Internet Management
Prevalence of False Contact Information for Registered Domain Names Gao ID: GAO-06-165 November 4, 2005Individuals or organizations seeking to register the names of their Web sites may provide inaccurate contact information to registrars in order to hide their identities or to prevent members of the public from contacting them. Contact information is made publicly available on the Internet through a service known as Whois. Data accuracy in the Whois service can help law enforcement officials to investigate intellectual property misuse and online fraud, or identify the source of spam e-mail, and can help Internet operators to resolve technical network issues. GAO was asked, among other things, to (1) determine the prevalence of patently false or incomplete contact data in the Whois service for the .com, .org, and .net domains; (2) determine the extent to which patently false data are corrected within 1 month of being reported to ICANN; and (3) describe steps the Department of Commerce (Commerce) and ICANN have taken to ensure the accuracy of contact data in the Whois database.
Based on test results, GAO estimates that 2.31 million domain names (5.14 percent) have been registered with patently false data--data that appeared obviously and intentionally false without verification against any reference data--in one or more of the required contact information fields. GAO also found that 1.64 million (3.65 percent) have been registered with incomplete data in one or more of the required fields. In total, GAO estimates that 3.89 million domain names (8.65 percent) had at least one instance of patently false or incomplete data in the required Whois contact information fields. Of the 45 error reports that GAO submitted to the Internet Corporation for Assigned Names and Numbers (ICANN) for further investigation--one for each domain name with patently false contact data that GAO found in a random sample of 900--11 domain name holders provided updated contact information that was not patently false within 30 days after GAO submitted the error reports to ICANN. One domain name, which had been pending deletion before submission to ICANN, was terminated after GAO submitted the error report. The remaining 33 were not corrected. Commerce and ICANN have taken steps to ensure the accuracy of contact data in the Whois database. In addition to implementing a Registrar Accreditation Agreement that requires registrars to investigate and correct any reported inaccuracies in the contact information, they have amended their memorandum of understanding to require ICANN to continue assessing the operation of the Whois service and to implement measures to secure improved accuracy of data. Commerce and ICANN officials generally agreed with a draft of this report.
GAO-06-165, Internet Management: Prevalence of False Contact Information for Registered Domain Names
This is the accessible text file for GAO report number GAO-06-165
entitled 'Internet Management: Prevalence of False Contact Information
for Registered Domain Names' which was released on December 7, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO Highlights:
Highlights of GAO-06-165, a report to the Subcommittee on Courts, the
Internet, and Intellectual Property, Committee on the Judiciary, House
of Representatives:
Why GAO Did This Study:
Individuals or organizations seeking to register the names of their Web
sites may provide inaccurate contact information to registrars in order
to hide their identities or to prevent members of the public from
contacting them. Contact information is made publicly available on the
Internet through a service known as Whois. Data accuracy in the Whois
service can help law enforcement officials to investigate intellectual
property misuse and online fraud, or identify the source of spam e-
mail, and can help Internet operators to resolve technical network
issues.
GAO was asked, among other things, to (1) determine the prevalence of
patently false or incomplete contact data in the Whois service for the
.com, .org, and .net domains; (2) determine the extent to which
patently false data are corrected within 1 month of being reported to
ICANN; and (3) describe steps the Department of Commerce (Commerce) and
ICANN have taken to ensure the accuracy of contact data in the Whois
database.
What GAO Found:
Based on test results, GAO estimates that 2.31 million domain names
(5.14 percent) have been registered with patently false data”data that
appeared obviously and intentionally false without verification against
any reference data”in one or more of the required contact information
fields. GAO also found that 1.64 million (3.65 percent) have been
registered with incomplete data in one or more of the required fields.
In total, GAO estimates that 3.89 million domain names (8.65 percent)
had at least one instance of patently false or incomplete data in the
required Whois contact information fields. The table below shows the
estimated number of instances of patently false data for each of the
three types of contact information within each generic top-level domain.
Of the 45 error reports that GAO submitted to the Internet Corporation
for Assigned Names and Numbers (ICANN) for further investigation”one
for each domain name with patently false contact data that GAO found in
a random sample of 900”11 domain name holders provided updated contact
information that was not patently false within 30 days after GAO
submitted the error reports to ICANN. One domain name, which had been
pending deletion before submission to ICANN, was terminated after GAO
submitted the error report. The remaining 33 were not corrected.
Commerce and ICANN have taken steps to ensure the accuracy of contact
data in the Whois database. In addition to implementing a Registrar
Accreditation Agreement that requires registrars to investigate and
correct any reported inaccuracies in the contact information, they have
amended their memorandum of understanding to require ICANN to continue
assessing the operation of the Whois service and to implement measures
to secure improved accuracy of data.
Commerce and ICANN officials generally agreed with a draft of this
report.
Prevalence of Patently False Contact Information (in millions;
percentages in parentheses):
[See PDF for image]
Source: GAO analysis of test results.
Note: Margin of error is ±5 percent or less at the 95 percent
confidence level. Some domain names contained both patently false and
incomplete information and so percentages do not add up to 100.
[End of table]
What GAO Recommends:
www.gao.gov/cgi-bin/getrpt?GAO-06-165.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda Koontz, 202-512-
6250, koontzl@gao.gov, or Keith Rhodes, 202-512-6412, rhodesk@gao.gov.
[End of section]
Report to the Subcommittee on Courts, the Internet, and Intellectual
Property, House of Representatives:
November 2005:
Internet Management:
Prevalence of False Contact Information for Registered Domain Names:
GAO-06-165:
Contents:
Letter:
Appendix:
Appendix I: Prevalence of False Contact Information for Registered
Domain Names:
Abbreviations:
DNS: domain name system:
ICANN: Internet Corporation for Assigned Names and Numbers:
IP: Internet Protocol:
IRIS: Internet Registry Information Service:
MOU: memorandum of understanding:
RAA: Registrar Accreditation Agreement:
Letter November 4, 2005:
The Honorable Lamar Smith:
Chairman:
Subcommittee on Courts, the Internet, and Intellectual Property:
Committee on the Judiciary:
House of Representatives:
The Honorable Howard Berman:
Ranking Minority Member,
Subcommittee on Courts the Internet, and Intellectual Property:
Committee on the Judiciary:
House of Representatives:
Individuals or organizations seeking to establish sites on the World
Wide Web are required to register the names of the sites with
authorized domain name registrars. These registrars, who operate under
agreement with the Internet Corporation for Assigned Names and Numbers
(ICANN), also collect contact information from the registrants and make
the information publicly available on the Internet through a service
known as Whois. Although registrants are required to provide accurate
contact information during the domain name registration process, they
may supply false or incomplete information in order to hide their
identities or to shield themselves from being contacted by members of
the public.
This report responds to your request that we (1) determine the
prevalence of patently false[Footnote 1] or incomplete contact data in
the Whois service for the three "legacy" generic top-level domains
(.com, .org, and .net); (2) determine the extent to which patently
false data identified through our analysis were corrected within 1
month of being reported to ICANN and the types of businesses associated
with the domain names containing patently false data; (3) describe the
steps the Department of Commerce (Commerce) and ICANN have taken to
ensure the accuracy of contact data in the Whois database; and (4)
describe the tools and techniques intended to reduce the amount of
false information in the Whois service.
To address the first objective, we obtained "zone files" maintained by
Verisign, Inc., and the Public Interest Registry.[Footnote 2] These
files listed all registered Internet domain names for the three legacy
generic top-level domains as of February 2005. After selecting random
samples of 300 domain names from each of the three zone files for .com,
.net, and .org, we performed online Whois searches to obtain contact
information for each domain name. Finally, we assessed the contact
information for each domain name in our random samples to identify data
that are incomplete or patently false. To address the second objective,
we submitted error reports to ICANN for Whois data entries we
identified as patently false and re-examined the same entries after 30
days to determine whether actions had been taken to correct the false
data. For the third objective, we interviewed officials from federal
agencies and ICANN to identify actions taken to improve the accuracy of
contact data in the Whois database, and reviewed the memorandum of
understanding between Commerce and ICANN and other contractual
agreements. For the final objective, we obtained and documented
information from federal agency officials and selected registrars
regarding the availability of tools and technologies that could aid in
reducing the false contact data in the Whois service. We completed our
work in Washington, D.C. between December 2004 and August 2005 in
accordance with generally accepted government auditing standards.
In summary, we estimate that 2.31 million domain names (5.14 percent)
have been registered with patently false data in at least one of the
required contact information fields. In addition, we estimate that 1.64
million domain names (3.65 percent) have incomplete information in one
or more of the required fields. In total, we estimate that 3.89 million
domain names (8.65 percent) had at least one instance of patently false
or incomplete data in the required Whois contact information fields.
Of the 45 error reports that we submitted to ICANN for further
investigation--one for each domain name with patently false contact
data that we found in our random sample of 900--11 domain name holders
provided updated contact information that was not patently false within
30 days after we submitted the error reports to ICANN. One domain name,
which had been pending deletion before our submission to ICANN, was
terminated after we submitted the error report. The remaining 33 were
not corrected. Of the 45 domain names, 19 were Web sites that were
unavailable, under construction, or had no significant content, while 6
had unknown foreign-language content. The remaining 20 were associated
with a wide variety of businesses, including Web search portals, adult
content and merchandise, IT consulting services and information,
general information, retail merchandise, and other online services.
Commerce and ICANN have taken steps to ensure the accuracy of contact
data in the Whois database, including implementing a Registrar
Accreditation Agreement that requires registrars to investigate and
correct any reported inaccuracies in Whois contact information for the
domain names they register, and an amendment to their memorandum of
understanding that required ICANN to implement measures to improve the
accuracy of Whois data. ICANN has also published additional information
and guidance for registrars regarding their obligations to investigate
and correct data inaccuracies, and implemented a system to receive and
track complaints about inaccurate and incomplete data. ICANN recognizes
that more can be done and is planning to take further steps, including
enhancing the system, hiring additional staff to conduct follow-up to
ensure that reported inaccuracies are addressed, and seeking
recommendations from a task force formed to address data accuracy
issues.
We identified two technologies and tools intended to help reduce false
contact information in the Whois database. They are (1) the Internet
Registry Information Service protocol, which provides tiered access to
sensitive contact information and, thus, would encourage the submission
of more accurate information; and (2) Support Intelligence's Trust
Factor product, which could be used to assess the validity of contact
information against public information stored in commercial databases.
While both tools have the potential to help reduce false contact
information, neither is widely implemented by registrars and
registries. We did not determine the effectiveness of such technologies
and tools in reducing inaccuracies in the Whois service.
On August 30, 2005, we provided your staff with briefing slides on the
results of our study. This report provides you with the published
briefing slides, included as appendix I to this report. We received
comments, via E-mail, on a draft of this report from the Deputy Chief
Counsel of Commerce's National Telecommunications and Information
Administration, and ICANN's Deputy General Counsel. Both Commerce and
ICANN generally agreed with the information presented in the draft
report. A technical comment provided by Commerce has been addressed as
appropriate.
As we agreed with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution until
30 days from the date of this letter. At that time, we will send copies
of this report to the Secretary, Department of Commerce; Chairman and
Ranking Minority Members, House Committee on the Judiciary; and other
interested congressional committees. Copies of this report will also be
made available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at www.gao.gov.
If you or your staff have any questions concerning this report, please
contact Linda Koontz at (202) 512-6240 or [Hyperlink, koontzl@gao.gov];
or Keith Rhodes at (202) 512-6412, or [Hyperlink, rhodesk@gao.gov].
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. Other major
contributors to this report included James Ashley, Barbara Collier,
John de Ferrari, Mark Fostek, Wilfred Holloway, Steven Law, and Amos
Tevelow.
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
Director, Center for Technology and Engineering:
[End of section]
Appendixes:
Appendix I: Prevalence of False Contact Information for Registered
Domain Names:
[See PDF for images]
[End of slide presentation]
[End of section]
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
(310745):
FOOTNOTES
[1] For the purpose of this report, we define "patently false data" as
data that appeared obviously and intentionally false without
verification against any reference data.
[2] Verisign, Inc. is the designated administrator (called a registry)
that is responsible for managing domain names and setting policy for
the .net and .com top-level domains. The Public Interest Registry is
responsible for managing the .org domain.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
