[RAA-WG] Private registration, ID theft - clarification required

Derek Smythe derek at aa419.org
Fri Sep 26 18:12:29 CDT 2008


Hi Everybody

Against the background of recent events that have now died down, as 
well as observations of ongoing private registration abuse, I believe 
that some rules need to be spelled out for the privacy providers.

As per the RAA, item 3.7.7.3:
> 3.7.7.3 Any Registered Name Holder that intends to license use of a domain 
> name to a third party is nonetheless the Registered Name Holder of record 
> and is responsible for providing its own full contact information and for 
> providing and updating accurate technical and administrative contact 
> information adequate to facilitate timely resolution of any problems that 
> arise in connection with the Registered Name. A Registered Name Holder 
> licensing use of a Registered Name according to this provision shall accept 
> liability for harm caused by wrongful use of the Registered Name, unless it 
> promptly discloses the identity of the licensee to a party providing the 
> Registered Name Holder reasonable evidence of actionable harm.


The purpose of the whois details in a domain registration being 
publicly visible has been much discussed. Does this apply to a 
registrar who is providing privacy services?

In fact many times reports of fraud to the registrar and/or associated 
privacy provider are ignored. Alternatively a reply of "we are only 
the registrar and you need to contact the hosting provider" is received.


We are finding privacy providers that are extremely difficult to 
contact. We find that, despite notices of illegal domain usage to 
privacy providers, the stated emails may be returned undelivered or 
result in some alternative form of communication being suggested via 
email. Online systems leave a party notifying a provider of privacy 
with no recourse and proof of having notified that provider. This form 
of communication also does not allow for copying to other appropriate 
parties such as the authorities. Some communications are totally ignored.

We also find semi-private registrations where the registrant 
information is shown as a name, but the contact details all belong to 
a privacy provider. What is disheartening is that in this instance it 
happened while the same registrar was shown that mass fraud associated 
with identity theft used for domain registrations is taking place 
at this registrar's reseller. This leaves the public defenseless and 
is simply hiding an issue.

What does in fact happen in the case of semi-private registrations as 
mentioned? Especially based upon the background of the issues 
highlighted.

The fact is that blanket private registrations are offered for free 
and undesirable elements can and do abuse these facilities for 
criminal and spam domains. I am sure each and every one of us can think 
of such abuse examples.

I believe that the increasing popularity and availability of even 
free private registrations requires that this issue is addressed 
properly in an advisory or similar official statement.

Another item that definitely needs addressing is where the 
registration details shown are bogus, but do in fact belong to a real 
person; name, address and telephone number are stolen. However it is 
linked to a free disposable address. This is a case of identity theft 
where the shown registrant never agreed to any agreement with the 
registrar, yet has his/her details displayed. There are some extremely 
serious repercussions here. Yet we find these domains are also not 
canceled immediately. I have numerous examples of these complete with 
emails from the real owners of the registrant details shown and that 
were passed on to the registrar.

Another problem is that even if such a domain were to be canceled, the 
damage is already done and the domain will show the stolen identity 
for quite a time.

Something worth thinking about as well. In the case of a bogus domain 
registration where one party is fictitious by virtue of either bogus 
whois data or a stolen identity, a domain registration agreement is 
not valid. You cannot have an agreement with a fictitious party.

The nature of the internet today is such that in even 15 days 
considerable harm can be done. This issue was discussed in the ICANN 
advisory dated 3 April 2003. However this issue occurs and the grace 
given to registrars to act as they deem appropriate simply results in 
a 15 day whois notice being given despite harm to the public.
Ref: http://www.icann.org/announcements/advisory-03apr03.htm

Based upon this background, I believe guidance should be given on
a) the obligations and responsibilities of a privacy provider. This 
may or may not be a registrar and as such may or may not be an RAA issue,
b) procedures to follow upon encountering identity theft and
c) more strongly phrased wording upon encountering abusive domains 
registered with fake or private whois.

Please note: Where I refer to domain abuse I am not referring to 
socially unacceptable websites which may vary based on demographics, 
rather websites used in online fraud, spam and malware distribution. 
These are issues affecting the stability of and faith in the Internet.


Thank you

Derek Smythe
http://www.aa419.org




