<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div>Colleagues,</div><div><br class="webkit-block-placeholder"></div><div>Below is a draft of our constituency statement on the PDP re: <a href="http://www.icann.org/transfers/">Intra-Registrar Transfer Policy</a>. The PDP itself is non-contentious, but this is a good opportunity to comment on the problem publication of whois data causes for domain hijacking.</div><div><br class="webkit-block-placeholder"></div><div>Please send any comments and suggestions for edits asap, as our final statement needs to be submitted by Friday.</div><div><br class="webkit-block-placeholder"></div><div>Thank you,</div><div>Robin</div><div>________________________________</div><div><!--StartFragment--><p class="MsoNormal" align="center" style="text-align:center">Statement of the Non-Commercial User’s Constituency (NCUC)</p><p class="MsoNormal" align="center" style="text-align:center"> RE:<span style="mso-spacerun: yes"> </span>Intra-Registrar Transfer Policy Development Process</p><p class="MsoNormal" align="center" style="text-align:center">Background</p> <div class="MsoNormal"> <o:p></o:p></div> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>Domain hijacking, in which one party fraudulently takes control of another's domain name, allows unethical hackers to direct traffic to sites under their control, conduct denial of service attacks, and collect identifying or financial data from unsuspecting users.<span style="mso-spacerun: yes"> </span>These attacks not only cause direct harm to those involved but also undermine the security and stability of the Internet and e-commerce generally.<span style="mso-spacerun: yes"> </span>Every person who uses the Internet has a clear interest in preventing these attacks.</div><div class="MsoNormal"><br class="webkit-block-placeholder"></div> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>As the SSAC report makes clear, unethical hackers are coupling domain hijackings with an inter-registrar transfer to take advantage of a natural point of confusion and human psychology.<span style="mso-spacerun: yes"> </span>When a domain is transferred from one registrar to another, the losing registrar may feel less responsibility for catching or correcting fraud, whereas the gaining registrar may have less reason to suspect fraud and will have no prior relationship with the victimized registrant.<span style="mso-spacerun: yes"> </span>This, plus miscommunication between the registrars, can prevent or delay efforts to correct the domain hijacking once detected.<span style="mso-spacerun: yes"> </span>ICANN exists to coordinate such communication, and should endeavor to adjust its policies to take these attacks into account.</div> <div class="MsoNormal"> <o:p></o:p></div><p class="MsoNormal" align="center" style="text-align:center">GNSO Action</p><p class="MsoNormal" align="center" style="text-align:center"> <o:p></o:p></p> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>The GNSO currently has before it an extensive list of proposals on how to prevent domain hijackings and to remedy them more rapidly once detected.<span style="mso-spacerun: yes"> </span>In considering these proposals, the GNSO should recognize these two goals as distinct, and ensure that both are addressed.<span style="mso-spacerun: yes"> </span>Moreover, while the registrars can create their own internal security policies to help prevent domain hijacking, all parties are dependent on ICANN to set sound policies for the coordination of two or more registrars and a registrant.<span style="mso-spacerun: yes"> </span>Therefore, the GNSO should carefully consider all proposals that may modify policies for intra-registrar transfer and remedy of a domain hijacking.</div><div class="MsoNormal"><br class="webkit-block-placeholder"></div> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>When considering these proposals, the GNSO should also recognize that some may be implemented quickly and easily whereas others may require more extensive discussion.<span style="mso-spacerun: yes"> </span>Since these proposals are intended to address an existing vulnerability, timely action is important.<span style="mso-spacerun: yes"> </span>Tying all of these proposals to the same policy development process runs the risk that easily agreed upon fixes will be needlessly delayed or, conversely, that discussion of more complicated or controversial remedies will be hurried or cut short.<span style="mso-spacerun: yes"> </span>Therefore, it may be appropriate for the working group to submit a short list of easily agreed upon proposals before moving on to the more time consuming proposals.</div> <div class="MsoNormal"> <o:p></o:p></div><p class="MsoNormal" align="center" style="text-align:center">Whois Issues</p> <div class="MsoNormal"> <o:p></o:p></div> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>Because whois reform has been the subject of a separate policy development process, none of the proposed methods of countering domain hijacking include any changes to the whois database policy.<span style="mso-spacerun: yes"> </span>Given the contentious nature of whois reform, it unquestionably warrants its own PDP.<span style="mso-spacerun: yes"> </span>Yet to discuss domain hijacking without discussing whois is to ignore an elephant standing in the middle of the room.<span style="mso-spacerun: yes"> </span>The implications of the current whois policy for domain hijacking should not be ignored merely because the issues straddle two working groups.</div><div class="MsoNormal"><br class="webkit-block-placeholder"></div> <div class="MsoNormal"><span style="mso-tab-count:1"> </span>As the investigation into high profile domain hijackings has made clear, whois data is a valuable resource to Internet scammers.<span style="mso-spacerun: yes"> </span>The database lets the nefarious hacker know whom he should impersonate in a social engineering attack, and which email address the registrar will accept requests from.<span style="mso-spacerun: yes"> </span>Because this information is made publicly available through whois, this tool has been given to the black-hat hackers for free.<span style="mso-spacerun: yes"> </span>Restricting access to whois data may be the easiest and most effective way to combat domain hijackings.<span style="mso-spacerun: yes"> </span>While it may be appropriate to discuss these issues in another working group, they should not be allowed to slip through the cracks.</div> <!--EndFragment--> </div><div><br class="webkit-block-placeholder"></div>-------------------------<br><br><div> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div><br class="Apple-interchange-newline"><br class="khtml-block-placeholder"></div><div><br class="khtml-block-placeholder"></div><div>IP JUSTICE</div><div>Robin Gross, Executive Director</div><div>1192 Haight Street, San Francisco, CA 94117 USA</div><div>p: +1-415-553-6261 f: +1-415-462-6451</div><div>w: <a href="http://www.ipjustice.org">http://www.ipjustice.org</a> e: <a href="mailto:robin@ipjustice.org">robin@ipjustice.org</a></div><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline"> </div><br></body></html>