In spite of the hoo-ha surrounding ICANN's letter to Verisign on WHOIS accuracy, one should keep in perspective that the 15 day verification rule has long been official policy. Some registrars have been quietly responding to WHOIS accuracy queries and deleting offending registrations for quite some time, some registrars pull the name out of the .com zone and keep the registration, and some registrars do nothing. How well this policy has worked in practice has depended to some extent on just who is doing the asking, who they ask, and how they are doing the asking. The 15 day fuse has always been ticking on domain name registrations, but by shining a spotlight on it, and at least making a pretense of doing something about, ICANN has once again set the stage for a classic ICANN policy train wreck."

WHOIS accuracy enforcement is a perfect example, when viewed in light of the Wait List Service (WLS) and the Redemption Grace Period (RGP). The Wait List Service is a soon-to-be introduced registry service which will guarantee that a subscriber will obtain a domain name when it is deleted from the current registrant. The RGP is a policy which is supposed to avoid situations where a registrant is caught unawares by having their domain name deleted and registered to someone else by the WLS if, for example, the registrant doesn't pay their renewal fee.

Of course, the primary reason for registrants inadvertently failing to renew their domain names is that they had a problem with their contact data. For example, when a large Internet Service Provider folds, all of their customer's email addresses become inoperative. This recently happened to millions of people who subscribed to @home cable internet and had home.com email addresses. Sometimes people move or change phone numbers. Sometimes the techie who registered a company's domain name has changed employers. What happens in these situations is that people forget that their domain name is tied to the stale contact data. They don't get reminders, and the domain name expires. Also, some registrars require that people have access to now-inoperative email addresses, or long-forgotten passwords, in order to renew, transfer, or otherwise update their domain name.

Consider, for example, the administrative contact currently listed in the Verisign WHOIS data for thebeast.com:

Domain Name: THEBEAST.COM

 Administrative Contact:
  Mittal, Ashok  (AMI320)		
  TheBEAST.COM, Inc.
  One World Trade Center 80th Floor, Suite
  8067
  80th Floor, Suite 8067
  NY , NY 10048
  212-602-4214 (FAX) 212-602-4225

Somehow this contact information managed to avoid inclusion in Mr. Touton's hit parade of inaccurate contact data about which he chose to complain to Verisign.

Now, let's suppose that ICANN is serious about having registrars resolve WHOIS data issues within 15 days, and to delete domain names which are not in compliance within that period, as the contracts have always required. This opens up a number of opportunities.

First of all, how does a registrar determine whether WHOIS data is bad? As noted in the ICANN letter to Verisign, it should be immediately obvious that the registrant named "Toto" does not live in "Oz". In point of fact, Toto returned to Kansas with Dorothy. However, every registrar is required to be able to verify the existence of any address anywhere on the planet. Presumably the registrar attempts to contact the registrant at the address provided, and if there is no response, then the domain is deleted. Or perhaps, as in the example above, mail is returned as undeliverable.

Now, here's the train wreck. Enforcement of this policy effectively undoes most of the reasoning supporting the Redemption Grace Period. Obviously, if the registrant couldn't respond to a domain renewal notice, they are likewise not going to respond to a WHOIS confirmation inquiry. So, if you put this together with the WLS, then you've got an ICANN-provided roadmap to highjacking domain names (or at least short-circuiting the RGP) which, unlike illegal highjacking schemes, is perfectly legitimate and leaves the registrant with no recourse.

Here's how it works. You mine whois data for domains having bad contact data (i.e. home.com email addresses, relocated businesses, people who might be on a two week vacation or otherwise unavailable, people whose email server has been hacked, etc.).

Once you have your collection of targets, you take out WLS subscriptions on the domain names. The real beauty is that you will get a jump on all of the folks who are going to be taking out speculative WLS positions in bulk on domain names which are approaching expiration (oh, yeah, in the imagination of ICANN, these people don't exist either, but they've already decided to make WLS subscriptions cheaper than the techniques currently in use to register expiring domain names, which undoes a primary policy rationale for WLS, but I digress). Be creative. Pick people whose incoming email you would like to read. Like, say, a US defense contractor.

Now you are ready to declare Jihad, um, I mean, light the 15-day fuses on the domain names you have selected. Complain to the registrar, complain to ICANN, complain to the Federal Trade Commission, do whatever you can to start that 15 day registrar verification cycle.

If all goes well, at the end of 15 days, you will have shaken a lovely bounty from the branches of the domain name tree into your waiting WLS net, without the annoyance of the Redemption Grace Period, and below the radar of circling expiring domain name vultures.

Among fruitful fields to pick are the thousands of domain name registrants who had subscribed to Verisign's "dot com biz card" service, which provided several bundled services along with a domain name, and which can be identified by the characteristic email address: no.valid.email@worldnic.com that Verisign assigned to these registrations, since Verisign handled all administrative services for these domain names. Mr. Touton and ICANN are apparently totally unaware of the extent of domain names having this email address as the administrative contact address, which was specifically singled out by Mr. Touton as a false email address, and hence these thousands of domain names are ripe for the picking.

Happy hunting. Incidentally, Mr. Mittal, and all of the employees of TheBeast.com are alive and well. His Verisign handle contact data will hopefully reach the top of his to-do list before it reaches someone else's.

whois -h whois.crsnic.net joesworld.com

Domain Name: JOESWORLD.COM
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: No nameserver
Updated Date: 16-apr-2002

whois -h whois.yesnic.com joesworld.com

No record found for domain joesworld.com.

In point of fact, I have no idea what is the purpose behind ICANN's letter to Verisign, but I doubt that the motivation had anything to do with improving services provided to domain name registrants or enhancing "stability" of the internet domain name system. Registrars are required to do a lot of things in accordance with the registrar accreditation agreement. They often do not. There is not a week which goes by where I am not a witness to unauthorized registrar transfers, domain hi-jackings, or other inexplicable registrar behavior in violation of the registrar accreditation agreement. As I noted, there have always been registrars who followed the 15 day verification policy, and it was a useful policy for dealing with certain spammers and some cybersquatters who used false contact data. If you provided the information to the registrar, along with some indication of what motivated the report, many registrars would exercise reasonable discretion in evaluating the report.

With the report form at internic.net, what we now have is a tool for unanticipated gamesmanship, especially in combination with the WLS. You can also use the report form for sending spam, since one function of the form is to send an email message to whatever email address is typed into the "reporter" field.

And don't kid yourself if you don't believe there are eager-beaver lawyers out there who consider failure to respond to a cease-and-desist letter, or to return their emails and phone calls, as a positive sign that the contact data is "bad". Some lawyers don't understand their relative social unpopularity, I suppose....

ICANN has indeed come out swinging at Verisign, but why THIS issue, and why now? Certainly this swing is not directed at routine policy violations that relate to issues of importance to domain name registrants (e.g. transfers, slamming, and hi-jacking). It is a characteristic feature of ICANN that the interests of domain name registrants are a distant runner behind policies designed to satisfy those interests which have a seat at the policy table, and also behind ICANN's own self preservation instincts.

Please don't get me wrong. Any hint from ICANN that they might someday have an interest in actually seeing whether people abide by their ICANN contracts is a welcome movement. Again, I have seen registrar representatives expressly laugh a the idea that ICANN would enforce accreditation terms, including a registrar who just last week told Mr. Touton personally what he could do with his interpretation of ICANN transfer policy.

Maybe I am too pessimistic, and maybe next week ICANN will turn its enforcement attention to terms of the accreditation agreement which are regularly ignored and which, if enforced, would inure to the benefit of domain name registrants. But I am not holding my breath.

In the meantime, however, we at least have the entertainment of playing WHOIS "gotcha" with people who are having problems updating their contact data. And I will keep beating the same dead horse that legitimate government is one which derives its authority from those governed. I'm not talking about some amorphous category of "internet users". Domain name registrants have no place at the very table at which the terms of their contracts are negotiated. And it will be a cold day in a warm place before ICANN enforces any of the conditions designed to protect those few interests of domain name registrants which are reflected in the relevant contracts. I will reserve the registrar data escrow rant for later, but it is a sure bet that one of the non-escrowed registrars will go belly-up long before the escrow system - also required by the accreditation contracts - is in place. You can take that to the bank.