[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
John Bambenek
jcb at bambenekconsulting.com
Thu Apr 27 21:54:24 UTC 2017
Below
On 4/27/2017 4:31 PM, Chris Pelling wrote:
> Let me correct your points here :
>
> 1) Correct in that you can make your point, contracted parties get a
> say.
Ok, you can take that position. I'm happy to try to work with this PDP
process that is supposedly multistakeholder even though really you are
saying here only one stakeholder matters. Why not just shut this down then?
> 2) Good, I am happy to note that you are happily putting registrars
> under the bus here.
I, in no way, have suggested that. And you know that. Are we really
going back to intentionally misrepresenting other people's points of view?
> 3) Please enlighten us - what is the problem with logging into a
> portal (to give an example) to see the data you need (bear in mind we
> have not even discussed what data)
You're asking for a specific problem for a vague system that does not
exist. The first problem I see is, I don't think you can build such a
system. The second problem is, I don't think you can, in any way,
meaningfully assess what roles people should get aside of "government"
or "not". The third problem is, there is no likelihood you could fully
vet people into roles. The entire SSL/TLS regime rests on one thing,
verifying the requester of an encryption certificate is authorized to
get one for a domain. That entire regime is a complete and unmitigated
failure. You really think you can do better?
Now, beyond the argument of what you set out to do has a pretty low
likelihood of success...
There are far too many criminals and far too few investigators. if you
think I can chuck automation out the window and make me revert to manual
checks is a case study in success, perhaps you should spend some time
figuring out what we actually DO. I mean, we're hearing telling you and
usually met with registrars telling us our opinion doesn't matter and
ignoring our messages.
You will also be creating audit trails that, for instance, would say X
person is investigating Y intelligence agency for propaganda. That puts
them at FAR more risk than mere domain renewal spam as surely those
records are going to be available to governments. It also allows, for
instance, the collection of trade secrets. For instance, I could use
John Horton's whois/RDS searches to build his client lists in a system
you created and mandate everyone uses. Are you prepared for that
liability when it gets breached?
> 4) I'll tell you what John, I am not willing to even RISK the point
> of being fined, as a business I cannot stop it, but, I will do
> everything in my power to mitigate it.
Which is why we are here, working on these issues. If your position is
just eliminate WHOIS, why not go full hog and eliminate RDS too?
> 5) Excellent, show us then - as at the moment all I see is the " I
> dont want it to change - I have easy access to what I need" - but
> remember this has no cost to you at this time, although what is
> decided here WILL have a cost to us.
You have not established it WILL have cost to you. I have established it
WILL have cost to society. I even used the very specific example of
election manipulation I put on this list this very morning. In fact, I
bet you I can sell the status quo to data protection authorities and
governments and that outcome will cost you nothing.
>
> I am all for listening to a "solution" that covers the registrars or
> registries "a**" - bring it on. Although remember you will need to do
> a little more than simply typing in the word "jwhois" or "whois" into
> a terminal and actually login to something as long as you have the
> rights too.
It sounds like you've already preordained the outcome. I have also
mentioned the very real risks investigators will have in such a system.
I am also convinced, as are my peers, that such a gate will very quickly
exclude us and treat us as "consumers" entitled to nothing. Based on
your tone and tenor, as well as others, I'm highly confident that's the
eventual outcome. It isn't making my life more difficult in using
whois. I believe you want to shut it down entirely. Which, as a side
effect, would let alleged Russian election interference by much more
successful per my example this morning.
>
> Kind regards,
>
> Chris
>
> ------------------------------------------------------------------------
> *From: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *To: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *Sent: *Thursday, 27 April, 2017 22:16:28
> *Subject: *Re: [gnso-rds-pdp-wg] international law enforcement
> association resolution regarding domain registration data
>
> 1) Yes, I am aware of the registrar-only party some want to have, but
> ICANN is a multistakeholder group and we get a say.
>
> 2) We are aware of who gets fines.
>
> 3) You are saying gated access will work for us but seem to ignore us
> when we tell you it won't.
>
> 4) You have not established that you WILL be fined.
>
> 5) We are also working on thinking outside the box.
>
> The lack of toleration for other points of view from some on this list
> has lead to this exact situation. You're free to call it bickering,
> I'd like to call it "Defending my point of view".
>
>
> On 4/27/2017 4:11 PM, Chris Pelling wrote:
>
> With risk of being removed from this WG, I will say the following,
> this is not directed at anyone but the group as a whole. I will
> also risk the wrath of registrars/registries tomorrow (or tonight
> depending on who reads this that is).
>
> Today this group has done a great disservice, the constant back
> and fourth of bickering - yes bickering has lead to one person
> requesting to being removed, someone who I do have a great respect
> for who thinks outside the box to fix a solution like I do.
> Constant badgering really is not going to get this group further
> as the "people" (read for definition : Registrars) who have to
> collect this information are the ones that will ultimately get a
> fine, not "data harvesters" DomainTools (Paul Keating) or
> LegitScript (their WHOIS collection service - John Horton) or the
> "anti-abuse" people (Allison Nixon / John Bambenek) but the registrar.
>
> So, gated access which would allow (as long as they can pass all
> the requirements) access to the "thick" whois data (to be
> determined mind you) would satisfy Allison, Legitscript and John
> side of the table - it might mean you have to login to something -
> but hey its a simple extra step once allowed. If you feel you
> might not be allowed then this could be your argument - if so,
> explain. Remember gated access is not a harvesting service and
> would I suggest be a GUI allowing access to the record you are
> "investigating".
>
> The likes of data harvesters, well, sorry but whois was not built
> for you to make money from, I do not pay my bandwidth bills for
> you to waste my cash. If you have a legitimate reason (and
> harvesting for sale which is what it is isn’t one of them) then
> explain.
>
> Personally a consideration might be to allow the RDS system to
> hold archived records (maybe thin or maybe thick) for legitimate
> use by the law enforcement peops that require it.
>
> Just a last note - I won't break my local law or any other law
> that I am under (because of where I trade or have office) to
> facilitate this group - you won't pay my fine, or as in Turkey
> take my jail time - end of.
>
> Apologies if I have put anyone's nose out - no doubt Ill find out
> shortly.
>
> Kind regards,
>
> Chris
>
> ------------------------------------------------------------------------
> *From: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *To: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
> *Sent: *Thursday, 27 April, 2017 21:39:25
> *Subject: *Re: [gnso-rds-pdp-wg] international law enforcement
> association resolution regarding domain registration data
>
> We can go back and forth but the US has data protection laws...
> unless we are talking distribution of credit card info, I'm hard
> pressed to think which ones apply to the question of who is
> allowed to access whois information.
>
> And yes, I'm sure the UN guy is busy, as we all are, but the point
> remains, you had a discussion and you both came away learning
> something I bet. And I bet, that once exposed to us, they'd learn
> something different. That was the only point I believe Allison
> intended to make.
>
>
> On 4/27/2017 3:36 PM, Ayden Férdeline wrote:
>
> Hi Allison,
>
> * I like to think that I keep busy, but I’m happy to admit
> that the UN Special Rapporteur on the Right to Privacy is
> a far, far busier man than I am. I am very grateful that
> he, and the other Data Protection Commissioners, found the
> time to engage with us in Copenhagen given their many
> other engagements.
> * The idea that it is only Europe which has privacy laws has
> been widely debunked; three times on this list just today.
> * The "gatekeeper" can only release information that they
> hold. This is precisely why the only data that should be
> collected is that which is relevant and necessary for the
> purposes in which it is processed, and retained for only
> so long as is absolutely necessary.
>
> Best wishes,
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>
> -------- Original Message --------
> Subject: Re: [gnso-rds-pdp-wg] international law
> enforcement association resolution regarding domain
> registration data
> Local Time: 27 April 2017 6:47 PM
> UTC Time: 27 April 2017 17:47
> From: elsakoo at gmail.com
> To: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
> RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>
> I'm sure everyone's schedules are quite busy, and they
> will manage.
>
> We need a proper legal authority here because it's
> potentially falsely being presumed that the use of WHOIS
> data is illegal and noncompliant in the first place. We
> simply do not know if that is a factual premise. We also
> need to take into account laws other than the EU privacy
> laws, and laws outside the EU. A number of exemptions
> exist within these privacy laws and those people throwing
> around the legal arguments accusing this of being illegal
> don't seem to ever mention that fact. We need an unbiased
> legal expert.
>
> What if a country is trying to enforce a law that is
> deemed distasteful (violates human rights, etc), and their
> registrant is located within the country? does the
> gatekeeper have grounds to deny them the ability to
> enforce their own laws against their own people, and if so
> when?
>
> How does WHOIS play into other areas of compliance, such
> as know-your-customer, complying with sanctions,
> anti-money laundering, HIPPAA, PCI, etc? Is complying to
> one law more important than complying to another, if one
> had to choose?
>
> Will the gatekeeper comply with anti-trust laws?
>
> How does privacy law prohibit information collection on
> registrants yet collect detailed PII info on queriers and
> subject them to audit? What happens if the gatekeeper is
> hacked into for those audit logs? What happens if the
> gatekeeper receives a national security letter?
>
> All of these are legal questions that need to be answered
> without bias and with full understanding of the facts.
>
>
>
>
>
> On Thu, Apr 27, 2017 at 12:42 PM, Stephanie Perrin
> <stephanie.perrin at mail.utoronto.ca
> <mailto:stephanie.perrin at mail.utoronto.ca>> wrote:
>
> And we need to have a lengthy discussion about
> precisely who that legal expert might be. It appears
> that many of our members are prepared to reject the
> views of the Data Protection Authorities themselves,
> who took the time out of their extraordinarily busy
> schedules to come and speak with us in Copenhagen.
>
> Stephanie Perrin
>
>
> On 2017-04-27 09:14, Gomes, Chuck via gnso-rds-pdp-wg
> wrote:
>
> We as a WG have not requested funds for a legal
> expert, but I don’t know what staff has built into
> the Draft FY18 budget.
>
>
>
> Marika – Did the Policy Team build any funds into
> the Draft FY18 budget for legal experts?
>
>
>
> Note that this is a very time sensitive issue
> because the comment period on the Draft FY18
> Operating Plan and Budget ends tomorrow.
>
>
>
> Lisa/Marika/Amr – Please prepare a draft comment
> on the Budget that the Leadership Team or me as
> Chair could send on Friday in this regard. If
> funds have not been proposed for such expenses, I
> think we should at a minimum raise the issue in
> the public comment forum even if there is not time
> to propose specific details.
>
>
>
> Chuck
>
>
>
>
> *From:*gnso-rds-pdp-wg-bounces at icann.org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>
> [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On
> Behalf Of *Paul Keating
> *Sent:* Thursday, April 27, 2017 7:55 AM
> *To:* Greg Shatan <gregshatanipc at gmail.com>
> <mailto:gregshatanipc at gmail.com>; Volker Greimann
> <vgreimann at key-systems.net>
> <mailto:vgreimann at key-systems.net>
> *Cc:* RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> <mailto:gnso-rds-pdp-wg at icann.org>
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg]
> international law enforcement association
> resolution regarding domain registration data
>
>
>
> Has the WG requested funds to retain a legal
> expert to educate us on the actual laws at issue?
>
>
>
> *From: *<gnso-rds-pdp-wg-bounces at icann.org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on
> behalf of Greg Shatan <gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>>
> *Date: *Thursday, April 27, 2017 at 12:38 AM
> *To: *Volker Greimann <vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>>
> *Cc: *RDS PDP WG <gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>>
> *Subject: *Re: [gnso-rds-pdp-wg] international law
> enforcement association resolution regarding
> domain registration data
>
>
>
> We also need to be very clear about the limits
> of the legal requirements of applicable law,
> and the various options available for dealing
> with the law. There's no need to overcomply.
> Indeed it would be quite unreasonable to do so.
>
>
>
> Just as paying the lowest calculable income
> tax is perfectly legitimate, so is complying
> with the law in the least disruptive way possible.
>
>
>
> Greg
>
>
> *Greg Shatan
> *C: 917-816-6428 <tel:%28917%29%20816-6428>
> S: gsshatan
> Phone-to-Skype: 646-845-9428
> <tel:%28646%29%20845-9428>
> gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>
>
>
>
> On Wed, Apr 26, 2017 at 1:06 PM, Volker
> Greimann <vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>> wrote:
>
> I wish it were so simple. "Doing harm" is
> not necessary to be in violation with
> applicable law. Just like jaywalking,
> speeding on an empty road or crossing a
> red light carries a fine regardless of
> whether harm was done, privacy law too
> does not care about an actual harm.
>
> We need to be very clear about the legal
> requirements when we define the limits of
> what can be done with the data we collect,
> and by whom.
>
> Volker
>
>
>
> Am 26.04.2017 um 18:43 schrieb John Horton:
>
> Greg, well said. And Tim, well said.
> And I'll strongly +1 Michael Hammer as
> well. I agree with the "do no harm"
> philosophy -- I'm not convinced that
> some of the proposed changes (e.g.,
> those outlined in the EWG report)
> wouldn't cause more harm than the
> existing, admittedly imperfect,
> system. As I've said before, the
> importance of tools like Reverse Whois
> isn't only direct -- it's derivative
> as well. (If you enjoy the benefits of
> those of us who fight payment fraud,
> online abuse and other sorts of
> malfeasance, you have reverse Whois
> among other tools to thank.) Privacy
> laws in one part of the world are a
> factor we need to be aware of, among
> other factors.
>
>
>
> On Wed, Apr 26, 2017 at 9:07 AM
> nathalie coupet via gnso-rds-pdp-wg
> <gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>> wrote:
>
> +1
>
>
>
> Nathalie
>
>
>
> On Wednesday, April 26, 2017 12:02
> PM, Victoria Sheckler
> <vsheckler at riaa.com
> <mailto:vsheckler at riaa.com>> wrote:
>
>
>
> +1
>
> Sent from my iPhone
>
>
> On Apr 26, 2017, at 8:56 AM, Greg
> Shatan <gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>>
> wrote:
>
> Thanks for weighing in, Tim.
> Since this is a
> multistakeholder process,
> everyone is assumed to come in
> with a point of view, so don't
> be shy. At the same time, if
> stakeholders cling
> dogmatically to their points
> of view the multistakeholder
> model doesn't work.
>
>
>
> As for being out on a limb:
>
> * We haven't decided what
> data will be "private" and
> for which registrants
> (e.g., based on geography
> or entity status)
> * We haven't decided there
> will be "gated" access and
> what that might mean, both
> for policy and practicality
> * The question shouldn't be
> whether we will be
> "allowing third parties
> access to harvest,
> repackage and republish
> that data," but how we
> should allow this in a way
> that balances various
> concerns. Eliminating
> reverse Whois and other
> such services is not a
> goal of this Working Group.
>
> Our job should be to provide
> the greatest possible access
> to the best possible data,
> consistent with minimizing
> risk under reasonable
> interpretations of applicable
> law. We need to deal with
> existing and incoming privacy
> laws (and with other laws) as
> well, but not in a worshipful
> manner; instead it should be
> in a solution-oriented
> manner. This is not, after
> all, the Privacy Working
> Group. I'll +1 Michael
> Hammer: Rather than starting
> from a model of justifying
> everything and anything from a
> privacy perspective, I would
> suggest that it would be much
> more appropriate, other than
> technical changes such as
> moving towards using JSON, to
> require justification and
> consensus for any changes from
> the existing model(s) of WHOIS.
>
>
>
> Finally, while our purpose is
> not to maintain anyone's
> economic interest, economic
> interests may well be aligned
> with policy interests.
> Assuming that economic
> interests are at odds with
> policy interests is just as
> dangerous as assuming that
> policy interests are served by
> maximizing economic interests.
>
>
>
> Greg
>
>
> *Greg Shatan
> *C: 917-816-6428
> <tel:%28917%29%20816-6428>
> S: gsshatan
> Phone-to-Skype: 646-845-9428
> <tel:%28646%29%20845-9428>
> gregshatanipc at gmail.com
> <mailto:gregshatanipc at gmail.com>
>
>
>
> On Wed, Apr 26, 2017 at 11:28
> AM, Dotzero <dotzero at gmail.com
> <mailto:dotzero at gmail.com>> wrote:
>
> Adding to what Tim and
> Allison wrote.
>
> As a starting point, I've
> had an account with
> DomainTools in the past
> and will likely have one
> in the future, although I
> don't currently have one.
>
> There are other
> organizations and
> individuals which
> consume/aggregate whois
> data so I don't think that
> for the purposes of this
> discussion the focus
> should be on just
> DomainTools. I know
> researchers and academics
> who use this data to
> analyze all sorts of
> things. As has been
> pointed out, there are all
> sorts of folks staking out
> positions because of their
> economic (and other)
> interests without
> necessarily being
> transparent about those
> interests.
>
> It should be remembered
> that the Internet is an
> agglomeration of many
> networks and resources,
> some public and some
> private. At the same time,
> it is simply a bunch of
> technical standards that
> people and organizations
> have agreed to use to
> interact with each other.
> In many cases, the
> ultimate solution to abuse
> is to drop route. To the
> extent that good and
> granular information is
> not readily available,
> regular (innocent) users
> may suffer as owners and
> administrators of
> resources act to protect
> those resources and their
> legitimate users from
> abuse and maliciousness.
> The reality is that most
> users of the internet
> utilize a relatively small
> subset of all the
> resources out there. For
> some, a service like
> Facebook IS the Internet.
>
> It may also incite a
> tendency towards returning
> to a model of walled
> gardens. At various points
> I have heard discussions
> about the balkanization of
> the internet, with things
> like separate roots, etc.
> People should think very
> carefully about what they
> are asking for because
> they may not be happy with
> it if they actually get it.
>
> Rather than starting from
> a model of justifying
> everything and anything
> from a privacy
> perspective, I would
> suggest that it would be
> much more appropriate,
> other than technical
> changes such as moving
> towards using JSON, to
> require justification and
> consensus for any changes
> from the existing model(s)
> of WHOIS.
>
> Michael Hammer
>
> On Wed, Apr 26, 2017 at
> 10:27 AM, allison nixon
> <elsakoo at gmail.com
> <mailto:elsakoo at gmail.com>>
> wrote:
>
> Thank you for your
> email Tim.
>
> Full
> disclosure(because I
> believe in being
> transparent about this
> sort of thing), we do
> business with
> Domaintools and use
> their tools to consume
> whois data.
>
> "i'll close by saying
> I think Allison's
> point about economic
> value has merit. yes,
> the point of the WG is
> not to protect
> anyone's economic
> interest. I agree
> 100% with that
> statement and will
> disagree with anyone
> who thinks the future
> of DomainTools or
> other commercial
> service should have
> one iota of impact on
> this discussion."
>
> I will however
> disagree vehemently
> with you on this
> point. It is obvious
> that many of the
> arguments to cut off
> anonymous querying to
> WHOIS data are
> economically
> motivated. Financial
> concerns are cited
> numerous times in
> approved documents. I
> also believe the
> "vetting" process is
> likely to become a new
> revenue stream for
> someone as well. A
> revenue stream with
> HIGHLY questionable
> privacy value-add.
>
> Every dollar of income
> for the Domaintools
> company and others
> like it come from
> their clients, who see
> a multiplier of value
> from it. That means
> for every dollar spent
> on the entire whois
> aggregator industry
> means that a much
> larger amount of money
> is saved through
> prevented harms like
> fraud, abuse, and even
> fake medications which
> kill people.
>
> I think it is
> extremely important to
> identify what critical
> systems rely on whois
> (either directly or
> downstream), and
> determine if we are
> ready to give up the
> utility of these systems.
>
> We also need to
> identify the value of
> the ability to
> anonymously query
> whois and what that
> loss of privacy will
> mean as well. While I
> obviously do not make
> many queries
> anonymously(although
> our vendor has their
> own privacy policy), I
> understand this is
> important especially
> to those researching
> more dangerous actors.
> Why would $_COUNTRY
> dissidents want to
> query domains when
> their opponents would
> surely be hacking into
> the audit logs for this?
>
>
>
> On Apr 25, 2017 11:41
> PM, "Chen, Tim"
> <tim at domaintools.com
> <mailto:tim at domaintools.com>>
> wrote:
>
> "And I hope more
> stakeholders in
> this
> multi-stakeholder
> process will come
> forward with their
> own perspectives,
> as they will
> differ from mine."
>
>
>
> happy to do so.
> DomainTools is
> clearly a
> stakeholder in
> this debate. and
> we have a fair
> amount of
> experience around
> the challenges,
> benefits and risks
> of whois data
> aggregation at
> scale.
>
>
>
> from the beginning
> of this EWG/RDS
> idea we've stood
> down bc i didn't
> believe our
> opinion would be
> seen as
> objective-enough
> given our line of
> business. but it
> is apparent to me
> having followed
> this debate for
> many weeks now,
> that this is a
> working group of
> individuals who
> all bring their
> own biases into
> the debate.
> whether they care
> to admit that to
> themselves or not.
> so we might as
> well wade in too.
> bc I think our
> experience is very
> relevant to the
> discussion.
>
>
>
> i'll do my best to
> be as objective as
> I can, as a domain
> registrant myself
> and as an informed
> industry participant.
>
>
>
> since our
> experience is
> working with
> security minded
> organizations,
> that is the
> context with which
> I will comment.
>
>
>
> since this is an
> ICANN working
> group, I start
> with the ICANN
> mission statement
> around the
> security and
> stability of the
> DNS. I find
> myself wanting to
> fit this debate to
> that as the north
> star. i do not
> see the RDS as
> purpose driven to
> fit the GDPR or
> any
> region-specific
> legal resolution.
> but I do see
> those as important
> inputs to our
> discussion.
>
>
>
> from a security
> perspective, my
> experience is that
> the benefits of
> the current Whois
> model, taken with
> this lens, far
> outweigh the
> costs. again, I
> can only speak
> from my experience
> here at
> DomainTools, and
> obviously under
> the current Whois
> regime. This is
> not to say it
> cannot be
> improved. From a
> data accuracy
> perspective alone
> there is enormous
> room for
> improvement as I
> think we can all
> agree. every day
> I see the tangible
> benefits to
> security
> interests, which
> for the most part
> are "doing good",
> from the work that
> we do. when I
> compare that to
> the complaints
> that we get bc "my
> PII is visible in
> your data", it's
> not even close by
> my value barometer
> (which my differ
> from others').
> this is relevant
> bc any future
> solution will be
> imperfect as I
> have mentioned
> before. as
> Allison and others
> point out we need
> to measure the
> harm done by any
> new system that
> may seek to solve
> one problem
> (privacy?) and
> inadvertently
> create many more.
> since this group
> is fond of
> analogies I'll
> contribute one
> from the medical
> oath (not sure if
> this is just U.S.)
> "first, do no harm".
>
>
>
> i'll close by
> saying I think
> Allison's point
> about economic
> value has merit.
> yes, the point of
> the WG is not to
> protect anyone's
> economic
> interest. I agree
> 100% with that
> statement and will
> disagree with
> anyone who thinks
> the future of
> DomainTools or
> other commercial
> service should
> have one iota of
> impact on this
> discussion. but I
> also think "it's
> too expensive" or
> "it's too hard"
> are weak and
> dangerous excuses
> when dealing with
> an issue like this
> which has enormous
> and far reaching
> consequences for
> the very mission
> of ICANN around
> the security and
> stability of our
> internet.
>
>
>
> Tim
>
>
>
> On Mon, Apr 24,
> 2017 at 3:50 PM,
> allison nixon
> <elsakoo at gmail.com
> <mailto:elsakoo at gmail.com>>
> wrote:
>
> Thanks for the
> documentation
> in your
> earlier email.
> While I
> understand
> that's how
> things are
> supposed to
> work in
> theory, it's
> not
> implemented
> very widely,
> and unless
> there is
> enforcement,
> then it's
> unlikely to be
> useful at all.
>
>
>
>
>
>
>
> "as a given,
> we put
> ourselves in a
> certain
> position in
> terms of the
> actions we can
> and cannot
> recommend. We
> can make
> similar
> statements
> focused on
> registry
> operators,
> registrars, or
> any other
> stakeholder in
> this space. If
> we all
> approach this
> WG's task with
> the goal of
> not changing
> anything,
> we're all just
> wasting our time."
>
> There are
> things that
> people would
> be willing to
> change about
> WHOIS. Changes
> purely
> relating to
> the data
> format would
> not be as
> controversial.
> Changing to
> that RDAP json
> format would
> probably be an
> agreeable
> point to most
> here.
>
>
>
> There are two
> different
> major points
> of contention
> here. The
> first is the
> data format,
> second is the
> creation of a
> new monopoly
> and ceding
> power to it.
> By monopoly I
> mean- who are
> the
> gatekeepers of
> "gated"
> access? Will
> it avoid all
> of the
> problems that
> monopolies are
> historically
> prone to? Who
> will pay them?
> It seems like
> a massive leap
> of faith to
> commit to this
> without
> knowing who we
> are making the
> commitment to.
>
>
>
>
>
> "I do not
> believe it is
> this WG's
> responsibility
> to protect
> anyone's
>
> commercial
> services if
> those things
> are basically
> in response to
> deficiencies
> in the
> existing Whois
> protocol. "
>
>
>
> From my
> understanding
> of past ICANN
> working
> groups,
> registrars
> have fought
> against issues
> that would
> have increased
> their costs.
> And the
> destruction of
> useful WHOIS
> results(or
> becoming
> beholden to
> some new
> monopoly)
> stand to incur
> far more costs
> for far larger
> industries.
> So this
> shouldn't
> surprise you.
> If those
> economic
> concerns are
> not valid then
> I question why
> the economic
> concerns of
> registrars are
> valid.
>
>
>
> If entire
> industries are
> built around a
> feature you
> would consider
> a
> "deficiency",
> then your
> opinion may
> solely be your
> own. And I
> hope more
> stakeholders
> in this
> multi-stakeholder
> process will
> come forward
> with their own
> perspectives,
> as they will
> differ from mine.
>
>
>
>
>
>
>
>
>
>
>
> "Not trying to
> hamstring the
> WG. Just
> asking if this
> is not
> something that
> has already
> been solved.."
>
> Hi Paul,
>
>
>
> It's an
> interesting
> thought. This
> document was
> recommended to
> me as one that
> was approved
> in the past by
> the working
> group that
> outlined what
> the resulting
> system might
> look like. I'm
> still learning
> and reading
> about these
> working groups
> and what they
> do, and this
> document is
> massive.
>
>
>
> https://www.icann.org/en/syste
> m/files/files/final-report-06j
> un14-en.pdf
> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>
>
>
>
> In the
> document, it
> says:
> /"Central to
> the remit of
> the EWG is the
> question of
> how to design
> a system that
> increases the
> accuracy of
> the data
> collected
> while also
> offering
> protections
> for those
> Registrants seeking
> to guard and
> maintain their
> privacy."/
>
>
>
> One of the
> things I
> notice is that
> any talk about
> actually
> increasing
> accuracy of
> whois info-
> via
> enforcement-
> is vigorously
> opposed in
> this group,
> and it's
> merely assumed
> that people
> will supply
> better quality
> data under the
> new system.
>
>
>
> Throughout the
> document it
> talks about
> use-cases and
> features
> (whois
> history,
> reverse query,
> etc), which
> are indeed
> identical to
> the features
> of the whois
> aggregators of
> current day.
> Such a system
> would replace
> them. Will the
> service
> quality be as
> good?
>
>
>
> On page 63 it
> gets into
> thoughts on
> who would be
> "accredited"
> to access the
> gated whois
> data. Every
> proposed
> scenario seems
> to recognize
> the resulting
> system will
> need to handle
> a large query
> volume from a
> large number
> of people, and
> one proposes
> accrediting
> bodies which
> may accredit
> organizations
> which may
> accredit
> individuals.
> It even
> proposes an
> abuse handling
> system which
> is also
> reminiscent in
> structure to
> how abuse is
> handled
> currently in
> our domain
> name system.
> Many of these
> proposed
> schemes appear
> to mimic the
> ways that the
> hosting
> industry and
> registrar
> industry
> operate, so we
> can expect
> that the
> patterns of
> abuse will be
> equally
> frequent,
> especially if
> higher quality
> data is supplied.
>
>
>
> The proposed
> scenarios all
> paint a
> picture of
> "gated" access
> with very wide
> gates, while
> simultaneously
> representing
> to domain
> purchasers
> that their
> data is safe
> and privacy
> protected. And
> this is
> supposed to
> *reduce* the
> total number
> of privacy
> violations?
> This doesn't
> even appeal to
> me as a
> consumer of
> this data.
>
>
>
> Whoever sets
> up this system
> also stands to
> inherit a lot
> of money from
> the
> soon-to-be-defunct
> whois
> aggregation
> industry. They
> would
> certainly win
> our contract,
> because we
> would have no
> choice. All
> domain
> reputation
> services,
> anti-spam,
> security
> research, etc,
> efforts will
> all need to
> pay up.
>
>
>
>
>
>
>
> After being
> supplied with
> the above
> document, I
> also saw a
> copy of a
> rebuttal
> written by a
> company that
> monitors
> abusive
> domains. I
> strongly agree
> with the
> sentiments in
> this document
> and I do not
> see evidence
> that those
> concerns have
> received fair
> consideration.
> While I do not
> see this new
> gatekeeper as
> an existential
> threat, I do
> see it as a
> likely
> degradation in
> the utility i
> do see from
> whois. To be
> clear, we do
> not do any
> business with
> this company.
>
>
>
> http://mm.icann.org/pipermail/
> input-to-ewg/attachments/20130
> 823/410038bb/LegitScriptCommen
> tsonICANNEWGWhoisReplacementSt
> ructure-0001.pdf
> <http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf>
>
>
>
>
>
>
>
> I also found
> John
> Bambenek's
> point in a
> later thread
> to be
> interesting-
> concentrating
> WHOIS
> knowledge
> solely to one
> organization
> allows the
> country it
> resides in to
> use it to
> support its
> intelligence
> apparatus, for
> example
> monitoring
> when its
> espionage
> domains are
> queried for,
> and targeting
> researchers
> that query
> them (since
> anonymous
> querying will
> be revoked).
> Nation states
> already use
> domains in
> operations so
> this monopoly
> is a perfect
> strategic data
> reserve. The
> fact that this
> system is
> pushed by
> privacy
> advocates is
> indeed ironic.
>
>
>
>
>
>
>
> None of those
> concerns
> appear to have
> been addressed
> by this group
> in any serious
> capacity.
> Before the
> addition of
> new members, I
> don't think
> many people
> had the
> backgrounds or
> skillsets to
> even
> understand why
> they are a
> concern. But I
> think this is
> a discussion
> worth having
> at this point
> in time for
> this group.
>
>
>
> On Mon, Apr
> 24, 2017 at
> 1:50 PM,
> Andrew
> Sullivan
> <ajs at anvilwalrusden.com
> <mailto:ajs at anvilwalrusden.com>>
> wrote:
>
> Hi,
>
> On Mon,
> Apr 24,
> 2017 at
> 07:25:47PM
> +0200,
> Paul
> Keating wrote:
> > Andrew,
> >
> > Thank
> you. That
> was helpful.
> >
> > ""Given
> this
> registrant,
> what other
> > domains
> are
> registered?"
> is a
> solved
> problem,
> and has
> been since the
> > early
> 2000s.²
> >
> > This is
> also
> traceable
> via
> alternative
> means such
> as
> consistencies
> in
> > various
> WHOIS
> fields
> such as
> email,
> address,
> name, etc.
>
> Well, sort
> of. The
> email,
> address,
> and name
> fields are
> _user_
> supplied.
> So they
> come from
> the other
> party to
> the
> transaction.
> The
> ROID is
> assigned
> by the
> registry
> itself.
> So once
> you have a
> match,
> you know
> that you
> are
> looking at
> the same
> object,
> only the same
> object,
> and all
> the same
> object(s).
>
> Email
> addresses
> in
> particular
> are
> guaranteed
> unique in
> the world at
> any given
> time
> (though
> not
> guaranteed
> as unique
> identifiers
> over
> time), so
> they may
> be useful
> for these
> purposes.
> Take it
> from someone
> named
> "Andrew
> Sullivan",
> however,
> that names
> are pretty
> useless as
> context-free
> identifiers :)
>
> > In
> reality
> finding
> out
> answers to
> questions
> such as
> > yours
> (above)
> requires
> investigation
> using a
> plethora
> of data.
>
> To be
> clear,
> finding
> out the
> answer to
> what I
> (meant to)
> pose(d)
> requires
> no
> plethora
> of data:
> it
> requires a
> single
> query and
> access to
> the right
> repository
> (the
> registry).
> In some
> theoretical
> system, the
> correct
> underlying
> database
> query
> would be
> something
> like this:
>
> SELECT
> domain_roid,
> domain_name
> FROM
> domains
> WHERE
> registrant_roid
> = ?;
>
> and you
> put the
> correct
> ROID in
> where the
> question
> mark is,
> and off
> you go.
> That will
> give you
> the list
> of all the
> domain
> names, and
> their
> relevant
> ROIDs,
> registered
> by a given
> registrant
> contact. At
> least one
> registry
> with which
> I am
> familiar
> once had a
> WHOIS feature
> that
> allowed
> something
> close to
> the above,
> only it
> would stop
> after
> some
> number of
> domains so
> as not to
> return too
> much
> data. I
> think the
> default
> was
> therefore
> LIMIT 50,
> but I also
> think the
> feature was
> eventually
> eliminated
> about the
> time that
> the ICANN
> community
> rejected
> IRIS as an
> answer to
> "the whois
> problem".
>
> What the
> above will
> of course
> not do is
> help you
> in the
> event Bob The
> Scammer
> has
> created
> dozens of
> different
> contacts
> for
> himself by
> (say)
> registering
> names
> through
> many
> different
> registrars.
> I do not
> believe
> that any
> registry
> is going
> to support
> such a use
> at least
> without
> access
> controls,
> because it
> can be
> expensive
> to answer
> such things.
> So, what
> you
> understood
> me to be
> asking, I
> think, is
> the question I
> did _not_
> ask: given
> this human
> being or
> organization,
> what other
> domains
> are
> registered?"
> That does
> require a
> lot of
> different
> data,
> and it
> requires
> cross-organizational
> searches,
> and it
> requires
> sussing
> out when
> someone
> has lied
> also.
> Such
> research
> is, I
> agree,
> completely
> outside
> the scope
> of what
> any
> technical
> system
> will ever
> be able to
> offer
> reliably.
>
> > An entire
> > industry
> exists for
> this
> purpose
> and I
> don¹t
> think we
> should be
> >
> considering
> replacing
> what has
> already
> been
> existing
> in the
> cyber security
> > marketplace.
>
> I do not
> believe it
> is this
> WG's
> responsibility
> to protect
> anyone's
> commercial
> services
> if those
> things are
> basically
> in response to
> deficiencies
> in the
> existing
> Whois
> protocol.
> In this
> case, however,
> that's not
> the
> problem.
> Linking
> data in
> multiple
> databases
> to a given
> real-world
> human
> being is
> hard even
> in systems
> without
> competition
> and
> multiple
> points of
> access.
> It's
> always
> going to
> require
> researchers
> for the
> domain
> name system.
>
> Best regards.
>
>
> A
>
> --
> Andrew
> Sullivan
> ajs at anvilwalrusden.com
> <mailto:ajs at anvilwalrusden.com>
> ______________________________
> _________________
> gnso-rds-pdp-wg
> mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
> --
>
> ______________________________
> ___
> Note to self:
> Pillage BEFORE
> burning.
>
>
> ______________________________
> _________________
> gnso-rds-pdp-wg
> mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
>
> ______________________________
> _________________
>
>
> gnso-rds-pdp-wg
> mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l
> istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
> ______________________________
> _________________
>
>
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/
> listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> --
>
> Bei weiteren Fragen stehen wir Ihnen gerne
> zur Verfügung.
>
>
>
> Mit freundlichen Grüßen,
>
>
>
> Volker A. Greimann
>
> - Rechtsabteilung -
>
>
>
> Key-Systems GmbH
>
> Im Oberen Werk 1
>
> 66386 St. Ingbert
>
> Tel.: +49 (0) 6894 - 9396 901
> <tel:+49%206894%209396901>
>
> Fax.: +49 (0) 6894 - 9396 851
> <tel:+49%206894%209396851>
>
> Email: vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>
>
>
>
> Web: www.key-systems.net
> <http://www.key-systems.net> /
> www.RRPproxy.net
> <http://www.RRPproxy.net>www.domaindiscount24.com
> <http://www.domaindiscount24.com> /
> www.BrandShelter.com
> <http://www.BrandShelter.com>
>
>
>
> Folgen Sie uns bei Twitter oder werden Sie
> unser Fan bei Facebook:
>
> www.facebook.com/KeySystems
> <http://www.facebook.com/KeySystems>www.twitter.com/key_systems
> <http://www.twitter.com/key_systems>
>
>
>
> Geschäftsführer: Alexander Siffrin
>
> Handelsregister Nr.: HR B 18835 -
> Saarbruecken
>
> Umsatzsteuer ID.: DE211006534
>
>
>
> Member of the KEYDRIVE GROUP
>
> www.keydrive.lu <http://www.keydrive.lu>
>
>
>
> Der Inhalt dieser Nachricht ist
> vertraulich und nur für den angegebenen
> Empfänger bestimmt. Jede Form der
> Kenntnisgabe, Veröffentlichung oder
> Weitergabe an Dritte durch den Empfänger
> ist unzulässig. Sollte diese Nachricht
> nicht für Sie bestimmt sein, so bitten wir
> Sie, sich mit uns per E-Mail oder
> telefonisch in Verbindung zu setzen.
>
>
>
> --------------------------------------------
>
>
>
> Should you have any further questions,
> please do not hesitate to contact us.
>
>
>
> Best regards,
>
>
>
> Volker A. Greimann
>
> - legal department -
>
>
>
> Key-Systems GmbH
>
> Im Oberen Werk 1
>
> 66386 St. Ingbert
>
> Tel.: +49 (0) 6894 - 9396 901
> <tel:+49%206894%209396901>
>
> Fax.: +49 (0) 6894 - 9396 851
> <tel:+49%206894%209396851>
>
> Email: vgreimann at key-systems.net
> <mailto:vgreimann at key-systems.net>
>
>
>
> Web: www.key-systems.net
> <http://www.key-systems.net> /
> www.RRPproxy.net
> <http://www.RRPproxy.net>www.domaindiscount24.com
> <http://www.domaindiscount24.com> /
> www.BrandShelter.com
> <http://www.BrandShelter.com>
>
>
>
> Follow us on Twitter or join our fan
> community on Facebook and stay updated:
>
> www.facebook.com/KeySystems
> <http://www.facebook.com/KeySystems>www.twitter.com/key_systems
> <http://www.twitter.com/key_systems>
>
>
>
> CEO: Alexander Siffrin
>
> Registration No.: HR B 18835 - Saarbruecken
>
> V.A.T. ID.: DE211006534
>
>
>
> Member of the KEYDRIVE GROUP
>
> www.keydrive.lu <http://www.keydrive.lu>
>
>
>
> This e-mail and its attachments is
> intended only for the person to whom it is
> addressed. Furthermore it is not permitted
> to publish any content of this email. You
> must not use, disclose, copy, print or
> rely on this e-mail. If an addressing or
> transmission error has misdirected this
> e-mail, kindly notify the author by
> replying to this e-mail or contacting us
> by telephone.
>
>
>
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170427/001d34f3/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list