Home / Blogs

Domain Name Registrar Allows Completely Blank WHOIS

In a very casual and low-key footnote over the weekend, ICANN announced it would be further bypassing the Affirmation of Commitments and ignoring the WHOIS Review Team Report. There will be no enhanced validation or verification of WHOIS because unidentified people citing unknown statistics have said it would be too expensive. Here is the exact quote sent to the Accountability and Transparency Review Team:

Regarding the WHOIS verification goals for the 2013 RAA, while it is true that ICANN initially sought more expansive WHOIS validation/verification requirements, questions were raised related to the costs associated with implementing them on a global basis.

As a topic which has burned untold hours of community debate and development, the vague minimalist statement dismisses every ounce of work put in by stakeholders. For an organization that loves studies, there is no study cited here which demonstrates how the process would be too expensive. And which process? Has ICANN ever requested proposals to develop a validation process? Without actual proposals to review how does ICANN determine it would be too expensive? We all know that WHOIS inaccuracy has been a bone of contention for over a decade now which lead to the AoC section stating:

existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information

But, now ICANN just decided not to do it.

One of the major outcomes of the AoC was the creation of the WHOIS Review Team to find a path for ICANN to tackle WHOIS. This cross-constituency working group issued a 92 page report which recommended WHOIS become a strategic priority for ICANN (but that would be too expensive). The review team said ICANN should reduce the number of inaccurate WHOIS records by 50% every year (too expensive). But, let me take a step back. ICANN doesn’t actually say validation would be too expensive, they merely state that questions were raised related to the costs.” So questions raised by persons unknown is enough to thwart years of effort by the Internet community. Does anyone get to ask questions about the costs associated with bad WHOIS? Are the six phantom compliance employees ready to deal with this?

So, what does this get us? It gets records like the one for the illicit pharmacy site nobledrugstore[DOT]com which is completely BLANK:

Using WHOIS server whois.dattatec.com, port 43, to find nobledrugstore.com
Datttatec.com - Registration Service Provided By: Dattatec.com
Contact: +54 341 599000
Email: [email protected]
Website: http://www.dattatec.com

Domain name: nobledrugstore.com
Creation Date: 2012-07-25
Expiration Date: 2016-01-23

Status(es):
clientDeleteProhibited
clientTransferProhibited

Domain Name servers(es):
ns2.ipnames.net
ns1.ipnames.net

Registrant conatct:
Name:
Company:
Email:
Address:
- ( zip: )
Phone : -

Admin conatct:
Name:
Company:
Email:
Address:
- ( zip: )
Phone : -

Billing conatct:
Name:
Company:
Email:
Address:
- ( zip: )
Phone : -

Tech conatct:
Name:
Company:
Email:
Address:
- ( zip: )
Phone : -

Hashtag: TheNewICANN

By Garth Bruen, Internet Fraud Analyst and Policy Developer

Filed Under

Comments

I am totally fine with the blankness jeroen  –  Oct 7, 2013 11:45 AM

I am totally fine with the blankness of it, otherwise there would just be useless data anyway (“Private person” or “POBox XYZ” etc)

It would be better if it was structured and standardised to state “No details provided” with a standardised WHOIS element.

We could then easily create a RBL or RPZ zone for these domains and presto, not worry about them anymore. A browser/otherutility could query such a RBL/RPZ and inform the user of the status of that domain; or people could use the RPZ zone in their recursors and never have to bother going there in the first place.

Well, this comment goes to the meat Garth Bruen  –  Oct 7, 2013 12:06 PM

Well, this comment goes to the meat of the matter. What is ICANN doing to promote consumer trust, consumer protection, and reduce malicious abuse? Nothing. At least the system you are proposing limits the exposure of the Internet user.

The footnote says "...while it is true Greg Aaron  –  Oct 7, 2013 4:17 PM

The footnote says “...while it is true that ICANN initially sought MORE expansive WHOIS validation/verification requirements…”  (emphasis added)  I think it means that ICANN wanted more expansive requirements at one point, but ended up with what is in the 2013 RAA.  The 2013 RAA does contain both form validation and WHOIS verification requirements on registrars, and is more demanding about WHOIS accuracy than anything that’s come before.  The form validation bit alone should in the future prevent the blank WHOIS that Garth cites.

So I think the question is: What does Garth mean by “enhanced” validation or verification?  Clearly it must be something above and beyond what’s in the 2013 RAA.  Garth, what validation requirements would you have preferred?

A lot of ideas were tossed around by a lot of people over a couple of years—including the idea that every gTLD registrant should be required to provide a copy of his or her identity papers before being allowed to register a domain name.  That’s clearly expensive to execute, and clearly onerous for the ordinary registrant, especially when most ccTLDs don’t go that far.

More about current policy Garth Bruen  –  Oct 11, 2013 2:53 PM

Thanks Greg. These issues are completely addressable under the current contract (and even the previous one) - Dattatech is plainly violating the entirety of RAA 3.3.1. We can't just look to the future for answers because then it will be put off for the next version. That the new version is "more demanding" sounds like "double-secret-probation". It's demanding now, but only as good as ICANN's ability or willingness to enhance. This has never truly been policy issue as much as an execution or process issue. ICANN wont or functionally cannot perform the task. This is also about ICANN making big flourishes about doing something and then quietly not doing it. There is very little (no) transparency to the statement that "questions were raised" is the executor of policy. Idea's being tossed around is the approach ICANN should be taking, it should be soliciting real solutions. I have already come up with an algorithm for ensuring valid WHOIS based on existing technology and without going to the extreme step of requiring identity papers, I have never offered that as a solution. It's not brain surgery, I know dozens of coders who would submit RFPs if ICANN would accept them seriously. When the validation project started I thought it was completely inappropriate to task the registrars with developing and funding such a system. This should not cost the registrars or the registrants a penny more and should not have to. There should be standard to implement at low cost and not a hundred standards with varying levels of effectiveness. ICANN isn't serious about doing this, that's the problem.

I have long thought that whois for domain names is long obsolete Karl Auerbach  –  Oct 7, 2013 7:30 PM

I was on the net when the domain name whois was essentially a club roster of colleagues.  That was OK.  And in the 1970’s we did have reason to pick up the phone or drop an email when something went awry - there were no support desks in those days.

But that era has long since become history.

To a large degree the whois system has beccome something like Megan’s Law in reverse - whois publishes the names of potential victims to those who would like to take advantage.

I have long thought that anyone who wants to penetrate the business record that we call DNS “whois” ought to leave a written calling card - identifying himself, proving that identity, and stating an accusation of what specific rights of the accessor are being violated by the accused and backing that with specific evidence, and perhaps even leaving a bit of money to add some friction to slow down frivolous inquiries and also to create at least some compensation in case those accusations should prove to have been false or made with negligence or reckess indifference.

If one has a serious accusation the proper path is to invoke the legal process which has rules to manage this kind of accusation and to block data mining.  If one thinks that the legal system is to slow then the path is to fix the legal system, not to penetrate everyone’s privacy.

About a decade ago, for demonstration purposes rather than a serious endevour, I created a skeleton prototype of a TLD that did not have any whois at all and used cryptographic certificates to demonstrate “ownership” of a name.  It also eliminates other silly ICANN limitations such the ten year limit on registrations.  A zone for this TLD has been active in my own name servers for more than a decade (but I’ve had other things that have kept me from finishing the registry code and deploying it.)

http://cavebear.com/eweregistry/

I now routinely use a registrar that protects privacy.  But it will probably take years for the daily rain of junk phone calls to phone numbers taken from non-private whois records to fade.

If you're not part of the solution ??? Fred Showker  –  Oct 8, 2013 5:20 PM

Am I understanding correctly, that you think your privacy and comfort is more important than the general population. You don't think every owner of a domain should have a paid up, license on record. You don't think they should be held accountable for their actions? I'm obviously not as old as you. However, when InterNIC was properly operated and functioning properly, there was little cybercrime, because each domain owner had a specific, trackable identity. Am I correct in understanding that you use one of those masking services? The ones owned and operated by the cybercrime industry to protect their operatives? Am I hearing you correctly? If so, I'd like to hear your take on domaining and domain kiting ... where that fits into your TLD "zones" . . . Would you freely allow an unknown entity to register 10,000 domains in a half-second, without a WhoIS, and then give them up a week later without paying?

I do not presume that people are crooks - I require an accusation backed by evidence Karl Auerbach  –  Oct 8, 2013 5:54 PM

In .ewe yes, I value privacy more than conjured fears. I am not among those who presume that anyone who registers a domain name is a criminal. Nor do I believe that speculation is an offence against humanity. And I believe in fair and due process - I reject vigilante methods. One may ask "What specifically do I mean by fair and due process?" Here's what I've long proposed: If someone has violated your legal rights, then you ought to be able to make an accusation, stating onto a permanent record who you are, the nature of your legal rights, how they were violated, you you believe violated those rights, and why you believe it is that accused person rather than someone else. Moreover you should be obligated to agree to an agreement, to which the domain registrant has clear third party beneficiary rights of enforcement, that any information obtained will be used for the sole and exclusive purpose of redressing the asserted violation of your rights and will not be transferred to any third party. All of that information and entry into the limited-use agreement should be set down *before* one gets any access. If one can't meet that rather minor hurdle or make a promise of limited use then why should we violate the privacy of domain registrants? My purpose with .ewe was to demonstrate several of the fallicies ICANN pulled out of thin air and constructed into the foundation of its rules. Why should domain names be sold on the basis of yearly rental? Why a maximum of ten years? Why should updates of domain information be bundled with the yearly rent? Why should there be registrars? Why should ICANN be an arm of the trademark industry? Why should business transactions of non-dangerous instrumentalities be published to any and all without even giving the data subject a list of who inquired? You can read more on this at: http://www.cavebear.com/cbblog-archives/000331.html

Sir, we seem to agree . . . Fred Showker  –  Oct 8, 2013 7:13 PM

I agree with everything you say. * I am ALSO not among those who presume that anyone who registers a domain name is a criminal (after all, I own dozens of domains). * I ALSO do not believe that speculation is an offense against humanity. * I ALSO believe in fair and due process. Yet we seem to disagree on what is reality and what is not reality. The process you propose is almost as faulty as ICANN's. And it would be a miracle to enforce either. That's part of today's problem. By the time you did that diligence (which I agree, in a perfect world should be required) the crooks are gone. "Excuse me sir, you'll need to make a legal accusation that you've been denied your legal rights before we can treat your gunshot wound and pursue the criminal who robbed your convenience store. Can you sign this limited-use agreement? Ooooops, I'm sorry, you've lost consciousness... oh sir, oh sir..." I realize that is a fairly silly metaphor, but when a felony has clearly been committed, it's difficult to expect both parties to agree to anything before action can be taken. There's a bridge for sale in San Francisco. But it sounds like you are suggesting that "accountability" is the same as "responsibility" ?? ... I believe they are different. We both believe that everyone should be responsible. But there are those in the world who are not responsible to do the right thing because there is no accountability. People are basically lazy, self-centered and greedy. They're not going to do the responsible thing unless they're held accountable to do so. You seem to be at least somewhat concerned with the state of the domain system. Help me understand why you believe : > If one can't meet that rather minor hurdle or make a > promise of limited use then why should we violate > the privacy of domain registrants? Example : I am completely capable of meeting that minor hurdle... yet my privacy is being violated and I'm being computer harassed to the tune of approx. 300 computer breakins a day (Close to 4,000 in the past 10 days) by the SAME cybercrime cartel maybe in Russia, maybe in the U.S. I've reported them more than 70 times to their provider, their host, their secondary host, their registrar and ICANN. All I get is a note saying that ICANN will allow the registrar 45 days to respond. Can you think of one reason why nothing's done? I knew you could . . . of course : because they don't have to. Nobody is holding them accountable. Just read Garth's complaints to ICANN. Why aren't they regulating those domains and registrars like they're supposed to? Are these the people you are sticking up for? So I've followed ALL of the requirements you dictate for your proposal. Everything you say should be done has been done. Everything. Now what? You thought all that up, but you didn't come up with what happens "next" ... In your proposal, what do you do if they don't comply? Who is going to make the OTHER guy toe the rope? So I used the 'official' complaint forms. I gave all my personal info they asked for ... I made myself fully accountable. Here's who is asking. At the end of the 45 days I'll get a canned message from ICANN saying they've checked it and the Registrar confirms the information accurate. (Except we called the phone, and it doesn't exist, we tracked the address in New York, which is the parking lot for a Guitar company, and we emailed the owner and "Google" sez that address doesn't exist.) I agree with you. ICANN and the WhoIS are BOTH worthless -- except for making money for someone. I believe strongly that ICANN should be disbanded and replaced with a working system that makes ALL domain owners accountable. Not just you. Not just me. But ALL domain owners -- every single last one of them. We both agree to reject vigilante methods. We both agree there needs to be fair and due process in place. But we don't seem to have a "what next" statement -- what makes our other two agreements function? I proposed the "ISP Self-Regulatory Initiative" in year 2000 for the FTC Spam Forums held in Washington. It gave the what, how, what if, and then statements in no uncertain terms. Middle school students understand it. However, it would work if and only if the big five providers took the initiative and adhered to it. Don't you think they would? To end all that bandwidth and security waste? Well, they didn't. In fact they wouldn't dare. Because they're all making too much money off cybercrime. Imagine Google making their users be accountable . . . when 40% of the phishing and cybercrime email today comes through gmail accounts, and Google uses the metrics and numbers to sell the big advertisers. We're talking billions of dollars in profits here. There is a huge industry out there that doesn't want anyone to tamper with the Domain or DNS system. And they're making sure it keeps on just like it is. You see where this is going, right? Because in today's internet society there IS NO ACCOUNTABILITY nor RESPONSIBILITY, nor HONOR. It's all about the dollar and how much they're making off the miserable state of affairs. Network Solutions has 2,000,000 domains they paid 80-cents for but charged $35 for. Hello? Anybody home? So we can all sit back and watch that house burning but not do anything about it. Help is NOT on the way. The answer to all your questions is "No, they shouldn't -- they don't need to." Yet all of your questions are totally irrelevant to the issue at hand -- the intelligent, effective management of the DOMAIN system. So you ask : > Why should business transactions of non-dangerous > instrumentalities be published to any and all without > even giving the data subject a list of who inquired? Why did you buy tags for your car? (assuming you did) Why should my ownership of your car be published to any and all without even giving you a list of who wants to know? Why should radio stations register for their band width? Why should your business address be published to any and all without even giving you a list of who inquired? Why should anything be regulated? Why can't we buy the drugs we want? Why can't we sell the drugs we want? Why shouldn't we send 25 million false emails a day? Why can't we just register any name we want? Why should there be registrars? Why should ICANN be an arm of the trademark industry? (Are they? NO.) Are these questions for civilized people? I am glad that we both agree. But not glad that it's the way it is and nothing's being done about it. Good day

What would the internet be like had there been no ICANN? Fred Showker  –  Oct 8, 2013 7:19 PM

Sir, just wanted to add one thing ... I must stay that after reading the "CaveBear Blog" article -- I quite like what I read, and quite agree with what you're saying. Truer words were never spoken: THE ROAD WE DID NOT TAKE WOULD HAVE BEEN THE BETTER CHOICE. It's the same thing I've been preaching. Thank you Mr. Clinton and Algore.

I think you may be overthinking the machinery that I have proposed Karl Auerbach  –  Oct 8, 2013 8:32 PM

All of what you wrote is completely valid and of concern. Please don't think that I'm diminishing or dismissing your concerns. I hate a lot of the junk and scams and crimes that are on the internet today and the people who do it - I've proposed (in jest) some draconian punishments - http://www.cavebear.com/cbblog-archives/000236.html Let's distinguish between the rather hypothetical approach that I took in .ewe (the digital bearer certificate with no whois) versus the potentially more possible method in which a person asking for access to whois information has to say who he is, make an accusation, and agree to a limited use agreement. Let's ignore .ewe for the moment - it isn't likely to happen beyond a negligable prototype. And let's focus on the other stuff. When I first proposed the calling-card+accusation+contact method of access to whois I also had a requirement that the accusation and evidence be reviewed by a third party (human now, hopefully automated in the future). But that review machine makes things too inefficient and expensive to be feasible or practical. So my mental image today is this: Suppose you have reason that you want to inquire into whois, here's what you'd need to do: 1. Go to a web page 2. Give your name and some sort of proof of that identity. (This will take some creativity to make this easy. And for those who go to whois frequently there could be shortcuts such as pre-arranged credentials.) 3. Say why you want to look at the data - essentially make an accusation that some right of yours has been violated and give some particulars. Much of this could simply be a drop-down on a web page. Simply saying "I am curious" would not be sufficient. *However*, I do not see any strong argument for allowing the curious person to have access to a version of the whois data that has been stripped of some details - for instance only a telephone country code+city code rather than the full phone number, postal code rather than the full address, etc. 4. Click agreement to a terms-of-service that obligates you to use the information to be disclosed only to pursue a remedy to the situation described in step 3 above and that you won't use the data for other purposes or disclose it to any third pary (except perhaps your legal counsel.) 5. You get the data. This is not a lot more burden than today's largely unfettered whois access. But it would add some friction, hopefully enough to keep out the data miners. And another upside is that if there is that kind of protection then those of us who use privacy-enhanced registrars might be willing to forego that protection.

Size of club makes it more serious Garth Bruen  –  Oct 8, 2013 6:58 PM

As the Internet "club" is now a billion strong I would argue it is more imperative than ever to have a clear accountability structure. The WHOIS records in question are behind sites selling controlled substances, doesn't the consumer have a right to know who they are doing business with? Keeping in mind we are talking about a very specific subset of domains - ones engaging in commercial activity which in all other aspects of society are required to have public disclosure. I am not talking about the ordinary domain owner. As someone who sued ICANN to get their records, are you not concerned about the records for such sites? Does the consumer have the money or the wherewithal to engage in a legal process? This is about the consumer being able to make a decision and contact the party behind a site when there is an abuse issue.

The domain name system is a hinting system, not an authentication system Karl Auerbach  –  Oct 8, 2013 7:11 PM

The DNS was designed to give a hint, not an iron clad "this must be who I want to talk to" answer. There has been much confusion because the DNS protocols contain an "authoritative" bit - but that merely means that the server that is answering has the zone file directly rather than having picked up the data indirectly (via plucking data from other queries.) The internet architecture is missing a layer - which a layer that allows mutual identification and authentication. If one used a telephone directory in the way that people use DNS, we'd be dialing numbers and without even asking the other end who they are we'd shout out our innermost secrets. But we know better to do that on the telephone. We should know better than to do that on the internet. When you connect to something on the internet you can require actual proof - such as by shared SSH keys or PGP/GPG keys or by back-chaining up through SSL certificates and by validating DNSSEC. We should not throw privacy aside in order to obtain a bad solution for a problem that can be solved by people using the identification and authentication tools that are already present. Besides, if you don't know with whom you are interacting then the solution is simple - don't interact, or at least don't give away your store. By-the-way, do you know about the other Whois system - the one for IP addresses? That one is far more reliable when tracking down those who you are accusing of ill deeds. Also by the way, as one of the few people who have won a legal action against ICANN - I would suggest that the information being tossed about on this thread regarding legal actions is - how shall I put it nicely? - not very good.

Delving further Garth Bruen  –  Oct 11, 2013 3:09 PM

Besides, if you don't know with whom you are interacting then the solution is simple - don't interact, or at least don't give away your store.
Karl, it's not that simple. The consumer today is faced with the most cleverly deceptive processes run against them by sophisticated criminals with fake sites, hijcaking and scareware. They too often believe they are dealing with their bank or some other legitimate entity. It is only after the fact that they find false WHOIS when researching the issue and then find out ICANN wont do anything and the registrar wont help. ICANN has made a pledge to promote consumer trust but is doing nothing to demonstrate this.
By-the-way, do you know about the other Whois system - the one for IP addresses? That one is far more reliable when tracking down those who you are accusing of ill deeds.
But why is this the case? Because the various authorities on the IP site have better standards. This reliability isn't an accident.

It *is* that simple Karl Auerbach  –  Oct 11, 2013 3:36 PM

You make the immediate jump from "there are criminals" to the conclusion that every one of us on the internet with a domain name should be naked to the world because we just might be one of those criminals. Guilt by mere accusation is not a good way to run a railroad, an internet, or a society. Rather, as I see it if one can not articulate a prima facie case of accusation against someone they one ought not be given a can opener into the affairs of that someone. And any opening into those affairs of an accused must be constrained to only those purposes reasonably related to resolving the wrongs described in the accusation. The problem of people being mislead by scammers will not be solved by simplistic accusations and mass violations of privacy. Rather the problem is that the internet technical development community has ignorred known lessons of network security - particularly the issues of mutual identification and authentication - for forty years. Yes, forty years - that's when I first worked on network protocols that would prevent connectivity on the ARPAnet until the two ends enunciated their identities and proved those identities to one another's satisfaction. The technical elements of the solution you want is not to be found in Whois. Rather it is to be found in missing layers of the internet architecture. There are, of course, social aspects - bodies such as ICANN are leading internet users astray by using misleading (and technically incorrect) phrases such as "the authoritative DNS". This self-aggrandizing on the part of bodes such as ICANN gives users the false belief that the domain name system is in some way a fount of pure data when, in technical fact, DNS merely gives hints that say "try this address in hope of finding what you are looking for." In addition I suspect that the world is rather the opposite of what you paint - that the reality is that the DNS Whois database is used by sales people to find (and annoy) prospects and for scammers to find victims. As for IP address Whois - it is more reliable than DNS data because among the community of people who have addresses and the people deal with internet routing there is real operational value received by publishing contact information. So we tend to keep it up to date and also have not experienced much abuse of our data.

Hmmm...not what I said Garth Bruen  –  Oct 11, 2013 4:58 PM

You make the immediate jump from "there are criminals" to the conclusion that every one of us on the internet with a domain name should be naked to the world because we just might be one of those criminals.
Were this even remotely close to what I'm talking about I might be inclined to agree with the rest of it. I cannot open a bank, pharmacy, auto dealership, clothing store or other commercial venture without being transparent to the public. Disclosure in the commercial context extends to every aspect of our world, the idea that domains should be different does not wash. I want a balance. There is none. The "de facto" privacy scheme is just that, made up on the fly and does not ultimately protect anyone.
In addition I suspect that the world is rather the opposite of what you paint - that the reality is that the DNS Whois database is used by sales people to find (and annoy) prospects and for scammers to find victims.
Agreed, but there is, again, an ICANN policy for this which has never been given structure, process or enforcement.

Huh? Karl Auerbach  –  Oct 11, 2013 5:21 PM

I don't know what jurisdiction you are in but just yesterday I created a new corporation with nary a whit of public information about who the real owner (me) is. In fact it is extremely common for businesses to be established or property owned via intermediaries that have nothing more than a designated recipient to receive legal process. "Balance" consists of something different than the wide open door, naked domain name registrants, you are advocating. "Balance" means obligations on both sides - and the approach you are advocating imposes no obligation on those who want to access data. A balanced approach would require the making of a prima facie case, with presentation of evidence, that the accused name is doing some specific act that is causing a specific legally cognizable harm to a specific right of the person making the accusation. And "balance" would also give the accused the chance to rebut the accusation and would limit use of the data to resolve that situation.

GarthHave you submitted complaints to ICANN about Michele Neylon  –  Oct 8, 2013 4:39 PM

Garth

Have you submitted complaints to ICANN about this or other domains’ whois?

I assume you are one of the users of ICANN’s bulk whois inaccuracy reporting tool, so have you been using that for reporting issues with this domain and others with the same registrar?

Regards

Michele

Sent before the article was posted Garth Bruen  –  Oct 8, 2013 6:51 PM

Thanks for asking, yes, before the article was posted Compliance was notified but there has been no acknowledgement of the issue at this registrar. I have little faith in Compliance at this point since they have not been square with the public about something so trivial as to how many employees they have. As far as their ability to actually process complaints, this is highly questionable.

GarthAs a "contracted party" with ICANN we Michele Neylon  –  Oct 8, 2013 7:45 PM

Garth As a "contracted party" with ICANN we are subject to complaints that are handled by ICANN's Compliance team. ICANN do act on them and do address them and we are bound to respond and deal with them. I've also submitted complaints to ICANN about whois issues both where the entire registrar's whois was not functional and where the data was "suspect". In both cases ICANN has been responsive, as have the affected 3rd parties. I'm not sure how long ago you submitted complaints about the issue you outlined, but I'm yet to come across an actionable issue that was being ignored by Compliance. So you are saying that this complaint was submitted as part of a bulk whois inaccuracy complaint? Regards Michele

Different access and perspective Garth Bruen  –  Oct 11, 2013 3:01 PM

Michele, I think you are in a unique position as a contracted party who is actually engaged in the process and the dialogue. On the one hand you are required and will respond to ICANN, as you know there are registrars who don't and not much happens after that. In terms of your complaints to compliance, they get more attention than the ordinary netizen would. The ultimate question is how does ordinary consumer get real response from a problematic registrar when ICANN wont help? I'm engaged at the highest levels here and it is still difficult. The ordinary user should not have to work so hard. -Garth

I HAVE SUBMITTED COMPLAINTS Fred Showker  –  Oct 8, 2013 5:03 PM

... actually I’ve submitted dozens and dozens of complaints.  The form does not work. I get a response saying they’ll give the registrar 45 days to respond. In 45 days I get a canned reply saying they’ve found nothing wrong, case closed. I go directly to that record and HELLO, it’s still blank.  Hello? Is there any intelligent life at ICANN at ALL ???? 

If accountability was returned to the DOMAIN system, 99% of cybercrime would end. Period. Since ICANN has evidenced no interest in righting the wrongs being done in their system—when they are completely capable of doing so - does that suggest to you that they are linked in with cybercrime? 

So can somebody tell me exactly what ICANN says when law enforcement wants to know the name and address of an in-progress cybercrime?  The above domain is actively selling illegal drugs to minors.  That’s a class one felony.  What does ICANN say? They are the guardian of the WhoIS. When it’s blank we need to find out who’s side ICANN is on.

I agree that ICANN's response to complaints is inadequate Karl Auerbach  –  Oct 8, 2013 6:00 PM

I agree that ICANN's response to complaints is inadequate - witness things like the RegistryFly debacle. On the other hand, if "law enforcement" shows up on ICANN's door with a valid warrant or subpoena then ICANN has no choice but to respond. Has the illicit drug sitution to which you allude resulted in such a legal order? If not then it is not ICANN that is to blame, it is the law enforcement authorities who are not doing their jobs.

KarlICANN changed a LOT of policies and Michele Neylon  –  Oct 8, 2013 6:04 PM

Karl ICANN changed a LOT of policies and processes after RegisterFly - I don't think that it helps anyone to look at past issues like this. Michele

Really? Karl Auerbach  –  Oct 8, 2013 9:08 PM

I've also made recent (within the last year) multiple complaints to ICANN about ill behaved registrars - for example one that made it nearly impossible to transfer away and took weeks to complete its side of the transaction. ICANN's response: nil. In the great scheme of things has ICANN's enforcement improvement amounted to anything significant? My view is based on anechdotal evidence - a statistically meaningless sample, but it's what I have. I sense that those who deploy new TLDs under ICANN's new TLD program may be more active than either ICANN or the incumbent registries as they have to build their brand image and need to make sure that their TLD's don't become tarnished by ill acting registrars.

Graham - I'm glad you responded Fred Showker  –  Oct 8, 2013 7:50 PM

You have no idea how glad I am that you posted that reply. No attorney willing to take the case. Two attorneys have advised me it’s a useless battle I cannot possibly win. :-(

Evidence, please The Famous Brett Watson  –  Oct 9, 2013 8:39 AM

In comment #8, Fred Showker said:

However, when InterNIC was properly operated and functioning properly, there was little cybercrime, because each domain owner had a specific, trackable identity.

Can you provide evidence that the publication of identity was actually the cause, as opposed to some other explanation, such as, “criminals had not yet identified the Internet as a venue for crime?”

Likewise, in comment #7, Fred Showker said:

If accountability was returned to the DOMAIN system, 99% of cybercrime would end. Period.

Can you back up that assertion with anything remotely verifiable? How do you arrive at the figure of 99%, as opposed to 1%, say? Show your working.

I challenge outlandish assertions about the efficacy of identity as a matter of course. It’s just an odd little hobby of mine.

Evidence I got Fred Showker  –  Oct 9, 2013 6:48 PM

Thank you for asking those questions.
Those are important questions to ask.

No ... this field won’t hold enough characters, and you cannot afford to hire me to publish the papers.

HOWEVER, you are correct, I misspoke.

Calling the point I went back over the last ten days and checked and it is really NOT 99%.  It’s actually working out to 91 to 95%.  But hey ... if 91 out of the next hundred people you meet want to kill you, the next nine after that don’t really mean much, do they?

Second, You misunderstood the first one.
In the days of the NIC, EVERYONE had to have an identification in order to obtain a domain—“publication of identity” had nothing to do with it.
Criminals knew because there were several transactions where a false email or address or hijacked charge card would have stopped the transaction—not to mention the renewal. Criminals do not stick around to authenticate and reply to an email. Nothing more serious than a chain letter.

With ICANN running things with rogue registrars, however, the criminals no longer have to validate anything at all. They can ‘taste’ a thousand domains, spam 25 million victims, and give the domains back in four days—or they employ a botnet to constantly register domains using charge cards they’ve already stolen at sites like the Joker and GoDaddy who don’t care, and don’t check the validity of the buyer.

Back in 2000 for the SpamCon Forums in Washington I made the most rediculous proposal ever heard : each new domain purchased required the buyer to mail the check, and wait for the certificate of domain via reply mail.  Everyone laughed. But can you think of a more effective way to stop all the domain abuse? And save a hundred-trillion gigs of bandwidth?  I’m willing. Are you?  Yes, stupid idea. But the best stupid idea in the history of the internet.  Would there be malware sites? Would there be child rape video sites? Would there be terrorist bomb making sites? No, of course not. Who’s going to mail in their check, and wait to receive their certificate back for “RapeTube.com” ????? Yes, it would slow things down. But sometimes “SLOW” is a good thing.

(Someone up the chain up there didn’t understand the purpose of renewals—in the beginning it was for validation and accountability the original mailing address was used. TWO PEOPLE were required. Criminals do not usually publish a reliable mailing address where they’ll be able to pick up their mail, nor have a second person validate their registration. Some terrorist in a hole in the hills of Afganistan is not going to have a P.O. Box. Duh.)

>> “criminals had not yet identified the Internet as a venue for crime?”

They had, alright—as far back as I can remember—during Arpanet, Bitnet, Compuserve and Delphi days. But at that point it usually did not involve having control of a domain. (Oooops, there were no domains!) It was fraud or extortion the old fashioned way like the old 408s. Only with the advent of the “web,” “http” and domains were they now able to ‘cheat’ the law.  They could already falsify the smtp, but not http. There had to be a page out there on somebody’s server for them to put their scheme. 

  >>  Can you back up that assertion with anything remotely verifiable?

Sure. provide a dropbox account where I can upload several gigs of data so you can see that 95% of the serious/damaging cybercrime being purveyed today via email requires a DOMAIN. I received 234 today and only 6 of them did not. (Oooops okay, that’s 97.6%) Provide your email address, and I’ll send you all of those for your own checking.

Since the advent of ICANN, and removal of accountability in the domain system, phishing sites, drive-by malware sites, kill sites, terrorist sites, rape sites, illegal drug sites, and nearly all other forms of dangerous cyber criminal activity have had to rely on getting their hands on domains quickly and for FREE, or for very little cost—without any check on the owners actual identity or location. Most of the bad identity theft and drive-by malware crime cartels harvest blogs under Blogger or WordPRess because they are easy to break in to, then plant their web page, use them for 24 hours, then dump them to avoid tracking.  They always redirect. But they still need to “own” the bidness page. So they’ll get bulk

Of 4000+ identity theft scam emails trapped in the past 10 days, only 145 did not rely on a domain. I can send you all of those too.

Or, if you like, I can upload to you my Knujon report which clearly shows the number of spams reported and the number of crime domains reported. That might be the easiest way to provide proof.

For everyone else in the batch up there who really doesn’t have a clue as to the validity of the grave situation Garth, Knujon, SpamCop and others are battling you can see just the tip of the iceberg at : http://www.spamcop.net/spamstats.shtml

I know there are very smart people reading this, a lot smarter than me—like Mr. Famous Bret Watson up there

. . . but most of those people have their systems on high-lock, and never see the real misery going on around them so they think there’s no cause for alarm. 
“I never see any spam these days . . . ”

But folks, guess what. 100% of cancer victims didn’t see the cancer start either—until it had to be treated.  Mr. Watson, you can check me on that statistic too!

We should all be thanking Garth for his work on everyone’s internet behalf.

Good day.

Evidence of EFFICACY, please The Famous Brett Watson  –  Oct 10, 2013 10:40 AM

... I can upload several gigs of data so you can see that 95% of the serious/damaging cybercrime being purveyed today via email requires a DOMAIN. I received 234 today and only 6 of them did not.
This is about what I expected, but there is a problematic gap between your data and your actual claim. Your actual claim was, "if accountability was returned to the DOMAIN system, 99% of cybercrime would end." I'm not going to argue the few percentage points between your data and the 99% figure that you claim; rather, I'm questioning whether rigid identification processes would actually stop the crime, rather than simply force the criminals in question to adjust their modus operandi to suit the new landscape. Countermeasures of this sort tend to discourage only the least competent adversaries: the others adapt and carry on. Spammers, scammers, and other online menaces have been adapting to the countermeasures we place in their path for years. That's not to say that the countermeasures haven't provided benefits, but they certainly haven't eliminated the problem. Your working assumption seems to be that imposing rigid and cumbersome requirements on the domain registration process would stop the crime in its tracks. That is the assumption I wish to challenge. I will take your statistics about the actual use of domain names as given, but I require evidence that imposing the barriers you propose will have the outcome you predict. Your claim that your proposal would end 99% of cybercrime is classic "silver bullet" talk. I think that kind of claim is pretty much self-discrediting, but in the interests of a fair hearing, I'm inviting you to substantiate your claims. So, what evidence do you have that your solution would be as efficacious as you claim?

yada, yada, yada . . . Fred Showker  –  Oct 10, 2013 2:09 PM

I cannot believe that you don't believe that the dangerous cybercrime launched on the general public does not rely on a domain. That shows how disconnected you are from the real problem. You've probably got a provider using a really good spam filter or black hole. I cannot even begin to count the times I've heard that exact same rationalization and arguement in SpamCop report rebuttals from rape-site owners, hackers, stalkers, predators, phishers, and a score of Nigerians ... not to mention Senators, Congressmen, CERN employees, Google employees, AOL employees and college professors. They all seem to want to make it easier and cheaper -- maybe even FREE -- for everyone to have a domain. Yada, yada. Duh. Did you think nobody knows that the cybercrime industry doesn't adapt? Hello, we were fighting those people on Compuserve. Sure they adapt, it's their job. The key is make it too difficult or too expensive for them to adapt. > but I require evidence that imposing the barriers you > propose will have the outcome you predict. The evidence is seen in the original system. BEFORE the Clinton administration and Algore. You just didn't have domain abuse. Period. Inarguable evidence. And that's if we just simply disbanded ICANN and put it back the way it started. You must not have been around then. There was seriously no real abuse of any kind. Oh, a few bedroom crooks from time to time, but they were shut down immediately -- because they were trackable. But the discouraging thing is I'm down here in the trenches, tracking, recording and reporting thousands of criminal web sites and criminals, adding them to the big five black holes, working with Garth and Knujon -- taking hours and hours a week since 1995 to help do something about the increasing problem. To no avail. So let's see your proof that the claims are NOT accurate. You see, all the bitchers, moaners, left-anarchists, and free-this/free-that belly-achers very rarely ever come up with even spending two minutes on the problem -- much less thousands of hours helping everyone else be safe by bolstering THEIR spam filters. > Your working assumption seems to be that imposing rigid and > cumbersome requirements on the domain registration process > would stop the crime in its tracks. So, while I'm not putting YOU into the above categories, . . . pick one: [__] Prove that it wouldn't work [__] come up with a better plan that will work [__] Get off the tracks and stop holding everyone else up. Like my first post : If you're not part of the solution, you're part of the problem. Okay . . . no, I take all that back. I'm sorry I ever started posting here. Never mind.

OKAY : how about this : Fred Showker  –  Oct 10, 2013 2:54 PM

Okay ... scrap all those other ideas -- you're probably right -- you cannot prove or provide any evidence that tightening the DNS/Domain system would ever help reduce cybercrime. Okay let's assume you are correct. How about this: A legislated taskforce is set up to monitor/analyze/extinguish threats. Maybe an office of 25 people with 100% immediate control. They casually follow feeds of email traffic filtering the spam and criminal activities into their system. Based on a set of hard-and-fast rules with oversight, (that all ISPs and registrars should be adhering to) they validate that the email is in fact, a criminal activity. (This is a no brainer.) Blink. Each of the task force officers is armed with two buttons. The first propagates the suspect to two other officers. The second approves the suspect posted by other officers for extinction. When they get three votes, that IP ... and/or IP block, suddenly is gone. No longer live and can no longer be used. Period. The domain is locked. Period. ("Russianchildrape.com" and "freeRolexwatches.com" or "getamuchbiggerpenis.com" cease to exist. 404.) They go on a couple of months like this, and the cyber criminals, opportunists, profiteers, belly-achers and anarchists are all screaming bloody murder, the press picks it up and it becomes a huge media thing. But continues. A group of six to eight could effectively squash 50 to 100 per day. I know, I have run the numbers. If too many, like the current ViaGrow campaign are all broadcast from the very same servers, ukrnames.com, campnet.ru and publicservers.ru, you just take out their entire IP range. BAM. Black. 404. Suddenly the phones are ringing. Innocent businesses are being hurt. Of course, Mr. Ukrnames, when you clean it up we'll hook you back up. See remedies below. Then one of the big ones -- everybody thinks is innocent -- gets taken out. BLACK. BLANK. GONE. Period. WOW. News gets out on all that and suddenly the ISP / Registrar industry is going crazy -- or to court. "Hey . . . we'd better clean up our ranks or it's going to happen to us!" GoDaddy is now forced to actually prevent criminal elements from using the service since so many of their innocent customers are at stake. Presto! Crooks gone from GoDaddy. Google is losing thousands upon thousands of email users now escaping to reliable, iron-clad "REAL" email providers. The criminal element begins to fade away. Joker.com gets rid of 50,000 crime domains just out of fear of getting IP blocks (most of Ambsterdam) shut off. ukrnames.com, optima.ua, and some of the others who's only purpose is to propagate crime disappear from the planet. Doesn't matter who sent the email, or if the site was hijacked. The task force is savvy enough to trace the trail, the money trail, to the suspect and act upon THAT entity. Innocent sites would not be affected at all, unless hosted on an IP that also hosts the criminal. And that's the ISP's responsibility -- once those innocent victime start screaming at their provider . . . or move their sites to another. But then somebody throws up a red flag and goes to court. Fine. There's an easy, two step remedy to all those woes: Their blocks get reinstated as soon as they provide a) a renewal fee, in the form of a valid cashier's check drawn on a U.S. bank, passed, and b) written validation that they are not the criminal web site that got shut down -- or else the criminal sites are gone never to be seen again. Once claims are proofed -- the Task Force replies (in writing, via U.S. Postal Service) with the password to get their IP turned back on. Bingo! They're back in business. Do you think they'll think twice before launching another crime site? I'll bet they will, and I have absolutely no evidence to prove that ... just gut feeling. Now, myself as a domain owner and IP owner would not mind this system. I'm honest and have nothing to hide. I don't host crime or use the internet to hurt or take advantage of anyone else for my own financial gains. How then would the crime industry react and adapt ???? "Your honor, this task force is taking away hundreds of thousands of dollars by shutting down our phishing ecommerce pages -- how can we extract the private information and money from citizens on the internet !!!" Or "Your honor, there is nothing wrong with our child rape sites! It's freedom of speech! The task force is causing us to lose ten-thousand dollars a day!" "Your honor, we're suing these guys because we can no longer fund our terrorist activities around the world! Sheesh, supplies and arms are expensive!" How long it would take, I don't know. But surely the honorable ISP and Registrar industry would be very willing to play according to the rules. Where would the others go? We don't know. And, probably wouldn't care. :-) PS : in the time it took to write this, our spam traps received 87 new spams ... all of which are illegal, and all of which rely on a domain to host the spam site. Hmmmmmmmm. 100%.

Summing up The Famous Brett Watson  –  Oct 11, 2013 9:20 AM

Fred, I have asked you to provide evidence that your remedies will work in accordance with your claims. You have responded with two messages. The first consists of the following points. 1. An accusation that I am disconnected from the real problem 2. A variation on the genetic fallacy, stating that you've heard the same objection from disreputable sources. 3. "The key is make it too difficult or too expensive for them to adapt," without analysis of what that will actually take, or what unintended side-effects will follow. 4. Reference to the extremely early Internet as strong supporting proof, based on the unsubstantiated assertion that its lack of domain abuse is properly explained by the governance model of the time, rather than other factors, such as its relatively small number of users. 5. A bit of a rant about being in the trenches, and a challenge that I should be the one to prove you wrong. The second message gives an outline of the powers and methods of a hypothetical anti-abuse police force, and offers speculative scenarios as to how and why it might be effective. I'm not going to rebut these messages: I am satisfied to summarise them, and allow them to stand on their own merits. For those who happen to be interested in a counter-argument, I refer you to my discussion of "barriers to entry" on pp.88--89 of my PhD thesis. Just bear in mind that the thesis is about designing protocols for abuse-resistance in general, not the prevention of malicious activity associated with domain names in particular, and adjust accordingly.

Thank you Fred Showker  –  Oct 11, 2013 2:03 PM

Now I understand where you're coming from. I read your referenced work, and found it most interesting as a thesis paper. We really do agree in principle -- although a little tedious, it makes a convincing case. The fundamental difference in our opinions falls somewhere between law enforcement practice and academia. You call protocol design "folklore" ... but you couldn't argue with the convenience store robbery metaphor. That's because when he's on the sidewalk bleeding, it's too late for academic pondering. ALL PhDs know speculation never has evidence until tested. You said so yourself. Surprising you'd expect me to furnish you all the data to support my theory. Theoretic science is never exact. But the guy bleeding, or the child abducted are hard to argue with. I talk to people who feel the same way. They hear about it, but just simply cannot believe that this stuff goes on, because they have no direct experience with it. You really don't believe that something as horrible as a child rape sites can exist until you work with law enforcement to get a child rape cartel shut down. People pontificate about it long and hard. The academics have a hey-day with hundreds of thousands of pages of posturing. The criminals laugh. I shocked an audience at my "safenetting" session at Macworld SanFran in 2002 with actual screen captures of child rape sites. We traced the history of working with Bedford Law Enforcement Task Force to squash those low-lifes. The audience was agast. We taught parents how to deal with the ever-growing threat eminating from the internet. My brother and partner in SafeNetting authored and implemented the curricula and programs now implemented in the middle school systems across Virginia. http://www.ugnn.com/safenetting/macworld/macworld_presentations.jpg http://www.rockingham.k12.va.us/highlights/highlightsjoeshowker.html But all chatter aside, what are YOU doing about your thesis? How many hours a week do you spend on getting it promoted into action? Are you a member of Knujon? Are you a member of Spamcop? Who all have you pitched this theory to? It sounds like a pretty convincing band-aid. I would think that after you put so much effort and time into it -- and you're so passionate about it, you would be pushing it into reality. Who have you contacted? Congressmen? Law enforcement? Where and what channels are you using to get it pushed into practice? Why hasn't the anti-spam, anti-cybercrime community heard of it before? I do not remember you presenting at Spamcon or the Spam Forums in Washington. Where have you presented? We have presented to congressment and legislators. We presented to the Attorney General of Virginia and after several years work have gotten some good educational programs enstated. I cannot remember your name at the Internet Caucus at the Capital. Are you acting on it today -- currently? What do you do today? Are you actively involved in internet policy making? Security enforcement? What? This says you were in school as a PhD candidate in 2010. The thesis is a major work. I applaud your efforts. While monumental in theory, implementation may be more difficult than my simple ideas. I will certainly pass your paper along to my channels. Let's hope it gets some traction because just like my "ISP Self-Regulating Initiative" presented to the FTC in 2000 -- until it is implemented . . . it's still just a paper. It was fun. Thanks for the exchange. Good luck and keep on fighting the good fight. http://www.ugnn.com/UCE/initiative.html

Autobiographical details, if you insist The Famous Brett Watson  –  Oct 12, 2013 3:45 AM

... although a little tedious, it makes a convincing case.
If it's only a little tedious, it's doing well for a thesis.
You call protocol design "folklore" ...
Radia Perlman calls protocol design "folklore". I merely agree with her.
Surprising you'd expect me to furnish you all the data to support my theory. Theoretic science is never exact.
I simply expect the strength of your assertions to be in proportion to the evidence behind them. When one has strong assertions backed by weak evidence, one is making an exaggerated claim. I make a habit of challenging claims that appear to be exaggerated.
But the guy bleeding, or the child abducted are hard to argue with.
Drawing attention to the (alleged) magnitude of the problem does not justify an exaggerated claim about possible solutions: it simply serves to distract people from your lack of supporting evidence. In the worst case, it consists of using one exaggeration to draw attention away from another, multiplying the error. Politicians do this all the time, and I shrug off their rhetoric as typical of their ilk, but I hold fellow technologists to a higher standard.
But all chatter aside, what are YOU doing about your thesis? How many hours a week do you spend on getting it promoted into action?
Aside from the occasional passing mention in a venue like this, none at all. I spent around seven years, full time, working on that thesis, with either little or no income. It was an uphill battle, met primarily with scepticism, mostly regarding the form of the thesis, which was considered "philosophical" -- a term of disapproval in the sciences, these days. The usual word limit for a computing thesis at that university is sixty thousand words. The upper limit for the university as a whole is one hundred thousand. My first submission came in slightly under the sixty thousand limit, and was rejected as "needing more work". The final submission, which was accepted, was closer to ninety-five thousand words. At the end of the process, there were no obvious venues in which to pursue the matter further, and I was weary of the uphill battle in any case. The text is freely available on the Internet, where the interested may find it of their own accord. I went back to being a developer-for-hire, and have been making up for years of sacrificed earning opportunity ever since.
I do not remember you presenting at Spamcon or the Spam Forums in Washington. Where have you presented?
The first conference on Email and Anti-Spam (CEAS 2004). I spoke on problems that would persist in an email system with reliable sender identification. I got to meet with Eric Allman after my talk, which was pretty much the highlight of the event for me. I tried submitting to a couple of others after that, but not successfully. I haven't felt inclined to play that game since then -- doubly so given that I would be doing it at my own expense now. I also live in Australia, which probably goes some way to explaining why I haven't been involved with all the other US-based venues you mention.
I will certainly pass your paper along to my channels. Let's hope it gets some traction ...
I'm still interested in discussing the work with interested parties. I'm just not putting a lot of effort into finding those parties at the moment. Mundane financial considerations, like "having an income", take priority for now.

Bravo Fred Showker  –  Oct 10, 2013 1:41 PM

Thanks Graham. You are correct.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC