[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

allison nixon elsakoo at gmail.com
Fri Apr 28 01:33:09 UTC 2017


(Also depending on how the English is read it might just be a turn of
phrase and not aggressive language, I'm not agitated in any case, so let's
please return the discussion to the facts and not get upset when facts are
brought to the table)

On Apr 27, 2017 8:46 PM, "allison nixon" <elsakoo at gmail.com> wrote:

> A lot of emails since I have last been at a computer... replying to
> snippets of previous mails:
>
> *"I actually disagree that there have been many situations where criminal
> investigations have been stifled due to an inability to meet the criteria
> for a search in Canada. Where those situations *have* arisen though, it is
> not a catch-22 situation, it's a situation where you just don't have a good
> enough reason to identify the anonymous digital activity.*
>
>
> *Regarding judges valuation of digital evidence, some will likely instill
> more rigorous digital forensics requirements than others, or draw more
> robust inferences from a certain dataset, but that cuts both ways
> (sometimes in favour of allowing the search sometimes against).
> Realistically speaking, very few ex parte search requests get denied
> (including ones for digital identification) so if anything I suspect the
> latter situation is more prevalent. "*
>
> I'm specifically calling out situations where judges do not understand
> technology, and specifically in cybercrime cases with technically skilled
> suspects. I am not Canadian and I have had very few interactions with their
> legal system and those few interactions leave me with hope that they
> improve in their understanding of how things work on the Internet. These
> catch-22 situations have all seemingly stemmed from a lack of understanding
> of technology. I cannot speak about specific details so I cannot continue
> this line of conversation much further. I would like to be wrong about my
> beliefs on this.
>
> *"The likes of data harvesters, well, sorry but whois was not built for
> you to make money from, I do not pay my bandwidth bills for you to waste my
> cash.  If you have a legitimate reason (and harvesting for sale which is
> what it is isn’t one of them) then explain."*
>
> Data harvesting is the only way to perform those "reverse whois" and
> "historical whois" use-cases that are reiterated many times as a need. You
> don't store a historical repository on your whois server, and you don't
> notify when a record changes, so people must query over and over again. If
> you wanted to negotiate something better, I think both parties would
> benefit.
>
> *"Today this group has done a great disservice, the constant back and
> forth of bickering - yes bickering has led to one person requesting to
> be removed, someone who I do have a great respect for who thinks outside
> the box to fix a solution like I do.  Constant badgering really is not
> going to get this group further as the "people" (read for definition :
> Registrars)  who have to collect this information are the ones that will
> ultimately get a fine, not "data harvesters" DomainTools (Paul Keating) or
> LegitScript (their WHOIS collection service - John Horton) or the
> "anti-abuse" people (Allison Nixon / John Bambenek) but the registrar."*
>
> He resigned because I called his idea unappealing. His idea where this
> future scenario leads to a company risking a far higher fine than the
> criminals would ever have faced. So yes, I reiterate, that future is
> unappealing and even kafkaesque. Nowhere did I state a personal attack
> against him, so threats to the nose are enormously inappropriate and I as
> well as the list need to know if you intend to carry out those threats.
> Complaining about the quality of discussion and following up with threats
> of violence is not a consistent stance, pick one or the other and stick
> with it please.
>
>
>
> For those of you who think that every case of sharing publicly available
> PII is a travesty deserving of a major crackdown, I seek your opinions
> about the following scenario:
>
> Here's an article written by an independent journalist about commercially
> available malware in an underground forum that the authorities will likely
> never touch due to their chronic lack of manpower. In this article, he
> shares information relating to the maker of a remote access trojan with
> spying and ransom features, who sells it on an underground forum where
> users regularly use similar tools to engage in ransom, child exploitation,
> and other activities, essentially in an open-air market. Often the only
> deterrent to openly selling malware is journalistic exposure of one's
> activities, since the authorities either can't or won't take action.
>
> https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/
>
> In this article, he shares quite a lot of PII, much of it derived from
> WHOIS records, even on the guy's personal non-criminal sites. He doesn't
> even get a judge's approval to do so!
>
> If this article was written in the EU in the future, does this journalist
> deserve incredible fines while the criminal remains anonymous due to
> aforementioned chronic lack of manpower?
> Also, do you think that such a privacy regime would retain public support
> for very long?
>
>
>
> If you aren't acquainted with the darker side of the Internet, I suggest
> you read some more articles on that guy's site. This "I don't know and I
> don't care" attitude towards cybercrime, especially on the basis of
> questionable legal interpretations, is likely a source of much of this
> problem. But I don't want registrars to get fined either, and I think it
> would be ridiculous to force them into a situation where they take a fine
> from one end or the other. But there's most likely a solution that can work
> out for both sides because there are exemptions in these EU laws, and an
> actual legal expert can probably figure them out.
>
> Also I continue to +1 the "whois privacy for free" idea.
>
>
>
>
> On Thu, Apr 27, 2017 at 7:08 PM, John Bambenek via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
>>
>>
>> Sent from my iPhone
>>
>> On Apr 27, 2017, at 17:54, "tisrael at cippic.ca" <tisrael at cippic.ca> wrote:
>>
>>
>>
>> On 2017-04-27 5:58 PM, John Bambenek wrote:
>>
>> On 4/27/2017 4:43 PM, tisrael at cippic.ca wrote:
>>
>> Hi John,
>>
>> As long as it's a true choice this might be ok. As in a cost-less opt-in
>> choice the registrant can make and re-make at any time.
>>
>>
>> This is exactly what I advocate.  Literally check a box, uncheck a box...
>> hell, I'll even pop for making some videos and a website explaining to
>> consumers the pros and cons of doing both.
>>
>> It doesn't sound like this is what you're proposing at all though. You
>> seem to be saying there should be a searchable database for at least some
>> thick WHOIS data items even if someone chooses the 'private' stream.
>>
>>
>> As far as I am concerned the only data besides "PRIVATE" that needs to be
>> shown in that case is nameservers (the domain wouldn't work without making
>> that public somehow anyway). I would like registration, renewal, expiration
>> dates. Other than that, they marked their info private, it's private.
>>
>>
>> But you would still need to develop a mechanism for legitimate access to
>> the 'privacy stream' data that should reflect broader access norms. For
>> example, if you are accessing for private rights enforcement purposes, you
>> would need to meet the civil discovery threshold. If you're accessing for
>> law enforcement purposes, you would need to meet a whole other, more
>> rigorous threshold. This might differ by jurisdiction as well (if you're an
>> LEA from country A as opposed to country B).
>>
>> And even in respect to those in the fully public WHOIS stream, you may
>> still wish to impose some conditions. After all most data protection
>> regimes impose some conditions even on fully public personal information.
>>
>>
>> The question then becomes on what data fields is that true.  Lots of data
>> is stored by registrars... I don't need, for instance, credit card
>> information (well, I do, but those requests are handled via law
>> enforcement).  In Canada, Google shows a variety of things that let me
>> search property / title records... as a rough analogy, why is what we
>>
>> I'm not actually familiar with a Google-able property search but
>> presumably the key difference would be that ownership of a property doesn't
>> in effect reveal anonymous activity of the type you would be undertaking on
>> an otherwise anonymous website.
>>
>>
>> See above but I would dispute domain registrant info anyway unmasks any
>> activity on an otherwise anonymous website. All it says is who owns a
>> domain.
>>
>>
>> Best,
>> Tamir
>>
>>
>> Best,
>> Tamir
>>
>> On 2017-04-27 2:34 PM, John Bambenek via gnso-rds-pdp-wg wrote:
>>
>> That was why I advocate whois privacy (or equivalent).  WHOIS would still
>> be public because some elements need to be public (nameservers) or it just
>> doesn't work... the consumer is free to choose which lane they want to be
>> in, and the rest of us can use that data how we see fit.
>>
>> On 4/27/2017 1:17 PM, tisrael at cippic.ca wrote:
>>
>> Hi there,
>>
>> Sorry to interject here.
>>
>> I think a governance exercise here must look beyond what the law strictly
>> allows in terms of formulating WHOIS and to how a given WHOIS configuration
>> will impact on recognized legal privacy protections.
>>
>> So, in Canada, our courts have built legal protections and safeguards
>> into the civil discovery process that determine under what conditions
>> anonymous online activity can be identified. Similarly, we have
>> constitutional protections that prevent private entities from voluntarily
>> identifying anonymous online actors to law enforcement if certain
>> procedural steps aren't met.
>>
>> Making WHOIS public by default would effectively bypass all of these
>> safeguards. Surely that, then, also has to be a consideration in a
>> governance process of this sort?
>>
>> Best regards,
>> Tamir
>>
>> On 2017-04-27 2:07 PM, Paul Keating wrote:
>>
>> All good questions but I would like to start with the scope of the
>> current laws as it applies to current Whois data.
>>
>> Sincerely,
>> Paul Keating, Esq.
>>
>> On Apr 27, 2017, at 7:47 PM, allison nixon <elsakoo at gmail.com> wrote:
>>
>> I'm sure everyone's schedules are quite busy, and they will manage.
>>
>> We need a proper legal authority here because it's potentially falsely
>> being presumed that the use of WHOIS data is illegal and noncompliant in
>> the first place. We simply do not know if that is a factual premise. We
>> also need to take into account laws other than the EU privacy laws, and
>> laws outside the EU. A number of exemptions exist within these privacy laws
>> and those people throwing around the legal arguments accusing this of being
>> illegal don't seem to ever mention that fact. We need an unbiased legal
>> expert.
>>
>> What if a country is trying to enforce a law that is deemed distasteful
>> (violates human rights, etc), and their registrant is located within the
>> country? Does the gatekeeper have grounds to deny them the ability to
>> enforce their own laws against their own people, and if so when?
>>
>> How does WHOIS play into other areas of compliance, such as
>> know-your-customer, complying with sanctions, anti-money laundering,
>> HIPAA, PCI, etc? Is complying to one law more important than complying to
>> another, if one had to choose?
>>
>> Will the gatekeeper comply with anti-trust laws?
>>
>> How does privacy law prohibit information collection on registrants yet
>> collect detailed PII info on queriers and subject them to audit? What
>> happens if the gatekeeper is hacked into for those audit logs? What happens
>> if the gatekeeper receives a national security letter?
>>
>> All of these are legal questions that need to be answered without bias
>> and with full understanding of the facts.
>>
>>
>>
>>
>>
>> On Thu, Apr 27, 2017 at 12:42 PM, Stephanie Perrin <
>> stephanie.perrin at mail.utoronto.ca> wrote:
>>
>>> And we need to have a lengthy discussion about precisely who that legal
>>> expert might be.  It appears that many of our members are prepared to
>>> reject the views of the Data Protection Authorities themselves, who took
>>> the time out of their extraordinarily busy schedules to come and speak with
>>> us in Copenhagen.
>>>
>>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>