[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

Andrew Sullivan ajs at anvilwalrusden.com
Mon Apr 24 17:50:01 UTC 2017


Hi,

On Mon, Apr 24, 2017 at 07:25:47PM +0200, Paul Keating wrote:
> Andrew,
> 
> Thank you.  That was helpful.
> 
> ""Given this registrant, what other
> domains are registered?" is a solved problem, and has been since the
> early 2000s."
> 
> This is also traceable via alternative means such as consistencies in
> various WHOIS fields such as email, address, name, etc.

Well, sort of.  The email, address, and name fields are _user_
supplied.  So they come from the other party to the transaction.  The
ROID is assigned by the registry itself.  So once you have a match,
you know that you are looking at the same object, only the same
object, and all the same object(s).  

Email addresses in particular are guaranteed unique in the world at
any given time (though not guaranteed as unique identifiers over
time), so they may be useful for these purposes.  Take it from someone
named "Andrew Sullivan", however, that names are pretty useless as
context-free identifiers :)

> In reality finding out answers to questions such as
> yours (above) requires investigation using a plethora of data.

To be clear, finding out the answer to what I (meant to) pose(d)
requires no plethora of data: it requires a single query and access to
the right repository (the registry).  In some theoretical system, the
correct underlying database query would be something like this:

    SELECT domain_roid, domain_name FROM domains WHERE registrant_roid = ?;

and you put the correct ROID in where the question mark is, and off
you go.  That will give you the list of all the domain names, and
their relevant ROIDs, registered by a given registrant contact.  At
least one registry with which I am familiar once had a WHOIS feature
that allowed something close to the above, only it would stop after
some number of domains so as not to return too much data.  I think the
default was therefore LIMIT 50, but I also think the feature was
eventually eliminated about the time that the ICANN community rejected
IRIS as an answer to "the whois problem".

What the above will of course not do is help you in the event Bob The
Scammer has created dozens of different contacts for himself by (say)
registering names through many different registrars.  I do not believe
that any registry is going to support such a use at least without
access controls, because it can be expensive to answer such things.
So, what you understood me to be asking, I think, is the question I
did _not_ ask: "given this human being or organization, what other
domains are registered?"  That does require a lot of different data,
and it requires cross-organizational searches, and it requires sussing
out when someone has lied also.  Such research is, I agree, completely
outside the scope of what any technical system will ever be able to
offer reliably.

> An entire
> industry exists for this purpose and I don't think we should be
> considering replacing what has already been existing in the cyber security
> marketplace.

I do not believe it is this WG's responsibility to protect anyone's
commercial services if those things are basically in response to
deficiencies in the existing Whois protocol.  In this case, however,
that's not the problem.  Linking data in multiple databases to a given
real-world human being is hard even in systems without competition and
multiple points of access.  It's always going to require researchers
for the domain name system.

Best regards.

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
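Added example, not part of the message above: a small sqlite3 stand-in for the registry database Andrew describes, running his ROID-keyed query (with the LIMIT he mentions) beside a lookup on a user-supplied email field, so the "same object only" property of a ROID match and the Bob-with-two-contacts case are visible. The table layout, the contacts table, and all sample data are constructed assumptions; only the SELECT on domains comes from the message.

```python
import sqlite3

# Constructed registry snapshot for illustration (not real registry data).
# ROIDs are assigned by the registry; name and email are supplied by the registrant.
CONTACTS = [
    ("C100-REG", "Alice Example", "alice@example.net"),
    ("C200-REG", "Bob The Scammer", "bob@example.org"),  # contact created via registrar A
    ("C201-REG", "Robert Scammer", "bob@example.org"),   # same person, new contact via registrar B
]
DOMAINS = [
    ("D1-REG", "alice-shop.example", "C100-REG"),
    ("D2-REG", "cheap-pills.example", "C200-REG"),
    ("D3-REG", "free-prizes.example", "C200-REG"),
    ("D4-REG", "win-big.example", "C201-REG"),
]

def build_registry():
    """In-memory stand-in for a registry database with a contacts and a domains table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (roid TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE domains (domain_roid TEXT PRIMARY KEY, domain_name TEXT,"
                 " registrant_roid TEXT REFERENCES contacts(roid))")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?)", DOMAINS)
    return conn

def domains_by_registrant_roid(conn, roid, limit=50):
    """The single query from the message, parameterized on the registry-assigned ROID.
    LIMIT mirrors the old WHOIS feature that capped the result set (50 is the default recalled)."""
    sql = "SELECT domain_roid, domain_name FROM domains WHERE registrant_roid = ? LIMIT ?"
    return conn.execute(sql, (roid, limit)).fetchall()

def domains_by_contact_email(conn, email):
    """Pivot on a user-supplied field instead: this links separate contact objects only
    where the registrant happened to reuse the same value, and only if it was not falsified."""
    sql = ("SELECT d.domain_roid, d.domain_name FROM domains d"
           " JOIN contacts c ON c.roid = d.registrant_roid WHERE c.email = ?")
    return conn.execute(sql, (email,)).fetchall()

if __name__ == "__main__":
    conn = build_registry()
    # ROID match: exactly the domains of one contact object, nothing more.
    print(domains_by_registrant_roid(conn, "C200-REG"))
    # Email match: also reaches the domain behind Bob's second contact object.
    print(domains_by_contact_email(conn, "bob@example.org"))
```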

