|
Imagine a California non-profit corporation providing material assistance to a criminal wanting to do you physical and financial harm. Then, imagine that corporation is ICANN.
Imagine no longer, because that is precisely what the ICANN Compliance department managed to pull off this week, in an all-too-common demonstration of the havoc they can cause by sheer ineptitude, without apology or concern.
This is the situation which crossed my desk this week.
A successful commercial photographer and owner of a US federal trademark registration has been pleased with the new TLD program that allowed her to register the exact match of their trademark in the .photo TLD. Like many businesses, she went to a trusted vendor of website services which offered hosting, publishing features, ecommerce tools and domain names.
The vendor owns a registrar, but not one accredited in all new TLDs, so they maintain a relationship with a reseller of a .photo accredited registrar. All was running smoothly, and the photographer grew her business.
One of the burdens of a successful business is addressing others who would attempt to exploit your reputation. Recently, the photographer noticed that a competitor in the US had registered a similar domain name to her US trademark, and was infringing the mark. Accordingly, the photographer sent the competitor a notice of her US trademark rights and advised the competitor to discontinue the infringement.
And that’s where the “fun” began. Rather than complying with the demand, the competitor began a campaign of electronic abuse and harassment of the photographer, up to and including threats of physical violence.
Two weeks later, the photographer’s domain name suddenly stopped resolving, and her website went dark. The hosting vendor initially thought there might be a DNS configuration error, but soon found that the name was no longer in the TLD zone file at all. At that point, the hosting vendor suggested the photographer get in touch with the registrar for the domain name. The registrar told her the registry had turned off the name. So she went to the registry. The registry determined that the name had been shut off due to a message from the registrar to do so, and of course would have no idea why.
Suddenly thrown into a circle of finger-pointing among companies she’d never heard of, she contacted her lawyer. Her lawyer suggested that maybe something was wrong with the domain name registration and so, using the reseller’s interface, they updated the admin contact email address to that of her lawyer. The lawyer promptly received, from the reseller, a confirmation notice pursuant to the 2013 RAA, and clicked the link to confirm receipt of the email.
Still, no luck.
Getting back in touch with the registrar, the lawyer was then informed that, even though the admin contact email address had been verified, there had been a previous WHOIS data problem report that was still “unresolved”. The registrar said they would issue a new confirmation email.
No email arrived at the admin contact email address.
Instead, on further investigation hours later, she found in the spam folder of her email account (which at this point was no longer the admin contact), several notices from a company of which she had never heard, urging her to click a link. Her only relationship had been with the hosting and ecommerce vendor, and had never heard of the registrar through which the domain name was registered. Hence, even if the WHOIS problem and subsequent confirmation emails had been seen, she is smart enough not to click on links sent to her by companies with which she has no relationship and of which she had never heard.
At this point, the procedure was already off the rails. One of the purposes of the WDRP system is to allow registrants an opportunity to correct and update problems with their WHOIS data upon notification. Since the admin contact email address had already been changed, and confirmed, there was no reason for the registrar to still be attempting to “confirm” the previous WHOIS information after the update had been received. So that part was a clear error on the part of the registrar. Despite having communicated repeatedly with the lawyer through the now-current admin contact email address, the registrar claimed that it was turning the name back on, but only as a temporary courtesy, claiming it still needed “verification” of unspecified WHOIS data.
In the meantime, three clients who had been interested in doing business with the photographer took their business elsewhere, since they were put off by the unreliability of being able to communicate via email or access the website.
At no point in any of this was the actual WHOIS problem report provided to the registrant, in order to determine whatever it was that led to the shutdown in the first place or what WHOIS data the registrar wanted “confirmed”, which was especially odd since they were telling this to her lawyer, now the admin contact, through the admin contact email address itself.
And here is where the stunning genius of ICANN Compliance comes into play. After two days of haranguing the registrar, they finally coughed up the WHOIS data problem report provided by ICANN, with the name of the reporter withheld by ICANN. As was stated in a memorable exchange at a Compliance session one fine day, ICANN prefers not to provide an identification WDRP reporters because “some people have threatened to sue them in retaliation”. Those people would be me, and you heard that right—ICANN will shield the identity of people who make false and abusive WDRP reports, because ICANN Compliance prefers to protect people actively engaged in fraudulent and abusive submission of false WDRP reports for illegal purposes.
The WHOIS data problem report in question is the crown jewel of this cybervandalism, and it is quoted here in its entirety. Every data field was marked “Nothing to Report” in terms of being incorrect. However, the sole comment in the report was:
“I’m not sure how much info is actually accurate but they are using an inaccurate phone number as they are registered in Virginia but the phone number is to someone else in Tennessee. They are harassing me from this domain name email address though.”
Leaving aside the fact that telephone numbers in the United States are portable, if anyone, at any point in this farce, picked up a telephone and called that number, they would be immediately connected with the named registrant of the domain name. Merely having a business address in one state, and a telephone number corresponding to an area code in another state is not an “inaccuracy” of any kind. It is a common circumstance. Heck, my office is in Pennsylvania, my residence is in Delaware, and I would not in a million years think that ICANN would believe that fact to be worth shutting down my business.
The report is interesting for what it does not say. It does not say the telephone number is inoperative. It does not say the registrant cannot be reached by that telephone number. It merely says the registrant has a mailing address in one state, a telephone number in a different area code, and claims with no support that the telephone number belongs to “someone else”.
So what?
The date of the WHOIS problem report? Oh, it was the same day that the trademark infringer began harassing and threatening violence against the domain registrant. That much was immediately obvious—once the actual report had been prised out of the hands of the registrar.
At no point did anyone from the ICANN Compliance department lift a finger or respond to any of the emails on the subject of this domain registrant’s victimization and loss of business. But, of course, why should they? Their mission is to bulk up the numbers of “compliance complaints resolved” so they can show pretty pictures at the ICANN meetings The harm left in their wake is someone else’s problem, and they have given immeasurable satisfaction to a violent criminal by allowing themselves to be used as an instrumentality of that victimization.
No one—not a single person in the chain from the hosting provider, reseller, registrar, or ICANN gave a tinker’s damn about this victim throughout the entire process, because the primary dynamic in these situations is that ICANN has no obligation to the domain registrant whatsoever, and the main concern of the registrar is to avoid a non-compliance notice from ICANN. After all, virtually every registrar has a “screw you” registration contract under which they are not liable to a domain registrant for anything in any amount, but the registrar can be put on the hooks by ICANN.
No one—not a single person—bothered to pick up a telephone and dial the WHOIS contact number. It takes all of ten seconds. ICANN couldn’t be bothered, and neither could the registrar. They have more important things to do than to figure out why someone is losing their livelihood as the hours tick by.
So the safe thing to do in all of these situations, for all concerned, is to screw the registrant. That’s the way it is, and that is the way it will remain. Above all, never admit error or offer help.
While someone’s business is going down in flames, this system should not depend on the registrant having a lawyer who is able to track down outside counsel for a registry, with enough familiarity to navigate the nonsense, wrong answers and often straight-up butt-covering that every other party in the chain—from the hosting provider, the reseller, the registrar and ICANN itself—throws up as a smokescreen once they realize someone has been screwed by the abuse the ICANN WDPRS system invites by its very design.
This is the system that the intellectual property interests and law enforcement interests wanted and got—one which provides a convenient instrumentality of abuse by a violent cybersquatting thug, and a cast of cowardly characters unable to give a straight answer to a simple question—why did this happen?
Congratulations, ICANN Compliance, take a bow.
And to all of you hackers and vandals reading this blog—all you need to do is go to the WHOIS report form, claim a contact telephone number belongs to “someone else”, and who knows how many websites you can take down in the process. To ICANN Compliance, that is a valid, complete and well-reasoned report which is perfectly worth taking down a clearly fully-featured website.
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byDNIB.com
This describes whois + ICANN compliance as a threat to the stability of the Internet. Has SSAC ever dealt with this threat or do they just focus on security?
This is a good start, on a related attack vector: https://www.icann.org/en/system/files/files/sac-028-en.pdf SAC 028 SSAC Advisory on Registrar Impersonation Phishing Attacks "This Advisory describes a form of phishing attack that targets domain name registrants. The attacker impersonates a domain name registrar and sends an expected or anticipated correspondence to a registrar’s customer (a registrant) regarding a domain name related matter. Examples of expected correspondence include a notice of pending expiration of a domain name registration, a promotional email, a notice informing the registrant of an account management issue, or generally, any correspondence that requires or encourages a customer’s immediate attention. The correspondence, however, is bogus." What is not addressed in that report in particular is the use of bogus inputs into the compliance channel resulting in unexpected, and actual, registrar communications requiring attention, under circumstances where it is known, likely, or possible, that it may not be noticed or acted upon by the registrant. This is particularly true given the required publication of the administrative contact email address which, as a published and confirmed-to-be-valid email address, attracts undesired email, thus requiring filtering controls or reduced trust in what comes its way. As I've published elsewhere, one can monitor natural or human disasters such as earthquakes, hurricanes, or civil/military unrest, or otherwise anticipate (or create) circumstances reducing the likelihood of registrant notice, and use the WDPRS to suspend domain names to compound or exploit such events. You don't have to phish the admin contact email address, you only have to reduce its reliability, such as by flooding it with spam or nuisance emails. The problem is generally addressed under "need for improved registrant education", which gave us the obligatory posting of the "Registrant Rights And Responsibilities" document, which reads more like a Miranda Warning than the Magna Carta. This case study is ICANN Compliance Ticket [~BYM-263-85860], but I guarantee you that every registrar can produce their own version of "The Compliance Ticket From Hell". Bizarrely, through two week long saga, I believe I was the first person to pick up a telephone, call the number, and see if it works, let alone who answers. But the "right people" are protected from this sort of thing in the first place. For example, upon noticing that eff.org was registered to: Registrant Name:System Administrator Registrant Organization:System Administrator ...I submitted a WDPRS complaint, as the domain name clearly does not identify a natural or corporate person as the registrant, in violation of the relevant ICANN requirements. As you can tell from the last-updated notation in WHOIS for eff.org, compared to my WDPRS complaint (which identified a valid inaccuracy), the WHOIS was updated, literally in less than 30 minutes to: Registrant Name:System Administrator Registrant Organization:Electronic Frontier Foundation I find it difficult to believe that ticket (QBJ-112-20103) went from compliance to the registrar, then to the registrant, was acknowledged by the registrant and then went back up to the registrar for notice to compliance - in under 30 minutes. Someone looked at the name, who it was, picked up a telephone, and resolved that inaccuracy in a rational manner. But as long as there is a velvet rope system that works for the right people, then whether ordinary domain name registrants are burned is simply not a problem of concern. And, to be clear, I perfectly understand the posture of registrars to these things. There is no tick-box on the "did you comply" form at ICANN for "this complaint looks like bullshit". Screw the registrant is the safest posture, unless it's "someone we know and don't want to upset".
This article should be required reading for the Board and the GAC.
Despite repeated and vociferous warning from many corners, particularly from registrars, ICANN has willfully allowed itself to be convinced by vague but apocalyptic warnings about Whois inaccuracy and the inevitable breakdown of global civilization as a result. And Avri’s right: robbing people of their domain name without any due process, and without any investigation of facts, has a direct and immediate bearing on ICANN’s responsibility to foster the security and stability of the Internet. Thanks to the extreme CYA behavior that has become an ICANN trademark (Hmmm, John - can someone get a trademark on a distinctive kind of behavior?), any anonymous troll can drop a dime on a legitimate domain holder and conspire with ICANN to ruin their livelihood with casual innuendo.
Thank you for bringing to the public a flesh-and-blood example of the collateral damage resulting from ICANN’s policy of making the Internet safe for cops and large intellectual property interests, without the slightest counterbalance in favor of the people who use the domain name system that ICANN is supposed to make serve.
Antony
Who is the “violent criminal” here?
Where’s the evidence that violence or criminality were involved in this case?
Whether threatening violence is itself a violent crime is, I suppose, a matter of definition. It could also be pointed out that "ICANN doesn't shut down domain names" which is likewise correct. What ICANN Compliance does is to provide a system that insulates vandals from the consequences of their actions by threatening registrars with breach notices based on anonymous accusations - in this instance, one which on its face did not directly claim any inaccuracy in the data. ICANN "didn't do anything wrong", they merely passed along the report and demanded a response from the registrar. The registrar "didn't do anything wrong", they merely issued a form email to the registrant (which is kind of odd, given that the complaint arguably related to the telephone number). The registrant "didn't do anything wrong", they properly ignored an email from a sender of which she had never heard, suggesting that she click a link. There is something broken in a system in which nobody does anything wrong, and a legitimate, compliant business is shut down. Every registrar can recount the frequently Kafkaesque dealings with ICANN Compliance. My previous favorite was one in which a WDPRS report was received by a registrar, relating to a domain name personally owned by the CEO of the registrar. The CEO saw the report, recognized his own contact information as correct, and reported back that the WHOIS data was accurate. That a known human being can recognize their own address, email and telephone number, was not comprehensible to ICANN Compliance, which continued to press for a documentation trail of some kind to the effect that the CEO of the registrar knows his own mailing address, email and telephone number; and continued to raise the threat of a breach notice, unless such documentation additionally showed that it was produced during the original 15 day period. Merely sending himself an email after the fact, asking himself if he is who he thinks he is, was also insufficient. Finally, we offered to recreate the act of him recognizing his own address while conducting a PET brain scan by a technician competent to identify brain activity consistent with recognizing one's own contact information, provided that ICANN help defray the cost of the scan. That one finally closed the ticket.
"Finally, we offered to recreate the act of him recognizing his own address while conducting a PET brain scan by a technician competent to identify brain activity consistent with recognizing one's own contact information, provided that ICANN help defray the cost of the scan. That one finally closed the ticket." lol Long ago on a WDRP audit I replied there were *NO* emails sent. We are a private registrar and all domains are ours no exceptions. I manually check our regs in our registrar once per month (phone call verification) and run an app to monitor whois changes daily. I received and out of compliance noticed. I responded asking ICANN to confirm email was a more secure method of verification than a phone call to someone who's voice I know. THAT closed our ticket. Next year I noticed the WDRP audit had the option to confirm whois by phone ... Who'da thunk it!
I've recently been doing work with automotive network systems. These tend to go under the heading "Vehicle To *" where * is either "vehicle" or "infrastructure" or something else. This is a world of embedded systems with too many embedded domain names. In the world wide web there are usually people behind web browsers - that tends to mean that failure is somewhat soft (but not necessarily harmless) because humans are pretty good at recognizing failures, or at least are better at it than most software. But in the automotive area - or in any area in which domain names are embedded into what are fairly well sealed industrial modules - anything that disturbs the assumptions built into the code can be dangerous. Yes, automotive/industrial code ought to use solid crypto based mutual identification and authentication. But ICANN has spent so many years spreading the false gospel that the domain name system is "authoritative" (which it never has been, not intended to be) that we can understand why programmers accept that at face value. All of this boils down to a concern that, like the inertia of a mass, a domain name in existence ought be allowed to remain in motion unless there is clearly imperative and concrete need to alter the registration of that domain name. ICANN's processes have tended to value expediency over other concerns - they favor fast and inexpensive procedures that do not have a lot of mandatory steps where human (and thus slow and expensive) reason and action are required. This, as the original article suggests, creates a nice opening for those who wish to sow discord. In the case of the internet of things, particularly automotive and industrial systems, that discord could potentially result in human injury or physical damage to property.
Oh my word, if that was for real I bet it was glorious.
"IF" it was for real? Kevin, this type of nonsense goes on every day at every registrar. The person in question replied directly to the WDPRS notice and confirmed it was his valid contact information. Somehow, that wasn't enough for ICANN Compliance: ------ (name), in his capacity as principal of the registrar, and as principal of the registrant, replied directly and immediately to the initial inquiry. We do not believe your claim that you do not have the email in which he responded and confirmed his identity and contact information. Upon receipt of the WHOIS data problem report, (name) identified the domain name as one of his own names, and is consciously aware of his own address. (name) did not send himself an email in order to ask himself to verify his contact information, nor did he call himself on the telephone in order to hold a conversation with himself for this purpose. (name) does not ordinarily send himself emails to ask himself questions, nor does he normally call himself on the telephone in order to ask himself questions. We do not believe this is a normal practice for anyone. However, the response you received from (name), confirming his own contact details and advising that the report was false, is itself a record of communications with the principal of the registrant in question. Accordingly, you already have that communication, which was sent directly from the principal of the registrant. It was sent directly to you, and we do not understand why you are claiming you do not have that communication. We are, at this time, attempting to locate an appropriate brain imaging facility in order to capture a record of (name)'s mind reading the problem report and identifying the domain name as registered to his own company, in order to obtain a printed record of the mental act of (name) asking himself if it is his own domain name with the WHOIS data at his own address. There is, unfortunately, not such equipment available (at location), so it will be necessary to transport him to an appropriate facility in order to capture the physical act of him thinking to himself "Is this my company name and address? Yes, it is." Accordingly, we would like your assistance in locating an appropriate brain imaging facility in order to provide a record of (name) recognizing his own address. Secondarily, as the report is facially false, we are interested in pursuing appropriate legal action against the person who made the report. The person who submitted the false report has consumed the resources of both ICANN and the registrant under fraudulent pretenses, and we intend to seek an appropriate judgment against this person. Please let me know when we might expect to receive an identification of the false reporter. ----- ICANN Compliance refused to identify the name of the malicious reporter, as they consistently shield the identities of malicious reporters. Given a choice between closing the ticket, or helping us to identify someone who had committed wire fraud in the submission of a willfully false WDPRS report, ICANN Compliance did as it always does - protect the identity of the criminal.
For the record, I was not questioning the veracity of the anecdote.
There is an obligation of everyone who processes complaints to check the validity of the complaint (and the complainer). That this is not being done reinforces a fallacy that dates back to the beginning of ICANN: that Registrants are bad, but those who accuse them of misdeeds can do no wrong.
In the soon-to-be-proposed rules for Proxy/Privacy Provider Accreditation, the Requester of the proxied Whois data will have to identify themselves, and further, identify under what authority they speak for Requester (e.g., staff, attorney, etc, for a large company). That will at least create a chain of responsibility back to those making false claims, and some ability to pursue them for misdeeds.
Should any less be required here?