ICANN Logo Letter from Louis Touton to Bruce Beckwith Regarding Breach of VeriSign Registrar's Accreditation Agreement (Whois Data Accuracy)
3 September 2002

3 September 2002

Via FedEx, Fax, and E-mail

Bruce Beckwith
Network Solutions, Inc. Registrar
505 Huntmar Park Drive
Herndon, VA 20170
Tel: 1-703-742-4817

Re: Notice of Breach of ICANN Registrar Accreditation Agreement

Dear Bruce:

This letter is a formal notice of seventeen instances of breaches of sections 3.3 and 3.7.8 of the Registrar Accreditation Agreement (RAA) that Network Solutions, Inc. Registrar (VeriSign Registrar) signed in May 2001. Under section 5.3.4 of the RAA, VeriSign Registrar has fifteen working days to cure the breaches described in this letter. If the breaches are not cured in that period, then ICANN may give notice of termination of the RAA, after which VeriSign Registrar may initiate arbitration to determine the appropriateness of termination.

Under section 3.3 of the RAA, each ICANN-accredited registrar has agreed to provide free public Whois service giving information about the registrations it sponsors in the registry. Among other elements, the information must include:

  • The name and postal address of the Registered Name Holder;
  • The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and
  • The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.

Section 3.7.8 of the RAA sets forth the obligations of ICANN-Accredited Registrars regarding the accuracy of Whois data. It provides as follows:

3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

This notice of breach concerns VeriSign Registrar's obligations under section 3.3, under which VeriSign agreed to provide specified Whois information for each sponsored domain name. It also concerns the second and third sentences of section 3.7.8 quoted above. In summary, in those sentences VeriSign Registrar agreed to take reasonable steps to investigate and correct its Whois data in response to any reported inaccuracy. Despite these promises, VeriSign Registrar appears frequently to publish incomplete Whois data, and to routinely ignore reports of inaccurate and incomplete contact data in its Whois database. The following are seventeen examples of VeriSign's failure to comply with its contractual obligations:

1. yorkstreethardware.com: On 21 February 2001, ICANN's Chief Registrar Liaison, Dan Halloran, sent you an e-mail pointing out that the contact details for yorkstreethardware.com were inaccurate. According to VeriSign's Whois data, the domain was registered to "Toto", residing at "the yellow brick road" in "Oz, KS 06750". (We also noted that you might want to consider whether the registrant's provision of that obviously false data constituted "willful provision of inaccurate or unreliable information," which is a breach of VeriSign's service agreement and a basis for cancellation of the registration.) On 21 May 2001, we sent you a follow-up note regarding the still-inaccurate data for this domain. Included was a link to a story in that day's NY Times in which the registrant admitted that she had registered the name with false data as a test "to see how easy it is." We asked you, some three months after the initial report, if you had indeed been able to confirm that the domain had been registered to "Toto", and if not if you could please "re-initiate the process of investigating and correcting the inaccuracy." It is now more than eighteen months after we notified you of the inaccuracy, and the domain is still registered to Toto at the yellow brick road, Oz, KS 06750. We have not even received any explanation of what specific steps VeriSign Registrar has taken to investigate and correct this situation.

2. kokorouta.net: On 15 June 2001, we forwarded a report to you indicating that VeriSign Registrar's Whois shows an apparently invalid e-mail address for the administrative contact for kokorouta.net: "no.valid.email@worldnic.com". It has been more than fifteen months since we sent the report, but the invalid e-mail address is still included in your Whois data today. And once again, we have no indication of the specific steps VeriSign Registrar took to resolve the inaccurate information.

3. dundjerski.com: On 24 January 2002, I wrote to VeriSign (Miriam Sapiro, Roger Cochetti, and Phil Sbarbaro) regarding the Whois data for dundjerski.com. A story in that morning's Los Angeles Times reported that the registrant of that domain had been told by a VeriSign representative that she could not have her personal information removed from the Whois database, but that she was given the following advice by VeriSign: "But they did tell me to just make up an address and put it in there. So that's what I did." My 24 January message to VeriSign noted that VeriSign's Whois database indicated that the mailing address for the administrative contact was "000 Blank St., No city, XX 00000" with a phone number of "123-123-1234". In that message I "strongly urge[d] VeriSign to take prompt and decisive actions to ensure that its Registrar business operates in a more responsible manner than reflected in the article, and to publicly reaffirm its commitment to accurate Whois data." You replied over a month later, on 5 March 2002, stating that VeriSign takes the subject of Whois accuracy "extremely seriously." You indicated that VeriSign was sending the registrant a letter requesting verification, and that "if no reply or update is received shortly, the domain will be deleted, in accordance with our existing procedures and contractual requirements." It has been almost six months since you wrote that, but the administrative contact address is still "000 Blank St., No city, XX 00000", and the phone number is still "123-123-1234".

4. internic-backbone.org: On 6 March 2002, we sent you a report concerning inaccurate contact data for internic-backbone.org. The data for that registration had what appeared to be an incomplete mailing address, and the telephone number for the contacts was listed only as "Restricted." We sent you reminders concerning this reported inaccuracy on 14 May 2002 and 18 June 2002. When the data still had not been corrected on 22 August 2002, we sent you (and your attorneys) a "final informal request" asking you to provide information about the status of your investigation. We finally did receive a status report on 27 August 2002, but it indicated (by copy of a letter to the registrant) that VeriSign Registrar had not even begun to take action to correct this data until 26 August 2002, nearly six months after you received the initial report.

5. sunnyside.com: On 24 April 2002, we sent you a report concerning the false telephone number for the administrative contact for sunnyside.com: "650-555-1212". We sent you a follow-up inquiry about the same problem on 14 May 2002. You wrote back on 16 May 2002 and told us to "feel assured that it is being addressed in as an expeditious manner as possible." It is now more than three months later, and the data still has not been corrected.

6. jaxx.net: On 7 May 2002, we sent you an e-mail requesting that you investigate and correct the whois data for jaxx.net. We pointed out that the administrative contact's telephone number was listed as "000-000-0000". It has been over three months since that notification, yet the false telephone number listing has not been corrected in VeriSign Registrar's Whois data, nor has VeriSign advised us what specific steps have been taken to investigate and correct the inaccuracies.

7. visosite.com: On 15 May 2002, we forwarded to you a report concerning inaccurate data for visosite.com. The report indicated that the mailing address for the registrant and contacts was inaccurate (the report included a link demonstrating that there is no "Walker Way" in Orangeburg, NY) and that the telephone number for the administrative contact was not functioning. Although over three months have passed since VeriSign Registrar received this report, it has not corrected the false data, nor has it advised us what steps have been taken to investigate and correct the situation.

8. fufus.com: On 18 May 2002, we directed to you a report concerning an invalid e-mail address in the Whois data for fufus.com: "no.valid.email@worldnic.com". On 27 May 2002, we sent you another note on this issue, including a copy of a message from a VeriSign Customer Service Representative who declined to investigate the inaccuracy – stating that "It is up to the current registrant to keep the domain information current." We asked you to carefully review this. It has been over three months, and the false data is still being published in VeriSign's Whois service. VeriSign has not stated what steps it has taken, nor given any explanation as to why its representative stated that it would not fulfill the promise it made in its registrar accreditation agreement to investigate and correct false data.

9. digeronimo.com: On 21 May 2002, we sent you a note concerning an invalid e-mail address in the Whois data for digeronimo.com: "no.valid.email@WORLDNIC.NET". Over three months have passed since that notification, yet VeriSign has not corrected the false data. Nor has VeriSign advised us what specific steps it has taken to investigate and correct the false data.

10. kasparatisco.com: On 23 May 2002, we forwarded to you a report concerning inaccurate contact details for kasparatisco.com. The report indicated that the information listed for the administrative contact was invalid – the law firm that answers at the telephone number listed for the administrative contact has never heard of the administrative contact, Sally Jocks. Although over three months have passed, this invalid data still had not been corrected as of the time of the sending of this letter. Nor have we been advised of the specific steps (if any) taken by VeriSign to investigate and correct this false data.

11. nsi-direct.com: On 13 June 2002, we sent you an e-mail asking VeriSign Registrar to correct inaccurate Whois data in the record for nsi-direct.com. The administrative contact e-mail address for that registration is still listed as "no.valid.email@WORLDNIC.NET". We sent a test message to that address last week – it bounced back with an indication that the address was not valid. Over two months after the initial report, the invalid data is still being reported in VeriSign's Whois service.

12. city-guide.com: On 18 June 2002, we forwarded to you an e-mail we had received that indicated that the telephone number for the contacts for city-guide.com ("813-562-5354") was disconnected. More than two months later, the telephone number has still not been updated VeriSign Registrar's Whois listings. Calling the listed number results in a message that "your call cannot be completed as dialed."

13. aboutsrichinmoy.com: On 10 July 2002, we sent you an e-mail reporting an inaccuracy in the Whois data for aboutsrichinmoy.com. As of today's date, over six weeks later, the registrant mailing address for that name is still listed as "1 xxx, NY, NY, 11432". We have not received any indication of the specific steps that VeriSign Registrar has taken to investigate and correct this clearly false data.

14. stepup.net: On 17 July 2002, we sent you a message indicating that VeriSign Registrar's Whois database was completely missing any data for stepup.net. As of today, the registry still reports that VeriSign Registrar sponsors this domain, but VeriSign Registrar's Whois server still reports no match. Your server still returns only the cryptic message "Domain not found locally, but Registry points back to local DB. Local Whois DB must be out of date."

15 and 16. animerica.com and japanh.com: On 19 July 2002, we sent you a report indicating that the contact details for animerica.com and japanh.com were inaccurate. The administrative contact telephone number for animerica.com was listed as all three's: "333-333-3333". The administrative contact telephone number for japanh.com was listed as all one's: "111-111-1111". The fax number was all two's: "222-222-2222". Each of these numbers (and also the phone number for the technical contact that they share) is inoperative. This data still had not been corrected as of the time this letter was being prepared – over one month later.

17. namezero.com: On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".) We asked you to investigate and correct this inaccurate information pursuant to RAA § 3.7.8. It has been over thirty days and the data still has not been corrected.

As noted above, section 5.3.4 of the Registrar Accreditation Agreement agreed in May 2001 between VeriSign and ICANN provides that notice of termination of VeriSign Registrar's accreditation may be given if these breaches are not cured within fifteen working days.

The pattern of neglect demonstrated by the above circumstances is troubling. In its May 2001 accreditation agreement (as well as in that agreement's predecessor), VeriSign agreed to publish complete Whois data, to undertake reasonable efforts to investigate every notification of Whois data inaccuracy it receives from any person, and to correct any inaccuracies found. The above recitation demonstrates that VeriSign Registrar has repeatedly taken what appears to be a cavalier attitude toward the promises it made.

As outlined in ICANN's recent "Registrar Advisory Concerning Whois Data Accuracy" http://www.icann.org/announcements/advisory-10may02.htm, registrars have a vital role in maintaining the accuracy of Whois data. We believe that advisory gives valuable guidance to registrars how they can act responsibly toward the public as well as complying with their contractual obligations. VeriSign Registrar's conduct has fallen far short of both its responsibilities to the public and its agreements. We therefore provide this formal notice of breach of VeriSign Registrar's accreditation agreement with ICANN.

ICANN's goal in this matter is to promote accuracy of Whois data, which requires cooperative efforts by VeriSign Registrar in meeting its obligations. We hope that VeriSign Registrar will act promptly to cure the breaches outlined in this letter, and will become more responsive and cooperative in dealing with data inaccuracies as they are discovered. Please feel free to contact me if you have any questions.


Best regards,


Louis Touton
Vice-President and General Counsel
ICANN

cc: W.G. Champion Mitchell, Executive Vice President and General Manager, VeriSign Mass Markets Division (by e-mail)
Bobby Turnage, Esq., VeriSign, Inc. (by FedEx, fax, and e-mail)
Phil Sbarbaro, Esq., VeriSign, Inc. (by e-mail)
Stuart Lynn, President and CEO, ICANN (by e-mail)


Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 04-Sep-2002
©2002 The Internet Corporation for Assigned Names and Numbers. All rights reserved.