Home / Blogs

Don't Make Us Treat Our Customers Like Criminals!

Michele Neylon

Crime, fraud, scams etc., they're all very bad things. They're also not going to go away anytime soon.

As a domain name registrar and hosting provider we're constantly "at risk", as we sell a lot of services that are both cost-effective and also give criminals the tools they need to attack 3rd parties.

Again, this isn't exactly news.

We've always taken a very pro-active approach to dealing with criminal activity and network abuse. If your website gets compromised, for example, you might get an email from our technical team asking you to fix it. If you don't act on our notification we might go so far as taking the website offline until you fix it.

And we like to get paid by our clients, so we've implemented our own anti-fraud checks. It makes sense. We want to get paid. We don't want people paying us with stolen credit card details.

Any and all of the things we do in order to keep our network clean and our operations running is done with the least amount of disruption to our clients.

But recently I've been losing sleep.

What's Going On?

Let me explain.

We are an ICANN accredited registrar. That means we are one of the relatively small number of companies in the world that has a contract, or "license", both with ICANN and the various domain name registries such as Verisign to provide domain names. The contract we have with ICANN is like the "bible" for how we are meant to conduct ourselves. It includes a combination of obligations and rights for both us, as a registrar and you, as a registrant (the person who registers domains).

The contract is called the Registrar Accreditation Agreement or RAA for short and we signed ours most recently in 2009. It's now under review and while some of the changes being proposed aren't going to have a negative impact on either us or you, our clients, there are several aspects of the proposals that simply do not sit right with me.

I am personally very concerned about some of the proposals being pushed by Law Enforcement and ICANN, which, if successful, would mean that we'd be forced to demand a LOT more information from our clients than we should have to. It's not reasonable and some of the requests could put us in direct conflict with Irish and EU law.

Just for the sake of transparency I'm posting the two documents outlining the proposals as PDFs further down this page and you can read more about what's being going on over here.

There's quite a bit of legal mumbo jumbo but the bottom line is that Law Enforcement want us to gather a LOT of information about you when you register a domain name.

They also want us to validate a lot of the information you provide.

Both of these concepts aren't abhorrent at some levels, but when you take them too far and make them a binding obligatory part of our contract with ICANN they result in me losing sleep. (And in case you're asking if this change is made then it'll impact ALL .com domain registrations whether you do it directly via a registrar like us or via a reseller like a lot of the smaller hosting providers etc., out there)

There's a lot of issues with both concepts, but let's take them one at a time.

Data collection...

Collecting data that you need to do what you're asked to do i.e. register a domain name for someone, is fine, but asking for a whole lot more data is an issue. Not only are we expected to collect it, but we're also expected to hold on to it for way longer than you'd normally retain transaction data. (Remember a domain can be registered for up to 10 years and the registrant can renew it for up to 10 years at any time. )

In several jurisdictions (including Ireland) there are limitations on the amount of non-essential data that you can collect as part of a transaction. Take a look at any UK website since the beginning of this week and you'll see what they're being forced to do when they want to collect cookies, which, in many cases, are fairly innocuous. How we can be expected to collect data about how you might use your domains is beyond me. And I don't even see that is being within the scope of ICANN's role.

You can read over the document here: LE_Rec_coll2012 (it's a PDF)

Validation & Verification

The other side of the "coin" is the entire validation/verification thing.

Now don't get me wrong. I don't have an issue with there being better data in systems. I just think that there are ways to improve data quality without making the entire domain registration process akin to pulling teeth.

Law Enforcement have provided an explanation on what they'd like to see us doing (see: LEA Validation). Some of the stuff they're asking about isn't abhorrent as a concept, but forcing us to conduct this kind of validation and verification on every single domain name registrant is going to have a detrimental impact on the entire domain name system. (And note the usage of terminology — a "registrant" might be a customer of ours, but it could be a friend, or customer of one of our clients.

Our account holders, however, are our clients and we'd have a pretty good idea if they were up to no good as we do vet them)

A couple of highlights, or low points from the document… (take your pick)

When a prospective registrant submits a registration request, the Registry will send a unique HTML link to the registrant's email of record or to the email of record of the beneficial registrant

Couple of issues with this. First off the "registry" doesn't have the registrant data or access to it if the domain in question is a .com. And asking registrars to send emails to thousands of people who've never had any direct dealings with them is going to cause more issues than it solves.

Registrar will call or SMS the phone number provided during the registration form.

So you can only register a domain name if you have a mobile phone number? And who is going to pay for all these phone calls and texts? Validating registrants for .xxx costs in the region of $7 per domain, so you'd easily see the price of a .com rise to €30 or €40, which doesn't benefit us, ICANN or anyone else. (And did I mention it won't actually stop online crime?)

But the real kicker is this bit:

No domain name will be placed into the zone file and will not resolve until the account e-mail and telephone number have been verified

Translation — unless you jump through hoops you don't get your domain name and it won't actually work until you do backflips for it.

Note how we got over 10 thousand businesses to go online over the last year (for free)? And that they went with the quickest and easiest route a .com, .eu or .biz domain name.

Putting extra barriers in the way of ordinary individuals and businesses when they want to take their business online is a bad idea.

Are The Criminals Winning?

Why vilify the majority for fear of a minority?

The Internet is one of the few areas where business is still thriving. For a lot of people and businesses taking themselves online offers them a chance of survival.

Or if you want to get into other areas of this I can sum it up with two words: digital divide.

When you get into an arena where you're demanding that people handover loads of data AND that they already have working email AND working phones AND verifiable physical addresses etc., you're immediately narrowing the field. You're stopping some people from getting online. And these are innocent bystanders. They haven't committed any crimes, but they're being treated like criminals. In fact we all are and we're being forced to play "piggy in the middle".

This is not a good move and if we're forced to sign a new agreement with ICANN which includes these kind of terms I can only see negative outcomes.

Comments, questions and general feedback welcome!

By Michele Neylon, MD of Blacknight Solutions. More blog posts from Michele Neylon can also be read here.

Related topics: Cybercrime, Domain Names, Registry Services, ICANN, Internet Governance, Policy & Regulation, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Criminals, such as fleeing bank robbers, might Phil Howard  –  May 30, 2012 6:50 AM PDT

Criminals, such as fleeing bank robbers, might you the roads and highways.  So we should close them, or at least put a checkpoint every kilometer to verify the email address or telephone number of at least the driver of everyone passing through.

Emails can be faked.  You know nothing about a person when at one point in time they were able to receive a code sent to that address.  It could have been briefly broken into.  Also, lots of people have given up on email due to the spam problem.  Tell ICANN to solve the spam problem before they try to require email.

Oh, BTW, I've now got a new kind of email address.  It looks a lot like an HTTPS URL.  In fact, it works by accessing an HTTPS web site and typing in the email.  Their are graphical human tests every step of the way.  There's no SMTP.  It's web interface in and out.  I expect in the future they might catch on to avoid spam.  If that is to be used, don't expect to automate the process.

And of course there are those anonymous email sites.  And many freemail sites don't require any authentication other than being matched to the authentication used to sign up, and hence are effective anonymous, especially with Tor in the mix.

Some people don't have telephones, now, thanks to some cool new technology called the internet.  They used to have TTY/TDD.  But the internet made that obsolete.  Yay internet.  It's now even more difficult to no discriminate against a class of people, both hearing impaired, and speech impaired.

Some domains need some verifications Alessandro Vesely  –  Jun 05, 2012 11:53 PM PDT

Email addresses seem to be going to be the credential of choice, nearly ubiquitously on the Internet.  They ought to be classified so as to make it clear whether they can lead to the identification of a natural person, otherwise it makes little sense to verify them, as far as prevention of criminal activity is concerned.

Anonymous domain registration has to be allowed, and I believe it is.  However, domains that sell goods and/or send email must not be anonymous, IMHO.  To be effective, such discrimination needs to be enforced by network providers.  Presumably, they can lookup the domain's WHOIS record and act accordingly.  Currently, a VAT number seems to be a necessary and sufficient condition for acquiring an IP number.  Do they verify your email address when you apply for those?

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

General Availability Kicks Off for .Website, .Press and .Host

New .ORGANIC Top-Level Domain Welcomes Leading Brands As .ORGANIC Pioneers

Dot Chinese Online and Dot Chinese Website Featured in EURid's World Report on IDNs 2014

New .ORGANIC Top-Level Domain Opens to Serve the Organic Community

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Independent Endorsement of Dot Chinese Online & Dot Chinese Website by by FiarWinds Partners

New gTLDs and Best Practices for Domain Management Policies (Video)

.Host Announces Top Global Players As Pioneer Partners

Public Interest Registry Releases Bi-Annual Report, .Org Domain Registrations Pass 10.4 Million

Public Interest Registry to Speak About Upcoming Launch of .ngo and .ong Domains for NPOs

Landrush Opens for .Website, .Press and .Host

Afilias Announces General Availability of .BLACK Top-Level Domain

Nominum Announces Future Ready DNS

Last Lap of .WEBSITE, .PRESS and .HOST Sunrise

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

Sponsored Topics