Comments on the NORC Study
In reference to ?NORC: Draft Report for the Study of the Accuracy of WHOIS Registrant Contact Information.? This report reveals information widely suspected and previously confirmed: that vast and deliberate inaccuracies plague the domain registration system, and that criminals use WHOIS fraud as a regular tool of concealment. Once this fact is accepted the issue is that of addressing the problem. Previous reports, and even congressional testimony, have indicated serious problems with WHOIS inaccuracy especially related to fraud and criminal infiltration of the DNS. The response to these studies has been to conduct more studies (A selection of previous studies, starting in 2002, is listed at the end). The NORC study, while thorough on process is drastically weak on data. One might describe it as ?a mile-wide and an inch deep.? According to the NORC report page 14: ?All contacts were made between June and October 2009, using experienced interviewers at NORC?s offices in Chicago.? So, in five months they reviewed 1,419 WHOIS records which is approximately 14 records per workday apparently distributed among several staff members. This is an extremely disappointing outcome considering systems currently exist that could validate 70,000 to 100,000 per day. One of the major flaws of this study is that it does not indicate which Registrars have the bulk of the WHOIS inaccuracies which would be useful since it is with the Registrars that ICANN has obligated influence, not registrants (Our full criticism of the NORC study is attached). The idea that the entire gTLD WHOIS record set cannot be validated is a fallacy. This has always been a question of will and not possibility. A common response to suggestions of validating the entire record set is flat-out denial, that "there are too many records". Yet consider the following. The Library of Congress has 130 million cataloged books. Wikipedia has 19.5 million pages. Visa processed an average of 549 million transactions each day. Astronomers count and catalog stars with 400 billion estimated in the Milky Way alone. A common bank coin counting machine can record 864,000 coins per day. How much of human history has been spent counting, tabulating, and sorting? As for verification, over 2 million U.S. students take the dreaded SATs for college entry each year with hundreds of their answers scored by machine, their essays read and graded. It flies in the face of reality that the body created to oversee the gTLD Internet cannot effectively track and certify the core record set of the gTLD space. The suggestion that registration verification will add significant cost to Registrar operations is also a fallacy. Besides the fact that adding standard verification to electronic registration forms is commonplace and simple programming, the Registrars already have incredibly dynamic web interfaces that allow bulk purchases and return lists of calculated domain name suggestions to customers. We fundamentally believe that it is possible to validate the entire WHOIS record for the gTLD space, even if the number of domains were to double in the next year. We (KnujOn) have built, and continue to expand, a system capable of processing and detecting massive collections of illicit sites and rapidly validating the WHOIS record set, and we plan to use it to great effect. So there is no confusion, this is not simply an observational project but a plan to change the status quo. All found WHOIS inaccuracies will be reported and all criminal activity will be exposed. An interface will be created so anyone who wants to support this effort can participate and contribute. We will provide ongoing status reports as to the development of the report in a public space. Free to contact us about this project. Seriously, Garth Bruen 2002 - Large-Scale Intentional Invalid WHOIS Data: http://cyber.law.harvard.edu/archived_content/people/edelman/invalid-whois/ 2003 - US House Committee on the Internet, and Intellectual Property http://cyber.law.harvard.edu/archived_content/people/edelman/pubs/Judiciary-090403.pdf 2005 - Prevalence of False Contact Information for Registered Domain Names http://www.gao.gov/new.items/d06165.pdf Attachment:
KnujOn Review of NORC Proposal 072909.pdf |