PREPARED STATEMENT OF
THE FEDERAL TRADE COMMISSION ON
THE INTEGRITY AND ACCURACY OF THE
“WHOIS” DATABASE
_____________
Before the
SUBCOMMITTEE ON COURTS, THE INTERNET,
AND INTELLECTUAL PROPERTY
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES HOUSE OF REPRESENTATIVES
Washington, D.C.
May 16, 2002
________________
Mr. Chairman, I am Howard Beales, Director of the Bureau of Consumer Protection at
the Federal Trade Commission. I am pleased to be here today to discuss the importance of
accurate domain registration information in the Whois database to our consumer protection
mission.
As you know, the Whois database is the popular name for a combination of
information directories containing registration information about website operators.
The FTC’s consumer protection efforts include fighting Internet fraud. Because
fraudulent website operators can defraud consumers quickly and disappear quickly, we need to
move just as quickly to find them and stop them. The Whois database – when it is accurate – can
help law enforcers quickly identify wrongdoers and their location, halt their conduct, and
preserve money to return to defrauded consumers. Inaccurate Whois data, however, help Internet
scam artists remain anonymous and stymie law enforcement efforts.
The testimony will begin with a general overview of the FTC and its enforcement authority, the challenges we have faced in fighting Internet fraud, and how we work to overcome those challenges. Second, we will discuss the importance of the Whois database to these efforts and the problems we encounter when Whois information is inaccurate. Third, we will address current registrar practices with respect to Whois information. Finally, the testimony will close with a few words about the balancing of privacy interests of domain registrants and the interest of other stakeholders in the transparency of Whois information.
I. The FTC’s Fight Against Internet Fraud
A. The FTC’s Law Enforcement Authority
The FTC is an independent agency charged with protecting consumers and promoting a
competitive marketplace. The cornerstone of the Commission’s mandate is Section 5 of the
Federal Trade Commission Act, which prohibits “unfair methods of competition” and “unfair or
deceptive acts or practices.”
The FTC focuses on stopping actions that threaten consumers’
opportunities to exercise informed choice. The FTC halts deception through civil actions filed by
its own attorneys in federal district court, as well as through administrative cease and desist
actions.
B. The Challenges Posed by Internet Fraud
The Internet and e-commerce have seen dramatic growth. The number of American
adults with Internet access has grown, by one estimate, from approximately 88 million in mid-2000 to more than 174 million in March 2002.
The Census Bureau of the Department of
Commerce estimated that in the fourth quarter of 2001, not adjusted for seasonal, holiday, and
trading-day differences, online U.S. retail sales were more than $10 billion, an increase of 13.1
percent from the fourth quarter of 2000. Total e-commerce sales for 2001 were estimated at
$32.6 billion, an increase of 19.3 percent from 2000.
Unfortunately, but not surprisingly, the e-commerce boom of the last several years has
created fertile ground for fraud. In 2001, close to 50,000 complaints - roughly 41 percent of all
complaints logged into the FTC’s fraud database, Consumer Sentinel, by various organizations
that year - were Internet-related.
There is real danger that the benefits of the Internet may not be fully realized if consumers identify the Internet with fraud operators. We need to act quickly to stop fraud, both to protect consumers and to protect consumer confidence in e-commerce. We have therefore made fighting Internet fraud a top priority. Since 1994, the FTC has brought more than 225 Internet-related law enforcement actions against 688 defendants and respondents, stopping consumer injury estimated at more than $2.1 billion.
The Commission faces a host of novel challenges in its efforts to combat fraud and deception online. Traditional scams - such as pyramid schemes and false product claims - thrive on the Internet. A colorful, well-designed Web site imparts a sleek new veneer to an otherwise stale fraud; and the reach of the Internet also allows an old-time con artist to think - and act - globally. Moreover, the architecture of the Internet itself has given rise to new high-tech scams that were not possible before the development of the Internet. Both traditional scams and the innovative ones exploit the global reach and instantaneous speed of the Internet. In addition, the Internet enables con artists to cloak themselves in anonymity, which makes it necessary for law enforcement authorities to act much more quickly to stop newly-emerging deceptive schemes before the perpetrators disappear. And because the Internet transcends national boundaries, law enforcement authorities must be more creative and cooperative to successfully combat online fraud.
C. The FTC's Efforts to Fight Internet Fraud
Given the speed with which Internet fraudsters can con consumers, the Commission has worked to identify problems and go after perpetrators rapidly. In light of the challenges posed by the borderless nature of the Internet, the Commission has worked to gather information from international sources and cooperate with its foreign counterparts through multilateral and bilateral efforts. Some of the tools we have used to accomplish these goals include the following:
∙ Databases: To gather information quickly, the Commission has developed Consumer
Sentinel, a web-based consumer complaint database that is accessible to more than 420
law enforcement organizations in the U.S., Canada and Australia.
In 2001, numerous
organizations in the U.S. and Canada contributed more than 200,000 consumer
complaints to Consumer Sentinel.
These complaints can help us identify trends and
target fraudsters quickly and efficiently.
∙ International Cooperation: The Commission cooperates with its international
counterparts to meet the challenges posed by cross-border fraud. The FTC is a member
of the International Marketing Supervision Network (IMSN), a group of 30 consumer
protection enforcement agencies that meets twice a year to discuss cross-border
cooperation.
Fifteen IMSN countries have launched econsumer.gov, a public website
where consumers can file cross-border e-commerce complaints online that are accessible
to law enforcement agencies in the member countries. The site is available in English,
French, Spanish and German.
Complaints from econsumer.gov can help us identify
trends and fraudsters on an international level. The FTC has also signed consumer
protection cooperation agreements with Canada, the U.K. and Australia, which have
enhanced our cooperation with these countries.
∙ Surf Days: The Commission also coordinates law enforcement Surf Days to help identify international fraudsters. During a typical surf day, law enforcers at the federal, state, local and international levels “surf” the Internet for a specific type of claim or solicitation that is likely to violate the law. When a suspect site is identified, the page is downloaded and saved as potential evidence. Frequently, the operator of the site is sent a warning that explains the law and provides a link to educational information. Often, investigators obtain the e-mail or postal address from Whois information in order to send such warnings. A law enforcement team later revisits the previously warned sites to determine whether they have remedied their questionable claims or solicitations. Sites that continue to make unlawful claims are targeted for possible law enforcement action. Surf days achieve visible results: to date, more than 250 law enforcement agencies and consumer organizations around the world have joined the FTC in approximately 33 surf days; collectively, they have identified more than 6,000 Internet sites making dubious claims. In each of these efforts, a significant percentage of the Web site operators who received a warning came into compliance with the law, either by taking down their sites or by modifying their claims or solicitations.
∙ Sweeps: The FTC also coordinates law enforcement sweeps, both domestically and
internationally, and here too Whois information can play an important role. In our
experience, “sweeps” of a particular area can generate substantial publicity, which can in
turn provide meaningful consumer education and further deter fraudulent conduct in that
area. In “Operation Top Ten Dot Cons,” for example, law enforcement agencies from
nine countries announced 251 law enforcement actions against online companies. More
recently, the FTC announced earlier this month that it had joined forces with 12 other
U.S. and Canadian agencies to form an International Netforce targeting deceptive spam
and Internet fraud. The agencies brought 63 law enforcement actions against Web-based
scams, ranging from auction fraud to bogus cancer cure sites, and sent more than 500
warning letters to senders of deceptive spam.
∙ Internet Training: Recognizing that law enforcement officials have to be one step ahead of the technology used by scam artists, the FTC has also hosted Internet training seminars. Since FY 2001, the Commission has educated more than 1,750 law enforcement personnel from more than 20 countries, 38 states, 23 U.S. federal agencies, and 19 Canadian agencies.
∙ Internet-Based Tools: The Commission also provides its staff with the tools they need to investigate high-tech fraud quickly, anonymously, and efficiently. The FTC’s Internet Lab is an important example. With high speed computers that are separate from the agency’s network and equipped with current hardware and software, the Lab allows staff to investigate fraud and deception in a secure environment and to preserve evidence for litigation. Staff often conducts Whois searches in the Internet lab.
III. The Importance of Whois Data
You have asked us to discuss the importance of accurate Whois data to our work. Such a discussion necessarily takes place against the backdrop of discussions about ICANN reform. Interested stakeholders are actively discussing various reform proposals.
It is hard to overstate the importance of accurate Whois data to our Internet investigations. In all of our investigations against Internet companies, one of the first tools FTC investigators use to identify wrongdoers is the Whois database. We cannot easily sue fraudsters if we cannot find them. We cannot even determine which agency can best pursue them if we are unable to figure out the country in which they are located.
The pace of Internet fraud makes it necessary to obtain rapidly the basic identifying
information about the operator of a website. The existing Whois database does not serve this
function as well as it could. Indeed, one survey on e-commerce issues by the Australian Taxation
Office found that 10 to 15 percent of the data in the Whois database is inaccurate.
A. FTC Experience with Inaccurate Whois Data
FTC investigations are being hampered by registration information that is not only false,
but sometimes blatantly so. For example, Whois information for “taboosisters.com,” a website
targeted in FTC v. Pereira,
indicated that the domain name was registered to a company located
at “4 Skin” Street in Amsterdam, with “Amanda Hugandkiss” listed as the administrative
contact. In FTC v. J.K. Publications, Inc.,
a Whois query for a website operated by the
defendants provided a street address of “here there, ca 10001” for the administrative and
technical contacts.
These examples do not appear to be isolated incidents. An informal sampling of Whois queries conducted by FTC staff turned up a number of domain names with facially false address information registered to “hacker,” “FBI,” “Bill Clinton,” “Mickey Mouse,” and “God.” Several recent searches have turned up false phone numbers such as 555 555-5555 and 888 888-8888. One recent search for Whois information listed the organization, administrative, technical and zone contact as “xxxxxxxxxxxxxx.” Another listed U.S. address information for a business that in fact operated from another continent.
Besides hampering our law enforcement investigations, inaccurate Whois data decreases the effectiveness of our Surf Days. As described above, the FTC and its law enforcement partners often “surf” the Internet for particular types of claims and send warning messages to sites that make potentially deceptive or misleading claims, following up later to determine if enforcement action is appropriate. Surfers rely on Whois data to find addresses for this purpose. If the Whois data are not accurate, the utility of the Surf Day as a law enforcement tool is diluted.
Problems with inaccurate Whois data were illustrated in a surf conducted by the FTC and
its law enforcement partners in connection with the recent “International Netforce” initiative
described above. One part of this initiative was a surf to test compliance with “remove me” or
“unsubscribe” options.
The object of the surf was to test whether “remove me” or “unsubscribe” options in spam
were being honored. From e-mail forwarded to the FTC’s database of unsolicited commercial e-mails by the participating agencies, we culled more than 200 e-mails that purported to allow
recipients to remove their name from a spam list. The agencies set up dummy e-mail accounts to
test the pledges. We discovered that most of the addresses to which they sent the requests were
invalid. Most of the “remove me” requests did not get through. Based on information gathered,
the FTC sent 77 letters warning spammers that deceptive “removal” claims in unsolicited e-mail
are illegal. We sent the letters to addresses listed in the Whois database. Interestingly, 16 of the
77 letters, or approximately 21 percent, were sent back to us because the addresses we obtained
from the Whois database were inaccurate. We have notified the registrars of this inaccuracy and
have encouraged them to take appropriate action.
The importance of law enforcement officials having access to accurate contact
information for commercial website operators has also been recognized internationally. In 1999,
the Organization for Economic Cooperation and Development (OECD), an international
organization consisting of 30 countries, issued consensus Guidelines on Consumer Protection in
Electronic Commerce. These Guidelines recommend that “businesses engaged in electronic
commerce with consumers should provide accurate, clear and easily accessible information about
themselves sufficient to allow, at a minimum . . . location of the business and its principals by
law enforcement and regulatory officials.”
Where this information is not provided on the
registered websites, the Whois database can provide an important supplementary resource for law
enforcers.
B. Registrar Responsiveness
The problem of inaccurate Whois information is compounded when registrars fail to act
promptly to suspend domain names registered by registrants who have willfully provided
inaccurate contact information. Under Registrar Accreditation Agreements between registrars
and ICANN, registrars must collect contact information from registrants and post such
information on a Whois service.
Suspension of a domain name for willful failure to provide
accurate contact information is within the discretion of the registrar.
However, registrars have
little incentive to suspend a domain name. Their failure to suspend a domain name can allow
anonymous fraudsters to remain online and have their sites viewed by thousands of consumers in
a short period of time.
Here is an anecdote illustrating how difficult it can be to suspend a domain name. At the
most recent meeting of the OECD’s Committee on Consumer Policy, which FTC Commissioner
Mozelle Thompson now chairs, OECD staff presented a paper on its experience trying to contact
a cybersquatter.
The OECD had let its registration for its French language site www.ocde.org
lapse. A cybersquatter bought the domain name and used it to post a pornographic site with an
offer to sell the domain name.
The Whois database indicated that the site had been registered
by “Domain For Sale,” located in Armenia, but the administrative and technical contact was an
employee of the American Institute of Architects in Washington, D.C. The OECD called this
individual and found that Domain For Sale had falsely listed him as a contact. The OECD
demonstrated to the registrar that Domain For Sale had willfully provided false contact
information. Rather than suspend Domain For Sale’s registration, the registrar sent an e-mail to
Domain For Sale, giving it fifteen days to correct its registration.
Domain For Sale modified its registration information, but the new information was on
its face incomplete, as it did not list a person as a contact for the company, in violation of the
Registrar Accreditation Agreement.
The registrar offered to de-register Domain For Sale only
if OECD would indemnify the registrar for any breach of contract claim, the registrar’s legal
expenses in responding to OECD’s complaint, and two years’ potential loss of registration
business from Domain For Sale, which had 113 registrations with that particular registrar. The
OECD refused and submitted affidavits from Armenian government officials stating that there
was no legal entity registered at the address Domain For Sale had listed as its contact
information. Only after some additional correspondence between the OECD and the registrar
over a period of about one month was the registrar prepared to return the name to the OECD.
According to the OECD, the registrar failed to suspend the registration even after the
OECD had twice shown that the registrant willfully submitted false contact information. Thus,
OECD did not have access to www.ocde.org for almost two months.
By analogy, if a
fraudulent website remains posted for a two-month period, it could cause consumers substantial
injury.
IV. Current Registrar Practices with Respect to Whois Information
Current registrar practices with respect to accuracy of Whois information vary, depending
on the type of registrar at issue. All registrars for generic Top Level Domains (gTLDs),
including .com, .net, .org, .biz, .info and .name, are required to comply with ICANN’s Registrar
Accreditation Agreement.
This Agreement contains provisions requiring registrars to collect
accurate contact information from registrants and post such information on a Whois site. ICANN
does not currently have any contractual provisions in place for most country code Top Level
Domains (ccTLDs), such as .uk for the United Kingdom or .de for Germany. Registrar practices
for these ccTLDs vary widely.
The following discusses each of these areas in turn.
A. Generic TLDs
ICANN’s Registrar Accreditation Agreements with the gTLD registrars include some
noteworthy provisions that illustrate ICANN recognition of the benefits of accurate Whois data.
For example, the Agreement specifies that “a Registered Name Holder’s willful provision of
inaccurate or unreliable information, its willful failure promptly to update information provided
to Registrar, or its failure to respond for more than fifteen calendar days to inquiries by Registrar
concerning the accuracy of contact details associated with the Registered Name Holder’s
registration shall constitute a material breach of the Registered Name Holder-registrar contract
and be a basis for cancellation of the Registered Name registration.”
The Accreditation
Agreement also requires that, if registrars are notified of an inaccuracy in the registration
information, they should “take reasonable steps to investigate that claimed inaccuracy.”
The FTC Bureau of Consumer Protection letter to the ICANN DNSO Names Council
dated August 6, 2001, mentioned earlier, had asked ICANN to work with registrars to implement
and enforce the provisions of its Registrar Accreditation Agreement that ensure the completeness
and accuracy of Whois data. There is some room for improvement in the Registrar Accreditation
Agreements that could address our concerns.
First, it would be extremely useful if registrars would weed out blank or incomplete
registration forms, as well as some of the obviously false information that undermines the
integrity of the Whois database. Second, it would be very useful to us if registrars could be
required to suspend a domain registration upon willful failure to provide accurate contact
information, or failure to correct inaccurate contact information, until accurate information is
obtained. The current ICANN Registrar Accreditation Agreements leave cancellation of a
domain registration in these circumstances to the registrar’s discretion.
This policy is
problematic for two important reasons. As noted above, registrars have little incentive to
suspend a domain name. Without a suspension requirement, scam artists are free to perpetrate
fraud anonymously. In addition, registrars that adopt relaxed policies on accurate contact
information may attract businesses seeking anonymity, creating havens for bad actors to shield
their true identity from law enforcement and others. The OECD experience described above
shows the consequences of lack of registrar cooperation: when registrars refuse to suspend
domain registrations, websites operating for nefarious purposes can continue to operate on the
Internet unchecked.
Although the Registrar Accreditation Agreements contain many important provisions for
ensuring accuracy of domain registration information, these provisions have not solved the
problem of inaccurate data described above. We believe it is worth examining whether registrars
should have additional obligations to suspend registrations for failure to provide accurate
information under Section 3.7.7.2 of the Registrar Accreditation Agreement and to implement
reasonable up-front verification procedures for accuracy of contact information provided.
B. Country-Code TLDs
Websites operating from the two-letter country-code top-level domains (ccTLDs) are likely to become increasingly important to our Internet fraud efforts. Websites operating from ccTLDs are viewable by U.S. consumers, and an increasing number of our actions involve foreign-based websites targeting U.S. consumers.
Registration of domain names within ccTLDs is administered by country-code registry
managers. The rules and policies for registering domain names in the ccTLDs vary significantly,
and the ccTLD registry managers do not have uniform rules on collection and publication of
contact information for domain registrants.
Thus, the policies on disclosure of Whois
information for domains registered with ccTLDs vary widely, and unavailability of such
information can hinder our investigations. For example, the public Whois database for the .uk
TLD (United Kingdom) provides only the name of the registrar and no contact information for the
domain registrant.
The .ie (Ireland) public Whois service only provides the name of the person
who registered the website, but no contact information.
The .cn Whois service for China
provides virtually no public information.
ICANN’s existing ccTLD Sponsorship Agreements with Australia and Japan state that
ccTLD registry managers should obtain, maintain and provide public access to accurate and up-to-date contact information for domain name registrants consistent with ICANN policies.
Neither of these agreements prescribes detailed rules for what information should be collected
and what information should be published. The Australian ccTLD registry manager seems to
provide contact information, including name, address, telephone number, fax number and e-mail
address, for the registrant, whereas the Japanese ccTLD registry manager seems to only provide
the name of the registrant.
ICANN’s model ccTLD Sponsorship Agreement and ICANN’s
Governmental Advisory Committee Principles for Delegation and Administration of ccTLDs
Presented contain the same provision as the .jp (Japan) and .au (Australia) ccTLD sponsorship
agreements on public access to contact information of registrants.
It would be extremely useful for our law enforcement purposes for the ccTLD registry
managers to implement measures to improve accuracy and accessibility of Whois data for ccTLD
registrants. For the reasons that we have outlined, we will continue to work with businesses,
consumer groups, governments, international organizations and other stakeholders to advocate
internationally the importance of collecting accurate contact details for ccTLD registrants to
assist law enforcers in their efforts to protect consumers from Internet fraud.
V. Privacy Issues
Finally, there are tradeoffs between transparency of domain registrant information and
personal privacy. The FTC has a unique perspective on these issues, given that we are a law
enforcement agency that has committed substantial resources to protecting consumers’ privacy.
There are legitimate privacy interests at stake for websites, especially those developed for
personal or political purposes. At the same time, there are often legitimate reasons for making
such information available to law enforcers and/or the public.
For commercial websites, we believe the balance weighs in favor of public disclosure of
basic registrant contact information. Once a company decides to sell products on the Internet, it
should be accountable to the public so that the public can determine who the company is and
where it operates from. The OECD Guidelines on Electronic Commerce cited above affirm these
principles. The Guidelines state that consumers should have information about commercial
websites “sufficient to allow, at a minimum, identification of the business. . .[and] prompt, easy
and effective consumer communication with the business.”
This provision represents a
consensus among the 30 member countries of the OECD as to the minimum information that
consumers should be able to obtain about businesses operating websites. Because some online
businesses do not provide sufficient identifying information on their websites, Whois information
can provide consumers with a useful supplement.
With respect to websites registered by individuals, such as websites registered under the
.name Top Level Domain,
or websites registered for non-commercial purposes, there are
different considerations to balance. On one hand, these individuals and website operators have
legitimate privacy concerns. On the other hand, a fraudster should not be permitted to hide from
law enforcement authorities simply by registering under the .name TLD or by claiming
registration for non-commercial purposes. It is also important in this context to consider both the
question of what disclosure to the public is warranted and the question of what disclosure to law
enforcement is warranted. We are continuing to work through international organizations,
businesses and consumer groups to develop workable solutions that balance the privacy interests
with the interests in transparency of Whois data.
VI. Conclusion
In short, our Internet fraud enforcement efforts require quick identification of problems, quick identification of perpetrators, and the ability to gather information about international entities and organizations. Accurate Whois data is essential to these efforts, and inaccurate data can significantly frustrate them. We look forward to continuing to work with this Subcommittee and all international stakeholders toward improving accuracy of Whois information.
Mr. Chairman, the FTC greatly appreciates this opportunity to testify. I would be happy to answer any questions that you and other Members may have.