<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I think this analogy fits better indeed. The only difference between
a "normal" registration and a private one is that with the first
everyone can see (to a certain extent) who is at the wheel. So our
main task to keep with the analogy is to define when those windows
have to be lowered and how messages directed at the driver have to
reach him.<br>
<br>
Volker<br>
<br>
<br>
<div class="moz-cite-prefix">Am 01.03.2014 22:28, schrieb Stephanie
Perrin:<br>
</div>
<blockquote
cite="mid:BC4BF655-8C0A-4386-9FB7-34391A1C75CD@mail.utoronto.ca"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
I don’t think we agree that there is more risk with P/P services,
which is kind of a fundamental disagreement. We even have rival
studies backing us up.
<div>As to the analogies, they are useful but limited, as they can
capture our imaginations in ways which are not in accord with
the facts. My analogy for a p/p registration would not be a
tractor trailer licence, it would be a small car with tinted
windows. </div>
<div>Stephanie<br>
<div>
<div>On Mar 1, 2014, at 3:52 PM, Williams, Todd <<a
moz-do-not-send="true"
href="mailto:Todd.Williams@turner.com">Todd.Williams@turner.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="auto">
<font style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">I agree with James that using
analogies/illustrations can be helpful to frame issues
in these discussions, and I think his airport
illustration does a nice job of that. But I would offer
a different one:<br>
<br>
Couldn't we say that registering a "standard" domain
(without a P/P service) is to using a P/P service as
driving a car is to driving a tractor-trailer? Everybody
recognizes that there is a baseline floor of
verification that should be required before you can get
a driver's license. But everybody also recognizes that
because the potential risk from "bad" tractor-trailer
drivers is greater than that of "bad" car drivers (I'm
leaving "bad" undefined here intentionally, because it
doesn't matter whether it's
abusive/malicious/incompetent, etc.), some EXTRA level
of verification is needed before you can get a license
to drive a tractor-trailer. In other words, nobody would
argue that the same test should be used to get a
standard driver's license as to get a license to drive
tractor-trailers, because the latter by definition
carries more risk. So too with "standard" domain
registrations vs. P/P registrations.
<br>
<br>
To James's last point: note that the analogy doesn't
depend on there being anything "inherently suspicious"
about tractor-trailer drivers (in the normative sense);
simply a recognition that what they are doing poses
higher risks for the roadways. Note too that it wouldn't
be much of an argument to say that because the extra
verification required of tractor-trailer drivers
wouldn't always catch "bad" drivers ahead-of-time, we
should instead simply rely on the standard driver's
license test.
<br>
<br>
Of course, this doesn't address just how far beyond the
2013 RAA floor our verification/re-verification
requirements should go, or what additional measures
would or wouldn't be effective. This is just to say that
if the choice we're wrestling with now is between the
2013 RAA vs. "more" (however "more" is defined), I don't
understand the argument on the 2013 RAA side.
<br>
<br>
Todd</font>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"><b>From:</b>
<a moz-do-not-send="true"
href="mailto:gnso-ppsai-pdp-wg-bounces@icann.org">gnso-ppsai-pdp-wg-bounces@icann.org</a>
<<a moz-do-not-send="true"
href="mailto:gnso-ppsai-pdp-wg-bounces@icann.org">gnso-ppsai-pdp-wg-bounces@icann.org</a>>
on behalf of James M. Bladel <<a
moz-do-not-send="true"
href="mailto:jbladel@godaddy.com">jbladel@godaddy.com</a>><br>
<b>Sent:</b> Saturday, March 1, 2014 6:30:35 AM<br>
<b>To:</b> Tim Ruiz<br>
<b>Cc:</b> PPSAI<br>
<b>Subject:</b> Re: [Gnso-ppsai-pdp-wg] For review -
updated templates Cat B, questions 1 and 2</font>
<div> </div>
</div>
<div>
<div>So my last sentence doesn't make much sense, unless
I substitute "it" with the idea of having differing
verification/validation standards for Registrars and
PP services. <br>
<br>
Thanks--
<div><br>
</div>
<div>J.</div>
<div>
<div><br>
</div>
<div>Sent from my iPad</div>
</div>
</div>
<div><br>
On Mar 1, 2014, at 9:35, "James M. Bladel" <<a
moz-do-not-send="true"
href="mailto:jbladel@godaddy.com">jbladel@godaddy.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>In just one sentence, Tim has captured the
essence of the problem. Which isn’t about
determining the “right” answer, but attempting to
strike a balance between security vs. ease of use
and barriers to legitimate access.</div>
<div><br>
</div>
<div>Here’s something we can all relate to: Back in
2001, some jerk tried to blow up a plane with his
shoe. As a result, now 650 million passengers
have to remove their shoes before boarding an
airplane in the US. Is this reasonable? As a
society, we have determined that it is, but would
we feel the same if it was something more, like a
full body search? Probably not. Our privacy
service routinely investigates and suspends
perhaps a thousand domain names in a year. Sounds
like a lot, and it certainly keeps the Abuse team
busy, but ultimately represents a tiny fraction of
the tens of millions of domain names under
management. </div>
<div><br>
</div>
<div>In any event, I see no compelling reason why
the verification requirements for a PP service
should be any different than those of a registrar.
First, as I believe some in this thread have
pointed out, it would allow the service to
leverage code, personnel, & processes
developed by the affiliated registrar. And it
creates a perception that there is something
inherently suspicious about subscribing to a PP
service, or wanting the equivalent of an unlisted
phone number, which simply isn’t the case.</div>
<div><br>
</div>
<div>Thanks—</div>
<div><br>
</div>
<div>J.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family: Calibri; font-size: 11pt;
text-align: left; border-width: 1pt medium
medium; border-style: solid none none; padding:
3pt 0in 0in; border-top-color: rgb(181, 196,
223);">
<span style="font-weight:bold">From: </span>Tim
Ruiz <<a moz-do-not-send="true"
href="mailto:tim@godaddy.com">tim@godaddy.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday,
February 28, 2014 at 21:39 <br>
<span style="font-weight:bold">To: </span>John
Horton <<a moz-do-not-send="true"
href="mailto:john.horton@legitscript.com">john.horton@legitscript.com</a>><br>
<span style="font-weight:bold">Cc: </span>PPSAI
<<a moz-do-not-send="true"
href="mailto:gnso-ppsai-pdp-wg@icann.org">gnso-ppsai-pdp-wg@icann.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[Gnso-ppsai-pdp-wg] For review - updated
templates Cat B, questions 1 and 2<br>
</div>
<div><br>
</div>
<div>
<div dir="auto">
<div>So to make your invsetigation of 150
cases easier (which I question in any event)
millions of users are needlessly hassled.
Makes perfect sense in today's world I
guess.</div>
<div><br>
</div>
<div>Tim</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>On Feb 28, 2014, at 5:32 PM, "John
Horton" <<a moz-do-not-send="true"
href="mailto:john.horton@legitscript.com">john.horton@legitscript.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
Hi all,</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
Verification and re-verification of
registration data would be enormously
useful and important in identifying,
mapping and deterring malfeasance.
Just to share our background to put
our comments in context, we've
assisted in over 150 drug or
supplement investigations by
conducting cybercrime research, and
each project typically involved
research into dozens, hundreds or even
thousands of Whois records plus
corresponding IP/NS/MX etc.
information. There are numerous
instances in which either 1) the
accurate Whois data (including,
accurate data behind a Whois
privacy/proxy service) "broke open"
the case, or 2) submitting a WDRPS
complaint in instances where we could
show that the Whois data was
inaccurate resulted in modified Whois
information that then "broke open" the
case, either by virtue of the modified
Whois information itself, or from
derivative information (e.g.,
additional reverse queries on Whois,
name server, IP address or other
records). Keep in mind too that
sometimes showing that the Whois
record is falsified results in the
suspension of the domain name, which
also has the effect of stopping the
harmful use of that particular domain
name. Verification would result in
some instances of inaccurate
registration data becoming accurate,
or alternatively, of discontinuing
registration services.<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
In the interests of brevity, I hope
that summary is enough explanation,
but if anyone still doesn't understand
how (or agree that) verified
registration data -- or by extension,
verification and some sort of periodic
re-verification -- is useful, I'm
happy to provide a couple of real life
examples of investigations we've
worked on where either the a) accuracy
of the Whois record or b) response to
the inaccuracy finding was extremely
useful, although I'll modify the
domain names. Again, I'm happy to
provide real-life examples, with
redacted information. It's not just
occasionally or mildly useful. It's
enormously important. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
One additional point: keep in mind
that when researching criminal
networks, there are typically multiple
(hundreds or even thousands) of domain
names at play, and even if -- as Tim
pointed out -- the verified email and
phone number have nothing to do with
the person's real identity, good
cybercrime research across the
thousands of Whois records can often
result in derivative information
pointing to the real identity of the
criminal entities. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
As to the point that the domain name
isn't harmful but the content may be,
I suspect that there are minds that
won't be changed in this group on both
sides of that argument. :) But, I'd
point out that that train has left the
station, so to speak: Section 3.18 of
the 2013 RAA clearly contemplates
harmful use of a domain name. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;
color:#073763">
Thanks, </div>
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr"><font color="#073763"
face="arial,helvetica,sans-serif">John Horton<br>
President, LegitScript</font>
<div> <img moz-do-not-send="true"
src="https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257dc6dfc34.png"
width="96" height="21"><br>
<div>
<div>
<div style="margin: 0px;
font-style: normal;
font-variant: normal;
font-weight: normal;
font-size: 12px;
line-height: normal;
font-family: Helvetica;"><br>
</div>
<div style="margin: 0px;
font-style: normal;
font-variant: normal;
font-size: 12px;
line-height: normal;
font-family: Helvetica;">
<b><font color="#444444">Follow</font><font
color="#0b5394"> </font><font>Legit</font><font
color="#0b5394">Script</font></b>:
<a moz-do-not-send="true"
href="http://www.linkedin.com/company/legitscript-com" target="_blank"
style="font-weight:normal">
<font color="#cc0000">LinkedIn</font></a>
| <a
moz-do-not-send="true"
href="https://www.facebook.com/LegitScript"
target="_blank"
style="font-weight:normal"><font
color="#6aa84f">Facebook</font></a>
| <a
moz-do-not-send="true"
href="https://twitter.com/legitscript"
target="_blank"
style="font-weight:normal"><font
color="#674ea7">Twitter</font></a>
| <a
moz-do-not-send="true"
href="https://www.youtube.com/user/LegitScript"
target="_blank"
style="font-weight:normal"><font
color="#bf9000">YouTube</font></a>
| <font color="#ff9900"><u><a
moz-do-not-send="true" href="http://blog.legitscript.com/"
target="_blank">Blog</a></u></font>
|<font color="#ff9900"> <font
style="font-weight:normal"><a moz-do-not-send="true"
href="https://plus.google.com/112436813474708014933/posts"
target="_blank">Google+</a></font></font></div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<div class="gmail_quote">On Fri, Feb
28, 2014 at 12:36 PM, Tim Ruiz <span
dir="ltr">
<<a moz-do-not-send="true"
href="mailto:tim@godaddy.com"
target="_blank">tim@godaddy.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;
border-left:1px #ccc solid;
padding-left:1ex">
<div dir="auto">
<div>It doesn't. I can use
perfectly good information,
including a verifiable phone
number and email address, that
has nothing to do with who I
really am. As we have tried to
argue before, unsuccessfully,
is that all verification does
is push the "miscreants" to be
better at obfiscating who they
are (and it just isn't that
hard). As you said, it only
results in making it difficult
for everyone for the acts of a
few.</div>
<span><font color="#888888">
<div><br>
</div>
<div>Tim</div>
</font></span>
<div>
<div>
<div><br>
</div>
<div><br>
On Feb 28, 2014, at 2:07
PM, "Stephanie Perrin"
<<a
moz-do-not-send="true"
href="mailto:stephanie.perrin@mail.utoronto.ca"
target="_blank">stephanie.perrin@mail.utoronto.ca</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>My apologies I
totally mis-read that.
So how does verification
catch that then?<br>
<div>
<div>On 2014-02-28, at
1:52 PM, John Horton
wrote:</div>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div
style="font-family:arial,helvetica,sans-serif;
color:#073763">Well,
because absent
an accurate
Whois record, it
can be difficult
to know who to
hold
accountable.</div>
<div
style="font-family:arial,helvetica,sans-serif;
color:#073763"><br>
</div>
<div
style="font-family:arial,helvetica,sans-serif;
color:#073763">Stephanie,
to clarify: I
was saying that
95% of Whois
data in a
certain
sub-category of
criminal or
miscreant
behavior (spam,
malware,
phishing) is
<u>inaccurate</u> (not
"accurate"). </div>
<div
class="gmail_extra"><br
clear="all">
<div>
<div dir="ltr"><font
color="#073763" face="arial,helvetica,sans-serif">John Horton<br>
President,
LegitScript</font>
<div> <img
moz-do-not-send="true"
src="https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257dc6dfc34.png"
width="96"
height="21"><br>
<div>
<div>
<div
style="margin-top:0px;
margin-right:0px;
margin-bottom:0px;
margin-left:0px;
font:normal
normal normal
12px/normal
Helvetica">
<br>
</div>
<div
style="margin-top:0px;
margin-right:0px;
margin-bottom:0px;
margin-left:0px;
font-style:normal;
font-variant:normal;
font-size:12px;
line-height:normal;
font-family:Helvetica">
<b><font
color="#444444">Follow</font><font
color="#0b5394"> </font><font>Legit</font><font color="#0b5394">Script</font></b>:
<a
moz-do-not-send="true"
href="http://www.linkedin.com/company/legitscript-com" target="_blank"
style="font-weight:normal">
<font
color="#cc0000">LinkedIn</font></a>
| <a
moz-do-not-send="true"
href="https://www.facebook.com/LegitScript" target="_blank"
style="font-weight:normal"><font
color="#6aa84f">Facebook</font></a> | <a moz-do-not-send="true"
href="https://twitter.com/legitscript"
target="_blank" style="font-weight:normal"><font color="#674ea7">Twitter</font></a>
| <a
moz-do-not-send="true"
href="https://www.youtube.com/user/LegitScript" target="_blank"
style="font-weight:normal"><font
color="#bf9000">YouTube</font></a> | <font color="#ff9900"><u><a
moz-do-not-send="true"
href="http://blog.legitscript.com/" target="_blank">Blog</a></u></font>
|<font
color="#ff9900">
<font
style="font-weight:normal"><a
moz-do-not-send="true"
href="https://plus.google.com/112436813474708014933/posts"
target="_blank">Google+</a></font></font></div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<div
class="gmail_quote">On
Fri, Feb 28,
2014 at 9:44
AM, Stephanie
Perrin <span
dir="ltr">
<<a
moz-do-not-send="true"
href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank">stephanie.perrin@mail.utoronto.ca</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0 .8ex;
border-left:1px
#ccc solid;
padding-left:1ex">
<div
style="word-wrap:break-word">I
agree, it is
all about
risk...but
what risk are
we really
talking about?
I dont
understand why
a P/P provider
should be
forced to take
on more risk
than other
registrars.
Further,why
should the
registrar be
accountable
for verified
data, once the
original data
verification
is done. If
John is
correct and in
95% of cases
the data from
the P/P
service
provider was
proven
accurate, then
how does any
amount of data
verification
solve the
problem? The
accountability
for miscreant
behaviour of
all kinds
rests with the
domain name
user. IF the
data is
inaccurate,
ramp up the
penalties if
it can be
shown that the
data was
rendered
inaccurate for
the purposes
of fraudulent
activity.
<div>At the
risk of
sounding
overly
philosophical,
It seems to me
that the
Internet
ecosystem is
somehow being
held to
account for
the actions of
individuals.
It is the
individuals
that should be
held to
account. Not
the domain
name, or the
company that
issued it.
Particularly,
I think that
if products
sold are
tainted, then
there is
plenty of
other consumer
protection law
that
applies...why
are we trying
to solve that
problem? </div>
<div>Cheers
Stephanie
perrin
<div>
<div><br>
<div>
<div>On
2014-02-28, at
12:29 PM,
Carlton
Samuels wrote:</div>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div
style="font-family:comic
sans
ms,sans-serif;
font-size:large">..which seems to me all about risk management on part
of the
provider. Its
the results
that matter.</div>
<div
style="font-family:comic
sans
ms,sans-serif;
font-size:large"><br>
</div>
<div
style="font-family:comic
sans
ms,sans-serif;
font-size:large">So, for all the possible permutations, in line with
those
enumerated by
Volker, might
it not be more
useful to
refer
'verified
credentials'
as a
requirement on
the provider,
allow them to
accept the
business risk
and leave it
to them to
decide how to
do
it.......and,
inherently,
the risks
acceptable to
them for
provisioning
the service?</div>
<div
style="font-family:comic
sans
ms,sans-serif;
font-size:large"><br>
</div>
<div
style="font-family:comic
sans
ms,sans-serif;
font-size:large">-Carlton </div>
</div>
<div
class="gmail_extra"><br
clear="all">
<div><br>
==============================<br>
Carlton A
Samuels<br>
Mobile: <a
moz-do-not-send="true"
href="tel:876-818-1799" value="+18768181799" target="_blank">876-818-1799</a><br>
<i><font
color="#33CC00">Strategy,
Planning,
Governance,
Assessment
&
Turnaround</font></i><br>
=============================</div>
<br>
<br>
<div
class="gmail_quote">On
Fri, Feb 28,
2014 at 6:29
AM, Volker
Greimann <span
dir="ltr">
<<a
moz-do-not-send="true"
href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0 .8ex;
border-left:1px
#ccc solid;
padding-left:1ex">
<div
bgcolor="#FFFFFF">Hi
John, <br>
<br>
I am having a
bit of a hard
time
understanding
your point
here.<br>
<br>
You are
describing
three
different
cases here,
two of which
will not
benefit from
verification
in the least
bit and one
might, but
only in some
cases:<br>
<br>
a) The data is
accurate, but
stolen: Here
verification
would not
uncover any
issues with
the data as it
is essentially
correct and
will most
likely be
identified as
accurate.<br>
b) The data is
false: Here,
depending on
the methods
used, the
inaccuracy may
be uncovered
and would lead
to an
automated
request to
provide
updated data
or
deactivation
after a set
time.
Remember, in
order to keep
providing
services in a
sensible
manner, this
needs to be
automated in
some form,
i.e. no
individual
record would
likely see any
manual review.<br>
c) The data is
already
accurate: If
the data is
already
correct, what
purpose does
verification
fulfill? The
data cannot
become more
accurate.
Verification
in this case
seems like an
exercise in
self-gratification.<br>
<br>
That said,
even if there
is a benefit
to be derived
from
verification,
such benefits
are achieved
once
verification
concludes.
Re-verification
of already
verified data
fulfills no
purpose
whatsoever. So
if a set of
data has
already been
verified by
the registrar,
there is no
need for the
p/p provider
to again
verify the
same data.
Only if no
verification
is or can be
performed on
the registrar
level does
verification
by providers
come into
play.<br>
<br>
Volker<br>
<br>
<div>Am
28.02.2014
00:32, schrieb
John Horton:<br>
</div>
<div>
<div>
<blockquote
type="cite">
<div dir="ltr">
<div
style="font-family:arial,helvetica,sans-serif;
color:rgb(7,55,99)">
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">Thanks,
Marika. I also
wanted to
provide a
comment
pertaining to
Question 2 in
the
attachments
(relating to
periodic
checks).</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><span style="color:rgb(7,55,99);
font-family:arial,helvetica,sans-serif">In
a few of the
recent
discussions,
there's been
some reference
to criminals
always or
nearly always
being
untruthful in
their Whois
records (even
if
privacy-protected),
leading to the
conclusion
that there is
little purpose
in having a
registrar or
any third
party have to
verify or
re-verify the
information
(especially if
it is
difficult to
prove that the
data is
falsified). I
wanted to
share our
experience and
observations
on that point,
in the hope
that it's
relevant to
future
discussion
regarding
Question 2.</span><br>
</div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">Our
consistent
observation
has been that
when it comes
to a
particular
sub-category
of criminal
activity,
spam,
phishing,
malware, and
so forth, it's
probably safe
to say that
that statement
is true -- the
registrant's
Whois
information is
nearly always
inaccurate.
Even in cases,
such as some
where we've
worked with
law
enforcement,
when the Whois
record for a
domain name
involved in
spam, phishing
or malware is
privacy-protected
and is
subsequently
unmasked, the
Whois record
is still not
accurate
behind the
privacy
curtain. There
are probably
exceptions,
but that's
what we've
seen well over
95% of the
time. On
occasion, it's
a real address
and phone
number, just
not one
genuinely
connected to
the
registrant. </font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">But
there are
other types of
criminal
activity where
the Whois
record is not
so regularly
obfuscated.
For example,
we investigate
a lot of
websites
selling
tainted
dietary
supplements
that end up
containing
some toxin or
adulterant
that harms
people. In
those cases,
we've
overwhelmingly
seen that even
if the Whois
record is
privacy-protected,
the trend is
that the
underlying
Whois record
is accurate.
The same has
been true for
illegal or
counterfeit
medical device
websites that
we've
researched. On
illegal
Internet
pharmacies not
engaged in
spam, it's
probably
50-50. (It
might be a
shell
corporation,
but that's
still valuable
information.)</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">One
important
point to
consider is
that the Whois
registration
can be
relevant
information
from a banking
perspective
for commercial
entities. That
is, some banks
are going to
look at an
online
merchant's
domain name
registration
record and if
it's either
inaccurate or
protected,
they may
require
disclosure, or
ask about any
discrepancy,
which can be
an incentive
for criminals
selling
products
online who
nevertheless
want to get
paid via
credit card to
have an
accurate
Whois.
Hackers,
malware
providers and
spammers will
find a way
around that,
but they don't
necessarily
constitute
"most"
criminal
activity.</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">The
point here is,
I think
verification
can still be a
useful and
necessary tool
in either
scenario, even
if it doesn't
uncover useful
information a
portion of the
time. I
realize that
only pertains
to a portion
of the issues
related to
Question 2,
but I hope
that our
observations
on that are
relevant. </font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif"><br>
</font></div>
<div
style="color:rgb(34,34,34);
font-family:arial"><font color="#073763"
face="arial,helvetica,sans-serif">Thanks, </font></div>
</div>
<div
class="gmail_extra"><br
clear="all">
<div>
<div dir="ltr"><font
color="#073763" face="arial,helvetica, sans-serif">John Horton<br>
President,
LegitScript</font>
<div> <img
moz-do-not-send="true"
src="https://static.legitscript.com/assets/logo-smaller-cdb8a6f307ce2c6172e72257dc6dfc34.png"
width="96"
height="21"><br>
<div>
<div>
<div
style="margin-top:0px;
margin-right:0px;
margin-bottom:0px;
margin-left:0px;
font:normal
normal normal
12px/normal
Helvetica">
<br>
</div>
<div
style="margin-top:0px;
margin-right:0px;
margin-bottom:0px;
margin-left:0px;
font-style:normal;
font-variant:normal;
font-size:12px;
line-height:normal;
font-family:Helvetica">
<b><font
color="#444444">Follow</font><font
color="#0b5394"> </font><font>Legit</font><font color="#0b5394">Script</font></b>:
<a
moz-do-not-send="true"
href="http://www.linkedin.com/company/legitscript-com" target="_blank"
style="font-weight:normal">
<font
color="#cc0000">LinkedIn</font></a>
| <a
moz-do-not-send="true"
href="https://www.facebook.com/LegitScript" target="_blank"
style="font-weight:normal"><font
color="#6aa84f">Facebook</font></a> | <a moz-do-not-send="true"
href="https://twitter.com/legitscript"
target="_blank" style="font-weight:normal"><font color="#674ea7">Twitter</font></a>
| <a
moz-do-not-send="true"
href="https://www.youtube.com/user/LegitScript" target="_blank"
style="font-weight:normal"><font
color="#bf9000">YouTube</font></a> | <font color="#ff9900"><u><a
moz-do-not-send="true"
href="http://blog.legitscript.com/" target="_blank">Blog</a></u></font>
|<font
color="#ff9900">
<font
style="font-weight:normal"><a
moz-do-not-send="true"
href="https://plus.google.com/112436813474708014933/posts"
target="_blank">Google+</a></font></font></div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<div
class="gmail_quote">On
Wed, Feb 26,
2014 at 2:39
AM, Marika
Konings <span
dir="ltr">
<<a
moz-do-not-send="true"
href="mailto:marika.konings@icann.org" target="_blank">marika.konings@icann.org</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0 .8ex;
border-left:1px
#ccc solid;
padding-left:1ex">
<div
style="font-size:14px;
font-family:Calibri,sans-serif;
word-wrap:break-word">
<div>Dear All,</div>
<div><br>
</div>
<div>Following
our call
yesterday,
please find
attached the
updated
templates for
Category B –
questions 1
& 2.
Please review
these
templates to
make sure the
WG discussions
have been
accurately
reflected and
feel free to
share any
comments /
edits you may
have with the
mailing list.
We've created
a page on the
wiki where
we'll post the
templates that
have been
finalised for
now (noting
that for some
of these the
WG will need
to come back
to the
template at a
later date),
see <a
moz-do-not-send="true"
href="https://community.icann.org/x/ihLRAg" target="_blank">https://community.icann.org/x/ihLRAg</a>. </div>
<div><br>
</div>
<div>The WG
will continue
its
deliberations
on Category B
– Question 2
next week.
Some of the
questions that
came up during
the
conversation
yesterday and
which you are
encouraged to
share your
views on
(and/or add
additional
questions that
need to be
considered in
this context)
are:</div>
<ul>
<li>What would
be the
arguments for
not using the
same standards
/ requirements
for validation
and
verification
as per the
2013 RAA?
</li>
<li>Should
there be a
requirement
for
re-verification,
and if so,
what instances
would trigger
such
re-verification?
</li>
<li>In case of
affliction
between the
P/P service
and the
registrar, if
the
registration
information
has already
been verified
by the
registrar,
should this
exempt the P/P
provider from
doing so?
</li>
<li>Should the
same
requirements
apply to
privacy and
proxy services
or is there a
reason to
distinguish
between the
two?
</li>
</ul>
<div>Best
regards,</div>
<div><br>
</div>
<div>Marika</div>
</div>
<br>
_______________________________________________<br>
Gnso-ppsai-pdp-wg
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a><br>
<a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg"
target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Gnso-ppsai-pdp-wg mailing list
<a moz-do-not-send="true" href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a><a moz-do-not-send="true" href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></pre>
</blockquote>
<br>
</div>
</div>
<pre cols="72">--
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann
- Rechtsabteilung -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20901" value="+4968949396901" target="_blank">+49 (0) 6894 - 9396 901</a>
Fax.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20851" value="+4968949396851" target="_blank">+49 (0) 6894 - 9396 851</a>
Email: <a moz-do-not-send="true" href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>
Web: <a moz-do-not-send="true" href="http://www.key-systems.net/" target="_blank">www.key-systems.net</a> / <a moz-do-not-send="true" href="http://www.rrpproxy.net/" target="_blank">www.RRPproxy.net</a><a moz-do-not-send="true" href="http://www.domaindiscount24.com/" target="_blank">www.domaindiscount24.com</a> / <a moz-do-not-send="true" href="http://www.brandshelter.com/" target="_blank">www.BrandShelter.com</a>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
<a moz-do-not-send="true" href="http://www.facebook.com/KeySystems" target="_blank">www.facebook.com/KeySystems</a><a moz-do-not-send="true" href="http://www.twitter.com/key_systems" target="_blank">www.twitter.com/key_systems</a>
Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken
Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP
<a moz-do-not-send="true" href="http://www.keydrive.lu/" target="_blank">www.keydrive.lu</a>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20901" value="+4968949396901" target="_blank">+49 (0) 6894 - 9396 901</a>
Fax.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20851" value="+4968949396851" target="_blank">+49 (0) 6894 - 9396 851</a>
Email: <a moz-do-not-send="true" href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>
Web: <a moz-do-not-send="true" href="http://www.key-systems.net/" target="_blank">www.key-systems.net</a> / <a moz-do-not-send="true" href="http://www.rrpproxy.net/" target="_blank">www.RRPproxy.net</a><a moz-do-not-send="true" href="http://www.domaindiscount24.com/" target="_blank">www.domaindiscount24.com</a> / <a moz-do-not-send="true" href="http://www.brandshelter.com/" target="_blank">www.BrandShelter.com</a>
Follow us on Twitter or join our fan community on Facebook and stay updated:
<a moz-do-not-send="true" href="http://www.facebook.com/KeySystems" target="_blank">www.facebook.com/KeySystems</a><a moz-do-not-send="true" href="http://www.twitter.com/key_systems" target="_blank">www.twitter.com/key_systems</a>
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
<a moz-do-not-send="true" href="http://www.keydrive.lu/" target="_blank">www.keydrive.lu</a>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
</pre>
</div>
<br>
_______________________________________________<br>
Gnso-ppsai-pdp-wg
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a><br>
<a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg"
target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
_______________________________________________<br>
Gnso-ppsai-pdp-wg
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a><br>
<a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg"
target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Gnso-ppsai-pdp-wg
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a><br>
<a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg"
target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>Gnso-ppsai-pdp-wg
mailing list</span><br>
<span><a
moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org" target="_blank">Gnso-ppsai-pdp-wg@icann.org</a></span><br>
<span><a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg"
target="_blank">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></span></div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</span></div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>Gnso-ppsai-pdp-wg mailing list</span><br>
<span><a moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org">Gnso-ppsai-pdp-wg@icann.org</a></span><br>
<span><a moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></span></div>
</blockquote>
</div>
</div>
_______________________________________________<br>
Gnso-ppsai-pdp-wg mailing list<br>
<a moz-do-not-send="true"
href="mailto:Gnso-ppsai-pdp-wg@icann.org">Gnso-ppsai-pdp-wg@icann.org</a><br>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Gnso-ppsai-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-ppsai-pdp-wg@icann.org">Gnso-ppsai-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann
- Rechtsabteilung -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: <a class="moz-txt-link-abbreviated" href="mailto:vgreimann@key-systems.net">vgreimann@key-systems.net</a>
Web: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a> / <a class="moz-txt-link-abbreviated" href="http://www.RRPproxy.net">www.RRPproxy.net</a>
<a class="moz-txt-link-abbreviated" href="http://www.domaindiscount24.com">www.domaindiscount24.com</a> / <a class="moz-txt-link-abbreviated" href="http://www.BrandShelter.com">www.BrandShelter.com</a>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
<a class="moz-txt-link-abbreviated" href="http://www.facebook.com/KeySystems">www.facebook.com/KeySystems</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/key_systems">www.twitter.com/key_systems</a>
Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken
Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP
<a class="moz-txt-link-abbreviated" href="http://www.keydrive.lu">www.keydrive.lu</a>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: <a class="moz-txt-link-abbreviated" href="mailto:vgreimann@key-systems.net">vgreimann@key-systems.net</a>
Web: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a> / <a class="moz-txt-link-abbreviated" href="http://www.RRPproxy.net">www.RRPproxy.net</a>
<a class="moz-txt-link-abbreviated" href="http://www.domaindiscount24.com">www.domaindiscount24.com</a> / <a class="moz-txt-link-abbreviated" href="http://www.BrandShelter.com">www.BrandShelter.com</a>
Follow us on Twitter or join our fan community on Facebook and stay updated:
<a class="moz-txt-link-abbreviated" href="http://www.facebook.com/KeySystems">www.facebook.com/KeySystems</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/key_systems">www.twitter.com/key_systems</a>
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
<a class="moz-txt-link-abbreviated" href="http://www.keydrive.lu">www.keydrive.lu</a>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
</pre>
</body>
</html>