Hi all,

Following up on the white paper that Libby Baney just circulated, and as we wrap up our discussion regarding distinguishing between commercial and non-commercial use, I thought it might be helpful to provide a concrete example of a domain name that (I trust we can all agree) is being used for commercial purposes. Perhaps we can collectively think through whether it makes sense for this domain name to be afforded privacy protection. For simplicity, I am only using one domain name as an example, but there are thousands like this in our database alone. I hope that a concrete example will be helpful to the discussion.

Let’s take the domain name medsindia.com. First, as you can verify with a Whois query, it is using proxy/privacy services.  

Registrant Name: General (c/o Rebel.com Privacy Service)
Registrant Organization: Private Domain Services
Registrant Street: 300-12 York Street
Registrant City: Ottawa
Registrant State/Province: ON
Registrant Postal Code: K1N 5S6
Registrant Country: CA
Registrant Phone: +1.866-497-3235
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: IVP1JQKYRM3LQED1@rebelprivacy.com

How is it being used? It’s fairly straightforward: it sells addictive (controlled substances) and other prescription drugs without a valid prescription. But that’s not all: 
  • As noted, it sells prescription drugs, including controlled substances, without requiring a valid prescription. 
  • The drugs are not sold by a pharmacy licensed or otherwise recognized in the patient’s jurisdiction, as is the standard requirement. 
  • The drugs are considered unapproved or falsified, depending on the regulatory language in the jurisdiction. Part of the reason is that they are illegally imported into the customers’ jurisdiction and thus unregulated for safety or authenticity. 
To be clear, this domain name is not being used for legal commercial purposes in any jurisdiction. (Despite its claim to be using a licensed pharmacy in India, not even in India, for reasons I can explain separately if anyone wants to know.) I choose this domain name because I do not think its unlawful or dangerous use can be disputed. I would further argue that the use of the p/p protection allows the unlawful actor to continue operating, as I explain below.  

Being privacy protected, of course, we can’t immediately tell who is operating the website. Can we get law enforcement or courts in the registrar’s jurisdiction to do anything –– e.g., go to the registrar and ask or require them to reveal the identity of the registrant? No. Try to buy a drug such as Xanax from this website. This Internet pharmacy will ship anywhere in the world except to Canada –– where its registrar and servers are located. To protect its ability to sell drugs globally, the registrant has sacrificed sales to a single country, and chosen a registrar and servers there, to create a safe haven. Consequently, Canadian law enforcement cannot point to a violation of Canadian law: no drugs are being shipped into Canada –– just everywhere else around the world. (Which, we can infer, is why this registrant removed Canada from their shipping destinations.) And, the reverse is true –– a court order or law enforcement request from outside of Canada can simply be ignored by the registrar and server companies in Canada. Those who have argued that the best way to deal with p/p use by illegal actors is simply to get a court order are not accounting for this quite common scenario.

Being able to hide their identity in the Whois record is also the perfect set up for another reason: many registrars have said in the past that they only way that they can (or perhaps, will) take action on a domain name is if the Whois record is falsified. But how would we know? It is privacy protected. That removes the WDPRS as a mechanism for dealing with abusive behavior. 

Does this commercial registrant have a legitimate need for p/p services? I would argue that that is not the question to be answered. The question is: Does a consumer, consumer protection firm, government agency, etc. have the right to know who is operating this website? I would submit to this group that it is incumbent upon us to recommend a thoughtful, balanced policy that prevents this sort of “perfect set up” for Internet criminals to hide their identity as this one has. Keep in mind that, as pointed out in the circulated paper, no such right exists in the offline world –– rather, consumers have the right to know who they are dealing with. Ample requirements exist for business registrations to do business transparently. There should be no difference in the online world. 

Finally, recall that the Affirmation of Commitments (AoC) requires "timely, unrestricted and public access to accurate and complete WHOIS information." The AoC goes on to state that WHOIS policy and its implementation needs to meet "the legitimate needs of law enforcement and promote consumer trust." I ask the group, is ICANN fulfilling its commitment, not only to law enforcement but especially to promote consumer trust, if it allows websites like this to continue using p/p services?

Thank you for your consideration.  

John Horton
President, LegitScript
 


Follow LegitScript: LinkedIn  |  Facebook  |  Twitter  |  YouTube  |  Blog  |  Google+



On Mon, May 12, 2014 at 11:40 PM, Libby Baney <libby.baney@fwdstrategies.com> wrote:
All --

I appreciate the dialogue the group has begun regarding WHOIS transparency for entities engaged in commercial activity. With the hope of encouraging discussion on the merits of the issue, I am pleased to share the attached white paper: Commercial Use of Domain Names: An Analysis of Multiple Jurisdictions. 

As you'll see, the paper addresses the following question: Should domain name registrants who sell products or services on their websites should be able to conceal their identity and location in the domain name registration? The paper argues that they should not. Rather, the authors find that requiring domain name registrants engaged in commercial activity to provide transparent WHOIS information falls squarely in line both with ICANN’s commitment to Internet users and existing global public policy to keep businesses honest and consumers safe. Accordingly, the paper recommends an approach that balances personal privacy and consumer protection rights. On the one hand, domain names used for non-commercial purposes (e.g., personal blogs) should, the authors believe, be permitted to utilize privacy or proxy registration. This reflects a fundamental right to privacy of domain name registrants not engaged in commerce. However, the authors do not believe the same right exists for registrants of websites engaged in commerce – a conclusion borne out by our research. 

It goes without saying that this group is divided on the issue of requiring WHOIS transparency for sites engaged in commercial activity. As some in the PPSAI WG have commented, these issues may be complicated but they nonetheless merit our full consideration. We hope the attached white paper stimulates further thinking and group discussion on the issues. 

I look forward to continuing the discussion tomorrow.

Libby

--
Libby Baney, JD
President
FWD Strategies International


_______________________________________________
Gnso-ppsai-pdp-wg mailing list
Gnso-ppsai-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg