[registration-issues-wg] [CPWG] Fwd: [Policy] Chatham House publish a comment by Emily Taylor on WHOIS and GDPR

Derek Smythe derek at aa419.org
Sat Oct 20 20:10:23 UTC 2018


On 2018/10/20 20:28, Greg Shatan wrote:

> I’m not sure the suspension of the PPSAI IRT is anything to celebrate.

Agreed totally. Currently the RAA #3.7.7.3 and the
Specification on Privacy and Proxy Registrations are massively ignored
and not monitored. In turn this leads to phrases in response on
massive abuse of these proxies like:
> To clarify this matter, the registrar of record confirmed  ... and those registered with similar information, are registered to a third party or reseller and not a proxy service. Under the 2013 Registrar Accreditation Agreement (RAA), resellers may be registrants for domain names.

These were domains registered with a reseller's in-house proxy having
no proxy terms as per the RAA, spoofing the likes of NATO, banks etc
apart from other malicious domains. The reseller is an affiliate with
its own domain registration panel and appearing as the reseller in a
WHOIS lookup.

To expand on what we're seeing ...

> Privacy/proxy is not dead; it may even be more alive than ever. One
> registrar has apparently put all of its registrants under its P/P
> protection. If a party seeks registrant information, they are first
> confronted with the P/P information. If they make a request from the
> P/P provider and they are successful, they are provided with ... a
> dataset with all of the contact information redacted due to GDPR. 

If anything, the .US ccTLD registrations at one such "blanket P/P
protection registrar", should be an extreme reason for concern. We see
all types of illegality in blatant conflict of local law at this
registrar. The quality of the registration data is not worth the time
taken to look at. Yet this is now blanketed with P/P protections. It's
no surprise this registrar sees growth, a migration from non-fraud
tolerant registrars to it. It also is the topic of regular posts in
the media regarding domain abuse, ditto the constant subject of
mutterings in security groups. As such it's no surprise the registrar
was also the source of the most long lived malicious domains abused in
advance fee fraud in 2017, which in turn leads to a privacy
deprivation and undermining the rights of legitimate domain name
holders. In some TLD registries this leads to a situation where most
of the registration data is blanked, apart from the country. So first
we have to battle the registry to obtain information, then we have to
battle the proxy provider registrar.

The irony was that the decision to offer blanket P/P protection where
possible, had nothing to do with consumer rights or privacy. It was
a reactive decision due to the inability of the registrar to fix
default settings when registrants register new domains after they
deployed a new interface. The hosting/domain community was taking the
registrar to task on a public forum and they were losing clients.

Of course the registrar likes to claim the complainant has to obtain a
court order. This is not unlike the situation explained in the new
MAAWG/APWG report on the negative effects on the GDPR WHOIS:

https://www.m3aawg.org/sites/default/files/m3aawg-apwg-whois-user-survey-report-2018-10.pdf

> Insistence on court orders underscores the extraordinary change away from timely access to access that renders WHOIS nearly useless. Obtaining a court order from a local jurisdiction is
> challenging in and of itself. Out of jurisdiction investigators must obtain court orders through protracted Mutual Legal Assistance Treaty (MLAT) processes that take months, at great expense, if they are able to obtain them at all. This is true even for law enforcement, when they can avail themselves of MLAT assistance procedures.

The games continue.

My 5c ...

Derek Smythe
Artists Against 419
http://www.aa419.org

