On Sep 14, 2009, at 11:36 AM, Evan Leibovitch wrote:
The high-level problem has always been fairly easy to identify: bad actors go out of their way to obscure, hide or fake contact information so that they cannot be held accountable for their actions. Please correct me if this core assumption is incorrect.
While the contractual contact information between registrant and registrar is most likely accurate (to protect the registrar), it is confidential to the transaction between them and does not serve the public good. It is WHOIS -- the direct interface between name owner and the public -- that is being obscured, hidden and faked.
Both of these assumptions aren't totally accurate. Criminals are registering domains using stolen identity information, including name, address and cc data. What do you think they do with the cc data they are phishing? They are either testing it so that they can do bulk sales of valid cc data to third parties, or they are using it register domains that they use to further support their own criminal endeavors. The big fish aren't using invalid data, they are using stolen data. Take a look at the data that the average cc phish asks for and then compare it to the data that you need to register a domain - you will see almost a 100% match. Further, the prescription misses the fact that a bug chunk of the fraud is emanating from .cn and other cc's where ICANN has little control over the problem. I still maintain that the policy process should find the solution. Go into the discussion with a specific view of what the solution to the problem is will only force people to take positions in an attempt to defend their interests. Instead, framing up a set of problems that the policy process needs to resolve, i.e. policy goals, will allow the participants to take a more collaborative role in the process. i.e. Example policy objectives: - it is in the public interest to minimize the criminal use of domains. ICANN needs to have a clear policy that helps identify the source of criminal use of domains and minimize or eliminate the degree to which contracted parties directly or indirectly faciliate the registration of domain names for criminal use. Further more, the CCNSO should encourage its member registries to enact similar policies domestically and the GAC should be engaged to discuss inter- governmental solutions to these same problems. (noting that the GAC discussion should focus on helping further the understanding that the role of LE on an international basis needs to be highlighted for any solutions to be truly effective. Even with the best policies in place, ICANN can't put bad guys in jail, it can only make their life difficult) Example policy prescription: - gtld registrars should proactive screen and verify whois data at the time of purchase to prevent people from registering domain name using false or innacurate contact information. Again, going into the discussion with the latter statement only allows for a very limited range of policy outcomes - and I submit, does very little to actually deal with the real problem that Danny has identified. /r