Where Are the Registrars?
That's the big question that some people think needs to be answered, or at least one of them, if ICANN is indeed to play a more active role in helping to keep larger numbers of cyber-criminals and schemers offline.
As notorious registrar EstDomains sits in limbo waiting to see if the Internet Corporation for Assigned Names and Numbers is going to pull its accreditation on the grounds that its CEO is believed to have been convicted (PDF) for credit card fraud, money laundering and document forgery, some market watchers are postulating that even more shady registrars could be kept from going into business in the first place if ICANN would force the companies to provide accurate, verifiable information up front about their physical locations and corporate officers.
Garth Bruen, the mind behind anti-spam portal KnujOn, who was calling for EstDomains to be taken offline months before ICANN moved to do so, is one of the people leading the effort to push ICANN to further formalize its registrar registration efforts.
"We have before us rare opportunity to close a big Internet policy loophole. You may not be aware but Registrars (companies authorized to issue domain names) are not required to publicly disclose their ownership or location," Bruen said in a letter to supporters on Nov. 3. "It is my firm belief that this policy failure has helped criminals to get a foothold within the Internet infrastructure."
The security expert specifically called out ICANN's RAA (Registrar Accreditation Agreement) as providing no provision "mandating that location or ownership be disclosed to the public."
Bruen said, "In any other industry this would be intolerable. Internet users need to be aware of this and how it affects them."
To help further its push, KnujOn has sent one of its experts to the ongoing ICANN Cairo meetings to needle the regulators to adopt its suggestions.
To highlight the problem, Bruen pointed out that the CEO of another registrar well known to security researchers, NameJuice.com, is also believed to be a convicted felon, and that the CEO of another, Dynamic Dolphin, was successfully sued for spamming.
Yet, the people involved are still permitted by ICANN to operate their respective businesses, companies that purportedly allow others to engage in the same types of illegal activities they've been found guilty of.
According to KnujOn's research, many ICANN-certified registrars continue to do business using mail-drop addresses and post office boxes as their primary business locations, and KnujOn counted over 70 registrars that have no listed address at all.
As Bruen points out, it seems unusual that people registering Web sites must list their locations with regulators, while the registrars themselves seem to face no such requirement. Bruen wrote:
"It is clear that certain players within the community have set out to deceive consumers. These conditions do not promote stability or foster faith within the industry. Additionally, it seems somewhat hypocritical to require that registrants disclose accurate contact details in Whois but Registrars have escaped this requirement. Without public disclosure there cannot be true transparency, accountability or trust."
To read the exact wording Bruen is suggesting that ICANN adopt in its RAA, click here.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.