[At-Large] Privacy and domain abuse vs the IP constituency

Derek Smythe derek at aa419.org
Sat May 7 15:58:49 UTC 2011 

On 2011/05/07 13:59, Patrick Vande Walle wrote:
> Derek,
> 
> There can be no bargaining on  fundamental, constitutional or legal rights for individuals, in favour of the commercial interests of a few corporations.  
> 
Bargaining? Few? Who said anything about bargaining or few?

As for constitutional or legal rights - nobody has the right to use a
domain and/or it's privacy to defraud - that is not your
constitutional/god given or whatever right - thought the Internet and
the way things are implemented currently has made some parties think
so because they have been doing it for years abusing international
jurisdictional issues and are getting away with it without
repercussions, in fact becoming quite wealthy in the process at the
cost of international consumers.

Example: Is LE going to chase down a "Malaysian" provider repsonsible
for a VPS full of scam domains. Example:
http://www.adamscolechambers.com/law/people.html
Why should this not of concern to us, the average John Doe?
Simple - because the target is not the site that is being plagiarized
http://www.chartlands.org/people.php (right down to images of the
actual lawyers).

These scams have been going on to target the average small people that
may be cluesless, yes, but they do not deserve the right to be
defrauded by anonymous miscreants.

As for the legitimate chartlands.org, do they have the right to have
their designs stolen, the images stolen and added to fictitious names?

Arguably they would use intellectual property laws etc to take down
this domain (and they should) and end up forming part of the "evil" IP
constituency en the end.

Here both the average user and the IP constituency have common ground
- which is the point I'm trying to make!

Now rinse and repeat this scam thousands of times over and the victims
accumulate quickly....


> If such thing were to happen, that would be through the form of a proper, accountable, legislative process, not a parallel enforcement, judicial system set up by private sector companies in order to protect their vested interests. 
> This is not the wild west anymore: we have institutions that are in charge of chasing, arresting and judging people who do things against the law. If these institutions do not do their job, talk to your congressman, vote for another party at the next election, i.e exercise your democratic rights as a citizen to influence the society and the administration that runs it.

The wild west? Congressman? Parallel enforcement? ....
I think you should take a breath and ask why these are successful. My
"congressman" is exactly at the heart of the problem. We do not have
those here, we have members of parliament etc. Further it is not their
problem either, since the actors in the above illustrated issue have
nothing to do with it. Yet we may sit with victims. So where do we go,
Malaysia where the DNS leads us to? What a (whois) joke, fake whois
details!

Here we have international issues at play. I have no say other than
continuously bugging the law enforcement officers in the USA regarding
hosting accounts, pointing out issues to the relevant hosting
providers etc since this malicious party abuses USA hosting providers
and the protection they offer.

As for the country he resides in, Nigeria, they have different
priorities and even though illegal in their country under the "419"
statue, the rate at which these are growing and abusing the DNS system
shows how efficient their enforcement system is. Why, it has grown way
beyound the prolific cottage industry of a few years back and has it
become an accepted. Do you not think the domain usage in these scams
are playing a role? Yes they do and we need to ask ourselves why the
use is continued and growing.

So, to answer your statement. "My" congressman or equivalent member of
parliament, law enforcement etc can only do so much, but at the end of
the day international escalations exist and are followed. Itis up to
the recipient country to action. If they do not ... we have what we
have. So no, it is not a wild west but disparate laws and remote
differing priorities that causes situations like the current to exist.

But then again I think you know that as this issue has certainly been
beaten to death.

> And please ask yourself: who you buy a Rolex from a stranger in the street ? If you did, you would only have to blame yourself for your foolishness. Would you buy a Rolex from a stranger on the Internet ?  The same answer applies. The only remedy against stupidity is education. 

Wow! Now it is okay to be defraud foolish people? So much for the
promise of the internet, lets start all over again.

Here is a little reality check for you since you wish to equate this
to non-virtual issues; In all other non-virtual systems their is much
more responsibility/accountability and maturity. We had examples
regarding proxies on this list re buying cars etc. Their is a
responsible party. That responsibility ensure you make very sure you
know who you are proxying for if you have to accept responsibility for
his actions. Equate that to the net?


The average "foolish" user equates to most of the populace on the
planet. The believe that domains registrations is a normal real world
process with all the checks and balances as they find in their every
day lives. We on this list know better.

So are we to start another ICANN group? The "foolish" group with real
responsible world expectations?

> 
> I must say I am disappointed to read on a mailing list targeting the interests of individuals that they should give up one of their constitutional rights in order to be friendly to the IP constituency. 

Friendly? No, I'm saying we should not self blind at all costs. Thus
far it has resulted in a stalemate that cost us individuals quite a
lot. And we can expect more of the same.

Ask yourself, why are some of the biggest supporters of open whois
details LE? Is it not because they also rely on the public to make
them aware of issues?  How many abusers on the internet have been
arrested based on leads that came from the non-badged public?

Even fake whois has it's values. I suggest you read the ICANN archives
on this issue.

> Many lawyers in Europe consider the provisions regarding WHOIS in the RAA to be illegal in Europe. I know of at least one registrar that is under investigation of the data protection office in its country for possibly breaking the local privacy laws for individuals. It is only a matter of time before these provisions will not be enforceable in this part of the world. 

Yes, hiding whois details may alleviate some problems in as far as
there may be less reports of arrests. Take a guess why? Simply because
the public will not be able to point out issues/trends/etc to LE.

> Registrars can be part of the solution, indeed. It only requires legitimate authorities to ask them, as long as they don't break the law. If they are asked by unaccountable vigilantes, asking things against the law, like revealing personal data,  don't be surprised they ignore them. 

I would agree is we had a system where the obfuscated whois details
were real. But as it is currently, we have a system that is seriously
broken, that criminalelementsrely on for their success, and quite
successfully so.

So now we are to hide this problem, roll out more TLDs and expect the
interests of all be better served? Wow, where is the reality in that?
I know the interests of registries/regisrars will be served


If we are to fix the system, it's simple, though painful.
a) Do not allow unverified proxy registrations (tossing in a free SSL
certificate as you go). Only do it once you have full verification of
the registrants. Forget about instant gratification register a domain
in 5 seconds. It satisfies some, harms the majority. Purge the junk
details. If may cost more.

How can we also expect our/other authorities to protect us if we give
them a trashed system to start off with?


b) Ensure that proxy providers themselves are legitimate. Why, one of
them "lives in a tree", hotel, are proxied themselves over a period of
time, targets German users (victims?), hosts in Russia, targets
"foolish" users worldwide in scams/DDoS attacks etc and has the legal
authorities running around in circles trying to fulfill their duties.

c) Identify bad actors in the DNS system and give it credibility by
denying them access to it. It is not your god given/constitutional
right to register abusive domain after abusive domain, year after year
to target third parties, however "foolish" they may be. This should
also not be tokenism; being seen to be doing something, just enough to
avoid criticism, but not enough to distract the bad actors. Rather the
registries/registrars should be agreeing on a code of conduct where
their registrants should not abuysing the system to target and abuse
the system, allowing it to harm third parties in cross jurisdictional
issues that leads to much harm.

Here we may work with the IP constituency, not "befriending them"
necessarily. At time to time we have common ground. Lets not self
blind and merrily follow the piper across the cliff.

On this, caveat: Yes: there are issues such as human rights where
exposure of serious human rights issues such as genocide etc should be
exposed. But if we are to be serious on this issue, a new sponsored
TLD can be set up where the registration etc can be managed by human
rights specialists. Registration should also not attract a fee for the
precise reasons this TLD should exist.


By following this process, we could rapidly cut out abuse, give the
system credibility and protect the interests of legitimate users.

There is nothing wild west in this system. We do not have to be
botanical specialist to discern an apple from an orange, likewise a
scam domain from a legitimate domain (I am not talking a
hijacked/hacked domain - different issue).


Derek



> Patrick Vande Walle
> 
> 
> 
> On 07 May 2011, at 00:41, Derek Smythe wrote:
> 
>> Hi Folks
>>
>> Here is a more than excellent example of why domain abuse issues
>> belongs at the registrar and why true privacy will not be possible
>> until abusers are taken care of.
>>
>> It all started off with a report of a phishing site. Doing a reverse
>> lookup on the IP the domain was hosted on, we get the list included below.
>>
>> Spending a bit of time on the search engines quickly shows numerous
>> frauds related to the relevant domains. Digging a bit deeper keeps on
>> leading to a specific "hosting provider" with a track record of these
>> type of domains and even SSL certificate abuse.
>>
>> Now, looking a bit closer at them in terms of whois details, we find
>> gross privacy abuse for the domains used in fraud and fraud attempts.
>>
>> For those that know how, looking very closely at them leads to victims
>> to this fraud and details showing them all to be of the same origin as
>> regards certain design elements.
>>
>> Now, considering the background of the hosting provider, he
>> specializes in these.
>>
>> How do we counter the the IP constituency if they throw these examples
>> at us?
>>
>> How do we deal with this form of domain abuse? The authorities are in
>> the know for a more than a while know. The SSL certificate providers
>> are in the know as well. The domain registrars are in the know.
>>
>> Doing a bit of backtracking leads to this post:
>> http://www.jaguarpc.com/forums/showthread.php?t=24529
>>
>> Now here is the sad part;
>> Since that post, the hosting was terminated and simply moved to
>> another IP at the same hoster, later we have two more more victims in
>> Australia after this move.
>>
>> http://www.rbol-uk.com/INT-UK/ (as I said, those that know how ...)
>>
>> In fact the Nigerian hosting provider is simply moving hosting once
>> caught out. In the meantime the "free one year privacy" is abused to
>> for anonymity and to make tracking more difficult. Without finding,
>> stopping and disabling these domains, the misery they create at the
>> hands of the abusers continues.
>>
>> As you will see, there is no easy way to do a 1-to-1 mapping of domain
>> name against the spoofed domain, so more TLDs will just compound the
>> issue.
>>
>> It also does not help if we claim that domain names have no special
>> meaning, in the eyes of the "ordinary user", how can
>> http://www.barclaysonlineservice.com not be part of Barclays Bank PLC?
>>
>>
>>
>>
>> Now ask yourself: what number of legitimate domain owners are targeted
>> by lack of domain privacy vs what number of the public are victimized
>> by domain "anonymity"? Which is the lesser of the two evils?
> 
> 
> 
> _______________________________________________
> At-Large mailing list
> At-Large at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/at-large
> 
> At-Large Official Site: http://atlarge.icann.org
>

More information about the At-Large mailing list