[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
John Bambenek
jcb at bambenekconsulting.com
Thu Apr 27 21:16:28 UTC 2017
1) Yes, I am aware of the registrar-only party some want to have, but
ICANN is a multistakeholder group and we get a say.
2) We are aware of who gets fines.
3) You are saying gated access will work for us but seem to ignore us
when we tell you it won't.
4) You have not established that you WILL be fined.
5) We are also working on thinking outside the box.
The lack of toleration for other points of view from some on this list
has lead to this exact situation. You're free to call it bickering, I'd
like to call it "Defending my point of view".
On 4/27/2017 4:11 PM, Chris Pelling wrote:
> With risk of being removed from this WG, I will say the following,
> this is not directed at anyone but the group as a whole. I will also
> risk the wrath of registrars/registries tomorrow (or tonight depending
> on who reads this that is).
>
> Today this group has done a great disservice, the constant back and
> fourth of bickering - yes bickering has lead to one person requesting
> to being removed, someone who I do have a great respect for who thinks
> outside the box to fix a solution like I do. Constant badgering
> really is not going to get this group further as the "people" (read
> for definition : Registrars) who have to collect this information are
> the ones that will ultimately get a fine, not "data harvesters"
> DomainTools (Paul Keating) or LegitScript (their WHOIS collection
> service - John Horton) or the "anti-abuse" people (Allison Nixon /
> John Bambenek) but the registrar.
>
> So, gated access which would allow (as long as they can pass all the
> requirements) access to the "thick" whois data (to be determined mind
> you) would satisfy Allison, Legitscript and John side of the table -
> it might mean you have to login to something - but hey its a simple
> extra step once allowed. If you feel you might not be allowed then
> this could be your argument - if so, explain. Remember gated access
> is not a harvesting service and would I suggest be a GUI allowing
> access to the record you are "investigating".
>
> The likes of data harvesters, well, sorry but whois was not built for
> you to make money from, I do not pay my bandwidth bills for you to
> waste my cash. If you have a legitimate reason (and harvesting for
> sale which is what it is isn’t one of them) then explain.
>
> Personally a consideration might be to allow the RDS system to hold
> archived records (maybe thin or maybe thick) for legitimate use by the
> law enforcement peops that require it.
>
> Just a last note - I won't break my local law or any other law that I
> am under (because of where I trade or have office) to facilitate this
> group - you won't pay my fine, or as in Turkey take my jail time - end of.
>
> Apologies if I have put anyone's nose out - no doubt Ill find out shortly.
>
> Kind regards,
>
> Chris
>
> ------------------------------------------------------------------------
> *From: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *To: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *Sent: *Thursday, 27 April, 2017 21:39:25
> *Subject: *Re: [gnso-rds-pdp-wg] international law enforcement
> association resolution regarding domain registration data
>
> We can go back and forth but the US has data protection laws... unless
> we are talking distribution of credit card info, I'm hard pressed to
> think which ones apply to the question of who is allowed to access
> whois information.
>
> And yes, I'm sure the UN guy is busy, as we all are, but the point
> remains, you had a discussion and you both came away learning
> something I bet. And I bet, that once exposed to us, they'd learn
> something different. That was the only point I believe Allison
> intended to make.
>
>
> On 4/27/2017 3:36 PM, Ayden Férdeline wrote:
>
> Hi Allison,
>
> * I like to think that I keep busy, but I’m happy to admit that
> the UN Special Rapporteur on the Right to Privacy is a far,
> far busier man than I am. I am very grateful that he, and the
> other Data Protection Commissioners, found the time to engage
> with us in Copenhagen given their many other engagements.
> * The idea that it is only Europe which has privacy laws has
> been widely debunked; three times on this list just today.
> * The "gatekeeper" can only release information that they hold.
> This is precisely why the only data that should be collected
> is that which is relevant and necessary for the purposes in
> which it is processed, and retained for only so long as is
> absolutely necessary.
>
> Best wishes,
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>
> -------- Original Message --------
> Subject: Re: [gnso-rds-pdp-wg] international law enforcement
> association resolution regarding domain registration data
> Local Time: 27 April 2017 6:47 PM
> UTC Time: 27 April 2017 17:47
> From: elsakoo at gmail.com
> To: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
> RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>
> I'm sure everyone's schedules are quite busy, and they will
> manage.
>
> We need a proper legal authority here because it's potentially
> falsely being presumed that the use of WHOIS data is illegal
> and noncompliant in the first place. We simply do not know if
> that is a factual premise. We also need to take into account
> laws other than the EU privacy laws, and laws outside the EU.
> A number of exemptions exist within these privacy laws and
> those people throwing around the legal arguments accusing this
> of being illegal don't seem to ever mention that fact. We need
> an unbiased legal expert.
>
> What if a country is trying to enforce a law that is deemed
> distasteful (violates human rights, etc), and their registrant
> is located within the country? does the gatekeeper have
> grounds to deny them the ability to enforce their own laws
> against their own people, and if so when?
>
> How does WHOIS play into other areas of compliance, such as
> know-your-customer, complying with sanctions, anti-money
> laundering, HIPPAA, PCI, etc? Is complying to one law more
> important than complying to another, if one had to choose?
>
> Will the gatekeeper comply with anti-trust laws?
>
> How does privacy law prohibit information collection on
> registrants yet collect detailed PII info on queriers and
> subject them to audit? What happens if the gatekeeper is
> hacked into for those audit logs? What happens if the
> gatekeeper receives a national security letter?
>
> All of these are legal questions that need to be answered
> without bias and with full understanding of the facts.
>
>
>
>
>
> On Thu, Apr 27, 2017 at 12:42 PM, Stephanie Perrin
> <stephanie.perrin at mail.utoronto.ca
> <mailto:stephanie.perrin at mail.utoronto.ca>> wrote:
>
> And we need to have a lengthy discussion about precisely
> who that legal expert might be. It appears that many of
> our members are prepared to reject the views of the Data
> Protection Authorities themselves, who took the time out
> of their extraordinarily busy schedules to come and speak
> with us in Copenhagen.
>
> Stephanie Perrin
>
>
> On 2017-04-27 09:14, Gomes, Chuck via gnso-rds-pdp-wg wrote:
>
> We as a WG have not requested funds for a legal
> expert, but I don’t know what staff has built into the
> Draft FY18 budget.
>
>
>
> Marika – Did the Policy Team build any funds into the
> Draft FY18 budget for legal experts?
>
>
>
> Note that this is a very time sensitive issue because
> the comment period on the Draft FY18 Operating Plan
> and Budget ends tomorrow.
>
>
>
> Lisa/Marika/Amr – Please prepare a draft comment on
> the Budget that the Leadership Team or me as Chair
> could send on Friday in this regard. If funds have
> not been proposed for such expenses, I think we should
> at a minimum raise the issue in the public comment
> forum even if there is not time to propose specific
> details.
>
>
>
> Chuck
>
>
>
>
> *From:*gnso-rds-pdp-wg-bounces at icann.org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>
> [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On Behalf
> Of *Paul Keating
> *Sent:* Thursday, April 27, 2017 7:55 AM
> *To:* Greg Shatan <gregshatanipc at gmail.com>
> <mailto:gregshatanipc at gmail.com>; Volker Greimann
> <vgreimann at key-systems.net>
> <mailto:vgreimann at key-systems.net>
> *Cc:* RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> <mailto:gnso-rds-pdp-wg at icann.org>
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg]
> international law enforcement association resolution
> regarding domain registration data
>
>
>
> Has the WG requested funds to retain a legal expert to
> educate us on the actual laws at issue?
>
>
>
> *From: *<gnso-rds-pdp-wg-bounces at icann.org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf
> of Greg Shatan <gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>>
> *Date: *Thursday, April 27, 2017 at 12:38 AM
> *To: *Volker Greimann <vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>>
> *Cc: *RDS PDP WG <gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>>
> *Subject: *Re: [gnso-rds-pdp-wg] international law
> enforcement association resolution regarding domain
> registration data
>
>
>
> We also need to be very clear about the limits of
> the legal requirements of applicable law, and the
> various options available for dealing with the
> law. There's no need to overcomply. Indeed it
> would be quite unreasonable to do so.
>
>
>
> Just as paying the lowest calculable income tax is
> perfectly legitimate, so is complying with the law
> in the least disruptive way possible.
>
>
>
> Greg
>
>
> *Greg Shatan
> *C: 917-816-6428 <tel:%28917%29%20816-6428>
> S: gsshatan
> Phone-to-Skype: 646-845-9428
> <tel:%28646%29%20845-9428>
> gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>
>
>
>
> On Wed, Apr 26, 2017 at 1:06 PM, Volker Greimann
> <vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>> wrote:
>
> I wish it were so simple. "Doing harm" is not
> necessary to be in violation with applicable
> law. Just like jaywalking, speeding on an
> empty road or crossing a red light carries a
> fine regardless of whether harm was done,
> privacy law too does not care about an actual
> harm.
>
> We need to be very clear about the legal
> requirements when we define the limits of what
> can be done with the data we collect, and by
> whom.
>
> Volker
>
>
>
> Am 26.04.2017 um 18:43 schrieb John Horton:
>
> Greg, well said. And Tim, well said. And
> I'll strongly +1 Michael Hammer as well. I
> agree with the "do no harm" philosophy --
> I'm not convinced that some of the
> proposed changes (e.g., those outlined in
> the EWG report) wouldn't cause more harm
> than the existing, admittedly imperfect,
> system. As I've said before, the
> importance of tools like Reverse Whois
> isn't only direct -- it's derivative as
> well. (If you enjoy the benefits of those
> of us who fight payment fraud, online
> abuse and other sorts of malfeasance, you
> have reverse Whois among other tools to
> thank.) Privacy laws in one part of the
> world are a factor we need to be aware of,
> among other factors.
>
>
>
> On Wed, Apr 26, 2017 at 9:07 AM nathalie
> coupet via gnso-rds-pdp-wg
> <gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>> wrote:
>
> +1
>
>
>
> Nathalie
>
>
>
> On Wednesday, April 26, 2017 12:02 PM,
> Victoria Sheckler <vsheckler at riaa.com
> <mailto:vsheckler at riaa.com>> wrote:
>
>
>
> +1
>
> Sent from my iPhone
>
>
> On Apr 26, 2017, at 8:56 AM, Greg
> Shatan <gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>> wrote:
>
> Thanks for weighing in, Tim.
> Since this is a
> multistakeholder process, everyone
> is assumed to come in with a point
> of view, so don't be shy. At the
> same time, if stakeholders cling
> dogmatically to their points of
> view the multistakeholder model
> doesn't work.
>
>
>
> As for being out on a limb:
>
> * We haven't decided what data
> will be "private" and for
> which registrants (e.g., based
> on geography or entity status)
> * We haven't decided there will
> be "gated" access and what
> that might mean, both for
> policy and practicality
> * The question shouldn't be
> whether we will be "allowing
> third parties access to
> harvest, repackage and
> republish that data," but how
> we should allow this in a way
> that balances various
> concerns. Eliminating reverse
> Whois and other such services
> is not a goal of this Working
> Group.
>
> Our job should be to provide the
> greatest possible access to the
> best possible data, consistent
> with minimizing risk under
> reasonable interpretations of
> applicable law. We need to deal
> with existing and incoming privacy
> laws (and with other laws) as
> well, but not in a worshipful
> manner; instead it should be in a
> solution-oriented manner. This is
> not, after all, the Privacy
> Working Group. I'll +1 Michael
> Hammer: Rather than starting from
> a model of justifying everything
> and anything from a privacy
> perspective, I would suggest that
> it would be much more appropriate,
> other than technical changes such
> as moving towards using JSON, to
> require justification and
> consensus for any changes from the
> existing model(s) of WHOIS.
>
>
>
> Finally, while our purpose is not
> to maintain anyone's economic
> interest, economic interests may
> well be aligned with policy
> interests. Assuming that economic
> interests are at odds with policy
> interests is just as dangerous as
> assuming that policy interests are
> served by maximizing economic
> interests.
>
>
>
> Greg
>
>
> *Greg Shatan
> *C: 917-816-6428
> <tel:%28917%29%20816-6428>
> S: gsshatan
> Phone-to-Skype: 646-845-9428
> <tel:%28646%29%20845-9428>
> gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>
>
>
>
> On Wed, Apr 26, 2017 at 11:28 AM,
> Dotzero <dotzero at gmail.com
> <mailto:dotzero at gmail.com>> wrote:
>
> Adding to what Tim and Allison
> wrote.
>
> As a starting point, I've had
> an account with DomainTools in
> the past and will likely have
> one in the future, although I
> don't currently have one.
>
> There are other organizations
> and individuals which
> consume/aggregate whois data
> so I don't think that for the
> purposes of this discussion
> the focus should be on just
> DomainTools. I know
> researchers and academics who
> use this data to analyze all
> sorts of things. As has been
> pointed out, there are all
> sorts of folks staking out
> positions because of their
> economic (and other) interests
> without necessarily being
> transparent about those
> interests.
>
> It should be remembered that
> the Internet is an
> agglomeration of many networks
> and resources, some public and
> some private. At the same
> time, it is simply a bunch of
> technical standards that
> people and organizations have
> agreed to use to interact with
> each other. In many cases, the
> ultimate solution to abuse is
> to drop route. To the extent
> that good and granular
> information is not readily
> available, regular (innocent)
> users may suffer as owners and
> administrators of resources
> act to protect those resources
> and their legitimate users
> from abuse and maliciousness.
> The reality is that most users
> of the internet utilize a
> relatively small subset of all
> the resources out there. For
> some, a service like Facebook
> IS the Internet.
>
> It may also incite a tendency
> towards returning to a model
> of walled gardens. At various
> points I have heard
> discussions about the
> balkanization of the internet,
> with things like separate
> roots, etc. People should
> think very carefully about
> what they are asking for
> because they may not be happy
> with it if they actually get it.
>
> Rather than starting from a
> model of justifying everything
> and anything from a privacy
> perspective, I would suggest
> that it would be much more
> appropriate, other than
> technical changes such as
> moving towards using JSON, to
> require justification and
> consensus for any changes from
> the existing model(s) of WHOIS.
>
> Michael Hammer
>
> On Wed, Apr 26, 2017 at 10:27
> AM, allison nixon
> <elsakoo at gmail.com
> <mailto:elsakoo at gmail.com>> wrote:
>
> Thank you for your email Tim.
>
> Full disclosure(because I
> believe in being
> transparent about this
> sort of thing), we do
> business with Domaintools
> and use their tools to
> consume whois data.
>
> "i'll close by saying I
> think Allison's point
> about economic value has
> merit. yes, the point of
> the WG is not to protect
> anyone's economic
> interest. I agree 100%
> with that statement and
> will disagree with anyone
> who thinks the future of
> DomainTools or other
> commercial service should
> have one iota of impact on
> this discussion."
>
> I will however disagree
> vehemently with you on
> this point. It is obvious
> that many of the arguments
> to cut off anonymous
> querying to WHOIS data are
> economically motivated.
> Financial concerns are
> cited numerous times in
> approved documents. I also
> believe the "vetting"
> process is likely to
> become a new revenue
> stream for someone as
> well. A revenue stream
> with HIGHLY questionable
> privacy value-add.
>
> Every dollar of income for
> the Domaintools company
> and others like it come
> from their clients, who
> see a multiplier of value
> from it. That means for
> every dollar spent on the
> entire whois aggregator
> industry means that a much
> larger amount of money is
> saved through prevented
> harms like fraud, abuse,
> and even fake medications
> which kill people.
>
> I think it is extremely
> important to identify what
> critical systems rely on
> whois (either directly or
> downstream), and determine
> if we are ready to give up
> the utility of these systems.
>
> We also need to identify
> the value of the ability
> to anonymously query whois
> and what that loss of
> privacy will mean as well.
> While I obviously do not
> make many queries
> anonymously(although our
> vendor has their own
> privacy policy), I
> understand this is
> important especially to
> those researching more
> dangerous actors. Why
> would $_COUNTRY dissidents
> want to query domains when
> their opponents would
> surely be hacking into the
> audit logs for this?
>
>
>
> On Apr 25, 2017 11:41 PM,
> "Chen, Tim"
> <tim at domaintools.com
> <mailto:tim at domaintools.com>>
> wrote:
>
> "And I hope more
> stakeholders in this
> multi-stakeholder
> process will come
> forward with their own
> perspectives, as they
> will differ from mine."
>
>
>
> happy to do so.
> DomainTools is clearly
> a stakeholder in this
> debate. and we have a
> fair amount of
> experience around the
> challenges, benefits
> and risks of whois
> data aggregation at
> scale.
>
>
>
> from the beginning of
> this EWG/RDS idea
> we've stood down bc i
> didn't believe our
> opinion would be seen
> as objective-enough
> given our line of
> business. but it is
> apparent to me having
> followed this debate
> for many weeks now,
> that this is a working
> group of individuals
> who all bring their
> own biases into the
> debate. whether they
> care to admit that to
> themselves or not. so
> we might as well wade
> in too. bc I think
> our experience is very
> relevant to the
> discussion.
>
>
>
> i'll do my best to be
> as objective as I can,
> as a domain registrant
> myself and as an
> informed industry
> participant.
>
>
>
> since our experience
> is working with
> security minded
> organizations, that is
> the context with which
> I will comment.
>
>
>
> since this is an ICANN
> working group, I start
> with the ICANN mission
> statement around the
> security and stability
> of the DNS. I find
> myself wanting to fit
> this debate to that as
> the north star. i do
> not see the RDS as
> purpose driven to fit
> the GDPR or any
> region-specific legal
> resolution. but I do
> see those as important
> inputs to our discussion.
>
>
>
> from a security
> perspective, my
> experience is that the
> benefits of the
> current Whois model,
> taken with this lens,
> far outweigh the
> costs. again, I can
> only speak from my
> experience here at
> DomainTools, and
> obviously under the
> current Whois regime.
> This is not to say it
> cannot be improved.
> From a data accuracy
> perspective alone
> there is enormous room
> for improvement as I
> think we can all
> agree. every day I
> see the tangible
> benefits to security
> interests, which for
> the most part are
> "doing good", from the
> work that we do. when
> I compare that to the
> complaints that we get
> bc "my PII is visible
> in your data", it's
> not even close by my
> value barometer (which
> my differ from
> others'). this is
> relevant bc any future
> solution will be
> imperfect as I have
> mentioned before. as
> Allison and others
> point out we need to
> measure the harm done
> by any new system that
> may seek to solve one
> problem (privacy?) and
> inadvertently create
> many more. since this
> group is fond of
> analogies I'll
> contribute one from
> the medical oath (not
> sure if this is just
> U.S.) "first, do no harm".
>
>
>
> i'll close by saying I
> think Allison's point
> about economic value
> has merit. yes, the
> point of the WG is not
> to protect anyone's
> economic interest. I
> agree 100% with that
> statement and will
> disagree with anyone
> who thinks the future
> of DomainTools or
> other commercial
> service should have
> one iota of impact on
> this discussion. but
> I also think "it's too
> expensive" or "it's
> too hard" are weak and
> dangerous excuses when
> dealing with an issue
> like this which has
> enormous and far
> reaching consequences
> for the very mission
> of ICANN around the
> security and stability
> of our internet.
>
>
>
> Tim
>
>
>
> On Mon, Apr 24, 2017
> at 3:50 PM, allison
> nixon
> <elsakoo at gmail.com
> <mailto:elsakoo at gmail.com>>
> wrote:
>
> Thanks for the
> documentation in
> your earlier
> email. While I
> understand that's
> how things are
> supposed to work
> in theory, it's
> not implemented
> very widely, and
> unless there is
> enforcement, then
> it's unlikely to
> be useful at all.
>
>
>
>
>
>
>
> "as a given, we
> put ourselves in a
> certain position
> in terms of the
> actions we can and
> cannot recommend.
> We can make
> similar statements
> focused on
> registry
> operators,
> registrars, or any
> other stakeholder
> in this space. If
> we all approach
> this WG's task
> with the goal of
> not changing
> anything, we're
> all just wasting
> our time."
>
> There are things
> that people would
> be willing to
> change about
> WHOIS. Changes
> purely relating to
> the data format
> would not be as
> controversial.
> Changing to that
> RDAP json format
> would probably be
> an agreeable point
> to most here.
>
>
>
> There are two
> different major
> points of
> contention here.
> The first is the
> data format,
> second is the
> creation of a new
> monopoly and
> ceding power to
> it. By monopoly I
> mean- who are the
> gatekeepers of
> "gated" access?
> Will it avoid all
> of the problems
> that monopolies
> are historically
> prone to? Who will
> pay them? It seems
> like a massive
> leap of faith to
> commit to this
> without knowing
> who we are making
> the commitment to.
>
>
>
>
>
> "I do not believe
> it is this WG's
> responsibility to
> protect anyone's
>
> commercial
> services if those
> things are
> basically in
> response to
> deficiencies in
> the existing Whois
> protocol. "
>
>
>
> From my
> understanding of
> past ICANN working
> groups, registrars
> have fought
> against issues
> that would have
> increased their
> costs. And the
> destruction of
> useful WHOIS
> results(or
> becoming beholden
> to some new
> monopoly) stand to
> incur far more
> costs for far
> larger industries.
> So this shouldn't
> surprise you. If
> those economic
> concerns are not
> valid then I
> question why the
> economic concerns
> of registrars are
> valid.
>
>
>
> If entire
> industries are
> built around a
> feature you would
> consider a
> "deficiency", then
> your opinion may
> solely be your
> own. And I hope
> more stakeholders
> in this
> multi-stakeholder
> process will come
> forward with their
> own perspectives,
> as they will
> differ from mine.
>
>
>
>
>
>
>
>
>
>
>
> "Not trying to
> hamstring the WG.
> Just asking if
> this is not
> something that has
> already been solved.."
>
> Hi Paul,
>
>
>
> It's an
> interesting
> thought. This
> document was
> recommended to me
> as one that was
> approved in the
> past by the
> working group that
> outlined what the
> resulting system
> might look like.
> I'm still learning
> and reading about
> these working
> groups and what
> they do, and this
> document is massive.
>
>
>
> https://www.icann.org/en/syste
> m/files/files/final-report-06j
> un14-en.pdf
> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>
>
>
>
> In the document,
> it says: /"Central
> to the remit of
> the EWG is the
> question of how to
> design a system
> that increases the
> accuracy of the
> data collected
> while also
> offering
> protections for
> those
> Registrants seeking
> to guard and
> maintain their
> privacy."/
>
>
>
> One of the things
> I notice is that
> any talk about
> actually
> increasing
> accuracy of whois
> info- via
> enforcement- is
> vigorously opposed
> in this group, and
> it's merely
> assumed that
> people will supply
> better quality
> data under the new
> system.
>
>
>
> Throughout the
> document it talks
> about use-cases
> and features
> (whois history,
> reverse query,
> etc), which are
> indeed identical
> to the features of
> the whois
> aggregators of
> current day. Such
> a system would
> replace them. Will
> the service
> quality be as good?
>
>
>
> On page 63 it gets
> into thoughts on
> who would be
> "accredited" to
> access the gated
> whois data. Every
> proposed scenario
> seems to recognize
> the resulting
> system will need
> to handle a large
> query volume from
> a large number of
> people, and one
> proposes
> accrediting bodies
> which may accredit
> organizations
> which may accredit
> individuals. It
> even proposes an
> abuse handling
> system which is
> also
> reminiscent in
> structure to how
> abuse is handled
> currently in our
> domain name
> system. Many of
> these proposed
> schemes appear to
> mimic the ways
> that the hosting
> industry and
> registrar industry
> operate, so we can
> expect that the
> patterns of abuse
> will be equally
> frequent,
> especially if
> higher quality
> data is supplied.
>
>
>
> The proposed
> scenarios all
> paint a picture of
> "gated" access
> with very wide
> gates, while
> simultaneously
> representing to
> domain purchasers
> that their data is
> safe and privacy
> protected. And
> this is supposed
> to *reduce* the
> total number of
> privacy
> violations? This
> doesn't even
> appeal to me as a
> consumer of this data.
>
>
>
> Whoever sets up
> this system also
> stands to inherit
> a lot of money
> from the
> soon-to-be-defunct
> whois aggregation
> industry. They
> would certainly
> win our contract,
> because we would
> have no choice.
> All domain
> reputation
> services,
> anti-spam,
> security research,
> etc, efforts will
> all need to pay up.
>
>
>
>
>
>
>
> After being
> supplied with the
> above document, I
> also saw a copy of
> a rebuttal written
> by a company that
> monitors abusive
> domains. I
> strongly agree
> with the
> sentiments in this
> document and I do
> not see evidence
> that those
> concerns have
> received fair
> consideration.
> While I do not see
> this new
> gatekeeper as an
> existential
> threat, I do see
> it as a likely
> degradation in the
> utility i do see
> from whois. To be
> clear, we do not
> do any business
> with this company.
>
>
>
> http://mm.icann.org/pipermail/
> input-to-ewg/attachments/20130
> 823/410038bb/LegitScriptCommen
> tsonICANNEWGWhoisReplacementSt
> ructure-0001.pdf
> <http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf>
>
>
>
>
>
>
>
> I also found John
> Bambenek's point
> in a later thread
> to be interesting-
> concentrating
> WHOIS knowledge
> solely to one
> organization
> allows the country
> it resides in to
> use it to support
> its intelligence
> apparatus, for
> example monitoring
> when its espionage
> domains are
> queried for, and
> targeting
> researchers that
> query them (since
> anonymous querying
> will be revoked).
> Nation states
> already use
> domains in
> operations so this
> monopoly is a
> perfect strategic
> data reserve. The
> fact that this
> system is pushed
> by privacy
> advocates is
> indeed ironic.
>
>
>
>
>
>
>
> None of those
> concerns appear to
> have been
> addressed by this
> group in any
> serious capacity.
> Before the
> addition of new
> members, I don't
> think many people
> had the
> backgrounds or
> skillsets to even
> understand why
> they are a
> concern. But I
> think this is a
> discussion worth
> having at this
> point in time for
> this group.
>
>
>
> On Mon, Apr 24,
> 2017 at 1:50 PM,
> Andrew Sullivan
> <ajs at anvilwalrusden.com
> <mailto:ajs at anvilwalrusden.com>>
> wrote:
>
> Hi,
>
> On Mon, Apr
> 24, 2017 at
> 07:25:47PM
> +0200, Paul
> Keating wrote:
> > Andrew,
> >
> > Thank you.
> That was helpful.
> >
> > ""Given this
> registrant,
> what other
> > domains are
> registered?"
> is a solved
> problem, and
> has been since the
> > early 2000s.²
> >
> > This is also
> traceable via
> alternative
> means such as
> consistencies in
> > various
> WHOIS fields
> such as email,
> address, name,
> etc.
>
> Well, sort
> of. The
> email,
> address, and
> name fields
> are _user_
> supplied. So
> they come from
> the other
> party to the
> transaction. The
> ROID is
> assigned by
> the registry
> itself. So
> once you have
> a match,
> you know that
> you are
> looking at the
> same object,
> only the same
> object, and
> all the same
> object(s).
>
> Email
> addresses in
> particular are
> guaranteed
> unique in the
> world at
> any given time
> (though not
> guaranteed as
> unique
> identifiers over
> time), so they
> may be useful
> for these
> purposes.
> Take it from
> someone
> named "Andrew
> Sullivan",
> however, that
> names are
> pretty useless as
> context-free
> identifiers :)
>
> > In reality
> finding out
> answers to
> questions such as
> > yours
> (above)
> requires
> investigation
> using a
> plethora of data.
>
> To be clear,
> finding out
> the answer to
> what I (meant
> to) pose(d)
> requires no
> plethora of
> data: it
> requires a
> single query
> and access to
> the right
> repository
> (the
> registry). In
> some
> theoretical
> system, the
> correct
> underlying
> database query
> would be
> something like
> this:
>
> SELECT
> domain_roid,
> domain_name
> FROM domains
> WHERE
> registrant_roid
> = ?;
>
> and you put
> the correct
> ROID in where
> the question
> mark is, and off
> you go. That
> will give you
> the list of
> all the domain
> names, and
> their relevant
> ROIDs,
> registered by
> a given
> registrant
> contact. At
> least one
> registry with
> which I am
> familiar once
> had a WHOIS
> feature
> that allowed
> something
> close to the
> above, only it
> would stop after
> some number of
> domains so as
> not to return
> too much
> data. I think the
> default was
> therefore
> LIMIT 50, but
> I also think
> the feature was
> eventually
> eliminated
> about the time
> that the ICANN
> community rejected
> IRIS as an
> answer to "the
> whois problem".
>
> What the above
> will of course
> not do is help
> you in the
> event Bob The
> Scammer has
> created dozens
> of different
> contacts for
> himself by (say)
> registering
> names through
> many different
> registrars. I
> do not believe
> that any
> registry is
> going to
> support such a
> use at least
> without
> access
> controls,
> because it can
> be expensive
> to answer such
> things.
> So, what you
> understood me
> to be asking,
> I think, is
> the question I
> did _not_ ask:
> given this
> human being or
> organization,
> what other
> domains are
> registered?"
> That does
> require a lot
> of different data,
> and it
> requires
> cross-organizational
> searches, and
> it requires
> sussing
> out when
> someone has
> lied also.
> Such research
> is, I agree,
> completely
> outside the
> scope of what
> any technical
> system will
> ever be able to
> offer reliably.
>
> > An entire
> > industry
> exists for
> this purpose
> and I don¹t
> think we should be
> > considering
> replacing what
> has already
> been existing
> in the cyber
> security
> > marketplace.
>
> I do not
> believe it is
> this WG's
> responsibility
> to protect
> anyone's
> commercial
> services if
> those things
> are basically
> in response to
> deficiencies
> in the
> existing Whois
> protocol. In
> this case,
> however,
> that's not the
> problem.
> Linking data
> in multiple
> databases to a
> given
> real-world
> human being is
> hard even in
> systems
> without
> competition and
> multiple
> points of
> access. It's
> always going
> to require
> researchers
> for the domain
> name system.
>
> Best regards.
>
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> <mailto:ajs at anvilwalrusden.com>
> ______________________________
> _________________
> gnso-rds-pdp-wg
> mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
> --
>
> ______________________________
> ___
> Note to self:
> Pillage BEFORE
> burning.
>
>
> ______________________________
> _________________
> gnso-rds-pdp-wg
> mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
>
> ______________________________
> _________________
>
>
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
> ______________________________
> _________________
>
>
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/
> listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> --
>
> Bei weiteren Fragen stehen wir Ihnen gerne zur
> Verfügung.
>
>
>
> Mit freundlichen Grüßen,
>
>
>
> Volker A. Greimann
>
> - Rechtsabteilung -
>
>
>
> Key-Systems GmbH
>
> Im Oberen Werk 1
>
> 66386 St. Ingbert
>
> Tel.: +49 (0) 6894 - 9396 901
> <tel:+49%206894%209396901>
>
> Fax.: +49 (0) 6894 - 9396 851
> <tel:+49%206894%209396851>
>
> Email: vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>
>
>
>
> Web: www.key-systems.net
> <http://www.key-systems.net> /
> www.RRPproxy.net
> <http://www.RRPproxy.net>www.domaindiscount24.com
> <http://www.domaindiscount24.com> /
> www.BrandShelter.com <http://www.BrandShelter.com>
>
>
>
> Folgen Sie uns bei Twitter oder werden Sie
> unser Fan bei Facebook:
>
> www.facebook.com/KeySystems
> <http://www.facebook.com/KeySystems>www.twitter.com/key_systems
> <http://www.twitter.com/key_systems>
>
>
>
> Geschäftsführer: Alexander Siffrin
>
> Handelsregister Nr.: HR B 18835 - Saarbruecken
>
> Umsatzsteuer ID.: DE211006534
>
>
>
> Member of the KEYDRIVE GROUP
>
> www.keydrive.lu <http://www.keydrive.lu>
>
>
>
> Der Inhalt dieser Nachricht ist vertraulich
> und nur für den angegebenen Empfänger
> bestimmt. Jede Form der Kenntnisgabe,
> Veröffentlichung oder Weitergabe an Dritte
> durch den Empfänger ist unzulässig. Sollte
> diese Nachricht nicht für Sie bestimmt sein,
> so bitten wir Sie, sich mit uns per E-Mail
> oder telefonisch in Verbindung zu setzen.
>
>
>
> --------------------------------------------
>
>
>
> Should you have any further questions, please
> do not hesitate to contact us.
>
>
>
> Best regards,
>
>
>
> Volker A. Greimann
>
> - legal department -
>
>
>
> Key-Systems GmbH
>
> Im Oberen Werk 1
>
> 66386 St. Ingbert
>
> Tel.: +49 (0) 6894 - 9396 901
> <tel:+49%206894%209396901>
>
> Fax.: +49 (0) 6894 - 9396 851
> <tel:+49%206894%209396851>
>
> Email: vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>
>
>
>
> Web: www.key-systems.net
> <http://www.key-systems.net> /
> www.RRPproxy.net
> <http://www.RRPproxy.net>www.domaindiscount24.com
> <http://www.domaindiscount24.com> /
> www.BrandShelter.com <http://www.BrandShelter.com>
>
>
>
> Follow us on Twitter or join our fan community
> on Facebook and stay updated:
>
> www.facebook.com/KeySystems
> <http://www.facebook.com/KeySystems>www.twitter.com/key_systems
> <http://www.twitter.com/key_systems>
>
>
>
> CEO: Alexander Siffrin
>
> Registration No.: HR B 18835 - Saarbruecken
>
> V.A.T. ID.: DE211006534
>
>
>
> Member of the KEYDRIVE GROUP
>
> www.keydrive.lu <http://www.keydrive.lu>
>
>
>
> This e-mail and its attachments is intended
> only for the person to whom it is addressed.
> Furthermore it is not permitted to publish any
> content of this email. You must not use,
> disclose, copy, print or rely on this e-mail.
> If an addressing or transmission error has
> misdirected this e-mail, kindly notify the
> author by replying to this e-mail or
> contacting us by telephone.
>
>
>
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170427/cb5f36f3/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list