[gnso-rds-pdp-wg] @EXT: RE: Use case - LEA

Mounier, Grégory gregory.mounier at europol.europa.eu
Tue Jul 26 15:30:34 UTC 2016


With the amended cases.


-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Mounier, Grégory
Sent: 26 July 2016 17:26
To: 'David Cake'
Cc: gnso-rds-pdp-wg at icann.org
Subject: [gnso-rds-pdp-wg] @EXT: RE: Use case - LEA

Dear David, 

Thank you very much for your constructive comments. These are indeed not "compromised websites" as in "stolen domains" but regular domains, registered for illegal purpose. I have amended the use case accordingly. 

Now, I am not sure I understand your point about "designing a case to appear urgent and emotive". It just happens that EC3 has 3 different teams of cyber investigators: one is working on intrusion/malware/botnets, the second one on online payment fraud and the third one on online child sexual exploitation and distribution of CAM. I asked each team to give me examples of cases they were currently working on and in which they used WHOIS data. So far I have received this one and I thought that it was illustrative of the use made of WHOIS information in criminal investigations so I decided to share it with the group. I will certainly get some more examples from the malware team and I'll share them too.

These are real use cases and not scenarios: I have checked the URLs today and the websites are still online as we speak. And yes, I do have colleagues (1/3 of EC3's work force) working every day on online child abuse cases because this is a major problem in our digitalised and connected societies.

But if the group decides that we should not mention content or give context because it could make the use cases "emotive" then I am happy to simply talk about "illegal activities". But then we should not mention Turkey either.

Looking forward to continuing the discussion.

Kind regards, 

Greg

-----Original Message-----
From: David Cake [mailto:dave at davecake.net] 
Sent: 26 July 2016 09:32
To: Mounier, Grégory
Cc: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT Use case - LEA

At a first glance, this seems contradictory. You state that the web sites are compromised - then assume that not just some WHOIS data is valid, but enough of it to find cross-correlations. If the domains were compromised, this would be meaningless - a linked email address would just indicate that multiple sites belonging to the same original person were compromised at the same time, presumably by compromise of a shared host or shared controlling organisation, and it's rare that sites are compromised unless it's entirely done via DNS mechanisms, in which case we could probably deal with that issue (stolen domains) without bringing content into it.

So your use case assumes that the sites were not compromised, but registered for illegal purpose, which is an entirely different situation. This seems like a poorly constructed use case to me, in that while it seems designed to appear very urgent and emotive by focussing on content that no one would support, the actual DNS scenario we are trying to address here is very unclear.


David

> On 26 Jul 2016, at 6:25 AM, Mounier, Grégory <gregory.mounier at europol.europa.eu> wrote:
> 
> Dear all,
> 
> Please find attached a use case which shows how accurate WHOIS information, combined with other types of evidence, can help attribute crime online.
> 
> Regards,
> 
> Greg
> 
> *******************
> 
> DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
> Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
> 
> *******************
> <EUROPOL-Use_case_-_Compromised_websites_distributing_child_abuse_material_-_PDP_NG_RDS_WHOIS.pdf>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: EUROPOL-Use_case_-_websites_registered for illegal purpose_-_PDP_NG_RDS_WHOIS.pdf
Type: application/pdf
Size: 18970 bytes
Desc: EUROPOL-Use_case_-_websites_registered for illegal purpose_-_PDP_NG_RDS_WHOIS.pdf
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160726/25a3f0d1/EUROPOL-Use_case_-_websites_registeredforillegalpurpose_-_PDP_NG_RDS_WHOIS.pdf>

