Domain-name abuse proliferates; rogue registrars turn a blind eye
Yet another article on domain name abuses (1).
At one point the article quotes Ram Mohan as saying, "ICANN, which has overall responsibility for the Whois database of registration information, has to find a way to validate the entries."
Perhaps Ram wasn't aware that the very first RAA (1999) contained this language:
"Registrar shall abide by any ICANN-adopted policies requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with an SLD registration sponsored by Registrar or (b) periodic re-verification of such information."
Time-of-registration-whois-verification is a policy that is long overdue. Is the at-large prepared to bring this issue forward?
(1) http://news.idg.no/cw/art.cfm?id=B809FA70-1A64-67EA-E4B5B30FF36D196B
On Sep 14, 2009, at 9:11 AM, Danny Younger wrote:
Time-of-registration-whois-verification is a policy that is long overdue. Is the at-large prepared to bring this issue forward?
I encourage you to be thoughtful about the issues as you bring this forward.
What I mean is, try and take some time to think about the actual issue vs. a prescription. Whois data verification pre-registration will be exactly as useful as credit card billing information verification at the time of registration (which is, in my opinion, not very - the bad guys have all the data they need to pass most verification schemes).
Framing up the issue in terms of the problem (as opposed to the solution) will help focus the discussion on a range of outcomes, rather than focusing it on an already overloaded and contentious framework (whois).
/r
Hi Ross,
I view time-of-registration contact data verification as a matter that is in the public interest. I tend to place the public interest ahead of registrar self-interest.
As a community we have to ask ourselves if ICANN is doing enough to make sure that contact data is reasonably accurate. At the moment such data isn't as accurate as it could be, and clearly more could be done.
This is not an unreasonable step to take, and will certainly result in some degree of improved accuracy.
What harm to the public interest do you believe would accrue if such a policy was put in place?
regards, Danny
You are missing my point and assuming motive.
I'm simply saying that the public interest will be better served if the questions are asked in terms of identifying the problems that exist and then looking for solutions to them as part of the policy development process. Your original note identified a very limited and prescriptive set of solutions which may or may not be helpful in dealing with the problems that I think you are identifying.
In other words, this has little to do with whois data verification and everything to do with protecting the public, registrants, etc. from criminals who are abusing the registration system.
If you want to harp on whois accuracy, that's fine - I'm not going to stand in your way, but I think if you are serious about getting something done, you will need to open up the discussion to what is likely going to be a larger range of solutions than the ones you described in your note earlier this morning.
/r
Ross Rader wrote:
I'm simply saying that the public interest will be better served if the questions are asked in terms of identifying the problems that exist and then looking for solutions to them as part of the policy development process. Your original note identified a very limited and prescriptive set of solutions which may or may not be helpful in dealing with the problems that I think you are identifying.
The high-level problem has always been fairly easy to identify: bad actors go out of their way to obscure, hide or fake contact information so that they cannot be held accountable for their actions. Please correct me if this core assumption is incorrect.
While the contractual contact information between registrant and registrar is most likely accurate (to protect the registrar), it is confidential to the transaction between them and does not serve the public good. It is WHOIS -- the direct interface between name owner and the public -- that is being obscured, hidden and faked.
Of course there are privacy issues at hand, but some reasonable proposals -- such as allowing personal registrants to keep their information protected by escrow, but still accurate and accessible by the legal system -- have attempted to address this.
There seems to me to be no good reason *not* to verify and enforce the accuracy of WHOIS data. We can debate about who has access to it if the owner has a privacy concern, but there is absolutely no excuse for the data itself to be wrong or missing.
One could argue that, since registrars already have accurate contact information, they have the ability to keep WHOIS accurate even if the registrant themselves do not. The case is being made that registrars should thus bear at least partial responsibility for ensuring that WHOIS data is accurate. The issue of who has access to this WHOIS data, in case of a legitimate need for privacy, is different from the need to at least have accurate data *somewhere*.
(IMO if the cost to do all this is passed down from registrar to registrant -- even if it doubles the price of domains -- this would not bother me. Registrants who own a handful of domains for their own identity would not be heavily impacted, but domain speculators would. And that's fine with me....)
There may be other ways of enabling the public to identify and track down bad actors, and I for one would love to hear them. But enforcing WHOIS accuracy requires no new technical protocols, is already within ICANN's mandate, and is doable should the will exist.
If you want to harp on whois accuracy, that's fine - I'm not going to stand in your way, but I think if you are serious about getting something done, you will need to open up the discussion to what is likely going to be a larger range of solutions than the ones you described in your note earlier this morning.
I'm all ears. If not accurate WHOIS, then what? IMO, enforcing WHOIS accuracy may not solve all problems in tracking down bad actors, but it seems to me to be an extremely good -- and comparatively easy to implement -- start.
- Evan
On Sep 14, 2009, at 11:36 AM, Evan Leibovitch wrote:
The high-level problem has always been fairly easy to identify: bad actors go out of their way to obscure, hide or fake contact information so that they cannot be held accountable for their actions. Please correct me if this core assumption is incorrect.
While the contractual contact information between registrant and registrar is most likely accurate (to protect the registrar), it is confidential to the transaction between them and does not serve the public good. It is WHOIS -- the direct interface between name owner and the public -- that is being obscured, hidden and faked.
Both of these assumptions aren't totally accurate. Criminals are registering domains using stolen identity information, including name, address and cc data. What do you think they do with the cc data they are phishing? They are either testing it so that they can do bulk sales of valid cc data to third parties, or they are using it to register domains that they use to further support their own criminal endeavors. The big fish aren't using invalid data, they are using stolen data. Take a look at the data that the average cc phish asks for and then compare it to the data that you need to register a domain - you will see almost a 100% match.
Further, the prescription misses the fact that a big chunk of the fraud is emanating from .cn and other cc's where ICANN has little control over the problem.
I still maintain that the policy process should find the solution. Going into the discussion with a specific view of what the solution to the problem is will only force people to take positions in an attempt to defend their interests. Instead, framing up a set of problems that the policy process needs to resolve, i.e. policy goals, will allow the participants to take a more collaborative role in the process. i.e.
Example policy objectives:
- it is in the public interest to minimize the criminal use of domains. ICANN needs to have a clear policy that helps identify the source of criminal use of domains and minimize or eliminate the degree to which contracted parties directly or indirectly facilitate the registration of domain names for criminal use. Furthermore, the CCNSO should encourage its member registries to enact similar policies domestically and the GAC should be engaged to discuss inter-governmental solutions to these same problems. (noting that the GAC discussion should focus on helping further the understanding that the role of LE on an international basis needs to be highlighted for any solutions to be truly effective. Even with the best policies in place, ICANN can't put bad guys in jail, it can only make their life difficult)
Example policy prescription:
- gtld registrars should proactively screen and verify whois data at the time of purchase to prevent people from registering domain names using false or inaccurate contact information.
Again, going into the discussion with the latter statement only allows for a very limited range of policy outcomes - and I submit, does very little to actually deal with the real problem that Danny has identified.
/r
participants (3)
- Danny Younger
- Evan Leibovitch
- Ross Rader