[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Thu Apr 27 16:36:01 UTC 2017
It seems apparent that nobody reads my posts. I remain undeterred.
There are, as of 2015, 109 national data protection laws in effect.
That is a lot more than Europe. Check our documents trove, you will
find the references to the excellent chart which is maintained by
Professor Graham Greenleaf, emeritus of the University of New South
Wales. Just google it and you will find in and other references. I
recommend his excellent book on data privacy law in Asia.
Stephanie Perrin
On 2017-04-27 08:23, John Horton wrote:
> Well, on that note, let me propose a solution to consider.
>
> Volker and others have pointed out that the EU has some legal
> requirements pertaining to privacy. As far as I can tell, these
> generally don't exist elsewhere. (That's not to say "nowhere," but
> it's the exception, not the rule.) Let's stipulate, for the sake of
> argument, that registrars in those countries have to adhere to those
> laws. However, the purpose of privacy laws in Germany, France or
> Sweden are to protect the citizens of those countries -- not
> registrants in other countries.
>
> As a trade-off, it seems reasonable to me to explore a solution where
> EU registrars agree to forego accepting domain name registrations from
> outside their own jurisdiction. We can then have a bi-furcated system
> -- this should only apply to registrants using the domain name for
> non-commercial reasons, by the way, since the privacy laws only apply
> to individuals, not corporations -- where, say, a German citizen can
> register with Key-Systems (for example) and enjoy whatever data
> protections Key-Systems feels that it needs to implement. (Volker, I'm
> not picking on you here, I'm just using you as an EU-based example.)
> It's incredibly easy to implement technically: just restrict the
> available countries in the drop-down menu during registration to a
> single country.
>
> After all, as a US citizen, why should I -- or a Chinese citizen, or a
> Brazilian citizen -- have the right to avail myself of the privacy
> protections afforded by the German government to German citizens?
> Those aren't meant for me.
>
> And, after all, why should privacy protections that apply to a
> minority of the world's population force a global change everywhere?
>
> I'd be interested to hear from registrars whether, in exchange for
> being able to implement rigorous privacy protections for domain names
> used for non-commercial purposes, they would be willing to forego
> accepting registrations from outside of their own jurisdiction (or,
> perhaps, the EU). This would allow Volker and others to comply with
> their own laws but in a minimally disruptive way.
>
> John Horton
> President and CEO, LegitScript
>
>
> *FollowLegitScript*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com> | Facebook
> <https://www.facebook.com/LegitScript> | Twitter
> <https://twitter.com/legitscript> | _Blog
> <http://blog.legitscript.com>_ |Google+
> <https://plus.google.com/112436813474708014933/posts>
>
>
>
>
> On Thu, Apr 27, 2017 at 4:45 AM, Ayden Férdeline <icann at ferdeline.com
> <mailto:icann at ferdeline.com>> wrote:
>
> re: the repeated suggestion of “opt in registration for public
> WHOIS”. It bears repeating what was said to us by the Data
> Protection Commissioners in Copenhagen; consent is not a waiver
> for disproportionate or unlawful processing. You cannot ask a data
> subject to consent to something which is unlawful.
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>
>> -------- Original Message --------
>> Subject: Re: [gnso-rds-pdp-wg] international law enforcement
>> association resolution regarding domain registration data
>> Local Time: 27 April 2017 12:36 PM
>> UTC Time: 27 April 2017 11:36
>> From: Paul at law.es <mailto:Paul at law.es>
>> To: Michele Neylon - Blacknight <michele at blacknight.com
>> <mailto:michele at blacknight.com>>, Greg Shatan
>> <gregshatanipc at gmail.com <mailto:gregshatanipc at gmail.com>>,
>> Volker Greimann <vgreimann at key-systems.net
>> <mailto:vgreimann at key-systems.net>>
>> RDS PDP WG <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>>
>>
>> "Privacy laws in one part of the world are a factor we need to be
>> aware of, among other factors. “
>>
>> This seems to be the entire driving force behind considering a
>> more restrictive (gated) access to WHOIS. If there are other
>> reasons please let me know.
>>
>> Also, I have yet to see any legal authority that precludes:
>>
>> Opt in registration for public WHOIS
>> For those not desiring a public WHOIS record, then the ability to
>> use a recognized privacy service so as to “anchor" the
>> registration of the domain
>>
>> If one does exist can someone point me to the link?
>>
>>
>> A balancing of needs is important here. Seems to me that the
>> competing interests here are not simply privacy vs. public
>> access. There are the private interests of those who regularly
>> use the current WHOIS data set for any variety of purposes including:
>>
>> Security research and prevention
>> Law enforcement
>> Highjacking recovery
>> Private transactions (confirmation of current and historical
>> ownership)
>> Lending and financing transactions (confirmation of ownership to
>> support security interests)
>> Providing WHOIS and other data services to others
>>
>>
>> Paul
>>
>>
>>
>> *From: * <gnso-rds-pdp-wg-bounces at icann.org
>> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Michele
>> Blacknight <michele at blacknight.com <mailto:michele at blacknight.com>>
>> *Date: * Thursday, April 27, 2017 at 9:21 AM
>> *To: * Greg Shatan <gregshatanipc at gmail.com
>> <mailto:gregshatanipc at gmail.com>>, Volker Greimann
>> <vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>>
>> *Cc: * RDS PDP WG <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>>
>> *Subject: * Re: [gnso-rds-pdp-wg] international law enforcement
>> association resolution regarding domain registration data
>>
>> Greg
>>
>>
>> As a business owner I need to make sure that I’m not exposing
>> myself or the company to unnecessary risk.
>>
>> While big corporations might be comfortable spending large
>> amounts of money on “creative” tax arrangements that isn’t
>> really an option for smaller companies like ourselves.
>>
>>
>> Regards
>>
>>
>> Michele
>>
>>
>> --
>>
>> Mr Michele Neylon
>>
>> Blacknight Solutions
>>
>> Hosting, Colocation & Domains
>>
>> https://www.blacknight.com/
>>
>> https://blacknight.blog/
>>
>> https://ceo.hosting/
>>
>> Intl. +353 (0) 59 9183072 <tel:+353%2059%20918%203072>
>>
>> Direct Dial: +353 (0)59 9183090 <tel:+353%2059%20918%203090>
>>
>> -------------------------------
>>
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside
>> Business Park,Sleaty
>>
>> Road,Graiguecullen,Carlow,R93 X265,
>>
>> Ireland Company No.: 370845
>>
>>
>> *From: *<gnso-rds-pdp-wg-bounces at icann.org
>> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Greg
>> Shatan <gregshatanipc at gmail.com <mailto:gregshatanipc at gmail.com>>
>> *Date: *Wednesday 26 April 2017 at 23:38
>> *To: *Volker Greimann <vgreimann at key-systems.net
>> <mailto:vgreimann at key-systems.net>>
>> *Cc: *RDS PDP WG <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>>
>> *Subject: *Re: [gnso-rds-pdp-wg] international law
>> enforcement association resolution regarding domain
>> registration data
>>
>>
>> We also need to be very clear about the limits of the legal
>> requirements of applicable law, and the various options
>> available for dealing with the law. There's no need to
>> overcomply. Indeed it would be quite unreasonable to do so.
>>
>>
>> Just as paying the lowest calculable income tax is perfectly
>> legitimate, so is complying with the law in the least
>> disruptive way possible.
>>
>>
>> Greg
>>
>>
>> *Greg Shatan
>> *C: 917-816-6428 <tel:%28917%29%20816-6428>
>> S: gsshatan
>> Phone-to-Skype: 646-845-9428 <tel:%28646%29%20845-9428>
>> gregshatanipc at gmail.com <mailto:gregshatanipc at gmail.com>
>>
>>
>> On Wed, Apr 26, 2017 at 1:06 PM, Volker Greimann
>> <vgreimann at key-systems.net
>> <mailto:vgreimann at key-systems.net>> wrote:
>>
>> I wish it were so simple. "Doing harm" is not necessary
>> to be in violation with applicable law. Just like
>> jaywalking, speeding on an empty road or crossing a red
>> light carries a fine regardless of whether harm was done,
>> privacy law too does not care about an actual harm.
>>
>> We need to be very clear about the legal requirements
>> when we define the limits of what can be done with the
>> data we collect, and by whom.
>>
>> Volker
>>
>>
>> Am 26.04.2017 um 18:43 schrieb John Horton:
>>
>> Greg, well said. And Tim, well said. And I'll
>> strongly +1 Michael Hammer as well. I agree with the
>> "do no harm" philosophy -- I'm not convinced that
>> some of the proposed changes (e.g., those outlined in
>> the EWG report) wouldn't cause more harm than the
>> existing, admittedly imperfect, system. As I've said
>> before, the importance of tools like Reverse Whois
>> isn't only direct -- it's derivative as well. (If you
>> enjoy the benefits of those of us who fight payment
>> fraud, online abuse and other sorts of malfeasance,
>> you have reverse Whois among other tools to thank.)
>> Privacy laws in one part of the world are a factor we
>> need to be aware of, among other factors.
>>
>>
>> On Wed, Apr 26, 2017 at 9:07 AM nathalie coupet via
>> gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>> wrote:
>>
>> +1
>>
>>
>> Nathalie
>>
>>
>> On Wednesday, April 26, 2017 12:02 PM, Victoria
>> Sheckler <vsheckler at riaa.com
>> <mailto:vsheckler at riaa.com>> wrote:
>>
>>
>> +1
>>
>> Sent from my iPhone
>>
>>
>> On Apr 26, 2017, at 8:56 AM, Greg Shatan
>> <gregshatanipc at gmail.com
>> <mailto:gregshatanipc at gmail.com>> wrote:
>>
>> Thanks for weighing in, Tim. Since this is a
>> multi_stakeholder_ process, everyone is
>> assumed to come in with a point of view, so
>> don't be shy. At the same time, if
>> stakeholders cling dogmatically to their
>> points of view the multistakeholder model
>> doesn't work.
>>
>>
>> As for being out on a limb:
>>
>> * We haven't decided what data will be
>> "private" and for which registrants
>> (e.g., based on geography or entity status)
>> * We haven't decided there will be "gated"
>> access and what that might mean, both for
>> policy and practicality
>> * The question shouldn't be whether we will
>> be "allowing third parties access to
>> harvest, repackage and republish that
>> data," but how we should allow this in a
>> way that balances various concerns.
>> Eliminating reverse Whois and other such
>> services is not a goal of this Working Group.
>>
>> Our job should be to provide the greatest
>> possible access to the best possible data,
>> consistent with minimizing risk under
>> reasonable interpretations of applicable
>> law. We need to deal with existing and
>> incoming privacy laws (and with other laws)
>> as well, but not in a worshipful manner;
>> instead it should be in a solution-oriented
>> manner. This is not, after all, the Privacy
>> Working Group. I'll +1 Michael Hammer:
>> Rather than starting from a model of
>> justifying everything and anything from a
>> privacy perspective, I would suggest that it
>> would be much more appropriate, other than
>> technical changes such as moving towards
>> using JSON, to require justification and
>> consensus for any changes from the existing
>> model(s) of WHOIS.
>>
>>
>> Finally, while our purpose is not to maintain
>> anyone's economic interest, economic
>> interests may well be aligned with policy
>> interests. Assuming that economic interests
>> are at odds with policy interests is just as
>> dangerous as assuming that policy interests
>> are served by maximizing economic interests.
>>
>>
>> Greg
>>
>>
>> *Greg Shatan
>> *C: 917-816-6428 <tel:%28917%29%20816-6428>
>> S: gsshatan
>> Phone-to-Skype: 646-845-9428
>> <tel:%28646%29%20845-9428>
>> gregshatanipc at gmail.com
>> <mailto:gregshatanipc at gmail.com>
>>
>>
>> On Wed, Apr 26, 2017 at 11:28 AM, Dotzero
>> <dotzero at gmail.com
>> <mailto:dotzero at gmail.com>> wrote:
>>
>> Adding to what Tim and Allison wrote.
>>
>> As a starting point, I've had an account
>> with DomainTools in the past and will
>> likely have one in the future, although I
>> don't currently have one.
>>
>> There are other organizations and
>> individuals which consume/aggregate whois
>> data so I don't think that for the
>> purposes of this discussion the focus
>> should be on just DomainTools. I know
>> researchers and academics who use this
>> data to analyze all sorts of things. As
>> has been pointed out, there are all sorts
>> of folks staking out positions because of
>> their economic (and other) interests
>> without necessarily being transparent
>> about those interests.
>>
>> It should be remembered that the Internet
>> is an agglomeration of many networks and
>> resources, some public and some private.
>> At the same time, it is simply a bunch of
>> technical standards that people and
>> organizations have agreed to use to
>> interact with each other. In many cases,
>> the ultimate solution to abuse is to drop
>> route. To the extent that good and
>> granular information is not readily
>> available, regular (innocent) users may
>> suffer as owners and administrators of
>> resources act to protect those resources
>> and their legitimate users from abuse and
>> maliciousness. The reality is that most
>> users of the internet utilize a
>> relatively small subset of all the
>> resources out there. For some, a service
>> like Facebook IS the Internet.
>>
>> It may also incite a tendency towards
>> returning to a model of walled gardens.
>> At various points I have heard
>> discussions about the balkanization of
>> the internet, with things like separate
>> roots, etc. People should think very
>> carefully about what they are asking for
>> because they may not be happy with it if
>> they actually get it.
>>
>> Rather than starting from a model of
>> justifying everything and anything from a
>> privacy perspective, I would suggest that
>> it would be much more appropriate, other
>> than technical changes such as moving
>> towards using JSON, to require
>> justification and consensus for any
>> changes from the existing model(s) of WHOIS.
>>
>> Michael Hammer
>>
>> On Wed, Apr 26, 2017 at 10:27 AM, allison
>> nixon <elsakoo at gmail.com
>> <mailto:elsakoo at gmail.com>> wrote:
>>
>> Thank you for your email Tim.
>>
>> Full disclosure(because I believe in
>> being transparent about this sort of
>> thing), we do business with
>> Domaintools and use their tools to
>> consume whois data.
>>
>> "i'll close by saying I think
>> Allison's point about economic value
>> has merit. yes, the point of the WG
>> is not to protect anyone's economic
>> interest. I agree 100% with that
>> statement and will disagree with
>> anyone who thinks the future of
>> DomainTools or other commercial
>> service should have one iota of
>> impact on this discussion."
>>
>> I will however disagree vehemently
>> with you on this point. It is obvious
>> that many of the arguments to cut off
>> anonymous querying to WHOIS data are
>> economically motivated. Financial
>> concerns are cited numerous times in
>> approved documents. I also believe
>> the "vetting" process is likely to
>> become a new revenue stream for
>> someone as well. A revenue stream
>> with HIGHLY questionable privacy
>> value-add.
>>
>> Every dollar of income for the
>> Domaintools company and others like
>> it come from their clients, who see a
>> multiplier of value from it. That
>> means for every dollar spent on the
>> entire whois aggregator industry
>> means that a much larger amount of
>> money is saved through prevented
>> harms like fraud, abuse, and even
>> fake medications which kill people.
>>
>> I think it is extremely important to
>> identify what critical systems rely
>> on whois (either directly or
>> downstream), and determine if we are
>> ready to give up the utility of these
>> systems.
>>
>> We also need to identify the value of
>> the ability to anonymously query
>> whois and what that loss of privacy
>> will mean as well. While I obviously
>> do not make many queries
>> anonymously(although our vendor has
>> their own privacy policy), I
>> understand this is important
>> especially to those researching more
>> dangerous actors. Why would $_COUNTRY
>> dissidents want to query domains when
>> their opponents would surely be
>> hacking into the audit logs for this?
>>
>>
>> On Apr 25, 2017 11:41 PM, "Chen, Tim"
>> <tim at domaintools.com
>> <mailto:tim at domaintools.com>> wrote:
>>
>> "And I hope more stakeholders in
>> this multi-stakeholder process
>> will come forward with their own
>> perspectives, as they will differ
>> from mine."
>>
>>
>> happy to do so. DomainTools is
>> clearly a stakeholder in this
>> debate. and we have a fair
>> amount of experience around the
>> challenges, benefits and risks of
>> whois data aggregation at scale.
>>
>>
>> from the beginning of this
>> EWG/RDS idea we've stood down bc
>> i didn't believe our opinion
>> would be seen as objective-enough
>> given our line of business. but
>> it is apparent to me having
>> followed this debate for many
>> weeks now, that this is a working
>> group of individuals who all
>> bring their own biases into the
>> debate. whether they care to
>> admit that to themselves or not.
>> so we might as well wade in too.
>> bc I think our experience is
>> very relevant to the discussion.
>>
>>
>> i'll do my best to be as
>> objective as I can, as a domain
>> registrant myself and as an
>> informed industry participant.
>>
>>
>> since our experience is working
>> with security minded
>> organizations, that is the
>> context with which I will comment.
>>
>>
>> since this is an ICANN working
>> group, I start with the ICANN
>> mission statement around the
>> security and stability of the
>> DNS. I find myself wanting to
>> fit this debate to that as the
>> north star. i do not see the RDS
>> as purpose driven to fit the GDPR
>> or any region-specific legal
>> resolution. but I do see those
>> as important inputs to our
>> discussion.
>>
>>
>> from a security perspective, my
>> experience is that the benefits
>> of the current Whois model, taken
>> with this lens, far outweigh the
>> costs. again, I can only speak
>> from my experience here at
>> DomainTools, and obviously under
>> the current Whois regime. This
>> is not to say it cannot be
>> improved. From a data accuracy
>> perspective alone there is
>> enormous room for improvement as
>> I think we can all agree. every
>> day I see the tangible benefits
>> to security interests, which for
>> the most part are "doing good",
>> from the work that we do. when I
>> compare that to the complaints
>> that we get bc "my PII is visible
>> in your data", it's not even
>> close by my value barometer
>> (which my differ from others').
>> this is relevant bc any future
>> solution will be imperfect as I
>> have mentioned before. as
>> Allison and others point out we
>> need to measure the harm done by
>> any new system that may seek to
>> solve one problem (privacy?) and
>> inadvertently create many more.
>> since this group is fond of
>> analogies I'll contribute one
>> from the medical oath (not sure
>> if this is just U.S.) "first, do
>> no harm".
>>
>>
>> i'll close by saying I think
>> Allison's point about economic
>> value has merit. yes, the point
>> of the WG is not to protect
>> anyone's economic interest. I
>> agree 100% with that statement
>> and will disagree with anyone who
>> thinks the future of DomainTools
>> or other commercial service
>> should have one iota of impact on
>> this discussion. but I also
>> think "it's too expensive" or
>> "it's too hard" are weak and
>> dangerous excuses when dealing
>> with an issue like this which has
>> enormous and far reaching
>> consequences for the very mission
>> of ICANN around the security and
>> stability of our internet.
>>
>>
>> Tim
>>
>>
>> On Mon, Apr 24, 2017 at 3:50 PM,
>> allison nixon <elsakoo at gmail.com
>> <mailto:elsakoo at gmail.com>> wrote:
>>
>> Thanks for the documentation
>> in your earlier email. While
>> I understand that's how
>> things are supposed to work
>> in theory, it's not
>> implemented very widely, and
>> unless there is enforcement,
>> then it's unlikely to be
>> useful at all.
>>
>>
>>
>>
>> "as a given, we put ourselves
>> in a certain position in
>> terms of the actions we can
>> and cannot recommend. We can
>> make similar statements
>> focused on registry
>> operators, registrars, or any
>> other stakeholder in this
>> space. If we all approach
>> this WG's task with the goal
>> of not changing anything,
>> we're all just wasting our time."
>>
>> There are things that people
>> would be willing to change
>> about WHOIS. Changes purely
>> relating to the data format
>> would not be as
>> controversial. Changing to
>> that RDAP json format would
>> probably be an agreeable
>> point to most here.
>>
>>
>> There are two different major
>> points of contention here.
>> The first is the data format,
>> second is the creation of a
>> new monopoly and ceding power
>> to it. By monopoly I mean-
>> who are the gatekeepers of
>> "gated" access? Will it avoid
>> all of the problems that
>> monopolies are historically
>> prone to? Who will pay them?
>> It seems like a massive leap
>> of faith to commit to this
>> without knowing who we are
>> making the commitment to.
>>
>>
>>
>> "I do not believe it is this
>> WG's responsibility to
>> protect anyone's
>>
>> commercial services if those
>> things are basically in
>> response to
>> deficiencies in the existing
>> Whois protocol. "
>>
>>
>> From my understanding of past
>> ICANN working groups,
>> registrars have fought
>> against issues that would
>> have increased their costs.
>> And the destruction of useful
>> WHOIS results(or becoming
>> beholden to some new
>> monopoly) stand to incur far
>> more costs for far larger
>> industries. So this shouldn't
>> surprise you. If those
>> economic concerns are not
>> valid then I question why the
>> economic concerns of
>> registrars are valid.
>>
>>
>> If entire industries are
>> built around a feature you
>> would consider a
>> "deficiency", then your
>> opinion may solely be your
>> own. And I hope more
>> stakeholders in this
>> multi-stakeholder process
>> will come forward with their
>> own perspectives, as they
>> will differ from mine.
>>
>>
>>
>>
>>
>>
>> "Not trying to hamstring the
>> WG. Just asking if this is
>> not something that has
>> already been solved.."
>>
>> Hi Paul,
>>
>>
>> It's an interesting thought.
>> This document was recommended
>> to me as one that was
>> approved in the past by the
>> working group that outlined
>> what the resulting system
>> might look like. I'm still
>> learning and reading about
>> these working groups and what
>> they do, and this document is
>> massive.
>>
>>
>> https://www.icann.org/en/syste
>> m/files/files/final-report-06j
>> un14-en.pdf
>> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>
>>
>>
>> In the document, it says:
>> /"Central to the remit of the
>> EWG is the question of how to
>> design a system that
>> increases the accuracy of the
>> data collected while also
>> offering protections for
>> those Registrants seeking to
>> guard and maintain their
>> privacy."/
>>
>>
>> One of the things I notice is
>> that any talk about actually
>> increasing accuracy of whois
>> info- via enforcement- is
>> vigorously opposed in this
>> group, and it's merely
>> assumed that people will
>> supply better quality data
>> under the new system.
>>
>>
>> Throughout the document it
>> talks about use-cases and
>> features (whois history,
>> reverse query, etc), which
>> are indeed identical to the
>> features of the whois
>> aggregators of current day.
>> Such a system would replace
>> them. Will the service
>> quality be as good?
>>
>>
>> On page 63 it gets into
>> thoughts on who would be
>> "accredited" to access the
>> gated whois data. Every
>> proposed scenario seems to
>> recognize the resulting
>> system will need to handle a
>> large query volume from a
>> large number of people, and
>> one proposes accrediting
>> bodies which may accredit
>> organizations which may
>> accredit individuals. It even
>> proposes an abuse handling
>> system which is also
>> reminiscent in structure to
>> how abuse is handled
>> currently in our domain name
>> system. Many of these
>> proposed schemes appear to
>> mimic the ways that the
>> hosting industry and
>> registrar industry operate,
>> so we can expect that the
>> patterns of abuse will be
>> equally frequent, especially
>> if higher quality data is
>> supplied.
>>
>>
>> The proposed scenarios all
>> paint a picture of "gated"
>> access with very wide gates,
>> while simultaneously
>> representing to domain
>> purchasers that their data is
>> safe and privacy protected.
>> And this is supposed to
>> *reduce* the total number of
>> privacy violations? This
>> doesn't even appeal to me as
>> a consumer of this data.
>>
>>
>> Whoever sets up this system
>> also stands to inherit a lot
>> of money from the
>> soon-to-be-defunct whois
>> aggregation industry. They
>> would certainly win our
>> contract, because we would
>> have no choice. All domain
>> reputation services,
>> anti-spam, security research,
>> etc, efforts will all need to
>> pay up.
>>
>>
>>
>>
>> After being supplied with the
>> above document, I also saw a
>> copy of a rebuttal written by
>> a company that monitors
>> abusive domains. I strongly
>> agree with the sentiments in
>> this document and I do not
>> see evidence that those
>> concerns have received fair
>> consideration. While I do not
>> see this new gatekeeper as an
>> existential threat, I do see
>> it as a likely degradation in
>> the utility i do see from
>> whois. To be clear, we do not
>> do any business with this
>> company.
>>
>>
>> http://mm.icann.org/pipermail/
>> input-to-ewg/attachments/20130
>> 823/410038bb/LegitScriptCommen
>> tsonICANNEWGWhoisReplacementSt
>> ructure-0001.pdf
>> <http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf>
>>
>>
>>
>>
>> I also found John Bambenek's
>> point in a later thread to be
>> interesting- concentrating
>> WHOIS knowledge solely to one
>> organization allows the
>> country it resides in to use
>> it to support its
>> intelligence apparatus, for
>> example monitoring when its
>> espionage domains are queried
>> for, and targeting
>> researchers that query them
>> (since anonymous querying
>> will be revoked). Nation
>> states already use domains in
>> operations so this monopoly
>> is a perfect strategic data
>> reserve. The fact that this
>> system is pushed by privacy
>> advocates is indeed ironic.
>>
>>
>>
>>
>> None of those concerns appear
>> to have been addressed by
>> this group in any serious
>> capacity. Before the addition
>> of new members, I don't think
>> many people had the
>> backgrounds or skillsets to
>> even understand why they are
>> a concern. But I think this
>> is a discussion worth having
>> at this point in time for
>> this group.
>>
>>
>> On Mon, Apr 24, 2017 at 1:50
>> PM, Andrew Sullivan
>> <ajs at anvilwalrusden.com
>> <mailto:ajs at anvilwalrusden.com>>
>> wrote:
>>
>> Hi,
>>
>> On Mon, Apr 24, 2017 at
>> 07:25:47PM +0200, Paul
>> Keating wrote:
>> > Andrew,
>> >
>> > Thank you. That was
>> helpful.
>> >
>> > ""Given this
>> registrant, what other
>> > domains are
>> registered?" is a solved
>> problem, and has been
>> since the
>> > early 2000s.2
>> >
>> > This is also traceable
>> via alternative means
>> such as consistencies in
>> > various WHOIS fields
>> such as email, address,
>> name, etc.
>>
>> Well, sort of. The
>> email, address, and name
>> fields are _user_
>> supplied. So they come
>> from the other party to
>> the transaction. The
>> ROID is assigned by the
>> registry itself. So once
>> you have a match,
>> you know that you are
>> looking at the same
>> object, only the same
>> object, and all the same
>> object(s).
>>
>> Email addresses in
>> particular are guaranteed
>> unique in the world at
>> any given time (though
>> not guaranteed as unique
>> identifiers over
>> time), so they may be
>> useful for these
>> purposes. Take it from
>> someone
>> named "Andrew Sullivan",
>> however, that names are
>> pretty useless as
>> context-free identifiers :)
>>
>> > In reality finding out
>> answers to questions such as
>> > yours (above) requires
>> investigation using a
>> plethora of data.
>>
>> To be clear, finding out
>> the answer to what I
>> (meant to) pose(d)
>> requires no plethora of
>> data: it requires a
>> single query and access to
>> the right repository (the
>> registry). In some
>> theoretical system, the
>> correct underlying
>> database query would be
>> something like this:
>>
>> SELECT domain_roid,
>> domain_name FROM domains
>> WHERE registrant_roid = ?;
>>
>> and you put the correct
>> ROID in where the
>> question mark is, and off
>> you go. That will give
>> you the list of all the
>> domain names, and
>> their relevant ROIDs,
>> registered by a given
>> registrant contact. At
>> least one registry with
>> which I am familiar once
>> had a WHOIS feature
>> that allowed something
>> close to the above, only
>> it would stop after
>> some number of domains so
>> as not to return too much
>> data. I think the
>> default was therefore
>> LIMIT 50, but I also
>> think the feature was
>> eventually eliminated
>> about the time that the
>> ICANN community rejected
>> IRIS as an answer to "the
>> whois problem".
>>
>> What the above will of
>> course not do is help you
>> in the event Bob The
>> Scammer has created
>> dozens of different
>> contacts for himself by (say)
>> registering names through
>> many different
>> registrars. I do not believe
>> that any registry is
>> going to support such a
>> use at least without
>> access controls, because
>> it can be expensive to
>> answer such things.
>> So, what you understood
>> me to be asking, I think,
>> is the question I
>> did _not_ ask: given this
>> human being or
>> organization, what other
>> domains are registered?"
>> That does require a lot
>> of different data,
>> and it requires
>> cross-organizational
>> searches, and it requires
>> sussing
>> out when someone has lied
>> also. Such research is, I
>> agree, completely
>> outside the scope of what
>> any technical system will
>> ever be able to
>> offer reliably.
>>
>> > An entire
>> > industry exists for
>> this purpose and I don1t
>> think we should be
>> > considering replacing
>> what has already been
>> existing in the cyber
>> security
>> > marketplace.
>>
>> I do not believe it is
>> this WG's responsibility
>> to protect anyone's
>> commercial services if
>> those things are
>> basically in response to
>> deficiencies in the
>> existing Whois protocol.
>> In this case, however,
>> that's not the problem.
>> Linking data in multiple
>> databases to a given
>> real-world human being is
>> hard even in systems
>> without competition and
>> multiple points of
>> access. It's always
>> going to require researchers
>> for the domain name system.
>>
>> Best regards.
>>
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs at anvilwalrusden.com
>> <mailto:ajs at anvilwalrusden.com>
>> ______________________________
>> _________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/l
>> istinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>>
>> --
>>
>> ______________________________
>> ___
>> Note to self: Pillage BEFORE
>> burning.
>>
>>
>> ______________________________
>> _________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/l
>> istinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>>
>> ______________________________
>> _________________
>>
>>
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/l
>> istinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>>
>> ______________________________
>> _________________
>>
>>
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/
>> listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>> _______________________________________________
>>
>> gnso-rds-pdp-wg mailing list
>>
>> gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>> --
>>
>> Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
>>
>>
>>
>> Mit freundlichen Grüßen,
>>
>>
>>
>> Volker A. Greimann
>>
>> - Rechtsabteilung -
>>
>>
>>
>> Key-Systems GmbH
>>
>> Im Oberen Werk 1
>>
>> 66386 St. Ingbert
>>
>> Tel.:+49 (0) 6894 - 9396 901 <tel:+49%206894%209396901>
>>
>> Fax.:+49 (0) 6894 - 9396 851 <tel:+49%206894%209396851>
>>
>> Email:vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>
>>
>>
>>
>> Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net>
>>
>> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>
>>
>>
>>
>> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
>>
>> www.facebook.com/KeySystems
>> <http://www.facebook.com/KeySystems>
>>
>> www.twitter.com/key_systems
>> <http://www.twitter.com/key_systems>
>>
>>
>>
>> Geschäftsführer: Alexander Siffrin
>>
>> Handelsregister Nr.: HR B 18835 - Saarbruecken
>>
>> Umsatzsteuer ID.: DE211006534
>>
>>
>>
>> Member of the KEYDRIVE GROUP
>>
>> www.keydrive.lu <http://www.keydrive.lu>
>>
>>
>>
>> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
>>
>>
>>
>> --------------------------------------------
>>
>>
>>
>> Should you have any further questions, please do not hesitate to contact us.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Volker A. Greimann
>>
>> - legal department -
>>
>>
>>
>> Key-Systems GmbH
>>
>> Im Oberen Werk 1
>>
>> 66386 St. Ingbert
>>
>> Tel.:+49 (0) 6894 - 9396 901 <tel:+49%206894%209396901>
>>
>> Fax.:+49 (0) 6894 - 9396 851 <tel:+49%206894%209396851>
>>
>> Email:vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>
>>
>>
>>
>> Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net>
>>
>> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>
>>
>>
>>
>> Follow us on Twitter or join our fan community on Facebook and stay updated:
>>
>> www.facebook.com/KeySystems
>> <http://www.facebook.com/KeySystems>
>>
>> www.twitter.com/key_systems
>> <http://www.twitter.com/key_systems>
>>
>>
>>
>> CEO: Alexander Siffrin
>>
>> Registration No.: HR B 18835 - Saarbruecken
>>
>> V.A.T. ID.: DE211006534
>>
>>
>>
>> Member of the KEYDRIVE GROUP
>>
>> www.keydrive.lu <http://www.keydrive.lu>
>>
>>
>>
>> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
> _______________________________________________ gnso-rds-pdp-wg
> mailing list gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170427/612fee4f/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list