[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

Chen, Tim tim at domaintools.com
Wed Apr 26 17:43:02 UTC 2017


FWIW a few comments on the resulting threads:

@Allison - I should have been more precise in my economic argument.  ICANN
is always affecting policy.  Policy should be specifically driven by the
mandates set before it. Economic actors will have to adjust to any new
policy and have had to do so often (registrars, registries, etc.).  I
wanted to disclaim any notion of me being here to defend a business model
and profits.  I care about the tangible security benefits created by the
accessible Whois data in today's regime, specifically the benefits created
by our customers who are the ones actually doing the hard work in security,
and this is the argument I want us to be focusing on.  This position also
creates consistency when I argue that Registrars and Registries also need
to stand down from their economic arguments and focus on the policy goals.
  This position, I believe, does not conflict with your very valid point
about the enormous downstream benefits (societal benefits and ultimately
some cost savings for targets of cyberattacks and fraud) created by your
firm and other similar security orgs.

+1 to Greg's point (supported by Marika's routing of the WG Charter)
clarifying what the goals of this WG actually are.  All of us need to be
careful making summary statements that interpret the goals of this WG
through the lens of our own individual opinions on what we want them to be.

+1 to Mike's comment about not making this about DomainTools.  I invoked
our name only as due process in my initial post, for full disclosure.  But
I will endeavor to not mention it again.

+1 John Horton, who has done yeoman's work to write thoughtful and public
commentary on the specific ways that whois data supports the very important
work that people in his line of work do on a daily basis.

On Wed, Apr 26, 2017 at 10:06 AM, Volker Greimann <vgreimann at key-systems.net> wrote:

> I wish it were so simple. "Doing harm" is not necessary to be in violation
> of applicable law. Just like jaywalking, speeding on an empty road or
> crossing a red light carries a fine regardless of whether harm was done,
> privacy law too does not care about an actual harm.
>
> We need to be very clear about the legal requirements when we define the
> limits of what can be done with the data we collect, and by whom.
>
> Volker
>
> On 26.04.2017 at 18:43, John Horton wrote:
>
> Greg, well said. And Tim, well said. And I'll strongly +1 Michael Hammer
> as well. I agree with the "do no harm" philosophy -- I'm not convinced that
> some of the proposed changes (e.g., those outlined in the EWG report)
> wouldn't cause more harm than the existing, admittedly imperfect, system.
> As I've said before, the importance of tools like Reverse Whois isn't only
> direct -- it's derivative as well. (If you enjoy the benefits of those of
> us who fight payment fraud, online abuse and other sorts of malfeasance,
> you have reverse Whois among other tools to thank.) Privacy laws in one
> part of the world are a factor we need to be aware of, among other factors.
>
> On Wed, Apr 26, 2017 at 9:07 AM nathalie coupet via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
>> +1
>>
>> Nathalie
>>
>>
>> On Wednesday, April 26, 2017 12:02 PM, Victoria Sheckler <
>> vsheckler at riaa.com> wrote:
>>
>>
>> +1
>>
>> Sent from my iPhone
>>
>> On Apr 26, 2017, at 8:56 AM, Greg Shatan <gregshatanipc at gmail.com> wrote:
>>
>> Thanks for weighing in, Tim.  Since this is a multi*stakeholder* process,
>> everyone is assumed to come in with a point of view, so don't be shy.  At
>> the same time, if stakeholders cling dogmatically to their points of view
>> the multistakeholder model doesn't work.
>>
>> As for being out on a limb:
>>
>>    - We haven't decided what data will be "private" and for which
>>    registrants (e.g., based on geography or entity status)
>>    - We haven't decided there will be "gated" access and what that might
>>    mean, both for policy and practicality
>>    - The question shouldn't be whether we will be "allowing third
>>    parties access to harvest, repackage and republish that data," but how we
>>    should allow this in a way that balances various concerns.  Eliminating
>>    reverse Whois and other such services is not a goal of this Working Group.
>>
>> Our job should be to provide the greatest possible access to the best
>> possible data, consistent with minimizing risk under reasonable
>> interpretations of applicable law.  We need to deal with existing and
>> incoming privacy laws (and with other laws) as well, but not in a
>> worshipful manner; instead it should be in a solution-oriented manner.
>> This is not, after all, the Privacy Working Group.  I'll +1 Michael Hammer: Rather
>> than starting from a model of justifying everything and anything from a
>> privacy perspective, I would suggest that it would be much more
>> appropriate, other than technical changes such as moving towards using
>> JSON, to require justification and consensus for any changes from the
>> existing model(s) of WHOIS.
>>
>> Finally, while our purpose is not to maintain anyone's economic interest,
>> economic interests may well be aligned with policy interests.  Assuming
>> that economic interests are at odds with policy interests is just as
>> dangerous as assuming that policy interests are served by maximizing
>> economic interests.
>>
>> Greg
>>
>>
>>
>> *Greg Shatan* C: 917-816-6428
>> S: gsshatan
>> Phone-to-Skype: 646-845-9428
>> gregshatanipc at gmail.com
>>
>> On Wed, Apr 26, 2017 at 11:28 AM, Dotzero <dotzero at gmail.com> wrote:
>>
>> Adding to what Tim and Allison wrote.
>>
>> As a starting point, I've had an account with DomainTools in the past and
>> will likely have one in the future, although I don't currently have one.
>>
>> There are other organizations and individuals which consume/aggregate
>> whois data so I don't think that for the purposes of this discussion the
>> focus should be on just DomainTools. I know researchers and academics who
>> use this data to analyze all sorts of things. As has been pointed out,
>> there are all sorts of folks staking out positions because of their
>> economic (and other) interests without necessarily being transparent about
>> those interests.
>>
>> It should be remembered that the Internet is an agglomeration of many
>> networks and resources, some public and some private. At the same time, it
>> is simply a bunch of technical standards that people and organizations have
>> agreed to use to interact with each other. In many cases, the ultimate
>> solution to abuse is to drop route. To the extent that good and granular
>> information is not readily available, regular (innocent) users may suffer
>> as owners and administrators of resources act to protect those resources
>> and their legitimate users from abuse and maliciousness. The reality is
>> that most users of the internet utilize a relatively small subset of all
>> the resources out there. For some, a service like Facebook IS the Internet.
>>
>> It may also incite a tendency towards returning to a model of walled
>> gardens. At various points I have heard discussions about the balkanization
>> of the internet, with things like separate roots, etc. People should think
>> very carefully about what they are asking for because they may not be happy
>> with it if they actually get it.
>>
>> Rather than starting from a model of justifying everything and anything
>> from a privacy perspective, I would suggest that it would be much more
>> appropriate, other than technical changes such as moving towards using
>> JSON, to require justification and consensus for any changes from the
>> existing model(s) of WHOIS.
>>
>> Michael Hammer
>>
>> On Wed, Apr 26, 2017 at 10:27 AM, allison nixon <elsakoo at gmail.com>
>> wrote:
>>
>> Thank you for your email Tim.
>> Full disclosure (because I believe in being transparent about this sort of
>> thing), we do business with Domaintools and use their tools to consume
>> whois data.
>> "i'll close by saying I think Allison's point about economic value has
>> merit.  yes, the point of the WG is not to protect anyone's economic
>> interest.  I agree 100% with that statement and will disagree with anyone
>> who thinks the future of DomainTools or other commercial service should
>> have one iota of impact on this discussion."
>> I will however disagree vehemently with you on this point. It is obvious
>> that many of the arguments to cut off anonymous querying to WHOIS data are
>> economically motivated. Financial concerns are cited numerous times in
>> approved documents. I also believe the "vetting" process is likely to
>> become a new revenue stream for someone as well. A revenue stream with
>> HIGHLY questionable privacy value-add.
>> Every dollar of income for the Domaintools company and others like it
>> comes from their clients, who see a multiplier of value from it. That means
>> that for every dollar spent on the entire whois aggregator industry, a
>> much larger amount of money is saved through prevented harms like fraud,
>> abuse, and even fake medications which kill people.
>> I think it is extremely important to identify what critical systems rely
>> on whois (either directly or downstream), and determine if we are ready to
>> give up the utility of these systems.
>> We also need to identify the value of the ability to anonymously query
>> whois and what that loss of privacy will mean as well. While I obviously do
>> not make many queries anonymously (although our vendor has their own privacy
>> policy), I understand this is important especially to those researching
>> more dangerous actors. Why would $_COUNTRY dissidents want to query domains
>> when their opponents would surely be hacking into the audit logs for this?
>>
>>
>> On Apr 25, 2017 11:41 PM, "Chen, Tim" <tim at domaintools.com> wrote:
>>
>> "And I hope more stakeholders in this multi-stakeholder process will come
>> forward with their own perspectives, as they will differ from mine."
>>
>> happy to do so.  DomainTools is clearly a stakeholder in this debate.
>>  and we have a fair amount of experience around the challenges, benefits
>> and risks of whois data aggregation at scale.
>>
>> from the beginning of this EWG/RDS idea we've stood down bc i didn't
>> believe our opinion would be seen as objective-enough given our line of
>> business.  but it is apparent to me having followed this debate for many
>> weeks now, that this is a working group of individuals who all bring their
>> own biases into the debate.  whether they care to admit that to themselves
>> or not.  so we might as well wade in too.  bc I think our experience is
>> very relevant to the discussion.
>>
>> i'll do my best to be as objective as I can, as a domain registrant
>> myself and as an informed industry participant.
>>
>> since our experience is working with security minded organizations, that
>> is the context with which I will comment.
>>
>> since this is an ICANN working group, I start with the ICANN mission
>> statement around the security and stability of the DNS.  I find myself
>> wanting to fit this debate to that as the north star.  i do not see the RDS
>> as purpose driven to fit the GDPR or any region-specific legal resolution.
>>  but I do see those as important inputs to our discussion.
>>
>> from a security perspective, my experience is that the benefits of the
>> current Whois model, taken with this lens, far outweigh the costs.  again,
>> I can only speak from my experience here at DomainTools, and obviously
>> under the current Whois regime.  This is not to say it cannot be improved.
>> From a data accuracy perspective alone there is enormous room for
>> improvement as I think we can all agree.  every day I see the tangible
>> benefits to security interests, which for the most part are "doing good",
>> from the work that we do.  when I compare that to the complaints that we
>> get bc "my PII is visible in your data", it's not even close by my value
>> barometer (which may differ from others').  this is relevant bc any future
>> solution will be imperfect as I have mentioned before.  as Allison and
>> others point out we need to measure the harm done by any new system that
>> may seek to solve one problem (privacy?) and inadvertently create many
>> more. since this group is fond of analogies I'll contribute one from the
>> medical oath (not sure if this is just U.S.) "first, do no harm".
>>
>> i'll close by saying I think Allison's point about economic value has
>> merit.  yes, the point of the WG is not to protect anyone's economic
>> interest.  I agree 100% with that statement and will disagree with anyone
>> who thinks the future of DomainTools or other commercial service should
>> have one iota of impact on this discussion.  but I also think "it's too
>> expensive" or "it's too hard" are weak and dangerous excuses when dealing
>> with an issue like this which has enormous and far reaching consequences
>> for the very mission of ICANN around the security and stability of our
>> internet.
>>
>> Tim
>>
>> On Mon, Apr 24, 2017 at 3:50 PM, allison nixon <elsakoo at gmail.com> wrote:
>>
>> Thanks for the documentation in your earlier email. While I understand
>> that's how things are supposed to work in theory, it's not implemented very
>> widely, and unless there is enforcement, then it's unlikely to be useful at
>> all.
>>
>>
>>
>> "as a given, we put ourselves in a certain position in terms of the
>> actions we can and cannot recommend. We can make similar statements focused
>> on registry operators, registrars, or any other stakeholder in this space.
>> If we all approach this WG's task with the goal of not changing anything,
>> we're all just wasting our time."
>>
>> There are things that people would be willing to change about WHOIS.
>> Changes purely relating to the data format would not be as controversial.
>> Changing to that RDAP json format would probably be an agreeable point to
>> most here.
>>
>> There are two different major points of contention here. The first is the
>> data format, second is the creation of a new monopoly and ceding power to
>> it. By monopoly I mean- who are the gatekeepers of "gated" access? Will it
>> avoid all of the problems that monopolies are historically prone to? Who
>> will pay them? It seems like a massive leap of faith to commit to this
>> without knowing who we are making the commitment to.
>>
>>
>>
>> "I do not believe it is this WG's responsibility to protect anyone's
>> commercial services if those things are basically in response to
>> deficiencies in the existing Whois protocol. "
>>
>> From my understanding of past ICANN working groups, registrars have
>> fought against issues that would have increased their costs. And the
>> destruction of useful WHOIS results (or becoming beholden to some new
>> monopoly) stands to incur far more costs for far larger industries.  So
>> this shouldn't surprise you. If those economic concerns are not valid then
>> I question why the economic concerns of registrars are valid.
>>
>> If entire industries are built around a feature you would consider a
>> "deficiency", then your opinion may solely be your own. And I hope more
>> stakeholders in this multi-stakeholder process will come forward with their
>> own perspectives, as they will differ from mine.
>>
>>
>>
>>
>>
>> "Not trying to hamstring the WG.  Just asking if this is not something
>> that has already been solved.."
>> Hi Paul,
>>
>> It's an interesting thought. This document was recommended to me as one
>> that was approved in the past by the working group that outlined what the
>> resulting system might look like. I'm still learning and reading about
>> these working groups and what they do, and this document is massive.
>>
>> https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf
>>
>> In the document, it says: *"Central to the remit of the EWG is the
>> question of how to design a system that increases **the accuracy of the
>> data collected while also offering protections for those
>> Registrants seeking to guard and maintain their privacy."*
>>
>> One of the things I notice is that any talk about actually
>>
>> ...
>
> [Message clipped]