[At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

[Holly Raiche]

Hi Derek

Just to correct a few things.

First - this is NOT about collecting less WHOIS information - it is about MAKING PUBLIC less WHOIS information.

Next, it is NOT about not providing access to the WHOIS information for law enforcement agencies.  Generally, data protection law makes exceptions on access to personal information for law enforcement agencies and other, enumerated purposes.  So they WILL have access to the data - whether or not it is faked.  The idea is NOT to make it harder for LEA types to have access to data for legitimate purposes - it is to make it harder for just anyone for no reason to have access to that data. And really, what the waivers do is simply allow compliance with national laws - to manage personal information so that it is NOT generally publicly available, but is available for legitimate purposes - including LEA

Next - if you look at the 2013 RAA, there are enhanced requirements for registrars checking on data so that accuracy of data is improved. (read the Whois Review Final Report in relation to that issue).  It does not eliminate fake data - but makes it just that much harder to have registrars accept fake data.  So while the call is about respecting data protection laws in relation to making WHOIS data public, it is NOT about removing requirements for registrars taking steps to make sure that data is correct - and checking regularly to be sure.  Of course, rules are honoured in the breach.  Of course, there are registrars who do not follow ICANN rules on data accuracy.  But that should not be a call to ignore those rules  - it should be a call for more enforcement.

And yes, there are jurisdictions where the criminals can hide.  But that is about national sovereignty and the failure of governments to control their country codes - which is beyond ICANN’s jurisdiction.

So please, waivers are there to strike a balance between protecting personal information from general unregulated publication as against the legitimate needs of LEAs (and other institutions given access to personal information under enumerated circumstances) for access to that information.

Holly

On 18 Dec 2015, at 9:29 am, Derek Smythe <derek at aa419.org> wrote:

> On 2015-12-17 07:44 PM, John R. Levine wrote:
> 
>> People with no experience with large networks, which includes pretty
>> much everyone on the ALAC, often seem to believe that collecting less
>> information about domain registrants always improves the privacy of
>> Internet users.  The reality is much more subtle.
>> 
>> The vast majority of users have never registered a domain and never
>> will, so WHOIS doesn't affect them, while the vast majority of domains
>> are registered for commercial purposes, and a dismaying number for
>> criminal purposes.  A large registrar often turns off 10,000 domains a
>> day for malware, phishing, and other malevolent behavior.
>> 
>> The WHOIS information that most of the waivers concern is very useful
>> for identifying and dealing with criminals.  That is so even though a
>> lot of it is faked, since the crooks tend to have patterns when they
>> fake stuff. I'm not guessing about this, I talk to people every day at
>> network operators who are protecting their users and law enforcement
>> who are protecting their citizens.
>> 
>> Registrars should certainly comply with their national laws, and I
>> agree that some of ICANN's rules are silly, e.g., when they grant a
>> waiver, it should automatically apply to other registrars or
>> registries in the same jurisdiction.  But when you make it harder to
>> tell who's behind a domain, you're also making it easier for criminals
>> to siphon the money out of your grandmother's bank account.  That may
>> be a reasonable tradeoff, but it's a tradeoff and one that deserves
>> better than the kneejerk reeactions we always see here.
>> 
>> R's,
>> John
> 
> +1
> 
> To illustrate the point, search for "fjrasile at yahoo.com". Hint:
> Supplying bogus data has nothing to do with privacy. Also look at the
> period over which those domains were registered with the registrar
> constantly being made aware of the issue. You'll also find this party
> uses more than one registrar.
> 
> This is just one of many such.
> 
> We also do not wish to subject the public to domains such as
> eicu-ae.com (spoofing eic.ac.ae ); "beautiful" WHOIS not even meeting
> the basic sanity checks. Yet we wish to hide this with privacy? Such
> issues are seen daily on domains that are registered for purposes to
> the detriment of the ordinary innocent user.
> 
> The problem is the majority of registrants are not malicious. But a
> small handful are and they are extremely active in registering domains
> with ever changing fake WHOIS details. Even fake WHOIS details may
> leave patterns (as John said).
> 
> Ironically I've alerted victims of credit card fraud that their
> details are being abused by a fraudster in WHOIS where the the pattern
> did not match the other circumstances. Were it not for WHOIS, this
> would have slipped past the victim due to the small amounts involved.
> 
> Here's the problem. Unaccountable privacy is nothing more than
> anonymity and can be used to devastating effect against the ordinary
> innocent people using the internet. Some Registrars have shown
> themselves to not really do WHOIS sanity checks or care, some are
> deliberately obstructive and discourage reporting fake WHOIS, ignoring
> ongoing linked issues. The WDPRS system has shown itself to not be
> effective in such cases. Some registrars simply does not care.
> 
> Laws differ from country to country. Some Registrars and resellers use
> this as a strategic marketing tool to attract a certain type of
> client. Some openly attract clients practising what would be
> considered illegal activities, such a fraud, in Europe, the US and
> most parts of the word, simply due to a jurisdiction issues and they
> way local law is structured. So for a mere $10-$15 a repeat malicious
> registrant can go jurisdiction shopping, targeting whomever he wishes,
> even residents of the country he lives in.
> 
> E.g.: http://mediaon.com/Real-Whois-Protection.php
> Ironically the initial home of the German "Fake Shopkeeper Gang" who
> was responsible for Germany largest cyber fraud losses up to 2012.
> 
> The gang moved to 'Russian' reseller Heihachi (Home of the disavowed
> Wikileaks copy). Later both the German gang and the Austrian owner of
> Heihachi were arrested. The owner of Heihachi had a prior criminal
> record, yet was a reseller for one of America's largest Registrars,
> had fake whois details as was constantly pointed out to the registrar
> and ICANN. So the reseller was offered a WHOIS proxy service by the
> registrar. In turn Heihachi offered WHOIS proxy services for domains
> belonging to carders, botnet herders, malware creators and
> distributors etc.
> 
> Is this the Internet we we want?
> 
> The problem is law enforcement simply does not have the resources to
> cater for all of the abuse found on the net. Then there is the
> international social/political issues. This is no reflection on the
> authorities, rather the state of the net and certain realities. That
> is why the authorities rely on partnerships with other private groups.
> 
> Regards,
> 
> Derek Smythe
> Artists Against 419
> http://www.aa419.org
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> At-Large mailing list
> At-Large at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/at-large
> 
> At-Large Official Site: http://atlarge.icann.org