draft of NCUC constituency statement on PDP: Intra-Registrar Transfer Policy

Robin Gross robin at IPJUSTICE.ORG
Tue Jan 22 06:17:53 CET 2008


Colleagues,

Below is a draft of our constituency statement on the PDP re: Intra-Registrar
Transfer Policy.  The PDP itself is non-contentious, but
this is a good opportunity to comment on the problem publication of
whois data causes for domain hijacking.

Please send any comments and suggestions for edits asap, as our final  
statement needs to be submitted by Friday.

Thank you,
Robin
________________________________
Statement of the Non-Commercial User’s Constituency (NCUC)

  RE:  Intra-Registrar Transfer Policy Development Process

Background


Domain hijacking, in which one party fraudulently takes control of  
another's domain name, allows unethical hackers to direct traffic to  
sites under their control, conduct denial of service attacks, and  
collect identifying or financial data from unsuspecting users.  These  
attacks not only cause direct harm to those involved but also  
undermine the security and stability of the Internet and e-commerce  
generally.  Every person who uses the Internet has a clear interest  
in preventing these attacks.

As the SSAC report makes clear, unethical hackers are coupling domain  
hijackings with an inter-registrar transfer to take advantage of a  
natural point of confusion and human psychology.  When a domain is  
transferred from one registrar to another, the losing registrar may  
feel less responsibility for catching or correcting fraud, whereas  
the gaining registrar may have less reason to suspect fraud and will  
have no prior relationship with the victimized registrant.  This,  
plus miscommunication between the registrars, can prevent or delay  
efforts to correct the domain hijacking once detected.  ICANN exists  
to coordinate such communication, and should endeavor to adjust its  
policies to take these attacks into account.

GNSO Action



The GNSO currently has before it an extensive list of proposals on  
how to prevent domain hijackings and to remedy them more rapidly once  
detected.  In considering these proposals, the GNSO should recognize  
these two goals as distinct, and ensure that both are addressed.   
Moreover, while the registrars can create their own internal security  
policies to help prevent domain hijacking, all parties are dependent  
on ICANN to set sound policies for the coordination of two or more  
registrars and a registrant.  Therefore, the GNSO should carefully  
consider all proposals that may modify policies for intra-registrar  
transfer and remedy of a domain hijacking.

When considering these proposals, the GNSO should also recognize that  
some may be implemented quickly and easily whereas others may require  
more extensive discussion.  Since these proposals are intended to  
address an existing vulnerability, timely action is important.  Tying  
all of these proposals to the same policy development process runs  
the risk that easily agreed-upon fixes will be needlessly delayed or,
conversely, that discussion of more complicated or controversial
remedies will be hurried or cut short.  Therefore, it may be
appropriate for the working group to submit a short list of easily
agreed-upon proposals before moving on to the more time-consuming
proposals.

Whois Issues


Because whois reform has been the subject of a separate policy  
development process, none of the proposed methods of countering  
domain hijacking include any changes to the whois database policy.   
Given the contentious nature of whois reform, it unquestionably  
warrants its own PDP.  Yet to discuss domain hijacking without  
discussing whois is to ignore an elephant standing in the middle of  
the room.  The implications of the current whois policy for domain  
hijacking should not be ignored merely because the issues straddle  
two working groups.

As the investigation into high-profile domain hijackings has made
clear, whois data is a valuable resource to Internet scammers.  The  
database lets the nefarious hacker know whom he should impersonate in  
a social engineering attack, and which email address the registrar  
will accept requests from.  Because this information is made publicly  
available through whois, this tool has been given to the black-hat  
hackers for free.  Restricting access to whois data may be the  
easiest and most effective way to combat domain hijackings.  While it  
may be appropriate to discuss these issues in another working group,  
they should not be allowed to slip through the cracks.

-------------------------




IP JUSTICE
Robin Gross, Executive Director
1192 Haight Street, San Francisco, CA  94117  USA
p: +1-415-553-6261    f: +1-415-462-6451
w: http://www.ipjustice.org     e: robin at ipjustice.org


