ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Another example why due process is important

  • To: fastflux@xxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Another example why due process is important
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Sat, 31 Jan 2009 12:34:26 -0800

George mentioned:

#No one creates false positives intentionally, that's the entire point.

And I'm sure that enhanced operational checks at Google will ensure that 
"/" is never accepted as a valid URL in a file from StopBadWare in the 
future.

#The policy problem remains that if false positives do occur (and a
#domain is taken down that shouldn't be by a registry or other actor)
#for fast flux or for the broader issue of alleged "abuse", there needs
#to be financial repercussions on that actor, besides an "oops" or
#"we're sorry." 

If provable material damages result and a party is legally culpable, 
civil processes already exist for the redress of those damages, e.g.,
through litigation.

I would NOT be in favor of creating statutory damages to cover such cases.

#If we look at guns, for example, guns can be used to defend oneself,
#or to commit murder. Gun registration laws and waiting periods have
#been one policy choice to limit access to guns for "bad actors". 

And yet, as an empirical fact, we know that some regions with some of
the most stringent restrictions on firearms have the highest crime
rates, while others with the least stringent ones have the lowest. 
Gary Kleck, a criminology professor at Florida State, has done some 
great work in this area. You can see some of his peer-reviewed work 
linked from http://www.criminology.fsu.edu/p/faculty-gary-kleck.php

#One of the comments on the report used that example:
#
#http://forum.icann.org/lists/fast-flux-initial-report/msg00003.html
#
#although registering in person, photo ID and biometric data are
#probably overkill (the verified WHOIS approach through PINs sent by
#physical mail that I've suggested in the past should be sufficient and
#be inexpensive to implement while maintaining the benefits of being
#proactive). What "bad" things can happen under such a system?

I'd support stronger verification of identity at the time of domain
registration; however, that process assumes trustworthy registration
service providers, and currently registration service providers are
not subject to any sort of vetting as far as I'm aware. 

#c) new registrant who has malevolent intent has to supply a physical
#address -- great tool for law enforcement to help track them down if
#they commit a crime (not bad at all, except for the bad guys)

Not all physical addresses result in fruitful investigative leads. 

For example, some miscreants might pay a dupe to receive and forward
mail for them, much as some miscreants use dupes in "reshipping"
fraud schemes.

#All the people modelling abuse (or fast flux) are providing a
#statistical model based on observed variables, and making a
#probabilistic assessment that A is a good site or B is a bad site. How
#would those models change if they had one more "observed variable",
#namely that Site A had verified WHOIS, whereas Site B did not? I would
#posit that adding that single variable alone would shift the
#predictions of their models greatly, and reduce false positives.

I would suggest that if whois data was more readily available, it
would be trivial to identify and eliminate many obviously bogus bits
of whois data ("Santa Claus, 10000000 Nowhere Lane, North Pole," etc.)

I was interested in addressing the bad whois data problem as part of 
the group's work, but recall that there was significant push back at 
the time because other entities had been tasked with looking at the 
whois data quality issue, we already had a lot on our plates, etc.,
etc.

Regards,

Joe 

Disclaimer: all opinions strictly my own.


