[At-Large] 9th Circuit Court ruling on ICANN Contract.
derek at aa419.org
Sun Jan 9 19:04:38 UTC 2011
How can you put all the responsibility and risk on one party, yet have
no risk on the other side for those pill spammers/money mules/....
I post a $100,000, get no reply from data registrant, as such no
access too the data.
In the meantime the address in the registration is fake, a groups of
trees (as was the case for a privacy proxy).
Or the provider is a one stop shop - send money only and an email
address, no registration data required, we give you a domain and
hosting (and access to our own attorneys in obscure offshore
On 2011/01/09 20:37, John R. Levine wrote:
> Sigh. In what fantasy world do you imagine that there is a process to
> implement this?
> Also, in this world, we routinely identify and turn off a thousand
> or more domains at a time used by criminals, so make sure it scales.
> If you're saying I have to post a $100,000 bond to track down a pillz
> spammer, no thanks.
> On the other hand, if you're proposing that people have to appear in
> person to a government official and verify their identity before they can
> register a domain, that's not a bad idea.
>>> For years I have advocated that penetration of domain registrations
>>> should require the person making the request do several things:
>>> 1. They should announce their identity, personal and organizational
>>> (including contact information), and proofs of that identity, which
>>> would be recorded, permanently, into an access log.
>> As long as the same requirements are put on registrants (also see
>> point 6).
>>> 2. A bond (small, perhaps $100) should be posted to indemnify the
>>> data subject should the access be ill founded, vexatious, or made with
>>> reckless disregard of facts known, or readily knowable to, the accessor.
>>> (There are lots of ways that this requirement could be streamlined to
>>> accommodate the needs of consumers - for example the bond could be
>>> waived for the first 10 accesses during any 12 month period.)
>> The same for the registrant, he should also post a bond. If any
>> allegations are found to be justified, there should be punitive
>> measures in place.
>>> 3. They should make a concise and concrete accusation, into the
>>> permanent log, that states why they believe rights they process towards
>>> the domain name are being violated. This accusation must be backed by
>>> evidence. This accusation could act as an estoppel against the accessor
>>> making contrary assertions at a later date
>> Semi agreed. Those accusations should be recorded and be held for at
>> least a period of five years. The records of accusations should be
>> available to to all parties; law enforcement, recognized anti-abuse
>> groups, registrars, registries etc). Just remember the accusation may
>> not only be against the domain name, but may span a range of issues
>> (botnets herders, fake shopfronts ...)
>> Should the accusation be found to be correct, the registrar or his
>> agent shall upon request by the accuser, also supply all other domain
>> names registered to the same party. This may also be used at other
>> registrars/privacy proxies and like.
>>> 4. They should be required to enter into a legally binding agreement,
>>> with the data subject being granted explicit third party beneficiary
>>> rights of enforcement, that constrains the use of the data obtained so
>>> that it may not be further disseminated or used for any other purpose
>>> than to initiate a dialog with the data subject on the question whether
>>> the accusation is well founded or specious.
>> The data should also be allowed to be shared with legal authorities
>> and recognized anti-abuse groups, along with any pertinent data (also
>> accusation in point 3). A response is required from the data subject
>> in 24 to 48 hrs maximum for a legal person, 7 days for a natural
>> person. If no such response is forthcoming, the data will be made
>> available as if an affirmative response was received.
>> Should the registration data be found to be grossly inaccurate (bogus
>> registration details, identity theft etc) then all domains linked to
>> those grossly inaccurate registration details will immediately be
>> suspended. This requirement will be mandatory and span all registrars
>> and registries.
>> Should a proxy have been used that accept registrations for domains
>> where no registration data is required of the registrant, only the
>> funds for the domain, that proxy provider will be held liable for any
>> harm done by that domain (we have been seeing a lot of these providers
>> of late)
>> The proxy provider itself may not be registered via another proxy
>> provider. A proxy provider must have a physical address at the stated
>>> 5. The data subject should be given notice of the access, including
>>> the identity of the accessor and the content of the accusation. The
>>> data subject would have the right to make that accusation and the
>>> identity of the accessor public.
>> Not sure how that would work for law enforcement and like legitimate
>>> 6. On a periodic basis the log of access should be processed so that
>>> the name of each accessor, and the number of accesses made, is published
>>> to the public. This will help identify access trolls.
>> Naturally the accessor has the same rights as the registrant. As such
>> he is also allowed to use proxy providers. Based on the work some
>> inquirers do ,they might have more reason to use such mechanism as
>> mere personal privacy, rather personal safety.
> At-Large mailing list
> At-Large at atlarge-lists.icann.org
> At-Large Official Site: http://atlarge.icann.org
More information about the At-Large