[registration-issues-wg] [CPWG] Urgent EPDP question

Derek Smythe derek at aa419.org
Mon Oct 15 10:35:46 UTC 2018


We used to see a lot of complaints along the lines of "X you have in
your database also has this domain now" (with WHOIS details and
sometimes how they were scammed by them). It's become noticeable that
we no longer see these types of reports even though the complaints
continue.

We also used to see consumer groups fighting abuse using it a lot. On
general tech forums, when somebody has a query regarding the validity
of say an online shop, they'd look at WHOIS. In turn the average Joe
would know somebody that can assist him with queries and would use it.

So either directly or indirectly, end users used it a lot.

Derek Smythe
Artists Against 419
http://www.aa419.org

On 2018/10/15 12:17, Michele Neylon - Blacknight wrote:
> So I'd personally love to know how many "end users" actually check whois data.
> Any of you got *any* data on that?
> 
> 
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/ 
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
> 
> On 15/10/2018, 08:21, "registration-issues-wg on behalf of Hadia  Abdelsalam Mokhtar EL miniawi" <registration-issues-wg-bounces at atlarge-lists.icann.org on behalf of Hadia at tra.gov.eg> wrote:
> 
>     So far it seems that we have an agreement on the differentiation between natural and legal persons for the benefit of the end users.
>     
>     Kindest Regards
>     Hadia
>     
>     -----Original Message-----
>     From: registration-issues-wg [mailto:registration-issues-wg-bounces at atlarge-lists.icann.org] On Behalf Of Derek Smythe
>     Sent: Monday, October 15, 2018 9:16 AM
>     To: registration-issues-wg at atlarge-lists.icann.org
>     Subject: Re: [registration-issues-wg] [CPWG] Urgent EPDP question
>     
>     Yes, agreed 100%.
>     
>     Contracted parties should treat Legal Persons differently from Natural
>     Persons.
>     
>     We are essentially asking consumers to sign a blank check/cheque when
>     they try and deal with a new business that's GDPR protected as they
>     can't do any form of due diligence in reality. This makes any consumer
>     a potential target to loss of privacy, fraud and more.
>     
>     The only argument should really be as to whether this extends to all
>     Natural Persons or just those of the EU.
>     
>     We need to consider a major concern here is the abuse of domains. How
>     do we protect or mitigate? This is what keeps us all safer. Law
>     enforcement simply cannot do it all as is a matter of record. Nor will
>     litigation for numerous reasons.
>     
>     We also need to ask what happens if a domain claims to be a natural
>     person, but is used for a company? We most certainly have malicious
>     "Interpol", "United Nations" clone domains out there registered to
>     natural persons. And fictitious companies. Even a registrant name "Bar
>     Clay" used for a fake bank. This needs to be addressed as well as we
>     are guaranteed to see abuse of the definitions here.
>     
>     > (As you may note if you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA must do some validation of contact information for new and transferred domains, but none to simple renewal. So there are currently 140,000,000 domains without verified information (5 years after the 2013 RAA came into force) and there is no requirement to ever validate their information - so unspecified time frames can last a LONG time.)
>     
>     I believe we see the most abuse at the start of the domain's life
>     cycle and the chance of abuse declines over time. This has most
>     certainly been my experience in advance fee fraud. So we can be
>     somewhat flexible on older established domains.
>     
>     A bigger danger is registrars that have not signed the RAA 2013 and
>     still bound under older versions of the RAA. I discovered one
>     recently, much abused.
>     
>     A potential loophole is in private domain resales. We encounter
>     situations where the new owner simply changes the emails and not the
>     other details, then starts abusing that domain. This is also used as a
>     stepping stone to purchase new domains at the original registrar.
>     
>     
>     Something to chew on, three years old but still as valid as ever:
>     
>     http://www.securityskeptic.com/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html
>     
>     Obviously there is a risk in displaying Legal Persons details. But if
>     they can't protect themselves, how can they be expected to protect
>     those they deal with? A simple explanation page to each registrant
>     email would be simpler than trying to fix later where we're heading to.
>     
>     Derek Smythe
>     Artists Against 419
>     http://www.aa419.org
>     
>     
>     On 2018/10/15 03:12, Alan Greenberg wrote:
>     > Here is a question that we need an answer on no later than Tuesday
>     > morning.
>     > 
>     > GDPR requires the information related to Natural Persons be protected
>     > (for those resident in Europe). GDPR does not apply to
>     > Legal Persons (ie companies).
>     > 
>     > ICANN's Temporary Spec allows contracted parties to treat all
>     > registrants alike and subject to GDPR.
>     > 
>     > The EPDP Charter includes questions about whether contracted parties
>     > may or must treat Legal Persons differently from Natural Persons.
>     > 
>     > The GAC, BC and IPC have made strong statements about the need to
>     > restrict GDPR to Natural Persons. The contracted parties are pushing
>     > back - strongly. The words vary, but in essence what they are saying
>     > ranges from there should be no constraint on them to yes, they may
>     > differentiate but with an unspecified time-frame.  (As you may note if
>     > you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA
>     > must do some validation of contact information for new and transferred
>     > domains, but none to simple renewal. So there are currently
>     > 140,000,000 domains without verified information (5 years after the
>     > 2013 RAA came into force) and there is no requirement to ever validate
>     > their information - so unspecified time frames can last a LONG time.)
>     > 
>     > I personally feel that it is essential that we should differentiate
>     > between legal persons and natural persons, just as GDPR and other
>     > privacy legislation does.
>     > 
>     > Comments?
>     > 
>     > Alan
>     > 
>     > _______________________________________________
>     > CPWG mailing list
>     > CPWG at icann.org
>     > https://mm.icann.org/mailman/listinfo/cpwg
>     > _______________________________________________
>     > registration-issues-wg mailing list
>     > registration-issues-wg at atlarge-lists.icann.org
>     > https://mm.icann.org/mailman/listinfo/registration-issues-wg
>     > 
>     
> 

