<div dir="ltr">Hi Terri,<div><br></div><div>Please see my responses in-line.</div><div><br></div><div>Thanks,</div><div><br></div><div>Ayden<br><div class="gmail_extra"><br><div class="gmail_quote">On 9 August 2016 at 17:51, Terri Stumme <span dir="ltr"><<a href="mailto:terri.stumme@legitscript.com" target="_blank">terri.stumme@legitscript.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">Ayden,</span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"><br></span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">These were <i>recommendations</i>; nothing more, nothing less. <font color="#e06666">Although included in the 2013 RAA</font></span></div></div></div></blockquote><div><br></div><div>An agreement containing, I have been told, a litany of unintended consequences.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"> </span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data. <font color="#e06666">As does LE</font></span></div><span class=""><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"></span></div></span></div></div></blockquote><div><br></div><div>Absolutely. I do not mean to suggest otherwise.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><span class=""><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"> </span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice). </span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"> </span></div></span><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others. <font color="#e06666">I support a balance here; my personal information, as well as the personal information of my family members, as well as thousands of US federal employees, was compromised in the hack of the Office of Personnel Management federal employee records.</font></span></div></div></div></blockquote><div><br></div><div>I am sorry to hear you were the victim of cybercrime.</div><div><br></div><div>And a balance is precisely what I am advocating for, so it seems like we are on the same page. This shouldn't be a zero-sum game. Privacy and security should be mutually reinforcing.</div><div><br></div><div>In addition, strengthened data and security practices also decrease the risks associated with personal data collection and processing for both end-users and businesses. A <a href="https://securityintelligence.com/cost-of-a-data-breach-2015/">study from IBM in 2015</a> found that the average data breach cost each impacted company USD $3.79 million, without factoring in for the consumer confidence lost as a result of their personally-identifiable data being stolen or misused.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information. <font color="#e06666">There is no privileged access to information afforded to LE, and appropriate legal processes are abided by throughout investigations. </font></span></div></div></div></blockquote><div><br></div><div>Yes, there is privileged access to information afforded to intelligence agencies. It is common knowledge that the NSA has a 1-million-square-foot data centre in Utah sucking up the data of people without warrants, and without probable cause. The only 'check' that there is on the NSA's surveillance techniques is that of the Foreign Intelligence Surveillance Court, a secret body of judges that hears arguments from only one side: the NSA. I would suggest that it is not a beacon of accountability.</div><div><br></div><div>As for law enforcement, this varies by country and perhaps in the US law enforcement does not have such a right (I don't know, but I'd be willing to bet that "officer discretion", "exigent circumstances", etc. would be enough to justify a lot of actions.) Their authority, combined with a badge, a "trusted third party" data sharing agreement, or a simple request, is likely to be more fruitful than if I was to request the same information as a private citizen.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"><font color="#e06666">Private entities have become attached to the unquestionably valid objectives of law enforcement due to the inherent nature of the beast. </font></span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"><font color="#e06666"><br></font></span></div></div></div></blockquote><div><br></div><div>I take a rather bleak view of companies which gather data on individuals without their knowledge or consent.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"><font color="#e06666"></font></span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"><p style="margin:0px 0px 1em;padding:0px;font-family:"Source Sans Pro",sans-serif;font-size:17px;line-height:25.5px"><font color="#e06666"><i>"Because the private sector owns and operates a vast majority of the nation's critical infrastructure, partnerships between the public and private sectors are essential to maintaining critical infrastructure security and resilience. These partnerships create an environment to share critical threat information, risk mitigation, and other vital information and resources." Source: </i></font><span style="font-family:arial,sans-serif;font-size:13px;color:rgb(224,102,102)"> </span><a href="https://www.dhs.gov/critical-infrastructure-sector-partnerships" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://www.dhs.gov/<wbr>critical-infrastructure-<wbr>sector-partnerships</a><span style="font-family:arial,sans-serif;font-size:13px;color:rgb(224,102,102)">.</span></p></span></div></div></div></blockquote><div>I would agree that we get better answers to complex questions when a range of experts and interests can meaningfully take part in the discussions.</div><div><br></div><div>However, this quote is referring to the investment made by private sector actors who invest in, construct, and/or own pieces of critical infrastructure (things like dams, nuclear reactors, water systems, satellites). I agree that the public and private sectors, here, need to work together to identify threats and vulnerabilities in a collaborative and creative manner. </div><div><br></div><div>This quote is not suggesting that all private sector actors should have the same scope to collect data as intelligence agencies or law enforcement might be able to. And, I will insist here, they should not. Some private investigators may like to attach themselves to the "cloak of legitimacy" which is afforded public actors, but in some instances I find these perceived associations to be highly problematic. I suppose this is a conversation for another time.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif;font-size:small"><span class=""><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"> </span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB">I think it is important that we make this distinction.</span></div><div style="font-family:arial,sans-serif;font-size:13px"><span lang="EN-GB"> </span></div></span></div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 8, 2016 at 8:12 AM, Ayden Férdeline <span dir="ltr"><<a href="mailto:icann@ferdeline.com" target="_blank">icann@ferdeline.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<u></u>
<div style="word-wrap:normal">
<table lang="container" border="0" cellpadding="0" cellspacing="0" valign="top" style="width:100%;margin-top:6px">
<tbody><tr>
<td valign="top" style="line-height:1.31;color:rgb(34,34,34);font-family:arial,sans-serif">
<div>Terri,</div><span><div><br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex;padding-top:0px;padding-bottom:0px"><div>Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.</div></blockquote><div><br></div></span><div><span lang="EN-GB"><font>These were
<i>recommendations</i>; nothing more, nothing less.</font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>Multiple
stakeholders around the world have compelling reasons and competing interests when
it comes to accessing electronic data.</font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>I
understand that law enforcement and intelligence agencies need the ability to fulfil
their mission to prevent serious crime (or, failing that, to bring the
perpetrators to justice). </font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>At the same
time, the protection and promotion of civil liberties, human rights, and the
right to privacy are not equally as strong in every territory around the world.
Some countries are more authoritarian than others. </font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>Attaching
themselves to the unquestionably valid objectives that law enforcement and
intelligence agencies have are private entities who do not have the same legal
mandates or privileged access to information.</font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>I think it
is important that we make this distinction.</font></span></div><div><span lang="EN-GB"><font> </font></span></div><div><span lang="EN-GB"><font>- Ayden</font></span></div><img align="left" width="0" height="0" style="border: 0px; width: 0px; min-height: 0px;" src="https://app.mixmax.com/api/track/v2/i4fUCgBUYtvBTO6Rp/i02bj5SZulGblRmclZGQu5WYjlmI/i02bj5CdwlmcjNHdpdWZsBUZt1Wd0NnLpJnclRnI/ISZt1Wd0NFIpJnclRlI?sc=false" alt="">
</td>
</tr>
</tbody></table><div><div>
<div>
<div>
<p><br></p>
<div class="gmail_extra">
<p><br></p>
<div class="gmail_quote">
On Thu, Aug 4, 2016 3:31 PM, Terri Stumme <span dir="ltr"> <a href="mailto:terri.stumme@legitscript.com" target="_blank">terri.stumme@legitscript.com</a></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<u></u>
<div dir="ltr"><div style="font-family:georgia,serif;font-size:small">Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.</div><div style="font-family:georgia,serif;font-size:small"><br></div><div style="font-family:georgia,serif;font-size:small"><br></div><div style="font-family:georgia,serif;font-size:small"><br></div><div style="font-family:georgia,serif;font-size:small"><br></div></div><div><br><div>On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <span dir="ltr"><<a href="mailto:gregory.mounier@europol.europa.eu" target="_blank">gregory.mounier@europol.europ<wbr>a.eu</a>></span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Dear Rob,<br>
<br>
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.<br>
<br>
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.<br>
<br>
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.<br>
<br>
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).<br>
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.<br>
<br>
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime on line but it is an essential tool in the tool box of law enforcement.<br>
<br>
Best,<br>
<br>
Greg<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a> [mailto:<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounce<wbr>s@icann.org</a>] On Behalf Of Rob Golding<br>
Sent: 04 August 2016 01:46<br>
To: RDS PDP WG<br>
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical<br>
<br>
>> Theoretical<br>
>> ===========<br>
>> We have seen a couple of proposed use cases that seem to be ideas<br>
>> that people have for useful or harmful ways that RDS can be used, but<br>
>> that do not exist today (at least not that anyone can fully<br>
>> document).<br>
>><br>
>> For example, there seems to be a desire to use the RDS as a way to<br>
>> issue warrants for information about registrants. While this may be<br>
>> useful, this is not possible today (even with RDAP, I note).<br>
<br>
It not only is possible today, it's also "common" (although thankfully not frequent)<br>
<br>
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.<br>
<br>
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we dont use it"<br>
<br>
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.<br>
<br>
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?<br>
<br>
Rob<br>
--<br>
Rob Golding <a href="mailto:rob.golding@astutium.com" target="_blank">rob.golding@astutium.com</a><br>
Astutium Ltd, Number One Poultry, London. EC2R 8JR<br>
<br>
* domains * hosting * vps * servers * cloud * backups * ______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
*******************<br>
<br>
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.<br>
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br>
<br>
*******************<br>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="2" style="font-size:1em"><span style="background-color:rgb(159,197,232)"><i>Terri Stumme</i></span></font><div><font size="2" style="font-size:1em"><span style="background-color:rgb(159,197,232)"><i>Investigative Analyst</i></span></font></div></div></div></div></div></div></div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br><br></div></div><span><div>Ayden Férdeline</div><div><a href="https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI" style="background-color:white" target="_blank">Statement of Interest</a></div>
</span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="2"><span style="background-color:rgb(159,197,232)"><i>Terri Stumme</i></span></font><div><font size="2"><span style="background-color:rgb(159,197,232)"><i>Investigative Analyst</i></span></font></div></div></div></div></div></div></div>
</div>
</div></div></blockquote></div><br></div></div></div>