[gnso-rds-pdp-wg] Article 29 Working Party to ICANN

Fri Dec 8 02:54:52 UTC 2017

This is the most important point you have made of which I am in violent
agreement:

"The noncommercial users constituency has been trying to make this point
since it was formed.  Life is too complex to dump all this on the end
user. "

The reason open WHOIS is necessary (and end users can surely understand
how open directories work much like phone books do), is because the
service providers see no need to police usage of their system and dump
that on end-users. Because they can't do it, people like me and
anti-abuse organizations exist (many doing work for little to no money).
If domain registries, hosting providers and ISPs ACTUALLY enforced their
AUPs, or better yet, kicked criminals off their systems, there would
literally be no need for people like me. I wouldn't need WHOIS in that
scenario, because I quite literally would not be working.

Take phishing for example, it took us how many YEARS to get ICANN and
the registrars to even begin to deal with overt brand impersonation? And
even then, identification of domains used in brand impersonation is
still outsources to me and the brands involved to notify the registries
that their own service is being misused.

The attempt again to disabuse the notion that WHOIS isn't necessary...
let's go back to the French presidential elections. We discovered
Russian attempts to phish En Marche! that ultimately led to 7 e-mail
accounts being linked PURELY by whois data. We saw domains registered
with that "brand", we correlated registrant information, and enumerated
all that in time for En Marche! to take mitigating steps. Without whois,
it would have played out like this, the attempts at Russian election
influence would have been discovered once the emails got leaked (and
probably more than 7 accounts), at which point, the damage was done. We
are in a world were foreign powers are messing with others' democractic
processes. Surely we can agree that having tools to stop such activities
would be a good thing?

When those who are in business relationships with criminals and other
miscreants say "security is not our job", that outsources it to me and
others like me. And usually, we only have coarse tools to work with.

You could take WHOIS away from me (and let's all be honest here, you're
going to). That will just leave me blocking strategies that are more
prone to collateral damage. For instance, I could block every domain for
X registry because they ignore complaints, I have no ability to contact
the end domain owner, and I'm left with no other option. Yes, that will
adversely impact some measure of otherwise innocent people. But you've
taken away my ability to be precise, so it's either no protection, or
protection with collateral damage. The good news is, when we do
provider-based bans, we let people know why so they can choose better
providers.

It also means that instead of working with domain owners or other less
costly ways of dealing with abuse, now, for 100% of domain based abuse
reports, I'm just going to go to court and drag the registry in. Sure,
there are some subset that have proxy registration you have to deal
with. Now you're going to deal with 100% of all domains and you're going
to have to deal with it in a court of law. It won't cost me much, it
will cost the registries. This will literally create orders of magnitude
more work and legal costs for the registries.

But I reject the notion that the common person doesn't understand the
notion of what happens when their phone number is put on the internet
because they all have facebook and twitter accounts.

If you want our blocking and enforcement to be precise, we need precise
information. If you don't give us precise information, we're still going
to protect our constituencies, there just will be collateral damage. You
can blame us for that, of course, but the reality, we aren't the ones
creating this problem.

On 12/07/2017 08:08 PM, Stephanie Perrin wrote:
> The noncommercial users constituency has been trying to make this
> point since it was formed.  Life is too complex to dump all this on
> the end user. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171207/12f57ad6/attachment.html>