• United States



by Paul Kerstein

2.3M Domain Names Registered with False Data

Dec 12, 20053 mins
CSO and CISOData and Information Security

Approximately 2.3 million domain names have been registered with obviously false information, such as (999) 999-999 for a telephone number or “XXXXX” for a postal zip code, and another 1.6 million were registered with incomplete information, according to a report released yesterday by the U.S. Government Accountability Office.

The GAO said individuals or organizations registering the names of their Web sites may have provided inaccurate information to domain name registrars to hide their identities or prevent the public from contacting them. The 3.9 million wrong or incomplete registrations represents 8.6 percent of the 44.9 million the agency was asked to check by Congress.

Contact information is made available online through a service known as Whois. Data accuracy in the Whois service can help law enforcement officials investigate the misuse of intellectual property and online fraud, as well as identify the source of spam and help Internet operators resolve technical network issues, the GAO said.

The GAO was asked to determine the prevalence of patently false or incomplete contact information in the Whois service for the .com, .org and .net domains. It was also asked to determine how much of the wrong information was corrected within a month of being reported to the Internet Corporation for Assigned Names and Numbers (ICANN), the regulatory group that oversees the Internet’s technical infrastructure. In addition, the GAO was asked to describe the steps taken by the U.S. Department of Commerce and ICANN to ensure the accuracy of contact data in the Whois database.

Since 1998, the Commerce Department has been party to a Memorandum of Understanding (MOU) with ICANN that recognizes it as the private-sector not-for-profit corporation that should assume a set of technical coordination and related policy development responsibilities for the Internet.

The GAO said it found 45 error reports in a random sampling of 900 registrations and submitted those 45 error reports to ICANN for further investigation. The GAO said it determined that 11 of those 45 domain name holders provided updated contact information that was not patently false within 30 days. One domain name, which had already been pending deletion, was terminated after the GAO submitted the error report. The remaining 33 were not corrected at all within that time frame, the GAO said.

According to the GAO, the Commerce Department and ICANN generally agreed with the report and have taken steps to ensure the accuracy of the contact data in the Whois database.

One such move includes implementation of a Registrar Accreditation Agreement requiring registrars to investigate and correct any reported inaccuracies in contact information. And the 1998 MOU has been amended to require ICANN to assess the operation of the Whois service and implement measures to improve the accuracy of the contact information in it.

ICANN could not be reached for comment Thursday.

THE GAO also identified two tools intended to help reduce false contact information in the Whois database. The Internet Registry Information Service protocol, which provides tiered access to sensitive contact information, could be used to restrict public access to that information in the Whois database. That, in turn, could encourage individuals or organizations to submit more accurate information.

The other tool is Support Intelligence’s Trust Factor screening product, which could be used to assess the validity of contact information against public information stored in commercial databases.

While both tools have the potential to help reduce false contact information, neither is widely implemented by registrars and registries, the GAO said.

The GAO did not determine the effectiveness of such technologies in reducing inaccuracies in the Whois service.

By Linda Rosencrance – Computerworld (US online)