[gnso-consumercci-dt] FW: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like Criminals!
- To: "gnso-consumercci-dt@xxxxxxxxx" <gnso-consumercci-dt@xxxxxxxxx>
- Subject: [gnso-consumercci-dt] FW: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like Criminals!
- From: Rosemary Sinclair <rosemary.sinclair@xxxxxxxxxxx>
- Date: Wed, 30 May 2012 02:11:33 +0000
Hi all
Just for a quick skim but I thought an interesting practical side to our
discussion this morning about security, fraud, law enforcement etc
Perhaps for our purposes using the contract requirements provides a path
through this thicket....
Cheers
Rosemary
Rosemary Sinclair | Director | External Relations
Australian School of Business | The University of New South Wales
Level 3, Building L5, UNSW Sydney 2052
Telephone: +61 (2) 9385 6228 | Fax +61 (2) 9385 5933 | Web:
www.asb.unsw.edu.au
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS@xxxxxxxxxxxxxxxx] On Behalf Of Robin
Gross
Sent: Wednesday, 30 May 2012 9:23 AM
To: NCSG-DISCUSS@xxxxxxxxxxxxxxxx
Subject: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like
Criminals!
Below is a really important blog post from Irish registrar Blacknight about what
"law enforcement" is up to at ICANN right now. Of course "law enforcement" at
ICANN ignores the enforcement of laws that protect individual rights,
like privacy and free expression, and only focuses instead on particular "law
enforcement" agencies' policy wish-lists. We need for ICANN to see it must
protect privacy and free expression at least as much as it protects trademarks.
After all, ICANN keeps billing itself as a public-interest organization….
Best, Robin
http://blog.blacknight.com/dont-make-us-treat-our-customers-like-criminals.html
Don’t Make Us Treat Our Customers Like Criminals!
This post is probably a little longer than my normal ones and is probably best
classified as a “rant”. You have been warned. Now please read on.
Online Crime Is A Serious Issue
Crime, fraud, scams etc., they’re all very bad things. They’re also not going
to go away anytime soon.
As a domain name registrar and hosting provider we’re constantly “at risk”, as
we sell a lot of services that are both cost-effective and also give criminals
the tools they need to attack 3rd parties.
Again, this isn’t exactly news.
We’ve always taken a very pro-active approach to dealing with criminal activity
and network abuse. If your website gets compromised, for example, you might get
an email from our technical team asking you to fix it. If you don’t act on our
notification we might go so far as taking the website offline until you fix it.
And we like to get paid by our clients, so we’ve implemented our own anti-fraud
checks. It makes sense. We want to get paid. We don’t want people paying us
with stolen credit card details.
Any and all of the things we do in order to keep our network clean and our
operations running is done with the least amount of disruption to our clients.
But recently I’ve been losing sleep.
What’s Going On?
Let me explain.
We are an ICANN accredited registrar
<http://www.icann.org/registrar-reports/accredited-list.html> . That means we
are one of the relatively small number of companies in the world that has a
contract, or “license”, both with ICANN and the various domain name registries
such as Verisign to provide domain names. The contract we have with ICANN is
like the “bible” for how we are meant to conduct ourselves. It includes a
combination of obligations and rights
<http://www.icann.org/en/resources/registrars/registrant-rights-responsibilities>
for both us, as a registrar and you, as a registrant (the person who
registers domains).
The contract is called the Registrar Accreditation Agreement or RAA for short
and we signed ours most recently in 2009. It’s now under review and while some
of the changes being proposed aren’t going to have a negative impact on either
us or you, our clients, there are several aspects of the proposals that simply
do not sit right with me.
I am personally very concerned about some of the proposals being pushed by Law
Enforcement and ICANN, which, if successful, would mean that we’d be forced to
demand a LOT more information from our clients than we should have to. It’s not
reasonable and some of the requests could put us in direct conflict with Irish
and EU law.
Just for the sake of transparency I’m posting the two documents outlining the
proposals as PDFs further down this page and you can read more about what’s
been going on over here
<https://community.icann.org/display/RAA/Negotiations+Between+ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement>.
There’s quite a bit of legal mumbo jumbo but the bottom line is that Law
Enforcement want us to gather a LOT of information about you when you register
a domain name.
They also want us to validate a lot of the information you provide.
Both of these concepts aren’t abhorrent at some levels, but when you take them
too far and make them a binding obligatory part of our contract with ICANN they
result in me losing sleep. (And in case you’re asking if this change is made
then it’ll impact ALL .com domain registrations whether you do it directly via
a registrar like us or via a reseller like a lot of the smaller hosting
providers etc., out there)
There’s a lot of issues with both concepts, but let’s take them one at a time.
Data collection..
Collecting data that you need to do what you’re asked to do, i.e. register a
domain name for someone, is fine, but asking for a whole lot more data is an
issue. Not only are we expected to collect it, but we’re also expected to hold
on to it for way longer than you’d normally retain transaction data. (Remember
a domain can be registered for up to 10 years and the registrant can renew it
for up to 10 years at any time. )
In several jurisdictions (including Ireland) there are limitations on the
amount of non-essential data that you can collect as part of a transaction.
Take a look at any UK website since the beginning of this week and you’ll see
what they’re being forced to do when they want to collect cookies, which, in
many cases, are fairly innocuous. How we can be expected to collect data about
how you might use your domains is beyond me. And I don’t even see that as being
within the scope of ICANN’s role.
You can read over the document here: LE_Rec_coll2012
<http://blog.blacknight.com/wp-content/uploads/2012/05/LE_Rec_coll2012.pdf>
(it’s a PDF)
Validation & Verification
The other side of the “coin” is the entire validation / verification thing.
Now don’t get me wrong. I don’t have an issue with there being better data in
systems. I just think that there are ways to improve data quality without
making the entire domain registration process akin to pulling teeth.
Law Enforcement have provided an explanation on what they’d like to see us
doing (see: LEA Validation
<http://blog.blacknight.com/wp-content/uploads/2012/05/LE_Rec_Validation2012-2.pdf>
). Some of the stuff they’re asking about isn’t abhorrent as a concept, but
forcing us to conduct this kind of validation and verification on every single
domain name registrant is going to have a detrimental impact on the entire
domain name system. (And note the usage of terminology – a “registrant” might
be a customer of ours, but it could be a friend, or customer of one of our
clients.
Our account holders, however, are our clients and we’d have a pretty good idea
if they were up to no good as we do vet them)
A couple of highlights, or lowpoints from the document.. (take your pick)
When a prospective registrant submits a registration request, the
Registry will send a unique HTML link to the registrant’s email of record or to
the email of record of the beneficial registrant
Couple of issues with this. First off the “registry” doesn’t have the
registrant data or access to it if the domain in question is a .com. And asking
registrars to send emails to thousands of people who’ve never had any direct
dealings with them is going to cause more issues than it solves.
Registrar will call or SMS the phone number provided during the
registration form.
So you can only register a domain name if you have a mobile phone number? And
who is going to pay for all these phone calls and texts? Validating registrants
for .xxx costs in the region of $7 per domain, so you’d easily see the price of
a .com rise to €30 or €40, which doesn’t benefit us, ICANN or anyone else. (And
did I mention it won’t actually stop online crime?)
But the real kicker is this bit:
No domain name will be placed into the zone file and will not resolve
until the account e-mail and telephone number have been verified
Translation – unless you jump through hoops you don’t get your domain name and
it won’t actually work until you do backflips for it.
Remember how we got over 10 thousand businesses to go online over the last year
(for free)
<http://blog.blacknight.com/press-release-blacknight-announce-over-10000-irish-businesses-are-participating-in-getting-business-online.html>
? You might also have noticed that they went with the quickest and easiest
<http://domainincite.com/even-when-the-domains-are-free-irish-small-businesses-prefer-com-to-ie/>
route a .com, .eu or .biz domain name.
Putting extra barriers in the way of ordinary individuals and businesses when
they want to take their business online is a bad idea.
Are The Criminals Winning?
Why vilify the majority for fear of a minority?
The Internet is one of the few areas where business is still thriving. For a
lot of people and businesses taking themselves online offers them a chance of
survival.
Or if you want to get into other areas of this I can sum it up with two words:
digital divide.
When you get into an arena where you’re demanding that people hand over loads of
data AND that they already have working email AND working phones AND verifiable
physical addresses etc., you’re immediately narrowing the field. You’re
stopping some people from getting online. And these are innocent bystanders.
They haven’t committed any crimes, but they’re being treated like criminals. In
fact we all are and we’re being forced to play “piggy in the middle”.
This is not a good move and if we’re forced to sign a new agreement with ICANN
which includes these kinds of terms I can only see negative outcomes.
Comments, questions and general feedback welcome!
About Michele Neylon
Known for his outspoken opinions on technology and the Internet, Michele Neylon
is the award winning author of several blogs and co-host of the Technology.ie
podcast <http://technology.ie/> . A thought leader in the Internet community,
Neylon is active with ICANN and an expert on policy, security, ICANN, Nominet
and Internet Governance. You can stalk him on various social media networks
including Twitter <http://twitter.com/mneylon> and Google
<https://plus.google.com/118227245867248794953?rel=author>