ICANN Email List Archives

[gnso-consumercci-dt]



[gnso-consumercci-dt] FW: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like Criminals!

  • To: "gnso-consumercci-dt@xxxxxxxxx" <gnso-consumercci-dt@xxxxxxxxx>
  • Subject: [gnso-consumercci-dt] FW: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like Criminals!
  • From: Rosemary Sinclair <rosemary.sinclair@xxxxxxxxxxx>
  • Date: Wed, 30 May 2012 02:11:33 +0000

Hi all

Just for a quick skim but I thought an interesting practical side to our 
discussion this morning about security, fraud, law enforcement etc

Perhaps for our purposes using the contract requirements provides a path 
through this thicket....

Cheers

Rosemary

Rosemary Sinclair | Director | External Relations 
Australian School of Business | The University of New South Wales  
Level 3, Building L5, UNSW Sydney 2052
Telephone: +61 (2) 9385 6228  | Fax +61 (2) 9385 5933 | Web: 
www.asb.unsw.edu.au 




-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS@xxxxxxxxxxxxxxxx] On Behalf Of Robin 
Gross
Sent: Wednesday, 30 May 2012 9:23 AM
To: NCSG-DISCUSS@xxxxxxxxxxxxxxxx
Subject: [NCSG-Discuss] ICANN registrar: Don't Make Us Treat our Customers Like 
Criminals!


Below is a really important blog post from Irish registrar Blacknight about what 
"law enforcement" is up to at ICANN right now.  Of course "law enforcement" at 
ICANN ignores the enforcement of laws that protect individual rights, 
like privacy and free expression, and only focuses instead on particular "law 
enforcement" agencies' policy wish-lists.  We need for ICANN to see it must 
protect privacy and free expression at least as much as it protects trademarks. 
After all, ICANN keeps billing itself as a public-interest organization….

Best, Robin



http://blog.blacknight.com/dont-make-us-treat-our-customers-like-criminals.html


Don’t Make Us Treat Our Customers Like Criminals!


This post is probably a little longer than my normal ones and is probably best 
classified as a “rant”. You have been warned. Now please read on.

Online Crime Is A Serious Issue

Crime, fraud, scams etc., they’re all very bad things. They’re also not going 
to go away anytime soon.

As a domain name registrar and hosting provider we’re constantly “at risk”, as 
we sell a lot of services that are both cost-effective and also give criminals 
the tools they need to attack 3rd parties.

Again, this isn’t exactly news.

We’ve always taken a very pro-active approach to dealing with criminal activity 
and network abuse. If your website gets compromised, for example, you might get 
an email from our technical team asking you to fix it. If you don’t act on our 
notification we might go so far as taking the website offline until you fix it.

And we like to get paid by our clients, so we’ve implemented our own anti-fraud 
checks. It makes sense. We want to get paid. We don’t want people paying us 
with stolen credit card details.

Any and all of the things we do in order to keep our network clean and our 
operations running is done with the least amount of disruption to our clients.

But recently I’ve been losing sleep.

What’s Going On?

Let me explain.

We are an ICANN accredited registrar 
<http://www.icann.org/registrar-reports/accredited-list.html> . That means we 
are one of the relatively small number of companies in the world that has a 
contract, or “license”,  both with ICANN and the various domain name registries 
such as Verisign to provide domain names. The contract we have with ICANN is 
like the “bible” for how we are meant to conduct ourselves. It includes a 
combination of obligations and rights 
<http://www.icann.org/en/resources/registrars/registrant-rights-responsibilities>
  for both us, as a registrar and you, as a registrant (the person who 
registers domains).

The contract is called the Registrar Accreditation Agreement or RAA for short 
and we signed ours most recently in 2009. It’s now under review and while some 
of the changes being proposed aren’t going to have a negative impact on either 
us or you, our clients, there are several aspects of the proposals that simply 
do not sit right with me.

I am personally very concerned about some of the proposals being pushed by Law 
Enforcement and ICANN, which, if successful, would mean that we’d be forced to 
demand a LOT more information from our clients than we should have to. It’s not 
reasonable and some of the requests could put us in direct conflict with Irish 
and EU law.

Just for the sake of transparency I’m posting the two documents outlining the 
proposals as PDFs further down this page and you can read more about what’s 
been going on over here 
<https://community.icann.org/display/RAA/Negotiations+Between+ICANN+and+Registrars+to+Amend+the+Registrar+Accreditation+Agreement>
 .

There’s quite a bit of legal mumbo jumbo but the bottom line is that Law 
Enforcement want us to gather a LOT of information about you when you register 
a domain name.

They also want us to validate a lot of the information you provide.

Both of these concepts aren’t abhorrent at some levels, but when you take them 
too far and make them a binding obligatory part of our contract with ICANN they 
result in me losing sleep. (And in case you’re asking if this change is made 
then it’ll impact ALL .com domain registrations whether you do it directly via 
a registrar like us or via a reseller like a lot of the smaller hosting 
providers etc., out there)

There’s a lot of issues with both concepts, but let’s take them one at a time.

Data collection..

Collecting data that you need to do what you’re asked to do, i.e. register a 
domain name for someone, is fine, but asking for a whole lot more data is an 
issue. Not only are we expected to collect it, but we’re also expected to hold 
on to it for way longer than you’d normally retain transaction data. (Remember 
a domain can be registered for up to 10 years and the registrant can renew it 
for up to 10 years at any time. )

In several jurisdictions (including Ireland) there are limitations on the 
amount of non-essential data that you can collect as part of a transaction. 
Take a look at any UK website since the beginning of this week and you’ll see 
what they’re being forced to do when they want to collect cookies, which, in 
many cases, are fairly innocuous. How we can be expected to collect data about 
how you might use your domains is beyond me. And I don’t even see that as being 
within the scope of ICANN’s role.

You can read over the document here: LE_Rec_coll2012 
<http://blog.blacknight.com/wp-content/uploads/2012/05/LE_Rec_coll2012.pdf>  
(it’s a PDF)

Validation & Verification

The other side of the “coin” is the entire validation / verification thing.

Now don’t get me wrong. I don’t have an issue with there being better data in 
systems. I just think that there are ways to improve data quality without 
making the entire domain registration process akin to pulling teeth.

Law Enforcement have provided an explanation on what they’d like to see us 
doing (see: LEA Validation 
<http://blog.blacknight.com/wp-content/uploads/2012/05/LE_Rec_Validation2012-2.pdf>
 ). Some of the stuff they’re asking about isn’t abhorrent as a concept, but 
forcing us to conduct this kind of validation and verification on every single 
domain name registrant is going to have a detrimental impact on the entire 
domain name system. (And note the usage of terminology – a “registrant” might 
be a customer of ours, but it could be a friend, or customer of one of our 
clients.

Our account holders, however, are our clients and we’d have a pretty good idea 
if they were up to no good as we do vet them)

A couple of highlights, or lowpoints from the document.. (take your pick)

        When a prospective registrant submits a registration request, the 
Registry will send a unique HTML link to the registrant’s email of record or to 
the email of record of the beneficial registrant

Couple of issues with this. First off the “registry” doesn’t have the 
registrant data or access to it if the domain in question is a .com. And asking 
registrars to send emails to thousands of people who’ve never had any direct 
dealings with them is going to cause more issues than it solves.

        Registrar will call or SMS the phone number provided during the 
registration form.

So you can only register a domain name if you have a mobile phone number? And 
who is going to pay for all these phone calls and texts? Validating registrants 
for .xxx costs in the region of $7 per domain, so you’d easily see the price of 
a .com rise to €30 or €40, which doesn’t benefit us, ICANN or anyone else. (And 
did I mention it won’t actually stop online crime?)

But the real kicker is this bit:

        No domain name will be placed into the zone file and will not resolve 
until the account e-mail and telephone number have been verified

Translation – unless you jump through hoops you don’t get your domain name and 
it won’t actually work until you do backflips for it.

Remember how we got over 10 thousand businesses to go online over the last year 
(for free) 
<http://blog.blacknight.com/press-release-blacknight-announce-over-10000-irish-businesses-are-participating-in-getting-business-online.html>
  ? You might also have noticed that they went with the quickest and easiest 
<http://domainincite.com/even-when-the-domains-are-free-irish-small-businesses-prefer-com-to-ie/>
  route a .com, .eu or .biz domain name.

Putting extra barriers in the way of ordinary individuals and businesses when 
they want to take their business online is a bad idea.

Are The Criminals Winning?

Why vilify the majority for fear of a minority?

The Internet is one of the few areas where business is still thriving. For a 
lot of people and businesses taking themselves online offers them a chance of 
survival.

Or if you want to get into other areas of this I can sum it up with two words: 
digital divide.

When you get into an arena where you’re demanding that people hand over loads of 
data AND that they already have working email AND working phones AND verifiable 
physical addresses etc., you’re immediately narrowing the field. You’re 
stopping some people from getting online. And these are innocent bystanders. 
They haven’t committed any crimes, but they’re being treated like criminals. In 
fact we all are and we’re being forced to play “piggy in the middle”.

This is not a good move and if we’re forced to sign a new agreement with ICANN 
which includes these kinds of terms I can only see negative outcomes.

Comments, questions and general feedback welcome !




About Michele Neylon

Known for his outspoken opinions on technology and the Internet, Michele Neylon 
is the award winning author of several blogs and co-host of the Technology.ie 
podcast <http://technology.ie/> . A thought leader in the Internet community, 
Neylon is active with ICANN and an expert on policy, security, ICANN, Nominet 
and Internet Governance. You can stalk him on various social media networks 
including Twitter <http://twitter.com/mneylon>  and Google 
<https://plus.google.com/118227245867248794953?rel=author> 



