<p dir="ltr">(Also depending on how the english is read it might just be a turn of phrase and not aggressive language, i'm not agitated in any case, so let's please return the discussion to the facts and not get upset when facts are brought to the table)</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Apr 27, 2017 8:46 PM, "allison nixon" <<a href="mailto:elsakoo@gmail.com">elsakoo@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">a lot of emails since i have last been at a computer... replying to snippets of previous mails:<div><br></div><div><b>"<span style="font-size:12.8px">I actually disagree that there have been many situations where criminal investigations have been stifled due to an inability to meet the criteria for a search in Canada. Where those situations *have* arisen though, it is not a catch-22 situation, it's a situation where you just don't have a good enough reason to identify the anonymous digital activity.</span></b></div><b><br style="font-size:12.8px"><span style="font-size:12.8px">Regarding judges valuation of digital evidence, some will likely instill more rigorous digital forensics requirements than others, or draw more robust inferences from a certain dataset, but that cuts both ways (sometimes in favour of allowing the search sometimes against). Realistically speaking, very few ex parte search requests get denied (including ones for digital identification) so if anything I suspect the latter situation is more prevalent. </span><span style="font-size:12.8px">"</span><br style="font-size:12.8px"></b><div class="gmail_extra"><br></div><div class="gmail_extra">I'm specifically calling out situations where judges do not understand technology, and specifically in cybercrime cases with technically skilled suspects. I am not canadian and I have had very few interactions with their legal system and those few interactions leave me with hope that they improve in their understanding of how things work on the Internet. These catch-22 situations have all seemingly stemmed from a lack of understanding of technology. I cannot speak about specific details so I cannot continue this line of conversation much further. I would like to be wrong about my beliefs on this.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><b>"<span style="color:rgb(0,0,0);font-family:arial;font-size:16px">The likes of data harvesters, well, sorry but whois was not built for you to make money from, I do not pay my bandwidth bills for you to waste my cash. If you have a legitimate reason (and harvesting for sale which is what it is isn’t one of them) then explain.</span>"</b></div><div class="gmail_extra"><br></div><div class="gmail_extra">Data harvesting is the only way to perform those "reverse whois" and "historical whois" use-cases that are reiterated many times as a need. You don't store a historical repository on your whois server, and you don't notify when a record changes, so people must query over and over again. If you wanted to negotiate something better, I think both parties would benefit.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><b>"<span style="color:rgb(0,0,0);font-family:arial;font-size:16px">Today this group has done a great disservice, the constant back and fourth of bickering - yes bickering has lead to one person requesting to being removed, someone who I do have a great respect for who thinks outside the box to fix a solution like I do. Constant badgering really is not going to get this group further as the "people" (read for definition : Registrars) who have to collect this information are the ones that will ultimately get a fine, not "data harvesters" DomainTools (Paul Keating) or LegitScript (their WHOIS collection service - John Horton) or the "anti-abuse" people (Allison Nixon / John Bambenek) but the registrar.</span>"</b></div><div class="gmail_extra"><br></div><div class="gmail_extra">He resigned because I called his idea unappealing. His idea where this future scenario leads to a company risking a far higher fine than the criminals would ever have faced. So yes, I reiterate, that future is unappealing and even kafkaesque. Nowhere did I state a personal attack against him, so threats to the nose are enormously inappropriate and I as well as the list need to know if you intend to carry out those threats. Complaining about the quality of discussion and following up with threats of violence is not a consistent stance, pick one or the other and stick with it please.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">For those of you who think that every case of sharing publicly available PII is a travesty deserving of a major crackdown, I seek your opinions about the following scenario:</div><div class="gmail_extra"><br></div><div class="gmail_extra">Here's an article written by an independent journalist about commercially available malware in an underground forum that the authorities will likely never touch due to their chronic lack of manpower. In this article, he shares information relating to the maker of a remote access trojan with spying and ransom features, who sells it on an underground forum where users regularly use similar tools to engage in ransom, child exploitation, and other activities, essentially in an open-air market. Often the only deterrent to openly selling malware is journalistic exposure of one's activities, since the authorities either can't or won't take action.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><a href="https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/" target="_blank">https://krebsonsecurity.com/<wbr>2016/07/canadian-man-is-<wbr>author-of-popular-orcus-rat/</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">In this article, he shares quite a lot of PII much of it derived from WHOIS records, even on the guy's personal non-criminal sites. He doesn't even get a judge's approval to do so! </div><div class="gmail_extra"><br></div><div class="gmail_extra">If this article was written in the EU in the future, does this journalist deserve incredible fines while the criminal remains anonymous due to aforementioned chronic lack of manpower? </div><div class="gmail_extra">Also, do you think that such a privacy regime would retain public support for very long?</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">If you aren't acquainted with the darker side of the Internet, I suggest you read some more articles on that guy's site. This "I don't know and I don't care" attitude towards cybercrime, especially on the basis of questionable legal interpretations, is likely a source of much of this problem. But I don't want registrars to get fined either, and I think it would be ridiculous to force them into a situation where they take a fine from one end or the other. But there's most likely a solution that can work out for both sides because there are exemptions in these EU laws, and an actual legal expert can probably figure them out. </div><div class="gmail_extra"><br></div><div class="gmail_extra">also i continue to +1 the "whois privacy for free" idea.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 7:08 PM, John Bambenek via gnso-rds-pdp-wg <span dir="ltr"><<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><br><br>Sent from my iPhone</div><div><br>On Apr 27, 2017, at 17:54, "<a href="mailto:tisrael@cippic.ca" target="_blank">tisrael@cippic.ca</a>" <<a href="mailto:tisrael@cippic.ca" target="_blank">tisrael@cippic.ca</a>> wrote:<br><br></div><blockquote type="cite"><div>
<br>
<br>
<div class="m_-1139150506793045513gmail-m_-3292726421701122041moz-cite-prefix">On 2017-04-27 5:58 PM, John Bambenek
wrote:<br>
</div>
<blockquote type="cite">
On 4/27/2017 4:43 PM, <a class="m_-1139150506793045513gmail-m_-3292726421701122041moz-txt-link-abbreviated" href="mailto:tisrael@cippic.ca" target="_blank">tisrael@cippic.ca</a>
wrote:<br>
<blockquote type="cite"> Hi John,<br>
<br>
As long as it's a true choice this might be ok. As in a
cost-less opt-in choice the registrant can make and re-make at
any time.<br>
<br>
</blockquote>
<br>
This is exactly what I advocate. Literally check a box, uncheck a
box... hell, I'll even pop for making some videos and a website
explaining to consumers the pros and cons of doing both.<br>
</blockquote>
It doesn't sound like this is what you're proposing at all though.
You seem to be saying there should be a searchable database for at
least some thick WHOIS data items even if someone chooses the
'private' stream. <br></div></blockquote><div><br></div><div>As far as I am concerned the only data besides "PRIVATE" the needs to be shown in that case is nameservers (the domain wouldn't work without making that public somehow anyway). I would like registration, renewal, expiration dates. Other than that, they marked their info private, its private. </div><br><blockquote type="cite"><div>
<blockquote type="cite"> <br>
<blockquote type="cite"> But you would still need to develop a mechanism for
legitimate access to the 'privacy stream' data that should
reflect broader access norms. For example, if you are accessing
for private rights enforcement purposes, you would need to meet
the civil discovery threshold. If you're accessing for law
enforcement purposes, you would need to meet a whole other, more
rigorous threshold. This might differ by jurisdiction as well
(if you're an LEA from country A as opposed to country B). <br>
<br>
And even in respect to those in the fully public WHOIS stream,
you may still wish to impose some conditions. After all most
data protection regimes impose some conditions even on fully
public personal information. <br>
</blockquote>
<br>
The question then becomes on what data fields is that true. Lots
of data is stored by registrars... I don't need, for instance,
credit card information (well, I do, but those requests are
handled via law enforcement). In Canada, google shows a variety
of things that let me search property / title records... as a
rough analogy, why is what we <br>
</blockquote>
I'm not actually familiar with a google-able property search but
presumably the key difference would be that ownership of a property
doesn't in effect reveal anonymous activity of the type you would be
undertaking on an otherwise anonymous website. <br></div></blockquote><div><br></div><div>See above but I would dispute domain registrant info anyway unmasks any activity on an otherwise anonymous website. All it says is who owns a domain. </div><br><blockquote type="cite"><div>
<br>
Best,<br>
Tamir<br>
<blockquote type="cite">
<blockquote type="cite"> <br>
Best,<br>
Tamir<br>
<br>
<div class="m_-1139150506793045513gmail-m_-3292726421701122041moz-cite-prefix">On 2017-04-27 2:34 PM, John
Bambenek via gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite">
<p>That was why I advocate whois privacy (or equivalent).
WHOIS would still be public be some elements need to be
public (nameservers) or it just doesn't work... the consumer
is free to choose which lane they want to be in, and the
rest of us can use that data how we see fit.<br>
</p>
<br>
<div class="m_-1139150506793045513gmail-m_-3292726421701122041moz-cite-prefix">On 4/27/2017 1:17 PM, <a class="m_-1139150506793045513gmail-m_-3292726421701122041moz-txt-link-abbreviated" href="mailto:tisrael@cippic.ca" target="_blank">tisrael@cippic.ca</a>
wrote:<br>
</div>
<blockquote type="cite"> Hi there,<br>
<br>
Sorry to interject here.<br>
<br>
I think a governance exercise here must look beyond what the
law strictly allows in terms of formulating WHOIS and to how
a given WHOIS configuration will impact on recognized legal
privacy protections.<br>
<br>
So, in Canada, our courts have built legal protections and
safeguards into the civil discovery process that determine
under what conditions anonymous online activity can be
identified. Similarly, we have constitutional protections
that prevent private entities from voluntarily identifying
anonymous online actors to law enforcement if certain
procedural steps aren't met.<br>
<br>
Making WHOIS public by default would effectively bypass all
of these safeguards. Surely that, then, also has to be a
consideration in a governance process of this sort?<br>
<br>
Best regards,<br>
Tamir<br>
<br>
<div class="m_-1139150506793045513gmail-m_-3292726421701122041moz-cite-prefix">On 2017-04-27 2:07 PM, Paul
Keating wrote:<br>
</div>
<blockquote type="cite">
<div>All good questions but I would like to start with the
scope of the. Urrent laws as it applies to current Whois
data. <br>
<br>
Sincerely,
<div>Paul Keating, Esq.</div>
</div>
<div><br>
On Apr 27, 2017, at 7:47 PM, allison nixon <<a href="mailto:elsakoo@gmail.com" target="_blank">elsakoo@gmail.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">I'm sure everyone's schedules are quite
busy, and they will manage.
<div><br>
</div>
<div>We need a proper legal authority here because
it's potentially falsely being presumed that the
use of WHOIS data is illegal and noncompliant in
the first place. We simply do not know if that is
a factual premise. We also need to take into
account laws other than the EU privacy laws, and
laws outside the EU. A number of exemptions exist
within these privacy laws and those people
throwing around the legal arguments accusing this
of being illegal don't seem to ever mention that
fact. We need an unbiased legal expert.</div>
<div><br>
</div>
<div>What if a country is trying to enforce a law
that is deemed distasteful (violates human rights,
etc), and their registrant is located within the
country? does the gatekeeper have grounds to deny
them the ability to enforce their own laws against
their own people, and if so when?</div>
<div><br>
</div>
<div>How does WHOIS play into other areas of
compliance, such as know-your-customer, complying
with sanctions, anti-money laundering, HIPPAA,
PCI, etc? Is complying to one law more important
than complying to another, if one had to choose?</div>
<div><br>
</div>
<div>Will the gatekeeper comply with anti-trust
laws?</div>
<div><br>
</div>
<div>How does privacy law prohibit information
collection on registrants yet collect detailed PII
info on queriers and subject them to audit? What
happens if the gatekeeper is hacked into for those
audit logs? What happens if the gatekeeper
receives a national security letter?</div>
<div><br>
</div>
<div>All of these are legal questions that need to
be answered without bias and with full
understanding of the facts.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 27, 2017 at
12:42 PM, Stephanie Perrin <span dir="ltr"><<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank">stephanie.perrin@mail.utoront<wbr>o.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote">
<div>
<p>And we need to have a lengthy discussion
about precisely who that legal expert might
be. It appears that many of our members are
prepared to reject the views of the Data
Protection Authorities themselves, who took
the time out of their extraordinarily busy
schedules to come and speak with us in
Copenhagen.<br>
</p>
</div></blockquote></div></div></div></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></div></blockquote></div></blockquote></div><br clear="all"><div><br></div>-- <br><div class="m_-1139150506793045513gmail_signature">______________________________<wbr>___<br>Note to self: Pillage BEFORE burning.</div>
</div></div>
</blockquote></div></div>