In message <CAN-Dau2V1AVqHV7TwBEd9LZifv61e=b5jqaq7eult34qool...@mail.gmail.com> David Farmer <[email protected]> wrote:
>The proposed /22 limit seems reasonable and should be effective in limiting >the financial incentives to profiteer. I could show you direct evidence from the RIPE region which, if you saw it, would quite certainly demonstrate to you beyond any doubt that merely limiting allocations to /22 blocks has little if any effect on those seeking to game the system. In fact, I could show you evidence of -two- entirely separate operations that have been plundering the remaining RIPE IPv4 space, basically one /22 at a time, for some significant time now, and where each of these two operations has already amassed its own colossal amount of IPv4 space in exactly this manner. (We are *not* talking about a few dozen /22 blocks here. We are talking about two sets, each of which is in the low hundreds.) I would have publicized these operations and their allocations already, but I've been working on a lot of things, some of which have been even rather more urgent, like my pursuit of the two groups of bad actors who have been sending out those annoying bitcoin "sextortion" spams, and, on December 13th, 2018, those bitcoin extortion bomb threats. Anyway, this topic brings me back to something else I wanted to mention here anyway. Once again I'll get back up on my soapbox, for whatever little good it will do, and continue my longstanding, ongoing, and generalized rant about transparency. What's the point of limiting each organization that applies to some RIR to just a small /22 allocation as long neither the RIRs themselves nor anybody else for that matter has any real idea who is actually behind any of these applicant entities? As the two european operations I've aluded to above have quite successfully proven, it is both cheap and easy to acquite essentially unlimited numbers of essentially fictitious but properly regitered corporate entities, *and* to then use each of those to make seprate requests for IPv4 space. This isn't a hypthetical problem. It's been ongoing for some time already, at least in the RIPE region, and at a gigantic scale, and at least with respect to two entirely separate operations that I personally am already aware of. (There may perhaps be even more such operations out there that I personally just haven't had the pleasure of bumping into yet.) Exactly such forests of essntially annonmous, unattributable and completely unaccountable corporate shell companies have, of course, bedeviled all those who work to thwart money laundering. And such sets of shell companies have been at the center of innumerable money laundering cases for a long long time now. So in that sense, at least, the use of groups of shell companies to disguise what's really going on is really nothing new. What is at least somewhat new... and arguably entirely predictable... is the use of sets of shell companies to aquire, by hook or by crook, what little remains of the highly valuable IPv4 address space. So, how does this occur, how does it all work, and what if anything can be done to stop it? Not surprisingly, it all comes back to transparency, or rather, to the abundant lack thereof. Just the other day, someone pointed me at a segment of the the current (2013?) standardized ICANN accreditation agreement that they make all of their domain name registrars sign. I don't know if the specific part of that standard agreement that I was looking at was added in response to the incident, some years ago, when ICANN had egg all over their collective faces... because they had allowed the notorious Scott Richter to become an accredited domain name registar... or if this part of the current standard ICANN registrar contract was put in as a reaction to something else, but anyway, these days each and every entity that wants to become an ICANN accredited domain name registrar has to divulge to ICANN that entity's "beneficial owners" all the way down to the 5% level. So in theory, at least, ICANN knows about all cases where someone actually owns two or more "separate" domain name registrars. Well, that's true in theory anyway. It's not immediately clear, to me at least, that the "owners" that ICANN demands be (confidentially) identified can or cannot themselves be shell companies. If they can be, then this whole exercise is really just an elaborate charade on ICANN's part... a fig leaf covering up a fig leaf. And being jaded as I am, I am inclined to think that that is indeed most probably the case, and that this was all worked out in a way so that really, any crook or conman that comes along can still become an ICANN Accredited registrar (and ICANN can still derive the revenue therefrom) except that now, there is a tiny bit more paperwork involved, and a tiny additional fee, specifically the one to cover the creation of the shell company. But conveniently, the *next time* somebody figures out that ICANN has made some new crook into an accredited registrar, ICANN has plausible deniability and can just say, with an almost straight face, "Gee! We didn't know! As far as we knew it was this shell company that we made into an accredited registrar! And we are shocked to find that there's gambling going on here!" So, to bring this back on point, if anybody in ARIN-land actually and seriously gives a rat's patootie about eliminating this kind of game playing, wherein numerous shell companies are used, in effect, as straw buyers to accumulate IPv4 address space, then there is one, and only one Right Answer. ARIN would need to have every privately held entity which receives a direct allocation divulge all of its actual "natural person" owners, at least down to some pencentage level. Ideally, that information would then be made public, so that in addition to any vetting that ARIN staff might do, various enterprising independent investigators could also check to see if some guy whose company just got a /22 also happend to have a brother-in-law, or a chef, or a favorite chello player who also just happned to get his own /22 block at around the same time. The Brits, having been under intense pressure to clean up the colossal mess that was Russian money laundering into the City of London banks, by way of a few zillion anonymously held UK shell companies, recently got off their asses and actually legisslated that enough was finally enough, and now, if you go to the UK's CompaniesHouse web site, for each active UK company registered there, you can look and see who the natural person beneficial owners are, at least down to the 25% level. And starting at the end of next year (2020) these new transparency rules will also come into effect even for the traditional secrecy, money laundering, and tax havens of the various British Overseas Territories, e.g. Caman Islands, British Virgin Islands, and so forth. The tide is slowly but surely shifting away from dodgy secrecy and various old corpoate secrecy rules, in many jurisdictions, including many which have for so long allowed crime, fraud, and malfeasance to flourish in many of the dark corners of this planet. Even Switzerland has been forced to give up information about U.S. tax cheats to the U.S. Department of Justice. Withe respect to this growing trend towards transparency in the service of honesty and fair dealing, I respectfully suggest that ARIN should either lead, follow or get out of the way. I don't think it would do for ARIN or the various other RIRs to be the last places on earth to actively provide aid, comfort and shelter to crooks hiding behind unattributable shell companies, and ideed, as the examples I've seen in the RIPE region prove, beyond a reasonable doubt, shell companies have been used and are being used to slowly but surely drain away what little remains of the IPv4 address space, to the benefit of a very select few. Those few have had no apparent trouble whatsoever in figuring out how to trivially game the present system. Transparency woukld solve all that, of course, but given that 99.9% of ARINs constituients are corporations which are themselves, rightly or wrongly, deathly afraid of even the mere suggestion that they should ever be required to divulge anything at all, I must face that fact that the ARIN community isn't at all likely to adopt any new transparency measures anytime soon. But given present circumstances I felt compelled to offer these observations anyway. My only hope is that someday, perhaps 10 or 20 years from now, someone will look back at this post in the archives and judge me prescient. Regards, rfg P.S. Most infuriatingly, the kind of transparency about beneficial owner- ship of the kind I've described above really only has applicability to that subset of ARIN's constituents that are NOT publicly traded companies. By definition, ownership of publicly traded companies is, by and large, already a matter of public record, and thus, no new, additional, or special disclosures are needed from any of them. And quite certainly, if we were to add up the current market valuations of all of these already public ARIN constituent public companies, their gross value would be counted in the trillions of dollars and would utterly dwarf the combined value of all of the privately owned ARIN constituent companies. So here we have a perfect example of the tail wagging the dog. The smaller privately held companies would (and will) undoubtedly scream and cry and veto any proposal aimed greater transparency about beneficial ownership, even though, by dollar denominated weight, they are vastly outnumbred by the publicly traded ARIN constituent companies that have already grown accustomed, years ago, to providing detailed ownership information to the government, and by implication, to essentially everyone. And yet it can be easily predicted that these small fish, with the support of ARIN management, will get their way, and thus, no actual swamp draining is at all likely to occur in the forseeable future. You heard it here first. P.P.S. If anyone wants to see corroborating evidence regarding my claims above about illicit IPv4 address block allocation shenanigans within the RIPE region, please contact me off list and I will provide that. You'll have to explicity acknowledge to me first however that you understand that both of these situtations are ongoing investigations, and thus must not yet be disturbed in any way. _______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact [email protected] if you experience any issues.
