[CPWG] One additional EPDP issue

George Kirikos icann at leap.com
Thu Feb 14 14:17:23 UTC 2019


Hi folks,

(new to this mailing list, so I'm still catching up)

For most online form implementations, they're very simple, and the
enquirer is not authenticated before using the form. Thus, if a copy
of the email is sent to the "enquirer's email address", the form can
be misused to send spam to random email addresses that are submitted
as the "enquirer's email address."

It's essential that the registrant be able to opt-in to display of
their own email address and contact details in the WHOIS, as otherwise
the registrar becomes a gatekeeper of all those communications,
essentially intercepting it. The registrar's systems become a point of
failure (take a look at the history of downtime of their forms or
email, compared to your own email), any spam filtering they impose on
their form or anonymized email might cause one to lose valuable
communications due to false positives, and any CAPTCHA they use for
their forms might block various legitimate users (e.g. a CAPTCHA might
block inquiries from China, if the registrar uses RECAPTCHA by Google
as the CAPTCHA, as China blocks many Google services). Registrars
often own domain portfolios of their own, and having them be
positioned in a way to see all the inbound inquiries to other people's
domain names gives them competitive intelligence that can create a
conflict of interest, too (e.g. some registrars might use that
intelligence to sell domains to the inquirer from their own portfolio,
or register other domain names that are similar to ones that are
receiving many inquiries, thereby competing with their own customers).

It's kind of a bizarre solution put forth by registrars, that to
protect "privacy", they will "help" by standing in the middle of other
people's correspondence, and relay it between the 2 parties, thereby
being able to fully view and analyze that correspondence! I personally
do not mind having my contact details be 100% public in the WHOIS,
because I want to preserve the privacy of those communications, and
not have the registrars be intercepting them. All registrants should
be able to make that choice for themselves (i.e. whether they want to
preserve the privacy of their contact info, at the expense of having
their communications be intercepted by the registrar; or whether they
want to preserve the privacy of their inbound communications, at the
"expense" of having their contact info be public; different people
will make different choices, depending on their own cost/benefit
analysis). From the registrars' point of view, their "cost" is
extremely low of creating an anonymized email address or form, but
their benefit (that competitive intelligence from intercepting all the
inbound communications of their clients coming from WHOIS) can be
enormous!

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/

On Wed, Feb 13, 2019 at 8:01 PM Olivier MJ Crépin-Leblond <ocl at gih.com> wrote:
>
> Dear Alan,
>
> this is like lobbing correspondence over a wall... something which some of us are accustomed to. :-)
> More seriously though, would it be possible to require that any such correspondence using an online form needs to email a copy of the form to the enquirer's email address as well as the registrant and provide both with a unique case ID? In effect, it's a CRM system. Online businesses use that all the time. I can live with a CRM system that tracks cases even without knowing who owns the domain name.
> Kindest regards,
>
> Olivier
>
> On 13/02/2019 21:42, Alan Greenberg wrote:
>
> There was bound to be one issue that we forgot today.
>
> This is the fact that all communications with a registrant or tech
> contact will be via anonymized e-mail or a web form (which then is
> e-mail sent by the registrar).
>
> Both are what I refer to as "black hole" communications. You tow the
> message out and unless there is a reply, you never know if it was
> really forwarded on your behalf, whether it was received. If it
> bounced, the Registrar may know that it did, but the sender does not.
>
> With a real address, you can at least use a number of tools to try to
> determine if there is a path to the mail server or if the user
> exists. Here there is nothing.
>
> Alan
>
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg