A couple of interesting developments on the issue of whether registrars should be required to verify the identity of the registrant of every domain name.
First today the authority charged with running the .Ru ccTLD, the Coordination Center for TLD RU, announced that effective April 1, 2010 all registrants of .RU domain names, must file proof of their identities with their registrars in order to maintain their existing domain names or to obtain new ones.
If the registrant is an individual the registrar must obtain proof of his or her full name and address. This requirement can be satisfied by submitting a copy of the registrant’s passport.
Where the registrant is a corporation or other legally registered entity, the registrar must obtain a copy of its corporate or other state registration.
The Terms and Conditions specify that a registrar may cease to process an application for a new domain name if the applicant fails to provide proof of identity.
Furthermore, the registrant of an existing domain must satisfy a request for proof of identification within two months, or risk losing its registration.
Now before you just dismiss this as a Russian thing, there is a few stories out today where the Serious Organised Crime Agency (SOCA) in the UK, and the FBI in the US have teamed up and is asking ICANN to require that all domain registrants verify their identity in the same fashion that .RU just passed.
“”Now it is “ridiculously easy” to register a domain name under false details, said Paul Hoare, senior manager and head of e-crime operations at SOCA.
“”Domain names can be used for all kinds of criminal activity, ranging from phishing to trademark abuse to facilitating botnets. Law enforcement often run into difficulty when investigating those domains, as criminals use false details and stolen credit cards.””
CADNA is of course in favor of such a requirement.
This doesn’t necessarily mean that you won’t be able to have privacy on your registration, but that your registrar and ultimately law enforcement would know who actually owed every domain name.
The day is not here yet, but put this issue on your radar.
Seems to me one way this requirement could be easily met
is for a Registrar to accept and a Registrant to use a verified PayPal account.
PayPal has already done the work of identity proof for verified accounts.
I’ve long supported WHOIS verification. There’s an open comment period for the recent WHOIS accuracy study, and my comment for that is at:
http://forum.icann.org/lists/whois-accuracy-study/msg00003.html
The method I suggested involves using a PIN code that is mailed to one’s physical address, and then a domain name wouldn’t resolve until the PIN is entered at the site of the registrar or registry. Let’s say it costs $1 to mail out the PIN (at scale). The average registrant might own 10 domains, in which case the effective cost is 10 cents/domain. For larger portfolios, the cost is even less. The reduction in abuse would be enormous, and far outweigh these costs. Using the passport would be more controversial, because that opens up the possibility of identity theft if the registrar is hacked, etc. One shouldn’t be using passports except for their intended uses (travel, etc.). PIN codes would be much less controversial.
Only idiotic domainers could ask for this. The only reason FBI wants it is to link domain revenue to IRS. Nothing else.
Hm
No domainers are asking for it.
Police are
“The method I suggested involves using a PIN code that is mailed to one’s physical address”
George,
That should only have to be done once per Registrant
and not for every domain registration, no?
Yes, tricolorro.
And the best of all, you are allow to have only 10 domains per human being!!!
The next future is your social security # will be your domain name
123456789.com
Now how that???
and you are all to turn the feature on/off for others to look except for the govt that can view everything!!
“That should only have to be done once per Registrant
and not for every domain registration, no?”
yes, and I hope that those who have a domain will be already “verified”
.
Pfft
Some of you lot need a re-think
Receiving any PIN or whatnot thru the post doesn’t ‘prove’ ID – all it proves is that some recipient received the PIN safely.
Real world:
– Passport copies? Photoshoop
– Mail address. Any idiot can get a maildrop in Timbucktoo and redirect the mail with PIN to wherever..
– More form filling & checking boxes — but ultimately useless and easy to get around.
– anyone can incorporate in some lax 3rd world a Ltd co. (or fifty) & get a bunch of typo domains under those cos. as registrant.
C’mon getting around all this nonsense is child’s play for those with the will & knowledge. You don’t need to be trained by Mossad…
>> One thing is for sure…it’s gonna get more onerous for registrants (domainers)…yet again <<
Aggro: There’s a finite number of real-world locations. If one got a maildrop in Timbuktu and abused it, then it would be blacklisted. If your IP address when logging in to the registrar’s interface is different than the country of PIN code mailing address, that’s another sign for the registrar to flag the account for review. In finance, the standard is “know your client.”
Mailed PIN codes are used by Revenue Canada, for example, to do online access of one’s tax info. They’re also used by online casinos, before one is allowed to cash out.
Is the system “perfect”? Certainly not, but there’s a saying that “the perfect is the enemy of the good.”
Regardless of how one feels about such “prove who you are” proposals, the LA Times shows how such information can come back to bite one–hard:
http://www.latimes.com/news/nation-and-world/more/la-fg-secrets-for-sale17-2010mar17,0,1670609,print.story
So George, what happens when yu are a domainer who is constantly travelling the world and log in to your registrar account from different countires ll the time. You will get you account blocked and then have to prove this and that…
Also domain registration fees would go up. The registrar has more administration work to do and also bears some liability, this are additional cost, which of course the domainer would have to pay.
Guys
My prediction on the possibility of requiring that a domainer owner’s identity to be required to be verified by a registrar within the next next 5 years:
100%
Michael,
Unfortunately, I agree that it will happen.
However, If I buy a piece of property and pay cash, I’m not required to show proof that I am who I say I am.
I do have to file it with the local gov’t where one agrees that the information is correct. But, aren’t we already doing that now?
Small
On the contrary if you buy a piece of property with cash in the US the titled company, escrow agent and/or Realtor, whoever is involved and handles the closing is going to want ID from you and has to report the receipt of cash to the IRS.
Small,
The only way to buy property with no ID and all cash is to buy it direct from the seller (who is supposed to report it but might be willing to not do so) and record the transfer deed yourself with the county.
As Mike indicates, you will not, however, be able to obtain title insurance; thereby putting you at serious risk of recorded and unrecorded liens, judgments, loans, “hidden” seller(s), and easements.
@George Kirikos … you forgot to mention the IRS also assigns a PIN for certain tax transactions. I think the PIN system is a good idea, personally; I also believe it may have value in removing some of the phony domain owners out there. There’s currently a case in Virginia, involving Microsoft, that goes to the heart of registering domains under false names, then using those names to spread malware.
Perhaps getting the larger registries to voluntarily commit to this action, or some similar verification system, before it becomes a law, will prevent any enacted legislation from being overreaching, thus resulting in litigation. Again, the PIN system is not a panacea, but it is a very good starting place.