<div dir="ltr">Jeremy, I strongly disagree with your previous email on a technical and factual basis due to the fact that my dayjob often centers on the exact issues you're describing. I think it's very important that the EFF understands the nuances of this issue and if you're interested in learning more about the process of how information is gathered and used I can walk you through recent incidents i worked on, and any number of other incidents i can remember working if you have the interest. <div><br></div><div>Whether or not the EFF agrees with the work of anti-abuse professionals may be a point of debate (or may not, I don't know if your org even likes the idea of anti-abuse or not), but if the EFF believes this information has no utility for our purposes then that is completely factually incorrect.<br><div><br></div><div>I coped your email and responded inline.<br></div><div><br></div><div><div>>> They think that anti-abuse professionals should be able to work with</div><div>>> whatever information they have that we already collect for the narrower</div><div>>> technical purposes of the operation of the DNS. </div><div><br></div><div>"whatever information they have" includes the currently collected WHOIS info, which we are not asking for any expansion of. </div><div><br></div><div>>>There is no added value</div><div>>> in collecting personal information - </div><div><br></div><div>This is completely and factually untrue. There are countless cases that I can point to where WHOIS data either connected previously-unrelated pieces of malicious infrastructure, or connected malicious infrastructure to their original owner's true identity. Also the ability to notify owners of compromised infrastructure. I believe that counts as added value.</div><div><br></div><div>>> after all, criminals are not going</div><div>>> to provide correct information anyway, </div><div><br></div><div>Again, a completely factually untrue statement. It is an assumption that many people make if they have not spent much time using WHOIS to track abuse. Many criminals do, or used to, put their personal data in WHOIS fields. They often redact them later when they get far along enough in their criminal careers. This is where historical WHOIS plays a part.</div><div><br></div><div>Additionally, faked WHOIS data is critically important. Similarities between faked WHOIS data are used to find potentially related domains and inform investigations. Any investigator worth their salt knows the value in observing the human predictability in attempts to generate randomness. Lies tell their own truth.</div><div><br></div><div>>> and if a domain has been</div><div>>> compromised then the personal information of the original registrant</div><div>>> isn't going to help much, </div><div><br></div><div>This is once again very much factually untrue. In cases of domains that are stolen and used to commit crimes, this makes a huge difference in how the registrant is treated. In most abuse cases, the provider cuts off service and does not offer refunds. However if the registrant is simply another victim, the provider treats them differently.</div><div><br></div><div>>> and its availability in the wild could cause</div><div>>> significant harm to the registrant.</div><div><br></div></div><div>Once again, untrue. If the people dealing with the abuse see the registrant as another victim, instead of the perpetrator, this can prevent situations where people are wrongfully searched or arrested. In the investigations world there are still a lot of police, especially in jurisdictions without a mature cyber investigations program, that are unable to differentiate when someone is the criminal or is simply another victim/proxy. Making these waters muddier increases the chance of this happening, and increases the number of arrests and searches on people who are simply another victim. </div><div><br></div><div>In conclusion, I don't know who your cybersecurity expert is within the EFF, but they are not an expert in WHOIS or investigations. But there are a number of people on this list that do use WHOIS in our daily jobs and we are telling you a very different message. Jeremy if my offer to show you my work interests you, might be best for a direct phone call and screen share session.</div><div><br></div><div>re: jonathan matkowsky's email, which came later:</div><div>>> The overwhelming majority of phishing is on compromised domains, and the primary course of mitigation is contacting the victim alongside their hosting provider. This is not done by the registrars currently but it could be contractually imposed on them, I suppose. </div><div><br></div><div>If WHOIS is shut down, then the registrars absolutely must take an increased responsibility. In my work with different providers, the vast majority will absolutely refuse to forward any concerns to the end user even with evidence. They only want to do the bare minimum because reducing costs is more important than anything else to that industry.</div><div><br></div><div>I like the idea of ICANN contractually obligating registrars to take on increased anti-abuse responsibility, but I also know this is never going to happen because the costs are going to be unacceptable. We also run into the issue that some registrars are run by criminals and they would love that kind of power.</div><div><br></div><div><br></div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 3, 2017 at 3:05 PM, Jeremy Malcolm <span dir="ltr"><<a href="mailto:jmalcolm@eff.org" target="_blank">jmalcolm@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So because my comments have generated a bit of blowback from people I<br>
respect, I took the initiative to consult internally with some of my<br>
colleagues who have more expertise in cybersecurity than I do, to make<br>
sure that I'm not missing something. It turns out that they agree with<br>
my take on what EFF's position is here.<br>
<br>
They did not think that we should be designing an RDS that would gather<br>
information about domain registrants beyond what is required for<br>
technical operation of the DNS. Even if such information were only<br>
limited to anti-abuse professionals, that also wouldn't work. There<br>
would be nothing to stop malicious actors from identifying as anti-abuse<br>
professionals - neither would want to have a system to "vet" anti-abuse<br>
professionals, because that would be even more problematic.<br>
<br>
They think that anti-abuse professionals should be able to work with<br>
whatever information they have that we already collect for the narrower<br>
technical purposes of the operation of the DNS. There is no added value<br>
in collecting personal information - after all, criminals are not going<br>
to provide correct information anyway, and if a domain has been<br>
compromised then the personal information of the original registrant<br>
isn't going to help much, and its availability in the wild could cause<br>
significant harm to the registrant.<br>
<br>
So, I stand by what I originally wrote and can confirm that this is<br>
EFF's position, much as the anti-abuse professionals on this list may<br>
disagree with it.<br>
<div class="HOEnZb"><div class="h5"><br>
On 30/9/17 3:07 pm, Greg Aaron wrote:<br>
> I assume that the EFF (or its Internet service provider, Unwired) uses reputation systems to filter the EFF's email and keep malware, phishing, and spam from reaching the EFF staff. Just like every other enterprise out there.<br>
><br>
> Recently the EFF has been worried about malware and phishing attacks against NGOs, and has been a proponent of patching compromised machines that are being used to attack other people. Reputation systems are what people use to protect themselves and their networks against such things.<br>
><br>
> Would the DNS work without reputation systems? That is the wrong question, a reductio ad absurdum. A DNS without any users is worthless. Reputation systems are one of the things that keeps the Internet usable.<br>
><br>
> Domain names exist in order to enable communication. And in the DNS, people can send you whatever packets they want to, whether you want it or not. Users need to decide what traffic they wish to accept, and part of that is understanding what the sender or origin is. And some of those senders want to do us, and the people we wish to protect, great harm.<br>
><br>
> All best,<br>
> --Greg<br>
><br>
><br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a> [mailto:<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-<wbr>bounces@icann.org</a>] On Behalf Of Jeremy Malcolm<br>
> Sent: Friday, September 29, 2017 2:57 PM<br>
> To: <a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
> Subject: Re: [gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)<br>
><br>
> On 29/9/17 11:44 am, Andrew Sullivan wrote:<br>
>> Since we are making policy for a system that is used in support of<br>
>> domain name operation, we need to make that support work for all the<br>
>> parts of the operations in question. One of the operations in<br>
>> question is various reputation systems, so I think it is not optional<br>
>> for us to support that functionality.<br>
> I disagree, I think that a case can be made that reputation systems are important, but they're not essential to the operation of the DNS. You might as easily say that because advertising revenue is also used "in support of domain name operation", we need to make sure that the DNS supports that. There are lots of different working parts of the Internet ecosystem that make our online experience better, including voluntary reputation systems, but would the DNS still work without them? Yes.<br>
><br>
> --<br>
> Jeremy Malcolm<br>
> Senior Global Policy Analyst<br>
> Electronic Frontier Foundation<br>
> <a href="https://eff.org" rel="noreferrer" target="_blank">https://eff.org</a><br>
> <a href="mailto:jmalcolm@eff.org">jmalcolm@eff.org</a><br>
><br>
> Tel: <a href="tel:415.436.9333%20ext%20161" value="+14154369333">415.436.9333 ext 161</a><br>
><br>
> :: Defending Your Rights in the Digital World ::<br>
><br>
> Public key: <a href="https://www.eff.org/files/2016/11/27/key_jmalcolm.txt" rel="noreferrer" target="_blank">https://www.eff.org/files/<wbr>2016/11/27/key_jmalcolm.txt</a><br>
> PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122<br>
><br>
><br>
<br>
--<br>
Jeremy Malcolm<br>
Senior Global Policy Analyst<br>
Electronic Frontier Foundation<br>
<a href="https://eff.org" rel="noreferrer" target="_blank">https://eff.org</a><br>
<a href="mailto:jmalcolm@eff.org">jmalcolm@eff.org</a><br>
<br>
Tel: <a href="tel:415.436.9333%20ext%20161" value="+14154369333">415.436.9333 ext 161</a><br>
<br>
:: Defending Your Rights in the Digital World ::<br>
<br>
Public key: <a href="https://www.eff.org/files/2016/11/27/key_jmalcolm.txt" rel="noreferrer" target="_blank">https://www.eff.org/files/<wbr>2016/11/27/key_jmalcolm.txt</a><br>
PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122<br>
<br>
<br>
</div></div><br>______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">_________________________________<br>Note to self: Pillage BEFORE burning.</div>
</div>