Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet Your Rights Online

Proposal To Limit ISP Contact Data Draws Fire 100

An anonymous reader writes "A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software, according to a story at Krebsonsecurity.com. From the piece: 'The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses — later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. Proponents of the plan couch it in terms of property rights and privacy, but critics say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.'"
This discussion has been archived. No new comments can be posted.

Proposal To Limit ISP Contact Data Draws Fire

Comments Filter:
  • by Renraku ( 518261 ) on Thursday April 08, 2010 @04:04PM (#31781864) Homepage

    Only for businesses, of course, since they have the money and don't mind paying extra to be untraceable. In fact, why not just go ahead and pass a law that bans popup blockers and mandates every citizen to an hour of forced ad viewing per day?

    • by maxrate ( 886773 )
      Ah, ARIN does NOT need IP addresses data to be published for individuals/residential - So, as a residential subscriber, you're 'shielded' by your ISP
      • Re:Businesses... (Score:5, Informative)

        by mysidia ( 191772 ) on Thursday April 08, 2010 @05:40PM (#31782994)

        Almost correct... ARIN does not need IP addresses or contact data to be published for residential dial-in users, provided they are not assigned a /29 (or shorter prefix)

        Currently a /29 is the magic number. If you get a netblock that is larger, such as a netblock with 16, 32, 64, 256, or more contiguous IP address numbers, then the upstream provider has to publish re-assignment information and a contact.

        • by Bengie ( 1121981 )

          What are they gonna do when IPv6 gives out /64 blocks for EVERYONE?

          • by mysidia ( 191772 )

            In IPv6, a /64 is just one subnet, so re-assignment information is probably not going to be required.

            Policy on that has yet to be hammered out on that through the PDP on the arin-ppml mailing list and at ARIN meetings.

            My best guess would be the magic number is going to be something like a /62 for V6

    • In 1886, Santa Clara County v. Southern Pacific RR granted human rights to corporations under the Constitution. This made corporations more than human: They don't eat, breathe or die (unless they go bankrupt - Hmmmm).

      There are companies that are hundreds of years old - how's a human supposed to compete with that? After all, you might be able to punch your next door neighbor in the face, but you'll never punch Coca-Cola in the face...
    • by samantha ( 68231 ) *

      I have money. I am not a business. I would pay to not be automatically trackable just because I use higher bandwidth (business class) services. Where is this a problem. Are you saying I must be fully trackable at all times just on the grounds that I might do something criminal? Are you sure you want to take (and live by in all ways yourself) that position?

      • I have money. I am not a business. I would pay to not be automatically trackable

        Set up a front business in a suitable jurisdiction with one person employed who spends an hour a month answering the phone. You could probably make the whole setup tax-deductable by hiring a mentally-handicapped person to act as your "receptionist".

  • by Oxford_Comma_Lover ( 1679530 ) on Thursday April 08, 2010 @04:12PM (#31781942)

    Person A says to cops: "I received spam. Here is copy."
    Cop identifies IP.
    Cop says to provider "Give me billing info on this IP b/c of spam."
    Provider gives billing info. If not, does so after quick court order. If still not, gets shut down.
    Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.

    Or something like that.

    The problem is having a quick, efficient, and intelligent police response in place, and having people know where they can go to get it. We will never stop spam unless we decide to commit sufficient resources to doing so.

    We might use civil causes of action, class actions, and/or private atty general statutes. (But have to be careful to limit abuse.)

    • by Improv ( 2467 ) <pgunn01@gmail.com> on Thursday April 08, 2010 @04:15PM (#31781990) Homepage Journal

      Not good enough. I don't want to bother the cops when I can bother the ISP, or the people hosting that ISP, and upwards. Besides, not everyone is in the US.

      Privacy is less important here than the potential for menace and the ability of people to kvetch directly at troublemakers.

      • Re: (Score:3, Insightful)

        Not good enough. I don't want to bother the cops when I can bother the ISP, or the people hosting that ISP, and upwards.

        Isn't that the RIAA thought as well?

        • by mysidia ( 191772 )

          It occurs that the privacy of IP information should make sending DMCA letters to an accurate contact based on IP address almost impossible (eventually)

        • by Improv ( 2467 )

          If it is, so what? In your scenario, the RIAA would go to the police using their lawyers instead.

          While legal recourse is possibly necessary at some point, having contact information for IPs accessible without a lawyer helps keep the net running smoothly. It's not worth giving that up in the name of privacy.

    • by ShakaUVM ( 157947 ) on Thursday April 08, 2010 @04:27PM (#31782098) Homepage Journal

      I know that for my company, I'd get a lot less spam if they couldn't trawl my email address out of the registry. Fortunately, a quick filter set up gets rid of most of it.

    • Re: (Score:3, Insightful)

      by wowbagger ( 69688 )

      Unfortunately, there are several problems with this:

      1) "We might use civil causes of action, class actions, and/or private atty general statutes. (But have to be careful to limit abuse.)"
      result: Cop says "Not breaking the law, not my problem, go away."

      So you have to make spamming truly against the law.

      Result: Cop says "Yea, I'll get right on that, after I go after a bunch of more interesting (read: higher fines) crimes." Considering how little the cops enforce crimes that are threats to life and lim

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      1. How do you identify the source of the spam? Email headers can be forged, you know; you're going to have to analyze the log files at each node along the way. Good luck with that.
      2. Nobody is going to shutdown a provider unless the violation is extremely egregious; people use bot nets to spread the damage around rather than isolating it at a single point of failure.
      3. Spam is really annoying and costs people real money, but not so much that actually going after people is worth the extra expense; maybe a

    • Person A says to cops: "I received spam. Here is copy."

      Cop requests complete copy of spam, waits three days for response, works through forged headers, determines IP is in another country.
      Cop answers impatient email from Person A.
      Cop requests assistance from local authorities, six months pass. Cop answers several impatient emails from Person A.
      Local authorities provide name and street address registered to IP.
      Cop researches data and determines the address is a vacant lot in another country. Cop reports th

    • Re: (Score:2, Interesting)

      by Ornlu ( 1706502 )

      ... after quick court order. If still not, gets shut down. Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.

      The trouble is, that stuff costs money. And ignoring/filtering spam doesn't. I'd rather keep my money (and have to deal with spam) than pay higher taxes to fight it.

    • Re: (Score:2, Interesting)

      by mysidia ( 191772 )

      Cop identifies IP.

      And since the upstream has kept the ISP's information private, to prevent other providers from seeking their contact details, the Cop is going to have a very fun time.

      Suppose the user was not a subscriber to a Tier 1 ISP.

      Then there could be 3 or 4 levels of re-assignment involved, all private.

      For example, the user subscribes to Mom and Pop ISP who buys data service from Xyz Co, who is a local exchange or local provider of data services in a very small region.

      Said local provi

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Person A says to cops: "I received spam. Here is copy."
      Cop says "GTFO! Hahaha."

      FTFY.

      Seriously, who calls the cops for spam and expects them to not laugh at you?

      • > Seriously, who calls the cops for spam and expects them to not laugh at you?

        It doesn't have to be the same cops who deal with murders and stabbings. In fact, it probably shouldn't be; it takes different skills to hunt down spammers.

    • Having dealt with identity theft and the police, I think it'd go more like this:

      Person A says to cops: "I received spam. Here is copy."
      Cop says it might not be their jurisdiction and there might not be much they can do about it, but they'll look into it.
      A month passes and Person A calls the cops to see what progress has been made.
      Cops reply that they've assigned an officer to the case, but he's got a lot of other cases and he'll get back to Person A.
      Repeat the last 2 steps until Person A gives up and drops

  • Want to fix the spam problem? Get rid of "private" domain registrations. If the domain isn't registered to a real human being, pull the plug.

    This will help stop sites that offer crap like "bullet-proof email services" - spam-on-demand.

    • Want to fix the spam problem? Get rid of "private" domain registrations. If the domain isn't registered to a real human being, pull the plug.

      This will help stop sites that offer crap like "bullet-proof email services" - spam-on-demand.

      Real question because I don't honestly know: how much spam is actually sent from people with registered domain names who own blocks of IP addresses? How does this number compare to the spam sent from compromised Windows machines that participate in various botnets? If the latter is a much larger source, then this looks more like another ineffective feel-good measure. Though to be honest, even if you shut down every last botnet I don't believe that would stop spam, because spam predates large botnets.

      T

      • Re: (Score:3, Interesting)

        by tomhudson ( 43916 )

        Spammers need a legit server to receive those clicks. See how I tracked down one spammer half an hour ago [slushdot.com] to learn more.

        Pay particular attention to the section around the "Directory Listing Denied" segment.

        You might also want to help ...

        Your only hope is to convince the users to give up their habits through education.

        I'm still waiting for the "year of the linux desktop", so I don't hold out much hope for end-user education :-)

        • Spammers need a legit server to receive those clicks. See how I tracked down one spammer half an hour ago [slushdot.com] to learn more.

          That's wonderful, and probably made you feel better, only it misses my point. You can track down 500 more spammers if you want. Even if you manage to get every last one of those 501 taken offline, more will show up to take their place. That will continue so long as spam remains profitable. What you're doing there is more about a visceral feeling of nailing someone for

          • That will continue so long as spam remains profitable

            Here, let me fix that for you:

            That will continue so long as spammers don't go to jail.

            The root problem is that spammers are anonymous. Strip them of their anonymity, and watch how spam goes from 95% of all email to 5%.

      • Re: (Score:2, Interesting)

        by mysidia ( 191772 )

        Real question because I don't honestly know: how much spam is actually sent from people with registered domain names who own blocks of IP addresses? How does this number compare to the spam sent from compromised Windows machines that participate in various botnets? If the latter is a much larger source, then this looks more like another ineffective feel-good measure.

        You realize, these are not disjoint sets?

        There are a lot of Windows machines on the networks of companies that hold IP addresses.

        These

    • Getting rid of "private" domains won't do a damn thing except INCREASE the amount of spam that domain holders get. Spammers don't hide behind private domains, they hide behind huge botnets!

      I used to not hide my whois information. In fact, I was proud to display my contact information in my whois entry when owning my own domain was a novel thing. Then the spam started on the contact accounts. Annoying, but I could handle it. Soon after, I started getting phone calls from people who barely spoke Engli

      • Spammers don't hide behind private domains

        Your statement isn't true. As an example, yesterdays' spam [slushdot.com] - that wasn't sent by a botnet.

        Second, for the spam that IS sent by a botnet, you'll see that it tries to send people to specific sites. Those sites are the ones you want the whois information for. Often, they're hiding (like yesterdays) behind bogus throw-away email addresses (such as, in yesterday's case, gmail accounts).

        Sure, you'll get a few phone calls - that's what call display is for. And with

        • Sure, you'll get a few phone calls - that's what call display is for. And with the new Do Not Call list, such calls net the caller an $11,000 fine. Haven't gotten one since I put my number on the list, so even if they harvest the phone number, they can't use it.

          So wait, guys trying to get illegitimate access to my machines and/or steal my identity and calling through "unavailable" VoIP lines from Russia and Nigeria are going to respect the US's Do Not Call list? Get real.

          Also, even though my contact information is unavailable TO YOU, it is not unavailable. If there is an issue, my registrar does have my full and complete information (and they are required by ICANN to confirm it is correct periodically, which they do). Perhaps not all registrars follow the ICA

  • Why is it so hard? (Score:3, Insightful)

    by Auroch ( 1403671 ) on Thursday April 08, 2010 @04:21PM (#31782038)
    If GB is passing laws to cut off file sharers, who do so for personal use only, why can't they move quickly to impede spam?

    ... oh right. Spam is enterprise, brings in money. Piracy takes it away. Never mind that everyone loves piracy and hates spam ...
    • Re: (Score:3, Insightful)

      by D Ninja ( 825055 )

      ... oh right. Spam is enterprise, brings in money. Piracy takes it away. Never mind that everyone loves piracy and hates spam ...

      What people like and what people don't like should not dictate the laws of the government. I would LIKE free money given to me every single day of my life and I would LIKE not to ever pay taxes again.

      And, your reasoning is off. Piracy is getting such attention because interest groups (music industry, movie industry) are throwing money behind it to stop it from happening because they think (rightly or wrongly - not going into that here) that piracy is hurting their business. Most individuals don't think

      • What people like and what people don't like should not dictate the laws of the government.

        Why?

        I would LIKE free money given to me every single day of my life and I would LIKE not to ever pay taxes again

        Invalid example, you are not "people", now if people wanted those things, I would not see a reason for the government to not comply, of course, this has obvious consequences that make it impractical and people know that, but you are not arguing against the consequences, your position is that the will of the people shouldn't dictate law.

        Will you defend it or take it back?

    • Spam is an annoyance. Piracy is actually damaging.

      • by Bengie ( 1121981 )

        Wikipedia:
        "the worldwide productivity cost of spam has been estimated to be $50 billion in 2005"

        And that's back several years. Now include money scams/etc.

        Piracy:
        Many independent researches have shown the people who pirate the most are the same people who are most likely to buy the material.
        eg. The guy who pirated Avatar was also the guy who went to the theater several times then went out and bought the blue-ray

        Per person, people who pirate, spend more money. Yes, some people who pirate don't buy anything w

  • I find the "contact us" facility on some ISPs to be totally lacking, especially if you want to complain about one of their customers abusing their service. I had course to complain [paullee.com] to swbell/AT and T about a venonomous message recently and not only did it take ages to find a complaint address, but I never got a reply back. (Also, the police and FBI have been useless too)....
    • by mysidia ( 191772 )

      A "venomous message" is not network abuse in the traditional sense, although it still may result in account termination (especially if the ISP is a university or employer of the sender), most commercial ISPs will not or cannot do anything about a complaint of a venomous message. Although they may have an AUP that message content violates, support personnel cannot readily make a determination whether a single message constitutes legal harassment or not, and whether the claimed sender really sent that text

  • by Anonymous Coward

    Everybody should have a right to privacy up to the point they abuse it. That address and contact information, when reflexively made public, can and is happily abused by other unaccountable individuals and businesses.

    Our problem is that we don't have an effective system for making abusers face consequences for their actions, and stomping on the privacy of responsible actors on the Internet only makes the problem worse by adding to the pool of people whose information can be used to harass them with spammy c

    • by mysidia ( 191772 )

      Personally, I think you should have to register to see entries in the WHOIS directory, pay a $5 fee, and obtain a login and password to authenticate. You yourself will be listed in the WHOIS directory as a whois user, with full details.

      And any lookups you perform will become public knowledge for the next 7 days, together with the IP address(es) performing the lookup, and what records you looked up.

      In other words... public information, but also public record of who is accessing that information.

  • Contrast this with the provisions of ACTA, which require that the ISPs more strictly monitor citizens for imaginary property infringement.

    Looks like you're much better off being a corporation than a person these days. Better privacy. Better health benefits. Better insulation from litigation. And if you get big enough you don't even have to be financially solvent in order to survive, the government will bail you out.

  • by Anonymous Coward

    Corporations are NOT people. Therefore, they have no "privacy" expectations or rights to such.

    They are PUBLIC corporations. I see no reason to extend the rights that individual PEOPLE enjoy to corporations, which by their inherent creation, are PUBLIC entities.

    If they have nothing to hide, well, then why are they asking to be hidden? (I know this is a fallacious argument, but when corporations and the government (and their cheerleaders) apply it to people, why can't it be applied similarly to corporations?)

    • by blair1q ( 305137 )

      Not all corporations are public.

      But the Internet should not be an anonymizer for criminals, either.

  • by Anonymous Coward

    At least with this proposal providers could implement their whois servers and actually leave them up and running all the time, rather than only turning them on when working with ARIN to receive another IP allocation (common practice in the industry), which doesn't really help anybody when they are down.

    • by mysidia ( 191772 )

      Intentionally downing or failing to do either operate the RWHOIS server 24x7 or provide the re-assignments using SWIP is a NRPM violation, and therefore a breach of the RSA contract the provider signed with ARIN.

      If they are found out, their IP resources subject to the RSA can be revoked immediately...

      In reality, they might get off with a stern warning, but it seems like a really risky practice.

  • Neither WHOIS information nor IP address block allocation (ARIN's remit) should be private. Neither businesses nor anonymous web sites are entitled to anonymity in most of the developed world. Europe, in fact, is tougher on this than the US. [sitetruth.com] Europe has the European Privacy Directive, but that's for individuals acting in their private capacity. Businesses come under the European Directive on Electronic Commerce. [europa.eu]

    1. In addition to other information requirements established by Community law, Member States

  • Seems to me that legitimate businesses with an internet presence spend a lot of time & money on trying to be known.
    Why would a legit business want to be anon?
    For people posting in fear of their lives, there's Wikileaks...
    This is not the way to defeat spammers and others.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...