[gnso-rds-pdp-wg] Fwd: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Mon Aug 15 21:41:48 UTC 2016
With great respect to both sides, I would like to comment.
1. The fact that we have universal security problems (eg. banks are
hacked all the time) does not negate concern over over-collection, from
the perspective of the individual concerned. The impact of mistakes on
the part of security agencies can be greater.
2. Given the security and lack of transparency regarding national
security practices, I think it is unfair to say that if you have never
worked in the environment, you cannot speak to the effectiveness of such
programs. In many respects that is true of course. Unlike other
government programs, these programs are rarely, even in western
democracies, subject to outside audit. However anyone who has worked in
government knows what happens when there is insufficient oversight and
performance measurement. Those who wish to study national security can
read about part of the picture, but good luck figuring out performance
metrics. So unfortunately, we are left reading about the disasters (I
offer you the Arar commission, as one Canadian example....3 volumes).
This does not make national security practices a disaster by any means,
but those "in the know" should in my view avoid telling others
interested in plain old good democratic practices that they don't know
what they are talking about. That is my personal opinion of course, but
not an ill informed one.
3. As I mentioned in my exchange with Dick a while ago, intelligence
agencies are sharing more information, or talking about sharing more
information. Global citizens who travel for work, and who must do so to
maintain their good jobs, have no way of knowing what data is in border
control data systems. Oversight and appeal of these systems has been a
problem since I started in privacy and access to information in 1984.
The chances for inaccurate inference are as likely to go up as down,
with the kind of analytics used today, in my view (and I do study this
stuff) so finding appeal mechanisms when lives can be impacted radically
is rather important in my view. So let us be clear that we have moved on
from "who is listening to my phone calls" .....even though we still like
to joke about it. We are talking about algorithmic transparency now.
What is triggering the persons of interest question? Would your
employer still hire you if the United States border control decided not
to let you in? a question all non-US citizens have to ask themselves.
Impacts are real.
Stephanie Perrin
On 2016-08-15 15:38, Terri Stumme wrote:
> Ayden,
>
> We could go back and forth on this topic forever. Your anti-government
> sentiment is noted, but I can't help myself ...
>> *Privacy is not an indication of criminal behaviour but a fundamental
>> part of life. **In addition, justice is about persons being treated
>> as innocent until proven guilty. I am not a criminal and I have
>> 'nothing to hide' but I don't want the government reading my private
>> messages. Frankly, your messages aren't that important, unless, of
>> course, you are a terrorist, or funding terrorism through criminal
>> activity. **Nobody has the time to sit around and read non-essential
>> private messages --seriously, not the focus or purpose of the program.*
>>
>> *It is up to the state to bear the burden of showing there is a good
>> reason for suspicion about me, not the other way around. *
>> *Finally, you said you were recently the victim of a US government
>> data breach. Yet another reason why I don't want information about me
>> "sitting in a government data centre" Data is not secure anywhere.
>> Banks are hacked all the time. Not to mention what you can find out
>> about someone through a simple Google search.*
>> *I am aware that other governments have mass surveillance programmes
>> and I do not support them. I do not believe they are effective. If
>> you've never worked in the environment, then I do not believe you can
>> speak to the effectiveness of such programs.*
>> **
>> *And the fact you acknowledge they operate so secretly that I may not
>> have heard of them fills me with no comfort. If a government agency
>> is keeping secret what it is collecting about me or the reasons for
>> doing so, **It's labeled "need-to-know" in the government;*
>> *I cannot correct potential errors. And from my experience with
>> governments, I understand that errors are common. Transparency, here,
>> is not only about making sure a government's actions can be
>> evaluated, but ensuring its outputs are equally accurate. I'll save
>> myself some time and refrain from responding to this statement. *
>
> On Mon, Aug 15, 2016 at 12:08 PM, Ayden Férdeline <icann at ferdeline.com
> <mailto:icann at ferdeline.com>> wrote:
>
> Thanks for your message, Terri. Please see comments below inline
> in *bold*. (If the formatting looks strange, I would appreciate it
> if someone would let me know. I have migrated this morning to a
> new encrypted email service so am still configuring it.)
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>> -------- Original Message --------
>> From: *Terri Stumme* <terri.stumme at legitscript.com
>> <mailto:terri.stumme at legitscript.com>>
>> Date: 14 August 2016 at 20:26
>> Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental,
>> Incidental, and Theoretical
>> To: Ayden Férdeline <icann at ferdeline.com
>> <mailto:icann at ferdeline.com>>
>> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>>
>>
>>
>> Ayden,
>>
>> You are correct. NSA collects data without warrants and without
>> probable cause. However, the purpose for the collection of the
>> data is in the interest of national security.
>>
>> *I would have thought that unaccountable government agencies
>> which are unwilling to follow the law
>> <https://www.washingtonpost.com/news/the-switch/wp/2013/09/10/we-now-know-exactly-what-made-the-fisa-court-so-upset-with-the-nsa/>
>> would be greater threats to national security, but what would I
>> know? ;-) Anything, it would seem, can be justified in the
>> pursuit of "national security". I would suggest, however, that
>> when a government agency speaks of 'security', they are speaking
>> of their own, because all citizens are a threat to "national
>> security" by virtue of the fact that they hold the keys to
>> overthrowing the Establishment, if only they were to organise.*
>> **
>> The data collected by the NSA is not shared with any other
>> three-letter agency in the US without that agency providing
>> probable cause, presented in the form of a signed court order. If
>> an individual is not involved in criminal activity, then their
>> data sitting in a government data center should not be of concern.
>> *This argument implies that privacy is something only criminals
>> desire. I can only speak about myself here, but there are things
>> that I choose to do in private that are neither wrong nor
>> illegal, yet which I would not want public. The songs I have
>> stored in my Spotify playlists, for instance. Privacy is not an
>> indication of criminal behaviour but a fundamental part of life.
>> In addition, justice is about persons being treated as innocent
>> until proven guilty. I am not a criminal and I have 'nothing to
>> hide' but I don't want the government reading my private
>> messages. It is up to the state to bear the burden of showing
>> there is a good reason for suspicion about me, not the other way
>> around. Finally, you said you were recently the victim of a US
>> government data breach. Yet another reason why I don't want
>> information about me "sitting in a government data centre". *
>>
>> Of more concern should be what private companies do with the data
>> they collect, sell it for a profit.
>> *I have concerns here as well. However, sharing personal data
>> with governments is of higher risk, because governments have the
>> power to arrest, imprison, and in some cases even kill their
>> citizens or enemies. Sharing personal data with companies is
>> typically of lower risk. Businesses can freely use personal data
>> to manipulate and perhaps exploit consumers, but within the
>> confines of the law cannot use it for coercive purposes.*
>>
>> Regarding your statement: "The only 'check' that there is on the
>> NSA's surveillance techniques is that of the Foreign Intelligence
>> Surveillance Court, a secret body of judges that hears arguments
>> from only one side: the NSA." I can tell you (although you
>> probably won't believe it anyway) that there are very stringent
>> internal regulations and oversight of the NSA program.
>> *Very astute ;-) I don't believe they are at all accountable.
>> Even sitting US senators are not able to obtain information from
>> the NSA about why their constituents are being monitored.*
>>
>> And, I would bet that the US is not the only government that has
>> a program like NSA's. You just haven't heard about those ...
>> *I am aware that other governments have mass surveillance
>> programmes and I do not support them. I do not believe they are
>> effective. And the fact you acknowledge they operate so secretly
>> that I may not have heard of them fills me with no comfort. If a
>> government agency is keeping secret what it is collecting about
>> me or the reasons for doing so, I cannot correct potential
>> errors. And from my experience with governments, I understand
>> that errors are common. Transparency, here, is not only about
>> making sure a government's actions can be evaluated, but ensuring
>> its outputs are equally accurate. *
>>
>> The private sector owns and operates a vast majority of the
>> entire Internet infrastructure, and that includes critical
>> components of the infrastructure. The point is that the same
>> joint effort of the private sector and government towards
>> enhancing the security and resilience of the nation's critical
>> infrastructure, can and should be applied to protecting the
>> public against cybercriminals involved in identity theft, human
>> trafficking, drug trafficking, child abuse, etc.
>> *Yes, I agree there is a role for public and private sector
>> cooperation, but this does not mean I support what I would term
>> 'bottom feeders' in the private sector being able to scrape up
>> whatever data they can for whatever purposes they claim they want
>> to use it. I think we're conflating a few things in this
>> discussion by referring to the 'private sector' as a single
>> entity. It isn't so homogenous. I use Facebook, for instance, and
>> have consented to its terms of service. This does not mean,
>> however, I approve of websites unaffiliated with Facebook
>> harvesting my public profile and reposting my data on their
>> websites hosted in Belarus (which is something that has happened
>> to me). Both entities claim to be private sector actors, but that
>> does not mean they should have equal access to or permission to
>> use my personally-identifiable information.*
>>
>> On Wed, Aug 10, 2016 at 6:01 PM, Ayden Férdeline
>> <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>
>> Hi Terri,
>>
>> Please see my responses in-line.
>>
>> Thanks,
>>
>> Ayden
>>
>> On 9 August 2016 at 17:51, Terri Stumme
>> <terri.stumme at legitscript.com
>> <mailto:terri.stumme at legitscript.com>> wrote:
>>
>> Ayden,
>>
>> These were /recommendations/; nothing more, nothing less.
>> Although included in the 2013 RAA
>>
>>
>> An agreement containing, I have been told, a litany of
>> unintended consequences.
>>
>>
>> Multiple stakeholders around the world have compelling
>> reasons and competing interests when it comes to
>> accessing electronic data. As does LE
>>
>>
>>
>> Absolutely. I do not mean to suggest otherwise.
>>
>>
>> I understand that law enforcement and intelligence
>> agencies need the ability to fulfil their mission to
>> prevent serious crime (or, failing that, to bring the
>> perpetrators to justice).
>>
>> At the same time, the protection and promotion of civil
>> liberties, human rights, and the right to privacy are not
>> equally as strong in every territory around the world.
>> Some countries are more authoritarian than others. I
>> support a balance here; my personal information, as well
>> as the personal information of my family members, as well
>> as thousands of US federal employees, was compromised in
>> the hack of the Office of Personnel Management federal
>> employee records.
>>
>>
>>
>> I am sorry to hear you were the victim of cybercrime.
>>
>> And a balance is precisely what I am advocating for, so it
>> seems like we are on the same page. This shouldn't be a
>> zero-sum game. Privacy and security should be mutually
>> reinforcing.
>>
>> In addition, strengthened data and security practices also
>> decrease the risks associated with personal data collection
>> and processing for both end-users and businesses. A study
>> from IBM in 2015
>> <https://securityintelligence.com/cost-of-a-data-breach-2015/>
>> found that the average data breach cost each impacted company
>> USD $3.79 million, without factoring in for the consumer
>> confidence lost as a result of their personally-identifiable
>> data being stolen or misused.
>>
>> Attaching themselves to the unquestionably valid
>> objectives that law enforcement and intelligence agencies
>> have are private entities who do not have the same legal
>> mandates or privileged access to information. There is no
>> privileged access to information afforded to LE, and
>> appropriate legal processes are abided by throughout
>> investigations.
>>
>>
>>
>> Yes, there is privileged access to information afforded to
>> intelligence agencies. It is common knowledge that the NSA
>> has a 1-million-square-foot data centre in Utah sucking up
>> the data of people without warrants, and without probable
>> cause. The only 'check' that there is on the NSA's
>> surveillance techniques is that of the Foreign Intelligence
>> Surveillance Court, a secret body of judges that hears
>> arguments from only one side: the NSA. I would suggest that
>> it is not a beacon of accountability.
>>
>> As for law enforcement, this varies by country and perhaps in
>> the US law enforcement does not have such a right (I don't
>> know, but I'd be willing to bet that "officer discretion",
>> "exigent circumstances", etc. would be enough to justify a
>> lot of actions.) Their authority, combined with a badge, a
>> "trusted third party" data sharing agreement, or a simple
>> request, is likely to be more fruitful than if I was to
>> request the same information as a private citizen.
>>
>> Private entities have become attached to the
>> unquestionably valid objectives of law enforcement due to
>> the inherent nature of the beast.
>>
>>
>>
>> I take a rather bleak view of companies which gather data on
>> individuals without their knowledge or consent.
>>
>>
>> /"Because the private sector owns and operates a vast
>> majority of the nation's critical infrastructure,
>> partnerships between the public and private sectors are
>> essential to maintaining critical infrastructure security
>> and resilience. These partnerships create an environment
>> to share critical threat information, risk mitigation,
>> and other vital information and resources." Source:
>> /https://www.dhs.gov/critical-infrastructure-sector-partnerships
>> <https://www.dhs.gov/critical-infrastructure-sector-partnerships>.
>>
>>
>>
>> I would agree that we get better answers to complex questions
>> when a range of experts and interests can meaningfully take
>> part in the discussions.
>>
>> However, this quote is referring to the investment made by
>> private sector actors who invest in, construct, and/or own
>> pieces of critical infrastructure (things like dams, nuclear
>> reactors, water systems, satellites). I agree that the public
>> and private sectors, here, need to work together to identify
>> threats and vulnerabilities in a collaborative and creative
>> manner.
>>
>> This quote is not suggesting that all private sector actors
>> should have the same scope to collect data as intelligence
>> agencies or law enforcement might be able to. And, I will
>> insist here, they should not. Some private investigators may
>> like to attach themselves to the "cloak of legitimacy" which
>> is afforded public actors, but in some instances I find these
>> perceived associations to be highly problematic. I suppose
>> this is a conversation for another time.
>>
>>
>> I think it is important that we make this distinction.
>>
>>
>>
>> On Mon, Aug 8, 2016 at 8:12 AM, Ayden Férdeline
>> <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:
>>
>>
>> Terri,
>>
>> Absolutely, Greg. The 2009 law enforcement
>> recommendations regarding amendments to the RAA
>> addressed Whois data, specifically the need for
>> validating registrant information. The reason
>> this recommendation was included in the
>> recommendations is because LE utilizes the data
>> in cyber investigations. There are many
>> transcripts related to this issue, and LE has
>> conveyed to the ICANN community on several
>> occasions the importance of Whois data, and how
>> LE utilizes the data in cyber investigations.
>>
>>
>>
>> These were /recommendations/; nothing more, nothing less.
>>
>> Multiple stakeholders around the world have
>> compelling reasons and competing interests when it
>> comes to accessing electronic data.
>>
>> I understand that law enforcement and intelligence
>> agencies need the ability to fulfil their mission to
>> prevent serious crime (or, failing that, to bring the
>> perpetrators to justice).
>>
>> At the same time, the protection and promotion of
>> civil liberties, human rights, and the right to
>> privacy are not equally as strong in every territory
>> around the world. Some countries are more
>> authoritarian than others.
>>
>> Attaching themselves to the unquestionably valid
>> objectives that law enforcement and intelligence
>> agencies have are private entities who do not have
>> the same legal mandates or privileged access to
>> information.
>>
>> I think it is important that we make this distinction.
>>
>> - Ayden
>>
>>
>>
>> On Thu, Aug 4, 2016 3:31 PM, Terri Stumme
>> terri.stumme at legitscript.com
>> <mailto:terri.stumme at legitscript.com> wrote:
>>
>>
>> Absolutely, Greg. The 2009 law enforcement
>> recommendations regarding amendments to the RAA
>> addressed Whois data, specifically the need for
>> validating registrant information. The reason
>> this recommendation was included in the
>> recommendations is because LE utilizes the data
>> in cyber investigations. There are many
>> transcripts related to this issue, and LE has
>> conveyed to the ICANN community on several
>> occasions the importance of Whois data, and how
>> LE utilizes the data in cyber investigations.
>>
>>
>>
>>
>>
>> On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory
>> <gregory.mounier at europol.europa.eu
>> <mailto:gregory.mounier at europol.europa.eu>> wrote:
>>
>> Dear Rob,
>>
>> Thanks for sharing the outcome of your chat
>> with ex-FBI and UK LEA agents. I feel that I
>> need to step in to provide a different
>> perspective than the one you just gave on the
>> law enforcement use of the WHOIS. It might be
>> a matter of interpretation but the views
>> expressed by your interlocutors are not
>> shared by my colleagues working throughout
>> European police cyber divisions.
>>
>> If European cyber investigators are obviously
>> all aware of the fact that WHOIS registration
>> data can sometime be inaccurate and not
>> up-to-date (ICANN compliance reported that
>> for the first quarter of 2015, WHOIS
>> inaccuracy comprised 74.0 % of complaints),
>> in 90% of cases they will start their
>> investigations with a WHOIS lookup. This is
>> really the first step.
>>
>> Despite the lack of accuracy, WHOIS
>> information is useful in so many different
>> ways. One of the first them is to make
>> correlations and link pieces of information
>> obtained through other means than from the
>> WHOIS. This was the point I tried to make on
>> Tuesday during the conference call.
>>
>> Accurate and reliable WHOIS data helps crime
>> attribution and can save precious
>> investigation time (you can rule out wrong
>> investigative leads).
>> It raises the bar and makes it more difficult
>> for criminals to abuse domain names. It
>> pushes them to resort to more complex
>> techniques such as ID theft to register
>> domains for malicious purposes.
>>
>> In short, for LEA WHOIS is certainly not the
>> silver bullet to attribute crime on line but
>> it is an essential tool in the tool box of
>> law enforcement.
>>
>> Best,
>>
>> Greg
>>
>>
>> -----Original Message-----
>> From: gnso-rds-pdp-wg-bounces at icann.org
>> <mailto:gnso-rds-pdp-wg-bounces at icann.org>
>> [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <mailto:gnso-rds-pdp-wg-bounces at icann.org>]
>> On Behalf Of Rob Golding
>> Sent: 04 August 2016 01:46
>> To: RDS PDP WG
>> Subject: Re: [gnso-rds-pdp-wg] Use cases:
>> Fundamental, Incidental, and Theoretical
>>
>> >> Theoretical
>> >> ===========
>> >> We have seen a couple of proposed use
>> cases that seem to be ideas
>> >> that people have for useful or harmful
>> ways that RDS can be used, but
>> >> that do not exist today (at least not that
>> anyone can fully
>> >> document).
>> >>
>> >> For example, there seems to be a desire to
>> use the RDS as a way to
>> >> issue warrants for information about
>> registrants. While this may be
>> >> useful, this is not possible today (even
>> with RDAP, I note).
>>
>> It not only is possible today, it's also
>> "common" (although thankfully not frequent)
>>
>> Registrars get served warrants for details
>> about registrants, and the _only_ information
>> from WHOIS that's "needed" or used for such
>> cases is the name of the Registrar.
>>
>> I had the pleasure of meeting Chris Tarbell,
>> ex-FBI Cyber Crime, at HostingCon last week -
>> asked about WHOIS/domain data he said "we
>> dont use it"
>>
>> Last year at the UKNOF event in Sheffield I
>> spent quite some time talking with some
>> amazing people from the UK CyberCrime
>> departments - asked the same questions, they
>> confirmed that although whois _might_ be
>> looked at to see if it matches _data they
>> already have_ for confirmation, it's not used
>> or relied on.
>>
>> Which beggars the question, should
>> "LawEnforcement" use cases even be part of
>> the discussions ?
>>
>> Rob
>> --
>> Rob Golding rob.golding at astutium.com
>> <mailto:rob.golding at astutium.com>
>> Astutium Ltd, Number One Poultry, London.
>> EC2R 8JR
>>
>> * domains * hosting * vps * servers * cloud *
>> backups *
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>> *******************
>>
>> DISCLAIMER : This message is sent in
>> confidence and is only intended for the named
>> recipient. If you receive this message by
>> mistake, you may not use, copy, distribute or
>> forward this message, or any part of its
>> contents or rely upon the information
>> contained in it.
>> Please notify the sender immediately by
>> e-mail and delete the relevant e-mails from
>> any computer. This message does not
>> constitute a commitment by Europol unless
>> otherwise indicated.
>>
>> *******************
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>>
>>
>> --
>> /Terri Stumme/
>> /Investigative Analyst/
>>
>>
>>
>> Ayden Férdeline
>> Statement of Interest
>> <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
>>
>>
>>
>>
>> --
>> /Terri Stumme/
>> /Investigative Analyst/
>>
>>
>>
>>
>>
>> --
>> /Terri Stumme/
>> /Investigative Analyst/
>
>
>
>
> --
> /Terri Stumme/
> /Investigative Analyst/
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160815/4ae7167a/attachment.html>
More information about the gnso-rds-pdp-wg
mailing list