<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:PMingLiU;
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
span.m-1989214556801852688m-7832141262075475097hoenzb
{mso-style-name:m_-1989214556801852688m_-7832141262075475097hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:83916041;
mso-list-type:hybrid;
mso-list-template-ids:841907100 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Michael, all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">This may be a good opportunity to remind the WG and especially those that have recently joined this effort that the objective of the WG per its charter (see
<a href="https://community.icann.org/x/E4xlAw">https://community.icann.org/x/E4xlAw</a>) is to reach consensus recommendations<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">regarding the following questions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:Calibri">What are the fundamental requirements for gTLD registration data? When addressing this question, the PDP WG should consider, at a minimum, users and purposes and associated access,
accuracy, data element, and privacy requirements.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:Calibri">Is a new policy framework and next-generation RDS needed to address these requirements?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:Calibri">If yes, what cross-cutting requirements must a next-generation RDS address, including coexistence, compliance, system model, and cost, benefit, and risk analysis requirements?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:Calibri">If no, does the current WHOIS policy framework sufficiently address these requirements? If not, what revisions are recommended to the current WHOIS policy framework to do so?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">We are now in the first phase of what is a three phase process, namely: (1) establish gTLD registration data requirements to determine if and why a next generation RDS is needed, (2) design
policies that detail functions that must be provided by a next generation RDS to support those requirements, and (3) provide guidance for how a next-generation RDS should implement those policies, coexisting with and eventually replacing WHOIS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">For those of you that have not done so yet, you are strongly encouraged to review the charter and the documents that are referenced there, especially the Final Issue Report and the Process
Framework. For those of you who prefer watching and listening to reading, you may also want to review the RDS Beginner’s tutorial which can be found here:
<a href="https://icann.adobeconnect.com/p10x6r7jvg6/">https://icann.adobeconnect.com/p10x6r7jvg6/</a>.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Marika<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black"><gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com><br>
<b>Date: </b>Wednesday, April 26, 2017 at 09:28<br>
<b>To: </b>allison nixon <elsakoo@gmail.com><br>
<b>Cc: </b>"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org><br>
<b>Subject: </b>Re: [gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Adding to what Tim and Allison wrote.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">As a starting point, I've had an account with DomainTools in the past and will likely have one in the future, although I don't currently have one.
<br>
<br>
There are other organizations and individuals which consume/aggregate whois data so I don't think that for the purposes of this discussion the focus should be on just DomainTools. I know researchers and academics who use this data to analyze all sorts of things.
As has been pointed out, there are all sorts of folks staking out positions because of their economic (and other) interests without necessarily being transparent about those interests.
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">It should be remembered that the Internet is an agglomeration of many networks and resources, some public and some private. At the same time, it is simply a bunch of technical standards that people and organizations
have agreed to use to interact with each other. In many cases, the ultimate solution to abuse is to drop route. To the extent that good and granular information is not readily available, regular (innocent) users may suffer as owners and administrators of resources
act to protect those resources and their legitimate users from abuse and maliciousness. The reality is that most users of the internet utilize a relatively small subset of all the resources out there. For some, a service like Facebook IS the Internet.<br>
<br>
It may also incite a tendency towards returning to a model of walled gardens. At various points I have heard discussions about the balkanization of the internet, with things like separate roots, etc. People should think very carefully about what they are asking
for because they may not be happy with it if they actually get it.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Rather than starting from a model of justifying everything and anything from a privacy perspective, I would suggest that it would be much more appropriate, other than technical changes such as moving towards
using JSON, to require justification and consensus for any changes from the existing model(s) of WHOIS.<o:p></o:p></p>
</div>
<p class="MsoNormal">Michael Hammer<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Apr 26, 2017 at 10:27 AM, allison nixon <<a href="mailto:elsakoo@gmail.com" target="_blank">elsakoo@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p>Thank you for your email Tim. <o:p></o:p></p>
<p>Full disclosure(because I believe in being transparent about this sort of thing), we do business with Domaintools and use their tools to consume whois data.<o:p></o:p></p>
<p>"i'll close by saying I think Allison's point about economic value has merit. yes, the point of the WG is not to protect anyone's economic interest. I agree 100% with that statement and will disagree with anyone who thinks the future of DomainTools or
other commercial service should have one iota of impact on this discussion."<o:p></o:p></p>
<p>I will however disagree vehemently with you on this point. It is obvious that many of the arguments to cut off anonymous querying to WHOIS data are economically motivated. Financial concerns are cited numerous times in approved documents. I also believe
the "vetting" process is likely to become a new revenue stream for someone as well. A revenue stream with HIGHLY questionable privacy value-add.
<o:p></o:p></p>
<p>Every dollar of income for the Domaintools company and others like it come from their clients, who see a multiplier of value from it. That means for every dollar spent on the entire whois aggregator industry means that a much larger amount of money is saved
through prevented harms like fraud, abuse, and even fake medications which kill people.<o:p></o:p></p>
<p>I think it is extremely important to identify what critical systems rely on whois (either directly or downstream), and determine if we are ready to give up the utility of these systems.
<o:p></o:p></p>
<p style="margin-bottom:12.0pt">We also need to identify the value of the ability to anonymously query whois and what that loss of privacy will mean as well. While I obviously do not make many queries anonymously(although our vendor has their own privacy policy),
I understand this is important especially to those researching more dangerous actors. Why would $_COUNTRY dissidents want to query domains when their opponents would surely be hacking into the audit logs for this?<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Apr 25, 2017 11:41 PM, "Chen, Tim" <<a href="mailto:tim@domaintools.com" target="_blank">tim@domaintools.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">"And I hope more stakeholders in this multi-stakeholder process will come forward with their own perspectives, as they will differ from mine."</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">happy to do so. DomainTools is clearly a stakeholder in this debate. and we have a fair amount of experience around the challenges, benefits and risks of whois data aggregation at scale. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">from the beginning of this EWG/RDS idea we've stood down bc i didn't believe our opinion would be seen as objective-enough given our line of business. but it is apparent to me having followed this debate for
many weeks now, that this is a working group of individuals who all bring their own biases into the debate. whether they care to admit that to themselves or not. so we might as well wade in too. bc I think our experience is very relevant to the discussion.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">i'll do my best to be as objective as I can, as a domain registrant myself and as an informed industry participant.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">since our experience is working with security minded organizations, that is the context with which I will comment. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">since this is an ICANN working group, I start with the ICANN mission statement around the security and stability of the DNS. I find myself wanting to fit this debate to that as the north star. i do not see
the RDS as purpose driven to fit the GDPR or any region-specific legal resolution. but I do see those as important inputs to our discussion.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">from a security perspective, my experience is that the benefits of the current Whois model, taken with this lens, far outweigh the costs. again, I can only speak from my experience here at DomainTools, and
obviously under the current Whois regime. This is not to say it cannot be improved. From a data accuracy perspective alone there is enormous room for improvement as I think we can all agree. every day I see the tangible benefits to security interests, which
for the most part are "doing good", from the work that we do. when I compare that to the complaints that we get bc "my PII is visible in your data", it's not even close by my value barometer (which my differ from others'). this is relevant bc any future
solution will be imperfect as I have mentioned before. as Allison and others point out we need to measure the harm done by any new system that may seek to solve one problem (privacy?) and inadvertently create many more. since this group is fond of analogies
I'll contribute one from the medical oath (not sure if this is just U.S.) "first, do no harm".</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">i'll close by saying I think Allison's point about economic value has merit. yes, the point of the WG is not to protect anyone's economic interest. I agree 100% with that statement and will disagree with
anyone who thinks the future of DomainTools or other commercial service should have one iota of impact on this discussion. but I also think "it's too expensive" or "it's too hard" are weak and dangerous excuses when dealing with an issue like this which has
enormous and far reaching consequences for the very mission of ICANN around the security and stability of our internet.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Tim</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Apr 24, 2017 at 3:50 PM, allison nixon <<a href="mailto:elsakoo@gmail.com" target="_blank">elsakoo@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Thanks for the documentation in your earlier email. While I understand that's how things are supposed to work in theory, it's not implemented very widely, and unless there is enforcement, then it's unlikely to be useful at all.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"<span style="font-size:9.5pt">as a given, we put ourselves in a certain position in terms of the actions we can and cannot recommend. We can make similar statements focused on registry operators, registrars, or any other stakeholder in
this space. If we all approach this WG's task with the goal of not changing anything, we're all just wasting our time."</span><br>
<br>
<span style="font-size:9.5pt">There are things that people would be willing to change about WHOIS. Changes purely relating to the data format would not be as controversial. Changing to that RDAP json format would probably be an agreeable point to most here.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">There are two different major points of contention here. The first is the data format, second is the creation of a new monopoly and ceding power to it. By monopoly I mean- who are the gatekeepers of "gated"
access? Will it avoid all of the problems that monopolies are historically prone to? Who will pay them? It seems like a massive leap of faith to commit to this without knowing who we are making the commitment to.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">"I do not believe it is this WG's responsibility to protect anyone's</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:9.5pt">commercial services if those things are basically in response to<br>
deficiencies in the existing Whois protocol. "</span> <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">From my understanding of past ICANN working groups, registrars have fought against issues that would have increased their costs. And the destruction of useful WHOIS results(or becoming beholden to some new
monopoly) stand to incur far more costs for far larger industries. So this shouldn't surprise you. If those economic concerns are not valid then I question why the economic concerns of registrars are valid.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">If entire industries are built around a feature you would consider a "deficiency", then your opinion may solely be your own. And I hope more stakeholders in this multi-stakeholder process will come forward
with their own perspectives, as they will differ from mine.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">"Not trying to hamstring the WG. Just asking if this is not something that has already been solved.."</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Hi Paul,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">It's an interesting thought. This document was recommended to me as one that was approved in the past by the working group that outlined what the resulting system might look like. I'm still learning and reading
about these working groups and what they do, and this document is massive.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><a href="https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf" target="_blank">https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf</a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">In the document, it says: <i>"Central to the remit of the EWG is the question of how to design a system that increases the accuracy of the data collected while also offering protections for those Registrants seeking
to guard and maintain their privacy."</i></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">One of the things I notice is that any talk about actually increasing accuracy of whois info- via enforcement- is vigorously opposed in this group, and it's merely assumed that people will supply better quality
data under the new system. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Throughout the document it talks about use-cases and features (whois history, reverse query, etc), which are indeed identical to the features of the whois aggregators of current day. Such a system would replace
them. Will the service quality be as good?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">On page 63 it gets into thoughts on who would be "accredited" to access the gated whois data. Every proposed scenario seems to recognize the resulting system will need to handle a large query volume from a
large number of people, and one proposes accrediting bodies which may accredit organizations which may accredit individuals. It even proposes an abuse handling system which is also reminiscent in structure to how abuse is handled currently in our domain name
system. Many of these proposed schemes appear to mimic the ways that the hosting industry and registrar industry operate, so we can expect that the patterns of abuse will be equally frequent, especially if higher quality data is supplied.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">The proposed scenarios all paint a picture of "gated" access with very wide gates, while simultaneously representing to domain purchasers that their data is safe and privacy protected. And this is supposed
to *reduce* the total number of privacy violations? This doesn't even appeal to me as a consumer of this data.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Whoever sets up this system also stands to inherit a lot of money from the soon-to-be-defunct whois aggregation industry. They would certainly win our contract, because we would have no choice. All domain reputation
services, anti-spam, security research, etc, efforts will all need to pay up. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">After being supplied with the above document, I also saw a copy of a rebuttal written by a company that monitors abusive domains. I strongly agree with the sentiments in this document and I do not see evidence
that those concerns have received fair consideration. While I do not see this new gatekeeper as an existential threat, I do see it as a likely degradation in the utility i do see from whois. To be clear, we do not do any business with this company.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><a href="http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf" target="_blank">http://mm.icann.org/pipermail/input-to-ewg/attachments/20130823/410038bb/LegitScriptCommentsonICANNEWGWhoisReplacementStructure-0001.pdf</a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">I also found John Bambenek's point in a later thread to be interesting- concentrating WHOIS knowledge solely to one organization allows the country it resides in to use it to support its intelligence apparatus,
for example monitoring when its espionage domains are queried for, and targeting researchers that query them (since anonymous querying will be revoked). Nation states already use domains in operations so this monopoly is a perfect strategic data reserve. The
fact that this system is pushed by privacy advocates is indeed ironic.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">None of those concerns appear to have been addressed by this group in any serious capacity. Before the addition of new members, I don't think many people had the backgrounds or skillsets to even understand
why they are a concern. But I think this is a discussion worth having at this point in time for this group.</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Apr 24, 2017 at 1:50 PM, Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Hi,<br>
<br>
On Mon, Apr 24, 2017 at 07:25:47PM +0200, Paul Keating wrote:<br>
> Andrew,<br>
><br>
> Thank you. That was helpful.<br>
><br>
> ""Given this registrant, what other<br>
> domains are registered?" is a solved problem, and has been since the<br>
> early 2000s.²<span style="font-family:PMingLiU"><br>
</span>><span style="font-family:PMingLiU"><br>
</span>> This is also traceable via alternative means such as consistencies in<br>
> various WHOIS fields such as email, address, name, etc.<br>
<br>
Well, sort of. The email, address, and name fields are _user_<br>
supplied. So they come from the other party to the transaction. The<br>
ROID is assigned by the registry itself. So once you have a match,<br>
you know that you are looking at the same object, only the same<br>
object, and all the same object(s).<br>
<br>
Email addresses in particular are guaranteed unique in the world at<br>
any given time (though not guaranteed as unique identifiers over<br>
time), so they may be useful for these purposes. Take it from someone<br>
named "Andrew Sullivan", however, that names are pretty useless as<br>
context-free identifiers :)<br>
<br>
> In reality finding out answers to questions such as<br>
> yours (above) requires investigation using a plethora of data.<br>
<br>
To be clear, finding out the answer to what I (meant to) pose(d)<br>
requires no plethora of data: it requires a single query and access to<br>
the right repository (the registry). In some theoretical system, the<br>
correct underlying database query would be something like this:<br>
<br>
SELECT domain_roid, domain_name FROM domains WHERE registrant_roid = ?;<br>
<br>
and you put the correct ROID in where the question mark is, and off<br>
you go. That will give you the list of all the domain names, and<br>
their relevant ROIDs, registered by a given registrant contact. At<br>
least one registry with which I am familiar once had a WHOIS feature<br>
that allowed something close to the above, only it would stop after<br>
some number of domains so as not to return too much data. I think the<br>
default was therefore LIMIT 50, but I also think the feature was<br>
eventually eliminated about the time that the ICANN community rejected<br>
IRIS as an answer to "the whois problem".<br>
<br>
What the above will of course not do is help you in the event Bob The<br>
Scammer has created dozens of different contacts for himself by (say)<br>
registering names through many different registrars. I do not believe<br>
that any registry is going to support such a use at least without<br>
access controls, because it can be expensive to answer such things.<br>
So, what you understood me to be asking, I think, is the question I<br>
did _not_ ask: given this human being or organization, what other<br>
domains are registered?" That does require a lot of different data,<br>
and it requires cross-organizational searches, and it requires sussing<br>
out when someone has lied also. Such research is, I agree, completely<br>
outside the scope of what any technical system will ever be able to<br>
offer reliably.<br>
<br>
> An entire<br>
> industry exists for this purpose and I don¹t think we should be<span style="font-family:PMingLiU"><br>
</span>> considering replacing what has already been existing in the cyber security<span style="font-family:PMingLiU"><br>
</span>> marketplace.<span style="font-family:PMingLiU"><br>
<br>
</span>I do not believe it is this WG's responsibility to protect anyone's<span style="font-family:PMingLiU"><br>
</span>commercial services if those things are basically in response to<br>
deficiencies in the existing Whois protocol. In this case, however,<br>
that's not the problem. Linking data in multiple databases to a given<br>
real-world human being is hard even in systems without competition and<br>
multiple points of access. It's always going to require researchers<br>
for the domain name system.<br>
<br>
Best regards.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
A<span style="color:#888888"><br>
<br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb">--</span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb">Andrew Sullivan</span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb"><a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a></span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb">_______________________________________________</span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb">gnso-rds-pdp-wg mailing list</span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb"><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a></span><br>
<span class="m-1989214556801852688m-7832141262075475097hoenzb"><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></span><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span style="color:#888888"><br>
<br clear="all">
</span><span class="m-1989214556801852688m-7832141262075475097hoenzb"><span style="color:#888888"><o:p></o:p></span></span></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span class="m-1989214556801852688m-7832141262075475097hoenzb"><span style="color:#888888">--
</span><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#888888">_________________________________<br>
Note to self: Pillage BEFORE burning.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>