[gnso-rds-pdp-wg] @EXT: RE: Use case - LEA

Nick Shorey nick.shorey at culture.gov.uk
Thu Jul 28 10:06:57 UTC 2016 

Thanks Gregory for sharing this use case. I think the core point made is
how the WHOIS was used in a law enforcement investigation to assist in the
attribution of criminal activity; an example of the type of useful and
relevant information; and how ready access facilitated progress in the
investigation. I would welcome further examples.

Kind regards,

Nick

Nick Shorey BA (Hons), MSc
Senior Policy Advisor, International Internet Governance
Department for Culture, Media & Sport
Email: nick.shorey at culture.gov.uk
Phone: +44 (0) 7741 256 320

Sent from my iPhone

On 28 Jul 2016, at 10:10, Volker Greimann <vgreimann at key-systems.net> wrote:

https://www.icann.org/news/blog/icann-is-not-the-internet-content-police

*"**The simple fact is that many laws in effect in numerous countries
render content itself illegal. However the 2013 **RAA** is interpreted, it
cannot mean that **ICANN** is responsible for making factual and legal
determinations as to whether content violates the law. **ICANN** cannot be
put in the position of requiring suspension of domain names on the basis of
allegations of blasphemy, hate speech, holocaust denial, political
organizing, full or partial nudity or a host of other content that may be
illegal somewhere in the world.  That would be inconsistent with **ICANN**'s
mission, **ICANN**'s limited remit and **ICANN**'s responsibility to
operate in accordance with a consensus-driven multistakeholder model.**"*
https://www.icann.org/resources/pages/content-2013-05-03-en

*"Complaints about website content are outside of **ICANN*

*'s scope and authority; for these types of complaints, please refer to one
of the options listed below" *
https://www.icann.org/en/system/files/correspondence/crocker-to-shatan-30jun16-en.pdf




* "This does not mean, however, that ICANN is required or qualified to make
factual or legal determinations as to whether a Registered Name Holder or a
website operator is violation applicable laws and governmental regulations,
and to assess what would be an appropriate remedy for such activities in
any particular situation. (...) (ICANN) was not intended to displace other
legal remedies (...) that may apply. (...) these initiatives are outside
ICANN's limited remit (...)". *Need more quotes on how this matter is
settled?

Am 27.07.2016 um 17:03 schrieb Kiran Malancharuvil via gnso-rds-pdp-wg:

Hi Stephanie,

It's far from settled that ICANN policies have nothing to do with
content (see UDRP, URS, most RPMs, PICs, etc.). Can we concentrate on
getting use cases out without making these kinds of judgments about
them?

Thanks,

Kiran

Kiran Malancharuvil
Policy Counselor
MarkMonitor
415-419-9138 (m)

Sent from my mobile, please excuse any typos.

On Jul 27, 2016, at 6:06 AM, Stephanie Perrin
<stephanie.perrin at mail.utoronto.ca<mailto:stephanie.perrin at mail.utoronto.ca>
<stephanie.perrin at mail.utoronto.ca>> wrote:


Some crimes are recognized nearly universally, and child abuse is one,
we have signed treaties have we not?   I think that is a good reason
to use this example, but we must remember that ICANN is not in the
business of analyzing content on websites, (or setting policy for
same) it is in the business of assisting in the execution of lawful
orders to take down a website when served.  I realize this seems like
a quibble, but it seems to me it is an important one.  As opposed to
other crimes that might not be universally recognized (eg hate speech,
political speech that is banned in only one country) an order for an
action in the matter of child abuse would be universally accepted.
ICANN would also be in the business of setting policy with respect to
assisting in the investigation of the offence with a view to providing
information useful to criminal prosecution.  However, as the data
commissioners have pointed out in their correspondence with ICANN (see
Article 29 letters re RAA) they should not be in the business of
compelling illegal data retention just in case a registrant might
commit a crime.

Stephanie Perrin
On 2016-07-27 1:32, David Cake wrote:

On 26 Jul 2016, at 11:25 PM, Mounier, Grégory
<gregory.mounier at europol.europa.eu>
<gregory.mounier at europol.europa.eu><mailto:gregory.mounier at europol.europa.eu>
<gregory.mounier at europol.europa.eu> wrote:

Dear David,

Thank you very much for your constructive comments. These are indeed
not "compromised websites" as in "stolen domains" but regular domains,
registered for illegal purpose. I have amended the use case
accordingly.


        Thank you for clarifying. The two cases are very different in
terms of how they should interact with the RDS and domain name system
generally.


Now, I am not sure I understand your point about "designing a case to
appear urgent and emotive". It just happens that EC3 has 3 different
teams of cyber investigators: one is working on
intrusion/malwares/botnets, the second one on online payment fraud and
the second one on online child sexual exploitation and distribution of
CAM. I asked each teams to give me examples of cases they were
currently working on and in which they used WHOIS data. So far I have
received this one and I thought that it was illustrative of the use
made of WHOIS information in criminal investigations so I decided to
share it with the group. I will certainly get some more examples from
the malware team and I'll share them too.


        Thank you for clarifying the origin.
        FWIW, I’m unsure whether we should simply treat it as clearly
illegal material, that is illegal across multiple jurisdictions, or
specifically address child abuse material as something that poses
unique challenges. If the latter, I would probably want slightly more
info, such as, is this material that is clearly illegal across most
jurisdictions such as material on the INTERPOL list, or only in some
jurisdictions.



These are real use cases and not scenarios: I have checked the urls
today and the websites are is still online as we speak. And yes, I do
have colleagues (1/3 of EC3's work force) working every day on online
child abuse cases because this is a major problem in our digitalised
and connected societies.

But if the group decides that we should not mention content or give
context because it could make the use cases "emotive" then I am happy
to simply talk about "illegal activities". But then we should not
mention Turkey either.


        If you think the specific nature of the material involved is
significant to the approach we should take (and it may be) then that
should be clear in the use case.

        David




Looking forward to continuing the discussion.

Kind regards,

Greg

-----Original Message-----
From: David Cake [mailto:dave at davecake.net <dave at davecake.net>]
Sent: 26 July 2016 09:32
To: Mounier, Grégory
Cc: gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
<gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT Use case - LEA

At a first glance, this seems contradictory. You state that the web
sites are compromised - then assume that not just some WHOIS data is
valid, but enough of it to find cross-correlations. If the domains
were compromised, this would be meaningless - a linked email address
would just indicate that multiple sites belonging to the same original
person were compromised at the same time, presumably by compromise of
a shared host or shared controlling organisation, and its rare that
sites are compromised unless its entirely done by via DNS mechanisms,
in which case we could probably deal with that issue (stolen domains)
without bringing content into it.

So your use case assumes that the sites were not compromised, but
registered for illegal purpose, which is an entirely different
situation. This seems like a poorly constructed use case to me, in
that while it seems designed to appear very urgent and emotive by
focussing on content that no one would support, the actual DNS
scenario we are trying to address here is very unclear.


David



On 26 Jul 2016, at 6:25 AM, Mounier, Grégory
<gregory.mounier at europol.europa.eu>
<gregory.mounier at europol.europa.eu><mailto:gregory.mounier at europol.europa.eu>
<gregory.mounier at europol.europa.eu> wrote:

Dear all,

Please find attached a use case which shows how accurate WHOIS
information, combined with other types of evidence, can help
attributing crime online.

Regards,

Greg

*******************

DISCLAIMER : This message is sent in confidence and is only intended
for the named recipient. If you receive this message by mistake, you
may not use, copy, distribute or forward this message, or any part of
its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant
e-mails from any computer. This message does not constitute a
commitment by Europol unless otherwise indicated.

*******************
<EUROPOL-Use_case_-_Compromised_websites_distributing_child_abuse_material_-_PDP_NG_RDS_WHOIS.pdf>_______________________________________________
gnso-rds-pdp-wg mailing
listgnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
<gnso-rds-pdp-wg at icann.org>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


*******************

DISCLAIMER : This message is sent in confidence and is only intended
for the named recipient. If you receive this message by mistake, you
may not use, copy, distribute or forward this message, or any part of
its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant
e-mails from any computer. This message does not constitute a
commitment by Europol unless otherwise indicated.

*******************



_______________________________________________
gnso-rds-pdp-wg mailing
listgnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
<gnso-rds-pdp-wg at icann.org>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________
gnso-rds-pdp-wg mailing
listgnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
<gnso-rds-pdp-wg at icann.org>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
_______________________________________________
gnso-rds-pdp-wg mailing
listgnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann
- Rechtsabteilung -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com /
www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei
Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken
Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den
angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe,
Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist
unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so
bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung
zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com /
www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay
updated:www.facebook.com/KeySystemswww.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

This e-mail and its attachments is intended only for the person to
whom it is addressed. Furthermore it is not permitted to publish any
content of this email. You must not use, disclose, copy, print or rely
on this e-mail. If an addressing or transmission error has misdirected
this e-mail, kindly notify the author by replying to this e-mail or
contacting us by telephone.




_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160728/9c219a1d/attachment.html>

More information about the gnso-rds-pdp-wg mailing list