WHOIS database and Use for SCAMS
I am expressing my concern over scams that use data downloaded in bulk from various on-line databases, such as the WHOIS database maintained by ICANN. Unfortunately I have received little response from the various government agencies (FTC, Postal Inspectors, New York and Washington State Attorney General's Offices, including members of Congress, and ICANN) and public agencies that I wrote. In most instances I followed up my email in a week with a phone call and still not much response. This is not a small issue. The Washington State Attorney General's office basically said there is nothing they can do, since the company in question says I wasn't their customer. (No kidding!) The attorney General's Office said people should read their mail more carefully (No kidding!). That it would be treading on the Constitutional rights of others if free access to "public" records were controlled. In the last month my wife, my mother-in-law, my wife's place of business, and I have been approached by SCAMS. There was the bogus- bill from Listing Corp., the bogus-bill from National Companies Register Corp., the phishing post card from Annuity Service Center, and the bogus FAX scam from International Directories Corporation. It is an epidemic and someone, in addition to me, needs to work on it. I feel like I'm walking down the street in some third-world country where the merchants try to suck you in to their stores to buy over-priced, useless tourist baubles. I am asking that you support measures that would require controls for access to the various "public" databases, such as WHOIS, and prevent the ability to accomplish "bulk" downloads of the database information. Here are a few of my thoughts on this subject. What is a SCAM? In the simplest terms it is an act where the perpetrator causes the victim to believe something is true when in fact it is not true in order to obtain monitory gain from the victim. This is accomplished through deceptive presentations of information, for example formatting a mailing or fax to appear to be a bill. There are many examples of the art of presenting a scam. Scams are implemented in person, over the phone, through the mail, by fax, and over the Internet. Their makeup is limited only by the imagination of the perpetrator. Some of the most repetitive scams attempt to deceive the victim into believing that they have already contracted for a product, like domain name registration, website position promotion, or being listed in a "business directory". The victim is sent a fax or a mailing that looks like a legitimate bill or a "renewal" notice, but in fact is just an attempt to steal from the unsuspecting. Unfortunately, enough of these "bogus bills" are paid to make it worth the intricate web these hucksters weave. For less than a dollar they stand to receive a return of $35 or more, depending on the scam. The percentage of returns is low, but the rewards are, well in a word, free. Where do they get addresses, phone numbers, and other information? If you have a state business license or you are incorporated your information is most likely available as public information through a state website. If you have a registered domain name your information is available as public information through the WHOIS data bank (unless you have paid to have it hidden). If you ever went to a Home Show and registered for a free something-or-other drawing you were listed in a customer data bank which may have been sold. A web crawler or data-harvesting program may have collected your information. There are companies who collect and sell data on everyone they can get their hooks into. They might even know more about you than the Federal Government. What do these SCAMS have in common? Usually these scams have a number of traits in common. 1. The mailing or FAX is in the familiar format of a bill, with possibly an account number. It is really a solicitation for business or an overture to a scam. With the amount of information and decisions we are asked to analyze on a daily basis, we tend to operate on perceptions based on past experience. If the mailing is formatted like an invoice, it is perceived as a bill. Clever to print a solicitation that looks like a bill. Honest solicitations say something like, "Howdy, this is us. This is what we can do for you. If you like what we have, give us a call. We would like to do business with you. Have a nice day." In addition to the "bogus-bill, and "bogus-fax-bill" there is new ploy, the "living check". It has a life of it's own. It's a check on the front, but turn it over and it's really a contract that you sign when you endorse the "check". What will they think of next! Maybe they could print the contract as a watermark or maybe a microdot. 2. There is always a looming deadline requiring the victim's response. The perpetrator does not want the victim to think. Usually one or two weeks are allowed for response. Sometimes there is even the ploy of a late fee. Nice touch. Send them a check and now they have your bank account number, sweet. Pay by credit card and, well they have your? double sweet. 3. They offer a product that has dubious need (If they actually provide what was offered is another matter). Ever wonder why someone would want to be listed in a business directory that requires a password for the general public to view or be promoted by a company who's fist listings when a Internet search is accomplished on their name are consumer complaints? 4. The mailing address for the "company" is a mailbox at a Commercial Mail Receiving Agency (CMRA), not at a physical office. These CMRA addresses change as often as the company names. The address will often incorporate the term "suite", for example: "suite 108" or "suite #108". NOTE: The # (pound sign) or "PMB" (private mailbox) in the address is required by the US Post Office when receiving mail at a CMRA. This is to ensure that people understand that the mail is not going to an address where there is a physical office for the addressed company. The perpetuation of the term "suite" in the address by the scammer is another attempt to deceive the victim. A check of the walking distance between the CMRA's used in New York City over the passed few years by one group of scammers shows that they are within a two miles of each other. Why do you suppose they need to move so often, but not go far? Maybe there's a great pizza place in the neighborhood? 5. Generally there is no company phone number listed on the "bogus bill" or on the company website (if there is a website). This eliminates the victim's ability to resolve any questions quickly. If the company has a website some information regarding the owner of the domain name may be available. It can be obtained through running a WHOIS query on the domain name. The information is supposed to be accurate and up to date. However, the address most likely is a CMRA and the phone number will either be incomplete or be located in another country (for example: Unionville, Ontario, Canada) and will be unlisted. Most business want to be found and will not have unlisted numbers. They want to be located. Go figure. 6. The trail of money will often end up in an offshore bank, for example in the Bahamas, Grand Turk, or the Cayman Islands. Is there any remedy? The victims of these scams can file complaints with various agencies like the US Postal Inspection Service, the Better Business Bureau, the Federal Trade Commission, various State Attorney Generals, and consumer protection agencies. This can seem like a dismal forest of unresponsive bureaucracy with little satisfaction. It can be like running on the beach at high tide, it is hard and your footprints are there only until the next wave washes them away. My experience is register your complaints, but don't expect anything other than canned responses. So where is the remedy? Public exposure of the various scams and scammers would help. An informed public would quickly end the scams. However, there is another step that needs to be taken. The various databases that these scammers use need to have controlled access. The organizations and agencies that are entrusted with "public" data need to control how it is accessed. The companies that sell collected "public" data need to be held responsible for how the data is used. What is the problem with controlling access to "public" data? The public has a right to know who is behind a website. There will be no argument from me, if the public wants to find out the registrant information for a particular website. The information should be current, correct, and available. However, the information should not be available in bulk. The scammers and spammers don't start out by finding the information one website at a time. It would take too long. It would be too much like real work. All information should not and is not available to all members of the public. There are already various classifications of government information, such as "For Official Use Only", "Confidential", "Top Secret", and "Business Sensitive". This classification is done to regulate and control the people who are allowed access to the information. Not all people need to know all things. The key is "need to know". In the instance of WHOIS data everyone has the right to know who is behind a particular website. It may be that a website is seditious, pornographic, racial or in other ways criminal or offensive in content. The public, law officials, and other government agency officials need a way to attach ownership to a particular website in order to file complaints or take legal action against the owner of the website. They have a "need to know" the registrant information for that site. It goes without saying that law and other government agencies have the right to access all of the information concerning any website or group of websites they choose to investigate. However, the public should not have access to the data for a website without knowing the domain name for the website. In other words the way in which the data is obtained is the problem. The public should not be able to obtain registrant information through bulk downloads of a data bank whether it is the WHOIS database or some states list of corporations. If I have an interest in who is behind website XYZ.con, I can search the WHOIS database for the contact information (the data may or may not be complete or accurate). I should not be able to access registrant information for domain names without knowing what the domain name is. I should not be able to accomplish a "blind" data search and obtain a bulk mailing list. The data is not intended to provide "bulk" mailing lists for scams, phishing schemes, and spam. It is a violation of my privacy and the scammers do not have a need to know. Today, more than ever, there is a fear of identity theft. There are many safeguards used to protect personal information. If you use on- line banking your bank requires a password. If you participate in an on-line auction, your account is password protected. Other databases such as state business license/incorporation data and WHOIS domain name data should be protected to prevent unauthorized use of the data. There is an on-going argument concerning what is public information and the publics "right" to know. In light of the numerous scams that originate via WHOIS data, my belief is that WHOIS data, for one, should be treated as personal privacy information. Access to the information should be on a need to know basis by authorized entities, like law enforcement agencies. An example of a controlled access data system that works for law enforcement is the FBI's CODIS system. There is no "need to know" for the general public. Another example is the California State Drivers License database. Given a person's drivers license number I can find out if that person has a valid license. The response from the system is a simple "yes" or "no". I can not find out where they live or their phone number. An example of a database that is not as well controlled is one states data on state corporations. When the database is first approached it requires that the searcher in-put the name of a corporation. However if an "advanced" search is accomplished, the search can be accomplished to provide the data on all corporations within a specific postal zone. The returned information will be hyperlinks to each corporation's registration data. This goes far beyond finding out who is behind a particular corporation. Honest people who provide information when obtaining a business license, registering a domain name, or incorporating are currently being bombarded by scams. However, the scammers provide bad information, including bogus names and incomplete phone numbers, to avoid being tracked. It appears that the scammers know how the game is played.