RE: [registrars] RE: Registrar Approval of Variable Accreditation Fee for 2003-2004

[Tim Ruiz <tim@xxxxxxxxxxx>]

Rick, for the me the point is that getting more precise data does not in any way mean that it is more accurate. The congress, and others, seem to be under the impression that one leads to the other. It doesn't. All this will lead to is a better quality of bad data. What is the problem that they are really trying to solve?<br>
&nbsp;<br>
Tim<BR><BR><br>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px solid"><BR>-------- Original Message --------<BR>Subject: RE: [registrars] RE: Registrar Approval of Variable<BR>Accreditation &nbsp;Fee for 2003-2004<BR>From: "Rick Wesson" &lt;wessorh@xxxxxx&gt;<BR>Date: Wed, September 03, 2003 1:51 pm<BR>To: "Paul Stahura" &lt;stahura@xxxxxxxx&gt;<BR>Cc: "'Donny Simonton'" &lt;donny@xxxxxxxxxxxxxxx&gt;, "'Elana Broitman'"<BR>&lt;ebroitman@xxxxxxxxxxxx&gt;, "'Registrars List'" &lt;registrars@xxxxxxxx&gt;<BR><BR>Paul,<BR><BR>The example you and Donny put forth are both extremes. Postal validation<BR>alone is not 100% accurate and not for any postal system including the<BR>US Post Office. understand that all postal systems recognize this fact.<BR><BR>Any one of the examples below based solely on postal address and phone<BR>numbers are going to have big holes for gaming. You have to go beyond just<BR>evaluating the name and address in testing accuracy of a registrat!
ion.<BR><BR>The big point that must be communicated to the congress critters is that<BR>no matter the method or methodology of a heuristic to test accuracy of<BR>registrant data, none are 100% accurate. They know this, credit card<BR>companies know it and so does any large business that manages customer<BR>lists or looks for terrorists at airports -- but it is good to remind<BR>everyone involved that no system will provide 100% accuracy.<BR><BR>Paul's point (i think) is that even if we filter inaccurate data it is<BR>still posable to commit fraud (ie successfully lie) From my conversations<BR>with the concerned parties is that they understand there will always be<BR>ways to lie but desire a higher standard that what our industry currently<BR>implements which is -- effectively no checking at all.<BR><BR><BR><BR>best,<BR><BR>-rick<BR><BR><BR><BR><BR>On Wed, 3 Sep 2003, Paul Stahura wrote:<BR><BR>&gt; This is the main crux of the problem: it does not work in practice, but,<BR>&!
gt; hey, it looks good.<BR>&gt;<BR>&gt; Because even if an address was a precise and a valid address,<BR>&gt; it is not necessarily the address of the person making the registration.<BR>&gt;<BR>&gt; This address is a valid address:<BR>&gt; Smith, David<BR>&gt; 25242 Riverside Drive Ext<BR>&gt; Seaford, DE 19973<BR>&gt; Phone: 302-629-9829<BR>&gt; (there are millions of them, just go to infospace.com, I picked this one at<BR>&gt; random)<BR>&gt;<BR>&gt; But did David Smith make the registration?<BR>&gt; Or did a bad-guy just type in David's information?<BR>&gt; The bad-guy could just as easily use a valid address anywhere on the planet.<BR>&gt; Only good-guys would enter true information.<BR>&gt; Then, to bad for them, but that true information would be even more valuable<BR>&gt; to the bad-guy whois-harvesters.<BR>&gt;<BR>&gt; The only way to know if David Smith is the guy who controls the domain is to<BR>&gt; send David Smith a postal letter at that<BR>&gt; address and have!
 David confirm receipt of the letter and confirm intention<BR>&gt; to register the name.<BR>&gt; Even the .uk registry, a monopoly, has stopped sending paper around the<BR>&gt; planet.<BR>&gt; Then you'd have to do the same with the phone number (call it and have the<BR>&gt; person who answers make the same confirmations),<BR>&gt; but even that high-cost operation will be gamed by the bad guys because the<BR>&gt; phone number can be<BR>&gt; the number of a disposable cell phone, public phone near the valid but<BR>&gt; untrue street address etc.<BR>&gt; Sending a message to an email address, though low-cost, proves nothing about<BR>&gt; the registrant's identity besides the fact<BR>&gt; that the person who controls the domain also controls a nearly anonymous<BR>&gt; free email address.<BR>&gt;<BR>&gt; The costs are too high and the real benefit too low.<BR>&gt; The only benefit is that we would be seen as "doing something" at the time<BR>&gt; of registration.<BR>&gt;<BR>&gt; !
We (I mean the Internet and the public) get more bang for the buck by doing<BR>&gt; the above<BR>&gt; (sending paper, calling phone numbers, sending email, etc) when there is a<BR>&gt; known problem.<BR>&gt;<BR>&gt; Paul<BR>&gt;<BR>&gt;<BR>&gt;<BR>&gt; -----Original Message-----<BR>&gt; From: Donny Simonton [mailto:donny@xxxxxxxxxxxxxxx]<BR>&gt; Sent: Wednesday, September 03, 2003 8:15 AM<BR>&gt; To: 'Rick Wesson'; 'Elana Broitman'<BR>&gt; Cc: 'Registrars List'<BR>&gt; Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation<BR>&gt; Fee for 2003-2004<BR>&gt;<BR>&gt;<BR>&gt; The biggest problem we have found is getting the address information from<BR>&gt; all of the different countries to be able to have a 100% correct address<BR>&gt; verification system. &nbsp;In the US and Canada and I'm sure other countries you<BR>&gt; can buy address information for a few thousand a year. &nbsp;Then you have to buy<BR>&gt; the phone numbers from somebody else, Neustar if!
 I remember correctly. &nbsp;That<BR>&gt; would work fine for US and Canada.<BR>&gt;<BR>&gt; But most of our fraud is not in the US or Canada, it's in other countries<BR>&gt; that you are not able to get the address information from their postal<BR>&gt; service. &nbsp;And how would you verify this address anyway? &nbsp;This is a real<BR>&gt; address of one of our customers.<BR>&gt; "120 meters past McDonald's on Rue Flat Road".<BR>&gt;<BR>&gt; Yes and it's valid, because a hotel that is also on the same street is 240<BR>&gt; meters past McDonald's.<BR>&gt;<BR>&gt; So address and phone number verification is a great idea, we spent almost 2<BR>&gt; months working on it, then you get outside the US and Canada and you run<BR>&gt; into all kinds of issues with trying to verify the address and phone number.<BR>&gt; Good in theory, not good in practice.<BR>&gt;<BR>&gt; Donny<BR>&gt;<BR>&gt; &gt; -----Original Message-----<BR>&gt; &gt; From: owner-registrars@xxxxxxxxxxxxxx [mailto:o!
wner-<BR>&gt; &gt; registrars@xxxxxxxxxxxxxx] On Behalf Of Rick Wesson<BR>&gt; &gt; Sent: Wednesday, September 03, 2003 9:53 AM<BR>&gt; &gt; To: Elana Broitman<BR>&gt; &gt; Cc: Registrars List<BR>&gt; &gt; Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation<BR>&gt; &gt; Fee for 2003-2004<BR>&gt; &gt;<BR>&gt; &gt;<BR>&gt; &gt;<BR>&gt; &gt; Elana,<BR>&gt; &gt;<BR>&gt; &gt; do you have a link to information about the hearing?<BR>&gt; &gt;<BR>&gt; &gt; my $.02...<BR>&gt; &gt;<BR>&gt; &gt; doing registrant validation on signup cuts down fraud so if one reviews<BR>&gt; &gt; the amount of chargebacks one gets verses the cost of whois accuracy<BR>&gt; &gt; requirements performing such validation actually saves us more in<BR>&gt; &gt; chargebacks than costs us in performing the validation.<BR>&gt; &gt;<BR>&gt; &gt; We allow just about anything through the signup process and just don't<BR>&gt; &gt; process the fraudulent or highly supcious applications.<BR>&gt; !
&gt;<BR>&gt; &gt; We are working on more elaborate techniques to handle bounces and staging<BR>&gt; &gt; other automated means of communication such as: if email bounces and we<BR>&gt; &gt; have a fax, send a fax, if the fax bounces send a postcard, if all<BR>&gt; &gt; attempts bounce note the information is bad and lock the account with a<BR>&gt; &gt; note that will require additional information if the registrant comes to<BR>&gt; &gt; renew the domain.<BR>&gt; &gt;<BR>&gt; &gt; We could get even more elaborate by identifying telephone numbers that are<BR>&gt; &gt; mobile numbers and sending an SMS message but we don't have the volume of<BR>&gt; &gt; registrations to make that interesting yet.<BR>&gt; &gt;<BR>&gt; &gt; best,<BR>&gt; &gt;<BR>&gt; &gt; -rick<BR>&gt; &gt;<BR>&gt; &gt;<BR>&gt; &gt; On Wed, 3 Sep 2003, Elana Broitman wrote:<BR>&gt; &gt;<BR>&gt; &gt; &gt; On the same note, I am again going out to everyone with a request for<BR>&gt; &gt; &gt; some data (even merel!
y anecdotal) on how you comply with whois<BR>&gt; &gt; &gt; accuracy requirements in the RAA and cost of doing so. &nbsp;This is very<BR>&gt; &gt; &gt; important to provide before tomorrow's Congressional hearing in order<BR>&gt; &gt; &gt; help protect us from "unfunded mandates" based on incomplete<BR>&gt; &gt; &gt; information supplied by interest groups pushing for more Whois<BR>&gt; &gt; &gt; verification and availability.<BR>&gt; &gt; &gt;<BR>&gt; &gt; &gt; Thanks<BR>&gt; &gt; &gt;<BR>&gt; &gt; &gt; Elana Broitman<BR>&gt; &gt;<BR>&gt; &gt;<BR>&gt;<BR>&gt; </BLOCKQUOTE>