ICANN Email List Archives

[whois-services-comments]



WHOIS database and Use for SCAMS

  • To: whois-services-comments@xxxxxxxxx
  • Subject: WHOIS database and Use for SCAMS
  • From: "Tom" <tisbell6@xxxxxxxxxxxxx>
  • Date: Fri, 08 Dec 2006 10:47:34 -0800

I am expressing my concern over scams that use data downloaded in 
bulk from various on-line databases, such as the WHOIS database 
maintained by ICANN.  Unfortunately I have received little response 
from the various government agencies (FTC, Postal Inspectors, New 
York and Washington State Attorney General's Offices, including 
members of Congress, and ICANN) and public agencies that I wrote.  In 
most instances I followed up my email in a week with a phone call and 
still not much response.  This is not a small issue.  The Washington 
State Attorney General's office basically said there is nothing they 
can do, since the company in question says I wasn't their customer.  
(No kidding!) The Attorney General's Office said people should read 
their mail more carefully (No kidding!).  That it would be treading 
on the Constitutional rights of others if free access to "public" 
records were controlled. 

In the last month my wife, my mother-in-law, my wife's place of 
business, and I have been approached by SCAMS.  There was the bogus-
bill from Listing Corp., the bogus-bill from National Companies 
Register Corp., the phishing post card from Annuity Service Center, 
and the bogus FAX scam from International Directories Corporation.  
It is an epidemic and someone, in addition to me, needs to work on 
it.  I feel like I'm walking down the street in some third-world 
country where the merchants try to suck you in to their stores to buy 
over-priced, useless tourist baubles.

I am asking that you support measures that would require controls for 
access to the various "public" databases, such as WHOIS, and prevent 
the ability to accomplish "bulk" downloads of the database 
information.  Here are a few of my thoughts on this subject.


What is a SCAM? 

In the simplest terms it is an act where the perpetrator causes the 
victim to believe something is true when in fact it is not true in 
order to obtain monetary gain from the victim.  This is accomplished 
through deceptive presentations of information, for example 
formatting a mailing or fax to appear to be a bill.  There are many 
examples of the art of presenting a scam.  Scams are implemented in 
person, over the phone, through the mail, by fax, and over the 
Internet.  Their makeup is limited only by the imagination of the 
perpetrator.  Some of the most repetitive scams attempt to deceive 
the victim into believing that they have already contracted for a 
product, like domain name registration, website position promotion, 
or being listed in a "business directory".  The victim is sent a fax 
or a mailing that looks like a legitimate bill or a "renewal" notice, 
but in fact is just an attempt to steal from the unsuspecting.  
Unfortunately, enough of these "bogus bills" are paid to make it 
worth the intricate web these hucksters weave.  For less than a 
dollar they stand to receive a return of $35 or more, depending on 
the scam.  The percentage of returns is low, but the rewards are, 
well in a word, free.


Where do they get addresses, phone numbers, and other information?

If you have a state business license or you are incorporated your 
information is most likely available as public information through a 
state website.  If you have a registered domain name your information 
is available as public information through the WHOIS data bank 
(unless you have paid to have it hidden).  If you ever went to a Home 
Show and registered for a free something-or-other drawing you were 
listed in a customer data bank which may have been sold.  A web 
crawler or data-harvesting program may have collected your 
information.  There are companies who collect and sell data on 
everyone they can get their hooks into.  They might even know more 
about you than the Federal Government.


What do these SCAMS have in common?

Usually these scams have a number of traits in common.

1. The mailing or FAX is in the familiar format of a bill, with 
possibly an account number.  It is really a solicitation for business 
or an overture to a scam.  With the amount of information and 
decisions we are asked to analyze on a daily basis, we tend to 
operate on perceptions based on past experience.  If the mailing is 
formatted like an invoice, it is perceived as a bill.  Clever to 
print a solicitation that looks like a bill.  Honest solicitations 
say something like, "Howdy, this is us. This is what we can do for 
you. If you like what we have, give us a call.  We would like to do 
business with you. Have a nice day." 

In addition to the "bogus-bill" and "bogus-fax-bill" there is a new 
ploy, the "living check".  It has a life of its own.  It's a check 
on the front, but turn it over and it's really a contract that you 
sign when you endorse the "check".  What will they think of next!  
Maybe they could print the contract as a watermark or maybe a 
microdot.

2. There is always a looming deadline requiring the victim's 
response.  The perpetrator does not want the victim to think.  
Usually one or two weeks are allowed for response.  Sometimes there 
is even the ploy of a late fee.  Nice touch.  Send them a check and 
now they have your bank account number, sweet.  Pay by credit card 
and, well they have your...  double sweet.

3. They offer a product that has dubious need (If they actually 
provide what was offered is another matter).  Ever wonder why someone 
would want to be listed in a business directory that requires a 
password for the general public to view or be promoted by a company 
whose first listings when an Internet search is accomplished on their 
name are consumer complaints?

4. The mailing address for the "company" is a mailbox at a Commercial 
Mail Receiving Agency (CMRA), not at a physical office.  These CMRA 
addresses change as often as the company names.  The address will 
often incorporate the term "suite", for example: "suite 108" or 
"suite #108". 


NOTE: The # (pound sign) or "PMB" (private mailbox) in the address is 
required by the US Post Office when receiving mail at a CMRA.  This 
is to ensure that people understand that the mail is not going to an 
address where there is a physical office for the addressed company.  
The perpetuation of the term "suite" in the address by the scammer is 
another attempt to deceive the victim.

A check of the walking distance between the CMRA's used in New York 
City over the past few years by one group of scammers shows that 
they are within two miles of each other.  Why do you suppose they 
need to move so often, but not go far?  Maybe there's a great pizza 
place in the neighborhood?


5. Generally there is no company phone number listed on the "bogus 
bill" or on the company website (if there is a website).  This 
eliminates the victim's ability to resolve any questions quickly.

If the company has a website some information regarding the owner of 
the domain name may be available.  It can be obtained through running 
a WHOIS query on the domain name.  The information is supposed to be 
accurate and up to date.  However, the address most likely is a CMRA 
and the phone number will either be incomplete or be located in 
another country (for example: Unionville, Ontario, Canada) and will 
be unlisted.   Most businesses want to be found and will not have 
unlisted numbers. They want to be located.  Go figure.

6. The trail of money will often end up in an offshore bank, for 
example in the Bahamas, Grand Turk, or the Cayman Islands. 


Is there any remedy?

The victims of these scams can file complaints with various agencies 
like the US Postal Inspection Service, the Better Business Bureau, 
the Federal Trade Commission, various State Attorneys General, and 
consumer protection agencies.  This can seem like a dismal forest of 
unresponsive bureaucracy with little satisfaction. It can be like 
running on the beach at high tide, it is hard and your footprints are 
there only until the next wave washes them away.  My experience is 
register your complaints, but don't expect anything other than canned 
responses.  So where is the remedy?  Public exposure of the various 
scams and scammers would help.  An informed public would quickly end 
the scams.  However, there is another step that needs to be taken.  
The various databases that these scammers use need to have controlled 
access.  The organizations and agencies that are entrusted with 
"public" data need to control how it is accessed. The companies that 
sell collected "public" data need to be held responsible for how the 
data is used.


What is the problem with controlling access to "public" data?

The public has a right to know who is behind a website.  There will 
be no argument from me, if the public wants to find out the 
registrant information for a particular website.  The information 
should be current, correct, and available.  However, the information 
should not be available in bulk.  The scammers and spammers don't 
start out by finding the information one website at a time.  It would 
take too long.  It would be too much like real work.

All information should not and is not available to all members of the 
public.  There are already various classifications of government 
information, such as "For Official Use Only", "Confidential", "Top 
Secret", and "Business Sensitive".  This classification is done to 
regulate and control the people who are allowed access to the 
information.  Not all people need to know all things.  The key is 
"need to know".  In the instance of WHOIS data everyone has the right 
to know who is behind a particular website.  It may be that a website 
is seditious, pornographic, racial or in other ways criminal or 
offensive in content.  The public, law officials, and other 
government agency officials need a way to attach ownership to a 
particular website in order to file complaints or take legal action 
against the owner of the website.  They have a "need to know" the 
registrant information for that site.  It goes without saying that 
law and other government agencies have the right to access all of the 
information concerning any website or group of websites they choose 
to investigate.  However, the public should not have access to the 
data for a website without knowing the domain name for the website.  
In other words the way in which the data is obtained is the problem.  
The public should not be able to obtain registrant information 
through bulk downloads of a data bank whether it is the WHOIS 
database or some state's list of corporations.  If I have an interest 
in who is behind website XYZ.con, I can search the WHOIS database for 
the contact information (the data may or may not be complete or 
accurate).  I should not be able to access registrant information for 
domain names without knowing what the domain name is.  I should not 
be able to accomplish a "blind" data search and obtain a bulk mailing 
list.  The data is not intended to provide "bulk" mailing lists for 
scams, phishing schemes, and spam. It is a violation of my privacy 
and the scammers do not have a need to know.

Today, more than ever, there is a fear of identity theft.  There are 
many safeguards used to protect personal information. If you use on-
line banking your bank requires a password.  If you participate in an 
on-line auction, your account is password protected.  Other databases 
such as state business license/incorporation data and WHOIS domain 
name data should be protected to prevent unauthorized use of the 
data.  There is an on-going argument concerning what is public 
information and the public's "right" to know.  In light of the 
numerous scams that originate via WHOIS data, my belief is that WHOIS 
data, for one, should be treated as personal privacy information.  
Access to the information should be on a need to know basis by 
authorized entities, like law enforcement agencies.  An example of a 
controlled access data system that works for law enforcement is the 
FBI's CODIS system.  There is no "need to know" for the general 
public. Another example is the California State Driver's License 
database. Given a person's driver's license number I can find out if 
that person has a valid license. The response from the system is a 
simple "yes" or "no". I cannot find out where they live or their 
phone number.  An example of a database that is not as well 
controlled is one state's data on state corporations.  When the 
database is first approached it requires that the searcher input the 
name of a corporation.  However if an "advanced" search is 
accomplished, the search can be accomplished to provide the data on 
all corporations within a specific postal zone.  The returned 
information will be hyperlinks to each corporation's registration 
data.  This goes far beyond finding out who is behind a particular 
corporation.

Honest people who provide information when obtaining a business 
license, registering a domain name, or incorporating are currently 
being bombarded by scams. However, the scammers provide bad 
information, including bogus names and incomplete phone numbers, to 
avoid being tracked.  It appears that the scammers know how the game 
is played.




