[Gnso-ppsai-pdp-wg] For review - updated templates Cat B, questions 1 and 2

John Horton john.horton at legitscript.com
Thu Feb 27 23:32:48 UTC 2014 

Thanks, Marika. I also wanted to provide a comment pertaining to Question 2
in the attachments (relating to periodic checks).

In a few of the recent discussions, there's been some reference to
criminals always or nearly always being untruthful in their Whois records
(even if privacy-protected), leading to the conclusion that there is little
purpose in having a registrar or any third party have to verify or
re-verify the information (especially if it is difficult to prove that the
data is falsified). I wanted to share our experience and observations on
that point, in the hope that it's relevant to future discussion regarding
Question 2.

Our consistent observation has been that when it comes to a particular
sub-category of criminal activity, spam, phishing, malware, and so forth,
it's probably safe to say that that statement is true -- the registrant's
Whois information is nearly always inaccurate. Even in cases, such as some
where we've worked with law enforcement, when the Whois record for a domain
name involved in spam, phishing or malware is privacy-protected and is
subsequently unmasked, the Whois record is still not accurate behind the
privacy curtain. There are probably exceptions, but that's what we've seen
well over 95% of the time. On occasion, it's a real address and phone
number, just not one genuinely connected to the registrant.

But there are other types of criminal activity where the Whois record is
not so regularly obfuscated. For example, we investigate a lot of websites
selling tainted dietary supplements that end up containing some toxin or
adulterant that harms people. In those cases, we've overwhelmingly seen
that even if the Whois record is privacy-protected, the trend is that the
underlying Whois record is accurate. The same has been true for illegal or
counterfeit medical device websites that we've researched. On illegal
Internet pharmacies not engaged in spam, it's probably 50-50. (It might be
a shell corporation, but that's still valuable information.)

One important point to consider is that the Whois registration can be
relevant information from a banking perspective for commercial entities.
That is, some banks are going to look at an online merchant's domain name
registration record and if it's either inaccurate or protected, they may
require disclosure, or ask about any discrepancy, which can be an incentive
for criminals selling products online who nevertheless want to get paid via
credit card to have an accurate Whois. Hackers, malware providers and
spammers will find a way around that, but they don't necessarily constitute
"most" criminal activity.

The point here is, I think verification can still be a useful and necessary
tool in either scenario, even if it doesn't uncover useful information a
portion of the time. I realize that only pertains to a portion of the
issues related to Question 2, but I hope that our observations on that are
relevant.

Thanks,

John Horton
President, LegitScript



*Follow LegitScript*:
LinkedIn<http://www.linkedin.com/company/legitscript-com>
|  Facebook <https://www.facebook.com/LegitScript>  |
Twitter<https://twitter.com/legitscript>
|  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
<http://blog.legitscript.com>*  |
Google+<https://plus.google.com/112436813474708014933/posts>


On Wed, Feb 26, 2014 at 2:39 AM, Marika Konings <marika.konings at icann.org>wrote:

> Dear All,
>
> Following our call yesterday, please find attached the updated templates
> for Category B - questions 1 & 2. Please review these templates to make
> sure the WG discussions have been accurately reflected and feel free to
> share any comments / edits you may have with the mailing list. We've
> created a page on the wiki where we'll post the templates that have been
> finalised for now (noting that for some of these the WG will need to come
> back to the template at a later date), see
> https://community.icann.org/x/ihLRAg.
>
> The WG will continue its deliberations on Category B - Question 2 next
> week. Some of the questions that came up during the conversation yesterday
> and which you are encouraged to share your views on (and/or add additional
> questions that need to be considered in this context) are:
>
>    - What would be the arguments for not using the same standards /
>    requirements for validation and verification as per the 2013 RAA?
>    - Should there be a requirement for re-verification, and if so, what
>    instances would trigger such re-verification?
>    - In case of affliction between the P/P service and the registrar, if
>    the registration information has already been verified by the registrar,
>    should this exempt the P/P provider from doing so?
>    - Should the same requirements apply to privacy and proxy services or
>    is there a reason to distinguish between the two?
>
> Best regards,
>
> Marika
>
> _______________________________________________
> Gnso-ppsai-pdp-wg mailing list
> Gnso-ppsai-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ppsai-pdp-wg/attachments/20140227/8e3a6e79/attachment.html>

More information about the Gnso-ppsai-pdp-wg mailing list