Very well said Evan, +1 What this is essentially saying is that we have 800 thousand /1 million driverless vehicles moving about on our information super-highway. Definitely a scary place to drive ... ------------------ True story #1: An online shop in Canada is hacked. Phishers plant a phishing kit. Abuse reports are sent to the hoster/upstream. Nothing is done. An attempt is made to contact the registrant. Email bounces. Telephone number - fails. Eventually the URL is well propagated to blacklists as to make it unusable for the phisher. He plants an new phish on the same server. This pattern is repeated many times. Scarier still: This website is wide open to abuse with shell kits and other malware. A dump of buyer and account info is also visible - eead loss of privacy and personal information, data theft. Eventually this was resolved outside normal channels after more than two months. -------------------- The above is not an isolated incident. Those on various mailing lists linked to anti-abuse will testify to it. There you will many times find requests for somebody at a provider to action ignored abuse reports. Trying to rely on hosting providers solely and/or law enforcement does not work to protect the causal internet user. ------------------ True story #2: My personal details are being sold in Ireland in violation of EU laws or our own. Not being Irish or living in the EU union, the Irish regulators aren't responding. All I received is an auto-responder response. I guess they "are sorry to hear about MY problem". This is despite them having much info I provided them on the responsible party using patently fake contact details. ------------------ This brings us to all those arguing that the actual owner couldn't be bothered with putting down real information for various reasons. My argument is that if they wish to have a domain name for whatever purpose, they should take responsibility for it. By not doing so, we could argue the same for abuse teams, any form of abuse reporting and the very safety of the net being "somebody else's" problem. As for rights and responsibilities, the responsibility of the registrant to provide accurate and reliable contact data is, and has been, mandated in the RAA where the Registrar so specify this right from the start. In fact see https://archive.icann.org/en/nsi/icann-raa-04nov99.htm#IIJ7
a. The SLD holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the SLD registration
Many registrars have since then deliberately chosen to game/ignore this clause and definitely not live up to the spirit of this agreement, which in turn has led to much harm. Sadly most of the common internet users can't be bothered with these issues, until such a time that they are affected by them. Having to explain "why" a domain that has harmed them can exist with invalid contact details despite all the so called agreements, really does not reflect well on the credibility of the DNS system. Further, considering that email addresses are probably the most accurate/legitimate part of domain registration details, this whole issue paints a scary picture for the casual internet user. Why does a registrant register a domain with a drdrb.net email address, to only later pop up in places like VirusTotal? I guess it is to protect his privacy and more. There may be many reasons why an email address may fail, some of them innocent, but ultimately it is the registrant's responsibility to ensure it is accurate and reliable. It does not help demonizing law enforcement in this regard. There is a reason why we got to this point and it started well before the newest provisions in the RAA. I also wonder how many innocents were spared misfortune by the proactive steps to suspend the domains. I do however suggest we start a separate topic on reliable email address, as this is of concern to many registrants and has a different focus than this. I also see a business opportunity in this that registrars could use to give them a competitive edge. Derek Smythe On 2014-07-06 05:57 PM, Evan Leibovitch wrote:
I was actually surprised to hear Fadi's comments about this at the Fayre.
I was both dismayed at the stance he took (I recall him saying the incident diminished the standing of "law enforcement") and his choice of venues (one of too many speeches delivered at a social event when many of the participants were winding down after a day of exhaustion).
Had the issue been raised at a time where genuine interaction and thoughtfulness were called for, I suspect Fadi may not have received the anticipated response, as this incident clearly indicates how out of touch ICANN is with the rest of the world,.
*Inside the ICANN bubble:*
* "We are appalled that 800,000 domains were taken down for having non-responsive contact info" * *The rest of the world:* *"Did you just say that 800,000 domains have non-responsive contact info?"*
The methods of verification and the speed of takedown could be tweaked to ensure that good actors with minor access problems (such as mail going into spam filters, increasing time to respond, forget to change after moving, etc) would not be adversely affected. But the end objective is absolutely welcomed from the non-registrant end-user point of view.
So I personally have zero ethical qualms about the suspensions, noting that the issue has already been inflated for dramatic effect. A claim of 800,000 domains becomes a million in the headlines. And then there was this gem:
*"We have stories of healthcare sites that have gone down,"*, chimes Elliot Noss in the CircleID article <http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks> .
I don't know about the rest of you ... but given the sensitivity of information at healthcare sites regarding privacy and accuracy, that category of site is amongst those *most* in need of accurate contact info IMO. So if such sites have non-functional contact info, frankly, I couldn't suspend them fast enough until things are fixed. This attempt at media manipulation backfires.
The salient point is that a contact address is just that, a way to make contact. If it won't work from the registrant's own registrar or registry -- a body with which whom the registrant has a contractual and financial relationship -- it certainly won't work if someone from the public has a question, complaint, or warrant to serve. If policy indicates that contact info must be accurate and current, then that is what needs to be enforced.
When the interests of ICANN and contracted parties are hurt by inaction of registrants -- notably non-payment -- enforcement such as suspension is immediate, automated and non-controversial. (Indeed, it was even once gamed by some contracted parties, which is what led to the PEDNR <http://icannwiki.com/index.php/PEDNR> debate.) But here, the inaction indicates harm to the public interest while enforcement threatens financial loss to ICANN and contracted parties, so all hell breaks loose and Fadi lectures us at the Fayre.
This isn't just a matter of law enforcement, and I am puzzled why that community is being singled out for recrimination. Sure, some chunk of those 800,000 are bad actors in the sense of intending to have unusable contact info. But how many of the others have bad contact info because the domains themselves are neglected and unused, squatted or speculated names that their registrants have just locked away and forgotten? How does that serve the interest of end users to have so many extant but useless domains?
So, by all means, let's engage in a proper dialogue -- not one initiated, almost in passing, at a social event more than halfway into the ICANN meeting. We may all look at this incident and see within it a deep problem, but the problems At-Large identifies may be far different from those seen by the registrars.
Be careful what you wish for. While registrars complaining loudly may score power points inside the bubble (at the expense of public-interest advocacy), outside it just reinforces ICANN's detachment from the rest of the Internet-using world. If news broke that there were 800,000 cars on the road with unusable contact info related to their license plates, public reaction would be loud and ugly no matter what proportion of those cars belonged to criminals.
I look forward to any debate going forward on the issue in At-Large's Regulatory Issues Working Group, which is where I believe any future ALAC stance must be discussed and first formulated.
- Evan _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org