Re: [gnso-acc-sgb] Additional Proposal

[Ross Rader <ross@xxxxxxxxxx>]

Margie Milam wrote:
> The value of these services is evident from the marketplace that has
> arisen to fill the need and the numerous financial institutions that
> have subscribed to these services.  Security Companies (both public and
> private) have devoted significant resources in monitoring, detecting and
> responding to phishing, and taking down fraudulent web-sites, and use
> WHOIS for this purpose.  Banks don't generally desire to spend the
> research and development resources necessary to keep up with the
> sophisticated phishers and often turn to security companies to assist
> them.    

You missed my point. I was pointing out that the value of the services 
that these firms provide is not contingent on continued unfettered 
access to whois data.

> Relying on IP addresses alone does not provide all of the information
> necessary to identify domain name phishes because if you shut down one
> IP address, they just set up additional ip addresses to host the
> fraudulent sites.   The only way to effectively shut down domain based
> phishes is to deal with it at the registrar level because the registrar
> has the information that can identify the culprit.

That's a bit circular. a) IP addresses are less disposable than domains, 
b) most domain based phishes actually use a domain name that belongs to 
the culprit (most piggyback on a third party domain that has been 
captured due to some technical insecurity) and c) identifying the 
culprit doesn't shut down the phish.


> Please note that the problem is not just phishing, although phishing is
> significant. The problem extends to all kinds of intellectual property
> abuse, including the sale of counterfeits, such as counterfeit drugs.
> Because law enforcement is ill-equiped and under-resourced, much of the
> work falls to the brand holders, many of whom use service providers, to
> protect their consumers from illegal online-activities.

That's a pretty broad brush. Isn't it actually the case that enforcement 
is primarily the responsibility of the IP holder and that law 
enforcement agency will typically focus on higher value, higher yield 
activities than focusing on specific intellectual property protection cases?

And while slightly off-topic, I'll also point out that its more often 
the case that the general public needs protection from your corporate 
clients than the other way around - which is one of the primary reasons 
why enhanced privacy for individuals is so important.

-ross