[gnso-rpm-wg] Identity Theft -- how it affects various proposals submitted

Paul Keating paul at law.es
Fri Sep 7 17:29:32 UTC 2018


George,

I wonder if the loser pays system might be a solution for GDPR and thus form a legal reason for identity disclosure......  :-)

Sent from my iPad

> On 7 Sep 2018, at 15:10, George Kirikos <icann at leap.com> wrote:
> 
> Hi folks,
> 
> Reviewing some of the proposals that were submitted by last night's
> deadline, I think that they'd encounter some very serious problems in
> terms of implementation, because of lack of WHOIS verification and
> vulnerabilities associated with identity theft.
> 
> For example, there were multiple "loser pays" submissions (I too am on
> the record as being strongly in favour of "loser pays" as a concept,
> but I qualified my support, noting (without going into too much
> detail):
> 
> https://mm.icann.org/pipermail/gnso-rpm-wg/2018-August/003226.html
> 
> that (in point #11) the system had to be carefully constructed, with
> systems of checks and balances in place.
> 
> While I made submissions on other topics, folks will note I didn't
> submit one on "loser pays" at this time, because I realized that in
> order to properly implement a loser pays system one would need to
> solve a whole series of other problems first. And to solve those other
> problems first might become a monumental task (I'd be up to that
> monumental task, but not sure the rest of the PDP members would be
> willing to do it! If the rest of the group does want to solve them,
> I'd love to rise to the challenge too).
> 
> So, here's just one of the major problems that would need to be solved
> before implementing "loser pays" or penalties --- lack of WHOIS
> verification which relates to identity theft. Registrars generally
> don't have any "Know Your Client" requirements and there is no real
> verification of the true identity of the person/entity that purports
> to be the registrant. There might be verification that the email
> address and/or the telephone number are verified. But, all the rest of
> the fields in the WHOIS can easily be faked, or used to impersonate
> others to commit identity theft.
> 
> This is not some theoretical issue. I know first hand, as someone
> using a Chinese registrar copied my company's WHOIS for a malware
> domain, see the historical WHOIS at:
> 
> https://research.domaintools.com/research/whois-history/search/?q=antivirusan.com&date=2011-06-16&origin=permalink
> 
> (I had a Google Alert triggered, and that's how I noticed it; the
> attacker changed the phone number by 1 digit from my real phone
> number, but copied my name, company name, fax, address, and used a
> gkirikos@ address (obviously not matching my real email address).)
> 
> [I complained to the registrar, and also using an ICANN WHOIS complaint]
> 
> [NB: with GDPR and redacted WHOIS out there, it could be happening
> *now* -- how would I know??]
> 
> This has even happened within UDRP cases, where there has been
> identity theft, see:
> 
> http://www.udrpsearch.com/search?query=identity%20theft&search=text&results=100&start=1
> 
> for various matches. e.g.:
> 
> http://www.adrforum.com/domaindecisions/1774660.htm
> http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1843
> 
> So, let's consider various scenarios. If there's a "loser pays"
> system, new vulnerabilities would be created if a system is not
> carefully constructed. An attacker could copy someone else's
> name/identity, use it for cybersquatting, and "lose" a UDRP/URS. Now
> that victim of identity theft would potentially have a liability for
> damages on a domain they never actually registered, using a registrar
> that they never had any relationship with.
> 
> Most of the time, the registrar simply has a relationship with a
> purported identity, not a verified identity with a verified
> relationship (i.e. "Tom Cruise" is a real person, but the famous actor
> Tom Cruise is unlikely to be the actual registrant with a real
> relationship with a registrar, if that actor's name is placed into the
> WHOIS by an attacker).
> 
> One of the proposals went even further, saying:
> 
> https://community.icann.org/display/RARPMRIAGPWG/URS+Proposals
> 
> "the penalties should include (i) a requirement that the registrant
> deposit funds into an escrow account, or provide an equivalent
> authorization on a credit card, with each new domain registration
> (such funds could be dispersed to prevailing complainants in future
> domain name disputes against that registrant as part of a “loser pays”
> system), and (ii) a universal blocking of all domain registrations for
> a set period for the registrant (i.e. “blacklisting” the registrant on
> a temporary basis)" (from proposal #30)
> 
> It should be fairly obvious that such a scheme would enable an
> attacker to engage in a Denial of Service attack against a victim, by
> impersonating them (stealing their identity).
> 
> e.g. (a) spend $20 total on a few dozen "throwaway" domains that have
> a sub-$1 dollar promo price (b) copy the victim's identity on a series
> of "famousbrand-authorized-store.newgtld" domains (c) wait for the
> victim to lose the URS/UDRP and be labelled a "repeat offender" or
> "high volume cybersquatter"
> 
> Now when the *real* victim wants to register a domain at their real
> registrar, they'll suddenly encounter their name on a "blacklist"!!
> 
> To show how truly vulnerable the system is to an attack, there's
> likely no real verification by the URS/UDRP providers that a
> *Complainant* is who they say they are!
> 
> So, let's suppose the "victim" is "John Smith". The attacker has
> created the cybersquatting domains under the "John Smith" name, using
> multiple trademarks of Amazon, for example. Instead of waiting for the
> brandholder Amazon to file a URS (i.e. step (c) above), a truly
> motivated attacker (think state-funded actors, as an example, that
> want to interfere with a business competitor or an election) could go
> even further, and go impersonate the brandholder and file the URS or
> UDRP actions as a complaint!
> 
> This email's getting long, and the more sophisticated readers can see
> where this takes us. I won't go into too much more detail now (can
> expand later, if desired), but you'd need to develop a system not only
> to verify identity properly, but also a system to *DISAVOW* domain
> name registrations. That disavowal system would be very hard for
> domains (a disavowal system was developed by Google for backlinks,
> https://support.google.com/webmasters/answer/2648487?hl=en , but
> that's much easier). [Real verification could take place via a digital
> signature system, like the one that exists in Estonia, for example]
> 
> And even if one did verify identity properly (e.g. "John Smith" is
> labelled a serial cybersquatter), there are so many people that share
> common names (think China, India) that the blacklist would have
> collateral damage on many innocent registrants.
> 
> And here's the thing -- an attacker can simply create a new real
> identity (even a "verified" one) very cheaply. For £12, (USD $15.59 at
> the time of this post), one can create a real UK company online within
> 24 hours:
> 
> https://www.gov.uk/limited-company-formation/register-your-company
> 
> (or effectively "free" if one uses a stolen credit card, as criminals
> tend to do!)
> 
> So, even a "properly" implemented system would not be effective, if
> one can create new verified identities at low cost.
> 
> The only real parties within the ICANN system that *are* verified are
> registrars and registries, and I think they would likely push back
> very hard if they are the "losers" who have to pay up. [an unverified
> Complainant can put up a security bond before filing a complaint, and
> to that extent that bond could also represent security if the
> Complainant loses, albeit the Complainant themselves may not be who
> they say they are.]
> 
> [by the way, I do like the idea of posting security bonds, but not in
> the manner that the proposals have suggested --- I would want security
> bonds as a means for registrants to completely *opt-out* of URS/UDRP,
> so that any disputes for a "bonded" registrant/domain can be handled
> only by the courts]
> 
> Even the real legal system (court system) could be subject to attempts
> at foul play using these kinds of tricks. However, real courts have
> much stronger due process mechanisms and machinery (e.g. court orders,
> contempt, etc.) to deal with them (e.g. subpoena the registrar who
> enabled the identity theft, discovery, etc.) and the real victim would
> have to be properly served, etc. URS/UDRP providers don't have those
> strong mechanisms or powers.
> 
> So, I'm very sympathetic to the motivation behind these proposals, and
> the objective to go after the bad guys. I want loser pays too, in
> order to protect my company from frivolous complaints. I know others
> with valuable domains want the same thing. But, the proposals on the
> table right now will need much, much more work before I can support
> them. All the various vulnerabilities that are present in the system
> *today* will be magnified if "loser pays" or "penalties" are adopted
> without addressing issues like verification and identity theft first.
> 
> Sincerely,
> 
> George Kirikos
> 416-588-0269
> http://www.leap.com/
> 
> P.S. I don't know if we have any SSAC members on this PDP, but the
> broader issue of vulnerabilities and identity theft might be passed on
> to them for advice.
> _______________________________________________
> gnso-rpm-wg mailing list
> gnso-rpm-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rpm-wg