Internet Domain Name Fraud – New Criminal and Civil Enforcement Tools
Testimony of
Rick H. Wesson
President/CEO
Alice’s Registry, Inc
Before the
House Subcommittee on Courts, the Internet and Intellectual Property
Thank you very much, Chairman Smith, and Ranking Member Berman, and Members of the Subcommittee for the opportunity to testify on this important subject. In the interests of full disclosure I am the Vice-Chair and Chief Technical Officer of the Registrars Constituency within ICANN and also serve on the ICANN Security and Stability committee. Today I am testifying for myself as President and CEO of
This testimony will address two main issues. First, I will address Whois data accuracy as a function of fraud in domain registrations by ICANN-accredited registrars. Second, I will address the issues of this legislation and further goals to pursue.
I’ve followed and participated in Whois issues for nearly a decade. When a member of Mr. Berman’s staff came to discuss IPR issues with the Registrars’ Constituency at one of our Interim meetings in Washington, DC, the staffers enumerated the issues of Whois accuracy, such as invalid or missing registrant data. The examples given were obviously incorrect, and even the most basic validation would have identified the domains as lacking correct or valid information.
Beginning in 2000, I spent the next 18 months developing a technology to perform fraud analysis on electronic commerce transactions with the intent of solving registrars’ Whois data accuracy problems. The technology we developed was specifically targeted to identify invalid and undeliverable postal addresses, undeliverable e-mail addresses, and nondialable telephone numbers.
Understand that the registrants for Internet domain names are a global population. Registrars in
Typical scams included using cities that did not exist within the country they stated they were in, or telephone numbers that were valid, but proved to be a directory assistance number. Often fraudsters would use e-mail addresses that were undeliverable, telephone numbers that did not exist at all, and postal addresses that could not exist.
Eventually we learned how to correlate the postal address, email address, and telephone numbers with IP addresses and verify that they all exist, in over 200 countries. Using this technology we were able to make our business unattractive to individuals looking to fraudulently register domain names. It is simply an artifact that our anti-fraud technology prevents invalid registrant data.
While it is easy for the untrained eye to see that the domains enumerated in Mr. Trainer’s testimony are registered with inaccurate data, we provide three examples of domain name registrations in our written testimony that are more difficult to determine the accuracy of. While the Canadian and
A case in point where I encountered fraudulent data occurred last year when some of my computers had been infected with a virus that gave control of the system to a third party without my knowledge. When I tracked down the hacker and discussed with them how I became infected, I learned the hackers controlled over 3,500 computers and, for a fee, one of the operators offered to perform denial of service attacks on any network I requested.
I attempted to have the Whois of the domain that they used to perform these attacks deleted. The domain was igger.com and the host they used to coordinate these attacks from was named n.igger.com. I submitted a Whois update request through ICANN and eventually the domain’s incorrect Whois was updated but not deleted, allowing the distributed denial of service attacks to continue. Shortly after the domain’s Whois was updated, it was updated again with bogus information. Currently this entire deception is completely legal. The same dynamic directly and immediately impacts trademark and copyright issues exactly the same way.
We launched the service Fraudit, as in “Fraud-Audit”, for registrars to increase their data accuracy at the 2002 ICANN meeting in
Registrars appeared to believe that as long as no solution existed, there was no good reason to audit their registrant data. In fact the only time they performed self-audits is when the registrar was faced with a financial loss. Registrars have been hit hard with credit card fraud. One large registrar had a rather embarrassing incident by nearly losing their merchant account, removing their ability to take credit cards over the Internet, because of fraud. Although all registrars experience some credit card fraud and most have invested in mitigating that risk, they have not attempted, nor invested in, an ability to prevent the introduction of fraudulent registrant data – as long as the domain is paid for and the registrar is not hit with a credit card chargeback there is no business reason to prevent invalid registrant data in the Whois system. My ultimate realization that ICANN, gTLD registries and accredited registrars had no intention, desire, or incentive to audit their registrant data caused us to withdraw the product from the registrar Whois accuracy space.
I do support the proposed legislation as a step forward and hope it will deter those intent on registering domains with fraudulent contact data. While it might indeed have a deterrent effect, we cannot solely rely on industry regulation to prevent false and invalid registrant data from entering the Whois database. As it stands, the proposed legislation does not impact registrars. With no provision barring registrars from accepting fraudulent registrant data or requiring a registrar verify registrant data, I expect the industry to continue on its present course. With no real-time analysis of registrant data on the front end we are leaving it up to law enforcement to determine the accuracy only during an infringement investigation.
With simple regulation that registrars validate the accuracy of their Whois data, then law-enforcement can uphold the law. Without it, law-enforcement will just be swimming around in invalid data. It’s that simple. The technology exists, but legislation needs to require a reasonable effort on registrars’ part to use it. Please add a requirement that registrars be involved in validating a potentially accurate representation of those they register. Don’t miss this opportunity to evolve the Internet beyond the wild, wild west toward the safety of any civilized community.
Again, thank you for this opportunity to testify today and I am happy to answer any questions you have.
Appendix A
Example Fraudit Analysis Report
Included below are three example reports of Fraudit analysis of domain names. The first domain appears valid, as all the normal address elements exist in the Whois record. Initial inspection reveals that the phone number is not valid, though almost all of the elements of the record are in fact invalid. The second domain resides in
Domain: 123bankruptcy.com
Registrant
FDS Digital
fdsdigitalwhj@hotmail.com
5525
+1.1111111111
Example #2
Domain Name.......... 123wine.com
Creation Date........ 2001-04-15
Registration Date.... 2001-04-15
Expiry Date.......... 2004-04-15
Admin Name........... Sohail Roshni
Admin Address........ "42 olympus, mmc road"
Admin Address........ mahim west
Admin Address........ mumbai
Admin Address........ 400016
Admin Address........ maharashtra
Admin Address........
Admin Email.......... admin@findjunction.com
Admin Phone.......... 091982135659
Admin Fax............
Phone is mobile, confirmed.
Postal code for
Email address is deliverable, address confirmed.
City Mumbai is City Bombay -- Lat: 18 56 00 N Long: 072 51 00 E
Domain Name: CALIFORNIALOTERY.COM
Administrative Contact:
Admin, Site admin@acmemail.com
US
305-210-6453
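
An added example, not part of the testimony and not Fraudit's code: a sketch of the basic syntactic validation the testimony says would catch obviously invalid registrant data (missing address fields, nondialable or directory assistance telephone numbers). The field names, the set of checks and the sample records are assumptions; only the telephone number +1.1111111111 is taken from the first report above, and deliverability is not tested because that requires external data.

```python
import re

# Assumed set of fields a registrar requires for a contact record.
REQUIRED = ("name", "street", "city", "postal_code", "country", "email", "phone")
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def nanp_phone_problems(phone):
    """Syntactic dialability checks for a +1 (North American) number."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]          # drop the country code
    if len(digits) != 10:
        return ["phone: not 10 digits after country code"]
    area, exchange, line = digits[:3], digits[3:6], digits[6:]
    problems = []
    if area[0] in "01":
        problems.append("phone: area code cannot start with 0 or 1")
    if exchange[0] in "01":
        problems.append("phone: exchange cannot start with 0 or 1")
    if exchange == "555" and line == "1212":
        problems.append("phone: directory assistance number")
    if len(set(digits)) == 1:
        problems.append("phone: single repeated digit")
    return problems

def check_record(rec):
    """Return a list of findings; an empty list means no syntactic problem."""
    findings = [f"{f}: missing" for f in REQUIRED if not rec.get(f, "").strip()]
    email, phone = rec.get("email", ""), rec.get("phone", "")
    if email and not EMAIL_RE.match(email):
        findings.append("email: malformed")
    if phone and (phone.startswith("+1") or rec.get("country") == "US"):
        findings.extend(nanp_phone_problems(phone))
    zip_code = rec.get("postal_code", "")
    if rec.get("country") == "US" and zip_code and not re.fullmatch(r"\d{5}(-\d{4})?", zip_code):
        findings.append("postal_code: not a US ZIP code")
    return findings

# Constructed sample records; only the first phone number is from the report above.
SAMPLES = [
    {"name": "Example Registrant", "email": "registrant@example.com",
     "phone": "+1.1111111111"},
    {"name": "Site Admin", "street": "100 Main St", "city": "Springfield",
     "postal_code": "62701", "country": "US", "email": "admin@example.net",
     "phone": "217-555-1212"},
    {"name": "Jane Doe", "street": "1 First St", "city": "Washington",
     "postal_code": "20001", "country": "US", "email": "jane@example.org",
     "phone": "+1.2025550143"},
]
```

Calling check_record on each entry of SAMPLES returns seven findings for the first record, one for the second and none for the third.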