<div dir="auto"><div dir="ltr"><div><span style="font-size:12.8px">On Wed, Jun 07, 2017 at 10:55:19AM -0400, Stephanie Perrin wrote:</span><br style="font-size:12.8px"><span style="font-size:12.8px">> These are excellent questions. I would add an additional one: why are</span><br style="font-size:12.8px"><span style="font-size:12.8px">> private cybercrime investigators not accredited? How can the global public</span><br style="font-size:12.8px"><span style="font-size:12.8px">> trust them, or perhaps why?</span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">There's even more deep misunderstandings afoot. There's also the implicit idea that "</span><span style="font-size:12.8px">private cybercrime investigators" are default untrustworthy, and ICANN is by default trustworthy. </span></div><div><div><span style="font-size:12.8px"><br class="m_8025482563642165809gmail-Apple-interchange-newline">If you ever entered your data into a web form, you are trusting these "</span><span style="font-size:12.8px">private cybercrime investigators", and if you truly believe they are not trustworthy, you are free to minimize what you share.</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If ICANN is going to be entrusted with heaps of PII, </span><span style="font-size:12.8px">"</span><span style="font-size:12.8px">private cybercrime investigators"</span><span style="font-size:12.8px"> will be employed to protect that data. Maybe even some of the same people that are telling you it's a bad idea to collect it.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Second, ICANN has a consistently bad track record when it comes to inaction in the face of known abuse. Not only is WHOIS accuracy the butt of jokes, but some "bulletproof" registrars remain accredited long after they are outed, and entire TLDs are infamous. And we're supposed to believe that ICANN will suddenly start getting proactive about abuse. WHOIS is one of the few tools that can be used to hold ICANN accountable!</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">There is also the deep misunderstanding that there is any accreditation scheme that will produce the results you hope for without destroying the utility of this.</span><span style="font-size:12.8px"> Unless this is merely ritualistic box checking, in which case the misunderstanding is on me.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Another deep misunderstanding- the idea that the data is sensitive enough to warrant this. People in the security community go through "accreditation" to become private investigators or to get security clearance, but to imagine WHOIS data on par with classified data or PI's records is silly. If we're going to go through that, we better get the IP and billing address too. The actual sensitive PII.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Andrew's point about voluntary interconnection is spot on. Networks are far from perfect. ICANN won't save you, and neither will the government. The Internet is NOT a safe place, and will not be made safer by blinding people. </span></div><div><br></div><div>>><span style="font-size:12.8px">its role in IANA registries will simply be usurped by others, and</span></div><span style="font-size:12.8px">>>people will ignore the ICANN registrars and registries and everything</span><br style="font-size:12.8px"><span style="font-size:12.8px">>>like that. I certainly hope we never get there, because it would be</span><br style="font-size:12.8px"><span style="font-size:12.8px">>>really painful and bad for the Internet</span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">We're getting there. Entire top level domains are already ignored on many networks like .science, .xyz, .pw, .top, .club, et cetera. These products are becoming worthless to legitimate buyers due to abuse. "</span><span style="font-size:12.8px">private cybercrime investigators" are the people bringing these facts to light, and the proper response is not to act with suspicion and demand that they fill out more paperwork, but maybe think about why operators want to block vast swaths of namespace and how much that reflects declining trust in ICANN accredited entities.</span><span style="font-size:12.8px"><br></span><div><br></div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 7, 2017 at 12:53 PM, Andrew Sullivan <span dir="ltr"><<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
On Wed, Jun 07, 2017 at 10:55:19AM -0400, Stephanie Perrin wrote:<br>
> These are excellent questions. I would add an additional one: why are<br>
> private cybercrime investigators not accredited? How can the global public<br>
> trust them, or perhaps why?<br>
<br>
The above question implies a deep misunderstanding of the nature of<br>
the Internet.<br>
<br>
As Phill Hallam-Baker[1] said once, "On the Internet, you are so not<br>
in charge for every value of 'you'." The reason that Internet private<br>
cybercrime investigators are not accredited is the same reason that<br>
Internet policy people are not accredited, Internet technical<br>
contributors are not accredited, Internet e-commerce site operators<br>
are not accredited, and Internet private fans of dressing up as furry<br>
creatures are not accredited. In a network of networks, there is no<br>
centre of control because there is _no centre_. Since there is no<br>
centre of control on the Internet, accreditation in the generic<br>
sense above is completely meaningless.<br>
<br>
The way things on the Internet work is _voluntary_ interconnection,<br>
which means that you're a "private cybercrime investigator" if people<br>
who have real legal authority in real legal jurisdictions decide to<br>
rely on and work with your investigations. You're an ISP if people<br>
decide to use your service provisioning to connect to the Internet.<br>
And so on.<br>
<br>
The idea that there is anyone in a position to accredit someone else<br>
for a generic Internet job completely misses the way the Internet<br>
actually functions. ICANN today can accredit registrars and<br>
registries (and therefore make policies about RDS) because people<br>
agree to let ICANN do this, because it's doing it now and it's hard to<br>
change that. But if ICANN proves to be too useless for the rest of<br>
the Internet (because, to take an imaginary case, the community around<br>
ICANN thinks it is Boss of da Internetz and so can make rules that<br>
break operational reality without any apparent operational benefit),<br>
then its role in IANA registries will simply be usurped by others, and<br>
people will ignore the ICANN registrars and registries and everything<br>
like that. I certainly hope we never get there, because it would be<br>
really painful and bad for the Internet. But it is certainly<br>
possible. ICANN has no power independent of the agreement of everyone<br>
to use the ICANN policies for the IANA DNS root. Ask MySpace or the<br>
authors of Gopher whether there are any permanent favourites on the<br>
Internet.<br>
<br>
Best regards,<br>
<br>
A<br>
<br>
[1] of all people<br>
<span class="m_8025482563642165809HOEnZb"><font color="#888888"><br>
--<br>
Andrew Sullivan<br>
<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a><br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_8025482563642165809gmail_signature" data-smartmail="gmail_signature">______________________________<wbr>___<br>Note to self: Pillage BEFORE burning.</div>
</div>