Accountability, Transparency, and… Consistency?

Garth Bruen

ICANN Compliance now has two conflicting answers on record concerning the enforceability of RAA 378 on WHOIS inaccuracy. This is a topic of extreme importance and one we are trying to get to the bottom of. In response to the WHOIS Policy Review Team, ICANN Compliance stated (on page 79): "there is no requirement in the RAA for registrars to ensure that WHOIS data is accurate", which is in line with the Review Team's own findings that "If data is found to be intentionally false registrars are not obligated to cancel the registration." However, in response to a request to clarify this issue, ICANN Compliance stated in a presentation in Prague that "ICANN is authorized to breach a registrar for failure to delete or failure to correct inaccurate whois". This Compliance statement is also in direct conflict with Compliance's advisory on the subject, which states "[the RAA] does not require a registrar to cancel a registration." Compliance was asked in session to cite the specific authority which allows them to "breach a registrar for failure to delete", but their answer did not address the question. This inconsistency needs to be resolved, as it directly impacts the current RAA negotiations, and certainly before new gTLDs are deployed.

This was not the only conflicting information which came out of the At-Large and Compliance meeting in Prague. In this discussion Compliance staff repeatedly ask At-Large representatives to cite specific examples of problems, but when a question concerning certain complaints is asked (at minute 01:19:27), the room goes silent. To further the point, a specific case concerning BizCN is read aloud but not addressed specifically by Compliance. Compliance presented a number of process enhancements and improvements in automation at this meeting, but the issue on the table was actual enforcement of the contract, which seems to be lacking. Setting the tone for this missing enforcement was the apparent removal from ICANN's website of a flowchart entitled "ICANN Compliance Program for Registries and Registrars", which had no enforcement phase documented in the flow, only complaint dismissal, closure and circular shuffling. However, this has been replaced with three new charts which show significant improvement in stated process. Unfortunately, the question is still open as to whether these processes will actually be used as stated. So far we do not have a good track record of real follow-through. The three legs of Compliance are Prevention through collaboration, Transparency through communication, and Enforcement. But it feels like this chair is going to drop us on the floor.

By Garth Bruen, Internet Fraud Analyst and Policy Developer.

Comments

Derek  –  Jul 02, 2012 6:25 AM PDT

As far as I am concerned, the mechanisms in ICANN as it stands today are all about protecting the registrars and ICANN, perhaps to a much lesser degree registrants, but definitely not the casual internet user. The protection offered the user is nothing but an empty play on words.

The results of the WDPRS process you highlighted are not surprising and why I ignore this mechanism having tried it before. Initially I even had a domain dedicated to educating and trying to get users to submit WDPRS reports, but I could not let it survive in good faith. The WDPRS is nothing more than a placebo for the internet user. If the registrar decides to not do anything, that is essentially where it ends. Compliance is a joke that lacks transparency. Your WDPRS results can be extrapolated to different types of fraud ranging from escrow scams through auction scams to 419 scams.

The easiest way today to commit fraud, is pay your $10 odd (most likely already stolen) to an "ICANN Accredited" registrar. Immediately you have a tool to be abused and the protection of a registrar and even ICANN. Heck, they may even add a free layer of protection in the form of a proxy registration (or privacy protection, while we are playing on words) for free and a few dollars more - a more than ideal value proposition for anyone with criminal intent.

Naturally ICANN and the registrars will say that illegal activity falls outside their gambit and you should report the issue to law enforcement, yet they knowingly accept invalid whois details and provide services for criminality and abuse. They then hold out for law enforcement to obtain court orders etc, also knowing the details they possess would frustrate law enforcement officials. Sadly they lack those same acceptance rules resulting in a totally unbalanced system. You could not build a better system if you were a criminal even if you tried.

ICANN, who is supposed to be overseeing compliance, cannot say they are not aware of these ongoing growing issues. Way back commissioner J. Leibowitz of the FTC made them aware of this issue, likewise numerous other law enforcement officials trying to protect the ordinary internet user. However they have it all neatly bundled up in the RAA to sell $10 domains while holding themselves harmless under law.

What I am extremely curious about is how this will hold up in court? How could you allow a domain to resolve if you have evidence of its criminal nature, knowing the registration details you have are fake, yet assume that 3.7.7.12 of the RAA and like provisions still apply under these circumstances?

You cannot have a legitimate agreement with a fictitious registrant!

Charles Christopher  –  Jul 02, 2012 9:03 AM PDT

>Naturally ICANN and the registrars will say that illegal activity falls
>outside their gambit and you should report the issue to law enforcement,
>yet they knowingly accept invalid whois details and provide services for
>criminality and abuse.

There are MANY of us that became registrars for this very reason. We strongly believe in the internet but felt the need to avoid "retail registrar" predation (whois is just the tip of the iceberg).

So it bothers me when all registrars are lumped together.

Another change I'd like to see is a different class of registrar being available. That is anybody wanting to be the "registrar" of their own domains, and ONLY their domains (their domain whois SHALL match their registrar whois as provided by ICANN), would have access to a lower cost registrar model with less costly operational policies and procedures. Nothing solves problems like TRUE competition .... Gut the retail registrar system of their most profitable customers and they will be forced to clean up their act, or perish ....

Derek  –  Jul 02, 2012 1:27 PM PDT

@Charles - I'm definitely not lumping all registrars together. A sincere apology if you understand my comment as such. I have stood up for certain registrars in the past and will again, especially those who "really" frown on abuse and take positive steps to curb such abuse given valid proof, not supply mere lip service to such issues and hide behind terminology and legal departments. I would like to say numerous abuse departments at registrars/resellers and other service providers have shared in a mutual education process and have become better companies for it.

But "If it looks like a duck, swims like a duck and quacks like a duck" we all know what it is, especially if we are all farmers. No matter how much posturing and legalese you throw into the discussion, it is still what it was before. I'm referring to "those" registrars. Why I lump ICANN into the problem is some rather creative responses I've had from ICANN on serious WHOIS issues on registrars ignoring the RAA.

Charles Christopher  –  Jul 02, 2012 2:39 PM PDT

Thanks for the clarification Derek. :)
On the ICANN issue, I'd like to see:

1) Verisign move to a thick / centralized whois
2) Privacy whois NOT be allowed
- Note, we use privacy whois and I'd like nothing more than to be told we can't anymore
- Use a lawyer, or POB, etc., if privacy is needed.
3) Some type of whois challenge mechanism
- Perhaps a card sent via the mail, from the registry, ("out of channel", relative to the internet) with an ID code that must be entered into registrant admin panel. Said card may only be sent once every 6 months (?) if there are no contact record changes. Failure to enter the code dezones the domains - Probably need to allow a "retry" too.

>Why I lump ICANN into the problem is some rather creative
>responses I've had from ICANN on serious WHOIS issues on
>registrar's ignoring the RAA.

During the Sydney meet I and others asked (online) how registrants, the true "end users" of domain names, benefit from ICANN.

We were shamed by the ICANN rep for even asking the question.

.... I'm STILL waiting for an answer to the question .....

Let me give an example that fits with this thread. RegFly screwed a lot of registrants by stealing their domains, I was one they tried to steal from and I alerted other domainers. RegFly kept changing the Whois Contact info and few people ever noticed this. The result is the REQUIRED ICANN / Iron Mountain Whois Escrow system, which allows registrars to escrow privacy whois for their domains. So we have the illusion of protection, but no protection from EVIL registrars ...

So back to my question of how registrants benefit from ICANN as the whois escrow only protects registrants from HONEST registrars.

I think the free market can play a great role dealing with the evil registrars, but to do that we need MORE registrars. And the ability for entities to "disconnect" from the system by being their own registrar (lower cost and complexity). This would be no different than the nTLD deployment underway right now.

Derek  –  Jul 02, 2012 4:21 PM PDT

I tend to agree with the gist of where you are going with your thoughts.

1) I'm a great proponent for thick WHOIS. I have seen WHOIS servers failing all too often.

2) Here I differ a tad :) Long term I would like real private registrations simply because nobody would dare try and dare play proxy without being held accountable under 3.7.7.3 of the current RAA. Naturally the proxy would have to be a real party, not some pseudo reseller with an address that resolves to a tree or hotel like we have seen.  But first we need to sort out the current mess that has been allowed to develop, then build accountability into the system, then only move forward. You would not let anyone buy a firearm/motor vehicle on your name if you do not know who he is, yet we allow this in the virtual world.

3) On the WHOIS lookup mechanism, perhaps. However upon establishing your credentials, you get access to a special server where you can do look-ups against the thick WHOIS server in (1). This is necessary to clean up messes where you suddenly find yourself having to validate massive amounts of data to simply reach a result, the cause being the registrant/reseller channel.

As for the true "end users"? Why, even registrants are pulling on the short end of the stick. Consider the scam alert at http://www.adb.com.gh/en/scam-alert.php

Isn't http://www.adbnks-gh.com/retailbanking.htm pretty, isn't the WHOIS even prettier, considering the email domain admbi.com does not exist and we have an invalid telephone number and address? Do we afford the registrant the opportunity to fix his whois and then distance this from a WHOIS issue? Or are we going to recognize this as the proverbial "duck"?

Looking at http://www.adbofghana.com/contact.htm we see the same scam template, but now beautifully protected with domainidshield.com. A proxy has ensured the domain now has valid WHOIS details.

Going through the reseller's account we find gems like KINGDOMSASSOCIATE.COM, JAMESBROWNASSOCIATE.COM ... (the mess I was referring to and all too sadly a regular occurrence).

But back to the real Agricultural Development Bank Limited. What about AGRICBANK.NET? It's not as if the registrant has been an angel and he has not previously registered ambankandtrustonline.com, bercoexpressdelivery.com, unsecurityfbc.com, unsecurityddc.com (these last two United Nations scams), santanderbank-online.com etc (27 domains found and counting since 2011-01-03) via Hostforweb.com (Enom reseller). By now that alarm should be sounding like a banshee!

Now does the real Agricultural Development Bank Limited launch a WDPRS? Or a UDRP? Or do they contact the registrars? Or law enforcement for each incident?

If I say I find the current situation sickening, I'm not exaggerating.

Now to get back to the true "end users" and public - how must they feel? Obviously defensive registrations do not scale to this onslaught on the legitimate users.

As for being your own registrar, I agree except that many users would not be able to manage the technical aspects of managing a TLD. We only need to look at the phishing spate the TimThumb exploit in WordPress themes has launched. It was discovered approximately a year ago, yet daily web sites of web consultants are being affected and I find them mentioned in my email, requesting me to update bank accounts at banks I do not have.

But that said, we need some disincentive for the bad players and force them out of the market permanently. There I agree with you totally.
