One of Interpol's top child porn cops has launched a blistering attack on the domain name industry and the Internet Corporation for Assigned Names and Numbers (ICANN) for not doing enough to help law enforcement tackle child abuse imagery online. At ICANN's public meeting in San Francisco this week, Garda Síochána's Michael …
It seems to me that although ICANN has its faults that it cannot be expected to Police the Internet. That is not the reason why I helped set it up. ICANN's responsibilities are already spread thinly and it is a costly operation to run. Thus placing extra burden on it will just make it cost more to buy domain names and associated services. No-one who wants child porn to proliferate but putting the burden on ICANN's shoulders in not the way forward. Suspending domain names given there are hundreds of millions of them would result in some people claiming sites have child porn on them just so the site is pulled for their benefit. It is not clear cut and if it was we would not need ICANN.
and I assume that the plods will be happy to sign up to a system which allows them to request the immediate suspension of a domain (without a court order after the traditional presentation of evidence to a judge, which seems to be what they are after), but only on condition that if it subsequently turns out that there were no valid grounds for the suspension (i.e. no subsequent conviction), that they will automatically pay say, $100,000 dollars compensation for each incorrectly suspended domain.
And of course, it'll start with suspension of domains for hosting kiddie porn (perfectly reasonable) and will end up with any website the plods/government/hollywood executives don't like.
The problem is that a completely innocent website, can find that people have added links to child porn (or even hot-linking actual images). You don't want to take the entire website offline because a miscreant has abused the site.
It is also not feasible for a forum to check for child porn: it is illegal to go looking for it, even if your intent is to remove it. And checking every single post 24/7 is not always practical either.
In some cases it may appropriate to deactivate an entire domain, but do we really think that the authorities will take due care and attention over sites caught in the middle?
"it is illegal to go looking for it" is it? Really?
Under which law does it say that?
I thought the criminal act was possession of extreme pornography, not searching for it?
"We would love to see an automatic system whereby, upon notification, ICANN, or whoever, can just sever them,"
Er, well it won't be ICANN. It'll be the "whoever". Specifically, it will be the roughly 200 sovereign states who will pass the necessary laws and enforce them. Given the universal dislike of the material in question, that's probably feasible, but it would help if you started by talking to the right people and stopped beating up on ICANN.
Fully automatic plod domain suspension
because it's for the childrun, guv.
Look, I get that these bods are plod through and through. They're also a wee bit behind the times. So, world-wide, we have this list of what, four hundred domains full of kiddiepr0n? And the plod "need" to turn them off without judicial oversight because... they haven't caught the perps? And the people behind it have not been put behind bars, why?
Why doesn't mr. moran go and does his job, hm? Whois records not accurate just means a spot of good old detective work. That's what detectives are there for. Or is expecting them to do their jobs too much to ask these days? Well?
Perfection - and other impossibilities
Yes. OK. Before anybody starts the home fires (or any other kind) burning, I agree. Child abuse is a very bad thing. I got that. But...
'Bobby Flaim of the FBI noted that there are "pockets of excellence" within the domain name industry, but that cooperation with law enforcement needs to be 100 per cent if it is to make a difference. ICANN requires registrars to enforce the accuracy of their customers' Whois records, and the leading registrars are often quite strict about complying with this rule. But with almost 1,000 ICANN-accredited registrars, there are many "rogue" companies with fewer scruples.'
If I may...
'Barney Rubble of the <insert law enforcement agency here> noted that there are "pockets of excellence" within the <retail gun industry>, but that cooperation with law enforcement needs to be 100 per cent if it is to make a difference. <The government> requires <gun sellers> to enforce the accuracy of their customers' <identity> records, and the leading <gun sellers> are often quite strict about complying with this rule. But with almost <insert big number here> <government> accredited <gun sellers>, there are many "rogue" companies with fewer scruples.'
'Barney Rubble of the <insert law enforcement agency here> noted that there are "pockets of excellence" within the <pharmaceutical industry>, but that cooperation with law enforcement needs to be 100 per cent if it is to make a difference. <The government> requires <pharmaceutical suppliers> to enforce the accuracy of their customers' <identity> records, and the leading <pharmaceutiucal suppliers> are often quite strict about complying with this rule. But with almost <insert big number here> <government> accredited <pharmaceutiucal suppliers>, there are many "rogue" companies with fewer scruples.'
''Barney Rubble of the <insert law enforcement agency here> noted that there are "pockets of excellence" within the <pawnbroking industry>, but that cooperation with law enforcement needs to be 100 per cent if it is to make a difference. <The government> requires <pawnbrokers> to enforce the accuracy of their customers' <identity> records and the provenance of items they buy, and the leading <pawnbrokers> are often quite strict about complying with this rule. But with almost <insert big number here> <government> accredited <pawnbrokers>, there are many "rogue" companies with fewer scruples.'
Sigh. I could go on. But I won't. Save, perhaps, to add:
Frederica Flintstone of the <general public> noted that there are "pockets of excellence" within the <law enforcement industry>, but that <ethical and moral standards of those within it> needs to be 100 per cent if it is to make a difference. <general public> requires <law enforcement> to be absolutely perfect and all those working in it to be saints in training without exception>, and <in many cases law enforcement tries to live up to these standards>. But with almost <insert big number here> <authorised law officers>, there are some "rogue" <officers> with fewer scruples.'
Sigh. My dear Mr Rubble. My dear Ms Flintstone. My dear Mr Flaim. There is no such thing as 100% compliance. Indeed, the whole nature of law enforcement is largely to deal with non-compliance. Yes, it's a real shame people do bad things. But don't try to propose a system that '100%' eliminates a bad anything at any point in the system. 'Cos you're pre-sedigning failure into your solution.
OK. I'll shut up now...
.. leave my wife out of this. Or she'll block my domain name.
Why do police always seem to think that, when it comes to the internet, others should be doing their evidence gathering for them?
Seriously, I have never heard a policeman complain that burglars don't leave calling cards with accurate address information. Nor have I heard of a requirement that car thieves register their full and accurate contact details with the DMV.
Investigating crimes and gathering evidence are the police's job. If they are incapable, as their insistence that somebody else do it for them seems to imply, then maybe they should be hiring more people with the technical skills that their job requires.
Perhaps all registrars should contribute to an independent agency who have the job of sending letters to domain holders, requesting them to enter an auth code on a website by a certain date. If you respond then you're in the clear, the address has been verified as getting to a real person, if not, they can try again using a more robust delivery method (in case the first one got lost). eventually send email to the contact addresses listed (often they're fake too) with a final demand for a valid postal address and if that bounces or is ignored, suspend the domain.
It would need fine tuning to make it robust, especially in some parts of the world, but it shouldn't be too hard. Having a formal check of contact emai addresses would be good as well, I bet a lot will bounce, and the only way to get a valid one is to suspend the domain and wait for someone to complain. A great shame the Ts and Cs didn't forsee this one and allow it.
re: ID verification
I thought that historically the contact information was there for the convenience of the domain owner and administrator, should anyone wish to contact them - if they don't want to be contacted then tough. It's not as if it's going to be hard for criminals to set up fake ID to get around any but the most stringent verification process, I imagine some will specialise in it and sell the resulting dodgy domains in the same way that they sell credit card and other information for fraudulent gain.
Some countrys already do this
IIRC Russian already does this for .ru domain registration.
What does Jaqui think?
A policy to apply for a government licence to host a website? ID cards for anyone owning a server? Etc, etc...
Typical senior plod
thinks he is fit and able to be technical expert, judge, jury and executioner as well as doing the job for which he is actually employed.
Headline: Police hate anonymity and judicial process
There's a reason we don't want police creating policy. They are enforcement-driven, and authoritarian by tendency.
Regulation to stop police from political lobbying, that's the reform we need.
Abused of the system
Surely if the whois database is fully accurate then this would be a valuable tool for the likes of China/Iran/Libya etc to find out who is hosting domains so that they can go and arrest them for 'counter-political activities'? Sure, finding out who the nasty kiddy fiddlers are is important, but setting up a system like this can be abused just as easily as it can be used for genuine law enforcement work?
This issue seems to have been completely over-looked in this article, or am I missing something? Organised crime, terrorists etc already know how to set up false accounts to pay for stuff while not being traced, that is the whole point of detective work. The only people they would catch with be the more stupid or the more honest kind.
>launched a blistering attack on the domain name industry
Quite correct too, they should have a .CP suffix for child porn for which you need to provide valid ID and a few previously unpublished images then it would make everybody's job easier.
Who gives a damn what the WHOIS record says? Even if it's accurate, a legitimate domain or subdomain could be used to provide access to this sort of filth. What would they do with a *.dyndns.com domain, for instance? The first response of Interpol should be to shut down and/or seize the server where this stuff is located and going from there... DNS and WHOIS information has absolutely no bearing on that.
Like seemingly all plods, this tit has no clue about how the net works.
"We have to fix that hole in the fence."
Yup, nothing worse than having a tatty hole in your fence.
Are we talking a quick "make the hole a bit neater" exercise or the full "exact circle, sand the edges smooth and treat the newly exposed timber" here?
.. it's the "let's stick some tape on this hole here but please leave the double gate open" type.
You'd think they have feet so big they would not fit in any sensible mouth, but you'd be wrong..
In other news
Senior police complained that the Sarf London blaggers index wasn't accurate, with many criminals robbing banks without first obtaining a licence and registering with the police.
Unless I am mistaken, the 100 staff on GoDaddy abuse team deal with hosted mail, web hosting and god knows what else as well as DNS takedown issues. Once again, unless I am mistaken, they are not staff dedicated to dealing with domains which are suspected of some form of abuse and only registered via GoDaddy while hosted elsewhere.
Reply to post: Misrepresntation
Whatever else the GoDaddy abouse team deal with it isn't spam reports from hosted mail - the amount of crap that comes from them is second only to Yahoo.
Plod need to understand DNS first
The domain name isn't the webserver. It's only a pointer to it. And as someone else has already pointed out WHOIS information only covers the second level domain name, not subsequent levels.
To use a bad car analogy, what the plod want to do is have the power to remove all the signs to the M1 just because a 'bad person' drove on it last week.
Police narrow mindedness
Child abuse is a nice pat term. Everyone knows what it means so no-one bothers to define it.
What does just child mean? http://en.wikipedia.org/wiki/Age_of_consent#Ages_of_consent_in_various_countries
How is an international organisation supposed to police that? Once we've sorted that out, we can start defining abuse.
Or we could stop wasting time and money and go after the producers rather than the publishers.
My registrar promotes an anonymous WHOIS service - as a tool to avoid spamers.
Perhaps we need to move to an electoral role system - a public and private WHOIS?
another stupid cop
wtf? every clueful cop knows whois is fucking useless and a waste of time. so they don't bother with it as a starting point for an investiagtion.
i wonder why this guy is using "won't anyone think of the children" as the reason to try to fix the unfixable. perhaps he expects criminals to pop into the local nick and tell pc plod what crimes they plan to commit next week.
oh and icann's "control" over whois doesn't go beyond the gtlds. they can't do anything about whois in cctlds even if they were able to. which they're not.
I don't see anything to deal with law enforcement in the ICANN name or charter. Guess it's not their job.
Also, I'm sure if someone decides do card a domain, they really don't care whose name is on the WHOIS information. The only way accurate WHOIS info would be useful is for the idiots who buy domains for their botnet with their Mommy and Daddy's credit card. Like others have mentioned, I think they just want someone to do the legwork they should be doing themselves.
Whois,,, the patsy?
"Hello Mr <gullible person in need of some quick cash>
"We are willing to pay you £500 to register these domains at your address, all you need to do is fill in the forms and confirm the details when the request comes through, sorted."
Cue several thousand domains registered at one address and one poor sap who has nothing to do with kiddie porn getting hauled up in court...
Pots and Kettles?
$ nslookup www.police.uk
$ whois police.uk
Error for "police.uk".
This domain cannot be registered because it contravenes the Nominet UK
naming rules. The reason is:
the domain name contains too few parts.
WHOIS lookup made at 16:10:34 17-Mar-2011
police.uk isn't a nominet controlled domain
so won't show up on their whois. Also, doing 'whois police.uk' is about as useful as doing 'whois co.uk'- if you do 'whois met.police.uk' (for example), you'll see a more useful 'Nominet is not the registry for this domain name'.
I'm sure this is brought up every time police.uk is mentioned. Shame, really. If I were in charge of the police web presence, I'd be sure to have an administrative office at "Letsby Ave, Norton, Sheffield"
... who IS the registry for met.police.uk then?
The title is required, and must contain letters and/or digits.
At a guess, it'll be probably be the Home Office (by way of COI or NPIA). Either way, you won't get to use their whois server if they even have one.
Try an FOI request if you're that keen to find out where the met's website is registered to.
What 'measures' would the registraars require for you to register a domain name, a copy of a passport, driving license, state issued ID? well that would be easy enough to fake for criminals, Watch one of the programs about customs officers on sky and see how many fake passports they deal with.
What about a legitimate US resident who went to register a domain name using a florida state issued driving license too a registrar based in Germany is the German registrar going to know what a florida state driving license looks like and how to spot a fake? I know i sure wouldn't.
Police don't want to know about crime on the internet unless they can find out all they need to know with a few click of a mouse. If all registrars were required to ask for ID then whats to stop the kiddy pron pushers simply giving out the servers IP address instead?
Even without WHOIS, it's very easy to trace where a site is hosted at. Take El Reg for example. Most would think it was hosted in the UK. When I ping www.theregister.co.uk, it gives me the ip address of 18.104.22.168. Googling 22.214.171.124 tells me 126.96.36.199 is an IP Address managed by Rackspace Hosting and located in San Antonio, Texas, United States.
Now if I was a plod and had evidence of wrong doing, I would coordinate with the plods in Texas so they in turn could get a cout order for Rackspace to get all the contact details on just who owns theregister.co.uk.
Its about the money stupid....
ICANN will never change this. It's not in their interest to. Their "not for profit fees" are paid for by the Domain name industry that doesn't want to pay money checking who is buying their domains. Who cares as long as the cash rolls in?
ICANN have had three compliance officers jobs empty for months and have no interest in filling them. God forbid they would bite the hand that feeds them. Lobby all you want coppers, they'll be no change in the foreseeable future. But we'll all lose in the long term when this is dealt with by draconian legislation which will fracture the internet.
Why not merge Interpol, ICANN and, what the hell, let's throw in Little Chef as well. It could be called the Information Superhighway Restaurant Assigned Numbers Police Agency.
Who needs a domain anyway?
It's quite possible to host stuff using an IP address without any associated domain name - in fact I do exactly that for a customer, who wanted a private data archive / repository.
BTW, for elreg I get 188.8.131.52, which is still rackspace, but in the UK.