Domain Name Registration: Data at the Crossroads
Internet users of all kinds rely on public domain name registration data services for accurate and up-to-date operational and registration information for vital and legitimate purposes, from business correspondence and technical problem solving with domain owners to victim notification following a security event, and for legal and social accountability as well. Historically, Internet users obtained these data by querying registration databases using WHOIS services. The many dependencies on WHOIS is obvious from the query volume of more than 66 billion per month.
ICANN oversees domain name registries and registrars that maintain and publish that registration data. Over the last two years, access to domain name registration data has been drastically curtailed as a result of ICANN policies, data privacy laws, and in no small part due to practices by registrars and registry operators. ICANN is also directing a migration to a new technical protocol, the registration data access protocol, RDAP, that may soon replace WHOIS access.
The report measures the effectiveness and impact of ICANN's registration data access policies and procedures by examining the practices of 23 registrars, which collectively sponsor more than two-thirds of the registrations in the generic top-level domains (gTLDs). This study determines whether they comply with ICANN's policies and related contractual obligations, and also to the European Union's General Data Protection Regulation (EU GDPR).
The study attempted to answer five questions for each registrar:
Does the registrar have a WHOIS service that functions properly and meets contractual obligations?
Does the registrar have an RDAP service that functions properly and meets contractual obligations?
Does the registrar comply with ICANN's policy to allow compliance with the EU GDPR (the “Temporary Specification for gTLD Registration Data”)?
Can Internet users always find information in the WHOIS and RDAP services that allows them to reach out to a domain contact?
Does the registrar's contactability mechanism actually work? Is it possible to use the contact mechanism, and are the messages delivered to the domain contacts?
The study found widespread problems: most notably,
Registrars fail to meet their contractual obligations. A significant portion of the registrar industry is still not running reliable and compliant WHOIS services.
After one-and-a-half years, a significant percentage of registrars do not fully comply with ICANN's Temporary Specification.
A number of registrars mis-handle their obligations under GDPR.
Some registrars prevent people from reaching out to domain owners for any purpose. Some registrars do not make the required contactability information available as required. Others have deployed procedures that make it unnecessarily difficult for people to contact their registrants. In some cases, the contactability mechanisms provided by registrars literally fail to deliver.
Some registrars even constrain access to non-sensitive domain registration data (the “public data set”). This set contains no personally identifiable information, so there is no need to protect it, and restricting access to it prevents its use for important and legal purposes, such as cybersecurity.
RDAP services are not yet technically reliable enough for use. RDAP became mandatory for registrars and registry operators to provide in August 2019, but as of March 2020 the rollout is moving very slowly, and there are notable operational and noncompliance problems.
Overall, there is a failure to provide the domain name registration data access, predictability, and reliability that ICANN exists to deliver, and registrars are obligated to provide.
For the past 15 years ICANN has tried, and failed, to deliver domain name data policies that balance legitimate needs, applicable legal obligations, and ICANN's Commitments and Core Values. The findings of this study clearly illustrate the extent to which the current regime is broken. ICANN and its community stand at a crossroads: can they develop and implement policies that meet the vital needs of the Internet?
Comments can be submitted to feedback@interisle.net.
The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.