CIRA Domain Registration


rooster

I would appreciate hearing some informed opinions from some of the ‘longheads’ on the SC Forum about the proposed changes to CIRA practices and policies excerpted below.

As a CIRA member, I was taken a bit by surprise when I learned of this. I assume it is my naiveté that makes me think this policy would benefit spammers, scammers and fraudsters with no commensurate benefit that I can see to legitimate domain holders and site administrators; outright criminal activity notwithstanding.

Quite possibly, I unwittingly developed an unfair bias on the privacy issue in my pursuit of cretins spamvertizing porn sites. At one point or another, information in this wise has often proved useful to me in ways I’m certain everyone here understands and quite probably appreciates.

I realize in practice, with the ‘half-life’ of most spamvertised sites now being about 5 calendar days, what can be accomplished against (forged) registration information is much more limited than it was even 6 months ago. But if excluding this info by default becomes the common practice, I can’t help but feel spammers will take full advantage and make a bad situation even worse.

Right now, I’m entertaining rather strong feelings of objection to this proposed change. Experience has taught me that, as often as not, such sentiments arise because I haven’t fully come to understand the issue.

What am I missing here?

rooster

boundary bay, bc

http://www.cira.ca/en/Whois/whois-backgrounder.html

<snip>

Currently, when a domain name is entered into the CIRA WHOIS look-up service, personal information about the Administrative Contact for that domain name, such as their address and telephone number, is made available to the public. In April 2005 CIRA adopted a new WHOIS policy which will impose new limits on public availability of personal information. This is to ensure that CIRA’s policies and procedures comply with Canadian privacy laws and because CIRA understands the importance of individual privacy rights.

Under the new approved WHOIS policy, CIRA will continue to collect the same information from Registrants as it did under its former policy. However, under the new policy, it will no longer make publicly available, through its WHOIS look-up directory, the name, address, administrative and technical contact information for individual Registrants without their consent.

CIRA’s new approved WHOIS policy was developed following extensive and far-reaching public consultations with numerous CIRA and WHOIS stakeholders such as:

• Registrants;

• Certified Registrars;

• A random sample of 1000 Canadians;

• Leading organizations and experts in the areas of:

o Law enforcement

o Internet use

o Intellectual property

o Privacy, and;

• Members of the CIRA Board of Directors.

<snip>

I would appreciate hearing some informed opinions from some of the ‘longheads’ on the SC Forum about the proposed changes to CIRA practices and policies excerpted below.
Evidently no being meeting the criterion has yet passed by so, instead, I will essay an initial response.

While the Greeks of old would allegedly ponder all the aspects of the gift horse from an exalted plane, the more practical peoples would count teeth. I think the unthroughfaresomeness that is Canadian bureaucracy needs to have its impact viewed in terms of its effect on the tools available (not to mention on ARIN) and that appears not yet to be possible. (For instance <www.someone.ca>).

Even given the new policy it will take some time to work through the existing records (though you say the spammy ones don't hang around anyway), then there's the "voluntary disclosure" provision (ok, I imagine spammers would only enter optional data in fun). Perhaps someone has some spammy.ca links in recent spam?

This is discounting whatever this means "The new WHOIS Policy may make it more difficult for an individual or organization to prove that a domain was registered by another party in bad faith. CIRA proposes amending the CDRP Rules, making it easier for the complainant to provide proper evidence in order to prove their case. This solution maintains maximum privacy protection while ensuring the effectiveness of the CDRP. " (in reference to Dispute Resolution). This seems to be mainly aimed at conflict over domain names, not at stomping out the ungodly.

IIUC the .uk has already gone down the same road - haven't specifically noticed. In the taxonomy of "nanny state-edness" I can only suppose .au will follow. Anyway, there has to be some reason rfc-ignorant holds that "individual domains with incomplete contact information will no longer be listable." Okay, the possibility is that I am hopelessly confused.

So, really, I agree with you. The cac-hand of officialdom seems once more to solve problems that never were, all in the name of the dogma of the day, exacerbating the real and urgent needs in so doing. I'm not sure if this will cause a shift-load [sp] of spam-hosting to the provinces and territories of the dominion but others have (I think) preceded Canada and in which case there is no overwhelming evidence to say it might happen.

Steve


There is certain information about entities that ought to be publicly verifiable. I see no reason why any WHOIS information should not be publicly available. If anyone wants to be 'anonymous' then they can hire an agent who has valid contact information.

Corporations have to have publicly available information, I believe. I don't see why domains should not.

Miss Betsy


I guess the CIRA proposal doesn’t bother other ‘spamjammers’ as much as it does me.

In my attempts to inconvenience those purportedly responsible for spamvertised sites, I’ve resorted to using site registration contact info on a fair number of occasions, in addition to keeping a db to help correlate spam from apparently different sources, (including Open Relays/Proxies)…. eventually linking them by virtue of having the same dudes/contact info show up at the spamvertised domains and/or running the servers. It's hardly probative I know; but even a crude compass is better than telepathy.

I realize the landscape is changing almost every couple of months and this approach isn’t as effective as it was even a year ago. Still, even with my limited savvy of the overall situation with spam, it seems the task of identifying, harassing, and hopefully prosecuting spammers will be made more difficult if this info cannot be gathered conveniently; i.e. from public records.

I was hoping to elicit some concrete, specific reasons why it is a bad idea to allow domains to be registered, for all practical purposes, anonymously.

In the abstract, since domains are ostensibly public, I don’t see why “right to privacy” should be any more of an issue than it is for a driver’s license, property ownership, or as Miss Betsy suggests, registering a company; public or not. Heck; you can't even get a dog license without providing its/your address! Can you imagine the look on the cop’s face when he/she asks you why your address is missing from your D/L and you try to tell them that it’s considered private information 'where you come from'. They would probably tell you PDQ that it surely isn’t 'where you’re going'.

According to one source I came across recently, 32 out of every 35 domains registered in the last couple of months was a bogie. The registrars never saw a nickel. It seems painfully clear to me, there is a huge problem with accountability in the DNS and registries and this proposed move by CIRA is calculated to make it even worse. It seems so absurd to me that I doubt my own senses.

Tweaking the process involved in resolving a handful of legitimate disputes a year over who has title to ".ca" domain names seems insignificant compared to the overwhelming need to discourage fraud, larceny, theft of services etc., etc., associated with the same basic administrative function. When 32 million out of 38 million domain registrations prove to be fraudulent within 5 days, doesn't someone need to give their head a shake and ask just who the dickens is setting priorities? And on what basis?

C’mon guys; if I'm going to protest this nonsense, I’m going to need some ammunition from the pros. My country needs you.


... C’mon guys; if I'm going to protest this nonsense, I’m going to need some ammunition from the pros. My country needs you.
Gee Rod, maybe it wasn't such a good idea to burn Washington back in the war of 1812 - these guys must have awful long memories. Can you do newsgroups? Maybe take it over "there".

IMHO, the very fact that so many registrations are bogus is pretty powerful together with the expansion of my first contribution.

I suppose one of the arguments against making information public is that it makes it easier for censorship or physical attacks by the other extreme in the case of non-businesses. In that case, there is no reason why a registered agent can't be used. Lots of states require corporations from other states who want to do business in that state to have an address in that state. If the corporation doesn't want to have an office in that state, they can hire an agent with a verifiable address. That person has to be able to be reached. To hire a registered agent is not very expensive and pretty routine. However, IIRC, they charge by what they do for you so if they are answering lots of inquiries for a spamvertized site, then they will up the cost of spam. Or if the spammers don't pay, they will make it difficult to be hired by a spammer.

In fact, now that I think of it, I am surprised that governments have not gotten in the act by requiring that doing business online requires all the fees and taxes that corporations now have to pay offline. It would be easy to collect those taxes if businesses or individuals doing business on the internet had to reveal their true location when registering a domain. That might be an argument. No matter where you register your domain, the government of where you are physically located can assess a 'doing business' registration fee. And there could be great big fines for registering false information (or not checking registrations for businesses) or for doing business without registering as a business. IOW, people who hide business registration information are evading taxes.

That would eliminate the other domains from having to register all their information publicly if registration details were just for business.

Miss Betsy


IMHO, the very fact that so many registrations are bogus is pretty powerful together with the expansion of my first contribution.

I agree. Registrars don't care less about who registers a domain. They allow people to give any name/address/phone number on the account and whois information. This needs to be FIXED by the whole internet community! Make people pay by using a valid credit card and link a Social Security number or driver's license number to the domain account. Use that credit card name/address and billing information for the WHOIS lookup. And don't allow the people to change that information. That way, when you do a WHOIS lookup, there is VALID information. This would stop a lot of spammers in their tracks, unless they get ahold of someone's credit card number and driver's license information.

It is common sense, yet no one wants to take this kind of action. All I've been hearing over the past few years is EXCUSES by the whole internet community! They don't want to fix SMTP protocol either! It is also a problem, since spammers easily can alter headers. They need to go to an encrypted SMTP protocol that doesn't allow header manipulation!

Sorry for the rant, but nothing is going to happen unless the whole community gets their act together.


...Sorry for the rant, but nothing is going to happen unless the whole community gets their act together.
Nothing to be sorry about there. Real concerns, no evidence of the "political" will to do anything about it, contrary evidence (of it going the other way) from Rooster is at the heart of the whole topic - FWIW I think yours and Miss Betsy's comments are right to the point and properly concerned.

"We" see the question from one side - a variety of views expressed at http://mattcutts.com/blog/false-whois-data/

Then there's a dandy middleman "privacy service" available from http://www.lanechange.net/html/whois_privacy_service.shtml (wherever there's a niche ... the private enterprise version of the taxpayer-funded .gov.ca "initiative".) And the Invalid Whois Data project (guess .ca will give that a real workout!) Not sure where they're going with that one but, like the rest, all part of developing the picture. Loads more viewpoints and data out there in general (just from Googling "whois information valid").

What else would be worth a chuckle would be the format of "CIRA’s ... extensive and far-reaching public consultations with numerous CIRA and WHOIS stakeholders," specifically the "random sample of 1000 Canadians." Why 1,000 ? How many responded/were asked? What were they asked? If this is a valid representation of the Canadian will then perhaps it points to a great way to save heaps of time and money presently wasted on things like democratic elections (wonder what the technical term for "rule by random sample" would be?) D'accord, no fair, but nor is high-handed bureaucracy a satisfactory substitute for effective public policy-making. IMO

[sp][added clarification etc.]


Wednesday, August 09, 2006

Farelf;

Can you do newsgroups? Maybe take it over "there".

NG’s a next step. I don’t want to over-generalize, but I’ve been a bit off-put in the past by the Trollers over yonder. At my skill level, I can’t/couldn’t always tell the angels with wings, from the nuts with wings.

worth a chuckle would be the format of "CIRA’s ... extensive and far-reaching public consultations with numerous CIRA and WHOIS stakeholders,"

Indeed. That announcement in their newsletter was the first I had heard of a proposed relaxation of Registration Documentation requirements and it was news to my ISP as well. Coincidentally; item 5 on the AGM agenda (August 17) is:

“5. Report on Excess Funds Public Consultation”

http://www.cira.ca/en/board-minutes/board-...2006_08_17.html

To the skeptic, this might suggest there was an exceptional degree of economizing (under utilization of allocated funds) in this, “far-reaching public consultations” process; else, why would it even make the agenda at the AGM? In my experience, when a department or committee significantly under spent an appropriation, it was a ‘lead-pipe cinch’ somebody hadn’t done their job.

I’ve waited patiently for 12 days now; expecting a response here from a CIRA rep. One might think the “extensive and far-reaching public consultations” they contend were/are under way would, at the barest minimum, involve a Google Alert about “CIRA + Domain Registration”. Evidently not. As Farelf alludes, this makes their contention very suspect; yeah, even dubious.

My take on the announcement doesn’t exactly conform to previous testimonials and announcements that made their way to me from CIRA. I should point out, at least on the face of it, this proposal marks a divergence in both policy and priorities from what I understood to be the case prior to the final posting of new board candidates on July 20, with elections slated:

“The election will be held from noon (12:00) EDT September 15, 2006 to 8:00 pm (20:00) EDT September 21, 2006 through CIRA’s website.”

From the CIRA ‘Mission Statement’:

CIRA’s mission / mandate

From IANA / Government of Canada Expectations:

• CIRA is a key public resource, promoting the development of e-commerce in Canada and important to Canadian future social and economic development

• Administrator of the .ca domain space

• Conduct CIRA activities in an open and transparent manner that ensures wide public access to all relevant information

• Follow fair and sound business practices

• Ensure appropriate balance of representation, accountability and diversity on the Board

• Apply for domain names as quickly and easily as applying in other top level domains, and priced competitively

• Reduce conflicts between persons granted domain names

• A system that facilitates entry for new players including registrars

http://www.cira.ca/en/documents/Summary-of...ic-planning.pdf.

For starters, from a policy standpoint, I submit it can be demonstrated that the proposal fails to conform to 2 of the 3 highlighted entries above.

http://mattcutts.com/blog/false-whois-data/

Reviewed: arguments for Private Registration; i.e. Internic’s shortcomings, domain vulnerability to ‘joe-jobbing’, and the potentials for identity theft. All can be rebutted quite easily.

Invalid Whois Data project

Reviewed: overly ambitious. Spamhaus already reports on these as does SPEWS. Re-inventing the wheel. Ineffective against "hit and run" registrations.

Googling "whois information valid"

Reviewed: I didn’t find anything especially supportive of Registration Anonymity. At least; nothing that doesn’t sound like 'topspin' from players who have questionable motives; i.e. spammers, scammers and those afraid of Revenue Canada and/or the Post Office …. and bill collectors.

Miss Betsy

Very interesting insights. The idea of introducing Registering Agents, I think, is already being done in a limited way… it’s just that, and correct me if I am missing the point, but CIRA accredited registrars are supposed to be filling that role. And they don’t need anonymity. Can you elaborate a bit on how dunning a Registering Agent with complaints about, for example, a spamvertized site, would compare with dunning a normal Registrar saddled with bogus info instead of just unpublished info? Or dunning CIRA itself? (That prospect could be a can of worms for CIRA; couldn’t it?)

However, IIRC, they charge by what they do for you so if they are answering lots of inquiries for a spamvertized site, then they will up the cost of spam. Or if the spammers don't pay, they will make it difficult to be hired by a spammer.

I’m not sure I’m smart enough to understand the connection between the current cost of spam(ming) and a Registering Agent’s retainer. (But the idea really appeals to me) I’m thinking the cost of registering and maintaining a domain is incidental to the ‘cleft-footed’ elite as it is now. How would it really affect the spammers’ margins if the RegAgent added a few bucks for his T & T? And then; this RegAgent is more or less obliged to flick the flak back up the track to the Registrar/CIRA anyway, ... introducing more time lags before there be joy to the world. Same time; there are (only) 778,000 “.ca” domains in the country. Really; how hard could it be to run a tight ship; registration-wise?

Looking at RegAgents as an element in Organizational Design, they have “off-line” accountability to Registrants, and are functionally autonomous w.r.t. CIRA or the DNS. As such, they are an added “communications node”, or “buffer”. From the POV of those wanting to complain of aBUSE, or from the POV of CIRA wanting to respond to complaints about spamvertised Sites, trying to take action through “buffers” could resemble trying to act against a numbered company with a P.O. Box in a different country. Who is to be held responsible for aBUSE; the bona fide domain holder (i.e. the party legally entitled to sell the domain name), or the RegAgent?

I am reminded here of the number of bogus domains, rfc.ignorant sites and Open Relays (hijacked PCs) that aBUSERs have spawned. If RegAgents become conventionalized, how many thousands of these, accountable only to (or contrived by) the Scammer, Hijacker, and Identity Thief Brigade are likely to emerge?

Which brings us to:

requiring that doing business online requires all the fees and taxes that corporations now have to pay offline.

IOW; people who hide business registration information are evading taxes.

Betsy; I think I like you. I really do. You’ve given me some good ideas.

The accountability issue has nagged me since I first began looking into the whole SMTP/ Domain Registration/IP address stuff last year. There is no such thing as unlimited freedom.

There (should) be freedom for anyone to access the internet. But spamvertizing is NOT free. It is exceedingly costly and it is business. Freedom of access to communal internet services is not innately flawed as an ideal, or censurable as a practice; but it has become so in consequence of the prevalence of parasitic exploitation.

It would be interesting to see what Revenue Canada would have to say if spamvertised “.ca” sites were routinely reported to them as, “Going Concerns”. They might well take a view of anonymity quite different from that proposed by CIRA. This insight of yours could be “… the Start of Something Big”.

On a parallel track; if I have a company car, club memberships, free parking, and miscellaneous allowances, I have to give an accounting of the $ value of these perks to Revenue Canada and I have to put my name and address on the return. The “Firm", the "Company" or the "Mob” keeps records and gets to “expense” it; I don’t. I am also expected to tremble when I try to claim all or part as “non-taxable exemptions”. If I appropriate (hijack) the company vehicle to run a delivery service in the evenings and w/ends; that’s a foul, and accountability trumps my freedom to use the thing. It’s called “Misappropriation”. And I still am going to have to pay taxes on the ill-gotten gains!

If I buy a bus pass for a day, I can go anywhere public transit goes all day long; even if I only take in the scenery or glee at the air conditioning. But, if I indiscriminately buttonhole every rider that gets on to ‘hawk’ erectile dysfunction noceboes, (including grandmothers and little book-bag bandits), I would get booted off by the driver PDQ. And he would demand to see some (valid) ID into the bargain, not to mention punch in my pass’s number and have it instantly voided before my Reebok knock-offs hit the bricks. Yes; they can do that now.

General Arguments for Anonymity seem to involve the following propositions:

“Legitimate holders of email accounts need anonymity* to protect themselves [mitigate] against Scammers, Hijackers** and Identity Thieves.”

“Legitimate holders of Web Sites and Domain Accounts need anonymity to protect themselves against Scammers, Hijackers, Identity Thieves and Malicious Attackers.”

“Scammers, Hijackers, Identity Thieves and Malicious Attackers need anonymity in order to prevail against those who would call them to account.”

“There would be an overall (net?) benefit if increased anonymity/protection was available to All Domain Registrants.”

*(“Right to Privacy” can be substituted for, “need for anonymity”)

**( “Hijackers”: I’m Including aBUSE Spammers, Open Relay ‘botmeisters’, DDoS/Vampires, Mail Bombers…)

Based on my experience over just 24 months, when I look at the 4 propositions above I am strongly persuaded that Anonymity disproportionately facilitates the activities of one segment of the Internet Community; the one to which the term “legitimate” least applies.

Even without getting into the numbers, I think we’ve all seen enough by now to understand that the commercial benefits (inducements) to expand ecommerce Internet Traffic that would result from the full implementation of the CIRA Proposal are going to accrue primarily to those least prepared to use internet resources responsibly or be accountable. The CIRA Proposal would make illicit internet use even more commercially attractive by minimizing a critical impediment faced by the very ones against whom the internet community is struggling to protect itself; the ‘bad actors’ already costing the internet community billions in terms of capital, non-capital and human resources. The incremental net costs that would derive from the Policy are (vastly?) disproportionate to the purported benefits. You wouldn’t need differential calculus to figure out how the look of the utilization curve would be changed; but then, perhaps “getting into the numbers” is going to be what it takes.

This “Right to Privacy” issue as pertains the CIRA proposal seems to me to resonate with a similar argument that is bruited by a certain ‘delusionary’, (i.e. “The Man Who Still thinks he’s Moses”), to declaim the need for gun control in the US. Yes, that’s the same testostero-titan who maintains that the US has every right, it’s their bounden duty in fact, to take any steps necessary to prevent other countries from getting the bomb.

I think CIRA's strategy for handling the "Right to Privacy" Issue by granting 'carte blanche' anonymity to Domain Registrants can be expected to promote domestic security, peace of mind and commercial growth with the same outcome we see from the US’ strategy for handling the “Right to Bear Arms” Issue by granting virtually everyone free access to firearms. This policy makes sense only to those with a vested, commercial interest in the ordnance trade, and those who need guns to conduct their business; i.e. cops & criminals.

The question is, which of those job descriptions applies to the committee nobs at CIRA who imagine benefit from this idiotic, self-destructive policy? The legitimate, independent "disinterested" end-user is certainly not going to benefit; rather, they (we) will become in need of purchasing/leasing more and more rapidly-depreciating assets for our “personal protection”.

Some optical incongruities in the above-mentioned CIRA Mission Statement vis à vis their Right To Privacy proposal deserve a note:

The CIRA MS suggests, “the internet should be open to everyone”.

The CIRA RTP Proposal suggests, “the internet should be a good place to hide”

The CIRA MS advocates the promotion of ecommerce

The CIRA RTP Proposal advocates a policy that is tailor-made for misrepresentation and fraud, that would further obstruct accountability, and is inherently exploitable and untrustworthy. In effect, the policy could be interpreted to say: “avoiding being associated with/to your business (i.e. domain) is good business”.

I don’t understand how CIRA can sustain the paradoxical assertions that the deceptive practices used by hijackers and scammers to hide their identities are reprehensible, while also advocating that their ‘clients’ may take advantage of the same practice without prejudice.

If rabbits are overrunning the lettuce patch, you aren’t likely to increase production by providing comfy hidey-holes for the bounders. Likewise; adding fertilizer (trying to grow “ecommerce” by making registration easier) doesn’t increase the yield, just the number of pudgy bunnies at harvest time. Ask an Aussie…

Which poses the greater risk to our privacy, our security, and our personal rights?

(A) Having ourselves (or an agent - thank you Betsy) publicly nominated as the (legally?) responsible party for our domain/web site; or,

(B) Further abetting “the slithy toaths” who doth, “gyer and gimble in the wabe”, those with proven records of violating every law, personal right, acceptable business practice and code of decency they can imagine. Such practices as: promoting ersatz medicines that could, and do, end up harming the naïve and the desperate, promoting porn/prostitution by proxy, selling pirated software, running credit and financial scams etc., etc., etc., anonymously overburdening the internet’s resources, not to mention our inboxes, in the process?

Instead of locking the gates and bidding them go find legitimate jobs, instead of treating them like “dangerous offenders”, CIRA appears to be sanctioning ‘aBUSEers’ by offering public housing next to schools, libraries, playgrounds, next door and virtually billeting them right in your own home. And CIRA doesn’t acknowledge an obligation to let the public find out who they are or what mischief they’ve been at.

Instead of facilitating the practice of 'caveat emptor' , CIRA is advocating pulling down the “Watch for Falling Rocks” sign on the pretext that it’s parked on some private (albeit rented) property and the tenant complained that it obstructed his view! Sure he complained; there weren’t any falling rocks before he moved in; he just likes throwing rocks at cars. He’s got a good thing going with the local Maaco franchise.

The ability to put up a mailbox (Domain) in front of one’s house (public right-of-way), or putting a poster on a community bulletin board (Website), should not entitle anyone to rain salvos of cluster bombs filled with leaflets over the entire planet every day; … twice on Sunday if my recent spam load is any indication.

The CIRA proposal makes me feel like I'm being told that if I don’t like all the 'drive-by' shootings from 'joy-riders' piloting hijacked cars and sporting fake drivers’ licenses, then I can choose to stop living near a public street, de-list my nominative info from the phone book, and not tell anyone my real name. After all; it’s a free country. Well; ecuUuUuUuse me!

Kojote

Rant! Pshaw; now this ^ is a rant.

I am deeply grateful for your excellent insights and input. I feel encouraged to look up the CIRA exec and a few other folk now that I have some confidence that I’m not just ‘tilting’, or making a mountain out of a devnull-mole hill.

Happy trails,


... Kojote

Rant! Pshaw; now this ^ is a rant....

Indeed. Somewhere up above is a reference to "privacy" hosting, that is, good ol' private enterprise can take care of the shrinking inviolates who wanna be seen but stay forever mysterious. Another example of a (Canadian) provider is le fou en fut. Why must government be involved - have they solved all the real problems already? An intermediate position with the mandatory exposure/full disclosure model sitting out to the right there somewheres.

I mentioned AU nannydom - I am a bit behind the times, the little devils were "at" it 5 years ago, it seems - see Australian National University NG archives. Hmmm ... ANU, in this case the acronym is very close to perfection as a self-contained descriptor (but I digress). Anyway, you might like to review this one, along with the referenced link in that thread, as a precis of the privacy issues driving the push. As Sun Tzu said, "know your enemy".


Archived

This topic is now archived and is closed to further replies.
