|
Today’s Wall Street Journal discusses the fight over Whois privacy. The article on the front page of the Marketplace section starts by discussing how the American Red Cross and eBay use the Whois database to track down scammers:
“Last fall, in the wake of Hurricane Katrina, the American Red Cross used an Internet database called “Whois” that lists names and numbers of Web-site owners to shut down dozens of unauthorized Web sites that were soliciting money under the Red Cross logo. Online marketplace eBay Inc. says its investigators use Whois hundreds of times a day to pursue scamsters. Insurance giant Transamerica recently used Whois to trace the owner of a Web site purportedly in the Middle East but actually U.S.-based—that was selling insurance by infringing on the Transamerica trademark.”
It discusses how proposed rules would allow Whois to list only a technical contact for each domain name. A technical contact could be a web hosting company rather than an individual owner.
This would make it difficult for trademark owners to send cease and desist letters to people they think are cybersquatting. Trademark owners would have to skip this step and go directly to a UDRP or get a subpoena. This could be bad for domainers, as typically the issue can be worked out at the cease and desist stage.
The Wall Street Journal article says that registrars would benefit from the Whois changes because more people would be willing to register domains. But it doesn’t address how the registrars are making millions from offering Whois privacy services. That revenue would completely disappear (although it is already being marginalized as registrars start offering privacy for free).
At last week’s Domain Roundtable, ICANN CEO Paul Twomey commented on Whois privacy. From my previous entry:
Twomey suggested that many people in the room are probably on the side of more privacy, not less privacy, in the Whois database. Twomey posed the question “what is your true business need for more privacy”. Without taking a side on the issue, Twomey urged that domainers look at the long term implications of privacy. He noted the importance of offering access to such information to law enforcement. If law enforcement doesn’t have access to this information and something big happens—say terrorism in which having access to this data is crucial—governments might make snap judgments that will hurt privacy even more.
I understand the need for privacy in certain circumstances. One way registrars sell Whois privacy is to tell domain registrants about the spam their email address will get if it’s listed in Whois. I recently changed the Whois email address for many of my domains to a unique email to track Whois spam (I’ll post about the results of my experiment later). But I also get dozens of calls to my number listed in Whois each month from people trying to sell me things. I propose that all email addresses in Whois be forwarding addresses. For example, domainnamewire.com would be something like [email protected]. This would allow ICANN or another body to track the biggest offenders of Whois spam.
If Whois requirements are changed I hope that registrants still have the option of listing themselves (other than as a technical contact). Whois is used frequently for unsolicited domain purchase offers. None of us would like to see those disappear!
Sponsored byCSC
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byWhoisXML API
Forwarding addresses wouldn’t be a great solution to WHOIS spam. I wouldn’t want emails intended for me being monitored by ICANN or passing through their servers. ICANN wouldn’t be able to do much about spam, even if they did know the identity of the top spammers. Harsher penalties (even bounties), and greater transparency are much better ways to stop spam.
I agree with George Kirikos. It is important to try not to create new problems when resolving current ones. Rather than use ICANN to filter WHOIS SPAM, we should promote privacy of WHOIS data, which would block WHOIS SPAM as well.
As for law enforcement interests, I am not sure how a public WHOIS database has anything to do with fighting terrorism. The link is quite nebulous. Certainly, if we become persuaded that ICANN should keep WHOIS public for the purpose of fighting terrorism, then we also have the algorithm for obliterating privacy under all contexts where fear overpowers reason.
Both good points. I should mention that Paul Twomey also mentioned fighting child porn along with terrorism. As someone at the conference pointed out, however, law enforcement already has access to unlisted phone numbers when they try to fight these crimes.
Perhaps a better solution to Whois spam is to have the registrar be the filter, so a domain could be like .(JavaScript must be enabled to view this email address). However, you still have the issue of someone else being able to read your mail. If you set it up soley as a forward and only in Whois this should not be a big deal. Someone using your Whois e-mail address is either writing to buy your domain or sell you something. But I’m not trying to say this will stamp out spam completely.
I’ll let you guys know my results of changing my email addresss is Whois to a specific catchall.
And spam fighting as well - I’ve had it up to here with botnets being setup that cycle through a few hundred brand new domains a week.
Have whois privacy if you want, but as a necessary corollary, have registrars be a bit more responsible and proactive in cases of spam / abuse (trademark suits, dmca violations etc can and will need more careful handling obviously)
Prevent scripted registration of domains by abusers [who typically use stolen cards so I guess avoiding all the chargebacks is a bonus for the proactive registrar]
Make sure spammer, phisher etc domains are taken down promptly - and as needed, ALL domains registered by the same spammer are taken down. If its a phisher, botnet etc domain, the first 48 hours or earlier after creation is key for the scammer to rake in his profits.
That sort of thing can put a very pretty looking dent in a botmaster’s operations.
Yes, I know - some registrars do this routinely.
The worst problem is that quite a few registrars just don’t bother, or cite some quite vaguely defined ICANN rules, while quite a few other registrars are quite happy to operate under those rules to deactivate.
Suresh,
Responsible registrars do perform the task of shutting down spam domains, but the smaller guys often don’t have the resources or the resourcefulness to make it happen in a consistent fashion.
I have been told of a ~100,000 name registrar who operates with a 4 person staff. Kinda hard to keep doing it “right” with that size team.
-Ram
Its not rocket science. And a substantial part of it is building automated fraud warning systems.
It is not just the small shops by the way.
You’ll find very large registrars that have huge numbers of spammer / botnet etc domains signed up and zero action being taken on these.
WRT your comment on Levine’s post -
You’ll find that a handful of registrars are a major contributor to the problem I mentioned too.
Somehow, quite a few of the small two to four man outfits running a registrar out of their garage seem to do just fine in controlling abuse, and huge registrars do not - despite all the extra staff and resources they have.
Very interesting - I did not realize that the problem was not only widespread, but was perhaps more localized with the larger guys vs. the smaller ones.
At some time, I hope a code of conduct comes up for adoption…
Registrar policy enforcement is probably the weakest link in trying to fight net abuse right now
The problem is of course not the ISPs, registrars etc that do take action, it is those that just dont bother to do so.
You’re seeing massive abuses of things like the 5 day grace period for certain TLDs? Well, its not just typosquatters who signup for new domains. A lot of spammers do just that. All the time.
It is even more fun when the whois db gets updated maybe twice a day but a domain appears in dns the moment its registered, so that you cant trace a domain back to the spammer, or see that a whole bunch of different, randomly named domains that are spamming you are actually related.
Now how is that going to be countered if only some registrars bother to do something about it and there’s apathy (or perhaps ignorance) among several other registrars? ICANN can probably do something about it, perhaps just putting the question of what the registrars must do, to the registrars themselves, and trying to get some consensus.
Australia recently came up with an ISP industry suggested antispam / net abuse code of practice that got approved and endorsed by the government [and the australian laws & codes of practice on spam / net abuse are excellent]
The ITU has been suggesting that governments back antispam laws with an enforceable set of best current practices for ISPs
Now I know what most ISPs (and registrars) will say about government mandated regulation - but I fear that it wont be long coming if the current state of affairs persists.
One way to go would be for the industry to come together and form its own voluntarily applicable best current practices, and to follow them .. governments are not too likely to object to that
If ICANN actually takes the lead in something like this, you’ll manage to produce something thats quite useful. Achieving consensus on anything like this is difficult but it has to be done.
-suresh
Suresh, this seems worthy of mention to the GNSO Council chair (Bruce Tonkin), and perhaps also to the Registry & Registrar Constituencies. They have the werewithal to make it happen.
Sounds like a great thing for afilias to take the lead on, then.
Ram,
I ran on a platform that registrars can, and should do just what Suresh advocates, and lost. The problem isn’t dumb small registrars, its that ICANN’s budget dance was far too important for registrars to work on anything else, so amid great handwaving, the RC got some “new blood”. That guy just checked out after two years of ... budget stuff and an RC website rev.
Its just not going to happen. Fraud is here for keeps.
Cheers,