
Don’t Make Us Treat Our Customers Like Criminals!

This post is probably a little longer than my normal ones and is probably best classified as a “rant”. You have been warned. Now please read on.

Online Crime Is A Serious Issue

Crime, fraud, scams etc., they’re all very bad things. They’re also not going to go away anytime soon.

As a domain name registrar and hosting provider we’re constantly “at risk”, as we sell a lot of services that are both cost-effective and also give criminals the tools they need to attack third parties.

Again, this isn’t exactly news.

We’ve always taken a very pro-active approach to dealing with criminal activity and network abuse. If your website gets compromised, for example, you might get an email from our technical team asking you to fix it. If you don’t act on our notification we might go so far as taking the website offline until you fix it.

And we like to get paid by our clients, so we’ve implemented our own anti-fraud checks. It makes sense. We want to get paid. We don’t want people paying us with stolen credit card details.

Any and all of the things we do in order to keep our network clean and our operations running are done with the least amount of disruption to our clients.

But recently I’ve been losing sleep.

What’s Going On?

Let me explain.

We are an ICANN accredited registrar. That means we are one of the relatively small number of companies in the world that have a contract, or “license”, both with ICANN and with the various domain name registries such as Verisign to provide domain names. The contract we have with ICANN is like the “bible” for how we are meant to conduct ourselves. It includes a combination of obligations and rights for both us, as a registrar, and you, as a registrant (the person who registers domains).

The contract is called the Registrar Accreditation Agreement or RAA for short and we signed ours most recently in 2009. It’s now under review and while some of the changes being proposed aren’t going to have a negative impact on either us or you, our clients, there are several aspects of the proposals that simply do not sit right with me.

I am personally very concerned about some of the proposals being pushed by Law Enforcement and ICANN, which, if successful, would mean that we’d be forced to demand a LOT more information from our clients than we should have to. It’s not reasonable and some of the requests could put us in direct conflict with Irish and EU law.

Just for the sake of transparency I’m posting the two documents outlining the proposals as PDFs further down this page, and you can read more about what’s going on over here.

There’s quite a bit of legal mumbo jumbo but the bottom line is that Law Enforcement want us to gather a LOT of information about you when you register a domain name.

They also want us to validate a lot of the information you provide.

Both of these concepts aren’t abhorrent at some levels, but when you take them too far and make them a binding, obligatory part of our contract with ICANN they result in me losing sleep. (And in case you’re asking: if this change is made then it’ll impact ALL .com domain registrations, whether you register directly via a registrar like us or via a reseller like a lot of the smaller hosting providers out there.)

There are a lot of issues with both concepts, but let’s take them one at a time.

Data collection

Collecting the data that you need to do what you’re asked to do, i.e. register a domain name for someone, is fine, but asking for a whole lot more data is an issue. Not only are we expected to collect it, but we’re also expected to hold on to it for way longer than you’d normally retain transaction data. (Remember a domain can be registered for up to 10 years and the registrant can renew it for up to 10 years at any time.)

In several jurisdictions (including Ireland) there are limitations on the amount of non-essential data that you can collect as part of a transaction. Take a look at any UK website since the beginning of this week and you’ll see what they’re being forced to do when they want to set cookies, which, in many cases, are fairly innocuous. How we can be expected to collect data about how you might use your domains is beyond me. And I don’t even see that as being within the scope of ICANN’s role.

You can read over the document here: LE_Rec_coll2012 (it’s a PDF)

Validation & Verification

The other side of the “coin” is the entire validation / verification thing.

Now don’t get me wrong. I don’t have an issue with there being better data in systems. I just think that there are ways to improve data quality without making the entire domain registration process akin to pulling teeth.

Law Enforcement have provided an explanation of what they’d like to see us doing (see: LEA Validation). Some of the stuff they’re asking about isn’t abhorrent as a concept, but forcing us to conduct this kind of validation and verification on every single domain name registrant is going to have a detrimental impact on the entire domain name system. (And note the terminology – a “registrant” might be a customer of ours, but it could also be a friend or customer of one of our clients.

Our account holders, however, are our clients and we’d have a pretty good idea if they were up to no good, as we do vet them.)

A couple of highlights, or low points, from the document (take your pick):

When a prospective registrant submits a registration request, the Registry will send a unique HTML link to the registrant’s email of record or to the email of record of the beneficial registrant

A couple of issues with this. First off, the “registry” doesn’t have the registrant data, or access to it, if the domain in question is a .com. And asking registrars to send emails to thousands of people who’ve never had any direct dealings with them is going to cause more issues than it solves.

Registrar will call or SMS the phone number provided during the registration form.

So you can only register a domain name if you have a mobile phone number? And who is going to pay for all these phone calls and texts? Validating registrants for .xxx costs in the region of $7 per domain, so you’d easily see the price of a .com rise to €30 or €40, which doesn’t benefit us, ICANN or anyone else. (And did I mention it won’t actually stop online crime?)

But the real kicker is this bit:

No domain name will be placed into the zone file and will not resolve until the account e-mail and telephone number have been verified

Translation – unless you jump through hoops you don’t get your domain name and it won’t actually work until you do backflips for it.

Remember how we got over 10 thousand businesses to go online over the last year (for free)? You might also have noticed that they went with the quickest and easiest route: a .com, .eu or .biz domain name.

Putting extra barriers in the way of ordinary individuals and businesses when they want to take their business online is a bad idea.

Are The Criminals Winning?

Why vilify the majority for fear of a minority?

The Internet is one of the few areas where business is still thriving. For a lot of people and businesses taking themselves online offers them a chance of survival.

Or if you want to get into other areas of this I can sum it up with two words: digital divide.

When you get into an arena where you’re demanding that people hand over loads of data AND that they already have working email AND working phones AND verifiable physical addresses etc., you’re immediately narrowing the field. You’re stopping some people from getting online. And these are innocent bystanders. They haven’t committed any crimes, but they’re being treated like criminals. In fact we all are, and we’re being forced to play “piggy in the middle”.

This is not a good move, and if we’re forced to sign a new agreement with ICANN which includes these kinds of terms I can only see negative outcomes.

Comments, questions and general feedback welcome!


67 Responses to Don’t Make Us Treat Our Customers Like Criminals!

  1. John UK May 29, 2012 at 17:36 #

    Very good article. It would be tragic if these measures are brought into force as it will kill domainers to a large degree. The fact is this. The Governments, primarily the USA and UK, bring in a lot of measures for an ulterior motive and not the one that people might see upfront. These two Governments want to keep track of all its citizens and I can see soon that they will also insist that Facebook and Twitter et al also take such information and check it. You see they need to control the uncontrollable because they are scared of “revolutions” being planned using such domains, facebook and twitter. In the UK after decades of not bothering, the Govt now wants to make it a Criminal Offence NOT to vote in elections. The reason is not because they want you to vote BUT because they want to have the home addresses and other details of EVERYONE. At the moment if you don’t want to be seen you can hide from the State but in doing so you have to forgo your voting rights. They want to take that hiding place away. I see this ICANN thing as the same, they don’t want anyone to have a hiding place. You can be certain it will all be agreed behind the closed doors and handshake between Govt and ICANN.

  2. George Kirikos May 29, 2012 at 19:43 #

    For a long time, I have been in favour of registrant validation as a proactive means to reduce abuse. Look up Twilio.com, if you think it would be expensive to automate phone/SMS verification — it wouldn’t. Also, the cost is spread per REGISTRANT at a given registrar, not per domain — the average registrant owns more than a single domain name (I think GoDaddy has 52 million domains, and 10 million customers, so 5.2 domains/customer would be their average; the industry-wide average might be even higher).

    I’m in favour of verification of the physical postal address, via emailing a unique PIN code, as it’s easy to get a throwaway phone number or email address, and they are in huge supply. Physical postal addresses are harder to abuse, and it’s easier to spot abusive ones. If you have 100 domains and it costs $2 to validate by postal letter, that’s a trivial amount per domain.

    I’m glad you oppose higher costs on registrants. Where were all the comments from registrars opposing the dot-com monopoly contract renewal from VeriSign?? That’s more than $5/yr per domain due to their monopoly, relative to what the costs would be under a competitive tender. $500 million/yr in extra costs to registrants due to that monopoly, and all but a few registrars are silent.

    • George Kirikos May 29, 2012 at 19:47 #

      First comment is stuck in moderation, but I made a typo, it should have been “via MAILING a unique PIN code”.

    • Michele Neylon May 29, 2012 at 19:55 #

      George
      Thanks for taking the time to post a thoughtful comment.
      As often happens we may have to agree to disagree 🙂

      If I want to implement extra levels of validation / verification of my customer base then you, as a registrant, have the choice to use our services or not. For you the higher level of validation etc., might be an advantage, but it’s a very different matter when it’s an obligation.

      If we had had to do extensive per registrant verification with the Getting Business Online program, for example, it would never have worked. And that’s just one example. I’m sure there are plenty of others.

      Regards

      Michele

  3. Irene May 29, 2012 at 21:13 #

    Michele I can see both sides to the ‘rant/argument’ and well it’s a thought out rant if you want to call it that. From my perspective in finance we are having major issues with ‘fraud’ copying our code and sites and using similar URLs so I would not mind having to jump through a few more hoops and if that meant paying an extra few dollars or even $50 to validate I would prefer it. Consumers do not understand SSL certificates and rarely go to check so they are giving their details to sites that are capturing their data fraudulently and are either selling it on or grabbing account information because the URL looks similar and the graphics look similar to a site they have used and seen before.

    On the other hand I can see your issue with ‘data storage’ and processing etc. This came up regularly when I was CEO of the IIA; it also brings up security issues and it could be a barrier to entry for growth or for hosting companies to ‘service’ the requirements again unless the prices went up, however this is where most compete so again it becomes an issue.

    I can understand your rant and I don’t think there are any quick solutions to it and I would not be in favor of major validations but would be happy to pay more for customers to be aware that we are who we say we are……

    My 2 cents – Irene

    • Michele Neylon May 29, 2012 at 21:23 #

      Irene

      The key thing here is one of “choice”.

      If you are selling online then you need to get a digital certificate (secure cert / SSL) and would have to go through a validation process of some kind to get it.

      However nobody is forcing you to sell online or go through any extra process.

      No matter what kind of validation comes into play anywhere it won’t kill off online fraud. From our experience, for example, we see the vast majority of phishing attacks coming from compromised CMS installs etc.

      But really it comes down to a much more fundamental issue.

      Shouldn’t people be treated as innocent until proven guilty? And not the other way round?

      If we, in industry, want business to embrace digital we shouldn’t be putting more obstacles in their way – see my link to our experiences with Getting Business Online

      Thanks for your comment

      Michele

  4. George Kirikos May 29, 2012 at 21:36 #

    “Shouldn’t people be treated as innocent until proven guilty?” DEFINITELY. That’s why I was so opposed to the ETRP proposal, and other proposals that deny basic due process to registrants.

    However, all verification/validation is doing is making sure that you have “People” to begin with, i.e. that registrants are who they say they are! Without verification, you’re giving the right to due process to throwaway identities. With verification, the registrar can step aside, and let folks resolve dispute amongst themselves. Verification would actually end up reducing overall abuse, and reducing costs of managing abuse for registrars.

    How many times have you seen the DMV (Department of Motor Vehicles), or the equivalent in other countries that issues license plates, dragged before a court for “car abuse”? The DMV is comparable to a registrar, in some ways.

    • Michele Neylon May 29, 2012 at 21:42 #

      George

      The DMV (and their equivalents) are usually state / government agencies.
      And they’re usually only dealing with users with residency in a limited geographical territory.

      Registrars are (for the most part) dealing with customers from the four corners of the globe.

      While the idea might seem “simple” it’s incredibly complicated when you start dealing with the operational realities.

      At present, for example, we conduct a certain degree of anti-fraud checks. But this is a business choice, both ours for choosing to do it and our customers when they choose to do business with us.

      Thanks, as always, for your comments

      Michele

  5. Bob Mtn May 29, 2012 at 22:29 #

    Great post Michele, lots of conflicting perspectives on this one for sure and glad you and others are working on behalf of Registrars.

  6. kristina Macaulay May 30, 2012 at 00:49 #

    Individual and organisational authentication is going to have to be addressed somehow…if it’s not via ICANN, ITU…then can I kindly suggest that you contribute a solution at WCIT2012.

    Warmly,
    Kristina

  7. Andy Steingruebl May 30, 2012 at 03:45 #

    Michael,

    I’m going to indulge you and assume this isn’t just shameless trolling.

    How exactly is verifying email address and other contact information going to cost a ridiculous amount of money, and be a giant hoop to jump through?

    Have you ever registered for an account with pretty much any mailing list, e-commerce site, etc? Many of them want to verify your email address, or other contact information. Heck, Facebook verifies your email address, so do lots of other sites.

    Care to elaborate on where the problem really exists here as compared to the extremely inaccurate data in WHOIS today?

  8. WebWiseForum May 30, 2012 at 09:21 #

    Very interesting blog post Michele!

    It will definitely make things more difficult for businesses.

    I think, however, that this sort of move is inevitable. As crime moves online the Internet has to adapt. Surely if registrars are qualified to register domain names they should also be qualified to monitor them!

    However I do agree that this could be done in a more efficient manner!

    Thanks!

    • Michele Neylon May 30, 2012 at 11:21 #

      Do you honestly think that criminals use their own details to register domain names?

  9. John McCormac May 30, 2012 at 15:22 #

    So the Law Enforcement group wants ICANN to become some kind of data gathering operation that can enforce these conditions on registrars because the Law Enforcement community does not have the budget or expertise to gather this data?

    Traditionally, managed registry TLDs where some form of entitlement has to be proven before a domain is allowed have lower registration figures than open TLDs. What may well happen is that it could kill the ICANN gTLDs as a viable market and force people and businesses into registering more domains in their local ccTLDs.

    While I can understand some of the arguments on the pro side, the reality is that there are over 100 million .com domains and turning all those into compliant registrations will severely impact some registrars.

    • Michele Neylon May 30, 2012 at 15:42 #

      John

      I’ve seen various versions of proposed texts for the new contract. Most of what I’ve seen has led me to believe that they’re trying to take on roles for which the organization was never setup.

      The entire concept of a “managed” registry seems to be an IEDRism. And as you pointed out, leads to lower registration numbers.
      Of course the elephant in the room is New TLDs.

      If registering domain names is made too complicated then how are any new TLD operators going to achieve any level of success?

      Thanks for your comments

      Michele

      • John McCormac May 30, 2012 at 16:25 #

        The odds are stacked against the new gTLDs as it is, Michele.
        This will absolutely kill some of them – especially the ones that are hoping for domain name speculation (as opposed to brand protection registrations) to drive sales in their first year. Many of the recently launched TLDs had massive growth in the first six months of open operation and this is also when a lot of domains are traded. The initial registration data on these domains would then have to be updated and verified as they are traded. This would kill any chance of a Landrush effect because it would, in some respects, be replicating the Sunrise phases and introducing a delay into the system.

        Perhaps what the Law Enforcement really wants is a complete archive of all domain registration history tied in with internet and financial activity of every registrant in a single database but this is not the purpose for which ICANN was created.

        • Michele Neylon May 30, 2012 at 19:43 #

          John
          There’s some interesting discussions going on in other areas about a replacement to whois and one of the possible additions could be a “who was” for domains, though that opens up a different can of worms entirely

          Michele

  10. anon_proxy May 31, 2012 at 11:26 #

    For many a year I have had argument after argument with any company or organisation – which means all – that have demanded I validate by asking a series of stupid questions. It does not prove anything, it only satisfies the organisation that they have done their job. They still don’t know who I am as I could have been bin diving and data mining to get the info – so what’s the point. The questions instantly label everyone as a criminal. They always come out with “it’s the data protection act, that’s why we do it”. But the DPA does not specify what questions should be asked or how many. These issues are entirely down to the company. It does not stop fraud and in all walks of life there is someone on the fiddle – look at the MPs’ expense claims. But we are all labeled as criminals.

    Wasn’t there a leaked memo by the UK government that stated all but the ministers are dishonest? This was before the expense claims came to light but shows how the political class views the population.

  11. Curtis Brown June 7, 2012 at 17:29 #

    A lot of people are not happy about the new regulations, and I get that. But I think it is good. Why? Well, I am on both sides of the coin. I personally will have to make the changes, which will cost me, but at the same time I have had to pay because of fraudulent behavior of others.
    You say don’t punish the majority because of the minority. But the reality is the minority are the ones punishing the majority. These rules are trying to protect the majority.

    • Michele Neylon June 12, 2012 at 13:36 #

      Curtis

      I’ve read your comment several times and no matter how often I read it I still don’t understand your logic at all.

      Regards

      Michele

  12. GrangeWeb June 11, 2012 at 10:11 #

    I hope this is not implemented. I ‘avoid’ .ie domains for the same reasons as you have stated above. People want a simple process and when you start asking for (in the case of .ies) driving licences and faxes or scans (who has either these days) of bank statements it makes the whole process so much harder.

    I bet a large majority of the 10K who went the GIBO route probably didn’t even have a very active email account so this is / was a great success.

    • Michele Neylon June 12, 2012 at 13:37 #

      @Grangeweb – a lot of people who signup for a domain name and hosting do so because they’re starting out online and don’t have a proper email address. Restricting domains to people who have email is a bit mad tbh 🙂

  13. Patrick Stack June 12, 2012 at 11:53 #

    The paranoia of the people behind the so-called “war on terror” knows no bounds. They want to turn the entire planet into a police state. You are right to be losing sleep over this. Let’s hope they will not get what they want.

    • Michele Neylon June 12, 2012 at 13:37 #

      @Patrick

      I’m not sure if “war on terror” is the main driver, but I think that they’re asking for more than they need

      • Patrick Stack June 12, 2012 at 13:48 #

        I see this as a small part of the bigger picture where the authorities (Governments) are demanding ever more information on citizens and putting in place ever more stringent controls (they call them “safeguards”) in all aspects of life. This is IMO a symptom of a dangerous slide toward authoritarianism which is a direct result of the “War on terror”.

  14. A June 21, 2012 at 03:04 #

    ICANN seems to be a joke. My identity has been stolen by BIZCN domain registrar (or their customer(s)), who is accredited by ICANN. Someone at BIZCN has registered over 50 to 70 domain names (or more) using my name and my address, but they used their own email address and my old (not working) phone/fax number and everyone knows why they do it (so I don’t get contacted too soon). If you take a look for instance at the following domain and website: http://www.swissandluxury.com, it’s not only registered in my name, but it is a live website selling watches and I am sure it is as fraudulent as hell. My numerous attempts to call, email and fax ICANN ended up in a wall of silence and complete ignorance by ICANN. More, ICANN’s online forms to report bad registrars and fraudulent domain registrations do not work and send me annoying and unbelievable form refusals for all domains I tried to report repeatedly many times, wasting days and weeks of my time. My numerous attempts to reach BIZCN ended up in “Jimmy” from BIZCN responding (after numerous no-responses) and promising changes, yet he did very little and I noticed only a handful of domains at the Whois replaced my address with (I am sure) another stolen address/identity. BIZCN is a criminal fraud accredited by ICANN! Then who are ICANN if they accredit criminal domain registrars?

    Here’s a by far incomplete list of domain names that bear or used to bear my name and my mailing address and my old outdated fax number that was sent to “Jimmy” at BIZCN as a request to remove my name, address and telephone from those domain records many months ago:


    I just tried to submit this post to Facebook and here’s what it said:

    Sorry, this post contains a blocked URL
    The content you’re trying to share includes a link that’s been blocked for being spammy or unsafe:

    F e a c a e b o o k . com

    Now wait! That’s one of the domain names whose true owner (hidden behind my stolen identity) is a criminal at BIZCN or is a customer of the BIZCN registrar (accredited by ICANN).

    So, I CANN or I CANN’T?

  15. Michele Neylon June 14, 2012 at 02:31 #

    Making domain registration too complicated would have a negative impact on legitimate registrants, which is one of the reasons why we oppose some of the measures being suggested.