[gnso-rds-pdp-wg] Fwd: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Terri Stumme terri.stumme at legitscript.com
Mon Aug 15 19:38:40 UTC 2016


Ayden,

We could go back and forth on this topic forever. Your anti-government
sentiment is noted, but I can't help myself ...

*Privacy is not an indication of criminal behaviour but a fundamental part
of life. **In addition, justice is about persons being treated as innocent
until proven guilty. I am not a criminal and I have 'nothing to hide' but I
don't want the government reading my private messages. Frankly, your
messages aren't that important, unless, of course, you are a terrorist, or
funding terrorism through criminal activity. **Nobody has the time to sit
around and read non-essential private messages --seriously, not the focus
or purpose of the program.*


*It is up to the state to bear the burden of showing there is a good reason
for suspicion about me, not the other way around. *
*Finally, you said you were recently the victim of a US government data
breach. Yet another reason why I don't want information about me "sitting
in a government data centre". Data is not secure anywhere. Banks are hacked
all the time. Not to mention what you can find out about someone through a
simple Google search.*

*I am aware that other governments have mass surveillance programmes and I
do not support them. I do not believe they are effective. If you've never
worked in the environment, then I do not believe you can speak to the
effectiveness of such programs.*

*And the fact you acknowledge they operate so secretly that I may not have
heard of them fills me with no comfort. If a government agency is keeping
secret what it is collecting about me or the reasons for doing so, **It's
labeled "need-to-know" in the government;*
*I cannot correct potential errors.  And from my experience with
governments, I understand that errors are common. Transparency, here, is
not only about making sure a government's actions can be evaluated, but
ensuring its outputs are equally accurate.  I'll save myself some time and
refrain from responding to this statement.  *


On Mon, Aug 15, 2016 at 12:08 PM, Ayden Férdeline <icann at ferdeline.com>
wrote:

> Thanks for your message, Terri. Please see comments below inline in *bold*.
> (If the formatting looks strange, I would appreciate it if someone would
> let me know. I have migrated this morning to a new encrypted email service
> so am still configuring it.)
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
> -------- Original Message --------
> From: Terri Stumme <terri.stumme at legitscript.com>
> Date: 14 August 2016 at 20:26
> Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental,
> Incidental, and Theoretical
> To: Ayden Férdeline <icann at ferdeline.com>
> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>
>
> Ayden,
>
> You are correct. NSA collects data without warrants and without probable
> cause. However, the purpose for the collection of the data is in the
> interest of national security.
>
> *I would have thought that unaccountable government agencies which are
> unwilling to follow the law
> <https://www.washingtonpost.com/news/the-switch/wp/2013/09/10/we-now-know-exactly-what-made-the-fisa-court-so-upset-with-the-nsa/>
> would be greater threats to national security, but what would I know? ;-)
> Anything, it would seem, can be justified in the pursuit of "national
> security". I would suggest, however, that when a government agency speaks
> of 'security', they are speaking of their own, because all citizens are a
> threat to "national security" by virtue of the fact that they hold the keys
> to overthrowing the Establishment, if only they were to organise.*
>
> The data collected by the NSA is not shared with any other three-letter
> agency in the US without that agency providing probable cause, presented in
> the form of a signed court order. If an individual is not involved in
> criminal activity, then their data sitting in a government data center
> should not be of concern.
> *This argument implies that privacy is something only criminals desire. I
> can only speak about myself here, but there are things that I choose to do
> in private that are neither wrong nor illegal, yet which I would not want
> public. The songs I have stored in my Spotify playlists, for instance.
> Privacy is not an indication of criminal behaviour but a fundamental part
> of life. In addition, justice is about persons being treated as innocent
> until proven guilty. I am not a criminal and I have 'nothing to hide' but I
> don't want the government reading my private messages. It is up to the
> state to bear the burden of showing there is a good reason for suspicion
> about me, not the other way around. Finally, you said you were recently the
> victim of a US government data breach. Yet another reason why I don't want
> information about me "sitting in a government data centre". *
>
> Of more concern should be what private companies do with the data they
> collect, sell it for a profit.
> *I have concerns here as well. However, sharing personal data with
> governments is of higher risk, because governments have the power to
> arrest, imprison, and in some cases even kill their citizens or
> enemies. Sharing personal data with companies is typically of lower risk.
> Businesses can freely use personal data to manipulate and perhaps exploit
> consumers, but within the confines of the law cannot use it for coercive
> purposes.*
>
> Regarding your statement: "The only 'check' that there is on the NSA's
> surveillance techniques is that of the Foreign Intelligence Surveillance
> Court, a secret body of judges that hears arguments from only one side: the
> NSA." I can tell you (although you probably won't believe it anyway) that
> there are very stringent internal regulations and oversight of the NSA
> program.
> *Very astute ;-) I don't believe they are at all accountable. Even sitting
> US senators are not able to obtain information from the NSA about why their
> constituents are being monitored.*
>
> And, I would bet that the US is not the only government that has a program
> like NSA's. You just haven't heard about those ...
> *I am aware that other governments have mass surveillance programmes and I
> do not support them. I do not believe they are effective. And the fact you
> acknowledge they operate so secretly that I may not have heard of them
> fills me with no comfort. If a government agency is keeping secret what it
> is collecting about me or the reasons for doing so, I cannot correct
> potential errors. And from my experience with governments, I understand
> that errors are common. Transparency, here, is not only about making sure a
> government's actions can be evaluated, but ensuring its outputs are equally
> accurate. *
>
> The private sector owns and operates a vast majority of the entire
> Internet infrastructure, and that includes critical components of the
> infrastructure. The point is that the same joint effort of the private
> sector and government towards enhancing the security and resilience of the
> nation's critical infrastructure, can and should be applied to protecting
> the public against cybercriminals involved in identity theft, human
> trafficking, drug trafficking, child abuse, etc.
> *Yes, I agree there is a role for public and private sector cooperation,
> but this does not mean I support what I would term 'bottom feeders' in the
> private sector being able to scrape up whatever data they can for whatever
> purposes they claim they want to use it. I think we're conflating a few
> things in this discussion by referring to the 'private sector' as a single
> entity. It isn't so homogenous. I use Facebook, for instance, and have
> consented to its terms of service. This does not mean, however, I approve
> of websites unaffiliated with Facebook harvesting my public profile and
> reposting my data on their websites hosted in Belarus (which is something
> that has happened to me). Both entities claim to be private sector actors,
> but that does not mean they should have equal access to or permission to
> use my personally-identifiable information.*
>
> On Wed, Aug 10, 2016 at 6:01 PM, Ayden Férdeline <icann at ferdeline.com>
> wrote:
>
>> Hi Terri,
>>
>> Please see my responses in-line.
>>
>> Thanks,
>>
>> Ayden
>>
>> On 9 August 2016 at 17:51, Terri Stumme <terri.stumme at legitscript.com>
>> wrote:
>>
>>> Ayden,
>>>
>>> These were *recommendations*; nothing more, nothing less. Although
>>> included in the 2013 RAA
>>>
>>
>> An agreement containing, I have been told, a litany of unintended
>> consequences.
>>
>>
>>>
>>> Multiple stakeholders around the world have compelling reasons and
>>> competing interests when it comes to accessing electronic data. As does
>>> LE
>>>
>>>
>>
>> Absolutely. I do not mean to suggest otherwise.
>>
>>
>>>
>>> I understand that law enforcement and intelligence agencies need the
>>> ability to fulfil their mission to prevent serious crime (or, failing that,
>>> to bring the perpetrators to justice).
>>>
>>> At the same time, the protection and promotion of civil liberties, human
>>> rights, and the right to privacy are not equally as strong in every
>>> territory around the world. Some countries are more authoritarian than
>>> others. I support a balance here; my personal information, as well as
>>> the personal information of my family members, as well as thousands of US
>>> federal employees, was compromised in the hack of the Office of Personnel
>>> Management federal employee records.
>>>
>>
>>
>> I am sorry to hear you were the victim of cybercrime.
>>
>> And a balance is precisely what I am advocating for, so it seems like we
>> are on the same page. This shouldn't be a zero-sum game. Privacy and
>> security should be mutually reinforcing.
>>
>> In addition, strengthened data and security practices also decrease the
>> risks associated with personal data collection and processing for both
>> end-users and businesses. A study from IBM in 2015
>> <https://securityintelligence.com/cost-of-a-data-breach-2015/> found
>> that the average data breach cost each impacted company USD $3.79 million,
>> without factoring in for the consumer confidence lost as a result of their
>> personally-identifiable data being stolen or misused.
>>
>>
>>> Attaching themselves to the unquestionably valid objectives that law
>>> enforcement and intelligence agencies have are private entities who do not
>>> have the same legal mandates or privileged access to information. There
>>> is no privileged access to information afforded to LE, and appropriate
>>> legal processes are abided by throughout investigations.
>>>
>>
>>
>> Yes, there is privileged access to information afforded to intelligence
>> agencies. It is common knowledge that the NSA has a 1-million-square-foot
>> data centre in Utah sucking up the data of people without warrants, and
>> without probable cause. The only 'check' that there is on the NSA's
>> surveillance techniques is that of the Foreign Intelligence Surveillance
>> Court, a secret body of judges that hears arguments from only one side: the
>> NSA. I would suggest that it is not a beacon of accountability.
>>
>> As for law enforcement, this varies by country and perhaps in the US law
>> enforcement does not have such a right (I don't know, but I'd be willing to
>> bet that "officer discretion", "exigent circumstances", etc. would be
>> enough to justify a lot of actions.) Their authority, combined with a
>> badge, a "trusted third party" data sharing agreement, or a simple request,
>> is likely to be more fruitful than if I was to request the same information
>> as a private citizen.
>>
>>
>>> Private entities have become attached to the unquestionably valid
>>> objectives of law enforcement due to the inherent nature of the beast.
>>>
>>>
>>
>> I take a rather bleak view of companies which gather data on individuals
>> without their knowledge or consent.
>>
>>
>>>
>>> *"Because the private sector owns and operates a vast majority of the
>>> nation's critical infrastructure, partnerships between the public and
>>> private sectors are essential to maintaining critical infrastructure
>>> security and resilience. These partnerships create an environment to share
>>> critical threat information, risk mitigation, and other vital information
>>> and resources." Source: * https://www.dhs.gov/critical-infrastructure-sector-partnerships.
>>>
>>>
>> I would agree that we get better answers to complex questions when a
>> range of experts and interests can meaningfully take part in the
>> discussions.
>>
>> However, this quote is referring to the investment made by private sector
>> actors who invest in, construct, and/or own pieces of critical
>> infrastructure (things like dams, nuclear reactors, water systems,
>> satellites). I agree that the public and private sectors, here, need to
>> work together to identify threats and vulnerabilities in a collaborative
>> and creative manner.
>>
>> This quote is not suggesting that all private sector actors should have
>> the same scope to collect data as intelligence agencies or law enforcement
>> might be able to. And, I will insist here, they should not. Some private
>> investigators may like to attach themselves to the "cloak of legitimacy"
>> which is afforded public actors, but in some instances I find these
>> perceived associations to be highly problematic. I suppose this is a
>> conversation for another time.
>>
>>
>>>
>>> I think it is important that we make this distinction.
>>>
>>>
>>>
>>> On Mon, Aug 8, 2016 at 8:12 AM, Ayden Férdeline <icann at ferdeline.com>
>>> wrote:
>>>
>>>>
>>>> Terri,
>>>>
>>>> Absolutely, Greg. The 2009 law enforcement recommendations regarding
>>>> amendments to the RAA addressed Whois data, specifically the need for
>>>> validating registrant information. The reason this recommendation was
>>>> included in the recommendations is because LE utilizes the data in cyber
>>>> investigations. There are many transcripts related to this issue, and LE
>>>> has conveyed to the ICANN community on several occasions the importance of
>>>> Whois data, and how LE utilizes the data in cyber investigations.
>>>>
>>>>
>>>>
>>>> These were *recommendations*; nothing more, nothing less.
>>>>
>>>> Multiple stakeholders around the world have compelling reasons and
>>>> competing interests when it comes to accessing electronic data.
>>>>
>>>> I understand that law enforcement and intelligence agencies need the
>>>> ability to fulfil their mission to prevent serious crime (or, failing that,
>>>> to bring the perpetrators to justice).
>>>>
>>>> At the same time, the protection and promotion of civil liberties,
>>>> human rights, and the right to privacy are not equally as strong in every
>>>> territory around the world. Some countries are more authoritarian than
>>>> others.
>>>>
>>>> Attaching themselves to the unquestionably valid objectives that law
>>>> enforcement and intelligence agencies have are private entities who do not
>>>> have the same legal mandates or privileged access to information.
>>>>
>>>> I think it is important that we make this distinction.
>>>>
>>>> - Ayden
>>>>
>>>>
>>>>
>>>> On Thu, Aug 4, 2016 3:31 PM, Terri Stumme terri.stumme at legitscript.com
>>>> wrote:
>>>>
>>>>
>>>>> Absolutely, Greg. The 2009 law enforcement recommendations regarding
>>>>> amendments to the RAA addressed Whois data, specifically the need for
>>>>> validating registrant information. The reason this recommendation was
>>>>> included in the recommendations is because LE utilizes the data in cyber
>>>>> investigations. There are many transcripts related to this issue, and LE
>>>>> has conveyed to the ICANN community on several occasions the importance of
>>>>> Whois data, and how LE utilizes the data in cyber investigations.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <
>>>>> gregory.mounier at europol.europa.eu> wrote:
>>>>>
>>>>> Dear Rob,
>>>>>
>>>>> Thanks for sharing the outcome of your chat with ex-FBI and UK LEA
>>>>> agents. I feel that I need to step in to provide a different perspective
>>>>> than the one you just gave on the law enforcement use of the WHOIS. It
>>>>> might be a matter of interpretation but the views expressed by your
>>>>> interlocutors are not shared by my colleagues working throughout European
>>>>> police cyber divisions.
>>>>>
>>>>> If European cyber investigators are obviously all aware of the fact
>>>>> that WHOIS registration data can sometimes be inaccurate and not up-to-date
>>>>> (ICANN compliance reported that for the first quarter of 2015, WHOIS
>>>>> inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start
>>>>> their investigations with a WHOIS lookup. This is really the first step.
>>>>>
>>>>> Despite the lack of accuracy, WHOIS information is useful in so many
>>>>> different ways. One of the first of them is to make correlations and link
>>>>> pieces of information obtained through other means than from the WHOIS.
>>>>> This was the point I tried to make on Tuesday during the conference call.
>>>>>
>>>>> Accurate and reliable WHOIS data helps crime attribution and can save
>>>>> precious investigation time (you can rule out wrong investigative leads).
>>>>> It raises the bar and makes it more difficult for criminals to abuse
>>>>> domain names. It pushes them to resort to more complex techniques such as
>>>>> ID theft to register domains for malicious purposes.
>>>>>
>>>>> In short, for LEA WHOIS is certainly not the silver bullet to
>>>>> attribute crime online but it is an essential tool in the tool box of law
>>>>> enforcement.
>>>>>
>>>>> Best,
>>>>>
>>>>> Greg
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Rob Golding
>>>>> Sent: 04 August 2016 01:46
>>>>> To: RDS PDP WG
>>>>> Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and
>>>>> Theoretical
>>>>>
>>>>> >> Theoretical
>>>>> >> ===========
>>>>> >> We have seen a couple of proposed use cases that seem to be ideas
>>>>> >> that people have for useful or harmful ways that RDS can be used,
>>>>> but
>>>>> >> that do not exist today (at least not that anyone can fully
>>>>> >> document).
>>>>> >>
>>>>> >> For example, there seems to be a desire to use the RDS as a way to
>>>>> >> issue warrants for information about registrants. While this may be
>>>>> >> useful, this is not possible today (even with RDAP, I note).
>>>>>
>>>>> It not only is possible today, it's also "common" (although thankfully
>>>>> not frequent)
>>>>>
>>>>> Registrars get served warrants for details about registrants, and the
>>>>> _only_ information from WHOIS that's "needed" or used for such cases is the
>>>>> name of the Registrar.
>>>>>
>>>>> I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at
>>>>> HostingCon last week - asked about WHOIS/domain data he said "we don't use
>>>>> it"
>>>>>
>>>>> Last year at the UKNOF event in Sheffield I spent quite some time
>>>>> talking with some amazing people from the UK CyberCrime departments - asked
>>>>> the same questions, they confirmed that although whois _might_ be looked at
>>>>> to see if it matches _data they already have_ for confirmation, it's not
>>>>> used or relied on.
>>>>>
>>>>> Which beggars the question, should "LawEnforcement" use cases even be
>>>>> part of the discussions ?
>>>>>
>>>>> Rob
>>>>> --
>>>>> Rob Golding   rob.golding at astutium.com
>>>>> Astutium Ltd, Number One Poultry, London. EC2R 8JR
>>>>>
>>>>> * domains * hosting * vps * servers * cloud * backups *
>>>>> _______________________________________________
>>>>> gnso-rds-pdp-wg mailing list
>>>>> gnso-rds-pdp-wg at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Terri Stumme*
>>>>> *Investigative Analyst*
>>>>>
>>>>
>>>>
>>>> Ayden Férdeline
>>>> Statement of Interest
>>>> <https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI>
>>>>
>>>>
>>>
>>
>>
-- 
*Terri Stumme*
*Investigative Analyst*