Banning the use of privacy and proxy services to hide details of domain name registrants would scarcely inconvenience criminals but would have privacy implications for lawful users of those services, according to a study.
The Whois system, a distributed database containing the contact details of companies and individuals who have registered domain names, is under review by its operator, the Internet Corporation for Assigned Names and Numbers (ICANN). The organization says privacy and proxy services play a role in obscuring the identities of parties engaged in illegal or harmful activities such as phishing, typosquatting, hosting child abuse sexual images, advanced fee fraud, or the online sale of counterfeit pharmaceuticals.
ICANN wants to make the Whois system more transparent by introducing an Online Accuracy Reporting System to identify potentially inaccurate contact data.
However, mandating that contact details in the Whois database are valid would affect between a quarter and two thirds of existing legitimate domain registrations which don’t provide valid contact details, researchers said.
One of the researchers, Richard Clayton of the security group at the University of Cambridge Computer Laboratory, published a study into the abuse of Whois privacy and proxy services on Sunday.
The study, commissioned by ICANN, found that while criminals do use proxy and privacy services more than average, many legitimate businesses and individuals are using them too to protect their privacy.
For instance 28 percent of banks and 44 percent of adult websites used a privacy or proxy service to hide the real registrant of the domain, while use of these services by criminals varied between 29 and 55 percent, depending on the type of illegal activity, the researchers found.
Abolishing these services “would affect a substantial amount of lawful activity, while criminals currently using these services might be expected to adopt the methods of their peers and instead provide incomplete and inaccurate data,” the researchers found. Insisting that domain registration data was always complete and accurate would mean a great many lawful registrations would need to be updated, they added.
“Clearly there’s a lot of people … who consider them useful and generally pay a premium for the service; so yes they should stay,” said Clayton in an email. But it would be desirable for them to be more clear that when served with appropriate paperwork they will divulge what data they hold to law enforcement, he said.
“Secondly, they should be checking that the details they have are at least superficially correct—and if it turns out that they are not making such checks then ICANN should suspend their ability to provide services for a while,” Clayton said, adding that these are complex matters running across multiple jurisdictions, making it difficult to get agreement to do better.
Other studies have also found that a high proportion of registrations have incorrect contact details in them, Clayton said, adding that this study underlines the others.
An ICANN spokeswoman could not immediately comment on the researcher’s findings. The organization is scheduled to kick off the development of its Online Accuracy Reporting System on July 15.