<div dir="auto"><div dir="ltr"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"></blockquote><div><span style="font-size:12.8px">>> That is not a reasonable requirement: this WG is not responsible for</span></div><div><span style="font-size:12.8px">>> tool development or design. The protocol needs to change -- has</span></div><div><span style="font-size:12.8px">>> certainly needed to for 20 years -- and in order to make that happen</span></div><div><span style="font-size:12.8px">>> some tools will need to change. There is no way to guarantee what</span></div><div><span style="font-size:12.8px">>> people will do to the user interface when they change tools.</span></div><div><span style="font-size:12.8px">>> Moreover, we don't have a common definition of what an "inferior" user</span></div><div><span style="font-size:12.8px">>> interface is anyway. What would be a reasonable requirement is that</span></div><div><span style="font-size:12.8px">>> it is _possible_ to build a simialr user interface as what already</span></div><div><span style="font-size:12.8px">>> exists, but atop the new data access protocol.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">My understanding is that under this closed system, the entity responsible for building the access method will no longer be "anyone with the motivation and talent", as it is now, but rather a single entity that must be authorized to work with such "sensitive" data and everyone will have to use them from now on. After all, anyone aggregating the whois data and reselling it under their interface would defeat the entire point of a gate.</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">>> I think I disagree with this claim. We are in fact discussing what</span></div><div><span style="font-size:12.8px">>> the gated system, if it is created, is supposed to contain. It is</span></div><div><span style="font-size:12.8px">>> possible that there are things currently in the public whois that</span></div><div><span style="font-size:12.8px">>> never should have been published at all, even to authenticated</span></div><div><span style="font-size:12.8px">>> parties, without some legal processes and I think we are going to have</span></div><div><span style="font-size:12.8px">>> to argue about that. I am not claiming that there are such things: I</span></div><div><span style="font-size:12.8px">>> don't know, and part of my frustration over the last month or two has</span></div><div><span style="font-size:12.8px">>> been that we have been arguing over the obvious rather than getting</span></div><div><span style="font-size:12.8px">>> down to this quite difficult issue.</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">I think it's very much worth arguing about. Let's imagine the practical reality of getting that done. </span></div><div><br></div><div><span style="font-size:12.8px">For the legal process route- let's say for the sake of argument in the USA it'll require a subpoena because I don't think there's any process that has a lower bar. I've never sought a subpoena, but I know that colleagues in my industry sometimes do. I've heard that getting subpoenas for cybercrime related issues costs between 1 and 10 thousand dollars depending on lawyer and jurisdiction and other factors. Also, using that process will get the customer's billing and IP info anyways. So if I have to get a court order, then I don't care about WHOIS. I'm getting everything. </span></div><div dir="auto"><br></div><div><span style="font-size:12.8px">I see two possibilities arising from requiring this. Either, a near-complete shutdown, or a streamlined process resulting in business-as-usual. </span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">If a subpoena is the bar we set, all available information will be sought. I can guarantee these queries will also be made against every domain ever used in sent e-mail, and every domain queried from a corporate environment, at a minimum. This is supposed to enhance privacy? Or is the goal to prevent some portion of the queries made for the purposes of network defense?</span></div><div><br></div><div>We also face the obvious fact that Russian judges are unlikely to unmask whois for Russian domains used to meddle in elections(or any of the obscene volume of cybercrime coming from there), and Chinese judges are unlikely to unmask Chinese domains used to hack other militaries. Does our working group accept these predictable outcomes as valid?</div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Court orders also take weeks. I'd like to hear a serious proposal on how this "legal process" will work and somehow not result in either a 100% shutdown of anti-abuse activity or a massive violation of privacy.</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">>> I strongly agree with this. Those registering domain names on the</span></div><div><span style="font-size:12.8px">>> Internet are not simply passive users, and it is reasonable to treat</span></div><div><span style="font-size:12.8px">>> them differently than people who are just visiting web pages, for</span></div><div><span style="font-size:12.8px">>> instance. Since the test is whether some infringement on people's</span></div><div><span style="font-size:12.8px">>> data is necessary, we will do well to remember that there is no need</span></div><div><span style="font-size:12.8px">>> to register domain names on the Internet in order to connect to it or</span></div><div><span style="font-size:12.8px">>> use it.</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Public whois has been a fact for a very long time. The only people who are shocked by this are uninformed. We can't dismantle the Internet for their sake.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 29, 2017 at 5:26 PM, Andrew Sullivan <span dir="ltr"><<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I am sympathetic, as you know, to the concerns of researchers using<br>
the current RDS. But I think we need to be careful.<br>
<span><br>
On Thu, Jun 29, 2017 at 04:04:18PM -0400, allison nixon wrote:<br>
> -The gated access cannot have an inferior user interface compared to<br>
> current tools<br>
<br>
</span>That is not a reasonable requirement: this WG is not responsible for<br>
tool development or design. The protocol needs to change -- has<br>
certainly needed to for 20 years -- and in order to make that happen<br>
some tools will need to change. There is no way to guarantee what<br>
people will do to the user interface when they change tools.<br>
Moreover, we don't have a common definition of what an "inferior" user<br>
interface is anyway. What would be a reasonable requirement is that<br>
it is _possible_ to build a simialr user interface as what already<br>
exists, but atop the new data access protocol.<br>
<span><br>
> -The gated access cannot have an inferior dataset<br>
<br>
</span>I don't think this requirement is possible to specify in advance,<br>
since it is precisely what we are arguing about. Accepting this<br>
requirement would be begging the question.<br>
<br>
(I would go through the rest of the items, but I think they have<br>
similar problems.) More generally,<br>
<span><br>
> The gated system is supposed to replicate in a closed system what the open<br>
> system has accomplished naturally. This is an exceedingly difficult task,<br>
> and the price of failure is high.<br>
<br>
</span>I think I disagree with this claim. We are in fact discussing what<br>
the gated system, if it is created, is supposed to contain. It is<br>
possible that there are things currently in the public whois that<br>
never should have been published at all, even to authenticated<br>
parties, without some legal processes and I think we are going to have<br>
to argue about that. I am not claiming that there are such things: I<br>
don't know, and part of my frustration over the last month or two has<br>
been that we have been arguing over the obvious rather than getting<br>
down to this quite difficult issue.<br>
<span><br>
> Users need to be educated about all the risks so they can weigh them in a<br>
> manner that makes the most sense for their situation. It's not just junk<br>
> mail.<br>
<br>
</span>I strongly agree with this. Those registering domain names on the<br>
Internet are not simply passive users, and it is reasonable to treat<br>
them differently than people who are just visiting web pages, for<br>
instance. Since the test is whether some infringement on people's<br>
data is necessary, we will do well to remember that there is no need<br>
to register domain names on the Internet in order to connect to it or<br>
use it.<br>
<span class="m_-2334465325999841959im m_-2334465325999841959HOEnZb"><br>
Best regards,<br>
<br>
A<br>
<br>
--<br>
Andrew Sullivan<br>
<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a><br>
</span><div class="m_-2334465325999841959HOEnZb"><div class="m_-2334465325999841959h5">______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-2334465325999841959gmail_signature" data-smartmail="gmail_signature">______________________________<wbr>___<br>Note to self: Pillage BEFORE burning.</div>
</div>