Barry, On Jul 19, 2025, at 11:50 AM, b...@theworld.com wrote: > On July 18, 2025 at 19:39 nanog@lists.nanog.org (David Conrad via NANOG) > wrote: >> My somewhat cynical answer: if you relied on domain (and likely IP >> address/ASN in the future) registration data, it might be worthwhile >> figuring out alternatives to that reliance. Les cynically: pragmatically, >> given the vast majority of contact information these days points to privacy >> providers or is redacted, I’m unclear there will be significant impact — the >> data is already pretty useless. > Even if 90% were useless it would still be of use, possibly > critically, in the other 10% of cases and I don't think it's anywhere > near 90%.
I’ve not done an exhaustive survey myself, but the “majority of contact information” comment was taken from my interactions with law enforcement and I believe it is the result of most if not all Registrars defaulting to “privacy” for registrations since GDPR was enacted. However, since the law enforcement folks I deal with are mostly interested in current activities, e.g., phish/botnet/etc., it’s likely they focus on recently registered domains so there may be a selection bias. As such, I won’t argue the point. > Particularly if one can consider legitimate "privacy providers" useful > as they can be contacted, subpoenaed, etc. which you seem to count as > being in the "useless" category. As mentioned, ICANN still requires registrars to collect valid contact information, however that information is not provided to the public as it once was. It is, of course, still subject to subpoena/court order (depending on jurisdiction, of course) and it’s theoretically possible, if you can make your case to the registrar, that they’ll provide registration information to you if you can demonstrate “legitimate interest” (at the registrar’s discretion and risk, of course). > Whatever happened to "if your registration data is fraudulent, > obsolete, or incorrect you stand to have your registration canceled"? AFAIK, it remains a contractual requirement despite ICANN undertaking a law suit in Germany to enforce it for admin-c and tech-c and losing (if interested, see https://www.afslaw.com/perspectives/the-fine-print/recent-lawsuit-icann-against-german-domain-registrar-highlights). However, this gets into an “interesting” (or “infuriating”, depending on your POV) discussion about what contact information “accuracy” means. ICANN Accredited Registrars’ view (which I provide without comment) is at https://rrsg.org/wp-content/uploads/2024/03/RrSG-Approach-to-Registration-Data-Accuracy-March-2024.pdf. > This seems like an admission that this policy was not enforced. Not sure how you got there. Registrars (or their lawyers) will (have, and do) argue that they abide by the policy (see the Registrar’s position above). ICANN Contractual Compliance argues that they enforce the policy (see pretty much any statement by the head of ICANN CC). I have my opinions, but they’re not particularly relevant. Since GDPR, the flagging of inaccurate registration has unsurprisingly tanked, so it’s difficult for the public to determine if registration information is accurate or inaccurate (for whatever value of the variable “accurate" you want to use). Perhaps somewhat relevant, see sections 5.2 and 6.4 of https://www.icann.org/en/system/files/files/inferential-analysis-maliciously-registered-domains-08nov24-en.pdf, but that probably doesn’t help that much. Regards, -drc
signature.asc
Description: OpenPGP digital signature
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VTC33LVNIQ6ZCHVXL3YLRFCTTDJ6TEHN/
