07
Apr 10

ISP Privacy Proposal Draws Fire

A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software.

The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses – later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers.

The idea has support from several ISPs that claim the current policy forces ISPs to effectively publish their customer lists.

“I operate in a very competitive business, and there are instances where I can show that my competitors have gone out and harvested customers’ contact information and used that to try to take those customers away,” said Aaron Wendel, chief technical officer at Kansas City based Wholesale Internet Inc., and the author of the proposal. “I have yet to find another private industry that is not government-related that requires you to make your customer lists publicly available on the Internet.”

Critics of the plan say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.

Jeff Chan, who maintains Surbl.org, a list of Web sites that have appeared in spam e-mails, said in written comments on the proposal that it would effectively require a court order to ARIN to discover the business user of an Internet address, as the proposal doesn’t contemplate a process by which ISPs would be required to disclose the information.

“Such restrictions could severely hamper private operations that significantly help to secure the Internet, such as security research, botnet and malware mitigation, notification about cracked servers and networks, etc,” Chan wrote. “By slowing down access to contact information, indeed severely restricting access to it, routine actions which today help protect the Internet community could be severely obstructed to the point of preventing them from happening in many cases.”

Security experts from Paypal commented that ARIN should be considering ways to make the ownership of address blocks more transparent – not less – citing research published by KrebsOnSecurity.com that examined the ISPs that were most commonly identified on the Top Ten Worst ISP lists, from ten different organizations that measure ISP reputation.

“The concerns we raise above to be aren’t purely hypothetical either.  Just this week we’ve seen the publishing of data about possibly malicious ISPs that paints with a fairly broad brush because of how registration data is represented to the outside world,” wrote Andy Steingrubel and Jon Orbeton, members of Paypals’ security team. “Without better visibility into the actual bad actors the community is forced to view certain large ISPs with more suspicion than they may be due.  More accurate records….can help to prevent this situation.”

Chief among concerns voiced by those in the security industry is that the policy change would make it easier to hide the tracks of so-called snowshoe spammers. According Spamhaus.org, these are spammers who use “many fictitious business names, fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small permanent range of sending Internet addresses. Snowshoers often use anonymized or unidentifiable WHOIS records, whereas legitimate senders are proud to provide their bona fide identity.”

Indeed, Spamhaus has identified a fairly large  number of snowshow spammers apparently operating out of Wholesale Internet.

Wendel said his company has a full-time employee who handles abuse complaints and disconnects customers who generate spam abuse complaints.

“Unfortunately, spammers are attracted to us because [our service is] cheap and their liability [for losing servers to abuse complaints] is much lower. That’s just the nature of the business, unfortunately.”

Still, Wendel said he was somewhat unprepared for the public reaction to his proposal.

“Before I floated this [proposal], I got a lot of people saying, ‘Good luck, and keep your head down.’ I knew I’d catch some flack for it, but it’s generated a bit more flack than I expected.”

ARIN is expected to decide on the proposal later this month at its meeting in Toronto.

Tags: , , , , , , , , ,

34 comments

  1. Personally, I hope they throw this proposal out. All this is going to do, as has been made clear by others, is make it alot more difficult to identify and report, bad players.

    ThePlanet are a prime example of this, due to their not making it clear, which company owns certain ranges within their AS (which has in turn, led to most assuming ThePlanet themselves are responsible).

    • Suresh Ramasubramanian

      Theplanet’s rwhois server works great for what you need
      rwhois.theplanet.com port 4321

  2. I have all of Wholesale Internet’s IP space blocked as I have never seen anything legitimate coming from there. Seems to me they’re just looking to make it harder to trace their spammers.

  3. Spammers must seriously be loving this. Right as China makes things more difficult for them (and stomps on some human rights?). There will soon be a way to hide your spammy self even better!

    Hopefully this thing gets thrown out, there are few enough people dedicated to fighting spam without making their jobs/lives substantially more difficult.

    • Don’t you get it… this won’t have any impact. Businesses systems will just be compromised and used for spam instead. No point in it non-anonymous records. Sure it makes it harder for the less technical spammers because now they have to come up with the capital to pay for the software to thwart the system instead of the capital to pay for the dsl lines…. ohh wait.. never mind. they are about the same price. haha yea it really makes a difference.

  4. Why should the ownership of web property be any different than the ownership of real property, such as a house?

    How can we abate web nuisances if we don’t know who the owners are, just as we can not abate the neighbor next door that is dealing drugs?

    We are not obliged to make up for a business person whose customers are easily talked away because the business offers nothing special in their way of business. Without a unique selling proposition, any business, web or otherwise is ultimately doomed.

    • As to that, I think both should be considered private. I don’t like property ownership being “public record” any more than I like my local government selling my email address if I dare ask for an automated answer to a FAQ.

      I’d rather see them make it an option. If you believe that all legitimate business sites will proudly advertise their information, then follow John’s example and blacklist those who don’t. I don’t like that the default is always “full disclosure,” especially when to my view it seems that it would only take one extra “if-then” statement to make it the customer’s choice.

  5. BattleChicken

    “Unfortunately, spammers are attracted to us because [our service is] cheap and their liability [for losing servers to abuse complaints] is much lower. That’s just the nature of the business, unfortunately.”

    Translation: “We design our business to appeal to spammers – they are our best customers”.

    It seems to me that this proposal was designed to capitalize on a market opportunity created by the legislation in other countries.

    Shady business at it’s worst.

  6. One thing that’s not entirely clear from this article (or indeed in the proposal) is that this proposal is actually a major change to long-held precedent that the owner of a range of IP addresses should be contactable.

    In other words: the proposal is to hide information that’s already available.

    • J.D. — Really? I thought that was stated twice in the first two paragraphs. Second graf:

      The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses – later this month will consider a proposal to ease rules that require ISPs publish address and phone number information for their business customers.

  7. Chris Anderson

    It looks like the public comment period of ARIN policy development takes place via mailing list. Would anyone know if this rule-making body still is accepting comments from the public? And short of attending the upcoming conference, how I could do just that?

  8. CAUCE will be attending the ARIN meeting, and I am aware of other anti-abuse organizations that have submitted comments to ARIN.

    We will be coming our very much against this proposal; perhaps the commentary here can also be cited.

    One bt of disengenuousness that hasn’t been mentioned here is how trivial it is, even with telephone numbers and email addresses obfuscated, to determine a point of contact were one predisposed to intra-ISP client poaching. They have these new things where you can find out all sorts of stuff abut a given company. I believe they are called ‘websites’.


    Neil Schwartzman
    Executive Director
    CAUCE: The Coalition Against Unsolicited Commercial Email

  9. The issue here is transparency. A business is not a person so much as a bunch of contracts. An ISP is a reseller of digital land. I suppose registration records are analogous to land deeds. People, especially the State, have to know who owns property to settle disputes and prevent fraud. An IP address or block is analogous to owning a plot of land or an entire community. A commercial property is different from residential property. What one does in one’s home is a private matter. What goes on in businesses are not necessarily private. Employees have no expectations of privacy. Customers have no expectations of privacy since the owners can sell their customer databases to any one who wants to buy it, and businesses are not allowed to hide who they do business with unless the customer requests it. But ISP’s are selling more than a service, they are selling presence or space. If someone is smart enough to work out your customer list via whois records that is tough. You can still sell your database because you have better information in it. This proposal is against the common good and would make it quite difficult for people to be held accountable for bad behavior. It would make the ISP’s less accountable than they already are to their customers and private citizens. Society only works because of peer pressure to conform to common moral decency. When peer pressure and transparency fail, laws must be invoked. If laws are unenforceable or not enforced, they are useless. Since there is little law on the Internet and no expectation of privacy for customers, why should this businessman be able to prevent people from knowing who he does business with? Commerce is supposed to be open and transparent. Without transparency, there’d be no way for the buyer of his contact list to verify that it was any good from the whois records. The ISPs would also become havens for crooks who can hide from the light of inquiry.

    • “A business is not a person so much as a bunch of contracts.”

      I don’t know if you’re a business owner or not, but the above statement is absolutely incorrect. LLC’s, C-Corps and S-Corps and various other legal “entities” are absolutely considered “persons” in the eyes of the law. That key concept is the underpinning of much Western law.

      When a law wants to distinguish between a corporation and carbon based being, they will use the phrase “natural person” to make it clear that they are referring only to carbon based entities.

  10. If ISP’s are worried about competitors harvesting their customers’ email addresses, provide another way to contact those customers. I’d love to be able to use a web form to message a business whose pwned server is hosting malware or phishing websites. And if the owners of those businesses have the sense they were born with, they ought to want their ISP to make it easier for people to contact them.

    If ISP’s were making the effort to aggressively search for evidence of abuse and compromise on their own networks, it might be a different discussion. But the current state of affairs is they seem to do nothing until some third party makes the effort to submit an abuse report to inform them about a problem. We’re talking about alerting them that their paying customers are infected with data-mining trojans that can potentially destroy their businesses. They should welcome this information. They are certainly in no position to whine about whether their customer lists are public if they depend on the public to do their jobs for them.

    • You have no right not-to-receive packets. If you don’t like the shit I send drop the packets once you get them.

  11. I find it interesting that so many people approach this issue not as a “property rights” issue – but as an issue about “what is best for the community”. Sounds an awful lot like the debate raging in US political spheres right now.

    Anyway….I strongly prefer to analyze this as a “property rights” issue – consistent with our constitutionally protected right to own private property. I refuse to make groundless speculation about “what is best for the community” because that’s exactly how our rights and liberties are eroded every single day. But I digress. My actual point is…

    If you register an LLC or a corporation in any US state, you must, without exception, provide the name of a “registered agent” who can receive correspondence on behalf of the LLC or corporation. If the registered agent is not reachable or does not respond to a court summons, etc…then the LLC or corporation is deemed invalid.

    You can not establish a corporation but then provide no way for other entities to contact that corporation.

    I think it should be the same with domain names. You should not have to reveal who actually owns this property – but you do have to provide a way to contact the owners, even if it is through a “registered agent”. And if the owners do not respond to correspondence, then the domain should be deemed invalid/abandoned.

  12. To the extent that you feel strongly about this issue, I recommend participating in the ARIN meeting (either onsite or remotely). There is no cost associated with remote participation, and we provide the ability for remote participants to make comments and ask questions just as any other participant. Anyone in the Internet community may participate, membership in ARIN is not required to participate in the policy discussions.

    For more details, please refer to

    /John

    John Curran
    President and CEO
    ARIN

  13. Best idea yet! I don’t think anybody should ever identify themselves on the internet unless absolutely necessary. It just seems dumb. This is why we have spam and all the problems we do. We’re doing the exact opposite of what we should be doing. Instead of trying to identify spammers we should be anonymous ourselves both businesses and individuals on the web. You want to order something online? Get a throw-away address (post office should offer these ‘fake redirect addresses’), a throw-away credit card number with a specified amount preloaded (via a website you can create these throw-away credit cards), etc. and so on. Businesses might need to identify themselves for brand purposes and that allows them to built a reputation. BUT this is not the type of business that is going to be anonymous. The type of business that is going to be anonymous is going to be engaged in activities that others may find undesirable-and therefore harassing with litigation. There is not justification for it and nobody should have to identify themselves. If there is a significant criminal complaint then the law can get involved… although even in that case it is of questionable value since true anonymity should still exist online for political groups. If that exists it therefore must exist for any other purpose. It already does in practice- so this argument is completely philosophical. All one has to do to prove it is look at freenet, tor, and similar anonymous networks. You can even link directly to anonymous websites via ‘proxy-like’ sites such as tor2web. You don’t have to install any special software.

    Here is one anonymously published site that was setup as an example that even if the government wanted to they couldn’t get taken offline because it is on a server that is hidden. Unlike some of these spammers setups this can’t be taken down by a court order since there is no way to identify the host or ISP. You don’t know if it is hosted in the USA, Russia, or somewhere in Africa.

    The anonymous site I’m linking to as an example is probably completely legal in all jurisdictions of the world as it is just (hehe) one countries constitution:

    http://duskgytldkxiuqc6.tor2web.com/comsense.html

  14. That is the complete opposite of what we are doing at APNIC at the moment.
    http://www.apnic.net/policy/proposals/prop-079

    The nearly same proposal will get online tonight for AfriNIC.

  15. All in all this proposal makes wholesaleinternet.com look bad when you look under the surface. And it’s kind of funny, about a week ago actually I emailed them inquiring about colocation prices. Got a response, but the president didn’t respond to my follow-up question. Makes them seem unserious.

    Anyway, their chief technical officer, Aaron Wendel, uses Microsoft Office Outlook. (It doesn’t even do proper quoting!) To me, using such software says he’s not interested in security. And perhaps less interested in “playing nice” (by respecting mail netiquette) than he should be. If one’s security measures determine the type of data flowing across the network, then maybe it’s not the network to be on. And lo and behold, many of its netblocks are found in dnsbl lists, far more than other colo companies I’ve looked at. 2 + 2 = ??

    • ‘To me, using such software says he’s not interested in security.’

      Exactly. Either not interested or clueless or both. Avoid like plague. 😉

  16. All in all this proposal makes wholesaleinternet.com look bad when you look under the surface. And it’s kind of funny, about a week ago actually I emailed them inquiring about colocation prices. Got a response, but the president didn’t respond to my follow-up question. Makes them seem unserious.

    Anyway, their chief technical officer, Aaron Wendel, uses Microsoft Office Outlook. (It doesn’t even do proper quoting!) To me, using such software says he’s not interested in security. And perhaps less interested in “playing nice” (by not respecting mail netiquette) than he should be. If one’s security measures determine the type of data flowing across the network, then maybe it’s not the network to be on. And lo and behold, many of its netblocks are found in dnsbl lists, far more than other colo companies I’ve looked at. 2 + 2 = ??

  17. As I said above, I have never seen anything legitimate coming from Wholesale Bandwidth and its past is certainly very murky:

    http://www.47-usc-230c2.org/chapter2.html

  18. Bernard Swiss

    “I operate in a very competitive business, and there are instances where I can show that my competitors have gone out and harvested customers’ contact information and used that to try to take those customers away,” said Aaron Wendel, chief technical officer at Kansas City based Wholesale Internet Inc., and the author of the proposal. “I have yet to find another private industry that is not government-related that requires you to make your customer lists publicly available on the Internet.”

    Boo-hoo. My phone service provider, my credit card company, and my heating-oil company, among others, beg to differ (and that’s just so far this year). And when I was managing a storefront retail business, my suppliers would have disagreed, too. It’s called “competition”, and guess what — that means you have to compete with other suppliers/providers.

    “Unfortunately, spammers are attracted to us because [our service is] cheap and their liability [for losing servers to abuse complaints] is much lower. That’s just the nature of the business, unfortunately.”

    So, since you have such an attractive offering, why are you worried about competitors wooing your customers, anyway?

  19. Bernard Swiss

    Lost a whole couple of sentences in there, somehow…

    … My phone service provider, my credit card company, and my heating-oil company, among others, beg to differ (and that’s just so far this year). I hear from their competitors all the time, by phone and by mail. And when I was managing a storefront retail business, my suppliers would have disagreed, too — their competitors would even show up in person. It’s called “competition”, and guess what — that means you have to compete …