Law enforcement push for stricter domain name rules

The changes would make it more difficult for criminals to register domain names under false details

By Jeremy Kirk, IDG News Service
March 17, 2010 11:31 AM ET

Law enforcement officials in the U.K. and U.S. are pushing the Internet Corporation for Assigned Names and Numbers to put in place measures that would help reduce abuse of the domain name system.

Now it is "ridiculously easy" to register a domain name under false details, said Paul Hoare, senior manager and head of e-crime operations for the U.K.'s Serious Organised Crime Agency (SOCA).

Domain names can be used for all kinds of criminal activity, ranging from phishing to trademark abuse to facilitating botnets. Law enforcement often run into difficulty when investigating those domains, as criminals use false details and stolen credit cards.

The FBI and SOCA have submitted a set of recommendations to ICANN for how it could strengthen Registration Accreditation Agreements (RAA). The agreement is a set of terms and conditions that a registrar -- an entity that can accept domain name registrations -- would be subject to in order to run their business. ICANN's RAA applies to registrars for generic top-level domains (gTLD), such as ".com."

The ideas from the FBI and SOCA have not been publicly revealed but include stronger verification of registrants' name, address, phone number, e-mail address and stronger checks on how they pay for a domain name, Hoare said.

Those financial checks are already done for e-commerce transactions, so "there's no reason why the registries and domain registrars can't do the same thing," Hoare said. Many registrars and registries already do this, he said.

Such a system does not mean false details won't still be found in WHOIS, the directory listing for who owns a domain name. However, "it means criminals have to do some more work to register," Hoare said.

The movement underscores long-running concerns about WHOIS. An ICANN-commissioned study released last month of 1,419 gTLDs found that only 23% of the WHOIS records were fully accurate. The current highly automated system "allows criminals to register domain names anonymously," Hoare said.

ICANN has formed a working group within the Generic Names Supporting Organization (GNSO), which formulates the organization's domain name policy, to evaluate proposals from law enforcement in addition to others, said Margie Milam, ICANN's senior policy counselor.

ICANN's RAA was amended in 2009, but some stakeholders felt the changes did not go far enough, Milam said. In contrast, larger registrars feel they are doing better in stopping domain name abuse and do not want to see something codified that may not be appropriate in the future, she said.

"There's a bit of resistance that some things are too onerous," Milam said.

The GNSO will work with registrars on the amendments and vote on the changes, which then must be approved by ICANN's board of directors, she said. The GNSO should issue a report on its progress in a few months, she said.

Some registries already have strong rules for their registrars. Nominet, which administers the country-code ".uk" domain names, doesn't allow the use of privacy services for domain name registrants, although it does allow registrants to mask their real address from the WHOIS, said Nick Wenban-Smith, senior legal counsel.
