I agree with Wilkinson is a complex problem that also the sanction of
suppression domain is disproportionate. I was not in the wording of RAA in
February but was seeing the problem of adaptation to the new laws whois
protection of personal data between the legal obligations which data is
collected are true.

  I understand it would be better, if possible, do not know if this is
possible, take such a drastic measure as suppression. For example, if
possible, a measure to suspend the use of the domain until the missing data
was obtained would be reasonable. When the person providing the data
suspension is completed. This will be fulfilling the law and harming both
the registrant. What force search faster solution. The problem is between
the law and maintain the service. The information campaign registrants is
very important. If you did not understand that it would be very favorable
to all parties as soon as possible be made and learned so as to achieve the
greatest possible number of registrants. You need the law to not incur
legal sanctions play, but give the information in a timely manner to
facilitate compliance.

Regards all

Aída Noblia


2014-07-04 6:18 GMT-03:00 Christopher Wilkinson <cw@christopherwilkinson.eu>
:

> Dear Rinalia Abdul Rahim:
>
> On 04 Jul 2014, at 04:14, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
>
> > ... a bit of discussion would raise other questions as well.
> Thankyou for drawing this to our attention. A quick review of some of the
> available links indeed leads me to ask more questions than to make
> substantive comments or recommendations at this stage:
> 1.     What was the At Large participation in the preparation of the 2013
> RAA? What was the final ALAC position? Were missions of designated At Large
> participants to each of the relevant ICANN/GNSO meetings funded by ICANN?
> Were they in a position to report back to the At Large community?
> Why does the implementation of the 2013 RAA place a disproportionate
> burden on the individual registrants? The 15 day limit is clearly too
> short. The sanction of deleting the domain is optional, although it appears
> that the Registrars are deleting them all, anyway. Why?
> There should be a much more articulated procedure, including a longer
> delay, requirements for reminders and acknowledgement of receipt, proactive
> visits to the relevant website, actual physical addresses could be checked,
> etc. People go on holiday. Some e-mail addresses are monitored only
> intermittently e.g. an NGO without permanent secretariat etc. Some
> 'proxies' may well be even more inefficient than are the individual
> registrants!
>
> The balance of costs, prices and funding between Registrars, Registries
> and ICANN, in this area probably needs to be reviewed. (Since Registrars
> are evidently sufficiently profitable to be able to pay the exhorbitant
> ICANN fees for - sometimes multiple - new gTLDs, then they could reasonably
> be required at least to invest more in the appropriate care and maintenance
> of their existing portfolios.)
>
> If and when there is an agreed policy that actually works, how exactly do
> the Registrars ensure that their 'Resellers' (who do not have contracts
> with ICANN) effectively respect the RAA?
> What is the actual breakdown of the reported '800k.' deletions? Private
> individual users; SMEs, NGOs, Speculators and Cybersquatters?
>
> Personally, I would not mind if bulk registrations for speculative
> purposes with incorrect Whois data were to be deleted, en bloc. These are
> expropriated names which should be available, at the basic registration
> price, to individual registrants who wish to use them.
> What has been done about 'educating' the registrants in their new
> obligations under the 2013 RAA? (Although as a sample of one registrant,
> responsible for one gTLD domain, - not statistically significant ;-)) -
> nonetheless, I have seen nothing of that. My other domains are ccTLD. )
> Actually, the vade-mecum on the ICANN website is rather cute: the idea of
> millions of Registrants buzzing off to ICANN, spontaneously, to read all
> about updating their Whois data ... well, you get the point.
> Is it possible to resolve the current issue without reference to the EWG
> report and its eventual implementation?
>
> In that context, in the light of recent history, the proposed centralised
> database would obviously have to be outside US jurisdiction. Also, as long
> as the 'Legal Contact' data is 'outside the gate' - to use EWG parlance –
> the problem of incorrect data will persist for privacy reasons and a
> fortiori for misuse.
> How does any of all of the above apply in non-English languages and in the
> IDNs?
> More generally, these issues derive from a long history of cumulatively
> lax implementation of Whois accuracy by ICANN and gTLD Registries and
> Registrars. The backlog is considerable. That situation has been aggravated
> by continued breach of privacy laws – at least in the EU – through the open
> publication of gTLD registration data. Thus the interests of Law
> Enforcement and the trademark industry are, in practice, at loggerheads.
> Regards to you all
> Christopher Wilkinson
>
>
> On 04 Jul 2014, at 04:14, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
>
> > The registrars are asking for data from law enforcement, and rightfully
> so.
> >
> > However, before I would charge off and recommend that the ALAC takes a
> position, I would like to see some data from registrars.
> >
> > 800,000 is a large number. But it is also just 0.5% of all gTLD
> registrations. In the past when the ALAC has raised issues related to
> similar problems (such as loss of registrations after accidental
> expiration), one of the replies from registrars has been that the number is
> only a tiny fraction of the registrations that are not lost. In my mind,
> the issue was not the percentage but the absolute number of people
> suffering problems, and it still is in this case.
> >
> > When we were looking at expiration issues, and how to alert a registrant
> that a name had expired, the PDP WG came to the conclusion that the best
> way to wake up a registrant who is either ignoring e-mails, or has e-mails
> directed to an invalid or dead e-mail box, it to take down the domain. Not
> working does catch people's attention! Yes, it is a harsh way to do this,
> but very effective. The first reports that we are getting from Contractual
> Compliance is that with these new measures in place, complaints are way
> down, as much as 50% for some expiration-related complaints.
> >
> > So I would want to understand something about where this 800,000 number
> comes from, and how it is broken down. Examples of questions that come to
> mind and should be explored are:
> > - how many of those 800,000 result in the registrant correcting the data
> and the domain goes live again
> > - how many are not due to bad registrant contact information, but bad
> contact information for the a privacy/proxy service or web hosting company
> >
> > I'm sure a bit of discussion would raise other questions as well.
> >
> > So I am all for the ALAC making a statement, But the content of that
> statement should be based on a better understanding of what is going on
> here.
> >
> > Alan
> >
> > Postscript: One of the issues that came up during the expiration renewal
> PDP was that many registrations use the domain in question for the contact
> e-mail. For example, the domain example.com might had a contact e-mail
> address of webmaster@example.com. If the domain stops working for any
> reason, the contact address is by definition useless. Registrant need to be
> educated to NOT use the domain being registered for its own contact
> address. The PDP recommended that registrars warn registrants about this.
> Perhaps it is being done, but I have not seen it.
> >
> > At 03/07/2014 06:36 AM, Rinalia Abdul Rahim wrote:
> >
> >> Dear ALAC,
> >>
> >> In reference to Joly MacFie's mail to the At-Large (see forwarded), the
> >> topic was also raised by Registrars during their meeting with the ICANN
> >> Board in London.
> >>
> >> Fadi posed a question to the Registrars on whether they have engaged
> with
> >> the At-Large on the matter. Fadi then raised the issue to the At-Large
> >> during his ATLASII Fayre speech.
> >>
> >> It would be important that the At-Large articulates its position on the
> >> issue (possibly via an ALAC statement) as it is being presented as a
> >> problem for Internet users.
> >>
> >> Best regards,
> >>
> >> Rinalia
> >> ---------- Forwarded message ----------
> >> From: "Joly MacFie" <<
> https://atlarge-lists.icann.org/mailman/listinfo/alac>joly at punkcast.com
> >
> >> Date: Jun 26, 2014 1:00 AM
> >> Subject: [At-Large] A million domains taken down by email checks
> >> To: "At-Large Worldwide" <<
> https://atlarge-lists.icann.org/mailman/listinfo/alac>at-large at
> atlarge-lists.icann.org>
> >> Cc:
> >>
> >> Fwd over from the NCSG list. I underdtand that this would have been
> >> > discussed in today's EWG and privacy sessions. Any comments?
> >> >
> >> >
> >> > <
> http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks
> >
> http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks
> >> >
> >> >  A million domains taken down by email checks
> >> > <
> >> > <
> http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks
> >
> http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks
> >> > >
> >> > Kevin Murphy <<http://domainincite.com/about>
> http://domainincite.com/about>, June 24, 2014, 14:34:25
> >> > (UTC), Domain Registrars
> >> > <<http://domainincite.com/category/domain-registrars>
> http://domainincite.com/category/domain-registrars>
> >> >
> >> > *Over 800,000 domain names have been suspended since the beginning of
> the
> >> > year as a result of Whois email verification rules in the new ICANN
> >> > Registrar Accreditation Agreement.*
> >> >
> >> > That’s according to the Registrars Stakeholder Group, which collected
> >> > suspension data from registrars representing about 75% of all
> registered
> >> > gTLD domain names.
> >> >
> >> > The actual number of suspended domains could be closer to a million.
> >> >
> >> > The 2013 RAA requires registrars to verify the email addresses listed
> in
> >> > their customers’ Whois records. If they don’t receive the
> verification,
> >> > they have to suspend the domain.
> >> >
> >> > The RrSG told the ICANN board in March that these checks were doing
> more
> >> > harm than good
> >> > <
> >> > <
> http://domainincite.com/16375-are-whois-email-checks-doing-more-harm-than-good
> >
> http://domainincite.com/16375-are-whois-email-checks-doing-more-harm-than-good
> >> > >
> >> > and today Tucows CEO Elliot Noss presented, as promised, data to back
> up
> >> > the claim.
> >> >
> >> > “There have been over 800,000 domains suspended,” Noss said. “We have
> >> > stories of healthcare sites that have gone down, community groups
> whose
> >> > sites have gone down.”
> >> >
> >> > “I think we can safely say millions of internet users,” he said.
> “Those are
> >> > real people just trying to use the internet. They are our great
> >> > unrepresented core constituency.”
> >> >
> >> > The RrSG wants to see contrasting data from law enforcement agencies
> and
> >> > governments ­ which pushed hard for Whois verification ­ showing that
> the
> >> > RAA requirement has had a demonstrable benefit.
> >> >
> >> > Registrars asked at the Singapore meeting in March that law
> enforcement
> >> > agencies (LEA) be put on notice that they can’t ask for more Whois
> controls
> >> > until they’ve provided such data and ICANN CEO Fadi Chehade said
> >> > <
> >> > <
> http://domainincite.com/16375-are-whois-email-checks-doing-more-harm-than-good
> >
> http://domainincite.com/16375-are-whois-email-checks-doing-more-harm-than-good
> >> > >
> >> > “It shall be done by London.”
> >> >
> >> > Noss implied that the majority of the 800,000 suspended names belong
> to
> >> > innocent registrants, such as those who had simply changed email
> addresses
> >> > since registering their names.
> >> >
> >> > “What was a lovely political win that we said time and time again in
> >> > discussion after discussion was impractical and would provide no
> benefit,
> >> > has demonstrably has created harm,” Noss said.
> >> >
> >> > He was received with cautious support by ICANN board members.
> >> >
> >> > Chair Steve Crocker wonder aloud how many of the 800,000 suspended
> domains
> >> > are owned by bad guys, and he noted that LEA don’t appear to gather
> data in
> >> > the way that the registrars are demanding.
> >> >
> >> > “We were subjected, all of us, to heavy-duty pressure from the law
> >> > enforcement community over a long period of time. We finally said,
> ‘Okay,
> >> > we hear you and we’ll help you get this stuff implemented,’”, he
> added.
> >> > “That creates an obligation as far as I’m concerned on their part.”
> >> >
> >> > “We’re in a ­ at least from a moral position ­ in a strong position
> to say,
> >> > ‘You must help us understand this. Otherwise, you’re not doing your
> part of
> >> > the job’”, he said.
> >> >
> >> > Chehade also seemed to support the registrars’ position that LEA
> needs to
> >> > justify its demands and offered to take their data and concerns to
> the LEA
> >> > and the Governmental Advisory Committee.
> >> >
> >> > “They put restrictions on us that are causing harm, according to these
> >> > numbers,” he said. “Let’s take this back at them and say, hey, you
> ask for
> >> > all these things, this is what happened.”
> >> >
> >> > “If you can’t tell me what good this has done, be aware not to come
> back
> >> > and ask for more,” he said. “I’m with you on this 100%. I’m saying
> let’s
> >> > use the great findings you seem to have a found and well-package them
> in a
> >> > case and I will be your advocate.”
> >> >
> >> > Director Mike Silber also spoke in support of the RrSG’s position.
> >> >
> >> > “My view is if what you are saying is correct, the LEA’s have blown
> their
> >> > credibility,” he said. “They’re going to have to do a lot of work
> before we
> >> > impose similar disproportional requirements on actors that are not
> proven
> >> > to be bad actors.”
> >> >
> >> > So what does this all mean for registrants?
> >> >
> >> > I don’t think there’s any ongoing process right now to get the Whois
> >> > verification requirements overturned ­ that would require a
> renegotiation
> >> > of the RAA ­ but it does seem to mean demands from governments and
> police
> >> > are going to have to be much more substantiated in future.
> >> >
> >> > Noss attempted to link the problem to the recommendations of the Whois
> >> > Expert Working Group (EWG), which propose a completely revamped,
> >> > centralized Whois system with much more verification
> >> > <<
> http://domainincite.com/16855-whois-killer-is-a-recipe-for-a-clusterfuck>
> http://domainincite.com/16855-whois-killer-is-a-recipe-for-a-clusterfuck>
> >> > and not much to benefit registrants.
> >> >
> >> > To paraphrase: if email verification causes so much harm, what harms
> could
> >> > be caused by the EWG proposal?
> >> >
> >> > The EWG was not stuffed with LEA or governments, however, so it
> couldn’t
> >> > really be characterized as another set of unreasonable demands from
> the
> >> > same entities.
> >> >
> >> >
> >> > --
> >> > ---------------------------------------------------------------
> >> > Joly MacFie  218 565 9365 Skype:punkcast
> >> > WWWhatsup NYC - <http://wwwhatsup.com>http://wwwhatsup.com
> >> >  http://pinstand.com - <http://punkcast.com>http://punkcast.com
> >> >  VP (Admin) - ISOC-NY - <http://isoc-ny.org>http://isoc-ny.org
> >> > --------------------------------------------------------------
> >> > -
> >> > _______________________________________________
> >> > At-Large mailing list
> >> > <https://atlarge-lists.icann.org/mailman/listinfo/alac>At-Large at
> atlarge-lists.icann.org
> >> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
> >> >
> >> > At-Large Official Site: <http://atlarge.icann.org>
> http://atlarge.icann.org
> > _______________________________________________
> > At-Large mailing list
> > At-Large@atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
> >
> > At-Large Official Site: http://atlarge.icann.org
> >
>
> _______________________________________________
> At-Large mailing list
> At-Large@atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>
> At-Large Official Site: http://atlarge.icann.org
>



-- 
Aida Noblia

Thanks Michele. I thought as Christopher said domains had been deleted but is not. If the domains were not deleted then I agree with Carlton and Alan. The penalty was provided. At the time that the data was provided to the domain has been finally registered. Regards Aída 2014-07-05 18:20 GMT-03:00 Michele Neylon - Blacknight < michele@blacknight.com>:

Christopher

Just a few points in relation to your email:

Registrars did not pay ICANN for new TLDS - registries / new TLD applicants did. While some of the new TLDs are backed by companies that also happen to own registrars please do not conflate the two.

The 2013 RAA has quite a large section devoted to registrars' responsibilities with respect to their resellers. See section 3.12 for example: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

The domains referenced in Kevin's article were "suspended" not "deleted"

Regards

Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59 9183072 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Aida Noblia

I was actually surprised to hear Fadi's comments about this at the Fayre. I was both dismayed at the stance he took (I recall him saying the incident diminished the standing of "law enforcement") and his choice of venues (one of too many speeches delivered at a social event when many of the participants were winding down after a day of exhaustion). Had the issue been raised at a time where genuine interaction and thoughtfulness were called for, I suspect Fadi may not have received the anticipated response, as this incident clearly indicates how out of touch ICANN is with the rest of the world,. *Inside the ICANN bubble:* * "We are appalled that 800,000 domains were taken down for having non-responsive contact info" * *The rest of the world:* *"Did you just say that 800,000 domains have non-responsive contact info?"* The methods of verification and the speed of takedown could be tweaked to ensure that good actors with minor access problems (such as mail going into spam filters, increasing time to respond, forget to change after moving, etc) would not be adversely affected. But the end objective is absolutely welcomed from the non-registrant end-user point of view. So I personally have zero ethical qualms about the suspensions, noting that the issue has already been inflated for dramatic effect. A claim of 800,000 domains becomes a million in the headlines. And then there was this gem: *"We have stories of healthcare sites that have gone down,"*, chimes Elliot Noss in the CircleID article <http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks> . I don't know about the rest of you ... but given the sensitivity of information at healthcare sites regarding privacy and accuracy, that category of site is amongst those *most* in need of accurate contact info IMO. So if such sites have non-functional contact info, frankly, I couldn't suspend them fast enough until things are fixed. This attempt at media manipulation backfires. The salient point is that a contact address is just that, a way to make contact. If it won't work from the registrant's own registrar or registry -- a body with which whom the registrant has a contractual and financial relationship -- it certainly won't work if someone from the public has a question, complaint, or warrant to serve. If policy indicates that contact info must be accurate and current, then that is what needs to be enforced. When the interests of ICANN and contracted parties are hurt by inaction of registrants -- notably non-payment -- enforcement such as suspension is immediate, automated and non-controversial. (Indeed, it was even once gamed by some contracted parties, which is what led to the PEDNR <http://icannwiki.com/index.php/PEDNR> debate.) But here, the inaction indicates harm to the public interest while enforcement threatens financial loss to ICANN and contracted parties, so all hell breaks loose and Fadi lectures us at the Fayre. This isn't just a matter of law enforcement, and I am puzzled why that community is being singled out for recrimination. Sure, some chunk of those 800,000 are bad actors in the sense of intending to have unusable contact info. But how many of the others have bad contact info because the domains themselves are neglected and unused, squatted or speculated names that their registrants have just locked away and forgotten? How does that serve the interest of end users to have so many extant but useless domains? So, by all means, let's engage in a proper dialogue -- not one initiated, almost in passing, at a social event more than halfway into the ICANN meeting. We may all look at this incident and see within it a deep problem, but the problems At-Large identifies may be far different from those seen by the registrars. Be careful what you wish for. While registrars complaining loudly may score power points inside the bubble (at the expense of public-interest advocacy), outside it just reinforces ICANN's detachment from the rest of the Internet-using world. If news broke that there were 800,000 cars on the road with unusable contact info related to their license plates, public reaction would be loud and ugly no matter what proportion of those cars belonged to criminals. I look forward to any debate going forward on the issue in At-Large's Regulatory Issues Working Group, which is where I believe any future ALAC stance must be discussed and first formulated. - Evan

I agree, Christian. So the rationale goes like this.... Registrants pay money for a service, yet is required to go through EVERYONE having access to the records.  So now, the domain owner is spammed by EVERYONE because they can.  Then, when a legitimate email shows up, the owner is magically required to know that this is actually a legit email and a link must be clicked in order to keep your domain active. For real?  There is no reason.  None.  At all. For anyone to need a domain owner's contact information.  The information is stored with the registrar, and if it is necessary, the registrar can contact the owner.  If there is some majestic bot that is sending out bogus data or malicious code, the server rather than the domain itself is the responsible party.  Therefore, contact the server administrator/provider. My $0.02.... RJ Glass A@L On Monday, July 7, 2014 8:44 AM, Derek Smythe <derek@aa419.org> wrote:

Very well said Evan, +1

What this is essentially saying is that we have 800 thousand /1 million driverless vehicles moving about on our information super-highway. Definitely a scary place to drive ...

------------------ True story #1: An online shop in Canada is hacked. Phishers plant a phishing kit. Abuse reports are sent to the hoster/upstream. Nothing is done. An attempt is made to contact the registrant. Email bounces. Telephone number - fails.

Eventually the URL is well propagated to blacklists as to make it unusable for the phisher. He plants an new phish on the same server. This pattern is repeated many times.

Scarier still: This website is wide open to abuse with shell kits and other malware. A dump of buyer and account info is also visible - eead loss of privacy and personal information, data theft.

Eventually this was resolved outside normal channels after more than two months. --------------------

The above is not an isolated incident. Those on various mailing lists linked to anti-abuse will testify to it. There you will many times find requests for somebody at a provider to action ignored abuse reports. Trying to rely on hosting providers solely and/or law enforcement does not work to protect the causal internet user.

------------------ True story #2: My personal details are being sold in Ireland in violation of EU laws or our own. Not being Irish or living in the EU union, the Irish regulators aren't responding. All I received is an auto-responder response.

I guess they "are sorry to hear about MY problem".

This is despite them having much info I provided them on the responsible party using patently fake contact details. ------------------

This brings us to all those arguing that the actual owner couldn't be bothered with putting down real information for various reasons. My argument is that if they wish to have a domain name for whatever purpose, they should take responsibility for it. By not doing so, we could argue the same for abuse teams, any form of abuse reporting and the very safety of the net being "somebody else's" problem.

As for rights and responsibilities, the responsibility of the registrant to provide accurate and reliable contact data is, and has been, mandated in the RAA where the Registrar so specify this right from the start. In fact see https://archive.icann.org/en/nsi/icann-raa-04nov99.htm#IIJ7

...

a. The SLD holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the SLD registration

Many registrars have since then deliberately chosen to game/ignore this clause and definitely not live up to the spirit of this agreement, which in turn has led to much harm.

Sadly most of the common internet users can't be bothered with these issues, until such a time that they are affected by them. Having to explain "why" a domain that has harmed them can exist with invalid contact details despite all the so called agreements, really does not reflect well on the credibility of the DNS system.

Further, considering that email addresses are probably the most accurate/legitimate part of domain registration details, this whole issue paints a scary picture for the casual internet user.

Why does a registrant register a domain with a drdrb.net email address, to only later pop up in places like VirusTotal? I guess it is to protect his privacy and more.

There may be many reasons why an email address may fail, some of them innocent, but ultimately it is the registrant's responsibility to ensure it is accurate and reliable. It does not help demonizing law enforcement in this regard. There is a reason why we got to this point and it started well before the newest provisions in the RAA. I also wonder how many innocents were spared misfortune by the proactive steps to suspend the domains.

I do however suggest we start a separate topic on reliable email address, as this is of concern to many registrants and has a different focus than this. I also see a business opportunity in this that registrars could use to give them a competitive edge.

Derek Smythe

On 2014-07-06 05:57 PM, Evan Leibovitch wrote:

...

I was actually surprised to hear Fadi's comments about this at the Fayre.

I was both dismayed at the stance he took (I recall him saying the incident diminished the standing of "law enforcement") and his choice of venues (one of too many speeches delivered at a social event when many of the participants were winding down after a day of exhaustion).

Had the issue been raised at a time where genuine interaction and thoughtfulness were called for, I suspect Fadi may not have received the anticipated response, as this incident clearly indicates how out of touch ICANN is with the rest of the world,.

*Inside the ICANN bubble:*

* "We are appalled that 800,000 domains were taken down for having non-responsive contact info" * *The rest of the world:* *"Did you just say that 800,000 domains have non-responsive contact info?"*

The methods of verification and the speed of takedown could be tweaked to ensure that good actors with minor access problems (such as mail going into spam filters, increasing time to respond, forget to change after moving, etc) would not be adversely affected. But the end objective is absolutely welcomed from the non-registrant end-user point of view.

So I personally have zero ethical qualms about the suspensions, noting that the issue has already been inflated for dramatic effect. A claim of 800,000 domains becomes a million in the headlines. And then there was this gem:

*"We have stories of healthcare sites that have gone down,"*, chimes Elliot Noss in the CircleID article <http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks> .

I don't know about the rest of you ... but given the sensitivity of information at healthcare sites regarding privacy and accuracy, that category of site is amongst those *most* in need of accurate contact info IMO. So if such sites have non-functional contact info, frankly, I couldn't suspend them fast enough until things are fixed. This attempt at media manipulation backfires.

The salient point is that a contact address is just that, a way to make contact. If it won't work from the registrant's own registrar or registry -- a body with which whom the registrant has a contractual and financial relationship -- it certainly won't work if someone from the public has a question, complaint, or warrant to serve. If policy indicates that contact info must be accurate and current, then that is what needs to be enforced.

When the interests of ICANN and contracted parties are hurt by inaction of registrants -- notably non-payment -- enforcement such as suspension is immediate, automated and non-controversial. (Indeed, it was even once gamed by some contracted parties, which is what led to the PEDNR <http://icannwiki.com/index.php/PEDNR> debate.) But here, the inaction indicates harm to the public interest while enforcement threatens financial loss to ICANN and contracted parties, so all hell breaks loose and Fadi lectures us at the Fayre.

This isn't just a matter of law enforcement, and I am puzzled why that community is being singled out for recrimination. Sure, some chunk of those 800,000 are bad actors in the sense of intending to have unusable contact info. But how many of the others have bad contact info because the domains themselves are neglected and unused, squatted or speculated names that their registrants have just locked away and forgotten? How does that serve the interest of end users to have so many extant but useless domains?

So, by all means, let's engage in a proper dialogue -- not one initiated, almost in passing, at a social event more than halfway into the ICANN meeting. We may all look at this incident and see within it a deep problem, but the problems At-Large identifies may be far different from those seen by the registrars.

Be careful what you wish for. While registrars complaining loudly may score power points inside the bubble (at the expense of public-interest advocacy), outside it just reinforces ICANN's detachment from the rest of the Internet-using world. If news broke that there were 800,000 cars on the road with unusable contact info related to their license plates, public reaction would be loud and ugly no matter what proportion of those cars belonged to criminals.

I look forward to any debate going forward on the issue in At-Large's Regulatory Issues Working Group, which is where I believe any future ALAC stance must be discussed and first formulated.

- Evan _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

...

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

One of the problems that the spam filters does not solve, unless there is a way that I am ignorant about, is that even if the incoming messages are put in a separate folder, I still have to pay for the connection time while the junk is downloaded. This is not a problem when I am at home, or when I have a WiFi connection, but is a problem indeed when I am travelling to places with slow or/and expensive connection. Cheers, R.

-----Messaggio originale----- Da: at-large-bounces@atlarge-lists.icann.org [mailto:at-large- bounces@atlarge-lists.icann.org] Per conto di John Levine Inviato: martedì 8 luglio 2014 21:53 A: RJ Glass Cc: at-large@atlarge-lists.icann.org Oggetto: Re: [At-Large] [ALAC] Fwd: A million domains taken down by email checks

...

Registrants pay money for a service, yet is required to go through EVERYONE having access to the records. So now, the domain owner is spammed by EVERYONE because they can.

Aw, come on. I have put real e-mail addresses on all my domains for over 20 years, and those addresses remain completely usable. Feel free to write to me at my WHOIS contact addresses if you don't believe me.

I certainly believe that your mail provider has crummy spam filters, but that's not an argument for anything other than finding a more competent mail provider.

Regards, John Levine, john.levine@cauce.org CAUCE North America

John, I am ready to admit my ignorance - and as a matter of fact if you would be so kind to send me a private message explaining what to do, I would appreciate. However, for the time being I need to download the messages in the spam folder if I want to check that something important did not get trapped in it. But what puzzles me is that sometimes we assume Internet users are smart, sometimes not. Why is it that it should be considered a given that users know how to deal with spam and know about MUAs, but on the other hand we assume that they will be victims of all kind of Internet frauds? Cheers, R.

-----Messaggio originale----- Da: John Levine [mailto:john.levine@cauce.org] Inviato: sabato 12 luglio 2014 23:28 A: Roberto Gaetano Cc: at-large@atlarge-lists.icann.org Oggetto: Re: R: [At-Large] [ALAC] Fwd: A million domains taken down by email checks

...

One of the problems that the spam filters does not solve, unless there is a way that I am ignorant about, is that even if the incoming messages are put in a separate folder, I still have to pay for the connection time while the junk is downloaded.

Aw, come on. MUAs that let you specify which folders to download have only been available for about 20 years.

Regards, John Levine, john.levine@cauce.org CAUCE North America

Thanks for the tip. r.

-----Messaggio originale----- Da: John Levine [mailto:john.levine@cauce.org] Inviato: mercoledì 16 luglio 2014 19:59 A: Roberto Gaetano Cc: at-large@atlarge-lists.icann.org Oggetto: Re: [At-Large] [ALAC] The usual spam argument, was Fwd: A million domains

...

Why is it that it should be considered a given that users know how to deal with spam and know about MUAs, but on the other hand we assume that they will be victims of all kind of Internet frauds?

Because that matches our experience. I talk to bank security people and law enforcement a lot.

I believe that you are sometimes on connections where data transfer is expensive. But I don't think that situtation is so common that we need to globally optimize for it, and I also think that if the bandwidth of downloading spam is a problem, hiding your WHOIS e-mail address won't make the problem go away.

Regards, John Levine, john.levine@cauce.org CAUCE North America

Tech tip: set up your mail program to use IMAP rather than POP, and configure it to download only the interesting folders for offline operation. Pretty much every phone and tablet mail program works this way, and desktop programs like Outlook and Thunderbird can do it, too.

Robotic suspensions between renewals based purely on email failures are the abuse that needs fixing here - no? This is not or most certainly should not be about numbers or percentages as a proportion of overall domain holdings but whether there is a real registrant who needs support but is being swamped from fair treatment by the mass speculation in the DNS. Christian

Yes it should be... but Many domain registrants I know do not know about DNS or ICANN or registrars. They do not really care. They got a name helped by a friend or small local IT provider for their hobby, book, artwork, photos, family site. In time that friend moves on or dies, the records in DNS suffer the usual entropy and fail to keep up. It is not they are bad actors - just that the way the DNS is managed is completely bonkers from their perspective and they just don't know that their email used is with a provider that stopped providing email and is no longer working or even that it is still the registered email for the domain or even there is a registrar site they got login details for three or five years ago where they can manage all of that. Christian Bill Silverstein wrote:

On Fri, July 4, 2014 9:06 am, Christian de Larrinaga wrote:

...

Robotic suspensions between renewals based purely on email failures are the abuse that needs fixing here - no?

This is not or most certainly should not be about numbers or percentages as a proportion of overall domain holdings but whether there is a real registrant who needs support but is being swamped from fair treatment by the mass speculation in the DNS.

I disagree. It should be is there a real registrant who provided truthful and valid information.

Has anyone looked at the numbers to see if there was valid information and valid registrants?

...

Christian

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Christian de Larrinaga FBCS, CITP, MCMA ------------------------- @ FirstHand ------------------------- +44 7989 386778 cdel@firsthand.net -------------------------

I have no idea what ALAC cares about. John, your point is an aunt sally. The fact remains that abuse happens with or without a domain name. Cyber bullying is not something associated particularly with the ownership or control of a DNS record for instance. The list goes on and on. It would actually be far better if we the Internet communities managed to entice more of those 99 whatever percent of people who use Internet in one form or another to participate more fully and move from being consumers to real participants. I won't go so far as to say having a domain of your own is necessary for that but it is a useful step for many along that road. The trouble is that the bureaucracy and costs and general mayhem around using a name on the Internet is a significant barrier to entry to fuller participation. That is the barrier that needs to be addressed. The cost of domain names you mention is one of those barriers. A cost to Internet users that is far in excess of cost of maintaining a record in a database. C John Levine wrote:

...

Robotic suspensions between renewals based purely on email failures are the abuse that needs fixing here - no?

Thanks for clarifying that the interest of the ALAC is only with domain registrants, and we care nothing about the 99.9% of Internet users who have never registered a domain, but have to put up with abuse from people who do.

By the way, I hear that many registries robotically suspend a domain purely on failure to pay for renewal. Surely we should object to that, too.

Regards, John Levine, john.levine@cauce.org CAUCE North America _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Christian de Larrinaga FBCS, CITP, MCMA ------------------------- @ FirstHand ------------------------- +44 7989 386778 cdel@firsthand.net -------------------------

John Levine wrote:

...

I have no idea what ALAC cares about.

Um, someone using your address just said it was the handful registrants with bogus e-mail addresses. rubbish

...

John, your point is an aunt sally. The fact remains that abuse happens with or without a domain name. Cyber bullying is not something associated particularly with the ownership or control of a DNS record for instance.

You know, I deal daily with actual researchers and law enforcement who deal with actual crime and abuse, and they use WHOIS information, including the e-mail address all the time. Cyber bullying is one issue they sometimes deal with, and they certainly contact the operators of the domains the bullies ues.

Really? You are out by a long way on this. Most "bad actors" are not registrants themselves they are using or passing through services that are resolved using a domain name or possibly several.

Your argument appears to be that if a measure isn't 100% effective at stopping abuse, or if it has any side effects at all (keeping in mind that 99.6% of domains are not affected by this issue), we shouldn't bother. If that's not it, please clarify.

I am saying that a registrant of a domain name does not equate to responsibility for content on the Internet. It might but it also very likely does not. In fact if your statistic is correct that 99.9% of people using the Internet do not themselves own or control a domain name it would sort of prove my point. Regards,

John Levine, john.levine@cauce.org CAUCE North America

Christian

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Christian de Larrinaga FBCS, CITP, MCMA ------------------------- @ FirstHand ------------------------- +44 7989 386778 cdel@firsthand.net -------------------------

To clarify the issue a little, registrars know which of their customer domains have bad e-mail addresses since they send the verification notices. If they wanted, they could try to contact those customers in other ways and tell them that they need to update their e-mail address. They could send paper mail to the WHOIS address, or call the phone number, or for the large fraction paid by credit card, send mail to the address provided with the credit card. They don't want to do any of those things because it would cost money. Like all arguments at ICANN that appear to be about principle, when you dig down a little, it's just about the money. Regards, John Levine, john.levine@cauce.org CAUCE North America

I know where the fundamental rights are defined.

Indeed, but registering a 2LD is not one of them. I wish people in the ALAC would realize that it's 2014, and arguing that you need a 2LD to speak on the Internet is like arguing you need an oil well to drive a car. Regards, John Levine, john.levine@cauce.org CAUCE North America

Thought I should share. Last Monday I registered a domain and purchased some web space from one of larger internet providers. On Tuesday I got an email saying that as part of their verification exercise they want a scanned copy of one of my IDs and also a scanned copy of my credit card. Clearly I didn't do it fast enough for their liking because by Thursday my account was suspended. no second email/warning etc. I raised all kinda hell but... I am beginning to resign myself to the reality that access to the internet at a certain level is a privilege...not a right. On Fri, Jul 4, 2014 at 4:59 PM, Carlton Samuels <carlton.samuels@gmail.com> wrote:

...Hmmmmmm. I would say they are binary and always yoked, even if uneasily so! One long-time jurist had a pithy response in one instance; freedom of speech has an attached responsibility of not "falsely shouting fire in a crowded theatre".

Here's another of my favourites. I'm for freedom of religion, so long as you're responsible enough not to insist I must bend a knee to your damned foolish one.

I could go on.....but the 'right' to a domain name instituted in a commons surely does have responsibilities! At least, in the public interest.

-Carlton

============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================

On Fri, Jul 4, 2014 at 3:28 PM, Avri Doria <avri@acm.org> wrote:

...

On 04-Jul-14 10:42, Carlton Samuels wrote:

...

Rights and responsibilities must be in balance.

I know where the fundamental rights are defined. I do not know where the fundamental responsibilities are defined. The only responsibilities I know of are the ones the States have taken on to defend people's rights.

People are forever coming up responsibilities with which to counter rights, but they have never shown how these responsibilities were agreed upon or made binding.

What I do see is a need to balance rights, they are the foundation we need to build on.

avri _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Lance Hinds Chief Technology Officer BrainStreet Group 287 'C' Albert St. Georgetown Guyana This message contains information that may be privileged and/or confidential and is the property of BrainStreet Technologies or BrainStreet Learning. The information contained herein is intended only for the individual or entity to whom it is addressed and others authorized to receive it . If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or take any action in reliance to the contents of this information or any part thereof and it may be unlawful to do so. If you receive this message in error, please notify the sender immediately and delete all copies of this message from your system. BrainStreet Technologies or BrainStreet Learning are neither liable for the proper and complete transmission of the information contained in this communication nor any delay in its receipt.