You’ll want to pay very close attention to those annoying emails you get every year asking you to verify your Whois information – because failure to follow-up with those emails can mean that ICANN will force your Domain Name Registrar to suspend access to your site.
If that sounds like some kind of sick joke or like I’m over-reacting, then you may not have heard about how disastrous ICANN’s new WAP policy is. Let me explain what we're all in for.
ICANN’s Whois Accuracy Program (WAP)
At a high level, the Whois Accuracy Program means that whenever you register or transfer a domain – or change any of the contact info associated with that domain – you’ll get an email with a link that you have to click on to ‘verify’ that your Whois info is correct. Likewise, if an administrative email from your Domain Name Registrar bounces (say, a renewal reminder notice), you’ll then be sent a verification email as well. Failure to click on the link within 15 days means that your registrar MUST suspend the domain name in question.
If your domain gets suspended, you’ll then have to figure out how to verify your Whois information, and once you do so, your domain name will be released within 24 to 48 hours. An obvious best practice here would be to ensure that if you own domain names, your Whois contact info isn’t using mail-servers attached to the domain name in question.
Of course, if that sounds a bit scary (and it is), it’s also worth pointing out that owning a domain name has never been exactly trivial. Sure, anyone can do it, but if you’re not careful or diligent, you can and will miss any ‘renewal notices’ for your domain and can actually let your registration lapse. In one sense, the idea or notion of having to click on a link to verify your Whois information might not seem like that big of a problem or an imposition. But if you think very long about it, this new policy will likely have disastrous consequences.
For starters, what if this verification email gets snagged by your spam filter? Or, what if you’re finally on that two-week vacation you’ve been promising yourself for the past decade? Or, if you’re battling cancer? Or a whole host of other life-gets-in-the-way things? These what-if worries open up a whole new world for phishing attacks – especially for non-technical people who end up being paranoid that their domain name might end up being suspended.
As such, it’s not hard to see why some people are up in arms about this new policy. In fact, some of the best overviews of this policy come from a Domain Name Registrar – EasyDNS – who have done a great job of raising a warning cry about how terribly short-sighted this policy is – and about how disastrous it can and will be for domain name owners caught in the ‘crossfire’. One of their initial posts on this subject was entitled As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program – where they call out that despite all the forms of high-availability and redundancy that developers and sysadmins might throw at a web-site to keep it up, ICANN’s new policy can result in a web site being taken down by simply failing to click on a link sent in an email.
In a follow-up post, EasyDNS covers some additional details about this new policy – and outlines a huge number of concerns about ways in which this policy can, and will, backfire. Quite elegantly, they’ve summed this whole policy quite succinctly when they say that if you’re confused or concerned about this whole WAP policy, you can “Thank ICANN”:
You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendy, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We're simply out of our league here.
Granted, it’s arguable that complaining about this new policy is like screaming that the sky is falling – because maybe it won’t be THAT hard for domain name owners to get and click on emails with links to verify Whois info – and maybe non-technical users can be trained to watch out for phishing attacks that look like verification requests. My problem with the whole policy though, is that it’s next to useless and won’t do anything.
WAP is a Flawed Concept
By way of analogy, a few years ago the United States enacted a policy requiring all U.S. children venturing into Canada to have their own passports in order to regain access into the United States. Justification for this change in policy was that it would cut down on human trafficking – which, of course, is a lofty goal.
My hunch, though, is that this policy hasn’t even scratched the surface of the human trafficking problem over the border between Canada and the United States – simply because the criminals involved in these schemes don’t end up using legitimate border crossings like law-abiding tourists do. The end result is that politicians get to claim that they’re taking a “tough stance on crime,” law-abiding citizens bear the brunt of additional bureaucracy, and the slave trade continues unabated.
ICANN’s new policy smacks of the same sort of bureaucratic short-sightedness. Criminals or con artists who want to game the system only need wait a few days after purchasing new domains or changing contact info, click on a link that lets’ them “swear or affirm” that the bogus info they’ve provided is “accurate”, and then they’re free to perpetrate whatever evil they’ve done in the past.
In short, nothing has changed, other than giving criminals an extra hoop to jump through while legitimate, non-criminal, domain name owners have to bear the brunt of the inconvenience.
ICANN’s WAP policy won’t improve Whois data accuracy. And given the legitimate problems this policy can and will place on legitimate domain name owners, it is a disaster.