AFNIC new procedures for fighting against identity theft!
AFNIC creates a new system to fight against identity theft in Whois data.
A disguised anonymity
This practice is unfortunately common and concerns all extensions. Many extrajudicial procedures (Syreli, UDRP) reveal these actions, which can be explained by two main reasons:
- Hiding a fraudulent reservation
The Whois is declarative: no serious verification is imposed on registrars. Cybersquatters and counterfeiters therefore regularly abuse this system by entering false information so as not to reveal their identity. To avoid flagrant cases (John Doe, 52 Champs Elysées 75008 Paris), using an existing identity is common.
The practice is booming with the development of phishing campaigns and, in particular, Spear Phishing, where the domain name used is often registered in the name of the CEO / CTO in order to deceive, hide, or delay the detection of the fraudulent nature of the registration.
For example, Philip Morris was a victim of this practice, as highlighted in decision UDRP D2017-0782:
“This is evidently a fraudulent misidentification by the unknown person who actually registered the Domain Name, who shall be referred to hereafter as the Respondent. The name given by the Respondent at that time is that of the Complainant’s president and CEO, and the postal address given for the registrant is the address of the Complainant’s headquarters”
- Respecting the conditions of eligibility
To "apparently” comply with the eligibility conditions of .FR domain names, non-European holders steal identities on the internet, including directories. This practice has particularly developed over the last years with the booming of the SEO sector, counterfeiters’ interest for expired domain names, and the explosion of the BackOrder market.
In order not to be identified, while complying with the conditions of eligibility, these individuals massively file domain names under the identity of French citizens.
This sometimes leads to original cases, such as the recovery of the domain name <cocusdenicolassarkozy.fr> (<cukfoldsofnicolassarkozy.fr>) to sell infringing tongs, using Whois data which were apparently stolen.
(@163.com which is a very popular free webmail in China shows the real identity of the holder)
A growing practice
From 2015 to 2017 AFNIC identified 50 applications related to this practice for 115 domain names.
While the French registry was already dealing with this type of disputes and communicated about this topic, the process was simplified on 4 June 2019 with two new procedures.
AFNIC new procedures
AFNIC has just published two new procedures allowing both to identify potential cases of infringement, and to act against them. These procedures can therefore be cumulative or alternative.
It should be recalled that, by default, AFNIC opts for a restricted distribution of data relating to natural persons, in accordance with its charter and the legislation on personal data:
“In compliance with the request of the France's data protection authority (CNIL)and according to GDPR, when a domain name is registered by an individual, the registrant may opt by default for the "restricted distribution" option.
.When this option is chosen, no personal data (name, address, telephone, fax, and e-mail address) is distributed online within the Whois database, except for technical information only (technical contact -Registrar details and DNS servers).”
Therefore, it is difficult, if not impossible, to identify domain names registered under a given identity.
Reverse Whois: identifying domain names that use my personal data
First, AFNIC provides a form allowing to identify all .FR domain names whose Whois data contain personal data of natural persons.
“This form allows you to request that Afnic communicate the information about you in the Whois database and thus to know exactly which domain names have been registered using your identity under the TLDs operated by Afnic, namely: fr, .pm, .re, .tf, .wf, and .yt.”
However, this procedure will be limited to information provided to registrars by potentially fraudulent reservists. It is also not clear whether the information is searched cumulatively or alternatively:
- exact combination: name + first name + phone + address
- or, search on the phone number only, sole combination of name and surname, etc.
Procedure for the deletion of domain names filed under a false identity
Following the first step, the French register allows to highlight disputed domains and to ask for their deletion.
Filing a complaint will nevertheless be a prerequisite for the processing of the application:
“As a victim, you must file a complaint with a police station or gendarmerie citing the known domain names and associated identifiers for which your personal data have been used without your knowledge”.
If the registrar is unable to validate the identity of the owner, AFNIC will delete the domain names using this information. More precisely, the HANDLES NICs identified will be deleted, and the registrar will delete such domain names due to the lack of validation of identity (subsequent control).
Actions at the expenses... of the victims!
A disputed domain name registered under a false identity was the subject of legal proceedings before the Paris Court of first instance. The individual mentioned in the Whois data and whose identity had been stolen had to respond to this infringement before the Court of first degree.
ln a surprising decision dated of 2 March 2017, the Paris Court recognized the responsibility of this individual, who was the victim of an identity theft in the whois data, because the same did not act strongly enough to request the deletion of the domain name.
Accordingly, this individual will be condemned by the Court:
"As the losing party in the dispute, Mrs. Y. who did not take with sufficient diligence the steps necessary for the transfer or deletion of the disputed domain name will be ordered to pay Mrs. X. the sum of Euros 800 pursuant to Article 700 of the Code of Civil Procedure and to bear the entire costs of the proceedings.”
It is a double punishment for the victim to be unduly associated with a legal action and to bear the costs therefor.
Further to this case law precedent, we can only welcome these two new AFNIC procedures and invite any victim to proceed shortly with the verification of their data within the Whois data, and request the deletion of the domain names at issue.
Gaël Mancec | ICT expert
+ 33 (0) 4 72 69 84 30