For review - updated templates Cat B, questions 1 and 2
Dear All, Following our call yesterday, please find attached the updated templates for Category B questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika
Thanks, Marika. As an added note, for people who are wondering, you are correct that Question 2 was not on the agenda. We got through the scheduled items in 35 minutes and decided to move forward rather than cut the call short. Unless there is significant objection, we will continue to take that approach because we have an ambitious schedule. Besides, it’s a precaution if we topics take longer than expected later. Don From: Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> Date: Wednesday, February 26, 2014 at 5:39 AM To: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org>wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
So this means that the 2013 RAA whois details verification obligation to which registrars are bound should be sufficient then. Or am I missing something? For example if someone registers a domain name using a privacy service set of details and their address got anonymised (from luc@seufer.mail<mailto:luc@seufer.mail> to privacycustomers12345689997@privacy.mail<mailto:privacycustomers12345689997@privacy.mail> the latter forwarding to the former), the fact remains that both addresses need to be functioning or the verification process will fail and the registrar will suspend their services for this domain name. Therefore aside from the verification of the underlying postal address - for which ICANN and registrars are still seeking a realistic method of implementation - the registrar’s validation should act as the proverbial birds-killer stone. Luc On Feb 28, 2014, at 0:32, John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg ________________________________ -------------------------------------------------------- This e-mail and any attached files are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail by mistake, please notify the sender immediately and delete it from your system. You must not copy the message or disclose its contents to anyone. Think of the environment: don't print this e-mail unless you really need to. --------------------------------------------------------
Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B -- questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B -- Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
* What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net>wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org>wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
On Fri, Feb 28, 2014 at 12:44 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem?
My question as well...although backed into...maybe from a different philosophical perspective. Just one clear distinction. My view makes no distinction between a registrar as P/P provider or a non-registrar providing a P/P service; so far as I care, its the service that must be regulated, and same rules apply, regardless of origin or primary business of the provider. The risk is directly connected to service provision. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
Well, I still subscribe to the opinion that the domain registration in and of itself has no criminal or abusive element and the "risk" lies with the hosting service provider and the person or group of persons providing the content. Not the domain name is harmful, the content may however be.... Volker Am 28.02.2014 19:35, schrieb Carlton Samuels:
On Fri, Feb 28, 2014 at 12:44 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem?
My question as well...although backed into...maybe from a different philosophical perspective.
Just one clear distinction. My view makes no distinction between a registrar as P/P provider or a non-registrar providing a P/P service; so far as I care, its the service that must be regulated, and same rules apply, regardless of origin or primary business of the provider. The risk is directly connected to service provision.
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 <tel:876-818-1799> /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Exactly. On Feb 28, 2014, at 2:17 PM, "Volker Greimann" <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Well, I still subscribe to the opinion that the domain registration in and of itself has no criminal or abusive element and the "risk" lies with the hosting service provider and the person or group of persons providing the content. Not the domain name is harmful, the content may however be.... Volker Am 28.02.2014 19:35, schrieb Carlton Samuels: On Fri, Feb 28, 2014 at 12:44 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? My question as well...although backed into...maybe from a different philosophical perspective. Just one clear distinction. My view makes no distinction between a registrar as P/P provider or a non-registrar providing a P/P service; so far as I care, its the service that must be regulated, and same rules apply, regardless of origin or primary business of the provider. The risk is directly connected to service provision. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verf?gung. Mit freundlichen Gr??en, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Gesch?ftsf?hrer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur f?r den angegebenen Empf?nger bestimmt. Jede Form der Kenntnisgabe, Ver?ffentlichung oder Weitergabe an Dritte durch den Empf?nger ist unzul?ssig. Sollte diese Nachricht nicht f?r Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is *inaccurate* (not "accurate"). John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org
wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Stephanie, easy answer: It does not. Volker Am 28.02.2014 20:07, schrieb Stephanie Perrin:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 <tel:876-818-1799> /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B -- questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B -- Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
* What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
That is what I think. So even if I was dead wrong on the 95-5 split, it makes no difference to the fundamental point. Further verification is not going to deter malfeasance. Domain name registration processes should have a very limited role in attempting to police malfeasance. I totally agree that Mickey Mouse should not be registering so many domain names, but once you have a basic common sense verification, there are other (better) ways to catch bad actors. cheers SP On 2014-02-28, at 2:19 PM, Volker Greimann wrote:
Hi Stephanie,
easy answer: It does not.
Volker
Am 28.02.2014 20:07, schrieb Stephanie Perrin:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" < stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is *inaccurate* (not "accurate").
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings < marika.konings@icann.org> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Sorry, but I can’t seem to find any 3.1.8 on the version on the ICANN website. Admittedly, the numbering in that document is pretty confusing…would you mind citing the section to which you refer in your last paragraph (train having left station). SP On Feb 28, 2014, at 10:39 PM, Tim Ruiz <tim@godaddy.com> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Stephanie, Sure -- it's actually Section 3.18, here<http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13...> (sub-sections 3.18.1 and 3.18.2, primarily). It's most helpful to read it in conjunction with Section 1.13. Cheers, John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 8:10 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
Sorry, but I can't seem to find any 3.1.8 on the version on the ICANN website. Admittedly, the numbering in that document is pretty confusing...would you mind citing the section to which you refer in your last paragraph (train having left station). SP
On Feb 28, 2014, at 10:39 PM, Tim Ruiz <tim@godaddy.com> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" < stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is *inaccurate* (not "accurate").
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings < marika.konings@icann.org> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Thanks, clearly I need new glasses. I am even more confused now though....that is a very circular definition of illegal activity, but it seems to focus on use of a domain name prohibited by applicable law. So does a law prohibiting, for instance, the trafficking of illegal drugs, have to have a clause in it specifically prohibiting sale over the INternet for this to kick in? And who is a quasi-governmental body? and are there policy regulations that stipulate exactly what reasonable action a registrar, operating an abuse contact point, is supposed to take? I am comforted by the line stating that the registrar does not have to break the law to do this, but a bit of clarity about exactly what they must do would be welcome to newbies such as myself. It looks as if they just have to publish what they do, and keep all records. I am sorry to ask these basic questions, but I find, from a data protection perspective, these procedures to be remarkably one-sided in favor of investigation, less so on the data protection side. Doubtless the data retention requirements act in favour of innocent, law abiding registrants, in cases where their website or data has been misused, but it is still remarkably intrusive. Apologies for all the naive questions. Stephanie
Hi Stephanie,
Sure -- it's actually Section 3.18, here (sub-sections 3.18.1 and 3.18.2, primarily). It's most helpful to read it in conjunction with Section 1.13.
Cheers,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 8:10 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: Sorry, but I can’t seem to find any 3.1.8 on the version on the ICANN website. Admittedly, the numbering in that document is pretty confusing…would you mind citing the section to which you refer in your last paragraph (train having left station). SP
On Feb 28, 2014, at 10:39 PM, Tim Ruiz <tim@godaddy.com> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton: > Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). > > In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. > > Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. > > But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) > > One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. > > The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. > > Thanks, > > John Horton > President, LegitScript > > > Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+ > > > On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: > Dear All, > > Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. > > The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: > What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? > Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? > In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? > Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? > Best regards, > > Marika > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
No, not at all. I think those are all really excellent questions. I'm not sure anyone has definitive answers to all of those questions at present. Some of the areas where there isn't anything explicit in the RAA (e.g., what constitutes "reasonable actions") may simply become apparent over time depending on how it's handled by ICANN, etc. John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Sat, Mar 1, 2014 at 8:45 AM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
Thanks, clearly I need new glasses. I am even more confused now though....that is a very circular definition of illegal activity, but it seems to focus on use of a domain name prohibited by applicable law. So does a law prohibiting, for instance, the trafficking of illegal drugs, have to have a clause in it specifically prohibiting sale over the INternet for this to kick in? And who is a quasi-governmental body? and are there policy regulations that stipulate exactly what reasonable action a registrar, operating an abuse contact point, is supposed to take? I am comforted by the line stating that the registrar does not have to break the law to do this, but a bit of clarity about exactly what they must do would be welcome to newbies such as myself. It looks as if they just have to publish what they do, and keep all records. I am sorry to ask these basic questions, but I find, from a data protection perspective, these procedures to be remarkably one-sided in favor of investigation, less so on the data protection side. Doubtless the data retention requirements act in favour of innocent, law abiding registrants, in cases where their website or data has been misused, but it is still remarkably intrusive. Apologies for all the naive questions. Stephanie
Hi Stephanie,
Sure -- it's actually Section 3.18, here<http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13...> (sub-sections 3.18.1 and 3.18.2, primarily). It's most helpful to read it in conjunction with Section 1.13.
Cheers,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 8:10 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
Sorry, but I can't seem to find any 3.1.8 on the version on the ICANN website. Admittedly, the numbering in that document is pretty confusing...would you mind citing the section to which you refer in your last paragraph (train having left station). SP
On Feb 28, 2014, at 10:39 PM, Tim Ruiz <tim@godaddy.com> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" < stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is *inaccurate* (not "accurate").
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com/>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings < marika.konings@icann.org> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Just to add a bit from the Oz perspective. For a perspective registrant to get a .com.au name, s/he must produce an ABN (Australian business number). To get one of those one has to walk into one of the corporate regulator's offices, with 2 pieces of photo ID plus a bit of money. So when that person then applies for a .com.au name, the registrar can easily check on the regulator' data base to match the name, contact details and ABN number with the applicant's details. Does that mean the person will not use the ABN number in committing corporate criminality/fraud - no. Indeed, does that mean the person is who they say they are (and have IDs for) - no. But it does make it more difficult to get a .com.au name. It's not perfect. But it puts a few roadblocks up. Once those roadblocks have been overcome, then I agree with Stephanie - once there are reasonable tests for verification that have been met - in compliance with the 2013 RAA requirements - go after the miscreant. Holly On 01/03/2014, at 2:39 PM, Tim Ruiz wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Holly, just a few points off the top of my head: 1) Not all countries have such an easily accessible online database, in fact most countries do not. 2) This does not in any way prevent anyone to steal the identification number. 3) Criminals have a way of quickly finding their way around roadblocks, but the normal users tend to get caught up in them. Volker Am 01.03.2014 05:30, schrieb Holly Raiche:
Just to add a bit from the Oz perspective.
For a perspective registrant to get a .com.au name, s/he must produce an ABN (Australian business number). To get one of those one has to walk into one of the corporate regulator's offices, with 2 pieces of photo ID plus a bit of money. So when that person then applies for a .com.au name, the registrar can easily check on the regulator' data base to match the name, contact details and ABN number with the applicant's details. Does that mean the person will not use the ABN number in committing corporate criminality/fraud - no. Indeed, does that mean the person is who they say they are (and have IDs for) - no. But it does make it more difficult to get a .com.au name. It's not perfect. But it puts a few roadblocks up. Once those roadblocks have been overcome, then I agree with Stephanie - once there are reasonable tests for verification that have been met - in compliance with the 2013 RAA requirements - go after the miscreant.
Holly
On 01/03/2014, at 2:39 PM, Tim Ruiz wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 <tel:876-818-1799> /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton: > Thanks, Marika. I also wanted to provide a comment > pertaining to Question 2 in the attachments > (relating to periodic checks). > > In a few of the recent discussions, there's been > some reference to criminals always or nearly always > being untruthful in their Whois records (even if > privacy-protected), leading to the conclusion that > there is little purpose in having a registrar or any > third party have to verify or re-verify the > information (especially if it is difficult to prove > that the data is falsified). I wanted to share our > experience and observations on that point, in the > hope that it's relevant to future discussion > regarding Question 2. > > Our consistent observation has been that when it > comes to a particular sub-category of criminal > activity, spam, phishing, malware, and so forth, > it's probably safe to say that that statement is > true -- the registrant's Whois information is nearly > always inaccurate. Even in cases, such as some where > we've worked with law enforcement, when the Whois > record for a domain name involved in spam, phishing > or malware is privacy-protected and is subsequently > unmasked, the Whois record is still not accurate > behind the privacy curtain. There are probably > exceptions, but that's what we've seen well over 95% > of the time. On occasion, it's a real address and > phone number, just not one genuinely connected to > the registrant. > > But there are other types of criminal activity where > the Whois record is not so regularly obfuscated. For > example, we investigate a lot of websites selling > tainted dietary supplements that end up containing > some toxin or adulterant that harms people. In those > cases, we've overwhelmingly seen that even if the > Whois record is privacy-protected, the trend is that > the underlying Whois record is accurate. The same > has been true for illegal or counterfeit medical > device websites that we've researched. On illegal > Internet pharmacies not engaged in spam, it's > probably 50-50. (It might be a shell corporation, > but that's still valuable information.) > > One important point to consider is that the Whois > registration can be relevant information from a > banking perspective for commercial entities. That > is, some banks are going to look at an online > merchant's domain name registration record and if > it's either inaccurate or protected, they may > require disclosure, or ask about any discrepancy, > which can be an incentive for criminals selling > products online who nevertheless want to get paid > via credit card to have an accurate Whois. Hackers, > malware providers and spammers will find a way > around that, but they don't necessarily constitute > "most" criminal activity. > > The point here is, I think verification can still be > a useful and necessary tool in either scenario, even > if it doesn't uncover useful information a portion > of the time. I realize that only pertains to a > portion of the issues related to Question 2, but I > hope that our observations on that are relevant. > > Thanks, > > John Horton > President, LegitScript > > > *FollowLegitScript*: LinkedIn > <http://www.linkedin.com/company/legitscript-com> | > Facebook <https://www.facebook.com/LegitScript> | > Twitter <https://twitter.com/legitscript> | YouTube > <https://www.youtube.com/user/LegitScript> | _Blog > <http://blog.legitscript.com/>_ |Google+ > <https://plus.google.com/112436813474708014933/posts> > > > On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings > <marika.konings@icann.org > <mailto:marika.konings@icann.org>> wrote: > > Dear All, > > Following our call yesterday, please find > attached the updated templates for Category B -- > questions 1 & 2. Please review these templates > to make sure the WG discussions have been > accurately reflected and feel free to share any > comments / edits you may have with the mailing > list. We've created a page on the wiki where > we'll post the templates that have been > finalised for now (noting that for some of these > the WG will need to come back to the template at > a later date), see > https://community.icann.org/x/ihLRAg. > > The WG will continue its deliberations on > Category B -- Question 2 next week. Some of the > questions that came up during the conversation > yesterday and which you are encouraged to share > your views on (and/or add additional questions > that need to be considered in this context) are: > > * What would be the arguments for not using > the same standards / requirements for > validation and verification as per the 2013 > RAA? > * Should there be a requirement for > re-verification, and if so, what instances > would trigger such re-verification? > * In case of affliction between the P/P > service and the registrar, if the > registration information has already been > verified by the registrar, should this > exempt the P/P provider from doing so? > * Should the same requirements apply to > privacy and proxy services or is there a > reason to distinguish between the two? > > Best regards, > > Marika > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Tim and all, It is not clear to me what you (or Volker or Stephanie) are suggesting as an alternative. As a newbie to the ICANN world I’ve not had the pleasure of being involved in privacy/proxy related conversations for the past several years (perhaps I should be grateful) so I admit I may be missing some context. Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don’t believe you are, but its far from clear and I don’t want to make assumptions. IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case. As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Thanks for the great debate - I continue to learn every day. Alex Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile) On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Alex: I believe Tim, Volker and others are saying the verification requirements for PP services should be the same as those for Registrars under the 2013 RAA. Nothing more, and nothing less. J. From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Friday, February 28, 2014 at 22:57 To: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Tim and all, It is not clear to me what you (or Volker or Stephanie) are suggesting as an alternative. As a newbie to the ICANN world I’ve not had the pleasure of being involved in privacy/proxy related conversations for the past several years (perhaps I should be grateful) so I admit I may be missing some context. Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don’t believe you are, but its far from clear and I don’t want to make assumptions. IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case. As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Thanks for the great debate - I continue to learn every day. Alex Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile) On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Yes, that is ultimately my point. Although I do feel even the requirements of the 2013 RAA are over reaching and ultimately inaffective in solving any real problems, it is a done deal. Going beyond that though makes no sense whatsoever. Tim On Mar 1, 2014, at 4:20 AM, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: Hi Alex: I believe Tim, Volker and others are saying the verification requirements for PP services should be the same as those for Registrars under the 2013 RAA. Nothing more, and nothing less. J. From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Friday, February 28, 2014 at 22:57 To: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Tim and all, It is not clear to me what you (or Volker or Stephanie) are suggesting as an alternative. As a newbie to the ICANN world I’ve not had the pleasure of being involved in privacy/proxy related conversations for the past several years (perhaps I should be grateful) so I admit I may be missing some context. Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don’t believe you are, but its far from clear and I don’t want to make assumptions. IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case. As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Thanks for the great debate - I continue to learn every day. Alex Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile) On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Ultimately, I would even go one step further and say that the requirements need not be the same but can be lower than that of a registrar in certain cases, namely when the required verification has already been performed by the registrar. So I am lookijng for language that would for example say that the provider is required to ensure that the underlying data is checked in a manner consistent with the requirements of the obligations of the registrar. If the registrar has already checked the underlying data, there is no need to check it again. Best, V. Am 01.03.2014 15:40, schrieb Tim Ruiz:
Yes, that is ultimately my point. Although I do feel even the requirements of the 2013 RAA are over reaching and ultimately inaffective in solving any real problems, it is a done deal. Going beyond that though makes no sense whatsoever.
Tim
On Mar 1, 2014, at 4:20 AM, "James M. Bladel" <jbladel@godaddy.com <mailto:jbladel@godaddy.com>> wrote:
Hi Alex:
I believe Tim, Volker and others are saying the verification requirements for PP services should be the same as those for Registrars under the 2013 RAA. Nothing more, and nothing less.
J.
From: "Alex_Deacon@mpaa.org <mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org <mailto:Alex_Deacon@mpaa.org>> Date: Friday, February 28, 2014 at 22:57 To: Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> Cc: "gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Tim and all,
It is not clear to me what you (or Volker or Stephanie) are suggesting as an alternative. As a newbie to the ICANN world I've not had the pleasure of being involved in privacy/proxy related conversations for the past several years (perhaps I should be grateful) so I admit I may be missing some context.
Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don't believe you are, but its far from clear and I don't want to make assumptions.
IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case.
As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I'm not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case.
Thanks for the great debate - I continue to learn every day.
Alex
*Alex Deacon *Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org <mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile)
On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
> ..which seems to me all about risk management on part of > the provider. Its the results that matter. > > So, for all the possible permutations, in line with > those enumerated by Volker, might it not be more useful > to refer 'verified credentials' as a requirement on the > provider, allow them to accept the business risk and > leave it to them to decide how to do it.......and, > inherently, the risks acceptable to them for > provisioning the service? > > -Carlton > > > ============================== > Carlton A Samuels > Mobile: 876-818-1799 <tel:876-818-1799> > /Strategy, Planning, Governance, Assessment & Turnaround/ > ============================= > > > On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann > <vgreimann@key-systems.net > <mailto:vgreimann@key-systems.net>> wrote: > > Hi John, > > I am having a bit of a hard time understanding your > point here. > > You are describing three different cases here, two > of which will not benefit from verification in the > least bit and one might, but only in some cases: > > a) The data is accurate, but stolen: Here > verification would not uncover any issues with the > data as it is essentially correct and will most > likely be identified as accurate. > b) The data is false: Here, depending on the methods > used, the inaccuracy may be uncovered and would lead > to an automated request to provide updated data or > deactivation after a set time. Remember, in order to > keep providing services in a sensible manner, this > needs to be automated in some form, i.e. no > individual record would likely see any manual review. > c) The data is already accurate: If the data is > already correct, what purpose does verification > fulfill? The data cannot become more accurate. > Verification in this case seems like an exercise in > self-gratification. > > That said, even if there is a benefit to be derived > from verification, such benefits are achieved once > verification concludes. Re-verification of already > verified data fulfills no purpose whatsoever. So if > a set of data has already been verified by the > registrar, there is no need for the p/p provider to > again verify the same data. Only if no verification > is or can be performed on the registrar level does > verification by providers come into play. > > Volker > > Am 28.02.2014 00:32, schrieb John Horton: >> Thanks, Marika. I also wanted to provide a comment >> pertaining to Question 2 in the attachments >> (relating to periodic checks). >> >> In a few of the recent discussions, there's been >> some reference to criminals always or nearly always >> being untruthful in their Whois records (even if >> privacy-protected), leading to the conclusion that >> there is little purpose in having a registrar or >> any third party have to verify or re-verify the >> information (especially if it is difficult to prove >> that the data is falsified). I wanted to share our >> experience and observations on that point, in the >> hope that it's relevant to future discussion >> regarding Question 2. >> >> Our consistent observation has been that when it >> comes to a particular sub-category of criminal >> activity, spam, phishing, malware, and so forth, >> it's probably safe to say that that statement is >> true -- the registrant's Whois information is >> nearly always inaccurate. Even in cases, such as >> some where we've worked with law enforcement, when >> the Whois record for a domain name involved in >> spam, phishing or malware is privacy-protected and >> is subsequently unmasked, the Whois record is still >> not accurate behind the privacy curtain. There are >> probably exceptions, but that's what we've seen >> well over 95% of the time. On occasion, it's a real >> address and phone number, just not one genuinely >> connected to the registrant. >> >> But there are other types of criminal activity >> where the Whois record is not so regularly >> obfuscated. For example, we investigate a lot of >> websites selling tainted dietary supplements that >> end up containing some toxin or adulterant that >> harms people. In those cases, we've overwhelmingly >> seen that even if the Whois record is >> privacy-protected, the trend is that the underlying >> Whois record is accurate. The same has been true >> for illegal or counterfeit medical device websites >> that we've researched. On illegal Internet >> pharmacies not engaged in spam, it's probably >> 50-50. (It might be a shell corporation, but that's >> still valuable information.) >> >> One important point to consider is that the Whois >> registration can be relevant information from a >> banking perspective for commercial entities. That >> is, some banks are going to look at an online >> merchant's domain name registration record and if >> it's either inaccurate or protected, they may >> require disclosure, or ask about any discrepancy, >> which can be an incentive for criminals selling >> products online who nevertheless want to get paid >> via credit card to have an accurate Whois. Hackers, >> malware providers and spammers will find a way >> around that, but they don't necessarily constitute >> "most" criminal activity. >> >> The point here is, I think verification can still >> be a useful and necessary tool in either scenario, >> even if it doesn't uncover useful information a >> portion of the time. I realize that only pertains >> to a portion of the issues related to Question 2, >> but I hope that our observations on that are relevant. >> >> Thanks, >> >> John Horton >> President, LegitScript >> >> >> *FollowLegitScript*: LinkedIn >> <http://www.linkedin.com/company/legitscript-com> | >> Facebook <https://www.facebook.com/LegitScript> | >> Twitter <https://twitter.com/legitscript> | YouTube >> <https://www.youtube.com/user/LegitScript> | _Blog >> <http://blog.legitscript.com/>_ |Google+ >> <https://plus.google.com/112436813474708014933/posts> >> >> >> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings >> <marika.konings@icann.org >> <mailto:marika.konings@icann.org>> wrote: >> >> Dear All, >> >> Following our call yesterday, please find >> attached the updated templates for Category B >> -- questions 1 & 2. Please review these >> templates to make sure the WG discussions have >> been accurately reflected and feel free to >> share any comments / edits you may have with >> the mailing list. We've created a page on the >> wiki where we'll post the templates that have >> been finalised for now (noting that for some of >> these the WG will need to come back to the >> template at a later date), see >> https://community.icann.org/x/ihLRAg. >> >> The WG will continue its deliberations on >> Category B -- Question 2 next week. Some of the >> questions that came up during the conversation >> yesterday and which you are encouraged to share >> your views on (and/or add additional questions >> that need to be considered in this context) are: >> >> * What would be the arguments for not using >> the same standards / requirements for >> validation and verification as per the 2013 >> RAA? >> * Should there be a requirement for >> re-verification, and if so, what instances >> would trigger such re-verification? >> * In case of affliction between the P/P >> service and the registrar, if the >> registration information has already been >> verified by the registrar, should this >> exempt the P/P provider from doing so? >> * Should the same requirements apply to >> privacy and proxy services or is there a >> reason to distinguish between the two? >> >> Best regards, >> >> Marika >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org >> <mailto:Gnso-ppsai-pdp-wg@icann.org> >> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg >> >> >> >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > -- > Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. > > Mit freundlichen Grüßen, > > Volker A. Greimann > - Rechtsabteilung - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> > Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> > Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> > > Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/> > > Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: > www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>www.twitter.com/key_systems <http://www.twitter.com/key_systems> > > Geschäftsführer: Alexander Siffrin > Handelsregister Nr.: HR B 18835 - Saarbruecken > Umsatzsteuer ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu <http://www.keydrive.lu/> > > Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. > > -------------------------------------------- > > Should you have any further questions, please do not hesitate to contact us. > > Best regards, > > Volker A. Greimann > - legal department - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> > Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> > Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> > > Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/> > > Follow us on Twitter or join our fan community on Facebook and stay updated: > www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>www.twitter.com/key_systems <http://www.twitter.com/key_systems> > > CEO: Alexander Siffrin > Registration No.: HR B 18835 - Saarbruecken > V.A.T. ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu <http://www.keydrive.lu/> > > This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. > > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
I agree. Thanks Volker. On Mar 3, 2014, at 4:56 AM, "Volker Greimann" <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Ultimately, I would even go one step further and say that the requirements need not be the same but can be lower than that of a registrar in certain cases, namely when the required verification has already been performed by the registrar. So I am lookijng for language that would for example say that the provider is required to ensure that the underlying data is checked in a manner consistent with the requirements of the obligations of the registrar. If the registrar has already checked the underlying data, there is no need to check it again. Best, V. Am 01.03.2014 15:40, schrieb Tim Ruiz: Yes, that is ultimately my point. Although I do feel even the requirements of the 2013 RAA are over reaching and ultimately inaffective in solving any real problems, it is a done deal. Going beyond that though makes no sense whatsoever. Tim On Mar 1, 2014, at 4:20 AM, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: Hi Alex: I believe Tim, Volker and others are saying the verification requirements for PP services should be the same as those for Registrars under the 2013 RAA. Nothing more, and nothing less. J. From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Friday, February 28, 2014 at 22:57 To: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Tim and all, It is not clear to me what you (or Volker or Stephanie) are suggesting as an alternative. As a newbie to the ICANN world I’ve not had the pleasure of being involved in privacy/proxy related conversations for the past several years (perhaps I should be grateful) so I admit I may be missing some context. Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don’t believe you are, but its far from clear and I don’t want to make assumptions. IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case. As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Thanks for the great debate - I continue to learn every day. Alex Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile) On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi alex, welcome to the wonderful world of ICANN.
Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don't believe you are, but its far from clear and I don't want to make assumptions. This pretty much describes the status quo, so any request for additional obligations that change the status quo needs to be justified.
What I was suggesting however was more along the lines of thought that duplication of tasks should be avoided, so if a registrar has already checked a certain set of data there would be no need for the provider to check it again.
IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case.
I agree that a domain owner should be contactable, however I disagree with the notion of a right to a response. It is entirely within the remit of the registrant to decide whether or not to respond to the communication. About half of the complaints we receive on our privacy service abuse inbox are relating to the complainant not receiving an answer to whatever complaint they sent to the forwarding email proxy address. We always have to tell them that they have no right to a response from the registrant.
As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I'm not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case.
Grounded in DNSSEC? So you believe this effort will ever take off and see widespread adoption? From what we as registrars see is that there is zero interest in DNSSEC services from our customers. The only time they take it is when we bundle it with the domain name in connection with a rebate program from the registries, i.e. when they can get the domains cheaper than normal. And I dare say that is then only to get the better price, not to get the DNSSEC. When offering DNSSEC and normal registrations side by side, at the same time, 99% of customers do not go for DNSSEC. So basing any policy requirements to a product that has a single digit market adoption percentile with no visible sign of that ever changing seems unreasonable. Volker
*Alex Deacon *Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org <mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile)
On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 <tel:876-818-1799> /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton: > Thanks, Marika. I also wanted to provide a comment > pertaining to Question 2 in the attachments > (relating to periodic checks). > > In a few of the recent discussions, there's been > some reference to criminals always or nearly always > being untruthful in their Whois records (even if > privacy-protected), leading to the conclusion that > there is little purpose in having a registrar or any > third party have to verify or re-verify the > information (especially if it is difficult to prove > that the data is falsified). I wanted to share our > experience and observations on that point, in the > hope that it's relevant to future discussion > regarding Question 2. > > Our consistent observation has been that when it > comes to a particular sub-category of criminal > activity, spam, phishing, malware, and so forth, > it's probably safe to say that that statement is > true -- the registrant's Whois information is nearly > always inaccurate. Even in cases, such as some where > we've worked with law enforcement, when the Whois > record for a domain name involved in spam, phishing > or malware is privacy-protected and is subsequently > unmasked, the Whois record is still not accurate > behind the privacy curtain. There are probably > exceptions, but that's what we've seen well over 95% > of the time. On occasion, it's a real address and > phone number, just not one genuinely connected to > the registrant. > > But there are other types of criminal activity where > the Whois record is not so regularly obfuscated. For > example, we investigate a lot of websites selling > tainted dietary supplements that end up containing > some toxin or adulterant that harms people. In those > cases, we've overwhelmingly seen that even if the > Whois record is privacy-protected, the trend is that > the underlying Whois record is accurate. The same > has been true for illegal or counterfeit medical > device websites that we've researched. On illegal > Internet pharmacies not engaged in spam, it's > probably 50-50. (It might be a shell corporation, > but that's still valuable information.) > > One important point to consider is that the Whois > registration can be relevant information from a > banking perspective for commercial entities. That > is, some banks are going to look at an online > merchant's domain name registration record and if > it's either inaccurate or protected, they may > require disclosure, or ask about any discrepancy, > which can be an incentive for criminals selling > products online who nevertheless want to get paid > via credit card to have an accurate Whois. Hackers, > malware providers and spammers will find a way > around that, but they don't necessarily constitute > "most" criminal activity. > > The point here is, I think verification can still be > a useful and necessary tool in either scenario, even > if it doesn't uncover useful information a portion > of the time. I realize that only pertains to a > portion of the issues related to Question 2, but I > hope that our observations on that are relevant. > > Thanks, > > John Horton > President, LegitScript > > > *FollowLegitScript*: LinkedIn > <http://www.linkedin.com/company/legitscript-com> | > Facebook <https://www.facebook.com/LegitScript> | > Twitter <https://twitter.com/legitscript> | YouTube > <https://www.youtube.com/user/LegitScript> | _Blog > <http://blog.legitscript.com/>_ |Google+ > <https://plus.google.com/112436813474708014933/posts> > > > On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings > <marika.konings@icann.org > <mailto:marika.konings@icann.org>> wrote: > > Dear All, > > Following our call yesterday, please find > attached the updated templates for Category B -- > questions 1 & 2. Please review these templates > to make sure the WG discussions have been > accurately reflected and feel free to share any > comments / edits you may have with the mailing > list. We've created a page on the wiki where > we'll post the templates that have been > finalised for now (noting that for some of these > the WG will need to come back to the template at > a later date), see > https://community.icann.org/x/ihLRAg. > > The WG will continue its deliberations on > Category B -- Question 2 next week. Some of the > questions that came up during the conversation > yesterday and which you are encouraged to share > your views on (and/or add additional questions > that need to be considered in this context) are: > > * What would be the arguments for not using > the same standards / requirements for > validation and verification as per the 2013 > RAA? > * Should there be a requirement for > re-verification, and if so, what instances > would trigger such re-verification? > * In case of affliction between the P/P > service and the registrar, if the > registration information has already been > verified by the registrar, should this > exempt the P/P provider from doing so? > * Should the same requirements apply to > privacy and proxy services or is there a > reason to distinguish between the two? > > Best regards, > > Marika > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
On 3 Mar 2014, at 6:11 pm, Volker Greimann <vgreimann@key-Systems.net> wrote:
As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Grounded in DNSSEC? So you believe this effort will ever take off and see widespread adoption? From what we as registrars see is that there is zero interest in DNSSEC services from our customers. The only time they take it is when we bundle it with the domain name in connection with a rebate program from the registries, i.e. when they can get the domains cheaper than normal. And I dare say that is then only to get the better price, not to get the DNSSEC. When offering DNSSEC and normal registrations side by side, at the same time, 99% of customers do not go for DNSSEC.
If security based on DANE was more widespread, then there might be more adoption of DNSSEC. DANE potentially provides a reason to get DNSSEC, just as SSL/TLS currently provides a reason to get a certificate. If there was significant browser and service support for DANE, I'd be using it, and ensuring I had DNSSEC for that purpose. I do think that there are use cases for DANE that don't require WHOIS, just as there are use cases for SSL with self-issued certificates. I would, for example, trust the DNSSEC and DANE for a domain I control, regardless of what is in my WHOIS, and so could use that to get my own webmail securely etc. Or you may simple want to communicate securely with the registrant of a particular domain. Or you may otherwise have other knowledge about the domain (such as content published on that domain) that gives you a reason to trust some things about the domain, regardless of WHOIS. SO, I don't think we should write off DNSSEC - but DANE/DNSSEC isn't a very strong argument for WHOIS data verification. David
So basing any policy requirements to a product that has a single digit market adoption percentile with no visible sign of that ever changing seems unreasonable.
Volker
Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org +1.415.802.9776 (mobile)
On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com> wrote:
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
> ..which seems to me all about risk management on part of the provider. Its the results that matter. > > So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? > > -Carlton > > > ============================== > Carlton A Samuels > Mobile: 876-818-1799 > Strategy, Planning, Governance, Assessment & Turnaround > ============================= > > > On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: > Hi John, > > I am having a bit of a hard time understanding your point here. > > You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: > > a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. > b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. > c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. > > That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. > > Volker > > Am 28.02.2014 00:32, schrieb John Horton: >> Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). >> >> In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. >> >> Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. >> >> But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) >> >> One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. >> >> The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. >> >> Thanks, >> >> John Horton >> President, LegitScript >> >> >> Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+ >> >> >> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: >> Dear All, >> >> Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. >> >> The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: >> What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? >> Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? >> In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? >> Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? >> Best regards, >> >> Marika >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org >> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg >> >> >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org >> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > -- > Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. > > Mit freundlichen Grüßen, > > Volker A. Greimann > - Rechtsabteilung - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.: +49 (0) 6894 - 9396 901 > Fax.: +49 (0) 6894 - 9396 851 > Email: vgreimann@key-systems.net > > Web: www.key-systems.net / www.RRPproxy.net > www.domaindiscount24.com / www.BrandShelter.com > > Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: > www.facebook.com/KeySystems > www.twitter.com/key_systems > > Geschäftsführer: Alexander Siffrin > Handelsregister Nr.: HR B 18835 - Saarbruecken > Umsatzsteuer ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu > > Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. > > -------------------------------------------- > > Should you have any further questions, please do not hesitate to contact us. > > Best regards, > > Volker A. Greimann > - legal department - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.: +49 (0) 6894 - 9396 901 > Fax.: +49 (0) 6894 - 9396 851 > Email: vgreimann@key-systems.net > > Web: www.key-systems.net / www.RRPproxy.net > www.domaindiscount24.com / www.BrandShelter.com > > Follow us on Twitter or join our fan community on Facebook and stay updated: > www.facebook.com/KeySystems > www.twitter.com/key_systems > > CEO: Alexander Siffrin > Registration No.: HR B 18835 - Saarbruecken > V.A.T. ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu > > This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. > > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Volker, On Mar 3, 2014, at 2:11 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi alex, welcome to the wonderful world of ICANN. [Alex] Thanks! Are you suggesting privacy/proxy provider need not do any validation on registrant data? I don’t believe you are, but its far from clear and I don’t want to make assumptions. This pretty much describes the status quo, so any request for additional obligations that change the status quo needs to be justified. [Alex] The 2013 RAA was top of mind in this regard. What I was suggesting however was more along the lines of thought that duplication of tasks should be avoided, so if a registrar has already checked a certain set of data there would be no need for the provider to check it again. [Alex] Agreed. As I mentioned in another thread we can’t assume the privacy/proxy provider is always affiliated with a registrar, so this will boil down finding the right language to handle all cases. IMO the goal here is to ensure registrant data is accurate in the case contact and communication is to be made with the owner of the domain. And ultimately that we get a response from the owner of the domain. We as a working group are not trying to create a solution that somehow vets or makes a value (or liability) judgement of what they do/sell/say/etc on their website. As Stephanie mentioned we have regimes to deal with this case. I agree that a domain owner should be contactable, however I disagree with the notion of a right to a response. It is entirely within the remit of the registrant to decide whether or not to respond to the communication. About half of the complaints we receive on our privacy service abuse inbox are relating to the complainant not receiving an answer to whatever complaint they sent to the forwarding email proxy address. We always have to tell them that they have no right to a response from the registrant. As an aside, I believe its important to also think beyond managing the misuse scenario (which seems to be the current/only focus), and look further into the future where we have a DNS system, grounded in DNSSEC, that enables additional trust services such as DANE. DANE relies on a trusted identity provided and validated DNSSEC. I’m not sure how this system can be ultimately successful (assuming one believes this is a goal) without some assurance that the WHOIS data is accurate in the direct WHOIS case or can be found/proven to be accurate in the privacy/proxy case. Grounded in DNSSEC? So you believe this effort will ever take off and see widespread adoption? From what we as registrars see is that there is zero interest in DNSSEC services from our customers. The only time they take it is when we bundle it with the domain name in connection with a rebate program from the registries, i.e. when they can get the domains cheaper than normal. And I dare say that is then only to get the better price, not to get the DNSSEC. When offering DNSSEC and normal registrations side by side, at the same time, 99% of customers do not go for DNSSEC. So basing any policy requirements to a product that has a single digit market adoption percentile with no visible sign of that ever changing seems unreasonable. [Alex] I suggest we talk about the adoption and future of DNSSEC over a beer or three in Singapore if you plan to attend. :) Clearly this is out of scope of this WG and mailing list. I do however believe its important to be forward looking in this regard. Alex Volker Alex Deacon Senior VP, Internet Technology Motion Picture Association of America Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org> +1.415.802.9776 (mobile) On Feb 28, 2014, at 7:39 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access. Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management. In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case. Thanks— J. From: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services. Thanks-- J. Sent from my iPad On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access. Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management. In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case. Thanks— J. From: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one: Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations. To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test. Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side. Todd ________________________________ From: gnso-ppsai-pdp-wg-bounces@icann.org <gnso-ppsai-pdp-wg-bounces@icann.org> on behalf of James M. Bladel <jbladel@godaddy.com> Sent: Saturday, March 1, 2014 6:30:35 AM To: Tim Ruiz Cc: PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services. Thanks-- J. Sent from my iPad On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access. Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management. In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case. Thanks— J. From: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.RRPproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.BrandShelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I don’t think we agree that there is more risk with P/P services, which is kind of a fundamental disagreement. We even have rival studies backing us up. As to the analogies, they are useful but limited, as they can capture our imaginations in ways which are not in accord with the facts. My analogy for a p/p registration would not be a tractor trailer licence, it would be a small car with tinted windows. Stephanie On Mar 1, 2014, at 3:52 PM, Williams, Todd <Todd.Williams@turner.com> wrote:
I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one:
Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations.
To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test.
Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side.
Todd From: gnso-ppsai-pdp-wg-bounces@icann.org <gnso-ppsai-pdp-wg-bounces@icann.org> on behalf of James M. Bladel <jbladel@godaddy.com> Sent: Saturday, March 1, 2014 6:30:35 AM To: Tim Ruiz Cc: PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services.
Thanks--
J.
Sent from my iPad
On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com> wrote:
In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access.
Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management.
In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case.
Thanks—
J.
From: Tim Ruiz <tim@godaddy.com> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton: > Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). > > In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. > > Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. > > But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) > > One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. > > The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. > > Thanks, > > John Horton > President, LegitScript > > > Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+ > > > On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: > Dear All, > > Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. > > The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: > What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? > Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? > In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? > Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? > Best regards, > > Marika > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I think this analogy fits better indeed. The only difference between a "normal" registration and a private one is that with the first everyone can see (to a certain extent) who is at the wheel. So our main task to keep with the analogy is to define when those windows have to be lowered and how messages directed at the driver have to reach him. Volker Am 01.03.2014 22:28, schrieb Stephanie Perrin:
I don't think we agree that there is more risk with P/P services, which is kind of a fundamental disagreement. We even have rival studies backing us up. As to the analogies, they are useful but limited, as they can capture our imaginations in ways which are not in accord with the facts. My analogy for a p/p registration would not be a tractor trailer licence, it would be a small car with tinted windows. Stephanie On Mar 1, 2014, at 3:52 PM, Williams, Todd <Todd.Williams@turner.com <mailto:Todd.Williams@turner.com>> wrote:
I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one:
Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations.
To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test.
Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side.
Todd ------------------------------------------------------------------------ *From:* gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org> <gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org>> on behalf of James M. Bladel <jbladel@godaddy.com <mailto:jbladel@godaddy.com>> *Sent:* Saturday, March 1, 2014 6:30:35 AM *To:* Tim Ruiz *Cc:* PPSAI *Subject:* Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services.
Thanks--
J.
Sent from my iPad
On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com <mailto:jbladel@godaddy.com>> wrote:
In just one sentence, Tim has captured the essence of the problem. Which isn't about determining the "right" answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access.
Here's something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management.
In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn't the case.
Thanks---
J.
From: Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com <mailto:tim@godaddy.com>> wrote:
It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
> ..which seems to me all about risk management on part of > the provider. Its the results that matter. > > So, for all the possible permutations, in line with > those enumerated by Volker, might it not be more useful > to refer 'verified credentials' as a requirement on the > provider, allow them to accept the business risk and > leave it to them to decide how to do it.......and, > inherently, the risks acceptable to them for > provisioning the service? > > -Carlton > > > ============================== > Carlton A Samuels > Mobile: 876-818-1799 <tel:876-818-1799> > /Strategy, Planning, Governance, Assessment & Turnaround/ > ============================= > > > On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann > <vgreimann@key-systems.net > <mailto:vgreimann@key-systems.net>> wrote: > > Hi John, > > I am having a bit of a hard time understanding your > point here. > > You are describing three different cases here, two > of which will not benefit from verification in the > least bit and one might, but only in some cases: > > a) The data is accurate, but stolen: Here > verification would not uncover any issues with the > data as it is essentially correct and will most > likely be identified as accurate. > b) The data is false: Here, depending on the methods > used, the inaccuracy may be uncovered and would lead > to an automated request to provide updated data or > deactivation after a set time. Remember, in order to > keep providing services in a sensible manner, this > needs to be automated in some form, i.e. no > individual record would likely see any manual review. > c) The data is already accurate: If the data is > already correct, what purpose does verification > fulfill? The data cannot become more accurate. > Verification in this case seems like an exercise in > self-gratification. > > That said, even if there is a benefit to be derived > from verification, such benefits are achieved once > verification concludes. Re-verification of already > verified data fulfills no purpose whatsoever. So if > a set of data has already been verified by the > registrar, there is no need for the p/p provider to > again verify the same data. Only if no verification > is or can be performed on the registrar level does > verification by providers come into play. > > Volker > > Am 28.02.2014 00:32, schrieb John Horton: >> Thanks, Marika. I also wanted to provide a comment >> pertaining to Question 2 in the attachments >> (relating to periodic checks). >> >> In a few of the recent discussions, there's been >> some reference to criminals always or nearly always >> being untruthful in their Whois records (even if >> privacy-protected), leading to the conclusion that >> there is little purpose in having a registrar or >> any third party have to verify or re-verify the >> information (especially if it is difficult to prove >> that the data is falsified). I wanted to share our >> experience and observations on that point, in the >> hope that it's relevant to future discussion >> regarding Question 2. >> >> Our consistent observation has been that when it >> comes to a particular sub-category of criminal >> activity, spam, phishing, malware, and so forth, >> it's probably safe to say that that statement is >> true -- the registrant's Whois information is >> nearly always inaccurate. Even in cases, such as >> some where we've worked with law enforcement, when >> the Whois record for a domain name involved in >> spam, phishing or malware is privacy-protected and >> is subsequently unmasked, the Whois record is still >> not accurate behind the privacy curtain. There are >> probably exceptions, but that's what we've seen >> well over 95% of the time. On occasion, it's a real >> address and phone number, just not one genuinely >> connected to the registrant. >> >> But there are other types of criminal activity >> where the Whois record is not so regularly >> obfuscated. For example, we investigate a lot of >> websites selling tainted dietary supplements that >> end up containing some toxin or adulterant that >> harms people. In those cases, we've overwhelmingly >> seen that even if the Whois record is >> privacy-protected, the trend is that the underlying >> Whois record is accurate. The same has been true >> for illegal or counterfeit medical device websites >> that we've researched. On illegal Internet >> pharmacies not engaged in spam, it's probably >> 50-50. (It might be a shell corporation, but that's >> still valuable information.) >> >> One important point to consider is that the Whois >> registration can be relevant information from a >> banking perspective for commercial entities. That >> is, some banks are going to look at an online >> merchant's domain name registration record and if >> it's either inaccurate or protected, they may >> require disclosure, or ask about any discrepancy, >> which can be an incentive for criminals selling >> products online who nevertheless want to get paid >> via credit card to have an accurate Whois. Hackers, >> malware providers and spammers will find a way >> around that, but they don't necessarily constitute >> "most" criminal activity. >> >> The point here is, I think verification can still >> be a useful and necessary tool in either scenario, >> even if it doesn't uncover useful information a >> portion of the time. I realize that only pertains >> to a portion of the issues related to Question 2, >> but I hope that our observations on that are relevant. >> >> Thanks, >> >> John Horton >> President, LegitScript >> >> >> *FollowLegitScript*: LinkedIn >> <http://www.linkedin.com/company/legitscript-com> | >> Facebook <https://www.facebook.com/LegitScript> | >> Twitter <https://twitter.com/legitscript> | YouTube >> <https://www.youtube.com/user/LegitScript> | _Blog >> <http://blog.legitscript.com/>_ |Google+ >> <https://plus.google.com/112436813474708014933/posts> >> >> >> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings >> <marika.konings@icann.org >> <mailto:marika.konings@icann.org>> wrote: >> >> Dear All, >> >> Following our call yesterday, please find >> attached the updated templates for Category B >> -- questions 1 & 2. Please review these >> templates to make sure the WG discussions have >> been accurately reflected and feel free to >> share any comments / edits you may have with >> the mailing list. We've created a page on the >> wiki where we'll post the templates that have >> been finalised for now (noting that for some of >> these the WG will need to come back to the >> template at a later date), see >> https://community.icann.org/x/ihLRAg. >> >> The WG will continue its deliberations on >> Category B -- Question 2 next week. Some of the >> questions that came up during the conversation >> yesterday and which you are encouraged to share >> your views on (and/or add additional questions >> that need to be considered in this context) are: >> >> * What would be the arguments for not using >> the same standards / requirements for >> validation and verification as per the 2013 >> RAA? >> * Should there be a requirement for >> re-verification, and if so, what instances >> would trigger such re-verification? >> * In case of affliction between the P/P >> service and the registrar, if the >> registration information has already been >> verified by the registrar, should this >> exempt the P/P provider from doing so? >> * Should the same requirements apply to >> privacy and proxy services or is there a >> reason to distinguish between the two? >> >> Best regards, >> >> Marika >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org >> <mailto:Gnso-ppsai-pdp-wg@icann.org> >> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg >> >> >> >> >> _______________________________________________ >> Gnso-ppsai-pdp-wg mailing list >> Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > -- > Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. > > Mit freundlichen Grüßen, > > Volker A. Greimann > - Rechtsabteilung - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> > Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> > Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> > > Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/> > > Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: > www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>www.twitter.com/key_systems <http://www.twitter.com/key_systems> > > Geschäftsführer: Alexander Siffrin > Handelsregister Nr.: HR B 18835 - Saarbruecken > Umsatzsteuer ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu <http://www.keydrive.lu/> > > Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. > > -------------------------------------------- > > Should you have any further questions, please do not hesitate to contact us. > > Best regards, > > Volker A. Greimann > - legal department - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> > Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> > Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> > > Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.rrpproxy.net/>www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.brandshelter.com/> > > Follow us on Twitter or join our fan community on Facebook and stay updated: > www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>www.twitter.com/key_systems <http://www.twitter.com/key_systems> > > CEO: Alexander Siffrin > Registration No.: HR B 18835 - Saarbruecken > V.A.T. ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu <http://www.keydrive.lu/> > > This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. > > > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg > > > _______________________________________________ > Gnso-ppsai-pdp-wg mailing list > Gnso-ppsai-pdp-wg@icann.org > <mailto:Gnso-ppsai-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Thanks Stephanie. To first respond to Michele's point in the attached: as I mentioned below, I don't think the argument depends on there being anything "inherently suspicious" or "nefarious" about P/P services or their users (any more so than tractor-trailers or their drivers are "inherently suspicious"), simply a recognition of the risks posed. Which then gets to your bigger point Stephanie that the "fundamental disagreement" between the "2013 RAA" camp and the "more" camp (as referenced below) is as to this question: whether there is in fact more "risk posed" by P/P services. But there are different ways to assess the "risk posed", right? One is to ask: "Is the risk higher that users of P/P services will engage in abusive behavior?" I think that is what you are referring to when you say that we have a fundamental disagreement with rival studies. But I also think that we can put that disagreement to the side for now, because I don't think we need to get that far when assessing the "risk posed." Rather, I think there is a second question that we should also ask when assessing the "risk posed" by P/P services, which is this: "Once a user of a P/P service does engage in abusive behavior (however frequently or infrequently that happens), will the fact that they are using a P/P service increase the risk that such abuse will not be successfully addressed/corrected/stopped, etc.?" The answer to this second question has to be yes, for the reason that Steve mentioned in our last call: the P/P service introduces at least some element of delay to the enforcement process. I suppose that we can debate the magnitude of the risk posed by that delay, and I suppose that it will also be related to the parameters that we put in place for relay/reveal etc. procedures down the road. But the magnitude is not zero. From: Stephanie Perrin [mailto:stephanie.perrin@mail.utoronto.ca] Sent: Saturday, March 01, 2014 4:29 PM To: Williams, Todd Cc: James M. Bladel; Tim Ruiz; PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 I don't think we agree that there is more risk with P/P services, which is kind of a fundamental disagreement. We even have rival studies backing us up. As to the analogies, they are useful but limited, as they can capture our imaginations in ways which are not in accord with the facts. My analogy for a p/p registration would not be a tractor trailer licence, it would be a small car with tinted windows. Stephanie On Mar 1, 2014, at 3:52 PM, Williams, Todd <Todd.Williams@turner.com<mailto:Todd.Williams@turner.com>> wrote: I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one: Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations. To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test. Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side. Todd ________________________________ From: gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org> <gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org>> on behalf of James M. Bladel <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> Sent: Saturday, March 1, 2014 6:30:35 AM To: Tim Ruiz Cc: PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services. Thanks-- J. Sent from my iPad On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: In just one sentence, Tim has captured the essence of the problem. Which isn't about determining the "right" answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access. Here's something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management. In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn't the case. Thanks- J. From: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript [Description: Image removed by sender.] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript [Description: Image removed by sender.] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [Description: Image removed by sender.] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Regarding you last assumption, actually I believe that there is a delay is debatable. It is just that the process is different. But even if we give you that argument (and I'm not), the fact that there are more successful and consistent results when a problem involves a p/p service cancels out the perceived delay. This is based on my experience with DBP. Tim On Mar 3, 2014, at 10:21 AM, "Williams, Todd" <Todd.Williams@turner.com<mailto:Todd.Williams@turner.com>> wrote: Thanks Stephanie. To first respond to Michele’s point in the attached: as I mentioned below, I don’t think the argument depends on there being anything “inherently suspicious” or “nefarious” about P/P services or their users (any more so than tractor-trailers or their drivers are “inherently suspicious”), simply a recognition of the risks posed. Which then gets to your bigger point Stephanie that the “fundamental disagreement” between the “2013 RAA” camp and the “more” camp (as referenced below) is as to this question: whether there is in fact more “risk posed” by P/P services. But there are different ways to assess the “risk posed”, right? One is to ask: “Is the risk higher that users of P/P services will engage in abusive behavior?” I think that is what you are referring to when you say that we have a fundamental disagreement with rival studies. But I also think that we can put that disagreement to the side for now, because I don’t think we need to get that far when assessing the “risk posed.” Rather, I think there is a second question that we should also ask when assessing the “risk posed” by P/P services, which is this: “Once a user of a P/P service does engage in abusive behavior (however frequently or infrequently that happens), will the fact that they are using a P/P service increase the risk that such abuse will not be successfully addressed/corrected/stopped, etc.?” The answer to this second question has to be yes, for the reason that Steve mentioned in our last call: the P/P service introduces at least some element of delay to the enforcement process. I suppose that we can debate the magnitude of the risk posed by that delay, and I suppose that it will also be related to the parameters that we put in place for relay/reveal etc. procedures down the road. But the magnitude is not zero. From: Stephanie Perrin [mailto:stephanie.perrin@mail.utoronto.ca] Sent: Saturday, March 01, 2014 4:29 PM To: Williams, Todd Cc: James M. Bladel; Tim Ruiz; PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 I don’t think we agree that there is more risk with P/P services, which is kind of a fundamental disagreement. We even have rival studies backing us up. As to the analogies, they are useful but limited, as they can capture our imaginations in ways which are not in accord with the facts. My analogy for a p/p registration would not be a tractor trailer licence, it would be a small car with tinted windows. Stephanie On Mar 1, 2014, at 3:52 PM, Williams, Todd <Todd.Williams@turner.com<mailto:Todd.Williams@turner.com>> wrote: I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one: Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations. To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test. Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side. Todd ________________________________ From: gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org> <gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org>> on behalf of James M. Bladel <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> Sent: Saturday, March 1, 2014 6:30:35 AM To: Tim Ruiz Cc: PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services. Thanks-- J. Sent from my iPad On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com<mailto:jbladel@godaddy.com>> wrote: In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access. Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management. In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case. Thanks— J. From: Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess. Tim On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote: Hi all, Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services. In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important. One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities. As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name. Thanks, John Horton President, LegitScript <image001.jpg> Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com<mailto:tim@godaddy.com>> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few. Tim On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote: Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable. Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate"). John Horton President, LegitScript <image001.jpg> Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin On 2014-02-28, at 12:29 PM, Carlton Samuels wrote: ..which seems to me all about risk management on part of the provider. Its the results that matter. So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service? -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799<tel:876-818-1799> Strategy, Planning, Governance, Assessment & Turnaround ============================= On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript <image001.jpg> Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com/> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.: +49 (0) 6894 - 9396 851<tel:%2B49%20%280%29%206894%20-%209396%20851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg <RE [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2>
THanks for this response. Re your last line, In all risk assessment, the first thing we must do is accept that we live in a world of risk. Getting to Zero risk means being dead. Re your second last line, we do have to quantify the magnitude of risk increased by delay, or new risks created by delay. Otherwise, delay could be still ok. So the operative questions are, how big is the risk? HOw likely is it? What is the impact? HOw is it sensitive to time ( ie does it compound)? can I tolerate it or do I have to transfer it? Are there reasonable mitigations that I can afford? Can I get somebody else to mitigate my risk, preferably at no cost to myself? What I see is going on here, from my position of very limited knowledge of the day to day life of registrars, but a slightly larger experience of risk management (Michele will back me up here when I say I am not actually this modest, but for the purposes of this list I am trying to be well behaved, albeit overly talkative)....IS that we are asking registrars and proxy/privacy service providers to mitigate a few risks for other stakeholders. I don't find that fair, unless it can be proven that it is the most cost effective way to mitigate a risk that all stakeholders recognize exists at a high enough level to warrant significant cost and effort. Since we in NCSG purport to speak for civil society and the common person, that means there has to be a risk to them, as far as I am concerned, before new costs and risks start coming their way. I dont think the case has been made that the risk is high enough, or cannot be better mitigated other ways, and I think the registrars and p/p providers have made an eloquent case that loading the verification and the policing function on them is a workload out of scale with the purported benefits. I also guess it will drive new risks, worse than the old ones, as malfeasant actors adjust to new constraints. Put more concisely: the risk is that people do bad things when they get a domain name. That risk cannot be mitigated by demanding verification of ID, it drives ID theft. It cannot be mitigated by reveal requests, response would likely be more spurious reveal requests, or revelation of bad data, or good data that still wont get you a warrant. Worst case scenario risks (my personal fav is trafficking of women from websites) are much better treated through standard traffic analysis techniques, or tackling the ISPs. (in the case of trafficking women, forget the domain registration data and follow the Johns). Doubtless my views are still very uninformed but I have not seen evidence to change my mind yet....we need, I think, a comprehensive risk assessment where we list and evaluate all the risks. That would help a lot. cheers SP On 2014-03-03, at 10:20 AM, Williams, Todd wrote:
Thanks Stephanie. To first respond to Michele’s point in the attached: as I mentioned below, I don’t think the argument depends on there being anything “inherently suspicious” or “nefarious” about P/P services or their users (any more so than tractor-trailers or their drivers are “inherently suspicious”), simply a recognition of the risks posed.
Which then gets to your bigger point Stephanie that the “fundamental disagreement” between the “2013 RAA” camp and the “more” camp (as referenced below) is as to this question: whether there is in fact more “risk posed” by P/P services. But there are different ways to assess the “risk posed”, right? One is to ask: “Is the risk higher that users of P/P services will engage in abusive behavior?” I think that is what you are referring to when you say that we have a fundamental disagreement with rival studies. But I also think that we can put that disagreement to the side for now, because I don’t think we need to get that far when assessing the “risk posed.”
Rather, I think there is a second question that we should also ask when assessing the “risk posed” by P/P services, which is this: “Once a user of a P/P service does engage in abusive behavior (however frequently or infrequently that happens), will the fact that they are using a P/P service increase the risk that such abuse will not be successfully addressed/corrected/stopped, etc.?” The answer to this second question has to be yes, for the reason that Steve mentioned in our last call: the P/P service introduces at least some element of delay to the enforcement process. I suppose that we can debate the magnitude of the risk posed by that delay, and I suppose that it will also be related to the parameters that we put in place for relay/reveal etc. procedures down the road. But the magnitude is not zero.
From: Stephanie Perrin [mailto:stephanie.perrin@mail.utoronto.ca] Sent: Saturday, March 01, 2014 4:29 PM To: Williams, Todd Cc: James M. Bladel; Tim Ruiz; PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
I don’t think we agree that there is more risk with P/P services, which is kind of a fundamental disagreement. We even have rival studies backing us up. As to the analogies, they are useful but limited, as they can capture our imaginations in ways which are not in accord with the facts. My analogy for a p/p registration would not be a tractor trailer licence, it would be a small car with tinted windows. Stephanie On Mar 1, 2014, at 3:52 PM, Williams, Todd <Todd.Williams@turner.com> wrote:
I agree with James that using analogies/illustrations can be helpful to frame issues in these discussions, and I think his airport illustration does a nice job of that. But I would offer a different one:
Couldn't we say that registering a "standard" domain (without a P/P service) is to using a P/P service as driving a car is to driving a tractor-trailer? Everybody recognizes that there is a baseline floor of verification that should be required before you can get a driver's license. But everybody also recognizes that because the potential risk from "bad" tractor-trailer drivers is greater than that of "bad" car drivers (I'm leaving "bad" undefined here intentionally, because it doesn't matter whether it's abusive/malicious/incompetent, etc.), some EXTRA level of verification is needed before you can get a license to drive a tractor-trailer. In other words, nobody would argue that the same test should be used to get a standard driver's license as to get a license to drive tractor-trailers, because the latter by definition carries more risk. So too with "standard" domain registrations vs. P/P registrations.
To James's last point: note that the analogy doesn't depend on there being anything "inherently suspicious" about tractor-trailer drivers (in the normative sense); simply a recognition that what they are doing poses higher risks for the roadways. Note too that it wouldn't be much of an argument to say that because the extra verification required of tractor-trailer drivers wouldn't always catch "bad" drivers ahead-of-time, we should instead simply rely on the standard driver's license test.
Of course, this doesn't address just how far beyond the 2013 RAA floor our verification/re-verification requirements should go, or what additional measures would or wouldn't be effective. This is just to say that if the choice we're wrestling with now is between the 2013 RAA vs. "more" (however "more" is defined), I don't understand the argument on the 2013 RAA side.
Todd From: gnso-ppsai-pdp-wg-bounces@icann.org <gnso-ppsai-pdp-wg-bounces@icann.org> on behalf of James M. Bladel <jbladel@godaddy.com> Sent: Saturday, March 1, 2014 6:30:35 AM To: Tim Ruiz Cc: PPSAI Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
So my last sentence doesn't make much sense, unless I substitute "it" with the idea of having differing verification/validation standards for Registrars and PP services.
Thanks--
J.
Sent from my iPad
On Mar 1, 2014, at 9:35, "James M. Bladel" <jbladel@godaddy.com> wrote:
In just one sentence, Tim has captured the essence of the problem. Which isn’t about determining the “right” answer, but attempting to strike a balance between security vs. ease of use and barriers to legitimate access.
Here’s something we can all relate to: Back in 2001, some jerk tried to blow up a plane with his shoe. As a result, now 650 million passengers have to remove their shoes before boarding an airplane in the US. Is this reasonable? As a society, we have determined that it is, but would we feel the same if it was something more, like a full body search? Probably not. Our privacy service routinely investigates and suspends perhaps a thousand domain names in a year. Sounds like a lot, and it certainly keeps the Abuse team busy, but ultimately represents a tiny fraction of the tens of millions of domain names under management.
In any event, I see no compelling reason why the verification requirements for a PP service should be any different than those of a registrar. First, as I believe some in this thread have pointed out, it would allow the service to leverage code, personnel, & processes developed by the affiliated registrar. And it creates a perception that there is something inherently suspicious about subscribing to a PP service, or wanting the equivalent of an unlisted phone number, which simply isn’t the case.
Thanks—
J.
From: Tim Ruiz <tim@godaddy.com> Date: Friday, February 28, 2014 at 21:39 To: John Horton <john.horton@legitscript.com> Cc: PPSAI <gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
So to make your invsetigation of 150 cases easier (which I question in any event) millions of users are needlessly hassled. Makes perfect sense in today's world I guess.
Tim
On Feb 28, 2014, at 5:32 PM, "John Horton" <john.horton@legitscript.com> wrote:
Hi all,
Verification and re-verification of registration data would be enormously useful and important in identifying, mapping and deterring malfeasance. Just to share our background to put our comments in context, we've assisted in over 150 drug or supplement investigations by conducting cybercrime research, and each project typically involved research into dozens, hundreds or even thousands of Whois records plus corresponding IP/NS/MX etc. information. There are numerous instances in which either 1) the accurate Whois data (including, accurate data behind a Whois privacy/proxy service) "broke open" the case, or 2) submitting a WDRPS complaint in instances where we could show that the Whois data was inaccurate resulted in modified Whois information that then "broke open" the case, either by virtue of the modified Whois information itself, or from derivative information (e.g., additional reverse queries on Whois, name server, IP address or other records). Keep in mind too that sometimes showing that the Whois record is falsified results in the suspension of the domain name, which also has the effect of stopping the harmful use of that particular domain name. Verification would result in some instances of inaccurate registration data becoming accurate, or alternatively, of discontinuing registration services.
In the interests of brevity, I hope that summary is enough explanation, but if anyone still doesn't understand how (or agree that) verified registration data -- or by extension, verification and some sort of periodic re-verification -- is useful, I'm happy to provide a couple of real life examples of investigations we've worked on where either the a) accuracy of the Whois record or b) response to the inaccuracy finding was extremely useful, although I'll modify the domain names. Again, I'm happy to provide real-life examples, with redacted information. It's not just occasionally or mildly useful. It's enormously important.
One additional point: keep in mind that when researching criminal networks, there are typically multiple (hundreds or even thousands) of domain names at play, and even if -- as Tim pointed out -- the verified email and phone number have nothing to do with the person's real identity, good cybercrime research across the thousands of Whois records can often result in derivative information pointing to the real identity of the criminal entities.
As to the point that the domain name isn't harmful but the content may be, I suspect that there are minds that won't be changed in this group on both sides of that argument. :) But, I'd point out that that train has left the station, so to speak: Section 3.18 of the 2013 RAA clearly contemplates harmful use of a domain name.
Thanks,
John Horton President, LegitScript <image001.jpg>
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 12:36 PM, Tim Ruiz <tim@godaddy.com> wrote: It doesn't. I can use perfectly good information, including a verifiable phone number and email address, that has nothing to do with who I really am. As we have tried to argue before, unsuccessfully, is that all verification does is push the "miscreants" to be better at obfiscating who they are (and it just isn't that hard). As you said, it only results in making it difficult for everyone for the acts of a few.
Tim
On Feb 28, 2014, at 2:07 PM, "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca> wrote:
My apologies I totally mis-read that. So how does verification catch that then? On 2014-02-28, at 1:52 PM, John Horton wrote:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is inaccurate (not "accurate").
John Horton President, LegitScript <image001.jpg>
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote: I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net> wrote: Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript <image001.jpg>
Follow LegitScript: LinkedIn | Facebook | Twitter | YouTube | Blog | Google+
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org> wrote: Dear All,
Following our call yesterday, please find attached the updated templates for Category B – questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B – Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
<RE [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2.eml>
Well, tracing the IP and contacting the hosting provider would be one way of getting to the responsible party. Volker Am 28.02.2014 19:52, schrieb John Horton:
Well, because absent an accurate Whois record, it can be difficult to know who to hold accountable.
Stephanie, to clarify: I was saying that 95% of Whois data in a certain sub-category of criminal or miscreant behavior (spam, malware, phishing) is _inaccurate_ (not "accurate").
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Fri, Feb 28, 2014 at 9:44 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it is all about risk...but what risk are we really talking about? I dont understand why a P/P provider should be forced to take on more risk than other registrars. Further,why should the registrar be accountable for verified data, once the original data verification is done. If John is correct and in 95% of cases the data from the P/P service provider was proven accurate, then how does any amount of data verification solve the problem? The accountability for miscreant behaviour of all kinds rests with the domain name user. IF the data is inaccurate, ramp up the penalties if it can be shown that the data was rendered inaccurate for the purposes of fraudulent activity. At the risk of sounding overly philosophical, It seems to me that the Internet ecosystem is somehow being held to account for the actions of individuals. It is the individuals that should be held to account. Not the domain name, or the company that issued it. Particularly, I think that if products sold are tainted, then there is plenty of other consumer protection law that applies...why are we trying to solve that problem? Cheers Stephanie perrin
On 2014-02-28, at 12:29 PM, Carlton Samuels wrote:
..which seems to me all about risk management on part of the provider. Its the results that matter.
So, for all the possible permutations, in line with those enumerated by Volker, might it not be more useful to refer 'verified credentials' as a requirement on the provider, allow them to accept the business risk and leave it to them to decide how to do it.......and, inherently, the risks acceptable to them for provisioning the service?
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 <tel:876-818-1799> /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
On Fri, Feb 28, 2014 at 6:29 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com/>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B -- questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B -- Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
* What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net/> /www.RRPproxy.net <http://www.RRPproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> /www.BrandShelter.com <http://www.BrandShelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Hi Volker, Sure, happy to clarify, and also provide a few comments in response to yours. I think re-verification actually does serve a purpose. One of the questions before the group is whether "ICANN-accredited privacy/proxy service providers (should) be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?" There has been some argument that criminals always falsify their Whois information, and therefore re-verification in general is pointless because criminals would lie anyway. My first point is that that isn't true: rather, it depends on the type of criminal activity in question. So, to the extent that's being used as an argument against re-verification (or, for that matter, against verification), it shouldn't be. My second point is that there is value in re-verification or periodic checks. Let me offer some thoughts on the value of re-verification at some intervals. - First -- and certainly let me know if I'm wrong on this, since I think you helped negotiate the 2013 RAA and surely are more familiar with it than I am! -- I think it's fair to say that the Registrar's verification requirement as specified in the *Whois Accuracy Program Specification <http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy>*doesn't constitute comprehensive verification of all fields. That is, most of the verification requirements pertain to the format of the data, with additional verification that the email and telephone numbers are responsive correlated with the registrant. One of the questions before the group is whether P/P entities should engage in the same level of verification, or some different level. Reasonable minds can differ on this, but some members of this group have suggested an additional level of verification. - Second, addresses can change over time: people and businesses move, and they may forget to update their registration data. Re-verification serves to highlight cases where the contact information has changed and, even if not malicious, is no longer accurate. (So, although data can't become "more accurate" as you point out, it can certainly become "more inaccurate" over time.) - Third, I would also assume (as you do) that verification and re-verification will need to be heavily automated, and to the extent that external data sets (for example, here in the US, postal data) are used to help highlight -- for example -- non-existent addresses or inaccurate correlations, those external data sets are likely being improved or updated over time. So, if errors or inaccurate data aren't caught in the first round, re-verification may catch them simply due to the verification tools being improved, or the underlying data being updated, over time. - Fourth, in an ideal world, the verification process used by Registrars would catch 100% of inaccuracies, but that probably won't be the real-world result. Additional and periodic re-verification by P/P providers provides another layer of assurance. - Fifth, as to the problem of inaccurate correlations with real data (what you correctly refer to as "the data is accurate, but stolen") I would concur that this might present more of a challenge, but I don't think I'd agree that the inaccurate correlation wouldn't ever be uncovered, depending upon the verification algorithm and approach. We actually do look for this in our ongoing monitoring and have seen instances of inaccurate correlations but with real data. I think that those are some arguments in favor of why re-verification by the P/P provider has merit at periodic intervals. I think there's a reasonable question of whether the Registrar's verification of the email and phone number should be sufficient for those portions of the P/P service provider's verification process within a limited time frame after the Registrar's verification occurs. (Perhaps that eliminates some redundancy.) John Horton President, LegitScript *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts> On Fri, Feb 28, 2014 at 3:29 AM, Volker Greimann <vgreimann@key-systems.net>wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | *Blog <http://blog.legitscript.com>* | Google+<https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org>wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
- What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? - Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? - In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? - Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi John,
Sure, happy to clarify, and also provide a few comments in response to yours. I think re-verification actually does serve a purpose.
One of the questions before the group is whether "ICANN-accredited privacy/proxy service providers (should) be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?" There has been some argument that criminals always falsify their Whois information, and therefore re-verification in general is pointless because criminals would lie anyway. My first point is that that isn't true: rather, it depends on the type of criminal activity in question. So, to the extent that's being used as an argument against re-verification (or, for that matter, against verification), it shouldn't be. This may very well be the case but I do not follow how re-verification of already verified data will help anyone. The result will in all likelyhood be the same.
My second point is that there is value in re-verification or periodic checks. Let me offer some thoughts on the value of re-verification at some intervals.
* First -- and certainly let me know if I'm wrong on this, since I think you helped negotiate the 2013 RAA and surely are more familiar with it than I am! -- I think it's fair to say that the Registrar's verification requirement as specified in the *Whois Accuracy Program Specification <http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy>* doesn't constitute comprehensive verification of all fields. That is, most of the verification requirements pertain to the format of the data, with additional verification that the email and telephone numbers are responsive correlated with the registrant. One of the questions before the group is whether P/P entities should engage in the same level of verification, or some different level. Reasonable minds can differ on this, but some members of this group have suggested an additional level of verification.
First of all, it is: email _or_ telephone! This mistake is often made when quoting the obligation, so I feel I have to correct it to prevent this from spreading. ;-). Second, there is no real difference between the underlying data of the registrant with a p/p service and the public data with a registrar. If anything the quality of the hidden data is usually better than the public data. I fail to see why it would need to be treated differently.
* Second, addresses can change over time: people and businesses move, and they may forget to update their registration data. Re-verification serves to highlight cases where the contact information has changed and, even if not malicious, is no longer accurate. (So, although data can't become "more accurate" as you point out, it can certainly become "more inaccurate" over time.)
Not updating outdated data is a violation of the registration agreement and can lead to the suspension or deletion of the domain name. For this reason, registrars are required to inform registrants annually about the data they have on file and request the data is checked. And I would suggest that enforcement of such "outdated whois" violations usually hits legitimate registrants more than illegitimate ones.
* Third, I would also assume (as you do) that verification and re-verification will need to be heavily automated, and to the extent that external data sets (for example, here in the US, postal data) are used to help highlight -- for example -- non-existent addresses or inaccurate correlations, those external data sets are likely being improved or updated over time. So, if errors or inaccurate data aren't caught in the first round, re-verification may catch them simply due to the verification tools being improved, or the underlying data being updated, over time.
Currently, all that is required under the RAA is sanity checks of address data (is the format correct) and trigger-response verification of either email or phone address. ICANN has not provided access to any international database that could be used for data checks. But even then, such checks would not ever be able to differentiate between stolen data and accurate data.
* Fourth, in an ideal world, the verification process used by Registrars would catch 100% of inaccuracies, but that probably won't be the real-world result. Additional and periodic re-verification by P/P providers provides another layer of assurance.
Actually, the checks that return false positives worry me more, because those cause real work, customer confusion, etc. Any "solution" resulting in a significant amount of false positives is simply unacceptable.
* Fifth, as to the problem of inaccurate correlations with real data (what you correctly refer to as "the data is accurate, but stolen") I would concur that this might present more of a challenge, but I don't think I'd agree that the inaccurate correlation wouldn't ever be uncovered, depending upon the verification algorithm and approach. We actually do look for this in our ongoing monitoring and have seen instances of inaccurate correlations but with real data.
The only way it can be uncovered it the good old "hey, what is my data doing there" complaint (and we get one of those from time to time). And that requires no verification whatsoever, that only requires someone googling his name and finding the whois record.
I think that those are some arguments in favor of why re-verification by the P/P provider has merit at periodic intervals. I think there's a reasonable question of whether the Registrar's verification of the email and phone number should be sufficient for those portions of the P/P service provider's verification process within a limited time frame after the Registrar's verification occurs. (Perhaps that eliminates some redundancy.)
I do not follow these arguments. Re-verification will just add costs, confusion and annoyance to an already cumbersome process and will bring no benefits. Please note that I am specifically excluding from the term re-verification those cases where the registrar is compelled to recheck because of notifications or positive knowledge of incorrect or outdated data. Volker
On Fri, Feb 28, 2014 at 3:29 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi John,
I am having a bit of a hard time understanding your point here.
You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases:
a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification.
That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play.
Volker
Am 28.02.2014 00:32, schrieb John Horton:
Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks).
In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2.
Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant.
But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.)
One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity.
The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant.
Thanks,
John Horton President, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | YouTube <https://www.youtube.com/user/LegitScript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>
On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
Dear All,
Following our call yesterday, please find attached the updated templates for Category B -- questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg.
The WG will continue its deliberations on Category B -- Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are:
* What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two?
Best regards,
Marika
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
We have to bear in mind that we are working on an accreditation process that would be applicable both to p/p service providers that are alter egos for registrars, and those that are not. In the former case, the assertion that "if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data" may be relevant. In the latter case, it is not. Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. There are other issues going to the degree of verification of registrant data that is required under the RAA, but my point here is that even if the registrar's data verification obligations are to be used as the model for the verification obligations of the p/p service provider, they don't all map from one context to the other. Steve Metalitz From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 28, 2014 6:29 AM To: gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi John, I am having a bit of a hard time understanding your point here. You are describing three different cases here, two of which will not benefit from verification in the least bit and one might, but only in some cases: a) The data is accurate, but stolen: Here verification would not uncover any issues with the data as it is essentially correct and will most likely be identified as accurate. b) The data is false: Here, depending on the methods used, the inaccuracy may be uncovered and would lead to an automated request to provide updated data or deactivation after a set time. Remember, in order to keep providing services in a sensible manner, this needs to be automated in some form, i.e. no individual record would likely see any manual review. c) The data is already accurate: If the data is already correct, what purpose does verification fulfill? The data cannot become more accurate. Verification in this case seems like an exercise in self-gratification. That said, even if there is a benefit to be derived from verification, such benefits are achieved once verification concludes. Re-verification of already verified data fulfills no purpose whatsoever. So if a set of data has already been verified by the registrar, there is no need for the p/p provider to again verify the same data. Only if no verification is or can be performed on the registrar level does verification by providers come into play. Volker Am 28.02.2014 00:32, schrieb John Horton: Thanks, Marika. I also wanted to provide a comment pertaining to Question 2 in the attachments (relating to periodic checks). In a few of the recent discussions, there's been some reference to criminals always or nearly always being untruthful in their Whois records (even if privacy-protected), leading to the conclusion that there is little purpose in having a registrar or any third party have to verify or re-verify the information (especially if it is difficult to prove that the data is falsified). I wanted to share our experience and observations on that point, in the hope that it's relevant to future discussion regarding Question 2. Our consistent observation has been that when it comes to a particular sub-category of criminal activity, spam, phishing, malware, and so forth, it's probably safe to say that that statement is true -- the registrant's Whois information is nearly always inaccurate. Even in cases, such as some where we've worked with law enforcement, when the Whois record for a domain name involved in spam, phishing or malware is privacy-protected and is subsequently unmasked, the Whois record is still not accurate behind the privacy curtain. There are probably exceptions, but that's what we've seen well over 95% of the time. On occasion, it's a real address and phone number, just not one genuinely connected to the registrant. But there are other types of criminal activity where the Whois record is not so regularly obfuscated. For example, we investigate a lot of websites selling tainted dietary supplements that end up containing some toxin or adulterant that harms people. In those cases, we've overwhelmingly seen that even if the Whois record is privacy-protected, the trend is that the underlying Whois record is accurate. The same has been true for illegal or counterfeit medical device websites that we've researched. On illegal Internet pharmacies not engaged in spam, it's probably 50-50. (It might be a shell corporation, but that's still valuable information.) One important point to consider is that the Whois registration can be relevant information from a banking perspective for commercial entities. That is, some banks are going to look at an online merchant's domain name registration record and if it's either inaccurate or protected, they may require disclosure, or ask about any discrepancy, which can be an incentive for criminals selling products online who nevertheless want to get paid via credit card to have an accurate Whois. Hackers, malware providers and spammers will find a way around that, but they don't necessarily constitute "most" criminal activity. The point here is, I think verification can still be a useful and necessary tool in either scenario, even if it doesn't uncover useful information a portion of the time. I realize that only pertains to a portion of the issues related to Question 2, but I hope that our observations on that are relevant. Thanks, John Horton President, LegitScript [https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257d...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | YouTube<https://www.youtube.com/user/LegitScript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> wrote: Dear All, Following our call yesterday, please find attached the updated templates for Category B - questions 1 & 2. Please review these templates to make sure the WG discussions have been accurately reflected and feel free to share any comments / edits you may have with the mailing list. We've created a page on the wiki where we'll post the templates that have been finalised for now (noting that for some of these the WG will need to come back to the template at a later date), see https://community.icann.org/x/ihLRAg. The WG will continue its deliberations on Category B - Question 2 next week. Some of the questions that came up during the conversation yesterday and which you are encouraged to share your views on (and/or add additional questions that need to be considered in this context) are: * What would be the arguments for not using the same standards / requirements for validation and verification as per the 2013 RAA? * Should there be a requirement for re-verification, and if so, what instances would trigger such re-verification? * In case of affliction between the P/P service and the registrar, if the registration information has already been verified by the registrar, should this exempt the P/P provider from doing so? * Should the same requirements apply to privacy and proxy services or is there a reason to distinguish between the two? Best regards, Marika _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V.
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V.
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not. Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
So the reasonable option would be to only compel the p/p provider to verify those details in cases this party has not already verified them in its capacity as registrar? Whereas we don’t have a re-verification but two separate ones that can be merged to avoid redundancy. Any opposition to that? Luc On Mar 4, 2014, at 5:47, Holly Raiche <h.raiche@internode.on.net<mailto:h.raiche@internode.on.net>> wrote: I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not. Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg ________________________________ -------------------------------------------------------- This e-mail and any attached files are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail by mistake, please notify the sender immediately and delete it from your system. You must not copy the message or disclose its contents to anyone. Think of the environment: don't print this e-mail unless you really need to. --------------------------------------------------------
..the objective is 'verified' contact datum/data. Make the rule for the general case; we need not be prescriptive here. We know the RAA 2013 requirements. So in instant case, I'd define 'verified'. Then I'd avoid all of that predetermination - that 'messiness' for determining whether the p/p provider is registrar or not you'd import into this interface and, what should apply in each case - simply by making the requirement one for 'verified' contact data. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Tue, Mar 4, 2014 at 3:18 AM, Luc SEUFER <lseufer@dclgroup.eu> wrote:
So the reasonable option would be to only compel the p/p provider to verify those details in cases this party has not already verified them in its capacity as registrar?
Whereas we don't have a re-verification but two separate ones that can be merged to avoid redundancy.
Any opposition to that?
Luc
On Mar 4, 2014, at 5:47, Holly Raiche <h.raiche@internode.on.net<mailto: h.raiche@internode.on.net>> wrote:
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not.
Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto: gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
________________________________
--------------------------------------------------------
This e-mail and any attached files are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail by mistake, please notify the sender immediately and delete it from your system. You must not copy the message or disclose its contents to anyone.
Think of the environment: don't print this e-mail unless you really need to.
-------------------------------------------------------- _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Actually, the objective is validate some data points and verify one of two others. These terms have been defined in the RAA and to avoid confusion we should adopt those here. It makes no sense to re-define either term here, resulting in different definition across policies and agreements. Consistency should be an aim here as well... Volker Am 04.03.2014 19:37, schrieb Carlton Samuels:
..the objective is 'verified' contact datum/data. Make the rule for the general case; we need not be prescriptive here.
We know the RAA 2013 requirements.
So in instant case, I'd define 'verified'. Then I'd avoid all of that predetermination - that 'messiness' for determining whether the p/p provider is registrar or not you'd import into this interface and, what should apply in each case - simply by making the requirement one for 'verified' contact data.
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 /Strategy, Planning, Governance, Assessment & Turnaround/ =============================
On Tue, Mar 4, 2014 at 3:18 AM, Luc SEUFER <lseufer@dclgroup.eu <mailto:lseufer@dclgroup.eu>> wrote:
So the reasonable option would be to only compel the p/p provider to verify those details in cases this party has not already verified them in its capacity as registrar?
Whereas we don't have a re-verification but two separate ones that can be merged to avoid redundancy.
Any opposition to that?
Luc
On Mar 4, 2014, at 5:47, Holly Raiche <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net><mailto:h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>>> wrote:
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not.
Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org><mailto:gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org><mailto:Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org><mailto:Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
________________________________
--------------------------------------------------------
This e-mail and any attached files are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail by mistake, please notify the sender immediately and delete it from your system. You must not copy the message or disclose its contents to anyone.
Think of the environment: don't print this e-mail unless you really need to.
-------------------------------------------------------- _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
...when I say 'verified' I mean the result, not process. But then again my argument has always been 'avoid going into the weeds here'. Could not agree more with using definitions already established, like, for example, in the RAA 2013. That's all good for the guy who's already party to the RAA....except in the case of p/p service provisioning we would be remiss in making that assumption. The caution must be to write rules that are standalone, even if referent on RAA 2013. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Tue, Mar 4, 2014 at 3:00 PM, Volker Greimann <vgreimann@key-systems.net>wrote:
Actually, the objective is validate some data points and verify one of two others. These terms have been defined in the RAA and to avoid confusion we should adopt those here. It makes no sense to re-define either term here, resulting in different definition across policies and agreements. Consistency should be an aim here as well...
Volker
Am 04.03.2014 19:37, schrieb Carlton Samuels:
..the objective is 'verified' contact datum/data. Make the rule for the general case; we need not be prescriptive here.
We know the RAA 2013 requirements.
So in instant case, I'd define 'verified'. Then I'd avoid all of that predetermination - that 'messiness' for determining whether the p/p provider is registrar or not you'd import into this interface and, what should apply in each case - simply by making the requirement one for 'verified' contact data.
-Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Tue, Mar 4, 2014 at 3:18 AM, Luc SEUFER <lseufer@dclgroup.eu> wrote:
So the reasonable option would be to only compel the p/p provider to verify those details in cases this party has not already verified them in its capacity as registrar?
Whereas we don't have a re-verification but two separate ones that can be merged to avoid redundancy.
Any opposition to that?
Luc
On Mar 4, 2014, at 5:47, Holly Raiche <h.raiche@internode.on.net<mailto: h.raiche@internode.on.net>> wrote:
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not.
Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto: gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
________________________________
--------------------------------------------------------
This e-mail and any attached files are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail by mistake, please notify the sender immediately and delete it from your system. You must not copy the message or disclose its contents to anyone.
Think of the environment: don't print this e-mail unless you really need to.
-------------------------------------------------------- _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing listGnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUPwww.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Holly, "people should not have access to domain names without someone verifying their details"? Really? So you are saying that over 100 million domain names should not have been registered to their registrants? The status quo for 99.99% of all registrations to date is non-verification and that has worked just fine for now. Sure, there is abuse but so far I have seen no studies that show that increased verification or validation leads to less abuse. Volker Am 04.03.2014 05:47, schrieb Holly Raiche:
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not.
Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because“the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve.
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:*Monday, March 03, 2014 5:32 AM *To:*Metalitz, Steven;gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org> *Subject:*Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
If the objective of identity verification is to crack down on online abuse, then the harms involving email addresses (gmail, yahoo, etc.) would significantly outweigh those caused by domain names. But our industry appears to be an easier target, I suppose. J. From: Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> Date: Tuesday, March 4, 2014 at 3:29 To: Holly Raiche <h.raiche@internode.on.net<mailto:h.raiche@internode.on.net>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Holly, "people should not have access to domain names without someone verifying their details"? Really? So you are saying that over 100 million domain names should not have been registered to their registrants? The status quo for 99.99% of all registrations to date is non-verification and that has worked just fine for now. Sure, there is abuse but so far I have seen no studies that show that increased verification or validation leads to less abuse. Volker Am 04.03.2014 05:47, schrieb Holly Raiche: I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not. Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net>www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net>www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Actually that is true. Free email address service providers being more regulated would solve many problems. Volker Am 04.03.2014 15:19, schrieb James M. Bladel:
If the objective of identity verification is to crack down on online abuse, then the harms involving email addresses (gmail, yahoo, etc.) would significantly outweigh those caused by domain names. But our industry appears to be an easier target, I suppose.
J.
From: Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> Date: Tuesday, March 4, 2014 at 3:29 To: Holly Raiche <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>> Cc: "gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Holly,
"people should not have access to domain names without someone verifying their details"? Really?
So you are saying that over 100 million domain names should not have been registered to their registrants? The status quo for 99.99% of all registrations to date is non-verification and that has worked just fine for now. Sure, there is abuse but so far I have seen no studies that show that increased verification or validation leads to less abuse.
Volker
Am 04.03.2014 05:47, schrieb Holly Raiche:
I have to agree with Steve on this. People should not have access to a domain name without someone verifying their details - regardless of whether those details are made public or not.
Holly On 04/03/2014, at 5:51 AM, Metalitz, Steven wrote:
Thanks Volker. It is precisely because“the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve.
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:*Monday, March 03, 2014 5:32 AM *To:*Metalitz, Steven;gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org> *Subject:*Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.netwww.domaindiscount24.com /www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.netwww.domaindiscount24.com /www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Monday, March 03, 2014 5:32 AM *To:* Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy :
Hi Steven,
if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many.
Volker
Am 03.03.2014 19:51, schrieb Metalitz, Steven:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Monday, March 03, 2014 5:32 AM *To:* Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.net www.domaindiscount24.com /www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.net www.domaindiscount24.com /www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Kathy, on the Nominet study, please note the information in the updated template for Cat B question 2 that was circulated last week. (see attached). I reached out to Lesley Cowley last week and she informed me that unfortunately the study is not publicly available. However, should there be any specific questions in relation to the data on opt-out, she would be do her best to try and assist. Best regards, Marika From: Kathy Kleiman <kathy@kathykleiman.com> Date: Tuesday 4 March 2014 14:23 To: "gnso-ppsai-pdp-wg@icann.org" <gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy :
Hi Steven,
if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many.
Volker
Am 03.03.2014 19:51, schrieb Metalitz, Steven:
Thanks Volker. It is precisely because ³the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,² that there should be an independent obligation on the part of the p/p service provider to validate its customer¹s contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> / www.BrandShelter.com <http://www.BrandShelter.com>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> / www.BrandShelter.com <http://www.BrandShelter.com>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pd p-wg
Marika, Tx you for checking with Lesley! But the results of that study *were *shared with the Whois Review Team, so the idea that "it is doubtful if these claims could be independently audited or verified" is not true. It has been checked - in this field and many others. People have less incentive to mislead when they know their interests (including privacy) are protected. I'm happy to work with you on finding additional studies, and summaries of studies, but the opinion in the paper does need to be updated or removed. Tx, Kathy :
Kathy, on the Nominet study, please note the information in the updated template for Cat B question 2 that was circulated last week. (see attached). I reached out to Lesley Cowley last week and she informed me that unfortunately the study is not publicly available. However, should there be any specific questions in relation to the data on opt-out, she would be do her best to try and assist.
Best regards,
Marika
From: Kathy Kleiman <kathy@kathykleiman.com <mailto:kathy@kathykleiman.com>> Date: Tuesday 4 March 2014 14:23 To: "gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me.
As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected!
So I think we are already headed towards more accurate data... Best, Kathy :
Hi Steven,
if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many.
Volker
Am 03.03.2014 19:51, schrieb Metalitz, Steven:
Thanks Volker. It is precisely because "the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant," that there should be an independent obligation on the part of the p/p service provider to validate its customer's contact information.
Steve.
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Monday, March 03, 2014 5:32 AM *To:* Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.netwww.domaindiscount24.com /www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystemswww.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net
Web:www.key-systems.net /www.RRPproxy.netwww.domaindiscount24.com /www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystemswww.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi, First, thanks for the great discussion on weekly call this morning. The presentations were very helpful. Second, a quick yet fundamental question - prompted by a statement made by Kathy below. Does the scope of our work include *only” privacy/proxy providers affiliated with registrars? I was working under the impression that any privacy/proxy provider - affiliated or not - was in scope i.e we are the PPSAI PDP WG and not the RAPPSAI PDP WG. Thanks. Alex On Mar 4, 2014, at 5:23 AM, Kathy Kleiman <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy : Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Alex: Because ICANN cannot compel un-contracted parties to become accredited, it instead included the requirement in the 2013 RAA that registrars will only use ICANN-accredited PP services. The PP service could be affiliated with a registrar, or independent… However, if a registrar becomes aware that an un-accredited PP service was operating on its network (registering domain names for use by 3rd parties unknown to the Registrar), then they would have to take action against those names/registrants, or risk being in breach of their 2013 RAA. This is my current understanding… Thanks— J. From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Tuesday, March 4, 2014 at 16:45 To: "kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>" <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: [Gnso-ppsai-pdp-wg] Registrar affiliated p/p services? (was Re: For review - updated templates Cat B, questions 1 and 2) Hi, First, thanks for the great discussion on weekly call this morning. The presentations were very helpful. Second, a quick yet fundamental question - prompted by a statement made by Kathy below. Does the scope of our work include *only” privacy/proxy providers affiliated with registrars? I was working under the impression that any privacy/proxy provider - affiliated or not - was in scope i.e we are the PPSAI PDP WG and not the RAPPSAI PDP WG. Thanks. Alex On Mar 4, 2014, at 5:23 AM, Kathy Kleiman <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy : Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Hi Alex the WG Charter does not expressly limit the work of this WG to only P/P services provided by entities affiliated with a Registrar. Perhaps the 2013 RAA has created a bit of confusion in this respect. It requires Registrars and those of its Affiliates that offer P/P services to comply with the terms of the temporary P/P Specification (with Affiliates defined in terms of corporate control). It also requires that a Registrar's Resellers comply with the Specification until such time as ICANN establishes a P/P Accreditation Program. As such, the 2013 RAA as currently written applies to affiliated P/P services (including any distributed through a Reseller). The RAA does seem to envisage that "Among other features, the Proxy Accreditation Program [to be established by ICANN] may require that: (i) proxy and privacy registration services may only be provided in respect of domain name registrations by individuals or entities Accredited by ICANN pursuant to such Proxy Accreditation Program; and (ii) Registrar shall prohibit Resellers from knowingly accepting registrations from any provider of proxy and privacy registration services that is not Accredited by ICANN pursuant the Proxy Accreditation Program." (see Section 3.12.4 of the 2013 RAA) I hope this helps. Cheers Mary Mary Wong Senior Policy Director Internet Corporation for Assigned Names & Numbers (ICANN) Telephone: +1 603 574 4892 Email: mary.wong@icann.org * One World. One Internet. * From: "Alex_Deacon@mpaa.org" <Alex_Deacon@mpaa.org> Date: Tuesday, March 4, 2014 5:45 PM To: "kathy@kathykleiman.com" <kathy@kathykleiman.com> Cc: "gnso-ppsai-pdp-wg@icann.org" <gnso-ppsai-pdp-wg@icann.org> Subject: [Gnso-ppsai-pdp-wg] Registrar affiliated p/p services? (was Re: For review - updated templates Cat B, questions 1 and 2)
Hi,
First, thanks for the great discussion on weekly call this morning. The presentations were very helpful.
Second, a quick yet fundamental question - prompted by a statement made by Kathy below.
Does the scope of our work include *only² privacy/proxy providers affiliated with registrars? I was working under the impression that any privacy/proxy provider - affiliated or not - was in scope i.e we are the PPSAI PDP WG and not the RAPPSAI PDP WG.
Thanks. Alex
On Mar 4, 2014, at 5:23 AM, Kathy Kleiman <kathy@kathykleiman.com> wrote:
What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me.
As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected!
So I think we are already headed towards more accurate data... Best, Kathy :
Hi Steven,
if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many.
Volker
Am 03.03.2014 19:51, schrieb Metalitz, Steven:
Thanks Volker. It is precisely because ³the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,² that there should be an independent obligation on the part of the p/p service provider to validate its customer¹s contact information.
Steve.
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2
Hi Steven,
Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified.
This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA.
Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant.
V.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net <http://www.key-systems.net/> / www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> / www.BrandShelter.com <http://www.brandshelter.com/>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net <http://www.key-systems.net/> / www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com <http://www.domaindiscount24.com/> / www.BrandShelter.com <http://www.brandshelter.com/>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu/>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-ppsai- pdp-wg
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
If I understand Carlton correctly, he is saying that we, the WG, should just state what the end result is that we want - validated/verified data as per the 2013 RAA. Then leave the actual implementation - if the p/p is registrar affiliated then..., if they are not then... - to the follow on implementation process/WG. I would agree with that. Tim On Mar 4, 2014, at 6:09 PM, "Mary Wong" <mary.wong@icann.org<mailto:mary.wong@icann.org>> wrote: Hi Alex – the WG Charter does not expressly limit the work of this WG to only P/P services provided by entities affiliated with a Registrar. Perhaps the 2013 RAA has created a bit of confusion in this respect. It requires Registrars and those of its Affiliates that offer P/P services to comply with the terms of the temporary P/P Specification (with Affiliates defined in terms of corporate control). It also requires that a Registrar's Resellers comply with the Specification until such time as ICANN establishes a P/P Accreditation Program. As such, the 2013 RAA as currently written applies to affiliated P/P services (including any distributed through a Reseller). The RAA does seem to envisage that "Among other features, the Proxy Accreditation Program [to be established by ICANN] may require that: (i) proxy and privacy registration services may only be provided in respect of domain name registrations by individuals or entities Accredited by ICANN pursuant to such Proxy Accreditation Program; and (ii) Registrar shall prohibit Resellers from knowingly accepting registrations from any provider of proxy and privacy registration services that is not Accredited by ICANN pursuant the Proxy Accreditation Program." (see Section 3.12.4 of the 2013 RAA) I hope this helps. Cheers Mary Mary Wong Senior Policy Director Internet Corporation for Assigned Names & Numbers (ICANN) Telephone: +1 603 574 4892 Email: mary.wong@icann.org<mailto:mary.wong@icann.org> * One World. One Internet. * From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Tuesday, March 4, 2014 5:45 PM To: "kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>" <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: [Gnso-ppsai-pdp-wg] Registrar affiliated p/p services? (was Re: For review - updated templates Cat B, questions 1 and 2) Hi, First, thanks for the great discussion on weekly call this morning. The presentations were very helpful. Second, a quick yet fundamental question - prompted by a statement made by Kathy below. Does the scope of our work include *only” privacy/proxy providers affiliated with registrars? I was working under the impression that any privacy/proxy provider - affiliated or not - was in scope i.e we are the PPSAI PDP WG and not the RAPPSAI PDP WG. Thanks. Alex On Mar 4, 2014, at 5:23 AM, Kathy Kleiman <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy : Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Thanks Mary and James for the response. Alex On Mar 4, 2014, at 3:08 PM, Mary Wong <mary.wong@icann.org<mailto:mary.wong@icann.org>> wrote: * PGP - S/MIME Signed by an unverified key: 03/04/2014 at 03:08:34 PM Hi Alex – the WG Charter does not expressly limit the work of this WG to only P/P services provided by entities affiliated with a Registrar. Perhaps the 2013 RAA has created a bit of confusion in this respect. It requires Registrars and those of its Affiliates that offer P/P services to comply with the terms of the temporary P/P Specification (with Affiliates defined in terms of corporate control). It also requires that a Registrar's Resellers comply with the Specification until such time as ICANN establishes a P/P Accreditation Program. As such, the 2013 RAA as currently written applies to affiliated P/P services (including any distributed through a Reseller). The RAA does seem to envisage that "Among other features, the Proxy Accreditation Program [to be established by ICANN] may require that: (i) proxy and privacy registration services may only be provided in respect of domain name registrations by individuals or entities Accredited by ICANN pursuant to such Proxy Accreditation Program; and (ii) Registrar shall prohibit Resellers from knowingly accepting registrations from any provider of proxy and privacy registration services that is not Accredited by ICANN pursuant the Proxy Accreditation Program." (see Section 3.12.4 of the 2013 RAA) I hope this helps. Cheers Mary Mary Wong Senior Policy Director Internet Corporation for Assigned Names & Numbers (ICANN) Telephone: +1 603 574 4892 Email: mary.wong@icann.org<mailto:mary.wong@icann.org> * One World. One Internet. * From: "Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>" <Alex_Deacon@mpaa.org<mailto:Alex_Deacon@mpaa.org>> Date: Tuesday, March 4, 2014 5:45 PM To: "kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>" <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> Cc: "gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>" <gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org>> Subject: [Gnso-ppsai-pdp-wg] Registrar affiliated p/p services? (was Re: For review - updated templates Cat B, questions 1 and 2) Hi, First, thanks for the great discussion on weekly call this morning. The presentations were very helpful. Second, a quick yet fundamental question - prompted by a statement made by Kathy below. Does the scope of our work include *only” privacy/proxy providers affiliated with registrars? I was working under the impression that any privacy/proxy provider - affiliated or not - was in scope i.e we are the PPSAI PDP WG and not the RAPPSAI PDP WG. Thanks. Alex On Mar 4, 2014, at 5:23 AM, Kathy Kleiman <kathy@kathykleiman.com<mailto:kathy@kathykleiman.com>> wrote: What Volker writes below makes sense to me, All. Provided the agreed upon 2013 RAA review of data has been done by someone, I don't see why we should duplicate it. The scope of our WG is p/p providers affiliated with registrars -- so coordination of the review of the data, per the ICANN rules, in conjunction with the Registrar makes perfect sense to me. As does a "no-privacy penalty." What we have found (Nominet and others -- BTW no one on staff reached out to me to help dig out this study, can we do that this week?) is that when people know their data is private and protected, it is more accurate. That makes sense and complies with government advice from all corners. Even the US Federal Trade Commission says not to give out your name and phone number in a way that is open and unprotected! So I think we are already headed towards more accurate data... Best, Kathy : Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/>www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems>www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org>https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg * Mary Wong <mary.wong@icann.org<mailto:mary.wong@icann.org>> * Issuer: DigiCert Inc - Unverified * PGP Unprotected * text/plain body * PGP Unprotected _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg * PGP - S/MIME Signed by an unverified key: 03/04/2014 at 03:08:34 PM * text/plain body * text/html body * Mary Wong <mary.wong@icann.org> * Issuer: DigiCert Inc - Unverified
Agree we should seek to avoid needless duplication. I look forward to learning more about how registrars verify contact details of non-registrants e.g. Customers of p/p services. Do they have any obligation under 2013 RAA to do so ? Sent from my iPhone On Mar 4, 2014, at 4:25 AM, "Volker Greimann" <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi Steven, if we can limit that obligation to those cases where no validation of the underlying data has been performed by the registrar of record, we might be getting somewhere. An independent obligation that duplicates work already done will help no one and confuse many. Volker Am 03.03.2014 19:51, schrieb Metalitz, Steven: Thanks Volker. It is precisely because “the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant,” that there should be an independent obligation on the part of the p/p service provider to validate its customer’s contact information. Steve. From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Monday, March 03, 2014 5:32 AM To: Metalitz, Steven; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2 Hi Steven, Even when this assertion is relevant, it may not be persuasive, for a number of reasons. For example, the Whois data reminder obligation applies to the registrant of record. In the case of a proxy service, the registrant or record is the service, not its customer. If a Whois data reminder is sent to a non-proxy registrant and bounces back, then the RAA requires the registrar to re-verify. But a data reminder sent to a proxy service will almost never bounce back, and therefore there may be no RAA obligation to re-verify. This is so even if the customer data provided to the service is inaccurate or outdated. In this circumstance it is up to the p/p service accreditation standards to specify the conditions under which customer data must be re-verified. This depends on how the service is set up. One could suggest that if such required messages from the registrar do not reach the registrant, it could become the providers' obligation to perform the information requirements on its own. The registrar could then rely on the provider to perform its duties under the accreditation agreement with ICANN just at it performs its own obligations under the RAA. Please also remember that the registrars obligation only extends to the registrant of record, not to anyone who may use the domain name with permission of that registrant. V. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
participants (16)
-
Alex_Deacon@mpaa.org -
Carlton Samuels -
David Cake -
Don Blumenthal -
Holly Raiche -
James M. Bladel -
John Horton -
Kathy Kleiman -
Luc SEUFER -
Marika Konings -
Mary Wong -
Metalitz, Steven -
Stephanie Perrin -
Tim Ruiz -
Volker Greimann -
Williams, Todd