[RAA-WG] [At-Large] Open letter to ICANN

Derek Smythe derek at aa419.org
Tue Apr 7 13:23:13 CDT 2009


Vittorio, I disagree and agree. Understanding what is happening here 
depends on the depth of understanding.

Sorry, this reply is much, much longer than anticipated. I will
touch on some deeper realities not known to those who often work with 
these same issues.

Vittorio Bertola wrote:
> Derek Smythe wrote:
>> Hi
....
> I think you are making a fundamental mistake here - you want a frauding
> website taken down by ICANN because it has incorrect Whois information.
> What you should want is rather that a frauding website is taken down by
> its country's police because it violates its country's laws.

Which country's police would that be? Where? This website has been 
reported to the authorities more than once.

> 
> I would be very, very, very concerned if ICANN staff started to take
> decisions on whether a website is "criminal" or not, possibly just by
> having a quick look at its home page or because of blanket assumptions
> like those made in the complaint, such as "Site gathers personal
> information on insecure form. Legitimate businesses do not gather this
> type of information without security precautions".

If you received a phishing email, would you make an assumption about 
it if it asked you to log in to your account at some strange location?

In one of the examples given - safe-wayonline, no assumptions are 
required. Reports are not based on "quick looks".

The official legal entities publish more than enough data to verify 
that this website is not legitimate. The same resources can be used to 
verify it is abusing another real company's registration number. A
third official one states that other websites have stolen the company
registration and abuse it on their sites, targeting jewelry auctions.

More than enough reports of attempted fraud and fraud are available 
online.

Ask a bank or similar financial services provider or even a financial 
regulator what would happen if they were to suddenly start doing 
banking or similar without at least using some security protocol like 
https.

I agree partly - no, it is not ICANN's task to take down scam 
websites, but where evidence as per ICANN advisory dated 3 April 2003 
is available, this is an issue for prompt action. That responsibility
lies with the registrar. ICANN is to ensure this is done and is 
covered under security and stability of the internet, also trust in 
the internet.

As for the mentioned Godaddy domains, the true owner of the address 
denies any knowledge of the registrant. ICANN was also made aware of
this. Other domains by the same registrant still exist with
fictitious addresses; example NATWSECMAIL.INFO.

How would you judge http://ubsflorida.homelandssecurities.com ?
The answer would be to judge it via the whois and circumstances. In 
this case this is history repeating itself for the N-th time;
  http://db.aa419.org/fakebankslist.php?psearch=BHFINDONESIA.COM
...
using payment processor Graphcard.com in whois to register a domain 
with 007names.com, despite Graphcard not accepting responsibility and 
007Names being made aware of this.
http://forum.aa419.org/viewtopic.php?t=29427

Yet I have personally phoned Joyce at 007names a few months ago who 
ignored my emails where I explained what was happening. She then asked 
I send her another email. The result is there for all to see. We have 
headless bank spoofs running around with the registered address owner 
not accepting responsibility. I could probably write a ten page 
"summary" on this - but I will spare you ;)

Sorry for the elaborate examples, but the bottom line is that 
judgments are not made lightly. There are many tests a domain must 
fail before it can be declared fraudulent.

In fact many domains are monitored for months before revealing their 
true nature. Understanding the situation makes the situation extremely 
predictable.

I wish to welcome you to kdbuk.com which was monitored for over nine
months. If I was a betting man I would have been rich. Without ever 
showing web content, I could tell you what it was. I note it 
references NATWSECMAIL.INFO for email. It's a small world, but once 
again I will spare you a ten page summary :)

However, the bottom line is these domains use fake whois details, or 
abuse privacy mechanisms like the last example. This IS covered in the 
RAA.


> 
> I would also be very concerned if ICANN started to disable domain names
> on the grounds that "the postal code entered is incorrect".

As explained, the postal code is the smallest part of it. It should 
have been verified before November 2008 if the system was working. But 
it does raise a red flag - why was it not investigated? At least we 
owe an answer to the later victims of this scam.

> 
> However, I concur with the letter that the WDPRS is a useless service
> that appears to have been deployed more as a token effort than for real.
> I think it should just be dropped - if people suspect that a website is
> doing fraud, they should call the police, not ICANN. If there is the
> need for cross-national cooperation, the various polices should just do
> their job and get organized to cooperate quickly and effectively. If
> there are countries that do not cooperate, then this is definitely a
> matter for national diplomacies to sort out - the US was able to impose
> its flavour of intellectual property regulation to the whole world
> through TRIPs and bilateral agreements, don't tell me that it is not
> strong enough to get cooperation on cybercrime.

The sad fact is the world currently does not have enough trained 
police resources to look at each and every domain trying to scam 
internet users. Jurisdiction is also a problem. Anonymous proxies etc 
do not help. The same facilities legitimate internet users provide to 
protect their privacy are the same ones internet criminals use. Right 
now pre-paid American debit/gift cards are being sold in Africa (in a 
country nobody wants to deal with) complete with fake American address 
and used extensively for registering domains.

I am not saying law enforcement do not do the best, in fact the
opposite! Given the bad registration info, they are doing brilliantly
under the circumstances despite ICANN and the registrars. We find
doors being kicked down in the early hours of the morning half way 
around the world to the victims. A small example: Netherlands, Romania 
etc, but this is only the tip of the iceberg.

Sadly some countries try and improve their image without resolving 
real issues that affect the rest of the world. This is a reality we
have to accept and build upon.

However, the golden rule of internet fraud from a victim perspective: 
When the money is lost, it is lost forever.

Personally I believe more money is stolen through fraud on the 
internet, than made by registrars and ICANN. Nobody knows the true 
extent of it and costs.


> 
> ICANN, in any case, should care more about Internet fraud and be more
> cooperative - but possibly by referring these (very valid and important)
> complaints to the appropriate law enforcement agencies depending on the
> countries involved. It could act as an information clearinghouse that
> could be very useful.

Agreed. Same for registrars. Some might be in for a massive surprise 
though.

> 
> Finally - about the "general internet user perception of ICANN":
> 
> The "general internet user perception of ICANN" is non-existing - users
> don't know that ICANN exists.

The people that know about ICANN and try and use the systems. Do you 
think Brenda who originally reported safe-wayonline.com will give 
ICANN another chance? From her perspective she wasted her time.
> 
> If you refer to "active users" and user groups, however, the perception
> is then much different according to the part of the world. For example,
> in Europe ICANN is usually perceived as an instrument to further the
> U.S. control over the Internet, for example by removing from the
> Internet the privacy that is guaranteed to European citizens by their
> national laws. And please don't be upset about this - it is not
> advocacy, it is just a fact that derives from cultural differences.
> 
> Ciao,

However, if WDPRS reports were taken seriously by "all" registrars and 
processed by them, a lot of these issues can be avoided.

Also it begs the question; why should any specific registrar comply 
with the RAA and examine bogus whois information if other registrars 
do not?

Regards

Derek




