In fact, registrant privacy is not good enough yet and needs strengthening. We also need to remember that all registrants are users as well... It depends on your definition of user. If it is user of ICANN services, then users are the same as registrants.
I am against Whois privacy, except in individual/non-commercial cases. I fight spam and I use whois as an attempt to track down spammers. No legitimate business operates anonymously. In the USA, a DBA is a public record -- If you operate a business, who the business is is public.
Law enforcement tends to be slow to act (unless it is a hot political item). Try getting law enforcement to take a report on an eBay fraud, bad check, etc. In some places you practically have to put a gun to their head to take a report. If you look at the recent criminal prosecutions for spamming, you have Ralsky/Bradley who had been civilly sued a few times before the Feds got involved. With Robert Soloway, Microsoft and others had gotten judgments against him before the feds got involved.
Bill and all my friends,
Well Bill, you can always contact the opoc for any registrant that isn't specifically listed. As for reporting spam, use the FTC spam reporting Email address, spam@uce.gov to address your spamming problems. For phishing report you attempted received phishing to either or both US-CERT and antiphishing, see: http://www.us-cert.gov/nav/report_phishing.html for instructions and http://www.antiphishing.org/report_phishing.html accordingly.
Any and all legitimate businesses or individuals should be very concerned regarding their privacy regarding personal information due to stalkers, ID thieves etc... This would include protecting their personal information from even LEA's. See for example: http://www.eff.org/blog and most especially from other businesses with well known online business recognition such as Google or LEA's such as the FBI, in some instances...
Bill Silverstein wrote:
In fact, registrant privacy is not good enough yet and needs strengthening. We also need to remember that all registrants are users as well... It depends on your definition of user. If it is user of ICANN services, then users are the same as registrants.
I am against Whois privacy, except in individual/non-commercial cases. I fight spam and I use whois as an attempt to track down spammers. No legitimate business operates anonymously. In the USA, a DBA is a public record -- If you operate a business, who the business is is public.
Law enforcement tends to be slow to act (unless it is a hot political item). Try getting law enforcement to take a report on an eBay fraud, bad check, etc. In some places you practically have to put a gun to their head to take a report. If you look at the recent criminal prosecutions for spamming, you have Ralsky/Bradley who had been civilly sued a few times before the Feds got involved. With Robert Soloway, Microsoft and others had gotten judgments against him before the feds got involved.
Regards, Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827
Hi Jeff, Bill and all
The problem as I see it, is that I am not a citizen of the USA.
The structures set up by the USA are primarily aimed at protecting USA citizens. I can not fault this.
However, what about a victim in the outback of Australia? The scammer is in Africa. The domain was registered via an Asian registrar. The whois details claims UK, but is known to be fake. The loss is about $40,000. I have many more real life examples.
They have been reported via the appropriate authorities. Reality is it is not worthwhile launching an international investigation and LEA has limited resources and many reports of similar activity.
This is a problem. This victim is doomed to become a statistic. LEA's across the world do not have the resources and many times do not have the know-how to deal with these criminals. This is hard reality.
At the moment I am researching a criminal living in Nigeria that habitually registers spoof domains of UK banks, abuses hosting reseller accounts and populates them with content stolen from real banks, then sells domain and websites to 419 scam gangs. The evidence is easily verifiable. I am even able to supply his true identity. Fact is he has been extremely stupid and his Internet footprint is a mile wide.
I have notified the appropriate parties with details, the banks spoofed, LEA in NG as well. Nothing, he merrily continues along. From the UK side, unless the spoofed bank takes action, nothing can be done. However, they are not the targets of the fraud. Alternatively a victim must file a complaint at LEA. However, LEA will most likely not investigate (see above), the victim is sure to lose his money since LEA will not recover the money, another fact of life.
While I am sure we have some readers here with "special" contacts that could make something happen, the normal internet users do not. The bulk of the victims among these users will never have justice.
Recently Izumu and others were discussing the meaning and merits of silence. In my case, it would either mean indifference, or total disgust.
The current enforceable policies regarding online fraud can be likened to car manufacturers designing faulty cars, blaming drivers for driving them and making it the responsibility of ambulances, paramedics and hospitals to take care of the victims.
The problem starts long before fraud is reported. Results are reported to LEA. Why not try a bit of prevention?
Regards
Derek http://www.aa419.org
Jeffrey A. Williams wrote:
Bill and all my friends,
Well Bill, you can always contact the opoc for any registrant that isn't specifically listed. As for reporting spam, use the FTC spam reporting Email address, spam@uce.gov to address your spamming problems. For phishing report you attempted received phishing to either or both US-CERT and antiphishing, see: http://www.us-cert.gov/nav/report_phishing.html for instructions and http://www.antiphishing.org/report_phishing.html accordingly.
Any and all legitimate businesses or individuals should be very concerned regarding their privacy regarding personal information due to stalkers, ID thieves etc... This would include protecting their personal information from even LEA's. See for example: http://www.eff.org/blog and most especially from other businesses with well known online business recognition such as Google or LEA's such as the FBI, in some instances...
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
At-Large Official Site: http://www.alac.icann.org ALAC Independent: http://www.icannalac.org
Derek and all my friends,
The US law enforcement agencies have close relations and collaboration with law enforcement agencies all over the world including Australia and most African nations. There is also Interpol, which has global reach as well. Additionally, with extradition agreements with nearly every country in the world, US federal law enforcement agencies along with many cross signatories, the opportunity to escape prosecution is extremely minimal. Ergo Derek your concern is not warranted, and with all due respect, is based on ignorance.
Of course success sometimes largely requires ICANN working productively and cooperatively with said LEA's. This however has not proven to be as forthcoming as is necessary to achieve a reasonable level of success. Yet I for one can appreciate your and Bill's concerns, albeit, again, largely unwarranted.
Derek Smythe wrote:
Hi Jeff, Bill and all
The problem as I see it, is that I am not a citizen of the USA.
The structures set up by the USA are primarily aimed at protecting USA citizens. I can not fault this.
However, what about a victim in the outback of Australia? The scammer is in Africa. The domain was registered via an Asian registrar. The whois details claims UK, but is known to be fake. The loss is about $40,000. I have many more real life examples.
They have been reported via the appropriate authorities. Reality is it is not worthwhile launching an international investigation and LEA has limited resources and many reports of similar activity.
This is a problem. This victim is doomed to become a statistic. LEA's across the world do not have the resources and many times do not have the know-how to deal with these criminals. This is hard reality.
At the moment I am researching a criminal living in Nigeria that habitually registers spoof domains of UK banks, abuses hosting reseller accounts and populates them with content stolen from real banks, then sells domain and websites to 419 scam gangs. The evidence is easily verifiable. I am even able to supply his true identity. Fact is he has been extremely stupid and his Internet footprint is a mile wide.
I have notified the appropriate parties with details, the banks spoofed, LEA in NG as well. Nothing, he merrily continues along. From the UK side, unless the spoofed bank takes action, nothing can be done. However, they are not the targets of the fraud. Alternatively a victim must file a complaint at LEA. However, LEA will most likely not investigate (see above), the victim is sure to lose his money since LEA will not recover the money, another fact of life.
While I am sure we have some readers here with "special" contacts that could make something happen, the normal internet users do not. The bulk of the victims among these users will never have justice.
Recently Izumu and others were discussing the meaning and merits of silence. In my case, it would either mean indifference, or total disgust.
The current enforceable policies regarding online fraud can be likened to car manufacturers designing faulty cars, blaming drivers for driving them and making it the responsibility of ambulances, paramedics and hospitals to take care of the victims.
The problem starts long before fraud is reported. Results are reported to LEA. Why not try a bit of prevention?
Regards
Derek http://www.aa419.org
Hi all
The strangest is that by law, the regulators of many countries specifically require all businesses to publish details regarding themselves on their website if they have one. Many do not, many have no other contact mechanism than a webform. However many of these sites have private registrations. This is a red flag.
Remember not all criminals are just spammers and phishers. We also see websites selling non-existent goods, websites set up to act as escrow sites for the non-existent goods and websites pretending to be courier companies that will transport the non-existent goods. The same gangs will also set up job scam sites where money mules will be recruited. We see fake lotteries, fake banks, fake lawyers, even the United Nations, FBI, CIA and Interpol spoofed in other types of scams. These domains are registered with stolen credit card details, by Western Union or other untraceable means. Many of them are in fact hosted on fastflux networks. As such, not to distract from the seriousness of spamming and phishing websites, there are other types of criminal abuse of the internet. In fact many times the same parties are behind these scams as in spam, however each scam type is serving a different purpose and are just part of one larger machine to defraud victims.
The biggest problem is that cyber criminals are the early adopters of new technology, privacy protection being no exception. This causes a major problem for the contemplated legitimate users of privacy protection in this case and is one of the reasons why we will most likely remain in a stalemate situation regarding whois privacy.
Many registrars are reluctant to act on reports of fake whois and fraud. However fake whois and fraud is discussed in http://www.icann.org/announcements/advisory-03apr03.htm, deliberate fake whois details are also discussed in http://www.icann.org/announcements/advisory-10may02.htm Registrars and indeed the ICANN perspective is that this is a LEA issue and tend to pass the buck, forgetting we have a fake whois issue. I have yet to see a criminal website set up with real and valid details, whois details included.
At AA419 we have seen domains registered by innocent victims of identity theft, their details appearing in whois details for a domain they are not even aware of. Americans appear to be good prey! These details were not obtained via whois lookups, many of them do not even know how to register a domain. They would have been unaware of compromised credit cards and personal information, were it not for their details appearing in a domain registration.
Reality is I am a great supporter of whois privacy. However, to make this work, we would first need to fix the current system and the problem of thousands of fake domain registrations flowing into the system, define mechanisms for dealing with fake whois, enforce immediate domain cancellations where we have clear proof of criminal activity and set up the mechanisms to deal with these domains in a timely manner - remember two weeks or 15 days is a lifetime for a scam domain and not appropriate. We also need to identify mechanisms to deal with private registrations where such domains are used for criminal activity. We also need mechanisms to be able to contact the privacy provider themselves. We need mechanisms to effectively escalate details of criminal activity worldwide.
Only once we have this problem under control, can we actually proceed to whois privacy. Without this, we have a house without a foundation.
The other aspect of this issue is that the methods used to defraud innocent people are changing daily, being dynamic is the nature of the internet. On the other hand policy makers are simply not dynamic enough.
As far as I know, no country condones theft - stealing a victim's money here in this case. Why then should there be a problem formulating policy in this regard?
Regards
Derek Smythe http://www.aa419.org
Jeffrey A. Williams wrote:
Bill and all my friends,
..... .....
Any and all legitimate businesses or individuals should be very concerned regarding their privacy regarding personal information due to stalkers, ID thieves etc... This would include protecting their personal information from even LEA's. See for example: http://www.eff.org/blog and most especially from other businesses with well known online business recognition such as Google or LEA's such as the FBI, in some instances...
Derek... might I suggest you consider joining the ALAC WHOIS-WG see https://st.icann.org/alac/index.cgi?at_large_policy_working_groups And https://st.icann.org/gnso-liaison/index.cgi?whois_policy As your contribution and opinions would be most useful in assisting them with their revitalizing policy work...
Kindest regards,
Cheryl Langdon-Orr (CLO)
-----Original Message-----
From: alac-bounces@atlarge-lists.icann.org [mailto:alac-bounces@atlarge-lists.icann.org] On Behalf Of Derek Smythe
Sent: Saturday, 23 February 2008 3:44 AM
To: alac@atlarge-lists.icann.org
Subject: Re: [At-Large] Whois privacy
Hi all
The strangest is that by law, the regulators of many countries specifically require all businesses to publish details regarding themselves on their website if they have one. Many do not, many have no other contact mechanism than a webform. However many of these sites have private registrations. This is a red flag.
Remember not all criminals are just spammers and phishers. We also see websites selling non-existent goods, websites set up to act as escrow sites for the non-existent goods and websites pretending to be courier companies that will transport the non-existent goods. The same gangs will also set up job scam sites where money mules will be recruited. We see fake lotteries, fake banks, fake lawyers, even the United Nations, FBI, CIA and Interpol spoofed in other types of scams. These domains are registered with stolen credit card details, by Western Union or other untraceable means. Many of them are in fact hosted on fastflux networks. As such, not to distract from the seriousness of spamming and phishing websites, there are other types of criminal abuse of the internet. In fact many times the same parties are behind these scams as in spam, however each scam type is serving a different purpose and are just part of one larger machine to defraud victims.
The biggest problem is that cyber criminals are the early adopters of new technology, privacy protection being no exception. This causes a major problem for the contemplated legitimate users of privacy protection in this case and is one of the reasons why we will most likely remain in a stalemate situation regarding whois privacy.
Many registrars are reluctant to act on reports of fake whois and fraud. However fake whois and fraud is discussed in http://www.icann.org/announcements/advisory-03apr03.htm, deliberate fake whois details are also discussed in http://www.icann.org/announcements/advisory-10may02.htm Registrars and indeed the ICANN perspective is that this is a LEA issue and tend to pass the buck, forgetting we have a fake whois issue. I have yet to see a criminal website set up with real and valid details, whois details included.
At AA419 we have seen domains registered by innocent victims of identity theft, their details appearing in whois details for a domain they are not even aware of. Americans appear to be good prey! These details were not obtained via whois lookups, many of them do not even know how to register a domain. They would have been unaware of compromised credit cards and personal information, were it not for their details appearing in a domain registration.
Reality is I am a great supporter of whois privacy. However, to make this work, we would first need to fix the current system and the problem of thousands of fake domain registrations flowing into the system, define mechanisms for dealing with fake whois, enforce immediate domain cancellations where we have clear proof of criminal activity and set up the mechanisms to deal with these domains in a timely manner - remember two weeks or 15 days is a lifetime for a scam domain and not appropriate. We also need to identify mechanisms to deal with private registrations where such domains are used for criminal activity. We also need mechanisms to be able to contact the privacy provider themselves. We need mechanisms to effectively escalate details of criminal activity worldwide.
Only once we have this problem under control, can we actually proceed to whois privacy. Without this, we have a house without a foundation.
The other aspect of this issue is that the methods used to defraud innocent people are changing daily, being dynamic is the nature of the internet. On the other hand policy makers are simply not dynamic enough.
As far as I know, no country condones theft - stealing a victim's money here in this case. Why then should there be a problem formulating policy in this regard?
Regards
Derek Smythe http://www.aa419.org
Jeffrey A. Williams wrote:
Bill and all my friends,
..... .....
Any and all legitimate businesses or individuals should be very concerned regarding their privacy regarding personal information due to stalkers, ID thieves etc... This would include protecting their personal information from even LEA's. See for example: http://www.eff.org/blog and most especially from other businesses with well known online business recognition such as Google or LEA's such as the FBI, in some instances...
Derek and all my friends, My remarks and comments interspersed. Derek Smythe wrote:
Hi all
The strangest is that by law, the regulators of many countries specifically require all businesses to publish details regarding themselves on their website if they have one. Many do not, many have no other contact mechanism than a webform. However many of these sites have private registrations. This is a red flag.
Indeed true, but many more countries have been strengthening privacy regulations and laws accordingly especially in the EU. Reviewing archives of Whois WG's from ICANN should be illuminating for you, there have been 5 thus far since 1999. See for instance: www.icann.org/committees/whois/ www.icann.org/gnso/whois-tf/report-19feb03.htm gnso.icann.org/issues/whois-privacy/ gnso.icann.org/issues/whois-privacy/tor.shtml gnso.icann.org/issues/whois-privacy/tor2.shtml and the list goes on and on and on...
Remember not all criminals are just spammers and phishers. We also see websites selling non-existent goods, websites set up to act as escrow sites for the non-existent goods and websites pretending to be courier companies that will transport the non-existent goods. The same gangs will also set up job scam sites where money mules will be recruited. We see fake lotteries, fake banks, fake lawyers, even the United Nations, FBI, CIA and Interpol spoofed in other types of scams. These domains are registered with stolen credit card details, by Western Union or other untraceable means. Many of them are in fact hosted on fastflux networks. As such, not to distract from the seriousness of spamming and phishing websites, there are other types of criminal abuse of the internet. In fact many times the same parties are behind these scams as in spam, however each scam type is serving a different purpose and are just part of one larger machine to defraud victims.
All too true indeed, I agree. In fact ICANN has contributed greatly to these problems with registrars such as RegisterFly, now thankfully defunct, although much belated in the doing so. False organizations such as the IDNO, which collapsed upon its own false practices once exposed. Two previous questionable attempts by ICANN to create a @large, both of which once exposed for the fraud that they were, collapsed accordingly, and so forth and so on....
The biggest problem is that cyber criminals are the early adopters of new technology, privacy protection being no exception. This causes a major problem for the contemplated legitimate users of privacy protection in this case and is one of the reasons why we will most likely remain in a stalemate situation regarding whois privacy.
Whois privacy must be maintained and would benefit all users and registrants if strengthened significantly. There is not now nor has there ever been a real need for private and personal information regarding a registrant in order to address criminal activity, that is for the courts and LEA's to do with the many tools they already have at their disposal and is often done very effectively with same. Recent examples: "Canadian Police Arrest 17 in Alleged Botnet Scheme" http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html http://www.upi.com/NewsTrack/Top_News/2008/02/21/quebec_smashes_ring_of_17_c... http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2 and "Man Gets Three Years Probation for eMail Harassment" http://sacramento.fbi.gov/filelink.html?file=dojpressrel/pressrel08/sc021308...
Many registrars are reluctant to act on reports of fake whois and fraud. However fake whois and fraud is discussed in http://www.icann.org/announcements/advisory-03apr03.htm, deliberate fake whois details are also discussed in http://www.icann.org/announcements/advisory-10may02.htm Registrars and indeed the ICANN perspective is that this is a LEA issue and tend to pass the buck, forgetting we have a fake whois issue. I have yet to see a criminal website set up with real and valid details, whois details included.
Also indeed true, which only and significantly points up why ICANN itself needs to keep a very close eye and police its registrars as well as registries. This however is not a Whois issue but rather a registration issue.
At AA419 we have seen domains registered by innocent victims of identity theft, their details appearing in whois details for a domain they are not even aware of. Americans appear to be good prey! These details were not obtained via whois lookups, many of them do not even know how to register a domain. They would have been unaware of compromised credit cards and personal information, were it not for their details appearing in a domain registration.
Domain name registration data and Whois data may often times not be compatible or need to be so. Hence again this is not a Whois issue but rather a registrar registration data archive and accuracy problem. LEA's can get this data, but often times it cannot be trusted as accurate given the poor management of registrars of this registration data.
Reality is I am a great supporter of whois privacy. However, to make this work, we would first need to fix the current system and the problem of thousands of fake domain registrations flowing into the system, define mechanisms for dealing with fake whois, enforce immediate domain cancellations where we have clear proof of criminal activity and set up the mechanisms to deal with these domains in a timely manner - remember two weeks or 15 days is a lifetime for a scam domain and not appropriate. We also need to identify mechanisms to deal with private registrations where such domains are used for criminal activity. We also need mechanisms to be able to contact the privacy provider themselves. We need mechanisms to effectively escalate details of criminal activity worldwide.
The mechanisms of which you speak are already available in the registrars' registration data which is supposed to be archived and kept for up to 3 years. However many registrars are not in compliance with this requirement and the Data Retention Act in the US and similar legal conscripts in other countries already in place, although in some instances those laws are recent.
Only once we have this problem under control, can we actually proceed to whois privacy. Without this, we have a house without a foundation.
The "House without a foundation" was the creation of ICANN and has existed since 1999, when at that time and prior to, Whois data was more centralized yet often times not accurate.
The other aspect of this issue is that the methods used to defraud innocent people are changing daily, being dynamic is the nature of the internet. On the other hand policy makers are simply not dynamic enough.
I agree with the latter, which is why a strictly legal or regulation approach cannot and will never work. Proactive approaches are needed and the oversight that ICANN is supposed to be doing of its Registrars in particular is necessary but currently nonexistent.
As far as I know, no country condones theft - stealing a victim's money here in this case. Why then should there be a problem formulating policy in this regard.
Agree here as well. Which is why security of registrants' personal data is paramount, and why Domain Name warehousing and Domain Name tasting is a far more important avenue by which to begin to address such theft. But in order for this to occur, it is necessary for ICANN to uphold its responsibilities fully, fairly, and with gusto. So far such has not been the case.
Regards
Derek Smythe http://www.aa419.org
Jeffrey A. Williams wrote:
Bill and all my friends,
..... .....
Any and all legitimate businesses or individuals should be very concerned regarding their privacy regarding personal information due to stalkers, ID thieves etc... This would include protecting their personal information from even LEA's. See for example: http://www.eff.org/blog and most especially from other businesses with well known online business recognition such as Google or LEA's such as the FBI, in some instances...
Regards, Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827
Derek and all my friends,
My remarks and comments interspersed.
Indeed true, but many more countries have been strengthening privacy regulations and laws accordingly especially in the EU. Reviewing archives of Whois WG's from ICANN should be illuminating for you, there have been 5 thus far since 1999. See for instance: www.icann.org/committees/whois/ www.icann.org/gnso/whois-tf/report-19feb03.htm gnso.icann.org/issues/whois-privacy/ gnso.icann.org/issues/whois-privacy/tor.shtml gnso.icann.org/issues/whois-privacy/tor2.shtml and the list goes on and on and on...
I would suspect that if you contractually agree to make information public, then it is permitted to make it public.
Remember not all criminals are just spammers and phishers. We also see websites selling non-existent goods, websites set up to act as escrow sites for the non-existent goods and websites pretending to be courier companies that will transport the non existent goods. The same gangs will also set up job scam sites where moneymules will be recruited. We see fake lotteries, fake banks, fake lawyers, even the United Nations, FBI, CIA and Interpol spoofed in other types of scams. These domains are registered with stolen credit card details, by Western Union or other untraceable means. Many of them are in fact hosted on fastflux networks. As such, not to distract from the seriousness of spamming and phishing websites, there are other types of criminal abuse of the internet. In fact many times the same parties are behind these scams as in spam, however each scam type is serving a different purpose and are just part of one larger machine to defraud victims.
All too true indeed, I agree. In fact ICANN has contributed greatly to these problems with registrars such as Registryfly, now thankfully defunct, although much belated in the doing so. False organizations such as the IDNO, which collapsed upon its own false practices once exposed. Two previous questionable attempts by ICANN to create a @large, both of which once exposed for the fraud that they were, collapsed accordingly, and so forth and so on....
ICANN has contributed to this greatly by refusing to enforce actions against registrars. I am of the opinion that ICANN (with a little work with registries) can implement a penalty against violating registrars. This penalty would be the prevention of that registrar from being able to register NEW domain names, but still able to renew and control currently registered domain names. I have reported clearly invalid information to registrars and seen nothing done. ICANN has sent letters to Network Solutions regarding this and the information still is invalid.
The biggest problem is that cyber criminals are the early adopters of new technology, privacy protection being no exception. This causes a major problem for the contemplated legitimate users of privacy protection in this case and is one of the reasons why we will most likely remain in a stalemate situation regarding whois privacy.
Whois privacy must be maintained and would benefit all users and registrants if strengthened significantly. There is not now nor has there ever been a real need for private and personal information regarding a registrant in order to address criminal activity, that is for the courts and LEA's to do with the many tools they already have at their disposal and is often done very effectively with same. Recent examples: Canadian Police Arrest 17 in Alleged Botnet Scheme http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html
http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2 and "Man Gets Three Years Probation for eMail Harassment"
Your reliance on LEA's and the court is misplaced. I have dealt with LEAs and the FTC with spammers. Robert Soloway had been involved in illegal spamming for a long time. It was not until I found that he used a stolen credit card and registered the domain name under the name of the credit card. Once I got that information to an agent, it took more than 6 months before he was arrested. For LEAs to do anything, it has to be sufficiently large. How many reports do you see (where they really have to investigate) that $2,000 USD (or even $20,000) was recovered? Even if the information is anonymous to the public, there needs to be some mechanism to assign a UNIQUE registrant handle so that if a wrongdoer and so that all the domain names registered to this individual (not corporate type entity) can be linked to this individual, and that the point of contact can accept service of process on behalf of this individual.
Bill and all my friends, My response interspersed below.. Bill Silverstein wrote:
Derek and all my friends,
My remarks and comments interspersed.
Indeed true, but many more countries have been strengthening privacy regulations and laws accordingly especially in the EU. Reviewing archives of Whois WG's from ICANN should be illuminating for you, there have been 5 thus far since 1999. See for instance: www.icann.org/committees/whois/ www.icann.org/gnso/whois-tf/report-19feb03.htm gnso.icann.org/issues/whois-privacy/ gnso.icann.org/issues/whois-privacy/tor.shtml gnso.icann.org/issues/whois-privacy/tor2.shtml and the list goes on and on and on...
I would suspect that if you contractually agree to make information public, then it is permitted to make it public.
Yes, if and only if said contract is in compliance with relevant law, and/or does not require any reduction of privacy rights by law, regulation, or government policy. If any contract contains any language that restricts or requires the forfeit of said legal constraints, that contract, signed or not, is not valid to whatever extent such less than legal conscripts are being circumvented or otherwise suggested to be forfeit.
Remember not all criminals are just spammers and phishers. We also see websites selling non-existent goods, websites set up to act as escrow sites for the non-existent goods and websites pretending to be courier companies that will transport the non existent goods. The same gangs will also set up job scam sites where moneymules will be recruited. We see fake lotteries, fake banks, fake lawyers, even the United Nations, FBI, CIA and Interpol spoofed in other types of scams. These domains are registered with stolen credit card details, by Western Union or other untraceable means. Many of them are in fact hosted on fastflux networks. As such, not to distract from the seriousness of spamming and phishing websites, there are other types of criminal abuse of the internet. In fact many times the same parties are behind these scams as in spam, however each scam type is serving a different purpose and are just part of one larger machine to defraud victims.
All too true indeed, I agree. In fact ICANN has contributed greatly to these problems with registrars such as Registryfly, now thankfully defunct, although much belated in the doing so. False organizations such as the IDNO, which collapsed upon its own false practices once exposed. Two previous questionable attempts by ICANN to create a @large, both of which once exposed for the fraud that they were, collapsed accordingly, and so forth and so on....
ICANN has contributed to this greatly by refusing to enforce actions against registrars. I am of the opinion that ICANN (with a little work with registries) can implement a penalty against violating registrars. This penalty would be the prevention of that registrar from being able to register NEW domain names, but still able to renew and control currently registered domain names.
I fully agree, and to do so would require that the RAA contracts currently being used be modified accordingly, AND that in these contracts now extant, be to the degree legally and practically possible, be enforced without prejudice.
I have reported clearly invalid information to registrars and seen nothing done. ICANN has sent letters to Network Solutions regarding this and the information still is invalid.
Sadly, yes this is true. Same is so with the IETF, in which I have sent several Email letters to the IETF secretariat, posted the evidence to the GA forum on more than one occasion, and strongly requested that the ICANN Board or staff take corrective action. So far, no action appears to have been taken, and the misconfigured DNS's remain misconfigured, and as such are to a degree, endangering users to a dangerous level.
The biggest problem is that cyber criminals are the early adopters of new technology, privacy protection being no exception. This causes a major problem for the contemplated legitimate users of privacy protection in this case and is one of the reasons why we will most likely remain in a stalemate situation regarding whois privacy.
Whois privacy must be maintained and would benefit all users and registrants if strengthened significantly. There is not now nor has there ever been a real need for private and personal information regarding a registrant in order to address criminal activity, that is for the courts and LEA's to do with the many tools they already have at their disposal and is often done very effectively with same. Recent examples: Canadian Police Arrest 17 in Alleged Botnet Scheme http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html
http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2 and "Man Gets Three Years Probation for eMail Harassment"
Your reliance on LEA's and the court is misplaced. I have dealt with LEAs and the FTC with spammers. Robert Soloway had been involved in illegal spamming for a long time. It was not until I found that he used a stolen credit card and registered the domain name under the name of the credit card. Once I got that information to an agent, it took more than 6 months before he was arrested.
I disagree here. Indeed the law often times moves far too slowly. However the old saying "the wheels of justice grind slowly, but they grind exceedingly fine", I believe still remains largely true. Nonetheless given the lack of LEA manpower, slowness is indeed not wholly satisfactory.
For LEAs to do anything, it has to be sufficiently large. How many reports do you see (where they really have to investigate) that $2,000 USD (or even $20,000) was recovered? Even if the information is anonymous to the public, there needs to be some mechanism to assign a UNIQUE registrant handle so that if a wrongdoer and so that all the domain names registered to this individual (not corporate type entity) can be linked to this individual, and that the point of contact can accept service of process on behalf of this individual.
Often times the little guy or individual is not satisfied or his complaint is not given the desired consideration that complainant believes it should be, and sometimes he/she is correct in that assumption. Yet this in no reasonable way is justification for not using the means and methods under the law and with LEA's not to cooperate with them to the extent possible and in your best as well as the public at large's, interest. Private enterprise cannot substitute for LEA's and should not do so, but private enterprise can work in concert with LEA's as much as practicality and ability allows. This is where ICANN and individuals often times fall short of the mark in being part of the solution.
Participants (4): Bill Silverstein, Cheryl Langdon-Orr, Derek Smythe, Jeffrey A. Williams