“uuuuuuuuuuuuuuuuuuu”
Recently I saw a post from John Levine on LinkedIn on a flagrantly erroneous registration for a .com address. He had alerted ICANN, the responsible IP resource organisation to this registration. A month later John received a reply from ICANN that the registration had been amended by the sponsoring registrar. If you visit John’s weblog (http://weblog.johnlevine.com/2010/10/20#notcompliant) you can take a look for yourself.
What you will see is a trainload of “uuuuuuuuuuuu”s where the registration information on the company behind the .com website should be. In other words, the organisation behind all these u’s cannot be traced by anybody by account of the Whoisdata. Maybe this is not a problem at all, maybe there is a criminal organisation acting though the .com website. Who can tell?
All this shows what amendments seem to mean to the sponsoring registrar and thus to ICANN as she accepted the “amendments”. Unfortunately for us all it also says something about how seriously ICANN takes her public task. And this is what triggered me. Let’s go into that.
Law enforcement due diligence recommendations
Since the ICANN meeting in Seoul, Korea, law enforcement agencies are discussing due diligence for the registration of top level domain names, like .com., .org, .biz, etc. with ICANN. In short they request her and her affiliated registrars to check registrations. (For more in-depth information, type in “LE due diligence recommendations” into your search engine.)
Why is an accurate registration important?
I would like to focus on two other aspects, but first law enforcement. She, of course, focusses on the enforcement side of the accuracy of Whoisdata. The more accurate the data, the less chance of abuse and the easier the enforcement of perpetrations is. Whoisdata is the starting point of most cyber crime, spam and malware investigations as the data tells the enforcer about the owner of a domain name or IP address or where to find more information. A check on registration means there is no longer an easy way in for cyber criminals.
A public task by private entities
As I wrote I would like to focus on other two aspects. First. In my opinion distributing IP resources is a public task, a service to society, to public and private entities and persons alike. A good analogy is that telephone numbers are distributed in most countries by the government (or a government agency), according to a policy which is set and upheld by the government. E.g., misuse of a Dutch premium rate service number may lead to the revocation of this number.
Through the way the Internet has developed, IP resources are distributed by private entities. This does not diminish from the fact that it is a public service they render and a public service comes with responsibilities. In my opinion it is these responsibilities that may not always be recognized or lived up to.
Misuse of IP resources is commonplace nowadays. Most cyber criminals need IP resources to go about their business. IP resources are at the fore of internet access. Without them cyber criminals would have a much harder time to mislead the audience, sell spammed (illegal) products or lure bank costumers to fake but very similar looking phishing sites.
If IP resource organisations, all within reasonable boundaries, were to check registrations before effecting a registration or wait till a first payment is made before activating the resource, life of a criminal would already be made less easy and help protect the public and society. If IP resource organisations set up a policy and rules concerning registration and couple that to a policy on the abuse of IP resources and commit themselves to upholding these policies, they would show the world that they take their public role as distributer of public resources seriously and take the responsibility which comes with a public service. I am sure that this proof of mature policy making would quell discussions on regulation and a government role as discussed in the ITU in Mexico this month. This may cost money, but isn’t that simply a cost that comes with the product?
Good housekeeping
Yes, I agree with the resource organisations that they are not enforcement agencies -and neither should they be- but this is beside the point. Her I come to the second aspect. Having an accurate database is not only good policy but also a prerequisite in good housekeeping for the organisations concerned. What is the point in having non-existing costumers that do not pay for rendered services? Where is the benefit in being dragged into ongoing and more serious discussions on abuse? What is the benefit of costly procedures because of unnecessary and avoidable law enforcement inquiries? What is the value of having a less good reputation with governments and law enforcers? What is the value of having your resources misused to the max? I just don’t get this part.
Opportunities
The public is in danger of distrusting the Internet with all the consequences to our already faltering economy to pay, while governments are contemplating how to protect their (nation’s) interests. IP resource organisations are in a position to take a part of these concerns away and actively contribute to make the Internet a safer place, without being turned into an enforcement agency.
Accurate databases is good business in more than one way and, yes, law enforcement agencies and thus society will profit from this good business. The ensuing discussions on policy offer many opportunities for IP resource organisations to set the agenda and be pro-active. We may just all win, except for the bad guys of course.
Wout de Natris
Leiderdorp, 28 October 2010
International cooperation on cyber crime. The bridgebuilder's blog 