WHOIS Contact Data Availability and Registrant Classification Study

Interisle Study Reveals Excessive Withholding of Internet Whois Data

ICANN policy suppresses contact data needed to maintain a secure and interoperable Internet

January 25, 2021
Interisle Consulting Group today announced the publication of a major new research report, the WHOIS Contact Data Availability and Registrant Classification Study. The report presents an in-depth analysis of how contact data for Internet domain names — which make all web sites, email, and apps work-has disappeared from public access, impeding cybercrime investigation, consumer protection, Internet security, and online commerce.

Contact data identifies who registered and controls a domain name, and this information has long been available in a public lookup system called WHOIS. The European Union's General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS.

The Interisle study finds that ICANN's GDPR-driven policy has resulted in the redaction of contact data for 57% of all generic Top-level Domain (gTLD) names. ICANN's policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR-perhaps five times as much. Including ‘proxy-protected’ domains, for which the identity of the domain owner is deliberately concealed, 86.5% of registrants can no longer be identified via WHOIS-up from 24% before the ICANN policy went into effect. The implications of this ICANN policy change are profound: consumers can no longer use WHOIS to confirm the identities of parties they may want to transact with on the Internet, it is harder for law enforcement personnel and security professionals to identify criminals and cybercrime victims, and brand owners face greater challenges defending misuse of their intellectual property.

Interisle's analysts visited 3,000 domain names to see if the web site owners could be identified. “More than half of gTLD domain names-51.7%-are now controlled by unidentifiable parties,” said Lyman Chapin, an Interisle partner and co-author of the study. “These are domains that cannot be attributed to a registrant or site owner, either via WHOIS or by examining their web site content. Before GDPR and ICANN's policy, only about 18% of domains were controlled by unidentifiable parties. This seriously impedes timely response to criminal activity and efforts to find and help the victims of cybercrime.”

“A study like this was long overdue,” said Greg Aaron, an Interisle associate and principal analyst of the study. “ICANN's stated goal was to ‘ensure compliance with the law while preserving the current information contained in WHOIS to the greatest extent possible.’ The new study demonstrates that ICANN has not met this goal. The result has deprived parties of data they need to help maintain a secure and interoperable Internet. The study gives policy-makers inside and outside of ICANN the data they need to make adjustments.”

Comments can be submitted to feedback@interisle.net

The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.

Previous
Previous

Domain Security: A Critical Component of Enterprise Risk Management

Next
Next

Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing