What Protection Does ICANN Offer The Consumer?
On the 20th of Jan 2018 we sent an email to Tucows and the reseller SmarterASP on domains used for websites selling both legitimate and forged passports, visas, drivers licenses etc. They also claimed to sell forged currency. The reality is this is a well known scam used by Cameroonian fraudsters. Invariably these lead to later extortion where the fraudsters impersonate the authorities and fees/fines are payable.
Naturally such activities are illegal globally. Even if you don’t understand how the fraud plays out, at least any mature responsible person should know that you can’t simply buy a passport, visa or like government issued documents off the web, it is illegal.
Jan 20, 18:05 EST
We notice the not so beautiful (actually fake) registration details pointed out for these domains.
Having supplied the registrar and reseller these details, what would a reasonable party do? After all, has the Registrar group not said in ICANN policy discussions they generally would not ignore such complaints? As per the ICANN RAA, a response is due in 24 hours. However, the failure to respond in this time frame, if at all, has become a common occurrence at many registrars.
Having not heard back on this issue apart from an automated ticket ‘Your request (327630) has been received and is being reviewed by our support staff.’, a prompt was sent again on this issue on the 3rd Feb 2018. We received the following reply:
Feb 4, 08:49 EST
Whois information no longer shows up at http://tucowsdomains.com/whois due to GDPR regulations. You can read more about our position here: https://opensrs.com/the-gdpr/
Tucows/OpenSRS has no control or ownership over this domain. We are just the Registrar.
We do not host any content or provide bandwidth.
If you wish to launch a concern about abuse, you can try contacting the Internet Service Provider (ISP) or the upstream provider. They may have Rules governing the use of their service. You can also try contacting the actual domain owners by using contact information found on the website.
If this is an issue of trademark, then you may want to review the documentation on how to lodge a formal dispute through the UDRP (www.icann.org/udrp) or a court of competent jurisdiction.
Essentially, we are an administrative body and do not judge or adjudicate issues of dispute.
If the domain does go to arbitration, please send any legal documentation (court filed or filed with an ICANN recognized arbitrator) by email to firstname.lastname@example.org, by post to Tucows, Inc, 96 Mowat Ave, Toronto, Ontario, Canada M6K 3M1.
Please let me know if you have any other questions
Let’s put this response into perspective:
First is the ridiculous response: ‘You can also try contacting the actual domain owners by using contact information found on the website.‘ That sounds like an excellent Lalaland idea (not) to offer some relief, this section is simply mind boggling! Why haven’t we thought of this before? Let’s ask all criminals to stop committing crime, governments can save fortunes annually. Naturally this suggestion receives the contempt it deserves.
We pointed out the domain registration details were problematic before being hidden. The European GDPR was intended to protect the privacy of natural persons residing in the European Union. While nobody denies the need for legitimate privacy, Tucows is now using it as a blanket get-out-of-jail-free card to not meet it’s WHOIS obligations. Ironically this was predicted before the ICANN GDPR talks began in earnest. It was stated that Registrars and other ICANN contracted parties would abuse the GDPR to hide the mess that is WHOIS, but one that was used to protect governmental, commercial and consumer interests. It seems we may be correct. In turn this European privacy initiative was hijacked to now hide registrations for companies as well, some of them not even real as in this case. Bogus registration details for a fraudulent company is not a natural person. It’s not even a legal person! This mess was predictable, was predicted and now we are starting to see it’s fruits.
The irony is that in these talks, great fanfare was made about the requirement of the RAA to ensure that Registrars are obligated to collect accurate WHOIS details. This statement was made while we ourselves knew this to be patently untrue! In fact ICANN knew this as well. We had an ICANN Compliance Complaint later escalated to the ICANN Complaints office. ICANN’s own WHOIS accuracy reports in the past testified to this fact. Throughout the history of ICANN accurate WHOIS always has been a problematic issue and much abused to undermine consumers’ rights. Records of this can be found in the ICANN archives.
The irony is the GDPR is now being used by an ICANN Registrar to absolve themselves from any further need for action, dooming consumers who believe they can actually buy both “fake and real documents” off the net, to identity theft, fraud and extortion. The GDPR is now a tool to be used to shield themselves at registrars at the cost of the ordinary consumer.
22.214.171.124 The Registered Name Holder shall represent that, to the best of the Registered Name Holder’s knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party.
Claiming to be selling real and fake/forged documents to unwitting consumers in an elaborate fraudulent scheme is a blatant breach of this promise.
Registering a domain with fake registration details would be a further breach of the RAA/Registrant agreement, except this is now hidden. We had to use historic WHOIS data to show this problem, DNS abuse. Yet the registrar is now ignoring it, the perfect excuse to devolve the bigger problem to a “content only” problem. The GDPR is now a shield for plausible deniability and self-blinding.
Where we see the ICANN DAAR initiated to highlight problem trends, the Registry Stake Holders Group (RySG) was quick to attack this initiative: https://www.icann.org/octo-ssr/daar. Ironically the GDPR is mentioned as one of the reasons in criticism of DAAR. Yet this is an initiative to highlight abuse that also undermines consumers by the very parties who would most likely be allowing abuse, including abuse of the GDPR. Is the problem the issue, or rather shining light on the problem? Apparently it seems the latter.
During much of the GDPR talks, much was said about government interest in WHOIS data. Likewise commercial interests. There was no real acknowledgement for the common consumer who might wish to look at domain registration data to see if the party he is dealing with is credible. Contrary to what many parties would wish to be true, consumers actually did use WHOIS data to see if there is any credibility to the domain registration data before deciding to deal with a party. Any consumer that saw domain registration details on a domain such as the below, would avoid dealing with the associated website:
Registrant Name: Migration Documents Registrant Organization: CreativSoft Pvt Ltd Registrant Street: Brandenburg Brandenburg Registrant City: Berlin Registrant State/Province: Br Registrant Postal Code: 28359 Registrant Country: DE Registrant Phone: +1.2687362645 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: email@example.com
Now the consumer has to rely on a registrar, perhaps in a foreign country, delivering a service to somebody unknown, blindly hoping and trusting said registrar did in fact take the time verify registration details as is required in the RAA, mentioned by ICANN in the RAA talks and agreed to by registrars. All the consumer now sees is:
Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: REDACTED FOR PRIVACY Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: REDACTED FOR PRIVACY Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: REDACTED FOR PRIVACY
Meanwhile the registrar is aware of a serious problem, yet hiding behind the GDPR to do nothing. Too bad for the victims of fraud, ‘We are just the Registrar‘.
However the GDPR does have an accuracy requirement, something that falls by the wayside in all these Lalaland discussions where criminals are now abusing the GDPR to either commit fraud, where we find ICANN contracted parties shield themselves from having to deal with pesky fake WHOIS admin issues well known to exist.
Perhaps the ICANN contracted parties should take the precious time they have now saved, at the cost of the ordinary consumer, to actually read a most insightful article by Fabricio Vayra on CircleID: WHOIS Inaccuracy Could Mean Noncompliance with GDPR
It would be highly amusing to see how this issue would play out if a European citizen was defrauded by one of the reported domains, if the European authorities follow the much bandied about “due process”, to only uncover the garbage registration details. More so if they are aware of the type of responses as shown above on this issue. It should trump all the ICANN / Tucows court cases on the subject of privacy to date. The following article makes for quite an interesting read and we quote from this CircleID article by Michele Neylon:
ICANN vs EPAG/Tucows: Tucows Releases Statement on What They’re Doing and Why
“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”
We leave it to the reader to ponder this statement, weighed against the reply received. We are more than sure that ‘Migration Documents’ at ‘Brandenburg, Brandenburg in Bremen, Germany‘ will not be held accountable, no more than Yogi Bear in Yellowstone Park (buried in the annals of ICANN). We are sure the authorities also won’t be grateful for this great domain registration record, once due process has been followed and the waste of their precious resources.
So much song and dance about five domains? Surely not? All the time and money spent, would have been better spent in understanding the nature of Cameroonian fruad. The Brandenburg registrant is most likely a bit south on another continent in another country. The very problem and parties that were allowed to destroy the legitimate pet trade online, as highlighted by a US BBB report, is also responsible for these types of frauds. We only have to search for “undetectable counterfeit money” on Google to see over 200,000 results, many linked to bespoke domains. Enter registrar responsibility. This problem is just as pervasive as pet scams. Ditto “fake/real” passports and other government issued documents. Likewise other forms of abuse that have the authorities reeling from dya to day, overwhelmed by cyber crime complaints and reported losses ever increasing annually.
Newflash: Apparently certain Registrars and contracted parties don’t read the news. Law enforcement is overwhelmed with all the cyber fraud and can impossibly attend to all the fraud on the net. Yet this attitude allows even more DNS abuse to happen, worsening the problem. Allowing invalid registration data into the system, then hiding it in the name of the GDPR for a fake business, even less so.
Certain ICANN contracted parties are quick to absolve themselves from responsibility. They do not want their cash cows to seek refuge at a competitor. Law enforcement is made the scapegoat and given the responsibility to clean up all this abuse on the net and for failing to. The consumer count mounts daily, victims that will never see justice or restitution.
Why are registrars absolved from responsibility for the problem. Making law enforcement responsible for consumer protection in DNS abuse is inappropriate. At best law enforcement is mitigation after the fact of harm done. Law enforcement is bound by jurisdiction, law enforcement needs a victim report, law enforcement has to measure loss vs potential for success, cost of prosecution etc, all belying the self-serving ICANN logic.
Why all the bottoms-up processes if they are not implemented in reality and can be gamed? Why ask for community involvement to develop processes, but to then allow violation of such? Is ICANN looking for disciples, or true balanced input and a balanced result?
Currently turds are being gold-plated, wrapped up in gift wrap and worshiped. But once we remove the wrappings, it still remains a turd. Why wrap clearly malicious domains in pomp and due process? It serves nobody except a select few in self blinding or profiteering by nefarious actors and a rush-to-the-bottom self-destructive model for the internet to the detriment of consumers. This undermines the very credibility of the internet.
What protection does ICANN and it’s contracted parties offer the common consumer, the natural person?