[At-Large] Privacy and domain abuse vs the IP constituency

[Derek Smythe]

On 2011/05/08 12:33, Antony Van Couvering wrote:
> In my role as uniform purveyor, If I report an impersonator to the police, presumably they arrest him.  If they don't, *and* they tell me they're still looking for him, *and* he shows up again, then I call them again.   If I call them ten times and they still don't arrest him, eventually I figure that either (a) he's innocent or (b) they don't care or (c) both. 
I know for a fact that many registrars do escalate serious issues. In
fact I have had feedback via this loop on certain issues. When one
registrar changed hands in terms of the holding company, all feedback
stopped. Abuse using it's services shot up.

> What I don't do is tell every customer who comes into my shop that because I reported someone once, everyone is under suspicion, and I'm going to be sending all of their names to the police, and collecting and verifying their address and other particulars before I sell them a uniform.
Agreed, most surely not. However there is a requirement to collect
registration details and that part fo the registration agreement was
put there for a reason.

> I'm not a cop, and my customers (and probably the general public) don't want me to act as a cop.  I'm not trained, I don't know the law, and I'm not given any powers by the state.
Agreed, but you do not have to be a cop to recognize a mugging either.

> Furthermore, I would be out of business in a week, because all my customers would be (rightly) offended and seek another uniform shop.
They would do the same if they knew you knowingly kept on supply the
same mugger.

> If I recognize a malefactor, I will happily drop a dime on him.  If it's someone I don't know, the presumption is that he's not a malefactor. 
Agreed, this is not too much to ask. As for somebody you don't know,
if a continued abuse pattern develops over the years, you will know
something is wrong. In a normal business, would you accept the same
credit card continuously from the same party if it results in  a
charge back every time?

> 
> The key is recognition.  It's very easy to fake your identity on the Internet, it's very hard to verify that people are who they say they are. The cops can't seem to do it, how am I, a guy who sells uniforms, supposed to do it?  
It's not always a case of the cops not being able to do it, it's a
case of priorities. As one LE said it: "A 5 minute crime on the
internet can take years to fully prosecute". hat equates to resources
like finaces and manpower. That in itself causes a skewed cost in
terms of cross border issues. The verification of linked events is
actually not all that difficult as well either, even if not traceable
down to an actual perpetrators.

> I can walk into any Walmart in the country and buy a 12-inch hunting knife that I can eviscerate somebody with, or a bow and arrow that will kill a human being at a great distance.  I can buy gasoline to set someone's house on fire.  I can buy a variety of poisons, or the ingredients for poison, at any drug store or hardware store.  They don't ask me who I am, where I live, or any such thing.  If I do any of these things, the cops will come after me, but they're not going to hold the person who sold me my tools of evil responsible, simply because they are evil because of my actions, not in themselves.    The vast majority of domain names are used for useful and legitimate purposes, just as gasoline is, or ammonia and chlorine bleach.
Yet domains have a added requirement, a registration. There is also an
expectation under that general populace that somehow domains have a
special significance. I am not going to argue the merits of this
point, it is how it is. However do we tell them it is wrong when
domain are supposed to be registered.

> Personally I have a hard time justifying a regime that would treat sellers of domain names as criminal accomplices, or impose on them a duty of verification that doesn't exist for ISPs, or email providers, or IP address providers.  I certainly don't see anyone lining up to indemnify registrars against lawsuits because they deny someone a domain name unjustly.
In fact indemnity is an issue came up with a recent ICANN meeting. I
think the Godaddy's representative Christine Jones raised the issue.
The heartening fact is that many registrars are willing to stick their
necks out and do to stop abuse.

Many ISPs and other service providers nowadays requires verification.
I personally use a few of those. This is also happening more and more.
We need to ask ourselves why.

Verification has also been instituted by law in certain countries.
This in itself is a red flag for privacy, but under the circumstances
we cannot blame a country if it is in a genuine bid to protect it's
citizens. Howe can we counter it being later abused? However we as
general internet users set the stage for this scenario and we only
have ourselves to blame for where this could well lead to.

That is why it is of concern to me that we do not pass the buck in
terms of addressing bad actors in our midst and give them a hiding
place under the "privacy" flag while they prey on out fellow internet
users, also using privacy as an excuse for invalid whois details,
rather rather exposing them by reporting etc as allowed for.

However by denying the issues of domain abuse linked to domain privacy
or fake registration details, we are well on our way to forcing
ourselves into a choice of our constitutional privacy and not being a
registrant or having no privacy and being a domain registrant as the
only two legal options. If this sounds unrealistic, a related issue is
the banning of domain privacy on .US domains.

If in a bid to do the right thing we have to work with members of the
IP constituency, so be it for now. I have shown we have common ground.

Interesting reading:
http://voices.washingtonpost.com/posttech/2011/02/godaddycoms_christine_jones_ta.html

Derek