ICANN Email List Archives

[ird-wg-report]



Comments on the Interim Report of the Internationalized Registration Data Working Group

  • To: ird-wg-report@xxxxxxxxx
  • Subject: Comments on the Interim Report of the Internationalized Registration Data Working Group
  • From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 14 Mar 2011 10:27:30 -0700

On behalf of Internet Identity, an Internet Security company that routinely 
deals with abuse and criminal activities that utilize the domain name system 
around the world, we would like to thank the IRD Working Group for their work 
on this issue.  While only responding on behalf of our own company, we work 
with several industry organizations and international law enforcement agencies 
who we believe share similar experience and uses for whois data.

Over the years we note that the uses for whois data have expanded and changed, 
and with hundreds of millions of domains in existence, diversity of domain 
registrants and the uses they have for domain names are rich.  Unfortunately, a 
great deal of criminal activity and various abuses have also grown rapidly over 
the past few years, from spam to phishing, malware, botnets, and a host of 
fraudulent schemes.  In a large percentage of cases, criminal elements directly 
use the domain name registration system to create presences to lure victims or 
to command vast infrastructures of botnets.  To an even greater extent, they 
compromise, hack into, and/or hijack other people's legitimate online 
presences, subverting them for any and all of their nefarious uses, which turn 
domain names that are providing good and valuable information or services into 
platforms for abuse.

Whois services have been a valuable tool in the fight against criminal abuse.  
First, they are often used to identify bad actors, or at least their oft-used 
online aliases, and being able to correlate across several domain spaces (from 
one TLD to another) is an invaluable research tool for building cases.  Some of 
the largest criminal cases pursued in the phishing space for example have been 
greatly augmented by researchers tying evidence together based on registrant 
information for domains used in abuse and domains used for nameservers of 
fast-flux hosting.  The traditional use of ASCII has aided in these efforts, as 
it allows investigators to quickly and, in some applications, automatically link 
incidents together.  Given the scale of many of these cases, automation and 
data-mining are necessary to have any hope of providing effective research in 
real-time to identify bad actors and their resources.

These factors augur for a solution that includes the "must be present" 
requirement as put forth in your report.  To the extent possible, this should 
be accurate and consistent between various TLDs.

A second major use for whois data in our work is to be able to quickly contact 
owners of websites, mail servers, and other online presences where criminals 
have hacked into those servers and are using them for active criminal 
operations.  Whois thus serves one of its original purposes well in this 
instance (when it is accurate and non-hidden) which is to allow for people to 
inform the operator of a domain that they have a problem that is affecting 
other Internet users.  While our team has a diversity of language speakers on 
it, we typically speak English and are able to take advantage of ASCII based 
whois data to quickly be able to reach out to affected registrants and 
providers.  We note though that 
several CERT teams exist throughout the world where the native language of the 
team is neither English nor the native language of the Internet presence they 
are trying to alert to a problem.  Thus having some type of mutually understood 
contact information within the whois for a domain is needed.  In some cases, 
particularly anti-spam operations, many companies utilize tools for automatic 
notification based on whois data - either IP or domain - based on the type of 
incident.

We would also note that while a domain registrant may intend to only use their 
domain "locally" or interact with people in their native script, the nature of 
the Internet itself means that any domain provisioned on it is available 
universally so is international in scope regardless of intent.  There just 
isn't a local use only option for domains so any registration you make is in 
all practicality, international in its nature.

Again, these factors create a need for a "must be present" requirement, and 
this is largely for the benefit of the domain registrant whose assets have been 
compromised.

Several options were presented in your document that include some way of 
providing whois data in a universally understandable way, and all had pros and 
cons.  Without picking favorites, we would note a few things:

1) Any methodology needs to be as universally consistent as possible in order 
to provide the most benefit to everyone in the ecosystem.  Whether by 
designating centralized systems, stricter standards, or some other mechanism, a 
primary goal should be to assist in making handling of whois data scalable 
across TLD spaces.

2) The registry for a TLD is likely the logical place to implement standards.  
This could be accomplished via many methods from providing actual operations to 
required contract policy to registrars or registrants (depending on the TLD 
model).  We're agnostic about how this gets done, but it seems that if you're 
going to shoot for a universal standard to the extent possible, the registries 
are going to have to be involved at some level.

3) Large distributed systems for handling identification of people and places 
around the world already exist in the postal and parcel delivery systems.  
Companies like Fedex, DHL, UPS, and others have "solved" many of the issues 
that are being discussed in the paper in order to allow for people all around 
the world to send each other items in just a day, no matter what country they 
reside in and different languages they speak.  This requires a massive amount 
of automation in their data systems, dealing with many of the issues described 
in the report.  We would urge working with these kinds of organizations to 
leverage standards and techniques they've already spent a great amount of time 
and resources to develop.

In conclusion, we believe this paper has helped better define the issues and 
present some solution paths, but could be greatly augmented by leveraging the 
experience of industries that handle these issues at large scale on a daily 
basis to better inform the community on directions to take going forward.

Thank you for your consideration of our comments.

Regards,

Rod Rasmussen
President/CTO
Internet Identity




