[At-Large] Privacy and domain abuse vs the IP constituency

Antony Van Couvering avc at avc.vc
Sun May 8 10:33:23 UTC 2011

In my role as uniform purveyor, If I report an impersonator to the police, presumably they arrest him.  If they don't, *and* they tell me they're still looking for him, *and* he shows up again, then I call them again.   If I call them ten times and they still don't arrest him, eventually I figure that either (a) he's innocent or (b) they don't care or (c) both. 

What I don't do is tell every customer who comes into my shop that because I reported someone once, everyone is under suspicion, and I'm going to be sending all of their names to the police, and collecting and verifying their address and other particulars before I sell them a uniform.  

I'm not a cop, and my customers (and probably the general public) don't want me to act as a cop.  I'm not trained, I don't know the law, and I'm not given any powers by the state.  

Furthermore, I would be out of business in a week, because all my customers would be (rightly) offended and seek another uniform shop.  

If I recognize a malefactor, I will happily drop a dime on him.  If it's someone I don't know, the presumption is that he's not a malefactor.  

The key is recognition.  It's very easy to fake your identity on the Internet, it's very hard to verify that people are who they say they are. The cops can't seem to do it, how am I, a guy who sells uniforms, supposed to do it?  

I can walk into any Walmart in the country and buy a 12-inch hunting knife that I can eviscerate somebody with, or a bow and arrow that will kill a human being at a great distance.  I can buy gasoline to set someone's house on fire.  I can buy a variety of poisons, or the ingredients for poison, at any drug store or hardware store.  They don't ask me who I am, where I live, or any such thing.  If I do any of these things, the cops will come after me, but they're not going to hold the person who sold me my tools of evil responsible, simply because they are evil because of my actions, not in themselves.    The vast majority of domain names are used for useful and legitimate purposes, just as gasoline is, or ammonia and chlorine bleach.  

Personally I have a hard time justifying a regime that would treat sellers of domain names as criminal accomplices, or impose on them a duty of verification that doesn't exist for ISPs, or email providers, or IP address providers.  I certainly don't see anyone lining up to indemnify registrars against lawsuits because they deny someone a domain name unjustly.


On May 8, 2011, at 7:34 AM, Derek Smythe wrote:

> A domain is many things to many people.
> Sadly it's also part and parcel of the scammers/spammers/... bag of
> tricks. It's their entrance ticket to the web for certain types of
> crime. Add to that lookalike domains. Ask yourself why we find all
> those derivative names used in scams. No matter what we may say here,
> it is how the general public perceives domains that makes the
> difference to domain abusers.
> What should the shop owner selling uniforms do after he was informed
> what you are doing with those uniforms? After he was shown how you mug
> people in the street outside his shop, abusing the implied power that
> uniform gives you?
> Obviously report it to the law enforcement authorities for a start.
> But should/would he again sell you the next uniform (unless requested
> to do so by the authorities)?
> Let's take it one step further, your uniforms you buy are for a
> country just across the border, what should the shop owner do if the
> shop labels were collected on the scene of a cross border crime along
> with a fake ID used at said shop? Or being cross-border make that make
> it okay? Remember, the shop owner has the closest visible link to you
> from a public perspective.
> Add registration details to the mix. Today you are Joe Bloggs,
> tomorrow John Smith, the next day Dick Turpin and you present theze
> bogus registrations details when you buys your goods. Why did the
> authorities ask the shop owners for registration details in the first
> place if they are not collected or they don't bother verifying them in
> a bid to chase efficiency and simply don't care. Luckily many shop
> owners care, but others do not. To alleviate the issue, some shop
> owners creates an unverified proxy system, advertises it and sell even
> more uniforms. When the authorities come knocking, he simply shrugs
> his shoulders and blames you.
> Let's change the uniforms to money. Money laundering? Know your
> client? Likewise trade issues. Maybe a bit extreme example, but what
> are scams about? Money. Take it a bit further and the reason for the
> money laundering legislation. Funding for terrorism, drugs and what
> not is not a horror story. It is very real.
> Why do we expect domains to be different? Virtual maybe, but not the
> potential for harm through deception.
> Domains are only part and parcel of the bigger issue at hand, but
> vital in some instances.
> Let's rather ask why domains should be exempt from normal real world
> issues?
> On 2011/05/08 00:52, Antony Van Couvering wrote:
>> Derek,
>> Why is this a "domain" issue?  You seem to be describing criminal behavior but I'm not entirely sure why you're grabbing on the domain end of the stick.  
>> If I impersonate a police officer, it's my behavior that's criminal -- there isn't (and shouldn't be) any liability attached to the shop that sells the uniforms. 
>> Antony
>> On May 7, 2011, at 11:58 PM, Derek Smythe wrote:
>>> On 2011/05/07 13:59, Patrick Vande Walle wrote:
>>>> Derek,
>>>> There can be no bargaining on  fundamental, constitutional or legal rights for individuals, in favour of the commercial interests of a few corporations.  
>>> Bargaining? Few? Who said anything about bargaining or few?
>>> As for constitutional or legal rights - nobody has the right to use a
>>> domain and/or it's privacy to defraud - that is not your
>>> constitutional/god given or whatever right - thought the Internet and
>>> the way things are implemented currently has made some parties think
>>> so because they have been doing it for years abusing international
>>> jurisdictional issues and are getting away with it without
>>> repercussions, in fact becoming quite wealthy in the process at the
>>> cost of international consumers.
>>> Example: Is LE going to chase down a "Malaysian" provider repsonsible
>>> for a VPS full of scam domains. Example:
>>> http://www.adamscolechambers.com/law/people.html
>>> Why should this not of concern to us, the average John Doe?
>>> Simple - because the target is not the site that is being plagiarized
>>> http://www.chartlands.org/people.php (right down to images of the
>>> actual lawyers).
>>> These scams have been going on to target the average small people that
>>> may be cluesless, yes, but they do not deserve the right to be
>>> defrauded by anonymous miscreants.
>>> As for the legitimate chartlands.org, do they have the right to have
>>> their designs stolen, the images stolen and added to fictitious names?
>>> Arguably they would use intellectual property laws etc to take down
>>> this domain (and they should) and end up forming part of the "evil" IP
>>> constituency en the end.
>>> Here both the average user and the IP constituency have common ground
>>> - which is the point I'm trying to make!
>>> Now rinse and repeat this scam thousands of times over and the victims
>>> accumulate quickly....
>>>> If such thing were to happen, that would be through the form of a proper, accountable, legislative process, not a parallel enforcement, judicial system set up by private sector companies in order to protect their vested interests. 
>>>> This is not the wild west anymore: we have institutions that are in charge of chasing, arresting and judging people who do things against the law. If these institutions do not do their job, talk to your congressman, vote for another party at the next election, i.e exercise your democratic rights as a citizen to influence the society and the administration that runs it.
>>> The wild west? Congressman? Parallel enforcement? ....
>>> I think you should take a breath and ask why these are successful. My
>>> "congressman" is exactly at the heart of the problem. We do not have
>>> those here, we have members of parliament etc. Further it is not their
>>> problem either, since the actors in the above illustrated issue have
>>> nothing to do with it. Yet we may sit with victims. So where do we go,
>>> Malaysia where the DNS leads us to? What a (whois) joke, fake whois
>>> details!
>>> Here we have international issues at play. I have no say other than
>>> continuously bugging the law enforcement officers in the USA regarding
>>> hosting accounts, pointing out issues to the relevant hosting
>>> providers etc since this malicious party abuses USA hosting providers
>>> and the protection they offer.
>>> As for the country he resides in, Nigeria, they have different
>>> priorities and even though illegal in their country under the "419"
>>> statue, the rate at which these are growing and abusing the DNS system
>>> shows how efficient their enforcement system is. Why, it has grown way
>>> beyound the prolific cottage industry of a few years back and has it
>>> become an accepted. Do you not think the domain usage in these scams
>>> are playing a role? Yes they do and we need to ask ourselves why the
>>> use is continued and growing.
>>> So, to answer your statement. "My" congressman or equivalent member of
>>> parliament, law enforcement etc can only do so much, but at the end of
>>> the day international escalations exist and are followed. Itis up to
>>> the recipient country to action. If they do not ... we have what we
>>> have. So no, it is not a wild west but disparate laws and remote
>>> differing priorities that causes situations like the current to exist.
>>> But then again I think you know that as this issue has certainly been
>>> beaten to death.
>>>> And please ask yourself: who you buy a Rolex from a stranger in the street ? If you did, you would only have to blame yourself for your foolishness. Would you buy a Rolex from a stranger on the Internet ?  The same answer applies. The only remedy against stupidity is education. 
>>> Wow! Now it is okay to be defraud foolish people? So much for the
>>> promise of the internet, lets start all over again.
>>> Here is a little reality check for you since you wish to equate this
>>> to non-virtual issues; In all other non-virtual systems their is much
>>> more responsibility/accountability and maturity. We had examples
>>> regarding proxies on this list re buying cars etc. Their is a
>>> responsible party. That responsibility ensure you make very sure you
>>> know who you are proxying for if you have to accept responsibility for
>>> his actions. Equate that to the net?
>>> The average "foolish" user equates to most of the populace on the
>>> planet. The believe that domains registrations is a normal real world
>>> process with all the checks and balances as they find in their every
>>> day lives. We on this list know better.
>>> So are we to start another ICANN group? The "foolish" group with real
>>> responsible world expectations?
>>>> I must say I am disappointed to read on a mailing list targeting the interests of individuals that they should give up one of their constitutional rights in order to be friendly to the IP constituency. 
>>> Friendly? No, I'm saying we should not self blind at all costs. Thus
>>> far it has resulted in a stalemate that cost us individuals quite a
>>> lot. And we can expect more of the same.
>>> Ask yourself, why are some of the biggest supporters of open whois
>>> details LE? Is it not because they also rely on the public to make
>>> them aware of issues?  How many abusers on the internet have been
>>> arrested based on leads that came from the non-badged public?
>>> Even fake whois has it's values. I suggest you read the ICANN archives
>>> on this issue.
>>>> Many lawyers in Europe consider the provisions regarding WHOIS in the RAA to be illegal in Europe. I know of at least one registrar that is under investigation of the data protection office in its country for possibly breaking the local privacy laws for individuals. It is only a matter of time before these provisions will not be enforceable in this part of the world. 
>>> Yes, hiding whois details may alleviate some problems in as far as
>>> there may be less reports of arrests. Take a guess why? Simply because
>>> the public will not be able to point out issues/trends/etc to LE.
>>>> Registrars can be part of the solution, indeed. It only requires legitimate authorities to ask them, as long as they don't break the law. If they are asked by unaccountable vigilantes, asking things against the law, like revealing personal data,  don't be surprised they ignore them. 
>>> I would agree is we had a system where the obfuscated whois details
>>> were real. But as it is currently, we have a system that is seriously
>>> broken, that criminalelementsrely on for their success, and quite
>>> successfully so.
>>> So now we are to hide this problem, roll out more TLDs and expect the
>>> interests of all be better served? Wow, where is the reality in that?
>>> I know the interests of registries/regisrars will be served
>>> If we are to fix the system, it's simple, though painful.
>>> a) Do not allow unverified proxy registrations (tossing in a free SSL
>>> certificate as you go). Only do it once you have full verification of
>>> the registrants. Forget about instant gratification register a domain
>>> in 5 seconds. It satisfies some, harms the majority. Purge the junk
>>> details. If may cost more.
>>> How can we also expect our/other authorities to protect us if we give
>>> them a trashed system to start off with?
>>> b) Ensure that proxy providers themselves are legitimate. Why, one of
>>> them "lives in a tree", hotel, are proxied themselves over a period of
>>> time, targets German users (victims?), hosts in Russia, targets
>>> "foolish" users worldwide in scams/DDoS attacks etc and has the legal
>>> authorities running around in circles trying to fulfill their duties.
>>> c) Identify bad actors in the DNS system and give it credibility by
>>> denying them access to it. It is not your god given/constitutional
>>> right to register abusive domain after abusive domain, year after year
>>> to target third parties, however "foolish" they may be. This should
>>> also not be tokenism; being seen to be doing something, just enough to
>>> avoid criticism, but not enough to distract the bad actors. Rather the
>>> registries/registrars should be agreeing on a code of conduct where
>>> their registrants should not abuysing the system to target and abuse
>>> the system, allowing it to harm third parties in cross jurisdictional
>>> issues that leads to much harm.
>>> Here we may work with the IP constituency, not "befriending them"
>>> necessarily. At time to time we have common ground. Lets not self
>>> blind and merrily follow the piper across the cliff.
>>> On this, caveat: Yes: there are issues such as human rights where
>>> exposure of serious human rights issues such as genocide etc should be
>>> exposed. But if we are to be serious on this issue, a new sponsored
>>> TLD can be set up where the registration etc can be managed by human
>>> rights specialists. Registration should also not attract a fee for the
>>> precise reasons this TLD should exist.
>>> By following this process, we could rapidly cut out abuse, give the
>>> system credibility and protect the interests of legitimate users.
>>> There is nothing wild west in this system. We do not have to be
>>> botanical specialist to discern an apple from an orange, likewise a
>>> scam domain from a legitimate domain (I am not talking a
>>> hijacked/hacked domain - different issue).
>>> Derek
>>>> Patrick Vande Walle
>>>> On 07 May 2011, at 00:41, Derek Smythe wrote:
>>>>> Hi Folks
>>>>> Here is a more than excellent example of why domain abuse issues
>>>>> belongs at the registrar and why true privacy will not be possible
>>>>> until abusers are taken care of.
>>>>> It all started off with a report of a phishing site. Doing a reverse
>>>>> lookup on the IP the domain was hosted on, we get the list included below.
>>>>> Spending a bit of time on the search engines quickly shows numerous
>>>>> frauds related to the relevant domains. Digging a bit deeper keeps on
>>>>> leading to a specific "hosting provider" with a track record of these
>>>>> type of domains and even SSL certificate abuse.
>>>>> Now, looking a bit closer at them in terms of whois details, we find
>>>>> gross privacy abuse for the domains used in fraud and fraud attempts.
>>>>> For those that know how, looking very closely at them leads to victims
>>>>> to this fraud and details showing them all to be of the same origin as
>>>>> regards certain design elements.
>>>>> Now, considering the background of the hosting provider, he
>>>>> specializes in these.
>>>>> How do we counter the the IP constituency if they throw these examples
>>>>> at us?
>>>>> How do we deal with this form of domain abuse? The authorities are in
>>>>> the know for a more than a while know. The SSL certificate providers
>>>>> are in the know as well. The domain registrars are in the know.
>>>>> Doing a bit of backtracking leads to this post:
>>>>> http://www.jaguarpc.com/forums/showthread.php?t=24529
>>>>> Now here is the sad part;
>>>>> Since that post, the hosting was terminated and simply moved to
>>>>> another IP at the same hoster, later we have two more more victims in
>>>>> Australia after this move.
>>>>> http://www.rbol-uk.com/INT-UK/ (as I said, those that know how ...)
>>>>> In fact the Nigerian hosting provider is simply moving hosting once
>>>>> caught out. In the meantime the "free one year privacy" is abused to
>>>>> for anonymity and to make tracking more difficult. Without finding,
>>>>> stopping and disabling these domains, the misery they create at the
>>>>> hands of the abusers continues.
>>>>> As you will see, there is no easy way to do a 1-to-1 mapping of domain
>>>>> name against the spoofed domain, so more TLDs will just compound the
>>>>> issue.
>>>>> It also does not help if we claim that domain names have no special
>>>>> meaning, in the eyes of the "ordinary user", how can
>>>>> http://www.barclaysonlineservice.com not be part of Barclays Bank PLC?
>>>>> Now ask yourself: what number of legitimate domain owners are targeted
>>>>> by lack of domain privacy vs what number of the public are victimized
>>>>> by domain "anonymity"? Which is the lesser of the two evils?
>>>> _______________________________________________
>>>> At-Large mailing list
>>>> At-Large at atlarge-lists.icann.org
>>>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>>> At-Large Official Site: http://atlarge.icann.org
>>> _______________________________________________
>>> At-Large mailing list
>>> At-Large at atlarge-lists.icann.org
>>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>> At-Large Official Site: http://atlarge.icann.org
>> _______________________________________________
>> At-Large mailing list
>> At-Large at atlarge-lists.icann.org
>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>> At-Large Official Site: http://atlarge.icann.org
> _______________________________________________
> At-Large mailing list
> At-Large at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/at-large
> At-Large Official Site: http://atlarge.icann.org

More information about the At-Large mailing list