<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">With great respect to
both sides, I would like to comment.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">1. The fact that we
have universal security problems (eg. banks are hacked all the
time) does not negate concern over over-collection, from the
perspective of the individual concerned. The impact of
mistakes on the part of security agencies can be greater.<br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">2. Given the security
and lack of transparency regarding national security practices,
I think it is unfair to say that if you have never worked in
the environment, you cannot speak to the effectiveness of such
programs. In many respects that is true of course. Unlike
other government programs, these programs are rarely, even in
western democracies, subject to outside audit. However anyone
who has worked in government knows what happens when there is
insufficient oversight and performance measurement. Those who
wish to study national security can read about part of the
picture, but good luck figuring out performance metrics. So
unfortunately, we are left reading about the disasters (I
offer you the Arar commission, as one Canadian example....3
volumes). This does not make national security practices a
disaster by any means, but those "in the know" should in my
view avoid telling others interested in plain old good
democratic practices that they don't know what they are
talking about. That is my personal opinion of course, but not
an ill informed one. <br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">3. As I mentioned in
my exchange with Dick a while ago, intelligence agencies are
sharing more information, or talking about sharing more information.
Global citizens who travel for work, and who must do so to
maintain their good jobs, have no way of knowing what data is
in border control data systems. Oversight and appeal of these
systems has been a problem since I started in privacy and
access to information in 1984. The chances for inaccurate inference
are as likely to go up as down, with the kind of analytics
used today, in my view (and I do study this stuff) so finding
appeal mechanisms when lives can be impacted radically is
rather important in my view. </font></font><font size="+1"><font
face="Lucida Grande"><font size="+1"><font face="Lucida
Grande">So let us be clear that we have moved on from "who
is listening to my phone calls" .....even though we still
like to joke about it. We are talking about algorithmic
transparency now.</font></font> What is triggering the
persons of interest question? Would your employer still hire
you if the United States border control decided not to let you
in? a question all non-US citizens have to ask themselves.
Impacts are real.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2016-08-15 15:38, Terri Stumme
wrote:<br>
</div>
<blockquote
cite="mid:CAGvh5H63ppb95u8F-Gxj6htLyiBP9DLWe1aUmm=QXgtVtcFvhw@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div dir="ltr">
<div class="gmail_default"
style="font-family:georgia,serif;font-size:small">Ayden,</div>
<div class="gmail_default"
style="font-family:georgia,serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:georgia,serif;font-size:small">We could go
back and forth on this topic forever. Your anti-government
sentiment is noted, but I can't help myself ...</div>
<div class="gmail_default">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>Privacy
is not an indication of criminal behaviour but a
fundamental part of life. </b><b>In addition,
justice is about persons being treated as
innocent until proven guilty. I am not a
criminal and I have 'nothing to hide' but I
don't want the government reading my private
messages. <font color="#e06666">Frankly, your
messages aren't that important, unless, of
course, you are a terrorist, or funding
terrorism through criminal activity. </font></b><b><font
color="#e06666">Nobody has the time to sit
around and read non-essential private messages
--seriously, not the focus or purpose of the
program.</font></b></div>
</div>
</div>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>It
is up to the state to bear the burden of showing
there is a good reason for suspicion about me,
not the other way around. </b></div>
<div><b>Finally, you said you were recently the
victim of a US government data breach. Yet
another reason why I don't want information
about me "sitting in a government data centre" <font
color="#e06666">Data is not secure anywhere.
Banks are hacked all the time. Not to mention
what you can find out about someone through a
simple Google search.</font></b></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div class="gmail_default">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><b>I am aware that other governments have mass
surveillance programmes and I do not support them.
I do not believe they are effective. <font
style="font-family:arial,sans-serif;font-size:13px"
color="#e06666">If you've never worked in the
environment, then I do not believe you can speak
to the effectiveness of such programs.</font></b></div>
<div><b><font
style="font-family:arial,sans-serif;font-size:13px"
color="#e06666"> </font></b></div>
<div><b>And the fact you acknowledge they operate so
secretly that I may not have heard of them fills
me with no comfort. If a government agency is
keeping secret what it is collecting about me or
the reasons for doing so, </b><b><font
color="#e06666">It's labeled "need-to-know" in
the government;</font></b></div>
<div><b>I cannot correct potential errors. <font
color="#e06666"> </font>And from my experience
with governments, I understand that errors are
common. Transparency, here, is not only about
making sure a government's actions can be
evaluated, but ensuring its outputs are equally
accurate. <font color="#e06666"> I'll save myself
some time and refrain from responding to this
statement. </font></b></div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Aug 15, 2016 at 12:08 PM, Ayden
Férdeline <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:icann@ferdeline.com" target="_blank">icann@ferdeline.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Thanks for your message, Terri. Please see comments
below inline in <b>bold</b>. (If the formatting looks
strange, I would appreciate it if someone would let me
know. I have migrated this morning to a new encrypted
email service so am still configuring it.)</div>
<div><br>
</div>
<div>
<div>Ayden Férdeline<br>
</div>
<div><a moz-do-not-send="true"
href="http://www.linkedin.com/in/ferdeline"
title="http://www.linkedin.com/in/ferdeline"
target="_blank">linkedin.com/in/ferdeline</a><br>
</div>
<div><br>
</div>
</div>
<blockquote type="cite">
<div>-------- Original Message --------<br>
</div>
<div dir="ltr">
<div class="gmail_quote"><span class="">
<div>From: <b class="gmail_sendername">Terri Stumme</b>
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:terri.stumme@legitscript.com"
target="_blank">terri.stumme@legitscript.com</a>></span><br>
</div>
<div>Date: 14 August 2016 at 20:26<br>
</div>
<div>Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use
cases: Fundamental, Incidental, and Theoretical<br>
</div>
<div>To: Ayden Férdeline <<a
moz-do-not-send="true"
href="mailto:icann@ferdeline.com"
target="_blank">icann@ferdeline.com</a>><br>
</div>
<div>Cc: RDS PDP WG <<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org"
target="_blank">gnso-rds-pdp-wg@icann.org</a>><br>
</div>
<div><br>
</div>
<div><br>
</div>
</span>
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">Ayden,<br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><span
class="">
<div
style="font-family:arial,sans-serif;font-size:13px">You
are correct. NSA collects data without
warrants and without probable cause. However,
the purpose for the collection of the data is
in the interest of national security. <br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>I
would have thought that unaccountable
government agencies which are <a
moz-do-not-send="true"
title="https://www.washingtonpost.com/news/the-switch/wp/2013/09/10/we-now-know-exactly-what-made-the-fisa-court-so-upset-with-the-nsa/"
rel="nofollow"
href="https://www.washingtonpost.com/news/the-switch/wp/2013/09/10/we-now-know-exactly-what-made-the-fisa-court-so-upset-with-the-nsa/"
target="_blank">unwilling to follow the law</a>
would be greater threats to national security,
but what would I know? ;-) Anything, it would
seem, can be justified in the pursuit of
"national security". I would suggest, however,
that when a government agency speaks of
'security', they are speaking of their own,
because all citizens are a threat to "national
security" by virtue of the fact that they hold
the keys to overthrowing the Establishment, if
only they were to organise.</b><br>
</div>
<span class="">
<div
style="font-family:arial,sans-serif;font-size:13px"><b> </b><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">The
data collected by the NSA is not shared with
any other three-letter agency in the US
without that agency providing probable cause,
presented in the form of a signed court order.
If an individual is not involved in criminal
activity, then their data sitting in a
government data center should not be of
concern. <br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>This
argument implies that privacy is something
only criminals desire. I can only speak about
myself here, but there are things that I
choose to do in private that are neither wrong
nor illegal, yet which I would not want
public. The songs I have stored in my Spotify
playlists, for instance. Privacy is not an
indication of criminal behaviour but a
fundamental part of life. In addition, justice
is about persons being treated as innocent
until proven guilty. I am not a criminal and I
have 'nothing to hide' but I don't want the
government reading my private messages. It is
up to the state to bear the burden of showing
there is a good reason for suspicion about me,
not the other way around. Finally, you said
you were recently the victim of a US
government data breach. Yet another reason why
I don't want information about me "sitting in
a government data centre". </b><br>
</div>
<span class="">
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">Of
more concern should be what private companies
do with the data they collect, sell it for a
profit. <br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>I
have concerns here as well. However, sharing
personal data with governments is of higher
risk, because governments have the power to
arrest, imprison, and in some cases even kill
their citizens or enemies. Sharing personal
data with companies is typically of lower
risk. Businesses can freely use personal data
to manipulate and perhaps exploit consumers,
but within the confines of the law cannot use
it for coercive purposes.</b><br>
</div>
<span class="">
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">Regarding
your statement: "The only 'check' that there
is on the NSA's surveillance techniques is
that of the Foreign Intelligence Surveillance
Court, a secret body of judges that hears
arguments from only one side: the NSA." I can
tell you (although you probably won't believe
it anyway) that there are very stringent
internal regulations and oversight of the NSA
program. <br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>Very
astute ;-) I don't believe they are at all
accountable. Even sitting US senators are not
able to obtain information from the NSA about
why their constituents are being monitored.</b><br>
</div>
<span class="">
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">And,
I would bet that the US is not the only
government that has a program like NSA's. You
just haven't heard about those ...<br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>I
am aware that other governments have mass
surveillance programmes and I do not support
them. I do not believe they are effective. And
the fact you acknowledge they operate so
secretly that I may not have heard of them
fills me with no comfort. If a government
agency is keeping secret what it is collecting
about me or the reasons for doing so, I cannot
correct potential errors. And from my
experience with governments, I understand that
errors are common. Transparency, here, is not
only about making sure a government's actions
can be evaluated, but ensuring its outputs are
equally accurate. </b><br>
</div>
<span class="">
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">The
private sector owns and operates a vast
majority of the entire Internet
infrastructure, and that includes critical
components of the infrastructure. The point is
that the same joint effort of the private
sector and government towards enhancing the
security and resilience of the nation's
critical infrastructure, can and should be
applied to protecting the public against
cybercriminals involved in identity theft,
human trafficking, drug trafficking, child
abuse, etc.<br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><b>Yes,
I agree there is a role for public and private
sector cooperation, but this does not mean I
support what I would term 'bottom feeders' in
the private sector being able to scrape up
whatever data they can for whatever purposes
they claim they want to use it. I think we're
conflating a few things in this discussion by
referring to the 'private sector' as a single
entity. It isn't so homogenous. I use
Facebook, for instance, and have consented to
its terms of service. This does not mean,
however, I approve of websites unaffiliated
with Facebook harvesting my public profile and
reposting my data on their websites hosted in
Belarus (which is something that has happened
to me). Both entities claim to be private
sector actors, but that does not mean they
should have equal access to or permission to
use my personally-identifiable information.</b><br>
</div>
</div>
</div>
<div>
<div class="h5">
<div>
<div>
<div class="gmail_extra">
<div><br>
</div>
<div class="gmail_quote">
<div>On Wed, Aug 10, 2016 at 6:01 PM,
Ayden Férdeline <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:icann@ferdeline.com"
target="_blank">icann@ferdeline.com</a>></span>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Hi Terri,<br>
</div>
<div><br>
</div>
<div>Please see my responses in-line.<br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div><br>
</div>
<div>
<div>Ayden<br>
</div>
<div class="gmail_extra">
<div><br>
</div>
<div class="gmail_quote">
<div><span>On 9 August 2016 at
17:51, Terri Stumme <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:terri.stumme@legitscript.com"
target="_blank">terri.stumme@legitscript.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">Ayden,</span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"></span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">These
were <i>recommendations</i>;
nothing more,
nothing less. <span
style="color:rgb(224,102,102)">Although included in the 2013 RAA</span></span><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span></div>
<div>An agreement containing, I
have been told, a litany of
unintended consequences.<br>
</div>
<div><span>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"> </span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">Multiple
stakeholders
around the world
have compelling
reasons and
competing
interests when it
comes to accessing
electronic data. <span
style="color:rgb(224,102,102)">As does LE</span></span><br>
</div>
<span>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"></span><br>
</div>
</span></div>
</div>
</blockquote>
<div><br>
</div>
</span><br>
</div>
<div>Absolutely. I do not mean
to suggest otherwise.<br>
</div>
<div><span>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small"><span>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"> </span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">I
understand that
law enforcement
and intelligence
agencies need
the ability to
fulfil their
mission to
prevent serious
crime (or,
failing that, to
bring the
perpetrators to
justice). </span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"> </span><br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">At
the same time, the
protection and
promotion of civil
liberties, human
rights, and the
right to privacy
are not equally as
strong in every
territory around
the world. Some
countries are more
authoritarian than
others. <span
style="color:rgb(224,102,102)">I
support a
balance here; my
personal
information, as
well as the
personal
information of
my family
members, as well
as thousands of
US federal
employees, was
compromised in
the hack of the
Office of
Personnel
Management
federal employee
records.</span></span><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span><br>
</div>
<div>I am sorry to hear you were
the victim of cybercrime.<br>
</div>
<div><br>
</div>
<div>And a balance is precisely
what I am advocating for, so
it seems like we are on the
same page. This shouldn't be a
zero-sum game. Privacy and
security should be mutually
reinforcing.<br>
</div>
<div><br>
</div>
<div>In addition, strengthened
data and security practices
also decrease the risks
associated with personal data
collection and processing for
both end-users and businesses.
A <a moz-do-not-send="true"
rel="noreferrer"
href="https://securityintelligence.com/cost-of-a-data-breach-2015/"
target="_blank">study from
IBM in 2015</a> found that
the average data breach cost
each impacted company USD
$3.79 million, without
factoring in for the consumer
confidence lost as a result of
their personally-identifiable
data being stolen or misused.<br>
</div>
<div><span>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">Attaching
themselves to the
unquestionably
valid objectives
that law
enforcement and
intelligence
agencies have are
private entities
who do not have
the same legal
mandates or
privileged access
to information. <span
style="color:rgb(224,102,102)">There is no privileged access to
information
afforded to LE,
and appropriate
legal processes
are abided by
throughout
investigations.
</span></span><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span><br>
</div>
<div>Yes, there is privileged
access to information afforded
to intelligence agencies. It
is common knowledge that the
NSA has
a 1-million-square-foot data
centre in Utah sucking up the
data of people without
warrants, and without probable
cause. The only 'check' that
there is on the NSA's
surveillance techniques is
that of the Foreign
Intelligence Surveillance
Court, a secret body of judges
that hears arguments from only
one side: the NSA. I would
suggest that it is not a
beacon of accountability.<br>
</div>
<div><br>
</div>
<div>As for law enforcement,
this varies by country and
perhaps in the US law
enforcement does not have such
a right (I don't know, but I'd
be willing to bet that
"officer discretion", "exigent
circumstances", etc. would be
enough to justify a lot of
actions.) Their authority,
combined with a badge, a
"trusted third party" data
sharing agreement, or a simple
request, is likely to be more
fruitful than if I was to
request the same information
as a private citizen.<br>
</div>
<div><span>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"><span
style="color:rgb(224,102,102)">Private entities have become attached to
the
unquestionably
valid objectives
of law
enforcement due
to the inherent
nature of the
beast. </span></span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"><span
style="color:rgb(224,102,102)"></span></span><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span><br>
</div>
<div>I take a rather bleak view
of companies which gather data
on individuals without their
knowledge or consent.<br>
</div>
<div><span>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"><span
style="color:rgb(224,102,102)"></span></span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">
<p
style="margin:0px
0px
1em;padding:0px;font-family:"Source
Sans
Pro",sans-serif;font-size:17px;line-height:25.5px"><span
style="color:rgb(224,102,102)"><i>"Because the private sector owns and
operates a
vast majority
of the
nation's
critical
infrastructure,
partnerships
between the
public and
private
sectors are
essential to
maintaining
critical
infrastructure
security and
resilience.
These
partnerships
create an
environment to
share critical
threat
information,
risk
mitigation,
and other
vital
information
and
resources."
Source: </i></span><span
style="color:rgb(224,102,102)"><span
style="font-family:arial,sans-serif"><span
style="font-size:13px"> </span></span></span><a moz-do-not-send="true"
rel="noreferrer"
href="https://www.dhs.gov/critical-infrastructure-sector-partnerships"
style="font-family:arial,sans-serif;font-size:13px"
target="_blank">https://www.dhs.gov/c<wbr>ritical-infrastructure-sector-<wbr>partnerships</a><span
style="color:rgb(224,102,102)"><span
style="font-family:arial,sans-serif"><span
style="font-size:13px">.</span></span></span><br>
</p>
</span><br>
</div>
</div>
</div>
</blockquote>
</span><br>
</div>
<div>I would agree that we get
better answers to complex
questions when a range of
experts and interests can
meaningfully take part in the
discussions.<br>
</div>
<div><br>
</div>
<div>However, this quote is
referring to the investment
made by private sector actors
who invest in, construct,
and/or own pieces of critical
infrastructure (things like
dams, nuclear reactors, water
systems, satellites). I agree
that the public and private
sectors, here, need to work
together to identify threats
and vulnerabilities in a
collaborative and creative
manner. <br>
</div>
<div><br>
</div>
<div>This quote is not
suggesting that all private
sector actors should have the
same scope to collect data as
intelligence agencies or law
enforcement might be able to.
And, I will insist here, they
should not. Some private
investigators may like to
attach themselves to the
"cloak of legitimacy" which is
afforded public actors, but in
some instances I find these
perceived associations to be
highly problematic. I suppose
this is a conversation for
another time.<br>
</div>
<div>
<div>
<div> <br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small"><span>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"> </span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB">I
think it is
important that
we make this
distinction.</span><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><span
lang="EN-GB"> </span><br>
</div>
</span><br>
</div>
</div>
<div>
<div>
<div
class="gmail_extra">
<div><br>
</div>
<div
class="gmail_quote">
<div>On Mon, Aug
8, 2016 at 8:12
AM, Ayden
Férdeline <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:icann@ferdeline.com" target="_blank">icann@ferdeline.com</a>></span>
wrote:<br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div><br>
</div>
<div
style="word-wrap:normal">
<table
valign="top"
style="width:100%;margin-top:6px"
lang="container" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td
style="line-height:1.31;color:rgb(34,34,34);font-family:arial,sans-serif"
valign="top">
<div>Terri,<br>
</div>
<div><span>
<div><br>
</div>
<blockquote
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex;padding-top:0px;padding-bottom:0px">
<div>Absolutely,
Greg. The 2009
law
enforcement
recommendations
regarding
amendments to
the RAA
addressed
Whois data,
specifically
the need for
validating
registrant
information.
The reason
this
recommendation
was included
in the
recommendations
is because LE
utilizes the
data in cyber
investigations. There are many transcripts related to this issue, and LE
has conveyed
to the ICANN
community on
several
occasions the
importance of
Whois data,
and how LE
utilizes the
data in cyber
investigations.<br>
</div>
</blockquote>
<div><br>
</div>
</span><br>
</div>
<div><span
lang="EN-GB"><span>These
were
<i>recommendations</i>;
nothing more,
nothing less.</span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>Multiple
stakeholders
around the
world have
compelling
reasons and
competing
interests when
it comes to
accessing
electronic
data.</span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>I
understand
that law
enforcement
and
intelligence
agencies need
the ability to
fulfil
their mission
to prevent
serious crime
(or, failing
that, to bring
the
perpetrators
to justice). </span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>At
the same
time, the
protection and
promotion of
civil
liberties,
human rights,
and the
right to
privacy are
not equally as
strong in
every
territory
around the
world.
Some countries
are more
authoritarian
than others. </span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>Attaching
themselves to
the
unquestionably
valid
objectives
that law
enforcement
and
intelligence
agencies have
are private
entities who
do not have
the same legal
mandates or
privileged
access to
information.</span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>I
think it
is important
that we make
this
distinction.</span></span><br>
</div>
<div><span
lang="EN-GB"><span> </span></span><br>
</div>
<div><span
lang="EN-GB"><span>-
Ayden</span></span><br>
</div>
<div><img
moz-do-not-send="true"
style="border:0px;width:0px;min-height:0px"
src="imap://stephanie%2Eperrin%40mail%2Eutoronto%2Eca@outlook.office365.com:993/fetch%3EUID%3E/Drafts%3E28691?sc=false"
alt=""
height="0"
align="left"
width="0"> <br>
</div>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<div>
<div>
<p><br>
</p>
<div
class="gmail_extra">
<p><br>
</p>
<div
class="gmail_quote">
<div>On Thu,
Aug 4, 2016
3:31 PM, Terri
Stumme <span
dir="ltr"> <a
moz-do-not-send="true" href="mailto:terri.stumme@legitscript.com"
target="_blank">terri.stumme@legitscript.com</a></span>
wrote:<br>
</div>
<div><br>
</div>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div><br>
</div>
<div dir="ltr">
<div
style="font-family:georgia,serif;font-size:small">Absolutely,
Greg. The 2009
law
enforcement
recommendations
regarding
amendments to
the RAA
addressed
Whois data,
specifically
the need for
validating
registrant
information.
The reason
this
recommendation
was included
in the
recommendations
is because LE
utilizes the
data in cyber
investigations. There are many transcripts related to this issue, and LE
has conveyed
to the ICANN
community on
several
occasions the
importance of
Whois data,
and how LE
utilizes the
data in cyber
investigations.<br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><br>
</div>
<div
style="font-family:georgia,serif;font-size:small"><br>
</div>
</div>
<div>
<div><br>
</div>
<div>
<div>On Thu,
Aug 4, 2016 at
8:59 AM,
Mounier,
Grégory <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:gregory.mounier@europol.europa.eu"
target="_blank">gregory.mounier@europol.europ<wbr>a.eu</a>></span>
wrote:<br>
</div>
<blockquote
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div>Dear Rob,<br>
</div>
<div><br>
</div>
<div>Thanks
for sharing
the outcome of
your chat with
ex-FBI and UK
LEA agents. I
feel that I
need to step
in to provide
a different
perspective
than the one
you just gave
on the law
enforcement
use of the
WHOIS. It
might be a
matter of
interpretation
but the views
expressed by
your
interlocutors
are not shared
by my
colleagues
working
throughout
European
police cyber
divisions.<br>
</div>
<div><br>
</div>
<div>If
European cyber
investigators
are obviously
all aware of
the fact that
WHOIS
registration
data can
sometime be
inaccurate and
not up-to-date
(ICANN
compliance
reported that
for the first
quarter of
2015, WHOIS
inaccuracy
comprised 74.0
% of
complaints),
in 90% of
cases they
will start
their
investigations
with a WHOIS
lookup. This
is really the
first step.<br>
</div>
<div><br>
</div>
<div>Despite
the lack of
accuracy,
WHOIS
information is
useful in so
many different
ways. One of
the first them
is to make
correlations
and link
pieces of
information
obtained
through other
means than
from the
WHOIS. This
was the point
I tried to
make on
Tuesday during
the conference
call.<br>
</div>
<div><br>
</div>
<div>Accurate
and reliable
WHOIS data
helps crime
attribution
and can save
precious
investigation
time (you can
rule out wrong
investigative
leads).<br>
</div>
<div>It raises
the bar and
makes it more
difficult for
criminals to
abuse domain
names. It
pushes them to
resort to more
complex
techniques
such as ID
theft to
register
domains for
malicious
purposes.<br>
</div>
<div><br>
</div>
<div>In short,
for LEA WHOIS
is certainly
not the silver
bullet to
attribute
crime on line
but it is an
essential tool
in the tool
box of law
enforcement.<br>
</div>
<div><br>
</div>
<div>Best,<br>
</div>
<div><br>
</div>
<div>Greg<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-----Original
Message-----<br>
</div>
<div>From: <a
moz-do-not-send="true" href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a>
[mailto:<a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounce<wbr>s@icann.org</a>]
On Behalf Of
Rob Golding<br>
</div>
<div>Sent: 04
August 2016
01:46<br>
</div>
<div>To: RDS
PDP WG<br>
</div>
<div>Subject:
Re:
[gnso-rds-pdp-wg]
Use cases:
Fundamental,
Incidental,
and
Theoretical<br>
</div>
<div><br>
</div>
<div>>>
Theoretical<br>
</div>
<div>>>
===========<br>
</div>
<div>>>
We have seen a
couple of
proposed use
cases that
seem to be
ideas<br>
</div>
<div>>>
that people
have for
useful or
harmful ways
that RDS can
be used, but<br>
</div>
<div>>>
that do not
exist today
(at least not
that anyone
can fully<br>
</div>
<div>>>
document).<br>
</div>
<div>>><br>
</div>
<div>>>
For example,
there seems to
be a desire to
use the RDS as
a way to<br>
</div>
<div>>>
issue warrants
for
information
about
registrants.
While this may
be<br>
</div>
<div>>>
useful, this
is not
possible today
(even with
RDAP, I note).<br>
</div>
<div><br>
</div>
<div>It not
only is
possible
today, it's
also "common"
(although
thankfully not
frequent)<br>
</div>
<div><br>
</div>
<div>Registrars
get served
warrants for
details about
registrants,
and the _only_
information
from WHOIS
that's
"needed" or
used for such
cases is the
name of the
Registrar.<br>
</div>
<div><br>
</div>
<div>I had the
pleasure of
meeting Chris
Tarbell,
ex-FBI Cyber
Crime, at
HostingCon
last week -
asked about
WHOIS/domain
data he said
"we dont use
it"<br>
</div>
<div><br>
</div>
<div>Last year
at the UKNOF
event in
Sheffield I
spent quite
some time
talking with
some amazing
people from
the UK
CyberCrime
departments -
asked the same
questions,
they confirmed
that although
whois _might_
be looked at
to see if it
matches _data
they already
have_ for
confirmation,
it's not used
or relied on.<br>
</div>
<div><br>
</div>
<div>Which
beggars the
question,
should
"LawEnforcement"
use cases even
be part of the
discussions ?<br>
</div>
<div><br>
</div>
<div>Rob<br>
</div>
<div>--<br>
</div>
<div>Rob
Golding <a
moz-do-not-send="true"
href="mailto:rob.golding@astutium.com" target="_blank">rob.golding@astutium.com</a><br>
</div>
<div>Astutium
Ltd, Number
One Poultry,
London. EC2R
8JR<br>
</div>
<div><br>
</div>
<div>* domains
* hosting *
vps * servers
* cloud *
backups *
______________________________<wbr>_________________<br>
</div>
<div>gnso-rds-pdp-wg
mailing list<br>
</div>
<div><a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
</div>
<div><a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer"
target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</div>
<div>*******************<br>
</div>
<div><br>
</div>
<div>DISCLAIMER
: This message
is sent in
confidence and
is only
intended for
the named
recipient. If
you receive
this message
by mistake,
you may not
use, copy,
distribute or
forward this
message, or
any part of
its contents
or rely upon
the
information
contained in
it.<br>
</div>
<div>Please
notify the
sender
immediately by
e-mail and
delete the
relevant
e-mails from
any computer.
This message
does not
constitute a
commitment by
Europol unless
otherwise
indicated.<br>
</div>
<div><br>
</div>
<div>*******************<br>
</div>
<div><br>
</div>
<div>______________________________<wbr>_________________<br>
</div>
<div>gnso-rds-pdp-wg
mailing list<br>
</div>
<div><a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
</div>
<div><a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer"
target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</div>
</blockquote>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-- <br>
</div>
<div
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Terri Stumme</i></span></span><br>
</div>
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Investigative Analyst</i></span></span><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div><span>
<div>Ayden
Férdeline<br>
</div>
<div><a
moz-do-not-send="true"
rel="noreferrer"
href="https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI"
style="background-color:white" target="_blank">Statement of Interest</a><br>
</div>
</span><br>
</div>
</div>
</blockquote>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-- <br>
</div>
<div
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Terri Stumme</i></span></span><br>
</div>
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Investigative Analyst</i></span></span><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-- <br>
</div>
<div data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Terri Stumme</i></span></span><br>
</div>
<div><span
style="font-size:13px"><span
style="background-color:rgb(159,197,232)"><i>Investigative Analyst</i></span></span><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font size="2"><span
style="background-color:rgb(159,197,232)"><i>Terri
Stumme</i></span></font>
<div><font size="2"><span
style="background-color:rgb(159,197,232)"><i>Investigative
Analyst</i></span></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>