[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
Paul Keating
Paul at law.es
Thu Apr 27 11:54:34 UTC 2017
Has the WG requested funds to retain a legal expert to educate us on the
actual laws at issue?
From: <gnso-rds-pdp-wg-bounces at icann.org> on behalf of Greg Shatan
<gregshatanipc at gmail.com>
Date: Thursday, April 27, 2017 at 12:38 AM
To: Volker Greimann <vgreimann at key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] international law enforcement association
resolution regarding domain registration data
> We also need to be very clear about the limits of the legal requirements of
> applicable law, and the various options available for dealing with the law.
> There's no need to overcomply. Indeed it would be quite unreasonable to do
> so.
>
> Just as paying the lowest calculable income tax is perfectly legitimate, so is
> complying with the law in the least disruptive way possible.
>
> Greg
>
> Greg Shatan
> C: 917-816-6428
> S: gsshatan
> Phone-to-Skype: 646-845-9428
> gregshatanipc at gmail.com <mailto:gregshatanipc at gmail.com>
>
>
> On Wed, Apr 26, 2017 at 1:06 PM, Volker Greimann <vgreimann at key-systems.net>
> wrote:
>>
>>
>>
>> I wish it were so simple. "Doing harm" is not necessary to be in violation
>> with applicable law. Just like jaywalking, speeding on an empty road or
>> crossing a red light carries a fine regardless of whether harm was done,
>> privacy law too does not care about an actual harm.
>>
>>
>> We need to be very clear about the legal requirements when we define the
>> limits of what can be done with the data we collect, and by whom.
>>
>>
>>
>> Volker
>>
>>
>>
>> Am 26.04.2017 um 18:43 schrieb John Horton:
>>
>>
>>>
>>> Greg, well said. And Tim, well said. And I'll strongly +1 Michael Hammer as
>>> well. I agree with the "do no harm" philosophy -- I'm not convinced that
>>> some of the proposed changes (e.g., those outlined in the EWG report)
>>> wouldn't cause more harm than the existing, admittedly imperfect, system. As
>>> I've said before, the importance of tools like Reverse Whois isn't only
>>> direct -- it's derivative as well. (If you enjoy the benefits of those of us
>>> who fight payment fraud, online abuse and other sorts of malfeasance, you
>>> have reverse Whois among other tools to thank.) Privacy laws in one part of
>>> the world are a factor we need to be aware of, among other factors.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Apr 26, 2017 at 9:07 AM nathalie coupet via gnso-rds-pdp-wg
>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>>
>>>
>>>>
>>>>
>>>>
>>>> +1
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Nathalie
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wednesday, April 26, 2017 12:02 PM, Victoria Sheckler
>>>> <vsheckler at riaa.com> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> +1
>>>>
>>>> Sent from my iPhone
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Apr 26, 2017, at 8:56 AM, Greg Shatan <gregshatanipc at gmail.com> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks for weighing in, Tim. Since this is a multistakeholder process,
>>>>> everyone is assumed to come in with a point of view, so don't be shy. At
>>>>> the same time, if stakeholders cling dogmatically to their points of view
>>>>> the multistakeholder model doesn't work.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> As for being out on a limb:
>>>>>
>>>>>
>>>>> * We haven't decided what data will be "private" and for which registrants
>>>>> (e.g., based on geography or entity status)
>>>>> * We haven't decided there will be "gated" access and what that might
>>>>> mean, both for policy and practicality
>>>>> * The question shouldn't be whether we will be "allowing third parties
>>>>> access to harvest, repackage and republish that data," but how we should
>>>>> allow this in a way that balances various concerns. Eliminating reverse
>>>>> Whois and other such services is not a goal of this Working Group.
>>>>>
>>>>> Our job should be to provide the greatest possible access to the best
>>>>> possible data, consistent with minimizing risk under reasonable
>>>>> interpretations of applicable law. We need to deal with existing and
>>>>> incoming privacy laws (and with other laws) as well, but not in a
>>>>> worshipful manner; instead it should be in a solution-oriented manner.
>>>>> This is not, after all, the Privacy Working Group. I'll +1 Michael
>>>>> Hammer: Rather than starting from a model of justifying everything and
>>>>> anything from a privacy perspective, I would suggest that it would be much
>>>>> more appropriate, other than technical changes such as moving towards
>>>>> using JSON, to require justification and consensus for any changes from
>>>>> the existing model(s) of WHOIS.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Finally, while our purpose is not to maintain anyone's economic interest,
>>>>> economic interests may well be aligned with policy interests. Assuming
>>>>> that economic interests are at odds with policy interests is just as
>>>>> dangerous as assuming that policy interests are served by maximizing
>>>>> economic interests.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Greg
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Greg Shatan
>>>>> C: 917-816-6428 <tel:(917)%20816-6428>
>>>>> S: gsshatan
>>>>> Phone-to-Skype: 646-845-9428 <tel:(646)%20845-9428>
>>>>> gregshatanipc at gmail.com <mailto:gregshatanipc at gmail.com>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 26, 2017 at 11:28 AM, Dotzero <dotzero at gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Adding to what Tim and Allison wrote.
>>>>>>
>>>>>>
>>>>>> As a starting point, I've had an account with DomainTools in the past
>>>>>> and will likely have one in the future, although I don't currently have
>>>>>> one.
>>>>>>
>>>>>> There are other organizations and individuals which consume/aggregate
>>>>>> whois data so I don't think that for the purposes of this discussion the
>>>>>> focus should be on just DomainTools. I know researchers and academics who
>>>>>> use this data to analyze all sorts of things. As has been pointed out,
>>>>>> there are all sorts of folks staking out positions because of their
>>>>>> economic (and other) interests without necessarily being transparent
>>>>>> about those interests.
>>>>>>
>>>>>>
>>>>>> It should be remembered that the Internet is an agglomeration of many
>>>>>> networks and resources, some public and some private. At the same time,
>>>>>> it is simply a bunch of technical standards that people and organizations
>>>>>> have agreed to use to interact with each other. In many cases, the
>>>>>> ultimate solution to abuse is to drop route. To the extent that good and
>>>>>> granular information is not readily available, regular (innocent) users
>>>>>> may suffer as owners and administrators of resources act to protect those
>>>>>> resources and their legitimate users from abuse and maliciousness. The
>>>>>> reality is that most users of the internet utilize a relatively small
>>>>>> subset of all the resources out there. For some, a service like Facebook
>>>>>> IS the Internet.
>>>>>>
>>>>>> It may also incite a tendency towards returning to a model of walled
>>>>>> gardens. At various points I have heard discussions about the
>>>>>> balkanization of the internet, with things like separate roots, etc.
>>>>>> People should think very carefully about what they are asking for because
>>>>>> they may not be happy with it if they actually get it.
>>>>>>
>>>>>>
>>>>>> Rather than starting from a model of justifying everything and anything
>>>>>> from a privacy perspective, I would suggest that it would be much more
>>>>>> appropriate, other than technical changes such as moving towards using
>>>>>> JSON, to require justification and consensus for any changes from the
>>>>>> existing model(s) of WHOIS.
>>>>>>
>>>>>>
>>>>>> Michael Hammer
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 26, 2017 at 10:27 AM, allison nixon <elsakoo at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thank you for your email Tim.
>>>>>>>
>>>>>>> Full disclosure(because I believe in being transparent about this sort
>>>>>>> of thing), we do business with Domaintools and use their tools to
>>>>>>> consume whois data.
>>>>>>>
>>>>>>> "i'll close by saying I think Allison's point about economic value has
>>>>>>> merit. yes, the point of the WG is not to protect anyone's economic
>>>>>>> interest. I agree 100% with that statement and will disagree with
>>>>>>> anyone who thinks the future of DomainTools or other commercial service
>>>>>>> should have one iota of impact on this discussion."
>>>>>>>
>>>>>>> I will however disagree vehemently with you on this point. It is obvious
>>>>>>> that many of the arguments to cut off anonymous querying to WHOIS data
>>>>>>> are economically motivated. Financial concerns are cited numerous times
>>>>>>> in approved documents. I also believe the "vetting" process is likely to
>>>>>>> become a new revenue stream for someone as well. A revenue stream with
>>>>>>> HIGHLY questionable privacy value-add.
>>>>>>>
>>>>>>> Every dollar of income for the Domaintools company and others like it
>>>>>>> come from their clients, who see a multiplier of value from it. That
>>>>>>> means for every dollar spent on the entire whois aggregator industry
>>>>>>> means that a much larger amount of money is saved through prevented
>>>>>>> harms like fraud, abuse, and even fake medications which kill people.
>>>>>>>
>>>>>>> I think it is extremely important to identify what critical systems rely
>>>>>>> on whois (either directly or downstream), and determine if we are ready
>>>>>>> to give up the utility of these systems.
>>>>>>>
>>>>>>> We also need to identify the value of the ability to anonymously query
>>>>>>> whois and what that loss of privacy will mean as well. While I obviously
>>>>>>> do not make many queries anonymously(although our vendor has their own
>>>>>>> privacy policy), I understand this is important especially to those
>>>>>>> researching more dangerous actors. Why would $_COUNTRY dissidents want
>>>>>>> to query domains when their opponents would surely be hacking into the
>>>>>>> audit logs for this?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Apr 25, 2017 11:41 PM, "Chen, Tim" <tim at domaintools.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>> "And I hope more stakeholders in this multi-stakeholder process will
>>>>>>> come forward with their own perspectives, as they will differ from
>>>>>>> mine."
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> happy to do so. DomainTools is clearly a stakeholder in this debate.
>>>>>>> and we have a fair amount of experience around the challenges, benefits
>>>>>>> and risks of whois data aggregation at scale.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> from the beginning of this EWG/RDS idea we've stood down bc i didn't
>>>>>>> believe our opinion would be seen as objective-enough given our line of
>>>>>>> business. but it is apparent to me having followed this debate for many
>>>>>>> weeks now, that this is a working group of individuals who all bring
>>>>>>> their own biases into the debate. whether they care to admit that to
>>>>>>> themselves or not. so we might as well wade in too. bc I think our
>>>>>>> experience is very relevant to the discussion.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> i'll do my best to be as objective as I can, as a domain registrant
>>>>>>> myself and as an informed industry participant.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> since our experience is working with security minded organizations, that
>>>>>>> is the context with which I will comment.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> since this is an ICANN working group, I start with the ICANN mission
>>>>>>> statement around the security and stability of the DNS. I find myself
>>>>>>> wanting to fit this debate to that as the north star. i do not see the
>>>>>>> RDS as purpose driven to fit the GDPR or any region-specific legal
>>>>>>> resolution. but I do see those as important inputs to our discussion.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> from a security perspective, my experience is that the benefits of the
>>>>>>> current Whois model, taken with this lens, far outweigh the costs.
>>>>>>> again, I can only speak from my experience here at DomainTools, and
>>>>>>> obviously under the current Whois regime. This is not to say it cannot
>>>>>>> be improved. From a data accuracy perspective alone there is enormous
>>>>>>> room for improvement as I think we can all agree. every day I see the
>>>>>>> tangible benefits to security interests, which for the most part are
>>>>>>> "doing good", from the work that we do. when I compare that to the
>>>>>>> complaints that we get bc "my PII is visible in your data", it's not
>>>>>>> even close by my value barometer (which my differ from others'). this
>>>>>>> is relevant bc any future solution will be imperfect as I have mentioned
>>>>>>> before. as Allison and others point out we need to measure the harm
>>>>>>> done by any new system that may seek to solve one problem (privacy?) and
>>>>>>> inadvertently create many more. since this group is fond of analogies
>>>>>>> I'll contribute one from the medical oath (not sure if this is just
>>>>>>> U.S.) "first, do no harm".
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> i'll close by saying I think Allison's point about economic value has
>>>>>>> merit. yes, the point of the WG is not to protect anyone's economic
>>>>>>> interest. I agree 100% with that statement and will disagree with
>>>>>>> anyone who thinks the future of DomainTools or other commercial service
>>>>>>> should have one iota of impact on this discussion. but I also think
>>>>>>> "it's too expensive" or "it's too hard" are weak and dangerous excuses
>>>>>>> when dealing with an issue like this which has enormous and far reaching
>>>>>>> consequences for the very mission of ICANN around the security and
>>>>>>> stability of our internet.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 24, 2017 at 3:50 PM, allison nixon <elsakoo at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Thanks for the documentation in your earlier email. While I understand
>>>>>>> that's how things are supposed to work in theory, it's not implemented
>>>>>>> very widely, and unless there is enforcement, then it's unlikely to be
>>>>>>> useful at all.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "as a given, we put ourselves in a certain position in terms of the
>>>>>>> actions we can and cannot recommend. We can make similar statements
>>>>>>> focused on registry operators, registrars, or any other stakeholder in
>>>>>>> this space. If we all approach this WG's task with the goal of not
>>>>>>> changing anything, we're all just wasting our time."
>>>>>>>
>>>>>>> There are things that people would be willing to change about WHOIS.
>>>>>>> Changes purely relating to the data format would not be as
>>>>>>> controversial. Changing to that RDAP json format would probably be an
>>>>>>> agreeable point to most here.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> There are two different major points of contention here. The first is
>>>>>>> the data format, second is the creation of a new monopoly and ceding
>>>>>>> power to it. By monopoly I mean- who are the gatekeepers of "gated"
>>>>>>> access? Will it avoid all of the problems that monopolies are
>>>>>>> historically prone to? Who will pay them? It seems like a massive leap
>>>>>>> of faith to commit to this without knowing who we are making the
>>>>>>> commitment to.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "I do not believe it is this WG's responsibility to protect anyone's
>>>>>>> commercial services if those things are basically in response to
>>>>>>> deficiencies in the existing Whois protocol. "
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From my understanding of past ICANN working groups, registrars have
>>>>>>> fought against issues that would have increased their costs. And the
>>>>>>> destruction of useful WHOIS results(or becoming beholden to some new
>>>>>>> monopoly) stand to incur far more costs for far larger industries. So
>>>>>>> this shouldn't surprise you. If those economic concerns are not valid
>>>>>>> then I question why the economic concerns of registrars are valid.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> If entire industries are built around a feature you would consider a
>>>>>>> "deficiency", then your opinion may solely be your own. And I hope more
>>>>>>> stakeholders in this multi-stakeholder process will come forward with
>>>>>>> their own perspectives, as they will differ from mine.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "Not trying to hamstring the WG. Just asking if this is not something
>>>>>>> that has already been solved.."
>>>>>>>
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It's an interesting thought. This document was recommended to me as one
>>>>>>> that was approved in the past by the working group that outlined what
>>>>>>> the resulting system might look like. I'm still learning and reading
>>>>>>> about these working groups and what they do, and this document is
>>>>>>> massive.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://www.icann.org/en/syste m/files/files/final-report-06j
>>>>>>> un14-en.pdf
>>>>>>> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In the document, it says: "Central to the remit of the EWG is the
>>>>>>> question of how to design a system that increases the accuracy of the
>>>>>>> data collected while also offering protections for those Registrants
>>>>>>> seeking to guard and maintain their privacy."
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> One of the things I notice is that any talk about actually increasing
>>>>>>> accuracy of whois info- via enforcement- is vigorously opposed in this
>>>>>>> group, and it's merely assumed that people will supply better quality
>>>>>>> data under the new system.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Throughout the document it talks about use-cases and features (whois
>>>>>>> history, reverse query, etc), which are indeed identical to the features
>>>>>>> of the whois aggregators of current day. Such a system would replace
>>>>>>> them. Will the service quality be as good?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On page 63 it gets into thoughts on who would be "accredited" to access
>>>>>>> the gated whois data. Every proposed scenario seems to recognize the
>>>>>>> resulting system will need to handle a large query volume from a large
>>>>>>> number of people, and one proposes accrediting bodies which may accredit
>>>>>>> organizations which may accredit individuals. It even proposes an abuse
>>>>>>> handling system which is also reminiscent in structure to how abuse is
>>>>>>> handled currently in our domain name system. Many of these proposed
>>>>>>> schemes appear to mimic the ways that the hosting industry and registrar
>>>>>>> industry operate, so we can expect that the patterns of abuse will be
>>>>>>> equally frequent, especially if higher quality data is supplied.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The proposed scenarios all paint a picture of "gated" access with very
>>>>>>> wide gates, while simultaneously representing to domain purchasers that
>>>>>>> their data is safe and privacy protected. And this is supposed to
>>>>>>> *reduce* the total number of privacy violations? This doesn't even
>>>>>>> appeal to me as a consumer of this data.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Whoever sets up this system also stands to inherit a lot of money from
>>>>>>> the soon-to-be-defunct whois aggregation industry. They would certainly
>>>>>>> win our contract, because we would have no choice. All domain reputation
>>>>>>> services, anti-spam, security research, etc, efforts will all need to
>>>>>>> pay up.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> After being supplied with the above document, I also saw a copy of a
>>>>>>> rebuttal written by a company that monitors abusive domains. I strongly
>>>>>>> agree with the sentiments in this document and I do not see evidence
>>>>>>> that those concerns have received fair consideration. While I do not see
>>>>>>> this new gatekeeper as an existential threat, I do see it as a likely
>>>>>>> degradation in the utility i do see from whois. To be clear, we do not
>>>>>>> do any business with this company.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://mm.icann.org/pipermail/ input-to-ewg/attachments/20130
>>>>>>> 823/410038bb/LegitScriptCommen tsonICANNEWGWhoisReplacementSt
>>>>>>> ructure-0001.pdf
>>>>>>> <http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038b
>>>>>>> b/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I also found John Bambenek's point in a later thread to be interesting-
>>>>>>> concentrating WHOIS knowledge solely to one organization allows the
>>>>>>> country it resides in to use it to support its intelligence apparatus,
>>>>>>> for example monitoring when its espionage domains are queried for, and
>>>>>>> targeting researchers that query them (since anonymous querying will be
>>>>>>> revoked). Nation states already use domains in operations so this
>>>>>>> monopoly is a perfect strategic data reserve. The fact that this system
>>>>>>> is pushed by privacy advocates is indeed ironic.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> None of those concerns appear to have been addressed by this group in
>>>>>>> any serious capacity. Before the addition of new members, I don't think
>>>>>>> many people had the backgrounds or skillsets to even understand why they
>>>>>>> are a concern. But I think this is a discussion worth having at this
>>>>>>> point in time for this group.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 24, 2017 at 1:50 PM, Andrew Sullivan
>>>>>>> <ajs at anvilwalrusden.com> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Mon, Apr 24, 2017 at 07:25:47PM +0200, Paul Keating wrote:
>>>>>>>> > Andrew,
>>>>>>>> >
>>>>>>>> > Thank you. That was helpful.
>>>>>>>> >
>>>>>>>> > ""Given this registrant, what other
>>>>>>>> > domains are registered?" is a solved problem, and has been since the
>>>>>>>> > early 2000s.²
>>>>>>>> >
>>>>>>>> > This is also traceable via alternative means such as consistencies
in
>>>>>>>> > various WHOIS fields such as email, address, name, etc.
>>>>>>>
>>>>>>> Well, sort of. The email, address, and name fields are _user_
>>>>>>> supplied. So they come from the other party to the transaction. The
>>>>>>> ROID is assigned by the registry itself. So once you have a match,
>>>>>>> you know that you are looking at the same object, only the same
>>>>>>> object, and all the same object(s).
>>>>>>>
>>>>>>> Email addresses in particular are guaranteed unique in the world at
>>>>>>> any given time (though not guaranteed as unique identifiers over
>>>>>>> time), so they may be useful for these purposes. Take it from someone
>>>>>>> named "Andrew Sullivan", however, that names are pretty useless as
>>>>>>> context-free identifiers :)
>>>>>>>
>>>>>>>> > In reality finding out answers to questions such as
>>>>>>>> > yours (above) requires investigation using a plethora of data.
>>>>>>>
>>>>>>> To be clear, finding out the answer to what I (meant to) pose(d)
>>>>>>> requires no plethora of data: it requires a single query and access to
>>>>>>> the right repository (the registry). In some theoretical system, the
>>>>>>> correct underlying database query would be something like this:
>>>>>>>
>>>>>>> SELECT domain_roid, domain_name FROM domains WHERE registrant_roid
>>>>>>> = ?;
>>>>>>>
>>>>>>> and you put the correct ROID in where the question mark is, and off
>>>>>>> you go. That will give you the list of all the domain names, and
>>>>>>> their relevant ROIDs, registered by a given registrant contact. At
>>>>>>> least one registry with which I am familiar once had a WHOIS feature
>>>>>>> that allowed something close to the above, only it would stop after
>>>>>>> some number of domains so as not to return too much data. I think the
>>>>>>> default was therefore LIMIT 50, but I also think the feature was
>>>>>>> eventually eliminated about the time that the ICANN community rejected
>>>>>>> IRIS as an answer to "the whois problem".
>>>>>>>
>>>>>>> What the above will of course not do is help you in the event Bob The
>>>>>>> Scammer has created dozens of different contacts for himself by (say)
>>>>>>> registering names through many different registrars. I do not believe
>>>>>>> that any registry is going to support such a use at least without
>>>>>>> access controls, because it can be expensive to answer such things.
>>>>>>> So, what you understood me to be asking, I think, is the question I
>>>>>>> did _not_ ask: given this human being or organization, what other
>>>>>>> domains are registered?" That does require a lot of different data,
>>>>>>> and it requires cross-organizational searches, and it requires sussing
>>>>>>> out when someone has lied also. Such research is, I agree, completely
>>>>>>> outside the scope of what any technical system will ever be able to
>>>>>>> offer reliably.
>>>>>>>
>>>>>>>> > An entire
>>>>>>>> > industry exists for this purpose and I don¹t think we should be
>>>>>>>> > considering replacing what has already been existing in the cyber
>>>>>>>> security
>>>>>>>> > marketplace.
>>>>>>>
>>>>>>> I do not believe it is this WG's responsibility to protect anyone's
>>>>>>> commercial services if those things are basically in response to
>>>>>>> deficiencies in the existing Whois protocol. In this case, however,
>>>>>>> that's not the problem. Linking data in multiple databases to a given
>>>>>>> real-world human being is hard even in systems without competition and
>>>>>>> multiple points of access. It's always going to require researchers
>>>>>>> for the domain name system.
>>>>>>>
>>>>>>> Best regards.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> A
>>>>>>>
>>>>>>> --
>>>>>>> Andrew Sullivan
>>>>>>> ajs at anvilwalrusden.com
>>>>>>> ______________________________ _________________
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
>>>>>>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ______________________________ ___
>>>>>>> Note to self: Pillage BEFORE burning.
>>>>>>>
>>>>>>>
>>>>>>> ______________________________ _________________
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
>>>>>>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> ______________________________ _________________
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
>>>>>>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ______________________________ _________________
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> gnso-rds-pdp-wg mailing list
>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg
>>>>>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> _______________________________________________
>>>>> gnso-rds-pdp-wg mailing list
>>>>> gnso-rds-pdp-wg at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> gnso-rds-pdp-wg mailing list
>>> gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-
>>> wg
>>>
>>
>>
>> --
>> Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
>>
>> Mit freundlichen Grüßen,
>>
>> Volker A. Greimann
>> - Rechtsabteilung -
>>
>> Key-Systems GmbH
>> Im Oberen Werk 1
>> 66386 St. Ingbert
>> Tel.: +49 (0) 6894 - 9396 901 <tel:+49%206894%209396901>
>> Fax.: +49 (0) 6894 - 9396 851 <tel:+49%206894%209396851>
>> Email: vgreimann at key-systems.net
>>
>> Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net
>> <http://www.RRPproxy.net> www.domaindiscount24.com
>> <http://www.domaindiscount24.com> / www.BrandShelter.com
>> <http://www.BrandShelter.com>
>>
>> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
>> www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>
>> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
>>
>> Geschäftsführer: Alexander Siffrin
>> Handelsregister Nr.: HR B 18835 - Saarbruecken
>> Umsatzsteuer ID.: DE211006534
>>
>> Member of the KEYDRIVE GROUP
>> www.keydrive.lu <http://www.keydrive.lu>
>>
>> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen
>> Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder
>> Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese
>> Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per
>> E-Mail oder telefonisch in Verbindung zu setzen.
>>
>> --------------------------------------------
>>
>> Should you have any further questions, please do not hesitate to contact us.
>>
>> Best regards,
>>
>> Volker A. Greimann
>> - legal department -
>>
>> Key-Systems GmbH
>> Im Oberen Werk 1
>> 66386 St. Ingbert
>> Tel.: +49 (0) 6894 - 9396 901 <tel:+49%206894%209396901>
>> Fax.: +49 (0) 6894 - 9396 851 <tel:+49%206894%209396851>
>> Email: vgreimann at key-systems.net
>>
>> Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net
>> <http://www.RRPproxy.net> www.domaindiscount24.com
>> <http://www.domaindiscount24.com> / www.BrandShelter.com
>> <http://www.BrandShelter.com>
>>
>> Follow us on Twitter or join our fan community on Facebook and stay updated:
>> www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>
>> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
>>
>> CEO: Alexander Siffrin
>> Registration No.: HR B 18835 - Saarbruecken
>> V.A.T. ID.: DE211006534
>>
>> Member of the KEYDRIVE GROUP
>> www.keydrive.lu <http://www.keydrive.lu>
>>
>> This e-mail and its attachments is intended only for the person to whom it is
>> addressed. Furthermore it is not permitted to publish any content of this
>> email. You must not use, disclose, copy, print or rely on this e-mail. If an
>> addressing or transmission error has misdirected this e-mail, kindly notify
>> the author by replying to this e-mail or contacting us by telephone.
>>
>>
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________ gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170427/02eb3173/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list