Study on Whois Privacy & Proxy Service Abuse
24 September 2013 23:59 UTC
22 October 2013 23:59 UTC
Staff Report Due
12 November 2013 23:59 UTC
This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore, this study compares these privacy/proxy percentages to other methods used to obscure identity – notably, Whois phone numbers that are invalid.
These findings will help the community understand the role that privacy and proxy service abuse plays in obscuring the identities of parties engaged in illegal or harmful activities, including phishing, cybersquatting, hosting child abuse sexual images, advanced fee fraud, online sale of counterfeit pharmaceuticals, and more.
Section I: Description and Explanation
At the request of the GNSO Council, ICANN engaged the National Physical Laboratory (NPL) in the United Kingdom to test the hypothesis that "A significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator's identity."
To provide empirical data of use to Whois policy-making, NPL set out to measure whether the percentage of privacy/proxy use among domains engaged in various kinds of illegal or harmful Internet activities is greater than among domain names used for lawful Internet activities. Additionally, because privacy/proxy policy changes could prompt malicious registrants to elude contact in other ways, NPL also measured other methods used to obscure perpetrator identity – notably, invalid Whois phone numbers.
This study, led by Dr. Richard Clayton of the University of Cambridge, gathered large representative samples of domain names implicated in various illegal or harmful online activities, ranging from unsolicited phishing, typosquatting, and malware distribution to hosting child abuse sexual images, advanced fee fraud (also known as "419 scams"), and online sale of counterfeit pharmaceuticals. Key technical inputs were also provided by Professor Tyler Moore of Southern Methodist University and Dr Nicolas Christin of Carnegie Mellon University.
By examining sampled incidents and Whois data associated with domain names across the top five gTLDs – .biz, .com, .info, .net and .org – this study measured how often privacy or proxy services were abused by perpetrators (alleged and confirmed). Additionally, these results were compared to privacy/proxy use among domains engaged in lawful and harmless activities (e.g., banks and legal pharmacies), chosen to mirror studied illegal/harmful activities. Finally, researchers attempted to call registrants for a subset of these domain names not using privacy or proxy services, to determine whether they could in fact be contacted with only Whois data.
This draft report summarizes project activities, methodology, sampled data and findings, including statistical analysis of differences observed by the research team. These study findings will help the community understand the role that privacy and proxy service abuse plays in obscuring the identities of parties engaged in illegal or harmful Internet activities.
The GNSO Council is now seeking community review and feedback on the draft report. The purpose of this Public Comment period is to ensure that study results have been communicated clearly and to solicit feedback on desired clarifications (if any).
Section II: Background
As part of its effort to develop a comprehensive understanding of the gTLD Whois system, the GNSO Council expressed an interest in conducting an in-depth study of privacy and proxy service abuse among gTLD domain names registrants engaged in illegal or harmful Internet activities. At the GNSO's request, ICANN issued a Request for Proposal (RFP) in May 2010 describing a study to methodically analyze a representative sample of gTLD domains associated with a variety of illegal or harmful Internet activities. By comparing how often these "bad actors" use privacy/proxy services with overall privacy/proxy use, the GNSO hoped to prove or disprove its hypothesis that a significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services in order to obscure the perpetrator's identity.
After considering RFP responses received from researchers willing to undertake this Privacy/Proxy Abuse study, as well as questions raised by both researchers and reviewers, the GNSO Council decided to fund a somewhat revised study proposed by NPL. Specifically, NPL proposed studying many but not all of the illegal/harmful activities enumerated by the RFP, using samples obtained largely from "live feeds" and authoritative sources. NPL declined to study DoS attacks, DNS poisoning, IP theft, and on-line stalking using incidents submitted by victims, questioning their relevance and/or the ability to gather reliably representative samples.
In April 2011, this revised study was approved by the GNSO Council and awarded to NPL. When initiating this study, the GNSO Council asked that the study report expressly note that this study's purpose is only to analyze "bad actors". Notwithstanding the legal or harmless domain names studied here for comparison purposes, many legitimate privacy/proxy customers are unaccounted for within the scope of this study. This study does not attempt to measure privacy/proxy use or Whois accuracy across all gTLDs, as did broader studies such as that performed by NORC at the University of Chicago in 2010.
The findings from this study are intended to provide empirical data needed to understand the role that privacy and proxy service abuse plays in obscuring the identities of parties engaged in illegal or harmful activities. This empirical data will create a baseline for evaluating potential Whois and Privacy/Proxy service policy changes.
Section III: Relevant Resources
Whois Privacy and Proxy Service Abuse Study Draft Report [PDF, 624 KB]
Section IV: Additional Information
Whois Privacy/Proxy Abuse Study Terms of Reference [PDF, 321 KB]
Whois Privacy/Proxy Abuse Study Staff Report [PDF, 437 KB]
GNSO Council Motion April 2011
NPL Selected to Conduct a gTLD Whois Privacy and Proxy Abuse Study
Additional Whois studies have also been conducted at the request of the GNSO Council, as summarized at: http://gnso.icann.org/issues/whois/
Report of Public Comments