The state of domain registration data services
Internet users rely on domain name registration information for vital purposes, including security, problem solving, and legal and social accountability. The data is in such heavy demand that users make more than two billion WHOIS queries every day. ICANN has implemented new data policies over the past two years and is also leading a migration to a new technical protocol, RDAP, which will replace WHOIS access in the near future. So, at this critical juncture, how is it all working out?
To find out, Interisle Consulting Group conducted a new study on the state of access to domain registration data, “Domain name registration data at a crossroads.” The report examines compliance with current ICANN policies and operational standards. The investigation revealed widespread compliance and technical failures, leading to a decrease in basic access and an erosion of reliability and predictability.
The report examines the practices of 23 registrars, which collectively sponsor more than two-thirds of domain names in generic top-level domains (gTLDs). The study answers five questions for each registrar:
- Does the registrar have a functioning WHOIS service that meets contractual obligations?
- Does the registrar have an RDAP service that is functioning properly and meeting contractual obligations?
- Does the registrar comply with ICANN’s current data processing and display policy, the “Temporary Specification for gTLD Registration Data”?
- Can Internet users still find information in the WHOIS and RDAP services allowing them to reach a domain contact?
- Does the registrar’s contactability mechanism actually work? Is it possible to use the contact mechanism, and are messages delivered to domain contacts?
Findings from the study include:
- Registrars failed to meet contractual obligations and reachability targets in 40% of the cases studied. There were problems in an additional 16% of cases.
- A significant portion of the registrar industry still does not offer reliable and compliant WHOIS services.
- After a year and a half, a significant percentage of registrars are not fully compliant with ICANN’s Temporary Specification.
- A number of registrars mismanage their GDPR obligations.
- Some registrars prevent people from contacting domain owners. Some registrars do not make contact information available as required. Others have rolled out procedures that make it difficult for people to contact their registrants. In some cases, the contactability mechanisms provided by registrars literally fail.
- Some registrars limit access to non-sensitive domain registration data (the “Public Dataset”). This set does not contain any personally identifiable information, so there is no reason to protect it. Restricting its access prevents its use for important and legally permitted purposes, such as cybersecurity.
- RDAP services are not yet technically reliable enough to be used. RDAP became mandatory for registrars and registry operators in August 2019, but as of March 2020 the rollout has been progressing very slowly and there are operational and compliance issues.
- The issues raise questions about ICANN’s compliance practices.
The study also provides examples of how these issues have real-world implications for internet security, stability and trust, including detecting and mitigating cybercrime during the current COVID-19 pandemic. The report also provides a set of recommendations for positive change.