February 6, 2021

NCOSE joins NTIA, Food & Drug Administration, Homeland Security, and more in asking Congress for more secure, accountable policy around WHOIS

The National Center on Sexual Exploitation stands with many respected stakeholders who are also calling on the U.S. Congress to take action for a safer, secure, and more accountable Internet by ensuring a “thick-WHOIS” process that allows law enforcement and other key entities access to contact information for owners of top-level domains.

Transparency and accountability are necessary for child safety, cybersecurity, consumer protection, intellectual property, and many other reasons.

ICANN, generally known as the nonprofit in charge of running the Internet, and some of its members have essentially enabled a “dark-WHOIS” on their own accord, which removes contact information for owners of domains. This makes it nearly impossible for law enforcement to stop bad actors.

The letters linked to below are from key stakeholders outlining their concerns with this move by ICANN.

Verisign, as the largest registry with exclusive management over the .com and .net  generic top-level domains, is leading the charge within ICANN to move to a dark WHOIS. While the letters below do not specifically name Verisign, The National Center on Sexual Exploitation is highlighting Verisign’s role by naming them to the 2021 Dirty Dozen List which highlights mainstream entities facilitating sexual abuse and exploitation.

More than 70% of all webpages identified as containing child sexual abuse images were found on the Verisign-managed .com and .net  domains according to the 2019 report from The Internet Watch Foundation. None of the other 1200+ generic top-level domains accounted for more than 1%.  While some other registries and registrars are working to disrupt domains associated with child sexual abuse material, Verisign refuses to take meaningful action and instead inhibits attempts to protect children. Verisign’s refusal to move towards a Thick WHOIS and their advocacy instead for a Dark WHOIS is example of this. This is particularly unacceptable given that Verisign is a publicly-traded U.S. company with 2019 annual revenues in excess of $1.23 billion.

We join with these following entities in calling on Congress to take action now.

Coalition for Online Accountability letter to U.S. House Committee on Energy and Commerce – January 2021

Read the full letter here

Excerpt:

“…Our prior letter described in detail how the ongoing lack of access to WHOIS data obstructs law enforcement investigations and those of organizations devoted to protecting consumers safety, child safety and intellectual property. The resulting dramatic increase in online abuse of all kinds, from child sexual abuse, to cybersecurity attacks, to COVID-9 related fraud, has been well documented…” 

U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) – December 2020

Read the full letter here.

Excerpt:

“…For many years, NTIA, under several different Administrations, has sought to ensure that WHOIS data is accurate and accessible. The importance of this data cannot be overstated. Having access to contacts for websites and domain names is essential for law enforcement, cybersecurity, and IP interests.

Specifically, the statement expressed the following public policy concerns about the recommendations:

  • Proposes a fragmented rather than centralized disclosure system,
  • Lacks enforceable standards to review disclosure decisions,
  • Fails to sufficiently address consumer protection and consumer trust concerns,
  • Does not offer reliable mechanisms for the System for Standardized Access/Disclosure (SSAD) to evolve in response to increased legal clarity, and
  • May impose financial conditions that risk an SSAD that calls for disproportionate costs for its users including those that detect and act on cyber security threats.

Moreover, the recommendations failed to address the following basic issues:

  • Measures to ensure data accuracy,
  • Policies to allow freely-given consent or objection to disclosure of data at the time ofdomain name registration,
  • Rules that distinguish between natural and legal entities and
  • Efforts to examine the feasibility of unique contacts to have a uniform anonymized email address.

Meanwhile, federal and local law enforcement, cybersecurity industries, and the business and IP communities continue to have their efforts hampered.

NTIA encourages the Committee to explore alternate approaches to providing federal and local law enforcement, cybersecurity industries, the business and the IP communities—as well as small businesses and the public— prompt and effective access to information they need to build a safe, secure, and trustworthy internet…”

The Coalition for a Secure & Transparent Internet Letter to U.S. Senate Committee on Commerce, Science & Transportation  – December 2020

Read the full letter here.

Excerpt:

“…WHOIS information has historically been used by law enforcement, consumer advocacy groups, third-party investigators, intellectual property holders and others to identify who is behind a domain name or website. If the registrant of a website or domain is conducting illegal or otherwise malicious activity, investigators can access information about the registrant to pursue legal avenues as well as identify other, potentially dangerous domains that are also attributed to that registrant. In this way, WHOIS is critical to our ability to identify, end as well as proactively prevent cybercrimes, exploitation, intellectual property theft and other harmful activity…”

U.S. Food & Drug Administration Letter to U.S. Rep. Robert E. Latta – August 2020

Read the full letter here.

Excerpt:

“Access to WHOIS information has been a critical aspect of FDA’s mission to protect public health.

WHOIS data has also been widely used in FDA’s criminal investigations to identify individuals and organizations selling online a variety of unapproved/uncleared/unauthorized products such as opioids, counterfeit or adulterated drugs as well as purported dietary supplements containing deleterious or undeclared ingredients. Most recently, lack of WHOIS transparency significantly hindered FDA’s ability to identify sellers of fraudulent and unproven treatments for COVID-19 as well as illegitimate test kits and counterfeit or substandard personal protective equipment. These cases range from a simple website marketplace to sophisticated transnational cybercrime networks involving thousands of websites, hidden servers, dark web applications and virtually linked co-conspirators. Many of these criminal conspiracies were linked or identified via historical WHOIS analysis…”

U.S. Immigration and Customs Enforcement Homeland Security Investigations (HSI) Letter to U.S. Rep. Robert E. Latta – July 2020

Read the full letter here.

Excerpt:

“…HSI uses domain name registration information, previously available via online WHOIS query, to aid in the identification of persons or entities responsible for registering domains that are used to conduct a wide variety of crimes, which include intellectual property crimes, cyber-crimes (such as theft of personally identifiable information [PII] and credit card information), crimes related to illegal importation and exportation of goods, and the promotion and distribution of child sex abuse material.

HSI used WHOIS data regularly prior to the implementation of GDPR in May 2018. Subsequent to GDPR, the inability to conduct instant electronic queries has added an extra step and slowed down the investigative process…”

U.S. Federal Trade Commission Letter to U.S. Rep. Robert E. Latta – July 2020

Read the full letter here.

Excerpt:

“…Before the GDPR took effect in May 2018, the FTC and other consumer protection and law enforcement agencies routinely relied on the publicly-available registration information about domain names in WHOIS databases to investigate wrongdoing and combat fraud. The FTC uses this information to help identify wrongdoers and their locations, halt their conduct, and preserve money to return to defrauded victims. Our agencies may no longer rely on this information because, in response to the GDPR, ICANN developed new policies that significantly
limit the publicly available contact information relating to domain name registrants. For example, before the GDPR went into effect, the FTC could quickly and easily obtain detailed information about the name, address, telephone number and email of the domain name registrant by typing a simple query. Since May 2018, however, we generally must request this information directly from the particular registrar involved. This can be a time-consuming and cumbersome process.

The FTC would benefit from greater and swifter access to domain name registration data…”

LEARN MORE AT EndSexualExploitation.org/verisign.

Further Reading

Related