In Ian Fleming's Thunderball, M sends 007 to the Bahamas on a hunch that SPECTRE is hiding something there. Well, it's been our hunch for a while that the Bahamas "office" for the Registrar Internet.BS does not exist. Now we have confirmation of such. It has been documented in an explosive undercover exposé (Internet.BS: A Safe Haven for Drug-Related Cybercrime?) by LegitScript that the Internet.BS address as stated could not be verified, could not accept mail, and that the business itself could not actually be found in the Bahamas. Interestingly, Internet.BS does not offer the .BS domain extension, so it seems they may not be adding a penny to the Bahamas economy while prominently using the country's name. The official responses to this report from Internet.BS indicate they are really in Panama.
Unfortunately, the problem of Registrar obfuscation is not a new one for ICANN. The concern is that this is yet another phantom with an unverifiable location like Parava Networks, OnlineNIC and EstDomains. These are egregious examples, but the problem is truly pervasive, and KnujOn has been tracking the invalidity and unavailability of Registrar contact information for a long time, as many Registrars are run from unknown locations or post boxes. It has been a major agenda of governments, law enforcement and security experts to improve Registrar transparency by requiring full disclosure of location, ownership, and proof of local licensure, but there has been significant pushback on this from the Registrars. The 2009 RAA was amended to require Registrars to post contact information on their websites, and ICANN compliance issued an official letter to me in 2010 which stated "ICANN is planning to incorporate website checks into its 2011 registrar audit schedule", but KnujOn found 10 new Registrars created in 2011 which have no address posted. We understand that in the modern virtual world businesses run from multiple locations, but this is not the situation here. We are talking about an industry which is by mandate supposed to be transparent but is in fact opaque beyond acceptability. To be clear, the address in this case does apparently exist but cannot be verified. An address which does not exist is a clear violation, but an address that cannot be verified as a legitimate business has a different purpose, as a front.
Behind the front here is possibly the largest collection of illicit pharmacy domains, one-third according to the LegitScript report and possibly 44% according to the National Association of Boards of Pharmacy (NABP). In fact the NABP issued a letter today to ICANN to encourage them to act on this issue. It was NABP requests which encouraged Google, Yahoo and Bing to stop accepting advertising from illicit pharmacies. This is specific to KnujOn's work and ICANN as we conducted a case study on an Internic.BS sponsored illicit pharmacy with false WHOIS which the Registrar kept online after the deletion deadline.
ICANN's potential response to the NABP could be problematic, as its enforcement ability is compromised by internal politics, conflicts of interest, and a general collapse of contractual authority. It has been revealed over the last few days that the RAA is not enforceable on a fundamental level, in terms of registrar enforcement of WHOIS accuracy. For many of us this was the last tool keeping rampant domain abuse at bay. Now it seems that there are no limits on what a rogue Registrar can do. This is not a good model for public trust, and discussions on abusive registrars seem taboo within ICANN. This could be the biggest policy and security failure on the general Internet, as it touches everyone. The literal difficulties presented by this could be seen in the Verizon v. DirecNIC suit, where a Registrar operating in Louisiana, listed in the Caymans, owned by someone in Florida, with shell companies in other unknown locations, simply could not be found. The case collapsed because of a lack of clear jurisdiction. This is a godsend for companies like Internet.BS, which can operate with impunity everywhere and nowhere, like the mythical SPECTRE.