Whois Verification Proposals

Several law enforcement groups have been petioning ICANN to require WHOIS verification.  Currently anyone can put anything in a domain registration record.  however, whois proposals have corculated for years with no changes to the basic structure.

The data provided by domain name registrants will be validated to ensure the registrant is providing correct, complete, and valid data upon domain name registration and subsequent renewals.

• The verification process is designed to establish that a prospective registrant meets the registration criteria. A variety of automated and manual procedures will be utilized for verification, including preauthentication by designated Authentication Providers (for example, Representative organizations) or a cross check of registration against information held by designated Authentication Providers.

• When a prospective registrant submits a registration request, the Registry will send a unique HTML link to the registrant’s email of record or to the email of record of the beneficial registrant.

• The registrant/beneficial registrant must then follow the link, and provide supplementary information that will permit registrar to verify the registrant, including phone number. This process inherently identifies the IP address of the registrant/beneficial registrant. • Registrar will call or SMS the phone number provided during the registration form.

• In that phone call, Registrar will provide the person with a PIN # (real time) and the applicant will input the PIN# in the designated area in the registration link. • If the automatic verification process does not provide verification, the request will be referred to Registrar’s compliance staff, which will attempt to verify the registrant/beneficial registrant manually.  No domain name will be placed into the zone file and will not resolve until the account e-mail and telephone number have been verified.

• Registrar will ensure all WHOIS fields are filled completely by the registrant, including but not limited to, email (RFC 5322), telephone number (ITU-T E. 123) and physical address (UPU S 42). 2

• As part of the annual WHOIS data accuracy reminder, registrants must complete an e-mail verification link to ensure the address on the account is updated. This serves multiple purposes: it ensures that the verified account info does not go stale, it prompts them to actually pay attention to the WHOIS data accuracy reminder, and it provides a more recent opportunity for obtaining source IP data, to the extent which has the potential of avoiding retaining data for long periods of time that may run counter to data retention regulations. If there is no completion of the annual e-mail verification, registered domain names could be suspended. This could be included in the terms of use to put registrants on notice. Moreover, it could be mandatory (instead of voluntary) for the registrant to affirmatively check a box indicating that the WHOIS data for each of its domain names is accurate.

• Alternate Suggestion: To offset costs for registrars, ICANN could operate a centralized verification system. Once ICANN verifies registrant, registrant can receive ICANN account ID, which registrant can go to registrar’s site to confirm registration, at which point the domain name goes in the zone file.

The German Privacy Commissioner has stated that some of these proposals may violate privacy laws.

ICANN CEO found using fake whois data