less than $10 per domain per year. She hypothesised: "If registration cost $20 rather than $10, would it stop people from registering domains? And would we find that it enables more security?"
The report may help break a decade-long impasse over the Whois service, during which conflicting interests have ensured that no progress has been made on much-needed changes. The last time a full study (PDF) of Whois accuracy was commissioned - by the US Government Accountability Office (GAO) in 2005 - it was reported that only 5 per cent of domain names contained "missing or patently false information."
That report was dismissed by those in the know as being wildly inaccurate because it didn't look into the accuracy of information, but only whether it appeared normal. Today's report discovered roughly the same 5 per cent of nonsense information but found a far greater percentage of wrong or false information by looking at the actual data itself.
ICANN is obliged under its Affirmation of Commitments with the US government to maintain the Whois service as well as "assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust."
ICANN's management has also clearly signalled that it intends to use the report to break the Whois impasse, with its Chief Operating Officer Doug Brent telling us: "Ultimately, any solution reached for Whois accuracy must be closely tied to ICANN’s contractual enforcement mechanisms which today go no further than requiring investigation of inaccuracy complaints.
"Sometimes, the thorniest problems are the most important to address, and we hope that putting some facts out on the table leads to a more informed debate, and an actual path to solutions.”
You can view public comment on the report - or submit your own thoughts - here. ®
Sponsored: Ransomware has gone nuclear