Woody Woodpecker on the way out
ICANN is in talks with registrars about finally implementing the requirement for true contact details in domain registrations. If this goes ahead, no longer will people be able to use made up addresses and register in the names of Donald Duck and Mickey Mouse.
Based in California, ICANN is the body which overseas internet number allocation and which accredits organisations to be Domain Name Registrars. ICANN will be meeting with major registrars in March and validity of registration details is on the agenda.
It is the accredited registrars who sell individual domain names, and who collect and maintain the owner information contact details, Most registrars do not check that contact information is accurate, and in many cases it is patently made up. Not only will you find domains registered in names such as Ivor Biggun, you will also find they have addresses such as Glasgow, Florida, Viet Nam. Even rudimentary checking systems would detect that these details were fake. There are plenty of others though where the address is bogus but plausible.
Why would people want to pay for a domain and yet supply fake details? The most obvious argument, and perhaps the most difficult argument, is privacy or confidentiality. If a political dissident is using a website to publish information critical of his or her government, they may not want the local police to be able to look up their name and address. The same might be true of someone publishing information about local crime lords. There are other good reasons too. Perhaps someone is publishing a site of their own personal experiences in drug addiction and doesn't want to be identified by the tabloid press, or perhaps a company is preparing a new product for launch or re-branding itself and doesn't want to tip off its competitors.
However, the other side of the coin, and the one that particularly concerns law enforcement and ICANN, is that we see far too many domains registered with bogus details for nefarious purposes. Some sites are apparently legitimate online shops selling in good faith, but the lack of any real contact information means that if anything goes badly wrong, they think they can safely hide behind a tangle of false trails, dead ends and fall guys. Others are planning on offering free downloads of material they don't own such as movies or pop songs, and whether or not they think they have the moral right to do this, they choose to do it anonymously to avoid the lawsuits. There are the out and out scammers, the people making tablets from flour, cement and food dyes which they pass off as pharmaceuticals, the people who sell goods at unbelievable prices which they have no intention of supplying, and the people who set up fake bank websites to support their scams against you. All of these people find it absurdly easy to register domains in whatever names they want, in any country they want.
When people legitimately want anonymity, this is far from insurmountable. At SKILLZONE we can, and have, purchased domain names from registrars on behalf of our customers who are launching new products and used our own contact details during the confidentiality phase. Most registrars also offer an "ex-directory" option whereby the owner details are not routinely visible. In these cases though, there is still a genuine point of contact which law enforcement can pursue.
So should registrars be held responsible for checking the contact details are valid? Many registrars argue their businesses have been built on bulk online selling at the lowest price, and that checking address details would massively increase their costs and increase bureaucracy, depending on the level of verification needed. Should registrars accept "accommodation addresses" for example, and if you are a registrar for com addresses based in Toronto, how are you going to know that "Suite 4, Floor 5, Belrovia Towers Business Park, London" is actually a box at a newsagents in West Kensington? Is it enough to verify the address supplied matches the credit card address, for instance? Will registrars require photocopies of passports, utility bills, and company headed notepaper to prove someone's identity before selling them a domain name? And if it is the latter, doesn't that also give new opportunities for identity thieves to obtain our documents? The danger is that we'll come up with a cumbersome, complicated and expensive system without actually solving anything.
In some ways, the registrars have brought this upon themselves. If they had taken the trouble over the years to reject registrations which used Mickey Mouse details, or done some basic checks that addresses were valid, then it might not have come to this. For instance, shouldn't they have been willing to turn away business or impose a verification surcharge when people try to register names which are obviously in bad faith, like variants of major bank names to be used for phishing fraud. However, any registrar trying to raise its standards is immediately undercut by another supplier who will sell you domain sans checks for fifty cents less. That's the free market for you, so perhaps more regulation from ICANN is the only answer.
27th February 2012
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.