[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

allison nixon elsakoo at gmail.com
Fri Apr 28 14:04:59 UTC 2017


"Threats ?   English for "putting ones nose out" means to cause upset...
Please show me where I "threatened anyone", maybe this will help:
https://www.google.co.uk/search?hl=en&q=putting+ones+nose+out&meta=&gws_rd=ssl
"

Yes, it was a misunderstanding and I apologize for the misunderstanding.
The phrase was explained to me earlier, as I had never heard of it before.

"I fail to understand or see (please enlighten me) how enabling free whois
privacy will help you in your investigations as rather than ownership info,
you will see a privacy service - I could well be missing this point - so -
if you can point that out it would be good."

It won't, but I believe it strikes the right balance. I'm a domain
registrant, too, and I know you can't coerce people into putting this type of
info publicly and I don't think they should be coerced to. My colleagues
who are here and I are not some evil government bent on violating
rights every day, and the vast majority of us got into this field because
we were attacked via the internet. We are regular people who use data as a
tool to make sense of the world. And taking away these tools strikes the
wrong balance. I do not think blinding regular people in the service of
privacy really does much service to regular people, or privacy for that
matter.

"John referring to this is a multistakeholder group and the right to defend
there views and we all respect that, but that should be mutual and that
doesn’t seem to be the case.
Allison I really don’t think Theo resigned because of your comment, but the
constant battering from certain people here which are trying to keep Status
Quo and not coming with ideas or solutions for a progress."

Theo outlined an idea for how our future workflows could be structured, and
every time someone from outside our industry suggests how we could do our
job, it's invariably a wrongheaded idea. We don't tell you how you can do
your workflows.

It was yet another example of how this chronic lack of understanding
of how *your own* services are abused manifests. If agreeing that an objectively
ignorant idea is a good one is what passes for mutual respect, then my
uncivil behavior will continue. If registrars could keep the massive volume
of abuse off their services we wouldn't be having this conversation in the
first place. We don't snoop for the sake of snooping. We are responding to
tremendous volumes of abuse.

Several months ago our community responded to DDoS attacks large enough to
take down major networks and even a major DNS provider. All of those
botnets relied on domains and WHOIS was a major part of figuring out what's
going on. The resulting action even de-accredited a registrar, which is
public record. One way or the other you will end up caring about abuse,
because abuse handling is a prerequisite of functioning networks. Without
this, your domain name is more likely to fail to resolve entirely. Don't
simply assume these problems go away on their own. They get worse if no one
actively fights them. And believe me when situations get that bad, people
will bend the rules. You do not want rule bending by backbone operators to
become the norm, and we do not want to choose between jail time and a
functioning network.

"To all of the rest… Get back on track and if you have some good ideas tell
us all, but we as a community can't sit and wait out the changes which
are coming closer every day. In a perfect world this wouldn’t be an issue
but sadly enough we are not living in a perfect world. So let us try to get
the best from all sides here and create a solution where all can be nearly
satisfied."

There's a lot of talk about this desire to enthusiastically follow these EU
laws due to fear of fines, and every other legal variant in every other
country. What happens when another country passes contradictory data
retention laws with a threat of fines? Or when the next round of
pro-security-information-sharing legislation appears? This is going to put
you in a bad spot down the road, and politically it's very likely due to the
volume of abuse facilitated by registrars. You might not care until fines
are imposed but I ask you what you would do in the future when you are
required to care.

Maybe it is a better long-term strategy to care slightly more about this
abuse issue, because it's eventually going to be used as a political tool
against you. It's going to further balkanize the internet, and cut you off
from international markets.

Maybe it is a better long-term goal to seek exemptions for systems like
WHOIS, because private people are not forced to buy domains to function in
society, and privacy options are still available, and so are non-ICANN name
services like dynamic DNS domains, .onions, Namecoin, social media etc.
ICANN domains are one out of many, many name options to choose from.


On Apr 28, 2017 6:33 AM, "Chris Pelling" <chris at netearth.net> wrote:

Allison,

--------------------------

*"Today this group has done a great disservice, the constant back and
forth of bickering - yes bickering has led to one person requesting to
be removed, someone who I do have a great respect for who thinks outside
the box to fix a solution like I do.  Constant badgering really is not
going to get this group further as the "people" (read for definition :
Registrars)  who have to collect this information are the ones that will
ultimately get a fine, not "data harvesters" DomainTools (Paul Keating) or
LegitScript (their WHOIS collection service - John Horton) or the
"anti-abuse" people (Allison Nixon / John Bambenek) but the registrar."*

He resigned because I called his idea unappealing. His idea where this
future scenario leads to a company risking a far higher fine than the
criminals would ever have faced. So yes, I reiterate, that future is
unappealing and even kafkaesque. Nowhere did I state a personal attack
against him, so threats to the nose are enormously inappropriate and I as
well as the list need to know if you intend to carry out those threats.
Complaining about the quality of discussion and following up with threats
of violence is not a consistent stance, pick one or the other and stick
with it please.

--------------------------

Threats? English for "putting ones nose out" means to cause upset...
Please show me where I "threatened anyone", maybe this will help:
https://www.google.co.uk/search?hl=en&q=putting+ones+nose+out&meta=&gws_rd=ssl

I already put a suggestion in the same email with regard to archived whois
data, in that maybe it could be a consideration to have archived material
in the gated RDS system to allow lookups etc.

Also "also i continue to +1 the "whois privacy for free" idea." I fail to
understand or see (please enlighten me) how enabling free whois privacy
will help you in your investigations as rather than ownership info, you
will see a privacy service - I could well be missing this point - so - if
you can point that out it would be good.


Kind regards,

Chris

------------------------------
*From: *"allison nixon" <elsakoo at gmail.com>
*To: *"John Bambenek" <jcb at bambenekconsulting.com>
*Cc: *"gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>
*Sent: *Friday, 28 April, 2017 01:46:30

*Subject: *Re: [gnso-rds-pdp-wg] international law enforcement association
resolution regarding domain registration data

A lot of emails since I have last been at a computer... replying to
snippets of previous mails:
*"I actually disagree that there have been many situations where criminal
investigations have been stifled due to an inability to meet the criteria
for a search in Canada. Where those situations *have* arisen though, it is
not a catch-22 situation, it's a situation where you just don't have a good
enough reason to identify the anonymous digital activity.*


*Regarding judges' valuation of digital evidence, some will likely instill
more rigorous digital forensics requirements than others, or draw more
robust inferences from a certain dataset, but that cuts both ways
(sometimes in favour of allowing the search sometimes against).
Realistically speaking, very few ex parte search requests get denied
(including ones for digital identification) so if anything I suspect the
latter situation is more prevalent. "*

I'm specifically calling out situations where judges do not understand
technology, and specifically in cybercrime cases with technically skilled
suspects. I am not Canadian and I have had very few interactions with their
legal system and those few interactions leave me with hope that they
improve in their understanding of how things work on the Internet. These
catch-22 situations have all seemingly stemmed from a lack of understanding
of technology. I cannot speak about specific details so I cannot continue
this line of conversation much further. I would like to be wrong about my
beliefs on this.

*"The likes of data harvesters, well, sorry but whois was not built for you
to make money from, I do not pay my bandwidth bills for you to waste my
cash.  If you have a legitimate reason (and harvesting for sale which is
what it is isn’t one of them) then explain."*

Data harvesting is the only way to perform those "reverse whois" and
"historical whois" use-cases that are reiterated many times as a need. You
don't store a historical repository on your whois server, and you don't
notify when a record changes, so people must query over and over again. If
you wanted to negotiate something better, I think both parties would
benefit.

*"Today this group has done a great disservice, the constant back and
forth of bickering - yes bickering has led to one person requesting to
be removed, someone who I do have a great respect for who thinks outside
the box to fix a solution like I do.  Constant badgering really is not
going to get this group further as the "people" (read for definition :
Registrars)  who have to collect this information are the ones that will
ultimately get a fine, not "data harvesters" DomainTools (Paul Keating) or
LegitScript (their WHOIS collection service - John Horton) or the
"anti-abuse" people (Allison Nixon / John Bambenek) but the registrar."*

He resigned because I called his idea unappealing. His idea where this
future scenario leads to a company risking a far higher fine than the
criminals would ever have faced. So yes, I reiterate, that future is
unappealing and even kafkaesque. Nowhere did I state a personal attack
against him, so threats to the nose are enormously inappropriate and I as
well as the list need to know if you intend to carry out those threats.
Complaining about the quality of discussion and following up with threats
of violence is not a consistent stance, pick one or the other and stick
with it please.



For those of you who think that every case of sharing publicly available
PII is a travesty deserving of a major crackdown, I seek your opinions
about the following scenario:

Here's an article written by an independent journalist about commercially
available malware in an underground forum that the authorities will likely
never touch due to their chronic lack of manpower. In this article, he
shares information relating to the maker of a remote access trojan with
spying and ransom features, who sells it on an underground forum where
users regularly use similar tools to engage in ransom, child exploitation,
and other activities, essentially in an open-air market. Often the only
deterrent to openly selling malware is journalistic exposure of one's
activities, since the authorities either can't or won't take action.

https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/

In this article, he shares quite a lot of PII much of it derived from WHOIS
records, even on the guy's personal non-criminal sites. He doesn't even get
a judge's approval to do so!

If this article was written in the EU in the future, does this journalist
deserve incredible fines while the criminal remains anonymous due to
aforementioned chronic lack of manpower?
Also, do you think that such a privacy regime would retain public support
for very long?



If you aren't acquainted with the darker side of the Internet, I suggest
you read some more articles on that guy's site. This "I don't know and I
don't care" attitude towards cybercrime, especially on the basis of
questionable legal interpretations, is likely a source of much of this
problem. But I don't want registrars to get fined either, and I think it
would be ridiculous to force them into a situation where they take a fine
from one end or the other. But there's most likely a solution that can work
out for both sides because there are exemptions in these EU laws, and an
actual legal expert can probably figure them out.

Also, I continue to +1 the "whois privacy for free" idea.




On Thu, Apr 27, 2017 at 7:08 PM, John Bambenek via gnso-rds-pdp-wg <
gnso-rds-pdp-wg at icann.org> wrote:

>
>
> Sent from my iPhone
>
> On Apr 27, 2017, at 17:54, "tisrael at cippic.ca" <tisrael at cippic.ca> wrote:
>
>
>
> On 2017-04-27 5:58 PM, John Bambenek wrote:
>
> On 4/27/2017 4:43 PM, tisrael at cippic.ca wrote:
>
> Hi John,
>
> As long as it's a true choice this might be ok. As in a cost-less opt-in
> choice the registrant can make and re-make at any time.
>
>
> This is exactly what I advocate.  Literally check a box, uncheck a box...
> hell, I'll even pop for making some videos and a website explaining to
> consumers the pros and cons of doing both.
>
> It doesn't sound like this is what you're proposing at all though. You
> seem to be saying there should be a searchable database for at least some
> thick WHOIS data items even if someone chooses the 'private' stream.
>
>
> As far as I am concerned the only data besides "PRIVATE" that needs to be
> shown in that case is nameservers (the domain wouldn't work without making
> that public somehow anyway). I would like registration, renewal, expiration
> dates. Other than that, they marked their info private, it's private.
>
>
> But you would still need to develop a mechanism for legitimate access to
> the 'privacy stream' data that should reflect broader access norms. For
> example, if you are accessing for private rights enforcement purposes, you
> would need to meet the civil discovery threshold. If you're accessing for
> law enforcement purposes, you would need to meet a whole other, more
> rigorous threshold. This might differ by jurisdiction as well (if you're an
> LEA from country A as opposed to country B).
>
> And even in respect to those in the fully public WHOIS stream, you may
> still wish to impose some conditions. After all most data protection
> regimes impose some conditions even on fully public personal information.
>
>
> The question then becomes on what data fields is that true.  Lots of data
> is stored by registrars... I don't need, for instance, credit card
> information (well, I do, but those requests are handled via law
> enforcement).  In Canada, google shows a variety of things that let me
> search property / title records... as a rough analogy, why is what we
>
> I'm not actually familiar with a google-able property search but
> presumably the key difference would be that ownership of a property doesn't
> in effect reveal anonymous activity of the type you would be undertaking on
> an otherwise anonymous website.
>
>
> See above but I would dispute domain registrant info anyway unmasks any
> activity on an otherwise anonymous website. All it says is who owns a
> domain.
>
>
> Best,
> Tamir
>
>
> Best,
> Tamir
>
> On 2017-04-27 2:34 PM, John Bambenek via gnso-rds-pdp-wg wrote:
>
> That was why I advocate whois privacy (or equivalent).  WHOIS would still
> be public but some elements need to be public (nameservers) or it just
> doesn't work... the consumer is free to choose which lane they want to be
> in, and the rest of us can use that data how we see fit.
>
> On 4/27/2017 1:17 PM, tisrael at cippic.ca wrote:
>
> Hi there,
>
> Sorry to interject here.
>
> I think a governance exercise here must look beyond what the law strictly
> allows in terms of formulating WHOIS and to how a given WHOIS configuration
> will impact on recognized legal privacy protections.
>
> So, in Canada, our courts have built legal protections and safeguards into
> the civil discovery process that determine under what conditions anonymous
> online activity can be identified. Similarly, we have constitutional
> protections that prevent private entities from voluntarily identifying
> anonymous online actors to law enforcement if certain procedural steps
> aren't met.
>
> Making WHOIS public by default would effectively bypass all of these
> safeguards. Surely that, then, also has to be a consideration in a
> governance process of this sort?
>
> Best regards,
> Tamir
>
> On 2017-04-27 2:07 PM, Paul Keating wrote:
>
> All good questions but I would like to start with the scope of the current
> laws as it applies to current Whois data.
>
> Sincerely,
> Paul Keating, Esq.
>
> On Apr 27, 2017, at 7:47 PM, allison nixon <elsakoo at gmail.com> wrote:
>
> I'm sure everyone's schedules are quite busy, and they will manage.
>
> We need a proper legal authority here because it's potentially falsely
> being presumed that the use of WHOIS data is illegal and noncompliant in
> the first place. We simply do not know if that is a factual premise. We
> also need to take into account laws other than the EU privacy laws, and
> laws outside the EU. A number of exemptions exist within these privacy laws
> and those people throwing around the legal arguments accusing this of being
> illegal don't seem to ever mention that fact. We need an unbiased legal
> expert.
>
> What if a country is trying to enforce a law that is deemed distasteful
> (violates human rights, etc), and their registrant is located within the
> country? does the gatekeeper have grounds to deny them the ability to
> enforce their own laws against their own people, and if so when?
>
> How does WHOIS play into other areas of compliance, such as
> know-your-customer, complying with sanctions, anti-money laundering,
> HIPAA, PCI, etc? Is complying with one law more important than complying with
> another, if one had to choose?
>
> Will the gatekeeper comply with anti-trust laws?
>
> How does privacy law prohibit information collection on registrants yet
> collect detailed PII info on queriers and subject them to audit? What
> happens if the gatekeeper is hacked into for those audit logs? What happens
> if the gatekeeper receives a national security letter?
>
> All of these are legal questions that need to be answered without bias and
> with full understanding of the facts.
>
>
>
>
>
> On Thu, Apr 27, 2017 at 12:42 PM, Stephanie Perrin <
> stephanie.perrin at mail.utoronto.ca> wrote:
>
>> And we need to have a lengthy discussion about precisely who that legal
>> expert might be.  It appears that many of our members are prepared to
>> reject the views of the Data Protection Authorities themselves, who took
>> the time out of their extraordinarily busy schedules to come and speak with
>> us in Copenhagen.
>>
>

-- 
_________________________________
Note to self: Pillage BEFORE burning.
