At ICANN today the hot discussion centered around registrars, and the roll law enforcement wants to place on them to curb illegal activity on the net.
The bottom line is that if law enforcement gets their way, registrars are going to have a lot more obligations and therefore a lot more costs and guess whose going to foot the bill
You
The domain registrants.
In attendance today were some heavy hitters in the world of law enforcement.
The FBI.
The Secret Service.
Representatives from the federal law enforcement agencies for The UK, Belgium and France.
A serious group.
At issue, the amount of organized computer crimes in the form of Phishing, Botnets “Fast Flux” (a term honestly I never heard before today), child porn and the sale of illegal pharmaceuticals, to name a few which involve the use of hundreds or thousands of domains for each scheme say the feds.
The solution for law enforcement seems to be to hold the registrars responsible to “know their customers” so in the case the feds come knocking inquiring about a domain or set of domains, the registrar can give them info as to who really owns the domains allowing the feds to make arrests and seize and shut down the domains at issue.
The registrars respond that if the responsibility to collect and store such information is put on them they are going to have to hire additional people, incur substantial additional costs all of which they are going to have to pass down the added costs to the registrants.
That would be you.
The heat was turned up a by a report that was also published today by Knujon.com an independent security research group, which claims that ICANN-accredited Internet Registrars are currently violating their contracts with ICANN to support online criminals.
Knujon.com claims that 162 of Internet Registrars may be in breach of violating their registrar accreditation agreements with ICANN, including Dotster, Enom, NameScout, NSI, Register.com and Tucows.
Moreover the report stated that 80 ICANN Accredited registrars are blocking access to WHOIS data about their customers.
The report also called out eNom, in particular for “knowingly facilitating traffic in illegal online pharmaceuticals”.
The report goes on to say:
“”The growing trade in online pharmaceuticals is made possible by Internet Registrars, which provide back-end services that allow online pharmacies to operate.
“Whether actively or ignorantly involved, there is no question that eNom has become an arm of illicit international drug traffic, a resource modern organized crime cannot exist without”.
The panel at the ICAN Meeting heard the complaints of law enforcement regarding false whois info, blocking the whois database by registrars and discussed how it needed to be able to quickly identify who the beneficial owner of any domain was, regardless of whether the privacy or proxy services were being used.
Such detail would require each registrar to know each of its customers and allow the info to be turned over the law enforcement.
Of course here is the good old USA, there is a little thing known as the constitution and the right to privacy that is guaranteed by it and therefore such issues will have to be dealt with.
The police also want to place a duty on registrars to investigate any allegation of malicious conduct and require that each registrar have an appointed person avaliable 24/7 to investigate any such allegation immediately.
Police also want registrars who find false whois used in connection in a domain registration to immediately cancel the domain registration.
Finally it looks as if Registrars will be prohibited from cybersqautting and a registrar can have their accreditation yanked if they are found to be engaged in a pattern of cybersquatting based on their own registrations.
It seems clear to me as it did a few months ago that law enforcement is going to increase the pressure on registrars to know who the owners of domains actually are, by requiring some verification of ownership, which will increase their costs and thereby our costs, above and beyond the VeriSign Fee increases.
Moreover, it seems that using false whois info is going to create additional problems down the line for registrars and registrants.
Tomorrow the registrar group meets in an all day session.
The only good news is the rain stopped today and it may actually be warming up into the 60’s tomorrow.
Tim says
Thanks for the report Mike….I know it takes effort.
Dean says
Great read- the implications tremendous.
MHB says
Thanks unfortunately I know this will be a lightly read post, nobody cares about ICANN matters until all of a sudden registrar start raising the prices of registrations then everyone will look around and ask “how could this happen”
Randall Brown says
Thanks for the report.
I think some areas could have some work done to it as far as false whois, but if a law enforcement really wants the information I think it should be by court order and they are asking for to much information. Much like if I asked for president Obama information, Which we all know would not be given to me for anything in the world. I am not saying that this case is to such a high degree but why would one act be any different then the other. Obama does own a few domains dont forget, such as Change.gov, created right after he came into office. I think they are sticking their noses into it to much and the internet as we know it should not be governed.
MHB says
Randall
Law enforcement is saying that they don’t have the time nor the budget to get court orders for a daily situation of phishing sites stealing information., malware sites that install a virus on your computer which see’s every keystroke including every user Id and Password you type in.
They are saying that this is different because so much information, and thereby money can be stolen is just a few hours, that its different than normal criminal activity
RL says
The solution for law enforcement seems to be to hold the registrars responsible to “know their customers” – This does not make sense!
ICANN is just a registry … domain name registry … … information should be used for the purposes for which it was collected
…….
If you search for “know their customers” (about 1,260,000 results in Google) that nearly all businesses, not just registrars, are challenged to do the same.
“Merchants no longer know their customers; bank managers don’t know the people applying for loans; consumers don’t know the business people from whom they purchase goods and services; and parents may not even know the teachers, coaches or caregivers to whom they entrust their children …
As a result, we increasingly rely on information rather than personal knowledge or personal relationships to make decisions.”
“Our society could not function without trust. Our personal relationships are based on trust. Our political system is based on trust. Our economy is based on trust.” … ” Privacy, of course, is closely related to trust. There are innumerable definitions of privacy, but many of them refer to the ability of individuals to determine when and with whom they share personal information about themselves.”
“One reason that governments passed privacy laws was to create and strengthen trust.”
… as a general rule, organizations should inform individuals about all uses or disclosures and obtain consent at the time of collection … the bottom line is that consent is required before use or disclosure.
… should be able to use opt-out consent for disclosures.
… information should be used for the purposes for which it was collected.
I conclude that registries
Makis.TV says
I m confused over this topic.
I am a Greek citizen, how can FBI get my details without my permission?
Greek law secures me from such actions unless I have a prosecutor chasing me, Greek one.
John Beckwith says
Its about time people realized that the Wild West of the Internet will be cleaned up. Makis if you register .com names that registry is located in the US and if you were doing something illegal (I know you are not) especially against users in another country they are not going to sit back and say oh well he is Greek.
Of course the registrant is going to pay more, the registrar is not going to foot that, I did not think anyone would need an article to make that clear. Just like any other business when your product providers cost increase most of the time some of that will get passed along to their customer.
The key here is a delicate balance, because you want consumers confident they are being protected or else ecommerce will go in the opposite direction. Someone who uses fake whois should get nailed those opposed to that make me wonder what they are doing online.
Mike says
when do we get to the part where everyone just waves their hand with the implantable microchip across the computer for identification in order to register domains? maybe retinal scans will work better. they can upload your info right into a federal database. i’m sure this process will save us all a few dollars.
MHB says
Makis
As I said in my post not only was the FBI pushing for this but many countries federal police servers are pushing.
As it was said at the ICANN meeting yesterday (and again today) cyber secuirty is now on the front burner for almost every country in the world, and I would expect either that ICANN will legislate on this or most countries will have their own laws in the next 3 years on this so it won’t be the FBI knocking on your door but the equivalent agency in Greece
MHB says
Mike
Your appointment to have your chip installed was last week, don’t tell me you missed it
MHB says
RL
The problem is there is no one else in the food chain that can best know who owns a domain than that domains registrar. The registrar is the one that gets paid, so they either get a credit card or paypal account or something from the registrant.
Yes it might be a stolen credit card but they get something.
The registrar is also the only one that would have the email on file which requested the domain and the real persons name, address and IP address where the request came from
jeff schneider says
Hello Mike,
The key to the power of internet commerce is in fact the foundational portal door through which businesses are accessed. This is a pretty good definition of domain names. For assets that are indeed the foundation of web based businesses,it only makes sense that people out of control of these assets want control. All major governing bodies crave control, as in the example of Australia in your latest post. We all need to be prepared to fend off the dogs of entitlment.
Wars and laws have stolen assets down through the ages. Our domain assets are in many cases our retirement funds. Corporations and governments take what they can steal legally.
Welcome to the real world.
Gratefully,
Jeff
Makis.TV says
John and Michael, thank you for the replies.
I m still learning my obligations and rights as an internet user and domainer so I m looking in any possible direction for more input.
As you wrote Michael FBI cant knock on my door or use my private details, but from what I understand they will just pass them over to the local authorities making eligible to defend my rights under my Constitution and thats fine for me.
Cyber security laws is not existent in most countries and we certainly have to see a lot more development in the yrs to come.
domain guy says
yes domain registars will be held accountable not the government.
this is no big deal you know when you are breaking the law.phishing,child poro,stolen credit card numbers,trademark infringement,taking money and not delivering products…etc…know your customer rule is prevelant in securites laws..no big deal.
this is internal industry wide policing of its own product..the way it should be.just like any industry that is maturing more laws and regulations the wild wild west is being tamed.and is really a good thing in the long run creditability comes to an emerging industry as domains names are being recognized and regulated as a ligitimate asset class.
Louise says
This is good news:
“Finally it looks as if Registrars will be prohibited from cybersqautting and a registrar can have their accreditation yanked if they are found to be engaged in a pattern of cybersquatting based on their own registrations.”
Please, MHB, don’t fall on a bandwagon influenced by Registrar PR of offense to this law enforcement initiative. If ICANN were doing it’s job, there wouldn’t be a need for law enforcement to step in. The sorry reality is Registrars write their own rules, influence ICANN to write rules in their behalf, and are unaccountable to the RAA agreement which dictates all the above.
Patrick says
This is great news! I am glad to see that law enforcement will finally be policing what equates to the dark alley of a crappy city. It’s about time. Unless you are participating in unscrupulous acts, like say cybersquating, I am not sure why this would not be great news.
Some say they are not cybersquatting because they are only registering domains for which a small to midsized company failed to register their trademark. The actions of these people are precisely the reason congress passed cybersquatting laws in the first step.
I like to call them domain hoarders, buying a domain for $10, injecting no value in the domain and then essentially black mailing the businesses for tens of thousands of dollars. This is all made possible by a single misstep on the part of a small business by failing to register their trademark. One step removed from cybersquatting. I laugh when I see these same hoarders crying about how unfair all these new regulations are. When you play with fire you are bound to get burned.
MHB says
Domain Guy
“”yes domain registrars will be held accountable not the government.
this is no big deal you know when you are breaking the law.””
It no big deal as long as your not responsible for collecting, verifying and storing the information, which is a huge task and a costly process.
And its no big deal unless you are paying for it, which are registrants we will.
I asked a big registrar about these requirements yesterday and costs associated with it but his guess was something to the tune of an additional $.25-$.50 per domain.
MHB says
Louise
I was in the registrars meeting yesterday and I have to tell you is that they are none to happy with many of ICANN rules and moves.
If you think that ICANN simply rubber stamps everything they want, I got to tell you that is not the case.
There was plenty of push back from the registrar community yesterday to some actions of ICANN and the discussions got quite heated
MHB says
Patrick
I have no idea of what your talking about.
None of the activity law enforcement is concerned about has to deal with parked domains or what you call cybersquatting.
It has to do with criminal activity which we are all against, phishing, child porn, hacking, spoofing, malware that steals your information, etc etc.
The issue is how to prevent it, how to catch the guys doing it and whose going to pay for this effort
MHB says
Here is another story on the issue:
http://www.theregister.co.uk/2010/06/22/police_domain_rules/
Louise says
MHB, you’re wonderful. Thanx for posting your first-person account.
Hope this is an end of an era of a free ride for Registrars, esp. the largest. They brought this on themselves! See: Probe into hacking of high school Web site
domain guy says
@mhb 8% for legal overhead seems to be about right….i think anything less than 10% is acceptable..legal expenses are a part of any deal
and rick justified the legal expenses on a major post.as volume rises the legal expense should fall if we are lucky under 3%.and a sharp programmer might get it under 1%.as we all know we do not want the gov telling us what to do…so this is the industry response.it is much better having internal policing than being coierced into compliance….