Patrick

I have no official standing in ALAC apart from my posts here. However:

* I have zero commercial interests in the registry business.
* I have a few domains that I registered as an ordinary user.
* I have been fighting abuse on the net since 1999, although I have been involved in IT since 1981.
* My dealings are with any that will assist in protecting the ordinary internet consumer and the internet users.
* In the process I work narrowly with victims and law enforcement.
* I also communicate with registrars and other internet service providers on a regular abuse-related basis.

I will reply to your comments inline.

On 5/16/2012 8:55 AM, Patrick Vande Walle wrote:
A fully open, public WHOIS condemns honest domain name registrants to be hurt by bad actors, like spammers. Being harassed on the phone, and seeing personal details exposed for all to see.
Interestingly, the only people to have harvested my details for abusive reasons have been rogue registrars trying to sell me domain names I dropped and similar domains in different TLDs and ccTLDs. However, a closed whois system will do more harm with the "current mechanisms and implementations". Please note the last part of the phrase.
I have no doubt experts in cybercrime would find the useful clues in the WHOIS. I am all in favour of giving them access to the information they need, as long as they clearly identify themselves, the work they do and be transparent who they work for, have a code of conduct, etc. However, I consider that exposing the private details of millions of honest individual domain name registrants to chase a few thousand criminals, who would fake their contact details anyway, is disproportionate from a human rights POV.
Taking the current status quo of the WHOIS system as a starting point: despite the data available in both thick and thin registries, with more honest people's details exposed than the many fake details of a few, those few cause more harm to the general internet populace and affected third parties than harm is done to the registrants. The current failing is the willingness to allow and tolerance for invalid whois details in the registries, being another enabler in internet fraud.
Note also that other registries, mostly ccTLDs, have privacy policies. Yet, they do not have more issues with counterfeiting and spam than the main gTLDs have. What is disappointing is that ICANN (both the corporation and the community) does not want to question the model they use and learn from best practices developed elsewhere.
Admittedly the abuse is less, yet all ccTLDs are also not equal. Where we find stricter registration requirements, the abuse is less. Where we find more tolerant policies, an abuse report with evidence suffices to have the domain cancelled. Yet the .com, .org and .info are most popular with the abuse as far as I see, but also for the bulk the most difficult to have abuse curbed. It is also easy to say the abuse is at the hosting side. Yet a domain can be an instrument in crime. Unlike another tool that can be used for crime where you have to be local to the victim and as such subject to the same laws of the land, a domain used in international crime is remote from the victim and separate disparate laws apply.
Lastly, we should really distinguish between data collection and data display. The current ICANN WHOIS policy does not. Collecting private details is legitimate. Displaying them to everyone is not. I doubt there are many countries where one can consult the car registration database or obtain the details of an unlisted phone number without showing the right credentials to access that data. Why should the domain name database be any different?
Actually physical presence allows you to do a lot with the correct evidence, including obtaining the details. Virtual presence is the problem. Why do the Europeans that are unhappy not support the European ccTLDs? In my country my details are also visible if I register a domain here. The international domains are just that - international, and international rules should apply.

How do we deal with the situation if someone in reality from West Africa registers a domain with an address in the USA at a Chinese registrar via a reseller in India paying by Western Union, hosts in Malaysia, defrauds someone in Belgium? Incidentally he uses AnchorFree that does not keep logs to connect to Yahoo for emails. Then money mules and money laundering follow to retrieve the proceeds of fraud. (I am referring to real issues here!)

If the domain registration details were not publicly visible, also due to the smaller loss this would have been swept under the carpet as an isolated incident and the victim become a statistic. The victim would have had no justice. However, due to historic information in the public domain and search engines, you suddenly find the registrant, despite the fake whois, is also responsible for other losses and has registered similar domains in the past. Whois details are a way of linking related incidents across different domains and countries. Suddenly all those smaller losses add up and law enforcement becomes extremely interested. This has happened many times in the past and will happen again. Additionally new suspicious domains can be identified and links to past events, allowing for actioning BEFORE the scammer has time to defraud.

Likewise I could use many more of these examples of how whois is used for the public good. As a caveat - the first time more than a few users discovered they were victims to identity theft and credit card fraud, was when I contacted them after finding their details in domain registration details.
One victim was alerted even before she received her statement and could act immediately. Many registrars also appreciate such information as they incur fewer losses later. Small bonuses. ....
Patrick
The issue at hand is no checks are done at registration time apart from ensuring valid payments, yet when we see the result and the consequences, we want to treat domains as valuable. The problem is "junk in, junk out". The Louis Vuitton issue is a good case in point.

Simply removing public whois visibility from the current mess would simply inflate costs to other third parties and even further strain scarce resources, law enforcement included. Domain abuse will become more rife and will be to the detriment of each and every user. Currently the public can check and point out issues. These issues allow registrars to do further checks and also to protect themselves and the public. This does also make a small difference for the better if the registrar lives up to the spirit of the RAA. Sadly too few do in the TLD space.

However, if ICANN were to start enforcing their own policies and immediately start ensuring the sanctioning of any party where there is clear evidence of fake registration details with "potential" harm (lock domain and disable DNS until resolution?), also requiring more verification, we would suddenly start seeing a totally different picture.

We are currently in a chicken-and-egg situation. Were we to implement stricter quality assurances at registration time and third party abuse clauses, malicious domain counts would drop. Were domains abused, there would be more accountability and those responsible more easily traceable. The cost to the abusers would sharply rise and would have a more stabilizing effect on the net.

Hopefully in three years' time we can once again have this discussion with less controversy. But we have to start somewhere. Sadly I'm not holding my breath.

Derek