[gnso-rds-pdp-wg] Dangers of public whois

Chris Pelling chris at netearth.net
Wed Feb 15 21:25:27 UTC 2017 

HI Allison, 

I have kept quiet for most of the debate back and forward and have not put my head above the parapet for the odd comment made through fear of the "oh another registrar - comment". However, if you have had a bad experience with a registrar, you report it to ICANN, please do not hang around, we like you want the bad actors to change their direction and be good and worthwhile registrars - whois inaccuracy reports come from ICANN and I have my fair share of them. 

I certainly do not risk my ICANN creds over someone’s whois - if there is a report, and the address looks bogus (and even if not as we have to provide ICANN some proof and "google maps" doesn’t cut it) we require ID, generally government based proving the address that has been updated is correct. 

Now, that does not prove verification, that proves validation, I am sure as you I believe suggested you could put down anyone’s address and it would be valid, however, verifying it is completely different, and costly, I believe Volker mentioned it before, if a solution can be found and it is commercially viable - confirm who is paying for it, as it is unfair to burden the registrant with extra cost, similar to the registrar, nor the registry. 

I cited once before, I know my neighbours name, his address (should do, he is my neighbour after all), his age, and because of cake last year, his birthday - lastly I know his height and can have a stab at his mothers maiden name (he mentioned it once before in passing conversation as it was similar to my mothers), thus quite a bit of information not really out in the public. You are probably now thinking where am I going with this. Verification can ONLY be done with the tools the governments of our world have, they know your passport number, driving license number, marriage date and other such dates. Only the governments can provide a way of verification that is as close as damn it to being the person you are dealing with. 

One final point to your comment " Really? Because a lot of domains have WHOIS privacy enabled, which is as good as a fake address. " We pay plenty for our office address per year, this is our privacy/proxy service address, so please don't tar all services with the same brush, some are great, some do as they need and some don't. 


Kind regards, 

Chris 


From: "allison nixon" <elsakoo at gmail.com> 
To: "Volker Greimann" <vgreimann at key-systems.net> 
Cc: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org> 
Sent: Wednesday, 15 February, 2017 16:31:40 
Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois 

>> Yet we hear claims on this list again and again that it is used by internet users all the time to verify whether the site they want to conduct commercial transactions on is legit. 

Really? Because a lot of domains have WHOIS privacy enabled, which is as good as a fake address. 

>> If provided with actual evidence of wilful use of incorrect data and the data either remains uncorrected or no evidence of acuracy of the correction is presented, then you will find that many registrars will deactivate the domain. For many, the threat of suspension of their domain is compulsion enough. 

And if the registrant doesn't flagrantly admit to doing so, and they use an address of the nearest football stadium or enemy's house, the song and dance continues. Or they use existing whois privacy, input 123 fake st, and the complainant has no standing to make additional complaints 

>> You seem to be saying: Let's abolish whois altogether since it is all fake info anyway...? 

Not really, just pointing out the ridiculousness of the assumptions being made here. 

On Wed, Feb 15, 2017 at 11:22 AM, Volker Greimann < vgreimann at key-systems.net > wrote: 





You seem to be saying: Let's abolish whois altogether since it is all fake info anyway...? 

Am 15.02.2017 um 16:29 schrieb allison nixon: 

BQ_BEGIN



>> That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data. 

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke. 

>> I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating. 

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response. 

Cue yakety sax. 

The emperor wears no clothes. 

>> Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena. 

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions. 

>> There has to be some form of due process, anything else is anarchy. 

The Internet is in a state of anarchy. 

>> Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it. 

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong. 


On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann < vgreimann at key-systems.net > wrote: 

BQ_BEGIN



Hi Greg, 

that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible. 

Volker 



Am 14.02.2017 um 20:19 schrieb Greg Aaron: 

BQ_BEGIN



No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. 




All best, 

--Greg 








From: gnso-rds-pdp-wg-bounces at icann.org [ mailto:gnso-rds-pdp-wg-bounces at icann.org ] On Behalf Of Hollenbeck, Scott 
Sent: Tuesday, February 14, 2017 1:57 PM 
To: ' elsakoo at gmail.com ' <elsakoo at gmail.com> 
Cc: ' gnso-rds-pdp-wg at icann.org ' <gnso-rds-pdp-wg at icann.org> 
Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois 





From: allison nixon [ mailto:elsakoo at gmail.com ] 
Sent: Tuesday, February 14, 2017 1:35 PM 
To: Hollenbeck, Scott < shollenbeck at verisign.com > 
Cc: vgreimann at key-systems.net ; gnso-rds-pdp-wg at icann.org 
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois 





>>[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing: 





How do you expect toothless policy to work *on the Internet*? Seriously? 



Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: 



https://www.icann.org/news/announcement-2-2007-03-16-en 



https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul14-en.pdf 





worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. 





Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). 



Scott 


_______________________________________________
gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg at icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg 



-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann
- Rechtsabteilung -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann at key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken 
Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann at key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. 
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg at icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg 
BQ_END

-- 
_________________________________ Note to self: Pillage BEFORE burning. 

BQ_END

-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann
- Rechtsabteilung -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann at key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken 
Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann at key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. 

BQ_END




-- 
_________________________________ 
Note to self: Pillage BEFORE burning. 

_______________________________________________ 
gnso-rds-pdp-wg mailing list 
gnso-rds-pdp-wg at icann.org 
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170215/58cc69c6/attachment-0001.html>

More information about the gnso-rds-pdp-wg mailing list