[gnso-rds-pdp-wg] Dangers of public whois

Tue Feb 14 21:13:44 UTC 2017

Yes, and you have to click a link to "verify". I know all that. No one here
is confused about this.

What I am confused about is the faith and assumption that the names, phone
numbers, and physical addresses are correct in any way. If there is a
process for reporting a wrong WHOIS detail, why is there no process for
validating the same WHOIS detail? This is such a joke. Can we consider
garbage as PII? What privacy controls do we need to protect garbage? What
penalties should people suffer for not properly protecting garbage?

Why are registrars not validating physical addresses and phone numbers?

On Tue, Feb 14, 2017 at 3:26 PM, Hollenbeck, Scott <shollenbeck at verisign.com
> wrote:

> Focusing on “fake”, I’m interpreting “fake email” as an address that is
> syntactically valid (it is formatted as local-part at domain as specified in
> Section 2.3.11 of RFC 5321) but incapable of receiving messages due to
> errors in processing either the local-part or the domain when attempting to
> deliver mail to the address. As I noted earlier, inability to deliver email
> sent to a contact address is one of the reasons for which an RAA-compliant
> registrar may suspend a registered domain.
>
>
>
> Scott
>
>
>
> *From:* allison nixon [mailto:elsakoo at gmail.com]
> *Sent:* Tuesday, February 14, 2017 2:45 PM
> *To:* Hollenbeck, Scott <shollenbeck at verisign.com>
> *Cc:* gca at icginc.com; gnso-rds-pdp-wg at icann.org
>
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois
>
>
>
> Why isn't it? I've been doing it for years. It's a great way to avoid
> having my PII abused. Please demonstrate these consequences to me.
>
>
>
> On Tue, Feb 14, 2017 at 2:34 PM, Hollenbeck, Scott <
> shollenbeck at verisign.com> wrote:
>
> Greg, I used the email address example only to address this statement
> originally sent by Allison (with emphasis added in bold italics for people
> with HTML-capable mail readers):
>
>
>
> “So put your contact address as "123 fake st" and your phone number as
> "555-555-5555". Make a *fake email*”
>
>
>
> All I’m trying to do is note that this kind of advice can cause real
> unintended operational consequences for well-meaning registrants who might
> think it’s a great way to avoid having their PII published via services
> like WHOIS. It isn’t.
>
>
>
> Scott
>
>
>
> *From:* Greg Aaron [mailto:gca at icginc.com]
> *Sent:* Tuesday, February 14, 2017 2:20 PM
> *To:* Hollenbeck, Scott <shollenbeck at verisign.com>; 'elsakoo at gmail.com' <
> elsakoo at gmail.com>
> *Cc:* 'gnso-rds-pdp-wg at icann.org' <gnso-rds-pdp-wg at icann.org>
> *Subject:* [EXTERNAL] RE: [gnso-rds-pdp-wg] Dangers of public whois
>
>
>
> No, the RAA validation steps are trivially easy to get around.  You use
> the example of a fake email address.  Criminals know not to use fake email
> addresses, and they don’t need to because they can get email addresses for
> free.  One can sign up for free email accounts anonymously.  There are even
> underground services that will generate freemail accounts in bulk.  These
> services cater to criminals such as spammers who need to register lots of
> domain names.
>
>
>
> All best,
>
> --Greg
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Hollenbeck,
> Scott
> *Sent:* Tuesday, February 14, 2017 1:57 PM
> *To:* 'elsakoo at gmail.com' <elsakoo at gmail.com>
> *Cc:* 'gnso-rds-pdp-wg at icann.org' <gnso-rds-pdp-wg at icann.org>
> *Subject:* Re: [gnso-rds-pdp-wg] Dangers of public whois
>
>
>
> *From:* allison nixon [mailto:elsakoo at gmail.com <elsakoo at gmail.com>]
> *Sent:* Tuesday, February 14, 2017 1:35 PM
> *To:* Hollenbeck, Scott <shollenbeck at verisign.com>
> *Cc:* vgreimann at key-systems.net; gnso-rds-pdp-wg at icann.org
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois
>
>
>
> >>[SAH] Actually, there *are* requirements to provide valid data and for
> registrars to perform validation processing:
>
>
>
> How do you expect toothless policy to work *on the Internet*? Seriously?
>
>
>
> Yes, seriously. Registrars who do not implement the policy are subject to
> having their accreditation revoked. ICANN has, in fact, revoked or
> suspended accreditations. Here are two examples:
>
>
>
> https://www.icann.org/news/announcement-2-2007-03-16-en
>
>
>
> https://www.icann.org/en/system/files/correspondence/
> serad-to-patel-2-18jul14-en.pdf
>
>
>
> worst that can happen when you put in fake whois data is that your domain
> gets reported, you change "123 fake st" to "124 fake st", and your
> registrar is satisfied because what more can they possibly do. I know this
> because I went through this with an old sinkhole domain. It's a total joke.
> Let's not pretend it's anything more than that.
>
>
>
> Not true. A fake email address, for example, can be detected easily when
> email sent to it (one of the registrar’s validation requirements) gets
> bounced back. The worst that can happen is that your domain gets put into
> some non-operational state (“suspend the registration” per the RAA).
>
>
>
> Scott
>
>
>
>
>
> --
>
> _________________________________
> Note to self: Pillage BEFORE burning.
>

-- 
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170214/830d30ce/attachment.html>