ICANN told to clamp down on dodgy domain names

More than 8 percent of all Internet domain names are registered with false or incomplete information, according to a U.S. government study into the prevalence of phony Web sites.

The study, released Wednesday by the U.S. General Accountability Office, showed that 2.31 million domain names, or 5.14 percent of all domain registrations, have been registered with information "obviously and intentionally false" (such as a (999) 999-9999 telephone number, the report says). The GAO also found that 1.6 million, or 3.6 percent, contained incomplete data in one or more of the required fields.

The report drew a response from Rep. Lamar Smith, chairman of the Subcommittee on Courts, the Internet and Intellectual Property.

"Vendors unwilling to identify themselves publicly are more than likely fraudulent," Smith, a Republican from Texas, said in a statement released Wednesday.

Smith concluded that the Internet Corporation for Assigned Names and Numbers (ICANN), the standards body for Internet domain names, is failing to "weed out such fraudulent identifications."

The rise of phishing scams has prompted Congress to investigate. In such fraud schemes, Internet thieves lure consumers to counterfeit Web sites to dupe them out of vital information such as credit card numbers and passwords. Roughly one in four U.S. Internet users have been targets of phishing attacks, according to a study conducted by Time Warner.

Contact information for operators of Web sites is publicly available through the Whois Internet service. Data from Whois could help law enforcement officials track down Internet criminals--provided it's accurate.

The GAO said that ICANN is now requiring registrars to investigate and correct any reported inaccuracies in contact information. The Internet group continues to assess the operation of the registration process and look for ways to improve accuracy, according to the agency's report.

Attempts to reach an ICANN representative were not successful.

This is not the first time ICANN has been called on to monitor the accuracy of its registrations more closely. A study three years ago found that ICANN policies encouraged but did not require registration organizations, such as VeriSign or Go Daddy, to verify information from people who have submitted false information. It recommended that ICANN change those policies.

[tjonz]

Invalid phone numbers

It's worth noting that *some* of the invalid data cited in the GAO report was added to domain records by the registrars. For example, time was that domain contacts were not required to publish a telephone number; when ICANN decided to require this information, Verisign/NetSol (for one) inserted "999-999-9999" into all records that did not already include a phone number.

[sysadmin999]

Domain owners do not deserve any privacy!

Security is a priority on the web, unless you are a domain owner, in that case - according to ICANN rules, you should be fair game for every spammer and con artist out there.

As a sysadmin I cannot begin to tell you the number of security issues I have to deal with almost daily. Viruses, phishing, pharming, spam and even snail mail rip-off artists all attempting to con my clients. Every new domain I put up gets spammed with the first couple of days and the automated break in attempts begin shortly after that.

Knowing all these threats exist, how can ICANN insist domain owners publish their full, personal details online for all to see?

I belive domain registration information needs to be better protected and managed if ICANN wants to have any hope of compliance.

If ICANN truly feels all domain owners should comply with their out of date ARPANET rules then I suggest they should lead the compliance drive by publishing the full names, home addresses and home phone numbers of all the ICANN staff, including the board.

[TV James]

Protect the domain owners

Why can't more be done to solicit legitimate information from domain owners, but at the same time, do more to protect them?

I mean, just because I own a domain, why should everyone have instant access to my information? And at the same time, isn't it better to have the correct information in there?

Why not make some sort of policy that keeps the information private until the right kind of request is made? Like it's private until law enforcement requests it, or when you make a request, you have to provide your own information and the domain owner is notified of your request (they don't get to say yes/no, they just get informed)?

With both of these, I can think of many pros and cons. I'm not advocating either of these, but it seems like a taskforce could be convened to come up with some new thought on ownership registration, how to make it more verifiable and secure and private, balancing everyone's concerns?

[Mark Donovan]

ICANN leads the way

The issue is not the personal data of board and staff members. The issue is accurate data in domain registrations. That's not an unreasonable requirement.

ICANN's registration seems accurate and complete. In part, here it is. This is the minimum required for a domain registration.

Registrant ID:C4128112-RCOM
Name:(ICANN) Internet Corporation for Assigned Names and Numbers
Organization:Internet Corporation for Assigned Names and Numbers (ICANN)
Street1:4676 Admiralty Way, Suite 330
City:Marina del Rey
State/Province:CA
Postal Code:92092
Country:US
Phone:+1.3108239358
Phone Ext.:
FAX:+1.3108238649
FAX Ext.:
Email:icann@icann.org

There's nothing out-of-date about a requirement for accurate registration data. In fact, the need is greater now than during the ARPANET's early development because, now, much financial and business activity depends on it.

As for board and staff members, ICANN is quite open about who runs the organization.

http://www.icann.org/general/board.html

http://www.icann.org/general/staff.html

[katamari]

Good luck with that.

I'll be the first to blatently admit that I do not list legitimate contact methods (except for my Email address) for any of my domains. Yes, this violates ICANN specifications... so the question is, why do I do it?

Simple: to avoid spam. What kinds-of spam you ask? All forms.

There are shady registrars out there -- some of which who have been taken to court in Europe for their shady dealings -- who peruse the WHOIS database (despite it being against the law) and begin sending unsolicited snail mail to any of the contacts listed.

One such company, who still does this even today, is the "Domain Registry of America" (DROA). You can visit their site here: http://www.droa.com/

Look on Google and Usenet for references to this company. All you'll find are complaints about how they send you spam, send you false "invoices" when a domain you own (NOT WITH THEM!) is about to expire, yadda yadda. In one case, I even received a telephone call from some random registrar (it was an automated message, yapping about one of my domain names -- maybe it was the DROA, I don't know. They didn't provide their company name!).

But as I said, I do keep a legitimate Email address in my contact records. This is necessary in case my own registrar has issues and needs to contact me, or if someone has concerns. Of course, the amount of Email-based spam I get to this address is through the roof (so much for the "DON'T USE THIS DATABASE FOR UNSOLCITED EMAIL" warning WHOIS outputs...).

ICANN, if you want people to put legitimate information in their records, then you need to stop jerking off and do something about outfits like the DROA and many others. Until then, good luck getting myself and many others to put accurate snail mail or telephone contact information in our records...

[MahRain]

What about anonymous registrars?

There are some organizations who register domain names on their own name, and link the content of another person. These are specially designed constructions to conceil the identity of the domain owners.

Any way they could force them?

Terrible idea

Previous comments are spot on.

ICANN are promoting combine harvesting of email addresses & private information.

I would be happy to provide such information if it wasnt going to published to every tom, dick and spammer harry.

[inachu]

I'm 50/50 on this WHAT IF.....

What if its a girl hosting her Geocities website and
She posts pictures of herself and family and dog and
shows pictures of her new house and car sicne they won the million dollar lotto.

Then anyone can drive by their house and ask if they can have some money since they are so rich.
Or people would google them and then call them at all hours of teh night and pedos would be driving by and looking and using the registers email and add it to their instant messenger to hook up with them later online.....

ONLY THE NAME, CITY, STATE should be shown and
If you want to contact the domain owner then have it work like craigslist for permission and it will be the persons discretion if they want to talk or email with whomever.

If you are with a GOVT agency then network solutions or go daddy should have a form like MSN passport that lets you log in as the feds so you can bypass and see the domain info instantly.

This is soooooooo easy to do! Why hasn't anyone fixed it?!?!?!

[rogerstigers]

I agree with the privacy issues.

Truely the privacy issues here are important. As are the issues regarding abuse of domains. They really do need to enforce accurate records, but those records should be protected just like driver's license records. Government employees can get your DL records pretty easily, but if you are a civilian, it's a bit harder.

Please don't live under the illusion that your information is, or ever will be, totally safe and secure. It's the internet. So long as there is a challenging security wall up, there will be a thousand "security experts" trying to break in. I wonder just how often the NCIC gets cracked anyway?

[rob8888]

Spam Domains

Yes, the false information is a way that spammers hide their identity. The good news is that ICANN works with registrars and if they can't get in touch with the domain owner to have the false, incorrect information corrected, the domain will be taken offline.
Here is an article about it:
http://www.alovelinksplus.com/info/blacklist/how-to-combat-spam.htm
I have had success in having more than a dozen domains taken offline that I received SPAM from.

[Mark Donovan]

No anonymity for business domains

There may be a disconnect between personal domain registrations and business domains. While individuals may expect a level of confidentiality, anyone doing business using domain registrations has no right to anonymity.

Outside the Internet, business identities are public record. Here in the U.S. business registrations to state government are public information. The corporation commissions in many states make these records searchable on the Internet. U.S. corporations that are publicly owned must file information to the Security and Exchange Commission (SEC). See the SEC web site for the type of information that's public. Search for Ticker Symbol AAPL, for example.

http://www.sec.gov/edgar/searchedgar/companysearch.html

Moreover, it's unacceptable for a business, whether privately or publicly owned, to transact business anonymously. Revealing one's correct, verifiable contact information is the price of doing business with the public. Every business domain registration must be accurate and verifiable. Dealing with the possibilities of unwanted solicitations, fraudulent transactions, etc. is common to both offline and online business and can't be solved by allowing Internet anonymity.

[katamari]

You mean like...

...registrars such as Domains By Proxy (www.domainsbyproxy.com)?

There's no way to enforce this with them either. Sure, they claim to comply with law enforcement, but then again, it doesn't matter if you agree to comply or not -- you WILL comply with a subpoena. :-)

Companies like Domains By Proxy that exist solely *because* of the problems associated with putting up real information in one's WHOIS records. They admit this freely on their site. I'm disgruntled that someone's in the business of *making money* off of people's desire for privacy (it runs along the same lines as spam, in my opinion).

Proxy registrars should be shut down + taken offline. I'm amazed ICANN lets them stay around. You can't find any information about who owns their companies, either. I don't trust them simply because they don't disclose on their own site who calls the shots, where the money goes, who runs the place, yadda yadda. For all I know it's some IRC packet kid running a "business" out of his bedroom, collecting thousands upon thousands of credit cards which will eventually be sold to the highest bidder.

Wouldn't be the first time...

[aabcdefghij987654321]

But what about...

the person who is living under a repressive government that has registered a domain name and has posted information their government has deemed to be seditious?

This article and all the comments so far have only looked at one half of the story. It should be remembered that there may be good reasons to allow people to hide their identity even from governments as well.

The question then is how to set a balance between the need to shut down sites which prey upon people vs how to protect people against bad government.