ICANN Law Enforcement Recommendations for Domain Registration and WHOIS Data Collection Revisions

The following documentation from the Internet Corporation for Assigned Names and Numbers (ICANN) relates to recommended changes to the standard agreements with registrars for collecting WHOIS data from registrants.  The changes were recommended by several international law enforcement agencies including the FBI, Royal Canadian Mounted Police, Serious Organizsed Crime Agency and the Australian Federal Police as a way to combat online crime.  A letter sent by European Commission Article 29 Data Protection Working Group to ICANN in late September stated that some of the proposed changes are likely illegal under European privacy law.  More information on the proposals and an upcoming “community consultation” on the proposed changes is available via ICANN.

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence 7 pages October 18, 2010 Download
ICANN Board – GAC Consultation: Law Enforcement Due Diligence Recommendations—Due Diligence and Registrar Accreditation Agreement 10 pages February 21, 2011 Download
Law Enforcement Due Diligence Recommendations for ICANN- Revisions to Part I, (9) – Collection and Maintenance of Registrant Data 2 pages May 14, 2012 Download
Law Enforcement Due Diligence Recommendations for ICANN- Revisions to Part I, (10) – Validation of Registrant Data 2 pages May 14, 2012 Download
ICANN Proposed Draft Registration Data Directory (WHOIS) Specification 6 pages June 3, 2012 Download
ICANN Proposed Draft WHOIS Accuracy Program Specification 2 pages June 3, 2012 Download
ICANN Proposed Draft Data Retention Program Specification 2 pages June 3, 2012 Download

Below are: 1) suggested amendments to the RAA and; 2) due diligence recommendations for ICANN to adopt in accrediting registrars and registries. Both are supported by the following international law enforcement agencies:

– Australian Federal Police;
– Department of Justice (US);
– Federal Bureau of Investigation (US);
– New Zealand Police;
– Royal Canadian Mounted Police;
– Serious Organised Crime Agency (UK)

The amendments are considered to be required in order to aid the prevention and disruption of efforts to exploit domain registration procedures by Criminal Groups for criminal purposes. The proposed amendments take account of existing EU, US, Canadian and Australian legislation and those countries commitment to preserving individual’s rights to privacy. These amendments would maintain these protections whilst facilitating effective investigation of Internet related crime.

I. Proposed Amendments to the RAA (May 21, 2009 version)

1) The RAA should not explicitly condone or encourage the use of Proxy Registrations or Privacy Services, as it appears in paragraphs 3.4.1 and 3.12.4. This goes directly against the Joint Project Agreement (JPA) ICANN signed with the United States Department of Commerce on September 25, 2006 which specifically states “ICANN shall continue to enforce existing (Whois) policy”, i.e., totally open and public WHOIS, and the September 30, 2009, Affirmation of Commitments, paragraph 9.3.1 which states “ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information.” Lastly, proxy and privacy registrations contravene the 2007 GAC Principles on WHOIS. If there are proxy and/or privacy domain name registrations, the following is recommended concerning their use:

a. Registrars are to accept proxy/privacy registrations only from ICANN accredited Proxy Registration Services;

b. Registrants using privacy/proxy registration services will have authentic WHOIS information immediately published by the Registrar when registrant is found to be violating terms of service, including but not limited to the use of false data, fraudulent use, spamming and/or criminal activity.

2) To RAA paragraph, language should be added to the effect “or knowingly and/or through gross negligence permit criminal activity in the registration of domain names or provision of domain name WHOIS information…”

9) Registrars and all associated third-party beneficiaries to Registrars are required to collect and securely maintain the following data:

(i) Source IP address

(ii) HTTP Request Headers

(a) From
(b) Accept
(c) Accept‐Encoding
(d) Accept‐Language
(e) User‐Agent
(f) Referrer
(g) Authorization
(h) Charge‐To
(i) If‐Modified‐Since

(iii) Collect and store the following data from registrants:

(a) First Name:
(b) Last Name:
(c) E‐mail Address:
(d) Alternate E‐mail address
(e) Company Name:
(f) Position:
(g) Address 1:
(h) Address 2:
(i) City:
(j) Country:
(k) State:
(l) Enter State:
(m) Zip:
(n) Phone Number:
(o) Additional Phone:
(p) Fax:
(q) Alternative Contact First Name:
(r) Alternative Contact Last Name:
(s) Alternative Contact E‐mail:
(t) Alternative Contact Phone:

(iv) Collect data on all additional add‐on services purchased during the registration process.

(v) All financial transactions, including, but not limited to credit card, payment information.

Share this: