WHOIS database and Use for SCAMS
- To: whois-services-comments@xxxxxxxxx
- Subject: WHOIS database and Use for SCAMS
- From: "Tom" <tisbell6@xxxxxxxxxxxxx>
- Date: Fri, 08 Dec 2006 10:47:34 -0800
I am expressing my concern over scams that use data downloaded in
bulk from various on-line databases, such as the WHOIS database
maintained by ICANN. Unfortunately I have received little response
from the various government agencies (FTC, Postal Inspectors, New
York and Washington State Attorney General's Offices, including
members of Congress, and ICANN) and public agencies that I wrote. In
most instances I followed up my email in a week with a phone call and
still not much response. This is not a small issue. The Washington
State Attorney General's office basically said there is nothing they
can do, since the company in question says I wasn't their customer.
(No kidding!) The attorney General's Office said people should read
their mail more carefully (No kidding!). That it would be treading
on the Constitutional rights of others if free access to "public"
records were controlled.
In the last month my wife, my mother-in-law, my wife's place of
business, and I have been approached by SCAMS. There was the bogus-
bill from Listing Corp., the bogus-bill from National Companies
Register Corp., the phishing post card from Annuity Service Center,
and the bogus FAX scam from International Directories Corporation.
It is an epidemic and someone, in addition to me, needs to work on
it. I feel like I'm walking down the street in some third-world
country where the merchants try to suck you in to their stores to buy
over-priced, useless tourist baubles.
I am asking that you support measures that would require controls for
access to the various "public" databases, such as WHOIS, and prevent
the ability to accomplish "bulk" downloads of the database
information. Here are a few of my thoughts on this subject.
What is a SCAM?
In the simplest terms it is an act where the perpetrator causes the
victim to believe something is true when in fact it is not true in
order to obtain monitory gain from the victim. This is accomplished
through deceptive presentations of information, for example
formatting a mailing or fax to appear to be a bill. There are many
examples of the art of presenting a scam. Scams are implemented in
person, over the phone, through the mail, by fax, and over the
Internet. Their makeup is limited only by the imagination of the
perpetrator. Some of the most repetitive scams attempt to deceive
the victim into believing that they have already contracted for a
product, like domain name registration, website position promotion,
or being listed in a "business directory". The victim is sent a fax
or a mailing that looks like a legitimate bill or a "renewal" notice,
but in fact is just an attempt to steal from the unsuspecting.
Unfortunately, enough of these "bogus bills" are paid to make it
worth the intricate web these hucksters weave. For less than a
dollar they stand to receive a return of $35 or more, depending on
the scam. The percentage of returns is low, but the rewards are,
well in a word, free.
Where do they get addresses, phone numbers, and other information?
If you have a state business license or you are incorporated your
information is most likely available as public information through a
state website. If you have a registered domain name your information
is available as public information through the WHOIS data bank
(unless you have paid to have it hidden). If you ever went to a Home
Show and registered for a free something-or-other drawing you were
listed in a customer data bank which may have been sold. A web
crawler or data-harvesting program may have collected your
information. There are companies who collect and sell data on
everyone they can get their hooks into. They might even know more
about you than the Federal Government.
What do these SCAMS have in common?
Usually these scams have a number of traits in common.
1. The mailing or FAX is in the familiar format of a bill, with
possibly an account number. It is really a solicitation for business
or an overture to a scam. With the amount of information and
decisions we are asked to analyze on a daily basis, we tend to
operate on perceptions based on past experience. If the mailing is
formatted like an invoice, it is perceived as a bill. Clever to
print a solicitation that looks like a bill. Honest solicitations
say something like, "Howdy, this is us. This is what we can do for
you. If you like what we have, give us a call. We would like to do
business with you. Have a nice day."
In addition to the "bogus-bill, and "bogus-fax-bill" there is new
ploy, the "living check". It has a life of it's own. It's a check
on the front, but turn it over and it's really a contract that you
sign when you endorse the "check". What will they think of next!
Maybe they could print the contract as a watermark or maybe a
2. There is always a looming deadline requiring the victim's
response. The perpetrator does not want the victim to think.
Usually one or two weeks are allowed for response. Sometimes there
is even the ploy of a late fee. Nice touch. Send them a check and
now they have your bank account number, sweet. Pay by credit card
and, well they have your? double sweet.
3. They offer a product that has dubious need (If they actually
provide what was offered is another matter). Ever wonder why someone
would want to be listed in a business directory that requires a
password for the general public to view or be promoted by a company
who's fist listings when a Internet search is accomplished on their
name are consumer complaints?
4. The mailing address for the "company" is a mailbox at a Commercial
Mail Receiving Agency (CMRA), not at a physical office. These CMRA
addresses change as often as the company names. The address will
often incorporate the term "suite", for example: "suite 108" or
NOTE: The # (pound sign) or "PMB" (private mailbox) in the address is
required by the US Post Office when receiving mail at a CMRA. This
is to ensure that people understand that the mail is not going to an
address where there is a physical office for the addressed company.
The perpetuation of the term "suite" in the address by the scammer is
another attempt to deceive the victim.
A check of the walking distance between the CMRA's used in New York
City over the passed few years by one group of scammers shows that
they are within a two miles of each other. Why do you suppose they
need to move so often, but not go far? Maybe there's a great pizza
place in the neighborhood?
5. Generally there is no company phone number listed on the "bogus
bill" or on the company website (if there is a website). This
eliminates the victim's ability to resolve any questions quickly.
If the company has a website some information regarding the owner of
the domain name may be available. It can be obtained through running
a WHOIS query on the domain name. The information is supposed to be
accurate and up to date. However, the address most likely is a CMRA
and the phone number will either be incomplete or be located in
another country (for example: Unionville, Ontario, Canada) and will
be unlisted. Most business want to be found and will not have
unlisted numbers. They want to be located. Go figure.
6. The trail of money will often end up in an offshore bank, for
example in the Bahamas, Grand Turk, or the Cayman Islands.
Is there any remedy?
The victims of these scams can file complaints with various agencies
like the US Postal Inspection Service, the Better Business Bureau,
the Federal Trade Commission, various State Attorney Generals, and
consumer protection agencies. This can seem like a dismal forest of
unresponsive bureaucracy with little satisfaction. It can be like
running on the beach at high tide, it is hard and your footprints are
there only until the next wave washes them away. My experience is
register your complaints, but don't expect anything other than canned
responses. So where is the remedy? Public exposure of the various
scams and scammers would help. An informed public would quickly end
the scams. However, there is another step that needs to be taken.
The various databases that these scammers use need to have controlled
access. The organizations and agencies that are entrusted with
"public" data need to control how it is accessed. The companies that
sell collected "public" data need to be held responsible for how the
data is used.
What is the problem with controlling access to "public" data?
The public has a right to know who is behind a website. There will
be no argument from me, if the public wants to find out the
registrant information for a particular website. The information
should be current, correct, and available. However, the information
should not be available in bulk. The scammers and spammers don't
start out by finding the information one website at a time. It would
take too long. It would be too much like real work.
All information should not and is not available to all members of the
public. There are already various classifications of government
information, such as "For Official Use Only", "Confidential", "Top
Secret", and "Business Sensitive". This classification is done to
regulate and control the people who are allowed access to the
information. Not all people need to know all things. The key is
"need to know". In the instance of WHOIS data everyone has the right
to know who is behind a particular website. It may be that a website
is seditious, pornographic, racial or in other ways criminal or
offensive in content. The public, law officials, and other
government agency officials need a way to attach ownership to a
particular website in order to file complaints or take legal action
against the owner of the website. They have a "need to know" the
registrant information for that site. It goes without saying that
law and other government agencies have the right to access all of the
information concerning any website or group of websites they choose
to investigate. However, the public should not have access to the
data for a website without knowing the domain name for the website.
In other words the way in which the data is obtained is the problem.
The public should not be able to obtain registrant information
through bulk downloads of a data bank whether it is the WHOIS
database or some states list of corporations. If I have an interest
in who is behind website XYZ.con, I can search the WHOIS database for
the contact information (the data may or may not be complete or
accurate). I should not be able to access registrant information for
domain names without knowing what the domain name is. I should not
be able to accomplish a "blind" data search and obtain a bulk mailing
list. The data is not intended to provide "bulk" mailing lists for
scams, phishing schemes, and spam. It is a violation of my privacy
and the scammers do not have a need to know.
Today, more than ever, there is a fear of identity theft. There are
many safeguards used to protect personal information. If you use on-
line banking your bank requires a password. If you participate in an
on-line auction, your account is password protected. Other databases
such as state business license/incorporation data and WHOIS domain
name data should be protected to prevent unauthorized use of the
data. There is an on-going argument concerning what is public
information and the publics "right" to know. In light of the
numerous scams that originate via WHOIS data, my belief is that WHOIS
data, for one, should be treated as personal privacy information.
Access to the information should be on a need to know basis by
authorized entities, like law enforcement agencies. An example of a
controlled access data system that works for law enforcement is the
FBI's CODIS system. There is no "need to know" for the general
public. Another example is the California State Drivers License
database. Given a person's drivers license number I can find out if
that person has a valid license. The response from the system is a
simple "yes" or "no". I can not find out where they live or their
phone number. An example of a database that is not as well
controlled is one states data on state corporations. When the
database is first approached it requires that the searcher in-put the
name of a corporation. However if an "advanced" search is
accomplished, the search can be accomplished to provide the data on
all corporations within a specific postal zone. The returned
information will be hyperlinks to each corporation's registration
data. This goes far beyond finding out who is behind a particular
Honest people who provide information when obtaining a business
license, registering a domain name, or incorporating are currently
being bombarded by scams. However, the scammers provide bad
information, including bogus names and incomplete phone numbers, to
avoid being tracked. It appears that the scammers know how the game