ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

  • To: gnso-ff-pdp-May08@xxxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
  • From: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Date: Sat, 02 Aug 2008 15:16:49 -0500


This proposal got some discussion on the BC list, and I've gotten permission from George Kirikos to cross-post his comments to this list. I think they are great suggestions on ways to improve the "rights protection" features of the proposal. I've copied him on this posting; please copy him on your replies as well.

m

- - - - - - - [from George Kirikos]

Hello,

This is a *much* better starting point than the document/policy that
Afilias brought to the table for .info. The process is highly
detailed, and thereby predictable.

There's also a hint that there will be accountability for false
positives in multiple sections (those sections perhaps need to be
expanded upon).

In particular, under the "Accreditation Procedure" it discusses
applicants being publicly traded or having commercial insurance,
hinting they might be liable if mistakes occur. It can be made more
explicit, for example requiring them to be bonded.

Similarly for the "Penalties" section, it perhaps needs to be more
explicit that a false positive can allow the innocent registrant to
seek damages (from the registry operator and/or the entity making the
false allegation).

False positives are inevitable, as humans are not perfect, and neither
are machines. If one does a search in Google for "false positives"
2008 (i.e. adding "2008" to narrow things down to recent hits), there
are almost a million matches (one can narrow things further by adding
terms like "spam" or "phishing" etc.).

Just to give a sense that even the biggest companies can make
mistakes, note the case a couple of months ago where Yahoo/McAfee
classified Google as a malware site:

http://www.techcrunch.com/2008/05/11/google-is-a-malware-site-says-yahoo/
http://www.crn.com/security/208401061?pgno=2

These kinds of false positives are all too common, thus if a company
is seeking to save time (and money) through an expedited takedown
procedure, there should be an offsetting protection for registrants
that that same company will be held liable if they make a mistake.

Even today when I file abuse reports (e.g. hacking attempts on our
servers occur almost every day, and we occasionally report them as
it's usually a sign that someone else's dedicated server has been
hacked, and is being used in an automated fashion to find other
vulnerable servers), I expect that if my company got it wrong, we
would be held liable (although, we report it to the webhosting
company, not domain name registrars most of the time). We leave it up
to the webhosting company to decide what to do, though, so ultimately
it's their call (i.e. we just provide the details from our logs,
evidence that they can use to investigate the issue further and decide
on a proper course of action; since they have physical access to the
servers, they are in the best position to eliminate false positives).

The big problem I see, however, is that malefactors will adjust to
even this new proposal. They could use other ccTLDs. They could use IP
addresses (the IP WHOIS database accuracy is an important issue in
tracking abuse, i.e. working through ARIN, RIPE, etc.). Ultimately one
wants to remove the incentives to do the behaviour in the first place.
Just like with domain tasting, economics are often the solution
(economics including making big enough fines, or enforcing existing
ones). People are motivated by economics and will act rationally when
those economics change.

Sincerely,

George Kirikos
416-588-0269
www.LOFFS.com



