[anti-abuse-wg] Spam under protection. Believe it or not!

In message <795BDB4E-C73E-4669-AF8E-644156449479 at virtualized.org>, 
ICANN (David Conrad <drc at virtualized.org>) wrote:

>This is not accurate. I can definitively state that ICANN is not
>"effectively run by the registrars". ICANN has many, many masters, the
>interests of quite a few of which are directly in conflict. To assert
>that one stakeholder is running ICANN means you simply don't understand
>how ICANN works.

In Garth Bruen's detailed 2012 report, he described in detail (page 4)
where the funding for ICANN's voracious money appetite actually comes
from:

    http://krebsonsecurity.com/wp-content/uploads/2012/03/rogue_registrars_2012_DRAFT.pdf

It is quite revealing!

And if Garth's mountain of exquisitely researched and exquisitely
documented research on the dysfunction that is ICANN isn't enough,
I can also refer people to Paul Vixie's 2010 comments to the effect
that "Every day lots of new names are added to the global DNS, and
most of them belong to scammers, spammers, e-criminals, and speculators":

    http://www.circleid.com/posts/20100728_taking_back_the_dns/

(I see no evidence that anything much has changed since Paul made those
comments.)

>> the Powers That Be (e.g. ICANN) have already and long ago
>> decided that they simply don't WANT the problem(s) solved.
>
>This is untrue (at least in the case of ICANN, assuming ICANN is a
>"Power That Be").

Swell.  Then may I, with all due respect, request that you folks @ ICANN
please get off your asses and get on with it?  You can start by
requiring that the names and phone numbers that appear in domain name
WHOIS records match the ones associated with the credit cards that were
used to pay for the relevant domain name registrations.

It's a simple rule, and simple to enforce.  If this were implemented,
90% of all spam and 98% of all crime on the Internet would cease,
practically overnight.

Oh!  But I almost forgot.  The people who actually pay your salary...
the registrars... wouldn't like it.  (They might have to actually
start making money the old fashioned way... by actually earning it
by providing real products and services that lost of non-criminals
actually want.)

So I guess that idea is a non-starter, even if it would quite dramatically
reduce spamming and most other forms of Internet criminality.

(Even a system where every domain WHOIS record contained an irreversable
one-way hash of the ACTUAL dmain registrant's ACTUAL name would be a vast
improvement over the current status quo... for those of us to spend
hundreds of hours each year tracking down snowshoe spammers... but once
again, the registrars are sure to block any such idea, because they don't
want any of us pesky anti-spam activists to be able to notice what they
are doing... i.e. knowingly selling domain names by the gross to crooked
snowshoe spammers.)

>> Has there ever been a single decision taken by ICANN which they felt
>> they could get away with (i.e. without being sued to hell and back) that
>> WAS NOT in the economic interests of the domain registrars?
>
>I doubt you'll find many registrars that believe the government/law
>enforcement-requested changes that went into the 2013 RAA were in their
>economic interests.

They may not say so publically, but in private I would bet that the
big ICANN "contributors" agreed that they had to swallow these kinds
of small changes around the edges in order to forestall even more
onerous legislative intrusions into their existing business models
in various jurisdictions.  (The public at large has really had it.
We are all of us fed up to the teeth with all of the crooked and
illegal hanky panky that goes on on the Internet, and that continuously
hits the headlines and the evening news almost every day now.  Citizens
are finally demanding action and thus, legislators are starting to ask
annoying questions.  The only way to make at least some of these go
away is for the industry to bite the bullet and accept some minimal
concessions to their preferred operating mode of absolute secrecy, but
_only_ to law enforcement.  This way, at least, they can still avoid
having to answer to the vast majority of the actual victims of their
greedy daily cooperation with spammers and scammers.)

>> This whole sordid scheme about anonomous donmain registrations is a
>> case in point.
>
>You may wish to argue this point with those interested in privacy (e.g.,
>EFF) and other civil society organizations who are on the "we don't need
>Whois" side of the interminable Whois wars.

On most issues, I applaud the EFF.  In this case however, they have
elected to blindly follow their own internally-generated dogma rather
than reason and common sense.

You can have all of the privacy and anonymity you want... even on the
Internet.  And you can SAY anything you want.  Just do it on somebody
else's blog, BBS, or whatever.  (Or do it on Facebook and Twitter, just
like millions of participants in the so-called "Arab Spring" have done.)

You don't NEED your own bloody personal domain name if you want to
denounce crooked politicians, or human traffickers, or abortion provders,
or abortion opponents, or Vladimir Putin or whatever.  Claiming that
the WHOIS info in a domain name registration NEEDS to be anonymous is
ludicrous on the face of it.  And behind the scenes most of the people
who push this idiotic idea are either registrars or your employer (ICANN),
or others who have been paid to express their opinions in a particular
direction on this topic.  Of course, the argument is always disingenuously
couched in ridiculous retoric which has been designed and intended to
elicit sympathy from the ignorant masses who don't have the first clue
about the real issue.  That's why the proponents and their paid spokes-
models are always droning on about "those poor unfortunate rape victims"
who are terrified, but who now... for some inexplicable reason... absolutely
cannot find any other way to get their stories out unless they have their
own private and anonymously registered domain names.  I mean, PLLLEESE!
These arguments are so pathetic, repetitive, and disingenuous that I have
trouble understanding how even the ignorant unwashed masses are taken
in by them.  (But you know what they say.  There's a sucker born every
minute.  No wonder we now have 25% of 1/2 of the country ready to vote
for a "rodeo clown" as our next President.  As Abraham Lincoln said
"You can fool all of the people some of the time, and some of the
people all of the time...")

>> But the idea sailed through the ICANN approval process.
>
>Do you know how ICANN works? I can't think of _anything_ that "sails"
>through the "ICANN approval process."

OK.  I agree.  "Sailed" was not at all accurate.  What I can say however
is that with -zero- clear evidence of any serious or legitimate need, and
with a completely predictable downside... which us billions of non-criminal
Internet users are stuck with having to live with every damn day... the
idea of "anonymous" or "anonymized" domain name WHOIS records _did_ make
it all of the way through the intestine that is the ICANN consideration
process.  And why did it?  Because it is a money-maker for the registrars,
even if it gives the big middle finger to the entire remainder of the
inhabitants of this planet.  All of this crap about how political activists
and rape victims need their own private (and anonymized) domain names
in order to get their messages out is just that... crap.  It's all a
smokescreen.... a made up excuse for what may perhaps be the single most
ANTI-social invention since the pay toilet.

>> More to the point, does
>> there exist *any* "quality control" (for lack of a better term) on
>> ICANN decisions?  Are any of them ever reviewed after they have been
>> made and implemented, you know, to see if any of them are failures and
>> should be recinded?
>
>ICANN has reviews of pretty much _everything_ we do.

Great!  Then when and how do we arrange for this particular incredibly
moronic and ill-considered decision to be revisited (with an eye toward
an early repeal)?

>> why can't (or why
>> shouldn't) this exact type of anti-fraud system be applied also to
>> domain name registrations?
>
>Because it does not work in every country and ICANN gets heavily
>criticized if it does things that disadvantage a stakeholder group.

So what you are saying is that Google, and numerous other private
companies (many of whom also offer services world-wide) *can* make
a phone verification work, but ICANN for some reason, can't.

Hummm... maybe they (ICANN) need to hire somebody into a high-level
technical job who has more of a can-do attitude and/or who has some
actual knowledge and/or experience with implementing this kind of
(phone verification) system.

Solutions are valuable.  Lame excuses are worthless.

You are trying to suggest that there are people out there... somewhere...
perhaps n the back woods of Kazakhstan or some other equally worthless
place... where there are people who *do* need to register domain names
but who *do not* have access to either phones or Internet-connected
computers, as may be needed in order to complete a phone verification.

You seem like an intelligent fellow.  Do I really need to clarify for
you how absurd your contention is in this instance?

(Why someone who has neither a phone nor a computer nor an Internet
connection would need to register a domain name is left as an exercise
for the reader.)

>> this kind of idea will
>> surely never even find its way onto the agenda of any ICANN meeting,
>
>There will be a number of sessions at the Dublin ICANN meeting on
>approaches to address domain name abuse. For example, on Wednesday...

Somebody cue the crickets.

(Yawn.)

I'm sorry, but I have exactly -zero- faith that anything which is the
least bit useful or positive relating to WHOIS accuracy is going to
come out of any ICANN meeting... for the reasons I have already stated.

The registrars... who actually control the money, and who thus call
the tune... do not want there to be any change to the status quo.  They
*like* being able to take money from criminals and (even more) from
snowshoe spammers.  And more to the point, they have become _addicted_
to that revenue stream.  If anybody were to come into any sort of ICANN
meeting, or ICANN committee meeting, or ICANN sub-committee meeting,
or sub-sub-committee meeting and even dare to suggest that (gasp!)
the registrars should perhaps give up this existing criminally-funded
revenue stream... to which they have all become accustomed... that
person would almost certainly get their teeth knocked out... if not
physically, then at least verbally.  The registrar representatives...
which is to say most of the people who will be present in any ICANN
meeting...  would immediately jump to their feet and denounce the person
who suggested that maybe they should stop doing business with anonymous
criminals as a "communist" or worse.

There are plenty of ways to shut down a discussion in a committee
meeting.

>October 21 from 10 a.m. to 11:15 a.m. entitled "Role of Voluntary
>Practices in Combating Abuse and Illegal Activity"

Unilateral disarmament?

So basically, the idea here is that the good and socially responsible
registrars will Do The Right Thing, all on their own, while the remaining
ones will be free to continue making money by helping criminals and
spammers to evade identification and capture.  Is that about the size
of it?

>There is also a session on the ongoing effort
>to create a framework for Registries to address domain name abuse

Yea!  Gee!  That's what we need!  A "framework"!!  (Now why didn't *I*
think of that? :-)

(Hint:  I'll see your "framework" and raise you a simple requirement
for HONESTY as in "honest inclusion of the actual billing information
into the WHOIS records for all domain registrations... or at least the
ones that ICANN has some say over... which is about 95% of them.")


Regards,
rfg