[WHOIS-WG] [At-Large] Whois privacy

Sat Feb 23 03:42:26 EST 2008

Derek and all my friends,

  My remarks and comments interspersed.

Derek Smythe wrote:

> Hi all
>
> The strangest is that by law, the regulators of many countries
> specifically require all businesses to publish details regarding
> themselves on their website if they have one. Many do not, many have
> no other contact mechanism than a webform. However many of these sites
> have private registrations. This is a red flag.

  Indeed true, but many more countries have been strengthening
privacy regulations and laws accordingly especially in the EU.
Reviewing archives of Whois WG's from ICANN should be
aluminating for you, there have been 5 thus far sense 1999.
See for instance: 
www.icann.org/committees/whois/
www.icann.org/gnso/whois-tf/report-19feb03.htm 
gnso.icann.org/issues/whois-privacy/
gnso.icann.org/issues/whois-privacy/tor.shtml
gnso.icann.org/issues/whois-privacy/tor2.shtml 
and the list goes on and on and on...

>
>
> Remember not all criminals are just spammers and phishers. We also see
> websites selling non-existent goods, websites set up to act as escrow
> sites for the non-existent goods and websites pretending to be courier
> companies that will transport the non existent goods. The same gangs
> will also set up job scam sites where moneymules will be recruited. We
> see fake lotteries, fake banks, fake lawyers, even the United Nations,
> FBI, CIA and Interpol spoofed in other types of scams. These domains
> are registered with stolen credit card details, by Western Union or
> other untraceable means. Many of them are in fact hosted on fastflux
> networks. As such, not to distract from the seriousness of spamming
> and phishing websites, there are other types of criminal abuse of the
> internet. In fact many times  the same parties are behind these scams
> as in spam, however each scam type is serving a different purpose and
> are just part of one larger machine to defraud victims.

  All too true indeed, I agree.  In fact ICANN has contributed
greatly to these problems with registrars such a Registryfly, now
thankfully defunct, although much belated in the doing so.  False
organizations such as the IDNO, which collapsed upon its own
false practices once exposed.  Two previous questionable attempts
by ICANN to create a @large, both of which once exposed for
the fraud that they were, collapsed accordingly, and so forth and
so on....

>
>
> The biggest problem is that cyber criminals are the early adopters of
> new technology, privacy protection being no exception. This causes a
> major problem for the contemplated legitimate users of privacy
> protection in this case and is one of the reasons why we will most
> likely remain in a stalemate situation regarding whois privacy.

Whois privacy must be maintained and would benefit all users
and registrants if strengthened significantly.  There is not now
nor has there ever been a real need for private and personal information
regarding a registrant in order to address criminal activity, that is
for the courts and LEA's to do with the many tools they already
have at their disposal and is often done very effectively with same.
Recent examples:Canadian Police Arrest 17 in Alleged Botnet Scheme
 http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html

http://www.upi.com/NewsTrack/Top_News/2008/02/21/quebec_smashes_ring_of_17_computer_hackers/8519

 http://www.darkreading.com/document.asp?doc_id=146639&WT.svl=news2_2
and "Man Gets Three Years Probation for eMail Harassment"

http://sacramento.fbi.gov/filelink.html?file=dojpressrel/pressrel08/sc021308.pdf

>
>
> Many registrars are reluctant to act on reports of fake whois and
> fraud. However fake whois and fraud is discussed in
> http://www.icann.org/announcements/advisory-03apr03.htm, deliberate
> fake whois details are also discussed in
> http://www.icann.org/announcements/advisory-10may02.htm
> Registrars and indeed the ICANN perspective is that this is a LEA
> issue and tend to pass the buck, forgetting we have fake whois issue.
> I have yet to see a criminal website set up with real and valid
> details, whois details included.

  Also indeed true, which only and significantly points up why
ICANN itself needs to keep a very close eye and police its
registrars as well as registries.  This however is not a Whois
issue but rather a registration issue.

>
>
> At AA419 we have seen domains registered by innocent victims of
> identity theft, their details appearing in whois details for a domain
> they are not even aware of. Americans appear to be good prey! These
> details were not obtained via whois lookups, many of them do not even
> know how to register a domain. They would have been unaware of
> compromised credit cards and personal information, were it not for
> their details appearing in a domain registration.

  Domain name registration data and Whois data may often times
not be compatible or need to be so.  Hence again this is not
a Whois issue but rather a registrar registration data archive
and accuracy problem.  LEA's can get this data, but often
times it cannot be trusted as accurate given the poor management
of registrars of this registration data.

>
>
> Reality is I am a great supporter of whois privacy. However, to make
> this work, we would first need to fix the current system and the
> problem of thousands of fake domain registrations flowing into the
> system, define mechanisms for dealing with fake whois, enforce
> immediate domain cancellations where we have clear proof criminal
> activity and setup  the mechanisms to deal with these domains in a
> timely manner - remember two weeks or 15 days is a lifetime for a scam
> domain and not appropriate. We also need to identify mechanisms to
> deal with private registrations where such domains are used for
> criminal activity. We also need mechanisms to be able to contact the
> privacy provider themselves. We needs mechanisms to effectively
> escalate details of criminals activity worldwide.

  The mechanisms of which you speak are already available in
the registrars registration data which is supposed to be archived
and kept for up to 3 years.  However many registrars are not
in compliance with this requirement and the Data Retention
Act in the US and similar legal conscripts in other countries
already in place, although in some instances those laws
are recent.

>
>
> Only once we have this problem under control, can we actually proceed
> to whois privacy. Without this, we have a house without a foundation.

  The "House without a foundation" was the creation of ICANN and has
existed sense 1999, when at that time and prior too, Whois data
was more centralized yet often times not accurate.

>
>
> The other aspect of this issue is that the methods used to defraud
> innocent people are changing daily, being dynamic is the nature of the
> internet. On the other hand policy makers are simply not dynamic enough.

  I agree with the latter, which is why a strictly legal or regulation
approach cannot and will never work.  Proactive approaches are needed 
and the oversight that ICANN is supposed to be doing of its Registrars 
in particular is necessary but currently nonexistent.

>
>
> As far as I know, no country condones theft - stealing a victim's
> money here in this case. Why then should there be a problem
> formulating policy in this regard.

  Agree here as well.  Which is why security of registrants personal
data is paramount, and why Domain Name warehousing and
Domain Name tasting is far more important avenue by which to
begin to address such theft.  But in order for this to occur, it
is necessary for ICANN to uphold it's responsibilities fully
fairly, and with gusto.  So far such has not been the case..

>
>
> Regards
>
> Derek Smythe
> http://www.aa419.org
>
> Jeffrey A. Williams wrote:
> > Bill and all my friends,
> >
> .....
> .....
> >   Any and all ligitimate businesses or individuals should be very concerned
> > regarding their privacy regarding personal information due to stalkers,
> > ID thieves ect...  This would include protecting their personal
> > information from even LEA's.  See for example:http://www.eff.org/blog
> > and most especially from other businesses with well known online
> > business recognition such as Google or LEA's such as the FBI, in
> > some instances...
> >

Regards,

Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1 at ix.netcom.com
My Phone: 214-244-4827