[registration-issues-wg] [CPWG] [GTLD-WG] Next possible move related to GDPR

Derek Smythe derek at aa419.org
Wed Sep 5 16:24:11 UTC 2018


Realities please.

Ironically this is exactly what another registrar said as well in
response to a complaint to ICANN Compliance.

This, despite the fact that this was the second Registrar Standards
report I made on exactly the same registrar issue in as many years
against teh same registrar. In it I analyzed registration details that
were not verified to death and back. I showed the registrar was not
verifying details as per the RAA, how we saw impossible phone numbers
and addresses, all linked, how the registrant "Bar Clay" was
manufactured. No guess for what. I showed how the Registrar has a
broken reporting system that can impossibly allow for compliance
metrics as per the RAA and it's abused as a get-out-of-jail-free card.
This formed the basis for a massive nest that saw banks and commerce
spoofed, while creating more fake online entities - all in a consumer
focused attack.

Incidentally, before making it a LEA issue: Michele, you yourself saw
some of this in another group where we are mutual members. LEA was
involved, due process etc. Their hands are tied - jurisdictional
issues. Suffer the people of India, no matter that we see tender scams
and job scams targeting them with registration details not worth the
time to read it.

ICANN Compliance blindly accepted the registrar response as "content
issues", chose to close the complaint. The self blinding is
unbelievable. It's now sitting at ICANN Complaints and some of it will
be available on the ICANN Complaints page the end of the month.

This is also NOT what was told to the community during the GDPR
discussions, where it was said registrars check registration details.
So were the community sold a bag of goods under false pretenses?

A second part of this complaint is already on the ICANN Complaints
page (out of order processing), where the Registrar's reseller chose
to provide a proxy not meeting the RAA specification on proxies. This
was closed as being a proxy for the reseller for own use and outside
the scope of the RAA - which incidentally spoofed banks and even NATO
personnel in consumer facing attacks. Also a phishing attacks turning
to BEC. All the community input on this issue, including that of ICANN
SSAC, was was ignored.

Content issues may have many originating points in the attack on the
consumer. But if a malicious registrant registers a domain with
patently fake registration details, the uses that domain to host
content, does it merely depend on the content if it's abusive of not?
Does it merely rely on commercial third party rights that may or may
not be violated? Spoofing a bank vs creating a totally FakeBank to
confuse consumers, where FakeBank may not even have an associated
website, rather be used in email only consumer attacks? Does this not
undermine SPF/DKIM/DMARC intent? How about the ability to re-host
content on as many hosters as there are hosters, while the malicious
registrant re-points the DNS for the domain? Do I blame a real bank
for consumer because if they are spoofed and chose not to defend their
rights (the surrogacy mentioned)? One consumer attack saw a spoofed
lawyer in Africa chosing not to defend his domain, it being terminated
27 times at hosting level and continuously jumping around. How is this
NOT DNS abuse?

This is not some theoretical situation - we see this abuse daily and
it's massive and pervasive in the DNS system.  It even fuels certain
industries. Yesterday a "nest" of ~250 malicious domains was put on
clienthold at a certain registrar. It was a reseller's total account
minus three potentially legitimate (arguably) domains. This was a
romance scam nest with massive amounts of victims in the Far East,
some in Europe, some in the USA, some in South America, some in Africa
and Australia. It's in a country where there is no chance of
investigation or arrest. Some consumers' saving grace was also the
most dangerous - their details were trivially being leaked out by
these websites. Some lost fortunes, yet some were warned in time.
Incidentally it's also this type of abuse leading to innocent
consumers ending up as unwitting drug and money mules.

Here is the registrant vs consumer issue also previously mentioned.
Not only is the registrant defrauding the consumer, it's also opening
the door to consumer privacy loss and other human rights abuse. Does
the registrant have the right to do this and be shielded by ICANN and
the DNS system? If you answer is "yes", then we may as well make out
the "trust" part of DNS as false and misleading advertising.

It's a fact that Law Enforcement will only engage in some of the
situations, depending on loss or other factors. But then again - they
are not consumer protection, they at best mitigate as resources are
available. They are not the ICANN abuse operators. Other issues such
as MLATs and jurisdiction creates an environment where consumers loose
out if we self blind and try to separate the knife handle from the
knife blade. Already LEA have admitted they do not have the required
resources to combat all the cyber crime.

So now, we are covering up fake registration details with the GDPR and
the consumer has to hope and trust the registrar actually verified the
registrant details. In turn ICANN has to be trusted to enforce the RAA
if a registrar violates it, to protect consumers. But we already know
neither registrars nor ICANN is willing to accept this responsibility.
What now?

The very consumers that the GDPR was meant to protect are now the ones
the most vulnerable with even lesser protections in the ICANN system.
Consumers do know how to use WHOIS. In fact I can see what a
registrant's email is at EurId's website, even if via manual
processes. But not so in the current temporary policy ICANN
implementation. Are we going overboard?

Should we not be looking at natural vs legal person? At this stage I
side with the US approach from a purely consumer protection view.

So please, can we put some real consumer protection into these
discussions and not theories of operation with no basis in reality?
Law enforcement is not the start and end of the discussion, rather it
abuses them making them scapegoats for something not of their own
making. Due process can be abused. Ditto policies.

I'm also not suggesting we be vigilantes, by no means. But ultimately
consumers have the right to not be abused, trivially loose there
livelihoods and be subjected to all forms of degrading treatment while
we have a DNS system that protects this abuse. Consumer protection
should be our goal when discussing the GDPR, after all that is what
the GDPR is about, not self or commercial interests. That does not
mean we can't satisfy both if our interests are legitimate.

I made some very strong statements here. Anybody wishing to know more
is welcome to contact me.

Derek Smythe
Artists Against 419

On 2018/09/05 13:57, Michele Neylon - Blacknight wrote:
> Content != the DNS
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/ 
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
> On 05/09/2018, 04:18, "GTLD-WG on behalf of Jonathan Zuck" <gtld-wg-bounces at atlarge-lists.icann.org on behalf of JZuck at innovatorsnetwork.org> wrote:
>     Trust and Stability of the DNS. Seems simple to justify.
>     From: Holly Raiche <h.raiche at internode.on.net>
>     Sent: Tuesday, September 4, 2018 5:53 PM
>     To: Jonathan Zuck <JZuck at innovatorsnetwork.org>
>     Cc: CPWG <cpwg at icann.org>
>     Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] Next possible move related to GDPR
>     Thanks Jonathan
>     Yes, true.  But if we are to make an argument that those who are NOT 'law enforcement' should have access, then we have to say why.  Under the GDPR, it simply is not good enough to say that I should have access because I hunt down the bad guys.  If we are clear that we must operate within GDPR bounds, then there has to be  reason why an individual who isn't in uniform should have access.
>     Holly
>     On 5 Sep 2018, at 7:18 am, Jonathan Zuck <JZuck at innovatorsnetwork.org<mailto:JZuck at innovatorsnetwork.org>> wrote:
>     Thanks Holly. I appreciate you have a nuanced view but the term "law enforcement" gets used pretty specifically to exclude commercial interests so I just wanted to be clear.
>     From: Holly Raiche <h.raiche at internode.on.net<mailto:h.raiche at internode.on.net>>
>     Sent: Tuesday, September 4, 2018 5:01 PM
>     To: Jonathan Zuck <JZuck at innovatorsnetwork.org<mailto:JZuck at innovatorsnetwork.org>>
>     Cc: Evan Leibovitch <evanleibovitch at gmail.com<mailto:evanleibovitch at gmail.com>>; cpwg at icann.org<mailto:cpwg at icann.org>
>     Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] Next possible move related to GDPR
>     Hi Jonathan
>     I'm using the term generally.  Please don't think the words apply only to those in uniform.  We are talking about abuse of the Internet and how to stop it.  And I"m sure there would be a very good argument to say that those engaged in stopping abuse of the Internet should be considered for access.  But again - please lets first talk about a broad definition. then lets talk about how to define those who do it in a way that does not give carte blanche to anyone who wants to set up shop so they can have access.
>     So let's not create a narrow framework for the debate.  But please, let's stay within a broad framework
>     Holly
>     On 5 Sep 2018, at 6:54 am, Jonathan Zuck <JZuck at innovatorsnetwork.org<mailto:JZuck at innovatorsnetwork.org>> wrote:
>     It's not just law enforcement that help prevent maleware, spam and phishing. It's researchers, commercial enterprises that build reputational databases and yes, even ip folks because there's a strong correlation between copyright and trademark infringement and these other woes. Don't reduce it to law enforcement.
>     From: GTLD-WG <gtld-wg-bounces at atlarge-lists.icann.org<mailto:gtld-wg-bounces at atlarge-lists.icann.org>> On Behalf Of Holly Raiche
>     Sent: Tuesday, September 4, 2018 4:49 PM
>     To: Evan Leibovitch <evanleibovitch at gmail.com<mailto:evanleibovitch at gmail.com>>
>     Cc: cpwg at icann.org<mailto:cpwg at icann.org>
>     Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] Next possible move related to GDPR
>     Sorry Evan
>     I'm with Bastiaan and Tijani and Roberto on this one.
>     Yes, I asked for balance.  And in many of my earlier emails on this issue, I have always acknowledged the genuine reason for law enforcement agencies (defined broadly) to address the misuse of the Internet.
>     I am just saying we must be very careful in giving blanket access to personal data from everyone who puts their hands up to say that they need the data for their own personal pursuit of miscreants.
>     Holly
>     On 5 Sep 2018, at 12:58 am, Evan Leibovitch <evanleibovitch at gmail.com<mailto:evanleibovitch at gmail.com>> wrote:
>     > Hi Holly,
>     >
>     > I'm with Carlton on this.
>     >
>     > I would remind all to recall the reason we are here: ICANN Bylaw Section 12.2(d)(i):
>     >
>     > The role of the ALAC shall be to consider and provide advice on the activities of ICANN, insofar as they relate to the interests  individual Internet users.
>     >
>     > We are here (primarily, arguably exclusively) to (a) determine positions based on the needs of the billions of Internet users and (b) advance those positions within ICANN as strongly as possible. Our role is not to consider and balance all sides before-the-fact; that is for the greater community-based negotiation and ultimately the Board. We are here as advocates, not conciliators.
>     >
>     > Like it or not, ICANN is an adversarial environment in which (Holly and Tijani, you both know this as well as anyone) historically the needs of end-users have taken a back seat to all other interests. If At-Large does not clearly articulate the needs of end users, nobody will -- indeed that is our singular role in ICANN --  and even when we do we're not always listened to. Of course reasonable result and compromise are possible, but let's not handicap our positions before we start. There's been little "balance" or consideration shown to date by those who have already made enforcement of existing ICANN abuse regulations a nightmare and would eagerly roll back even the meagre attempts at protection that already exist.
>     >
>     > When the tolerant and reasonable encounter the intolerant and unreasonable, even if the tolerant are far greater in numbers, the latter gets its way.
>     >
>     > Cheers,
>     > Evan
>     >
>     >
>     > On Tue, 4 Sep 2018 at 07:58, Holly Raiche <h.raiche at internode.on.net<mailto:h.raiche at internode.on.net>> wrote:
>     > Folks
>     >
>     > First - Carlton, while I almost always agree with you, I"m afraid that, this time, I think Bastiaan has made a very good argument and I agree with his statement - which is even more impressive since English is not his first language.  Well done Bastiaan.
>     >
>     > And for Carlton - I still think we are on the same page - or close to.
>     >
>     > And to borrow from a presentation I recently attended:  the issue isn't privacy versus security; it is really an issue of one aspect of security versus another - both are necessary.
>     >
>     > Holly
>     > On 4 Sep 2018, at 8:43 pm, Bastiaan Goslings <bastiaan.goslings at ams-ix.net<mailto:bastiaan.goslings at ams-ix.net>> wrote:
>     >
>     > >
>     > >> On 4 Sep 2018, at 12:22, Carlton Samuels <carlton.samuels at gmail.com<mailto:carlton.samuels at gmail.com>> wrote:
>     > >>
>     > >> Bastiaan:
>     > >> You seem adept at destroying context to feed your allergy.
>     > >
>     > >
>     > > I 'seem adept at destroying'?
>     > >
>     > > Ok, thank you... I am not an English native speaker so I had to look it up just to confirm what you might mean. You have a talent for ('seem adept at') phrasing your sentences quite archaically ;-)
>     > >
>     > > Anyway, perception is of course in the eye of the beholder, which I'll have to respect and therefore cannot comment on. Suffice to say I completely disagree, I have no intention whatsoever to consciously destroy anything, I could have easily quoted someone else to make my point. One that still stands btw.
>     > >
>     > >
>     > >> My phrasing was in context of defining what I meant by majority. Your interpretation blithely ignored the contextual meaning..There  is a word for that I cannot recall at the minute.
>     > >>
>     > >> Kindly,
>     > >> -Carlton
>     > >
>     > >
>     > > Right. Not very 'kind' from where I sit, but I am not going to take offence here.
>     > >
>     > > -Bastiaan
>     >
>     _______________________________________________
>     CPWG mailing list
>     CPWG at icann.org<mailto:CPWG at icann.org>
>     https://mm.icann.org/mailman/listinfo/cpwg
>     _______________________________________________
>     GTLD-WG mailing list
>     GTLD-WG at atlarge-lists.icann.org<mailto:GTLD-WG at atlarge-lists.icann.org>
>     https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
>     Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
> _______________________________________________
> registration-issues-wg mailing list
> registration-issues-wg at atlarge-lists.icann.org
> https://mm.icann.org/mailman/listinfo/registration-issues-wg

More information about the registration-issues-wg mailing list