[At-Large] FW: Update on the RAA Negotiations Since Prague

Mon Sep 10 21:29:57 UTC 2012

I would normally agree, except this is not how it happens in reality.

We have the theory, but then there is reality....

You cannot expect Parliaments etc to really take notice and address
issues if the internet public themselves are self defeatist. The
current mantra is "privacy and anonymity at all costs". Essentially
this creates an environment that is totally unmanageable and creates a
threat to everyone. We need responsibility in this process.

What do you think happens currently? We find bullet proof hosters,
uncooperative registrars referring us to IC3's website and IC3 only
willing to address the worst of the worst. But what is teh worst, if
you can't link incidents?

The current implementation of the WHOIS policy allows a malicious
registrant to change names to perpetuate malicious activities. In the
process he uses VPNs that keep no logs, paid for by places totally
outside the recognized monetary systems. This leaves law enforcement
virtually powerless.

By the time victim losses eventually tally to the point where law
enforcement takes notice, much harm has been dome already.

In the past I mentioned Heihachi here, a "Russina" reseller for an
American registrar who refused to deal with the issue effectively. The
reseller themselves had fake WHOIS registration data, but were allowed
to act as a privacy proxy.

In the process they shielded a group known as the fake shopkeepers.
This resulted in what was described as Germany's largest cyber-scam
last month in the media when the perpetrators were sentenced;
  ~2000 victims opened cases,
  over 1m € losses,
  190 recorded fake shops.

Of those 190 shops, approximately half were domains via Turkish
registrar, the other half via American. It's not as if the reports
weren't flowing in before of fake whois and abuse.

The news reports ignore numerous DDoS attacks on servers worldwide,
from the USA to India and Germay, mixed with hacking attempts by this
gang using the Heihachi network.

Currently we have garbage going into the system, yet we are loathe to
clean up and wish to pass the buck. Many times privacy/anonymity is
used as an excuse for this garbage. "Due process" takes a lot of time
and money, all for the sake of an unverified $10 domain registration.
Who foots the bill for that? The victim? Why victimize a victim further?

Then off course there is the presumption that due process works across
international borders. Unfortunately we do not have a perfect world.

As the situation currently stands, the worst enemy of the ordinary
user is privacy and anonymity. Right now innocent peoples data is
being stolen and abused by a few anonymous players using domains and
resources purchased with anonymizing mechanisms.

I would strongly suggest that ICANN and a knowledgeable independent
party does a study on how bad actors were able to target innocent
users using the DNS system and associated anonymizing mechanisms. I
believe the fake shopkeeper saga in Germany would be a great case
study as this effected the stability of and trust in the net. The fact
that the owner of Heihachi was arrested eventually is small
consolation for those he harmed (he was not Russian, an open secret,
except no-one was willing to listen). Likewise the fake shop gang in
Germany who eventually got their day in court is small consolation.

My point:

It is easy to debate these issues without real experience or reference
points of what is happening in the abuse arena. In fact most law
enforcement officials and parliamentarians do not even understand the
real Internet and the threats the great unwashed are experiencing.

I can report domains that target users
On 9/10/2012 9:45 PM, Salanieta T. Tamanikaiwaimaro wrote:
> I should also add that the threats that accompany the TPP gives rise to
> what Holly mentions in terms of "private law enforcement" where IP mark
> holders by virtue of serving notice directly can have access. This is why
> laws need to be debated by people in Parliaments or Legislative
> Assemblies. What happens to "Due Process"? What constitutes a
> legal seizure of a Domain Name?
> 
> On Tue, Sep 11, 2012 at 3:58 AM, Carlton Samuels
> <carlton.samuels at gmail.com>wrote:
> 
>> Hi Holly:
>> Absolutely, the privacy issues you highlighted do attract spirited debate
>> and very emotional responses.  The ALAC has staked out its position and at
>> least for the last 3 years, that position has been consistently reiterated:
>> a recognition that in furtherance of free speech rights, some groups,
>> especially ones that might be politically inconvenient, do indeed deserve
>> some protection;  a formal community embrace of defined privacy services
>> and their providers; the conditions under which a privacy provider would be
>> authorised.
>>
>> Best,
>> - Carlton
>>
>>
>>
>> ==============================
>> Carlton A Samuels
>> Mobile: 876-818-1799
>> *Strategy, Planning, Governance, Assessment & Turnaround*
>> =============================
>>
>>
>> On Sun, Sep 9, 2012 at 8:47 PM, Holly Raiche <h.raiche at internode.on.net
>>> wrote:
>>
>>> Hi Carlton
>>>
>>> Privacy was one of the really hard issues that the Whois Review had to
>>> grapple with.  If you look at the initial report (as opposed to the Final
>>> and Final Final reports) two privacy issues are there. The first is how
>> to
>>> determine registrant eligibility for the privacy server.  Should it be
>>> confined to individuals, or include organisations (clear candidates would
>>> be human rights groups in many countries, womens' refuges etc)  Trying to
>>> define eligibility will be a challenge.   The other challenge is to
>> define
>>> who has legitimate access to the contact information held by the privacy
>>> server. 'Law enforcement agencies' was the initial thought.  But in some
>>> countries, private organisations also perform law enforcement tasks under
>>> contract to the agency.  They are performing legitimate law enforcement
>>> tasks but aren't themselves, agencies.  Should they have access.  Even
>> more
>>> difficult are the countries where the state itself is the oppressor - and
>>>  its 'law enforcement' agencies are the very reason for the need for
>>> privacy.
>>>
>>> I'm sure that is the reason the Final Final report backed away from any
>>> details on the proposal - and probably why discussion is being fostered
>> now.
>>>
>>> I suspect there will be many varied and divergent views within ALAC - all
>>> of them legitimate. Providing input on what is a complex, vexed issue
>> will
>>> be a challenge for GAC - and for ALAC.
>>>
>>> Holly
>>>
>>> On 08/09/2012, at 12:46 AM, Carlton Samuels wrote:
>>>
>>>> FYI.  Note the specific request for advice via GAC on data protection.
>>>> - Carlton
>>>>
>>>> ==============================
>>>> Carlton A Samuels
>>>> Mobile: 876-818-1799
>>>> *Strategy, Planning, Governance, Assessment & Turnaround*
>>>> =============================
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Kurt Pritz <kurt.pritz at icann.org>
>>>> Date: Thu, Sep 6, 2012 at 11:26 PM
>>>> Subject: [soac-discussion] FW: Update on the RAA Negotiations Since
>>> Prague
>>>> To: "soac-discussion at icann.org" <soac-discussion at icann.org>
>>>> Cc: Matt Serlin <matt.serlin at markmonitor.com>
>>>>
>>>>
>>>> Dear SO/AC Chairs,
>>>>
>>>> ****
>>>>
>>>> Recognizing the broad interest in the ICANN community on the RAA
>>>> negotiations,  we wanted to provide you with a brief update on the work
>>>> conducted since the Prague Meeting for you to share with your members.
>>>>
>>>> ****
>>>>
>>>> Since Prague, the negotiation teams have reviewed the input received
>> from
>>>> the Community in order to identify possible path forwards on the
>> complex
>>>> issues that have been put on the table in these negotiations.  Several
>>>> meetings have taken place and are scheduled prior to Toronto, including
>>>> plans to invite the GAC to provide input from data protection experts
>> on
>>>> several specific issues.  There is also an agreement among the
>>> negotiation
>>>> teams to begin analysis of a potential framework for a privacy/proxy
>>>> accreditation program to be explored with the broader ICANN community.
>>>>
>>>> ****
>>>>
>>>> For more information on these important negotiations, please visit the
>>>> ICANN wiki at:
>>>>
>>>
>> https://community.icann.org/display/RAA/Negotiations+Between+ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement
>>>>
>>>> ****
>>>>
>>>> Sincerely,
>>>>
>>>> ****
>>>>
>>>> Kurt Pritz (ICANN) and Matt Serlin (MarkMonitor)
>>>>
>>>> ****
>>>>
>>>> ****
>>>>
>>>> ****
>>>>
>>>> ****
>>>>
>>>> ****
>>>>
>>>> ****
>>>>
>>>> ** **
>>>> <smime.p7s>_______________________________________________
>>>> At-Large mailing list
>>>> At-Large at atlarge-lists.icann.org
>>>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>>>
>>>> At-Large Official Site: http://atlarge.icann.org
>>>
>>>
>> _______________________________________________
>> At-Large mailing list
>> At-Large at atlarge-lists.icann.org
>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>
>> At-Large Official Site: http://atlarge.icann.org
>>
> 
> 
> 