[gnso-rds-pdp-wg] Article 29 Working Party to ICANN

John Bambenek jcb at bambenekconsulting.com
Fri Dec 8 06:04:59 UTC 2017


You miss my point. As a mere *end-user* I should be able to validate
this information and any system that has to accredit however many billion
internet users is a system that doesn't need accreditation. It isn't a
question of what *I* need, there doesn't exist any system you can devise
that will ultimately keep me from that... it is a question of what end
network operators need. And that includes home users, small offices,
etc. That being said, based on the conduct of members on this list, the
conclusion by me and other security professionals is that you will
*never* accredit us to use such a system or get that data unless the
issue is forced upon the system somehow.

You say we need "accreditation" to get fine-grained stuff. On paper,
I'll concede that may be true. But at this point, the trust is
completely broken. In my mind, such a system will be designed in
practice to prevent us from getting the information directly. But like I
said, it isn't about me. I have resources, I'll get the information.
It's about the billions of other people who need it to make THEIR
networking decisions because contrary to popular belief, I don't control
every network on the planet.

I think if you explain to an end-user that WHOIS is a phone book so
people can contact them if they list their information, they'll
understand it. To say it is a maze is to grossly complicate the matter
considering these same end-users are using Facebook, Twitter, Instagram,
etc. Publish it on the internet for the world to see means the world can
see it. It just isn't a hard concept.


On 12/07/2017 09:35 PM, Stephanie Perrin wrote:
>
> John, you just have to be accredited, and authenticated to get tiered
> access.  No problem.  DPAs agree.  Then you get all the fine-grained
> stuff you need, and since it is not public there are fewer Mickey and
> Minnie Mouse entries...
>
> End users can understand that they don't want their own phone number
> in the book.  What they cannot understand is how to read the WHOIS and
> figure out who is behind a website or an email, and whether that
> person/entity is even who they should expect to see there.  WHOIS is
> not a phone book, where it concerns the actors one needs to be
> concerned about, or the large corporations one wants to trust but
> verify.  It is a maze.
>
> SP
>
>
> On 2017-12-07 21:54, John Bambenek via gnso-rds-pdp-wg wrote:
>>
>> This is the most important point you have made of which I am in
>> violent agreement:
>>
>> "The noncommercial users constituency has been trying to make this
>> point since it was formed.  Life is too complex to dump all this on
>> the end user. "
>>
>> The reason open WHOIS is necessary (and end users can surely
>> understand how open directories work much like phone books do), is
>> because the service providers see no need to police usage of their
>> system and dump that on end-users. Because they can't do it, people
>> like me and anti-abuse organizations exist (many doing work for
>> little to no money). If domain registries, hosting providers and ISPs
>> ACTUALLY enforced their AUPs, or better yet, kicked criminals off
>> their systems, there would literally be no need for people like me. I
>> wouldn't need WHOIS in that scenario, because I quite literally would
>> not be working.
>>
>> Take phishing for example, it took us how many YEARS to get ICANN and
>> the registrars to even begin to deal with overt brand impersonation?
>> And even then, identification of domains used in brand impersonation
>> is still outsourced to me and the brands involved to notify the
>> registries that their own service is being misused.
>>
>> The attempt again to disabuse the notion that WHOIS isn't
>> necessary... let's go back to the French presidential elections. We
>> discovered Russian attempts to phish En Marche! that ultimately led
>> to 7 e-mail accounts being linked PURELY by whois data. We saw
>> domains registered with that "brand", we correlated registrant
>> information, and enumerated all that in time for En Marche! to take
>> mitigating steps. Without whois, it would have played out like this,
>> the attempts at Russian election influence would have been discovered
>> once the emails got leaked (and probably more than 7 accounts), at
>> which point, the damage was done. We are in a world where foreign
>> powers are messing with others' democratic processes. Surely we can
>> agree that having tools to stop such activities would be a good thing?
>>
>> When those who are in business relationships with criminals and other
>> miscreants say "security is not our job", that outsources it to me
>> and others like me. And usually, we only have coarse tools to work with.
>>
>> You could take WHOIS away from me (and let's all be honest here,
>> you're going to). That will just leave me blocking strategies that
>> are more prone to collateral damage. For instance, I could block
>> every domain for X registry because they ignore complaints, I have no
>> ability to contact the end domain owner, and I'm left with no other
>> option. Yes, that will adversely impact some measure of otherwise
>> innocent people. But you've taken away my ability to be precise, so
>> it's either no protection, or protection with collateral damage. The
>> good news is, when we do provider-based bans, we let people know why
>> so they can choose better providers.
>>
>> It also means that instead of working with domain owners or other
>> less costly ways of dealing with abuse, now, for 100% of domain based
>> abuse reports, I'm just going to go to court and drag the registry
>> in. Sure, there are some subset that have proxy registration you have
>> to deal with. Now you're going to deal with 100% of all domains and
>> you're going to have to deal with it in a court of law. It won't cost
>> me much, it will cost the registries. This will literally create
>> orders of magnitude more work and legal costs for the registries.
>>
>> But I reject the notion that the common person doesn't understand the
>> notion of what happens when their phone number is put on the internet
>> because they all have Facebook and Twitter accounts.
>>
>> If you want our blocking and enforcement to be precise, we need
>> precise information. If you don't give us precise information, we're
>> still going to protect our constituencies, there just will be
>> collateral damage. You can blame us for that, of course, but the
>> reality, we aren't the ones creating this problem.
>>
>>
>> On 12/07/2017 08:08 PM, Stephanie Perrin wrote:
>>> The noncommercial users constituency has been trying to make this
>>> point since it was formed.  Life is too complex to dump all this on
>>> the end user. 
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
