<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">John, you just have to
be accredited, and authenticated to get tiered access. No
problem. DPAs agree. Then you get all the finegrained stuff
you need, and since it is not public there are fewer Mickey
and Minnie Mouse entries...</font></font></p>
<p><font size="+1"><font face="Lucida Grande">End users can
understand that they don't want their own phone number in the
book. What they cannot understand is how to read the WHOIS
and figure out who is behind a website or an email, and
whether that person/entity is even who they should expect to
see there. WHOIS is not a phone book, where it concerns the
actors one needs to be concerned about, or the large
corporations one wants to trust but verify. It is a maze.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">SP</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-12-07 21:54, John Bambenek via
gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5c44ed8f-7ab1-e72d-c897-dc73db1f2a57@bambenekconsulting.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>This is the most important point you have made of which I am in
violent agreement:</p>
<p><font size="+1"><font face="Lucida Grande">"The noncommercial
users constituency has been trying to make this point since
it was formed. Life is too complex to dump all this on the
end user. "<br>
</font></font></p>
The reason open WHOIS is necessary (and end users can surely
understand how open directories work much like phone books do), is
because the service providers see no need to police usage of their
system and dump that on end-users. Because they can't do it,
people like me and anti-abuse organizations exist (many doing work
for little to no money). If domain registries, hosting providers
and ISPs ACTUALLY enforced their AUPs, or better yet, kicked
criminals off their systems, there would literally be no need for
people like me. I wouldn't need WHOIS in that scenario, because I
quite literally would not be working.<br>
<br>
Take phishing for example, it took us how many YEARS to get ICANN
and the registrars to even begin to deal with overt brand
impersonation? And even then, identification of domains used in
brand impersonation is still outsources to me and the brands
involved to notify the registries that their own service is being
misused.<br>
<br>
The attempt again to disabuse the notion that WHOIS isn't
necessary... let's go back to the French presidential elections.
We discovered Russian attempts to phish En Marche! that ultimately
led to 7 e-mail accounts being linked PURELY by whois data. We saw
domains registered with that "brand", we correlated registrant
information, and enumerated all that in time for En Marche! to
take mitigating steps. Without whois, it would have played out
like this, the attempts at Russian election influence would have
been discovered once the emails got leaked (and probably more than
7 accounts), at which point, the damage was done. We are in a
world were foreign powers are messing with others' democractic
processes. Surely we can agree that having tools to stop such
activities would be a good thing?<br>
<br>
When those who are in business relationships with criminals and
other miscreants say "security is not our job", that outsources it
to me and others like me. And usually, we only have coarse tools
to work with.<br>
<br>
You could take WHOIS away from me (and let's all be honest here,
you're going to). That will just leave me blocking strategies that
are more prone to collateral damage. For instance, I could block
every domain for X registry because they ignore complaints, I have
no ability to contact the end domain owner, and I'm left with no
other option. Yes, that will adversely impact some measure of
otherwise innocent people. But you've taken away my ability to be
precise, so it's either no protection, or protection with
collateral damage. The good news is, when we do provider-based
bans, we let people know why so they can choose better providers.<br>
<br>
It also means that instead of working with domain owners or other
less costly ways of dealing with abuse, now, for 100% of domain
based abuse reports, I'm just going to go to court and drag the
registry in. Sure, there are some subset that have proxy
registration you have to deal with. Now you're going to deal with
100% of all domains and you're going to have to deal with it in a
court of law. It won't cost me much, it will cost the registries.
This will literally create orders of magnitude more work and legal
costs for the registries.<br>
<br>
But I reject the notion that the common person doesn't understand
the notion of what happens when their phone number is put on the
internet because they all have facebook and twitter accounts.<br>
<br>
If you want our blocking and enforcement to be precise, we need
precise information. If you don't give us precise information,
we're still going to protect our constituencies, there just will
be collateral damage. You can blame us for that, of course, but
the reality, we aren't the ones creating this problem.<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/07/2017 08:08 PM, Stephanie
Perrin wrote:<br>
</div>
<blockquote
cite="mid:d402a82c-aeec-5690-3b30-6bd56336fff4@mail.utoronto.ca"
type="cite"><font size="+1"><font face="Lucida Grande">The
noncommercial users constituency has been trying to make
this point since it was formed. Life is too complex to dump
all this on the end user. </font></font></blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>