[gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Ayden Férdeline icann at ferdeline.com
Mon Aug 1 22:01:31 UTC 2016


Thanks for your comments, Rod.

> That primary concept is for a registrant to be able to definitively prove their
> ownership (or “right to control/use” if you don’t like the concept of “owning”
> domains) of a domain name. Someone has to have that information - the registrar
> is the base case - in order for the vast, vast majority of domain holders to do
> things like transfer their domain between registrars, sell the rights to their
> domain to some other party, obtain domain-related services, ensure their domain
> is not hijacked or can be recovered if it is, etc.

I see where you are coming from here; I just question why privacy must be eroded
to the point where anyone, for any reason, can query the RDS and retrieve such
sensitive personal information.

If I run with the arguments I've heard in this thread, there are two main
reasons for why we need a WHOIS-like service. One is so that if a domain name
causes problems (intentionally or otherwise) or has technical issues, there's a
point of contact who can be reached. The second argument, the one you have
raised, is that there should be some kind of record, like a land title registry,
of who owns each domain name. I'll admit I hadn't considered the latter before,
and I've been reflecting on the idea over the past few days.

In Helsinki at our cross-community session, Jordyn Buchanan from Google said we
shouldn't include any requirements where there's another, alternative mechanism
to achieve the same result in a better way. Applying his suggestion here, there
really would seem to be no need to know who owns a domain name, so long as there
is a mechanism through which a message can be relayed to the registrant if there
is a legitimate need to do so. Do questions of domain name ownership not fall
within the remit of whatever contract exists between the registrar and the
registrant? One of the data elements I suggested collecting was the name of the
registrar. I imagine that most registrars retain the billing information of
their active customers, so if they receive some kind of legal action, they have
the capacity to pass this along to the billing contact. Likewise, if law
enforcement is investigating something, provided due process is followed they
may be able to query the billing contact information. However, I remain firmly
of the view that such sensitive information should not be free for anyone to
query and retrieve.

Best wishes,
Ayden

On Tue, Jul 26, 2016 6:17 PM, Rod Rasmussen rrasmussen at infoblox.com wrote:
So let me point out that the EWG spent a huge amount of time on exactly this use
case area to address these very difficult issues and concerns to life and
liberty. One reason that this took a lot of time is that the option that Ayden
is advocating for here that you cannot store ANY personally identifiable data in
any place anywhere (paraphrasing, please correct if I’m misinterpreting you
here) due to risk of its exposure due to some compromise in the chain (RDS,
registry, registrar, P/P service) runs counter to one of the *primary* use case
building blocks for domain registrants. That primary concept is for a registrant
to be able to definitively prove their ownership (or “right to control/use” if
you don’t like the concept of “owning” domains) of a domain name. Someone has to
have that information - the registrar is the base case - in order for the vast,
vast majority of domain holders to do things like transfer their domain between
registrars, sell the rights to their domain to some other party, obtain
domain-related services, ensure their domain is not hijacked or can be recovered
if it is, etc. So imposing requirements for a minuscule fraction of the domain
registrant population in order to handle an uncommon (yet vitally important!)
use case is simply disproportional. This is a great example of why you develop
use cases - to tease out where they conflict, and instead of proscribing
solutions up front (in this case not collecting information at all) you explore
what the goals are (in this case, making sure that an oppressive regime cannot
get ahold of the personal information of a dissident that could put them at risk
of harm) to see how to solve those while imposing such restrictions on the
system that you can’t accomplish other, equal or in this case, far more
important goals of the system.

So, what did we do on the EWG? We proposed an entire system for dealing with
such circumstances and that is explained in section VII b. Secure Protected
Credentials Principles on pages 101-108 of the EWG report
( https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf ).
I would refer people with an interest in this topic to that rather detailed
section of our report to see a potential way forward on these issues. Since the
writing of the EWG report, much more work has occurred within the space of
providing anonymous, yet verifiable credentialing, particularly with the use of
blockchain technologies which are open source, and largely available at very low
cost for usage in software products and online services. Domain registration is
not the only area where people have this sort of interest, and the market, along
with the technical community, are responding accordingly. So while this is just
one way of solving this use case, and may not be fully fleshed out to the
implementation level in the current level of documentation, I will posit that
when you run into a use case like this that runs counter to many others, there
will often be a way to solve it without hampering or invalidating other use
cases, particularly fundamental ones.
Cheers,
Rod
Rod Rasmussen VP, Cybersecurity
-
On Jul 26, 2016, at 8:57 AM, Ayden Férdeline < icann at ferdeline.com > wrote:
Thanks for the questions, Alex. I am happy to clarify.

> Based on the details you outline, particularly the limitations you place on the
> RDS data elements, can you comment on how technical issues with the dissident's
> domain name operation are handled?

I consider this to be registrar-registrant contract information. As such, it is
up to the registrar to determine which additional data elements they wish to
collect (if any), how they wish to store this data (if applicable), and to whom
they wish to release it, in accordance with local laws and the informed consent
of their customers.

> As for the cost of P/P services I appreciate the view it is an added cost (and
> even FWIW that one should not have to pay for privacy) but so is the purchase of
> the domain name, hosting provider, web-site, TLS cert (the non-free ones) to
> enable transport encryption, etc. If there are funds available to purchase (and
> maintain) a domain name (and the site behind it) I’m not sure the extra cost for
> the P/P add-on is truly prohibitive.

It is possible that the web hosting or these other required products/services
have been donated.

But the principle is less about the cost and more about the data being collected
in the first place. If there exists a database which contains personally
identifiable information, even if this information is stored behind a locked
door, it is not unimaginable to anticipate it will be breached at some stage.
And once data is leaked, the damage is permanent.

> Lastly, can you clarify the term “foreign nation” in the scenario description?
> Is it the same or different from the nation of the dissident? This is a small
> detail perhaps but one that got me thinking about how (or even if) this use case
> would play out in a real world scenario.

The dissident lives in country X. The foreign nation is any other sovereign
state except X.

Best wishes,
Ayden

On Tue, Jul 26, 2016 4:46 PM, Deacon, Alex Alex_Deacon at mpaa.org wrote:
Thanks for the use case, Ayden. A few questions/comments.

Based on the details you outline, particularly the limitations you place on the
RDS data elements, can you comment on how technical issues with the dissident's
domain name operation are handled?

As for the cost of P/P services I appreciate the view it is an added cost (and
even FWIW that one should not have to pay for privacy) but so is the purchase of
the domain name, hosting provider, web-site, TLS cert (the non-free ones) to
enable transport encryption, etc. If there are funds available to purchase (and
maintain) a domain name (and the site behind it) I’m not sure the extra cost for
the P/P add-on is truly prohibitive.

Lastly, can you clarify the term “foreign nation” in the scenario description?
Is it the same or different from the nation of the dissident? This is a small
detail perhaps but one that got me thinking about how (or even if) this use case
would play out in a real world scenario.

Thanks!!
Alex

On Jul 26, 2016, at 6:38 AM, Ayden Férdeline < icann at ferdeline.com > wrote:
Thanks for your comments, Greg. Without wanting to dive too deep into our
deliberations, I would just like to briefly comment on this:

> The actual market price of such services is inexpensive (for example GoDaddy’s
> is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are
> aware that privacy services exist, and can afford the minimal cost.

I do not think it is reasonable to make such an assumption. Privacy proxy
services have not reached critical mass, as most domain names are not protected
through such cloaks.

In addition, the subscription cost of such services must be seen as relative to
local incomes and the ability to make a purchase in a foreign currency. It is
not easy for everyone in every country to purchase goods online; not everyone
has access to a credit card, and in many regions payment processors do not
accept all currencies. And while US$7.00 per year may not be a lot to you or me,
it is a significant amount of money to some.

When I was living in Argentina in 2014, the government imposed restrictions on
online purchases as part of efforts to prevent foreign currency reserves from
dwindling. At one stage, I believe that Argentine credit cards were limited to
making no more than US$25 per month in foreign transactions. In such a case a
dissident group would have to choose carefully how to allocate their resources. Do
they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak?
Do they purchase literature from abroad that cannot be purchased locally?

> Government authorities in the dissident’s country request the underlying
> registrant data from the privacy service provider. The privacy service provider
> must then decide whether it will accept the government’s complaint.

This operates on the assumption that due process is followed. A privacy service
provider is not a court and, as far as I am aware, there is no binding
entitlement for domain name registrants to a fair and public hearing within a
reasonable time by an independent, competent, and impartial tribunal as to
whether the registrant's data should be released to that government authority.
This also assumes that the data is requested and not simply taken. Given efforts
are underway globally to restrict encryption, we cannot presume that all
governments worldwide will follow due process if the data they desire exists in
some form where it can somehow be extracted.

Best wishes,
Ayden

On Tue, Jul 26, 2016 2:10 PM, Greg Aaron gca at icginc.com wrote:
Here are three cases that are variations of the scenario that Ayden presented.

1. Member of the dissident group registers a gTLD domain name using a privacy
service, located in a different country from the registrant. The actual market
price of such services is inexpensive (for example GoDaddy’s is US$7.00 per
year). It may be reasonable to assume that at-risk dissidents are aware that
privacy services exist, and can afford the minimal cost. Government authorities
in the dissident’s country request the underlying registrant data from the
privacy service provider. The privacy service provider must then decide whether
it will accept the government’s complaint. The decision may depend mainly on
whether the service provider believes the registrant has breached the service
provider’s terms of service, as interpreted under the laws of the service
provider’s country (not the country of the registrant and the complaining
government).

2. Instead of a gTLD domain, member of the dissident group chooses to register a
ccTLD domain, in a ccTLD that does not provide registrant contact data in its
WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If
the government authorities in the dissident’s country wish to obtain contact
data, the government authorities must contact either the registrar or registry,
which will then consider the complaint according to their terms of service, as
interpreted under the laws of the registrar’s or registry’s country.

3. Member of the dissident group registers a gTLD domain name using a proxy, such
as a law firm located in another country. If government authorities in the
dissident’s country request the identity of the dissident, the proxy must decide
whether to reveal its client’s name. The proxy is not subject to the
jurisdiction of the foreign government.

These use cases assume that dissidents wish to take steps to keep their
identities from their government regime. All three cases allow the registrant to
work within existing ICANN registration data policies, including the
recommendations that have come out of the recent privacy/proxy PDP.

All best,

--Greg

From: gnso-rds-pdp-wg-bounces at icann.org On Behalf Of Ayden Férdeline
Sent: Monday, July 25, 2016 6:41 PM
To: gnso-rds-pdp-wg at icann.org
Subject: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Hello all,

I would like to introduce an additional use case. This is just a rough draft for
now, and I welcome your feedback on how this use case can be strengthened.

The scenario is: a dissident group launches a website to bring important news
and information to the public. They register their domain name in a foreign
nation and do not want law enforcement, or other parties, to be able to identify
the website’s administrators, management, and/or sources of information. If this
information was made known, their publishing could be silenced and their sources
and contributors could suffer harm. The registrant is not aware of the existence
of privacy proxy services at the time they register their domain name.

Misuse Case: The RDS could be used by State actors or other parties to identify
members of or contributors to the dissident group, and this could result in their
voices being silenced through legal, political, or physical means.

Main Misuse Case: An actor is unhappy that a website in a country is publishing
material that speaks unfavourably about a given topic. They wish to launch
political and legal attacks to silence the website’s publishers and to alter the
narrative of the historical record on this topic. They thus utilise the RDS to
identify a contact of someone involved in the administration of this website,
with the view of torturing or otherwise extracting from this contact the names
and contact details of contributors to the dissenting website. As the registrant
does not subscribe to a privacy proxy service (possibly because of limited
financial resources, or lack of awareness that such a service exists), their
contact details have been permanently published into the public record and their
privacy is thus permanently breached. As a result the RDS threatens the ability
of dissenting voices to exercise their inalienable rights in an online
environment.

Primary Actor: Government or other entity wanting to censor a dissident group.

Other stakeholders: Domain name registrant.

Scope:

Level:

Data Elements: In order to prevent misuse by another actor, no personally
identifiable information should be stored in the RDS whatsoever. The only data
elements that the RDS requires to operate on a technical level are: the domain
name itself, the registrar, the domain name’s expiry date, and its status
(registered / not registered). For it to be of functional use, there are two
optional fields: name servers, and the auth-code.

Story:

 * A requestor accesses the RDS to obtain information about a registered domain
   name. The RDS immediately returns the registration data associated with the
   domain name, which may include a name and physical address of the registrant.
 * The requestor passes the extracted information on to a third party who visits
   the physical address of the contact. The registrant suffers physical harm as
   a result of the RDS and no longer feels comfortable using the Internet to
   convey to the public important information.

Privacy implications: Article 19 of the Universal Declaration of Human Rights
states that everyone has the right to freedom of opinion and expression; this
right includes the freedom to hold opinions without interference and to seek,
receive, and impart information and ideas through any media and regardless of
frontiers. These principles must be upheld in the RDS. An RDS that contains any
personally-identifiable information would threaten these very freedoms.
Accordingly, the RDS must only collect and store data for limited, lawful, and
appropriate purposes.

Who has control of and access to the data:

Conditions under which the data are accessible:

How data can be accessed: At this time, personally identifiable information can
be accessed by any party in the world, for any reason. This is not consistent
with best practices in privacy protection.

Other?

As you can see, I have left a few of the fields in Lisa's template for use cases
blank. I do not have all the answers, so I would very much welcome your
suggestions on how this use case could be strengthened. I'm still a little
uncertain as to whether we are designing use cases for what the WHOIS protocol
is like today (this is an assumption I have gone by in this first draft) or if
this is meant to be more like a use case in a dream system instead. I'll revise
this use case once I understand this exercise a bit better.

Thank you for your time, consideration, and feedback.

Best wishes,

Ayden Férdeline

Ayden Férdeline Statement of Interest _______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg