ICANN ICANN Email List Archives

[whois-accuracy-study]


<<< Chronological Index >>>    <<< Thread Index >>>

Comments on the NORC Study

  • To: whois-accuracy-study@xxxxxxxxx
  • Subject: Comments on the NORC Study
  • From: Garth Bruen at KnujOn <gbruen@xxxxxxxxxx>
  • Date: Fri, 09 Apr 2010 09:00:35 -0700

In reference to ?NORC: Draft Report for the Study of the Accuracy of
WHOIS Registrant Contact Information.? This report reveals information
widely suspected and previously confirmed: that vast and deliberate
inaccuracies plague the domain registration system, and that criminals
use WHOIS fraud as a regular tool of concealment. Once this fact is
accepted the issue is that of addressing the problem. Previous reports,
and even congressional testimony, have indicated serious problems with
WHOIS inaccuracy especially related to fraud and criminal infiltration
of the DNS. The response to these studies has been to conduct more
studies (A selection of previous studies, starting in 2002, is listed at
the end). 

The NORC study, while thorough on process is drastically weak on data.
One might describe it as ?a mile-wide and an inch deep.? According to
the NORC report page 14: ?All contacts were made between June and
October 2009, using experienced interviewers at NORC?s offices in
Chicago.? So, in five months they reviewed 1,419 WHOIS records which is
approximately 14 records per workday apparently distributed among
several staff members. This is an extremely disappointing outcome
considering systems currently exist that could validate 70,000 to
100,000 per day. One of the major flaws of this study is that it does
not indicate which Registrars have the bulk of the WHOIS inaccuracies
which would be useful since it is with the Registrars that ICANN has
obligated influence, not registrants (Our full criticism of the NORC
study is attached). 

The idea that the entire gTLD WHOIS record set cannot be validated is a
fallacy. This has always been a question of will and not possibility. A
common response to suggestions of validating the entire record set is
flat-out denial, that "there are too many records". Yet consider the
following. The Library of Congress has 130 million cataloged books.
Wikipedia has 19.5 million pages. Visa processed an average of 549
million transactions each day. Astronomers count and catalog stars with
400 billion estimated in the Milky Way alone. A common bank coin
counting machine can record 864,000 coins per day. How much of human
history has been spent counting, tabulating, and sorting? As for
verification, over 2 million U.S. students take the dreaded SATs for
college entry each year with hundreds of their answers scored by
machine, their essays read and graded. 

It flies in the face of reality that the body created to oversee the
gTLD Internet cannot effectively track and certify the core record set
of the gTLD space. The suggestion that registration verification will
add significant cost to Registrar operations is also a fallacy. Besides
the fact that adding standard verification to electronic registration
forms is commonplace and simple programming, the Registrars already have
incredibly dynamic web interfaces that allow bulk purchases and return
lists of calculated domain name suggestions to customers. 

We fundamentally believe that it is possible to validate the entire
WHOIS record for the gTLD space, even if the number of domains were to
double in the next year. We (KnujOn) have built, and continue to expand,
a system capable of processing and detecting massive collections of
illicit sites and rapidly validating the WHOIS record set, and we plan
to use it to great effect. So there is no confusion, this is not simply
an observational project but a plan to change the status quo. All found
WHOIS inaccuracies will be reported and all criminal activity will be
exposed. 

An interface will be created so anyone who wants to support this effort
can participate and contribute. We will provide ongoing status reports
as to the development of the report in a public space. Free to contact
us about this project.

Seriously, Garth Bruen

2002 - Large-Scale Intentional Invalid WHOIS Data:
http://cyber.law.harvard.edu/archived_content/people/edelman/invalid-whois/

2003 - US House Committee on the Internet, and Intellectual Property
http://cyber.law.harvard.edu/archived_content/people/edelman/pubs/Judiciary-090403.pdf

2005 - Prevalence of False Contact Information for Registered Domain
Names http://www.gao.gov/new.items/d06165.pdf

Attachment: KnujOn Review of NORC Proposal 072909.pdf
Description: Adobe PDF document



<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy