New laws and market developments focus attention on the accuracy of registration data
Data validation is a trending topic in the ICANN community
Globally, most domain names are registered without the registrant's details being validated. High registration volumes, combined with the low cost of the average domain name, leave little scope for thorough identity checking. However, it looks as if the landscape may soon be changing. Various regulatory developments suggest that companies active on the domain name market will be given significant registrant data validation responsibilities in the years ahead. What are the implications for organisations thinking of applying for their own domain name extensions?
Spotlight on domain name abuse
With criminals increasingly moving their activities online, interest in DNS abuse -- the abuse of domain names for criminal purposes -- has intensified. Particular attention has focused on phishing, botnet deployments and spam. Although the Domain Name System (DNS) isn't where criminal activity takes place, fraudsters use the DNS to cover their tracks or present themselves as legitimate businesses. Furthermore, domain names can be useful for tracing cybercriminals. In 2020, for example, SIDN BrandGuard detected more than 30,000 potential phishing websites. The ability to quickly validate registrant data is vital for tackling such sites.
Legislation in the pipeline
European Commission proposal on accuracy of registration data raises numerous questionsEvery year, the cost of cybercrime increases. And, around the world, legislation and regulations are being tightened in response. In December, for example, the European Commission proposed a Revised Directive on the Security of Network and Information Systems (NIS2), with increased focus on the role of the DNS. The Commission's proposal highlights the importance of accurate and complete registrant data for the prevention of DNS abuse (albeit without clarifying what 'accurate and complete' implies). Our Legal and Policy Advisor, Maarten Simon, recently wrote a blog post on the topic.
Growth of business applications
Regulatory change isn't the only factor driving interest in registrant data validation. More and more applications depend on a domain name's registrant being who they say they are. An obvious example being SSL certificates. Knowing for sure who owns a domain name makes it easier for a certificate authority to issue a certificate promptly. Dutch service provider Mijndomein presented an initiative in that context at a recent ICANN GeoTLD session.
Technical progress makes validation easier
In all parts of the world, validation is becoming easier, as reliable electronic ID systems come on line. In the Netherlands, for example, we now have eHerkenning. It's no coincidence that countries that have good systems for the online identification of people and organisations also lead the way in registrant validation. Before long, the old practice of scanning and mailing passports will probably be consigned to history.
Validation is a key success factor for new TLDs
Against that background, anyone looking to set up a new TLD is well advised to consider whether and, if so, how they will ultimately validate registrant data. Validation is unlikely to be relevant to brand TLD operators, since all registered domain names will normally belong to the brand owner and its affiliates. However, more open TLDs will have a difficult balance to strike. How can the operator and registrars validate registrant data in a way that's consistent with effective DNS abuse prevention, without making the registration process unwieldy? The ability to achieve that delicate balance may be a deciding factor in the selection of a registry service provider.
