[Gnso-ppsai-pdp-wg] Commercial Use - White Paper

Mon May 12 21:37:05 UTC 2014

Hi all,

Following up on the white paper that Libby Baney just circulated, and as we
wrap up our discussion regarding distinguishing between commercial and
non-commercial use, I thought it might be helpful to provide a concrete
example of a domain name that (I trust we can all agree) is being used for
commercial purposes. Perhaps we can collectively think through whether it
makes sense for this domain name to be afforded privacy protection. For
simplicity, I am only using one domain name as an example, but there are
thousands like this in our database alone. I hope that a concrete example
will be helpful to the discussion.

Let’s take the domain name medsindia.com. First, as you can verify with a
Whois query, it is using proxy/privacy services.

Registrant Name: General (c/o Rebel.com Privacy Service)
Registrant Organization: Private Domain Services
Registrant Street: 300-12 York Street
Registrant City: Ottawa
Registrant State/Province: ON
Registrant Postal Code: K1N 5S6
Registrant Country: CA
Registrant Phone: +1.866-497-3235
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: IVP1JQKYRM3LQED1 at rebelprivacy.com

How is it being used? It’s fairly straightforward: it sells addictive
(controlled substances) and other prescription drugs without a valid
prescription. But that’s not all:

   - As noted, it sells prescription drugs, including controlled
   substances, without requiring a valid prescription.
    - The drugs are not sold by a pharmacy licensed or otherwise recognized
   in the patient’s jurisdiction, as is the standard requirement.
   - The drugs are considered unapproved or falsified, depending on the
   regulatory language in the jurisdiction. Part of the reason is that they
   are illegally imported into the customers’ jurisdiction and thus
   unregulated for safety or authenticity.

To be clear, this domain name is not being used for legal commercial
purposes in any jurisdiction. (Despite its claim to be using a licensed
pharmacy in India, not even in India, for reasons I can explain separately
if anyone wants to know.) I choose this domain name because I do not think
its unlawful or dangerous use can be disputed. I would further argue that
the use of the p/p protection allows the unlawful actor to continue
operating, as I explain below.

Being privacy protected, of course, we can’t immediately tell who is
operating the website. Can we get law enforcement or courts in the
registrar’s jurisdiction to do anything –– e.g., go to the registrar and
ask or require them to reveal the identity of the registrant? No. Try to
buy a drug such as Xanax from this website. This Internet pharmacy will
ship anywhere in the world *except* to Canada –– where its registrar and
servers are located. To protect its ability to sell drugs globally, the
registrant has sacrificed sales to a single country, and chosen a registrar
and servers there, to create a safe haven. Consequently, Canadian law
enforcement cannot point to a violation of Canadian law: no drugs are being
shipped into Canada –– just everywhere else around the world. (Which, we
can infer, is why this registrant removed Canada from their shipping
destinations.) And, the reverse is true –– a court order or law enforcement
request from outside of Canada can simply be ignored by the registrar and
server companies in Canada. Those who have argued that the best way to deal
with p/p use by illegal actors is simply to get a court order are not
accounting for this quite common scenario.

Being able to hide their identity in the Whois record is also the perfect
set up for another reason: many registrars have said in the past that they
only way that they can (or perhaps, will) take action on a domain name is
if the Whois record is falsified. But how would we know? It is privacy
protected. That removes the WDPRS as a mechanism for dealing with abusive
behavior.

Does this commercial registrant have a legitimate need for p/p services? I
would argue that that is not the question to be answered.* The question is:
Does a consumer, consumer protection firm, government agency, etc. have the
right to know who is operating this website?* I would submit to this group
that it is incumbent upon us to recommend a thoughtful, balanced policy
that prevents this sort of “perfect set up” for Internet criminals to hide
their identity as this one has. Keep in mind that, as pointed out in the
circulated paper, no such right exists in the offline world –– rather,
consumers have the right to know who they are dealing with. Ample
requirements exist for business registrations to do business transparently.
There should be no difference in the online world.

Finally, recall that the Affirmation of Commitments (AoC) requires "timely,
unrestricted and public access to accurate and complete WHOIS information."
The AoC goes on to state that WHOIS policy and its implementation needs to
meet "the legitimate needs of law enforcement and promote consumer trust."
I ask the group, is ICANN fulfilling its commitment, not only to law
enforcement but especially to promote consumer trust, if it allows websites
like this to continue using p/p services?

Thank you for your consideration.

John Horton
President, LegitScript

*Follow LegitScript*:
LinkedIn<http://www.linkedin.com/company/legitscript-com>
|  Facebook <https://www.facebook.com/LegitScript>  |
Twitter<https://twitter.com/legitscript>
|  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
<http://blog.legitscript.com>*  |
Google+<https://plus.google.com/112436813474708014933/posts>

On Mon, May 12, 2014 at 11:40 PM, Libby Baney <libby.baney at fwdstrategies.com
> wrote:

> All --
>
> I appreciate the dialogue the group has begun regarding WHOIS transparency
> for entities engaged in commercial activity. With the hope of encouraging
> discussion on the merits of the issue, I am pleased to share the attached
> white paper: *Commercial Use of Domain Names: An Analysis of Multiple
> Jurisdictions. *
>
> As you'll see, the paper addresses the following question: Should domain
> name registrants who sell products or services on their websites should be
> able to conceal their identity and location in the domain name
> registration? The paper argues that they should not. Rather, the authors
> find that requiring domain name registrants engaged in commercial activity
> to provide transparent WHOIS information falls squarely in line both with
> ICANN’s commitment to Internet users and existing global public policy to
> keep businesses honest and consumers safe. Accordingly, the paper
> recommends an approach that balances personal privacy and consumer
> protection rights. On the one hand, domain names used for non-commercial
> purposes (e.g., personal blogs) should, the authors believe, be permitted
> to utilize privacy or proxy registration. This reflects a fundamental right
> to privacy of domain name registrants not engaged in commerce. However, the
> authors do not believe the same right exists for registrants of websites
> engaged in commerce – a conclusion borne out by our research.
>
> It goes without saying that this group is divided on the issue of
> requiring WHOIS transparency for sites engaged in commercial activity. As
> some in the PPSAI WG have commented, these issues may be complicated but
> they nonetheless merit our full consideration. We hope the attached white
> paper stimulates further thinking and group discussion on the issues.
>
> I look forward to continuing the discussion tomorrow.
>
> Libby
>
> --
> Libby Baney, JD
> President
> FWD Strategies International
> www.fwdstrategies.com
>  P: 202-499-2296
>
>
> _______________________________________________
> Gnso-ppsai-pdp-wg mailing list
> Gnso-ppsai-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ppsai-pdp-wg/attachments/20140513/af32db26/attachment.html>