[At-Large] [WHOIS-WG] Fwd: WHOIS Policy Review Team Final Report

Derek Smythe derek at aa419.org
Wed May 16 21:04:14 UTC 2012


Patrick

I have no official standing in ALAC apart from my posts here. However;

* I have zero commercial interests in the registry business.
* I have a few domains that I registered as an ordinary user.
* I have been fighting abuse on the net since 1999, although I have
been involved in IT since 1981.
* My dealings are with any that will assist in protecting the ordinary
internet consumer and the internet users.
* In the process I work narrowly with victims and law enforcement.
* I also communicate with registrars and other internet service
providers on a regular abuse related basis.

I will reply to your comments inline.

On 5/16/2012 8:55 AM, Patrick Vande Walle wrote:
> 
> A fully open, public WHOIS condemns honest domain name registrants to
> be hurt by bad actors, like spammers. Being harassed on the phone, and
> see personal details exposed for all to see. 

Interestingly the only people to have harvested my details for abusive
reasons have been rogue registrars trying to sell me domain names I
dropped and similar domains in different TLDs and ccTLDs.

However a closed whois system will do more harm with the "current
mechanisms and implementations". Please note the last part of the phrase.

> I have no doubt experts in cybercrime would find the useful clues in
> the WHOIS.  I am all in favour of giving them access to the
> information they need, as long as they clearly identify themselves,
> the work they do and be transparent  who they work for, have a code of
> conduct, etc.    However, I consider that exposing the private details
> of millions of honest individual domain name  registrants to chase a
> few thousand criminals, who would fake their contact details anyway,
> is disproportionate from a human rights POV.

Taking the current status quo of the WHOIS system as a starting point;
Despite the data available in both thick and thin registries, with
more honest people's details exposed than the many fake details of a
few, those few cause more harm to the general internet populace and
affected third parties than harm is done to the registrants.

The current failing is the willingness to allow and tolerance for
invalid whois details in the registries, being another enabler in
internet fraud.

> 
> Note also that other registries, mostly ccTLDs, have privacy policies.
> Yet, they do not have more issues with counterfeiting and spam than
> the main gTLDs have.  What is disappointing  is that ICANN  (both the
> corporation and the community) does not want to question the model
> they use and learn from best practices developed elsewhere.

Admittedly the abuse is less, yet all ccTLDs are also not equal. Where
we find stricter registration requirements, the abuse is less. Where
we find more tolerant policies, an abuse report with evidence suffices
to have the domain cancelled.

Yet the .com .org .info are most popular with the abuse as far as I
see, but also for the bulk the most difficult to have abuse curbed.

It is also easy to say the abuse is at the hosting side. Yet a domain
can be an instrument in crime. Unlike another tool that can be used
for crime where you have to be local to the victim and as such subject
to the same laws of the land, a domain used in international crime is
remote from the victim and separate disparate laws apply.

> Lastly, we should really distinguish between data collection and data
> display. The current  ICANN WHOIS policy does not. Collecting private
> details is legitimate.  Displaying them to everyone is not. I doubt
> there are many countries where one can consult the car registration
> database or obtain the details of an unlisted phone  number without
> showing the right credentials to access that data. Why should the
> domain name database be any different ?

Actually physical presence allows you to do a lot with the correct
evidence, including obtaining the details. Virtual presence is the
problem.

Why do the Europeans that are unhappy, not support the European ccTLDs?

In my country my details are also visible if I register a domain here.

The international domains are just that - international and
international rules should apply. How do we deal with the situation if
someone in reality from West Africa registers a domain with an address
in the USA at a Chinese registrar via a reseller in India paying by
Western Union, hosts in Malaysia, defrauds someone in Belgium?
Incidentally he uses AnchorFree that does not keep logs to connect to
Yahoo for emails. Then money mules and money laundering follows to
retrieve the proceeds of fraud. (I am referring to real issues here!).

If the domain registration details were not publicly visible, also due
to the smaller loss this would have been swept under the carpet as
an isolated incident and the victim become a statistic. The victim
would have had no justice. However due to historic information in the
public domain and search engines, you suddenly find the registrant,
despite the fake whois, is also responsible for other losses and has
registered similar domains in the past. Whois details are a way of
linking related incidents across different domains and countries.
Suddenly all those smaller losses add up and law enforcement becomes
extremely interested. This has happened many times in the past and
will happen again. Additionally new suspicious domains can be
identified and links to past events, allowing for actioning BEFORE the
scammer has time to defraud.

Likewise I could use many more of these examples of how whois is used
for the public good.

As a caveat - the first time more than a few users discovered they
were victims to identity theft and credit card fraud, was when I
contacted them after finding their details in domain registration
details. One victim was alerted even before she received her statement
and could act immediately. Many registrars also appreciate such
information as they incur fewer losses later. Small bonuses.

....
> 
> Patrick
> 

The issue at hand is no checks are done at registration time apart
from ensuring valid payments, yet when we see the result and the
consequences, we want to treat domains as valuable. The problem is
"junk in, junk out". The Louis Vuitton issue is a good case in point.
Simply removing public whois visibility from the current mess, would
simply inflate costs to other third parties and even further strain
scarce resources, law enforcement included. Domain abuse will become
more rife and will be to the detriment of each and every user.
Currently the public can check and point out issues. These issues
allow registrars to do further checks and also to protect themselves
and the public. This does also make a small difference for the better
if the registrar lives up to the spirit of the RAA. Sadly too few do
in the TLD space.

However, if ICANN were to start enforcing their own policies and
immediately start ensuring the sanctioning of any party where there is
clear evidence of fake registration details with "potential" harm
(lock domain and disable DNS until resolution?), also requiring for
more verification, we would suddenly start seeing a totally different
picture. We are currently in a chicken-and-egg situation. Were we to
implement stricter quality assurances at registration time and third
party abuse clauses, malicious domain counts would drop. Were domains
abused, there would be more accountability and those responsible
easier traceable. The cost to the abusers would sharply rise and
would have a more stabilizing effect on the net.

Hopefully in three years' time we can once again have this discussion
with less controversy. But we have to start somewhere. Sadly I'm not
holding my breath.


Derek
