[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

allison nixon elsakoo at gmail.com
Mon Apr 24 22:50:14 UTC 2017


Thanks for the documentation in your earlier email. While I understand
that's how things are supposed to work in theory, it's not implemented very
widely, and unless there is enforcement, then it's unlikely to be useful at
all.



"as a given, we put ourselves in a certain position in terms of the actions
we can and cannot recommend. We can make similar statements focused on
registry operators, registrars, or any other stakeholder in this space. If
we all approach this WG's task with the goal of not changing anything,
we're all just wasting our time."

There are things that people would be willing to change about WHOIS.
Changes purely relating to the data format would not be as controversial.
Changing to that RDAP JSON format would probably be an agreeable point to
most here.

There are two different major points of contention here. The first is the
data format, second is the creation of a new monopoly and ceding power to
it. By monopoly I mean: who are the gatekeepers of "gated" access? Will it
avoid all of the problems that monopolies are historically prone to? Who
will pay them? It seems like a massive leap of faith to commit to this
without knowing who we are making the commitment to.



"I do not believe it is this WG's responsibility to protect anyone's
commercial services if those things are basically in response to
deficiencies in the existing Whois protocol. "

From my understanding of past ICANN working groups, registrars have fought
against issues that would have increased their costs. And the destruction
of useful WHOIS results (or becoming beholden to some new monopoly) stands to
incur far more costs for far larger industries.  So this shouldn't surprise
you. If those economic concerns are not valid then I question why the
economic concerns of registrars are valid.

If entire industries are built around a feature you would consider a
"deficiency", then your opinion may solely be your own. And I hope more
stakeholders in this multi-stakeholder process will come forward with their
own perspectives, as they will differ from mine.





"Not trying to hamstring the WG.  Just asking if this is not something that
has already been solved.."

Hi Paul,

It's an interesting thought. This document was recommended to me as one
that was approved in the past by the working group that outlined what the
resulting system might look like. I'm still learning and reading about
these working groups and what they do, and this document is massive.

https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf

In the document, it says: *"Central to the remit of the EWG is the question
of how to design a system that increases the accuracy of the data
collected while also offering protections for those Registrants seeking to
guard and maintain their privacy."*

One of the things I notice is that any talk about actually increasing
accuracy of whois info, via enforcement, is vigorously opposed in this
group, and it's merely assumed that people will supply better quality data
under the new system.

Throughout the document it talks about use-cases and features (whois
history, reverse query, etc), which are indeed identical to the features of
the whois aggregators of current day. Such a system would replace them.
Will the service quality be as good?

On page 63 it gets into thoughts on who would be "accredited" to access the
gated whois data. Every proposed scenario seems to recognize the resulting
system will need to handle a large query volume from a large number of
people, and one proposes accrediting bodies which may accredit
organizations which may accredit individuals. It even proposes an abuse
handling system which is also reminiscent in structure to how abuse is
handled currently in our domain name system. Many of these proposed schemes
appear to mimic the ways that the hosting industry and registrar industry
operate, so we can expect that the patterns of abuse will be equally
frequent, especially if higher quality data is supplied.

The proposed scenarios all paint a picture of "gated" access with very wide
gates, while simultaneously representing to domain purchasers that their
data is safe and privacy protected. And this is supposed to *reduce* the
total number of privacy violations? This doesn't even appeal to me as a
consumer of this data.

Whoever sets up this system also stands to inherit a lot of money from the
soon-to-be-defunct whois aggregation industry. They would certainly win our
contract, because we would have no choice. All domain reputation services,
anti-spam, security research, etc, efforts will all need to pay up.



After being supplied with the above document, I also saw a copy of a
rebuttal written by a company that monitors abusive domains. I strongly
agree with the sentiments in this document and I do not see evidence that
those concerns have received fair consideration. While I do not see this
new gatekeeper as an existential threat, I do see it as a likely
degradation in the utility I do see from whois. To be clear, we do not do
any business with this company.

http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf



I also found John Bambenek's point in a later thread to be interesting:
concentrating WHOIS knowledge solely to one organization allows the country
it resides in to use it to support its intelligence apparatus, for example
monitoring when its espionage domains are queried for, and targeting
researchers that query them (since anonymous querying will be revoked).
Nation states already use domains in operations so this monopoly is a
perfect strategic data reserve. The fact that this system is pushed by
privacy advocates is indeed ironic.



None of those concerns appear to have been addressed by this group in any
serious capacity. Before the addition of new members, I don't think many
people had the backgrounds or skillsets to even understand why they are a
concern. But I think this is a discussion worth having at this point in
time for this group.

On Mon, Apr 24, 2017 at 1:50 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:

> Hi,
>
> On Mon, Apr 24, 2017 at 07:25:47PM +0200, Paul Keating wrote:
> > Andrew,
> >
> > Thank you.  That was helpful.
> >
> > ""Given this registrant, what other
> > domains are registered?" is a solved problem, and has been since the
> > early 2000s."
> >
> > This is also traceable via alternative means such as consistencies in
> > various WHOIS fields such as email, address, name, etc.
>
> Well, sort of.  The email, address, and name fields are _user_
> supplied.  So they come from the other party to the transaction.  The
> ROID is assigned by the registry itself.  So once you have a match,
> you know that you are looking at the same object, only the same
> object, and all the same object(s).
>
> Email addresses in particular are guaranteed unique in the world at
> any given time (though not guaranteed as unique identifiers over
> time), so they may be useful for these purposes.  Take it from someone
> named "Andrew Sullivan", however, that names are pretty useless as
> context-free identifiers :)
>
> > In reality finding out answers to questions such as
> > yours (above) requires investigation using a plethora of data.
>
> To be clear, finding out the answer to what I (meant to) pose(d)
> requires no plethora of data: it requires a single query and access to
> the right repository (the registry).  In some theoretical system, the
> correct underlying database query would be something like this:
>
>     SELECT domain_roid, domain_name FROM domains WHERE registrant_roid = ?;
>
> and you put the correct ROID in where the question mark is, and off
> you go.  That will give you the list of all the domain names, and
> their relevant ROIDs, registered by a given registrant contact.  At
> least one registry with which I am familiar once had a WHOIS feature
> that allowed something close to the above, only it would stop after
> some number of domains so as not to return too much data.  I think the
> default was therefore LIMIT 50, but I also think the feature was
> eventually eliminated about the time that the ICANN community rejected
> IRIS as an answer to "the whois problem".
>
> What the above will of course not do is help you in the event Bob The
> Scammer has created dozens of different contacts for himself by (say)
> registering names through many different registrars.  I do not believe
> that any registry is going to support such a use at least without
> access controls, because it can be expensive to answer such things.
> So, what you understood me to be asking, I think, is the question I
> did _not_ ask: "given this human being or organization, what other
> domains are registered?"  That does require a lot of different data,
> and it requires cross-organizational searches, and it requires sussing
> out when someone has lied also.  Such research is, I agree, completely
> outside the scope of what any technical system will ever be able to
> offer reliably.
>
> > An entire
> > industry exists for this purpose and I don't think we should be
> > considering replacing what has already been existing in the cyber
> > security marketplace.
>
> I do not believe it is this WG's responsibility to protect anyone's
> commercial services if those things are basically in response to
> deficiencies in the existing Whois protocol.  In this case, however,
> that's not the problem.  Linking data in multiple databases to a given
> real-world human being is hard even in systems without competition and
> multiple points of access.  It's always going to require researchers
> for the domain name system.
>
> Best regards.
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.
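
The registry-side lookup described in the quoted reply, as an added example that is not part of the original thread: it runs the quoted query against a small in-memory database and contrasts it with a pivot on the user-supplied email field. The `contacts` table, the function names and every ROID, name and address are constructed for illustration.

```python
import sqlite3

# Constructed sample data. The `domains` columns follow the query quoted
# above; the `contacts` table and all values here are assumptions.
CONTACTS = [
    ("C1001-EXAMPLE", "Bob Example", "bob@example.test"),    # created via registrar A
    ("C2002-EXAMPLE", "Robert E.", "bob@example.test"),      # same person, registrar B
    ("C3003-EXAMPLE", "Alice Example", "alice@example.test"),
]
DOMAINS = [
    ("D1-EXAMPLE", "one.example", "C1001-EXAMPLE"),
    ("D2-EXAMPLE", "two.example", "C1001-EXAMPLE"),
    ("D3-EXAMPLE", "three.example", "C2002-EXAMPLE"),
    ("D4-EXAMPLE", "four.example", "C3003-EXAMPLE"),
]

def build_registry():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (contact_roid TEXT PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("CREATE TABLE domains (domain_roid TEXT PRIMARY KEY, domain_name TEXT,"
               " registrant_roid TEXT REFERENCES contacts(contact_roid))")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    db.executemany("INSERT INTO domains VALUES (?, ?, ?)", DOMAINS)
    return db

def domains_by_registrant_roid(db, roid, limit=50):
    # The quoted query, with the ROID bound as a parameter and the result
    # capped in the manner of the LIMIT 50 feature mentioned in the reply.
    rows = db.execute(
        "SELECT domain_roid, domain_name FROM domains"
        " WHERE registrant_roid = ? ORDER BY domain_name LIMIT ?", (roid, limit))
    return rows.fetchall()

def domains_by_email(db, email):
    # Pivot on a user-supplied field: it links separate contact objects that
    # share an email, but is only as reliable as what the registrant typed.
    rows = db.execute(
        "SELECT d.domain_name, c.contact_roid FROM domains d"
        " JOIN contacts c ON c.contact_roid = d.registrant_roid"
        " WHERE lower(c.email) = lower(?) ORDER BY d.domain_name", (email,))
    return rows.fetchall()

if __name__ == "__main__":
    db = build_registry()
    print(domains_by_registrant_roid(db, "C1001-EXAMPLE"))
    print(domains_by_email(db, "bob@example.test"))
```

The ROID lookup returns exactly the domains attached to one contact object and misses `three.example`, which the same person registered under a second contact; the email pivot finds it only because the two constructed contacts happen to share an address.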