We all want to be safe online. Whether we’re browsing and shopping, interacting with people on social media, or hosting our own content, there’s a shared need for security.

As a domain name registrar, we think about this topic a lot. What processes and policies can we put in place to help protect our customers and prevent bad actors from misusing our services?

One tool in our toolbox is ensuring that the registration data we have is accurate.

How and why we collect registration data

We require accurate registration data in order to enter into a service contract with the domain owner, and so that we can contact them with important information about their domain.

In addition, ICANN policy requires that we ensure that registration data for gTLDs is accurate by validating and verifying the data. These two terms mean different things:

  • “Validate” means that we ensure syntactical accuracy. For example, the phone number uses the right number of digits.
  • “Verify” means that we ensure operational accuracy: for example, that the domain owner can be contacted at the email address they provided.

ICANN (and some ccTLD registries) require us to validate and verify registration data before completing a domain registration. Additionally, they mandate that we suspend the domain if the registrant fails to verify their data within a required timeframe.

We find these measures both effective at ensuring the data is accurate and, crucially, proportionate to the situation. Proportionality is an important data processing consideration.

Should we do more?

Some members of the ICANN Community think the existing accuracy measures are insufficient for deterring bad actors and have suggested that domain owners should be required to provide identification documents in order to purchase a domain.

We disagree: requiring domain owners to provide their identity documentation would cause more harm than good.

Proposing mandatory identity verification is described as an attempt to keep people safe online—and when you first encounter this idea, it can feel pretty intuitive. However, there’s no evidence to suggest it would be effective in achieving this goal (more on that below).

But what it most certainly would do is restrict people who deserve to fully participate in online discourse from doing so, ultimately rendering the free and open Internet all that much less free and open.

Mandating ID doesn’t actually prevent DNS Abuse

It sounds like it should work this way—people who have to show their ID are probably less likely to do bad things than those acting anonymously. But that isn’t what we’ve seen in effect. Instead, some TLDs that require government-issued ID have very high rates of abuse, and some TLDs that stick with the ICANN validation and verification processes have extremely low rates of abuse.

There are many factors that affect DNS Abuse rates, but checking ID has not proven to be one of them.

Collecting ID does not help registrars stop DNS Abusers

Registrars do not use the registrant’s governmentally-confirmed identity in addressing DNS Abuse. We don’t check ID against registration data when investigating a DNS Abuse report or mitigating abuse found on our platform.

Instead, we look at a host of other factors, including whether the domain is being used to perpetrate DNS Abuse, the evidence provided by the reporter, the registration information provided, the age of the domain, the reseller, the NS and MX records, and so on. We also have tools that help us review domains for potential abuse.

And while it might seem that mandating government-issued ID for domain registrations could make it easier for law enforcement to find bad actors and hold them accountable, the reality is that cybercriminals are smart. They’re unlikely to associate their own ID with a domain registration they intend to use for illegal or abusive purposes.

There are many tools used in stopping DNS Abuse, but checking ID has not proven to be one of them.

Not everyone has ID

Millions of people around the world [1] do not hold government-issued identification documents—there are estimated to be about 500,000 undocumented immigrants in Canada alone [2] (where we have our headquarters), about 1% of the population. Countless more people don’t have documentation for reasons unrelated to immigration (they may be too young to get a driver’s license or old enough to have given up their license and not replaced it with another form of ID); others hold documentation that does not match their preferred or presented name or other characteristics.

Requiring people to provide government documents in order to simply buy a domain name prevents those who lack government-issued identification from participating equally in the Internet. This significantly and disproportionately affects members of already marginalized communities, and it means that the rest of us lose out on their valuable perspectives.

Who can evaluate if an identification document is real?

Tucows is primarily a wholesale business, enabling resellers to sell domains (and other services) directly to their customers; we also have a smaller retail business. Our Support teams are highly trained in explaining our service offering and fixing issues as they arise, but one thing they’re not is experts in all the various types of identification documents issued by governments around the world—with nearly 200 countries (and theoretically multiple types of acceptable ID for each), that’s a lot of possible formats to stay on top of.

We could outsource this task to our resellers, but then they would have to become experts on international governmental identification. We could outsource it to a third party, but even among such vendors, none guarantee expertise in all jurisdictions. We could look at a generative AI solution, but that brings in a host of other concerns including, first and foremost, the reliability of the AI’s evaluation, as well as issues around privacy and security of the ID being reviewed.

Then there’s the question of fake documentation. This is not a new issue in the world—bouncers at bars have been dealing with it for decades—and a recent publication by EUROPOL shows how easy it is to spoof even biometric IDs. With generative AI in the mix, it’s become even easier to fake documentation. Plus, domain transactions are not happening in person. This isn’t like booking a flight, where your passport is scanned at the airport and checked against a government database, and your face is compared to that ID before boarding the plane. Instead, in the domain registration context, verification of government ID would necessarily rely on scans or photos of the ID and a picture of the registrant, both of which are easy to fake with generative AI.

Domain registration services are global in nature, so solutions for problems that affect all domains need to be similarly global. While one ccTLD operator may work with their local government to provide document verification, this is not currently available on a broad enough scale and with fast enough processing to be built into the gTLD registration flow without causing disruptions.

Unfortunately, only governments appear to be in a position to reliably evaluate digital identification documents.

What about the security and privacy implications?

Reviewing government-issued identity documentation is a data processing activity well beyond the minimum required to offer domain names. As a registrar, we need to know who we’re entering into a registration contract with, and we need to be able to contact the domain owner.

But having to confirm that the name on the domain matches the ID and that the face on the ID matches the face of the person buying the domain puts unreasonable obligations on everyone involved in the process, opens us and the domain owner to unnecessary risk, and imposes a level of scrutiny that treats every customer as a potential bad actor, regardless of context.

It also creates a very real security risk. Remember the problem with fake documentation we just talked about? Well, now every domain name registrar would have a whole database of real identification documents. This increases the risk that registrars, each with its own honey pot of digital IDs, would be targeted by hackers, and it does so without offering a significant benefit.

And at what cost?

If the task of ID verification were imposed on registrars, the time and effort involved in reviewing documentation for every domain name would result in significant costs that we would have to pass along to our reseller partners and, ultimately, their registrant customers. For example, it would effectively double the cost of a .com domain name. The end result would be an increase in the cost of entry to being able to fully participate in the free and open Internet—in being able to express oneself online.

There are some ccTLDs that already require this type of document review, and we do work with vendors in those cases; the costs for these TLDs are commensurately higher. And it’s important to keep in mind that if someone doesn’t have the ID required to buy the ccTLD they want or can’t afford the higher price tag, they still have another option: they can register an open gTLD. If ICANN were to make ID review mandatory for gTLDs, this option would disappear.

Tucows has always believed in and fought for the free and open Internet. Limiting participation in the free and open Internet to people with government-issued IDs from jurisdictions that make it easy for us to verify those documents goes against both of those principles.

Final thoughts

We know this topic isn’t going away. Looking more broadly than the domain industry, we see that governments around the world have started requiring citizens to show their ID documents in order to access the Internet. In addition, popular websites and services are increasingly asking users to present their ID to verify their accounts. This has brought with it the same problems we discussed above in relation to domain ownership: inequity of access to the Internet, the use of fake IDs (often generated by AI) to get around requirements, valid IDs being mistakenly flagged as invalid, and security breaches where databases of ID documents are compromised.

It’s worth asking: what specific problems would a requirement for domain registrants’ ID address—and is there evidence that it would be effective?

We have seen no such evidence. Ultimately, requiring ID verification for domain owners does not improve online safety—and the drawbacks are significant.

For all of these reasons, Tucows continues to strenuously argue against the creation of ID document requirements.


[1] https://pmc.ncbi.nlm.nih.gov/articles/PMC3084189/

[2] https://search.open.canada.ca/qpnotes/record/cic,IRCC-2024-QP-00032