The "Whois" Database and Cybercrime Investigation
  • James E. Farnan
  • Deputy Assistant Director, Cyber Division
  • Federal Bureau of Investigation
  • Before the House Judiciary Subcommittee, Subcommittee on Courts, the Internet and Intellectual Property
  • Washington DC
  • September 04, 2003

Good afternoon. I would like to thank Chairman Smith, Ranking Member Berman, and members of the Subcommittee for the opportunity to testify today. We welcome your Subcommittee's leadership in dealing with the issues associated with use of the "Whois" database.

Cyber Division investigators use the Whois database almost every day. Querying of domain name registries is the first step in many cybercrime investigations. This task may help identify the entity responsible for operating an Internet web site. For instance, law enforcement may receive a complaint that a web site is being used to solicit personal credit card financial information from victims. The first task for law enforcement is to identify the operator of that site. This may be accomplished by querying the domain name registry where the target domain is registered. If the information in the registry is accurate, then it will show the name, location, and contact information for the operator of that site. With this information in hand, law enforcement knows where to direct the appropriate legal process (a subpoena, court order, or other process) if additional information is required.

Sometimes the publicly available identifying information in the Whois database is inaccurate but the non-public payment information used to purchase the domain name is valid and legitimate. In those instances, serving a subpoena on the registrar can yield the real identity of the domain owner. Unfortunately, not every domain name registrar authenticates credit card or other payment information at the time the domain name is registered. Therefore, a suspect using a stolen credit card may be able to purchase a domain name with fictitious identifying information which is never checked or verified. Obviously we would prefer that registrars take steps to increase the reliability of the Whois database, but as I will describe in a moment, there are other tools available to law enforcement to supplement the information found in the Whois records.

Allow me to set forth the facts of a typical case in which Cyber Division investigators and analysts have used the Whois database, along with other tools, to quickly identify the targets of an investigation.

Recently, the National Center for Missing and Exploited Children (NCMEC) and the FBI received information that a particular web site contained images of child pornography. Analysts with the FBI checked the Whois database to ascertain the identity of the Internet Service Provider (ISP) hosting the web site. (Note that this information is readily available from other public sources as well.) A subpoena for information pertaining to the web site’s owner/operator was soon obtained. Two weeks later, the subpoena generated a response which provided significant leads, including web logs which indicated activity in foreign countries, as well as a name for the owner/operator of the original web site. There was no other identifying information on the owner/operator.

Analysts continued to search other databases to locate any other possible businesses or locations affiliated with the subject. Eventually, a link was made between the subject and a previously unknown web site. Matching the name of the new web site against the subject’s name, and again using the Whois database, analysts were able to completely identify the subject, including a geographic location.

Additionally, investigators use the Whois database in investigations ranging from online fraud, to threat, to computer intrusion cases. The information obtained from the Whois database is often used to generate investigative leads and is the starting point for utilizing other investigative techniques.

As the above example shows, the publicly accessible Whois database of domain name registrations can be a useful tool in law enforcement investigations. That is not to say that Whois is indispensable, however. As I’ve indicated, sometimes the Whois data is inaccurate, incomplete, outdated, or deliberately falsified. If the Whois data leads to a dead-end, the FBI has other tools at its disposal to obtain information concerning the identity of domain owners. Some of those tools include publicly available sources of information similar to the Whois records. For example, in addition to the Whois database covering domain name registrations, there is an entirely different set of records covering the assignment of Internet Protocol (IP) addresses. The IP address assignment records tend to be more accurate than the Whois domain name records, and in most cases they will lead us either to the domain owner’s ISP or to the Web hosting company. The publicly available sources also include technical tools such as traceroute, which “traces” the electronic path to a Website, and domain name service (“DNS”) lookups, which again usually reveal the ISP or the Web hosting company. Once we know the ISP or the Web hosting company, law enforcement can serve subpoenas or court orders to obtain personally identifying information for the domain name owner, or to gain leads on other useful information.

Obviously it is quicker to use Whois to obtain instant electronic access to data that could identify the perpetrator of a crime, as opposed to serving a subpoena or court order and waiting on a third party to deliver the same information. In addition, although international cooperation is improving for computer crime and terrorism investigations, there is always the possibility of delay in getting responses to formal legal process whenever our investigations cross international boundaries. Whois can be useful in those cases, assuming the Whois data is accurate and complete, which it often is not.

The Justice Department is aware of efforts currently underway to enable the Internet Corporation for Assigned Names and Numbers (ICANN) to address some of the public policy issues associated with the Whois database. We are aware of these discussions and have tried to ensure that law enforcement interests are clearly understood by the participants in the ICANN process. The Justice Department has stated that it does not endorse any particular solution among those now being considered by ICANN. Anything that limits or restricts the availability of Whois data to law enforcement agencies will decrease its usefulness in FBI investigations, while anything that increases the accuracy and completeness of Whois data will improve timeliness and efficiency in our cases.

I thank you for your invitation to speak to you today and, on behalf of the FBI, I look forward to working with you on this topic.
