ICANN's WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. For those who are familiar with the cycle of WDPRS complaints, the time frame is supposed to be 45 days at most. The 45-day window was defeated by the domain owner, who constantly transferred the domain and changed the data, which took it out of the hard-structured view of complaints processing. This is part of an ongoing series of articles and research into online opioid traffic and the effectiveness of different enforcement procedures. The first complaint was submitted 4 August 2016, and the most recent response from ICANN on 6 March stated in part:
ICANN considers this matter now closed.
Wonderful. We should all feel so much safer. Unfortunately, this is just the continuation of a very long process failure. The domain in question, DRUGS-ORDER.NET (which I refer to in my handwritten notes as "DONT"), is still online and used for selling opioids without a prescription and without displaying a pharmacy license. The memo I submitted in response to these events is an analysis of the ICANN complaint system (WDPRS). The analysis uses this domain with false WHOIS as an example to better understand the issues with ICANN policy and procedure. In short, the ICANN WDPRS has been effectively circumvented. The domain has had 3 different sets of false WHOIS, and its owner simply transferred it each time a complaint was filed. The domain has been transferred to 4 different registrars and is currently operating and selling narcotics. With nearly 3000 registrars there is no practical limit. In each case, the registrar largely followed the process and complied with ICANN. So ultimately it's not a registrar issue, it's an ICANN issue. The failure of the organization to understand how the process can be manipulated makes the process useless. ICANN compliance will likely respond by stating they are constrained by the contract. However, they are also apparently constrained by process innovation as well as real-world context.
This is an extremely urgent issue. Yesterday, here in Copenhagen at the CC session "Towards Effective DNS Abuse Mitigation: Prevention, Mitigation", some very smart and passionate experts (including APWG and global LE) discussed various threats on the Internet. One fact is clear from this discussion: the ability of criminals to obtain domains far outpaces the current ability to contain them. Even concerned and proactive registrars at the session complained that their compliance and cooperation with abuse mitigation is hampered by other factors out of their control. The various issues can be summed up in one word: complexity. The data is complex, but the process cannot accept that complexity.
All criminal and abusive operations should follow this cycle to stay in business: Obfuscate, Wait, Transfer, Repeat.
I will be presenting on these issues at the joint session of the Public Safety Working Group (PSWG) and the Verified TLD (vTLD) constituency. This meeting is scheduled for Tuesday 14 March from 18:30 to 19:30 (CET) in Hall B4.1 at ICANN58.
Written by Garth Bruen, Internet Fraud Analyst and Policy Developer