Fwd: Derek Smythe and Vittorio Bertola on Internet Fraud and the intersection with ICANN
Hereunder a very interesting exchange on Internet security and the perceptions of the discussants of ICANN's role. It at least makes for interesting reading, in my opinion.

Carlton Samuels

========================================================================
1. Re: [At-Large] Open letter to ICANN (Derek Smythe)
----------------------------------------------------------------------
Message: 1
Date: Tue, 07 Apr 2009 20:23:13 +0200
From: Derek Smythe <derek@aa419.org>
Subject: Re: [RAA-WG] [At-Large] Open letter to ICANN
To: raa-wg@atlarge-lists.icann.org
Cc: Vittorio Bertola <vb@bertola.eu>
Message-ID: <49DB9A11.1050303@aa419.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Vittorio,

I disagree and agree. Understanding what is happening here depends on the depth of understanding. Sorry, this reply is much, much longer than anticipated. I will touch on some deeper realities not known to those who often work with these same issues.

Vittorio Bertola wrote:
Derek Smythe wrote:
Hi .... I think you are making a fundamental mistake here - you want a frauding website taken down by ICANN because it has incorrect Whois information. What you should want is rather that a frauding website is taken down by its country's police because it violates its country's laws.
Which country's police would that be? Where? This website has been reported to the authorities more than once.
I would be very, very, very concerned if ICANN staff started to take decisions on whether a website is "criminal" or not, possibly just by having a quick look at its home page or because of blanket assumptions like those made in the complaint, such as "Site gathers personal information on insecure form. Legitimate businesses do not gather this type of information without security precautions".
If you received a phishing email, would you make an assumption about it if it asked you to log in to your account at some strange location? In one of the examples given - safe-wayonline, no assumptions are required. Reports are not based on "quick looks". The official legal entities publish more than enough data to verify that this website is not legitimate. The same resources can be used to verify it is abusing another real company's registration number. A third official one states that other websites have stolen the company registration and abuse it on their sites, targeting jewelry auctions. More than enough reports of attempted fraud and fraud are available online. Ask a bank or similar financial services provider or even a financial regulator what would happen if they were to suddenly start doing banking or similar without at least using some security protocol like https. I agree partly - no, it is not ICANN's task to take down scam websites, but where evidence as per ICANN advisory dated 3 April 2003 is available, this is an issue for prompt action. That responsibility lies with the registrar. ICANN is to ensure this is done and is covered under security and stability of the internet, also trust in the internet. As for the mentioned Godaddy domains, the true owner of the address denies any knowledge of the registrant. ICANN was also made aware of this. Other domains by the same registrant still exist with fictitious addresses; example NATWSECMAIL.INFO. How would you judge http://ubsflorida.homelandssecurities.com ? The answer would be to judge it via the whois and circumstances. In this case this is history repeating itself for the N-th time; http://db.aa419.org/fakebankslist.php?psearch=BHFINDONESIA.COM ... using payment processor Graphcard.com in whois to register a domain with 007names.com, despite Graphcard not accepting responsibility and 007Names being made aware of this. http://forum.aa419.org/viewtopic.php?t=29427 Yet I have personally phoned Joyce at 007names a few months ago who ignored my emails where I explained what was happening. She then asked I send her another email. The result is there for all to see. We have headless bank spoofs running around with the registered address owner not accepting responsibility. I could probably write a ten page "summary" on this - but I will spare you ;) Sorry for the elaborate examples, but the bottom line is that judgments are not made lightly. There are many tests a domain must fail before it can be declared fraudulent. In fact many domains are monitored for months before revealing their true nature. Understanding the situation makes the situation extremely predictable. I wish to welcome to kdbuk.com which was monitored for over nine months. If I was a betting man I would have been rich. Without ever showing web content, I could tell you what it was. I note it references NATWSECMAIL.INFO for email. It's a small world, but once again I will spare you a ten page summary :) However, the bottom line is these domains use fake whois details, or abuse privacy mechanisms like the last example. This IS covered in the RAA.
I would also be very concerned if ICANN started to disable domain names on the grounds that "the postal code entered is incorrect".
As explained, the postal code is the smallest part of it. It should have been verified before November 2008 if the system was working. But it does raise a red flag - why was it not investigated? At least we owe an answer to the later victims of this scam.
However, I concur with the letter that the WDPRS is a useless service that appears to have been deployed more as a token effort than for real. I think it should just be dropped - if people suspect that a website is doing fraud, they should call the police, not ICANN. If there is the need for cross-national cooperation, the various polices should just do their job and get organized to cooperate quickly and effectively. If there are countries that do not cooperate, then this is definitely a matter for national diplomacies to sort out - the US was able to impose its flavour of intellectual property regulation to the whole world through TRIPs and bilateral agreements, don't tell me that it is not strong enough to get cooperation on cybercrime.
The sad fact is the world currently does not have enough trained police resources to look at each and every domain trying to scam internet users. Jurisdiction is also a problem. Anonymous proxies etc do not help. The same facilities legitimate internet users provide to protect their privacy are the same ones internet criminals use. Right now pre-paid American debit/gift cards are being sold in Africa (in a country nobody wants to deal with) complete with fake American address and used extensively for registering domains. I am not saying law enforcement do not do the best, in fact the opposite! Given the bad registration info, they are doing brilliantly under the circumstances despite ICANN and the registrars. We find doors being kicked down in the early hours of the morning half way around the world to the victims. A small example: Netherlands, Romania etc, but this is only the tip of the iceberg. Sadly some countries try and improve their image without resolving real issues that affect the rest of the world. This is a reality we have to accept and build upon. However, the golden rule of internet fraud from a victim perspective: When the money is lost, it is lost forever. Personally I believe more money is stolen through fraud on the internet, than made by registrars and ICANN. Nobody knows the true extent of it and costs.
ICANN, in any case, should care more about Internet fraud and be more cooperative - but possibly by referring these (very valid and important) complaints to the appropriate law enforcement agencies depending on the countries involved. It could act as an information clearinghouse that could be very useful.
Agreed. Same for registrars. Some might be in for a massive surprise though.
Finally - about the "general internet user perception of ICANN":
The "general internet user perception of ICANN" is non-existing - users don't know that ICANN exists.
The people that know about ICANN and try and use the systems. Do you think Brenda who originally reported safe-wayonline.com will give ICANN another chance? From her perspective she wasted her time.
If you refer to "active users" and user groups, however, the perception is then much different according to the part of the world. For example, in Europe ICANN is usually perceived as an instrument to further the U.S. control over the Internet, for example by removing from the Internet the privacy that is guaranteed to European citizens by their national laws. And please don't be upset about this - it is not advocacy, it is just a fact that derives from cultural differences.
Ciao,
However, if WDPRS reports were taken seriously by "all" registrars and processed by them, a lot of these issues can be avoided. Also it begs the question; why should any specific registrar comply with the RAA and examine bogus whois information if other registrars do not?

Regards
Derek