[Accred-Model] Letter to ICANN from RiskIQ

Rubens Kuhl rubensk at nic.br
Sun Apr 22 21:16:10 UTC 2018



> On 22 Apr 2018, at 15:44, <trachtenbergm at gtlaw.com> <trachtenbergm at gtlaw.com> wrote:
> 
> Rubens,
> 
> My comment was not meant to be made as an ad hominem attack but rather to make a point. I don't know the details of your takedown, but do know from 15 years' experience that, for the most effective online investigation and enforcement, access to registrant name and email is a critical element.

Partially true. Those can be used to do some correlations, but other factors such as name servers, IP address and target URL (if hiding in a redirection chain) are useful as well.

> Without these elements it is often impossible to tell if it's worth further investigation. If you want to share the intimate details of what the security incident was, how you found out about it, and how you took it down without using whois, please share.

A registrar has access to registration data and can act based on that. So, if someone detects that example.example is a security threat, it can raise that issue with the registrar and that registrar can correlate to other domains registered by the same wrongdoer. There is no secret sauce, and this happens in large amounts every day.

> But even in that case it doesn't mean that what you did in this one situation is applicable to detecting, investigating, and enforcing against the vast majority of online threats.

Both investigating and enforcing can be done by registrars or thick registries (if they continue to exist after GDPR). Detecting can be done both by registrars and by 3rd parties, and in my experience the best results come from all doing it: we run some pattern detection filters on the stream of new registrations and get threat feeds from the "usual suspects" (OpenPhish, PhishTank, ShadowServer etc.).
> 
>> "ICANN and the registries would also not be able to rely on a legitimate interest for making available all personal data in WHOIS directories to the general public."
> 
> To be clear, I am not advocating for public access to all WhoIs information - just registrant name, email, city and country.

Registrant name is a non-starter; it's foundational for privacy. Email also contains name in lots of cases (like yours and mine), and it's the main culprit for registrants' perception of privacy violation due to spam.
What might fly, and I provided Jonathan with some thoughts on that, are transformations of registrant email (and perhaps name) that could be used to do correlation among domains. So a 3rd party wouldn't be able to know who the registrant is, but would be able to match example1.example to example2.example.



> And I do not even advocate for this to be publicly available forever, but just in the interim.
> 

The interim time was between 27 April 2016, when GDPR passed, and 24 May 2018, the last day before its enforcement. Interim stops there, as some DPAs said:
https://iapp.org/news/a/dpas-to-pros-theres-no-grace-period-folks/

>> But as I said before, cut the middle-man and get the DPAs to say exactly what you believe is right. Then anyone not agreeing would first have to challenge that in a European court, but still comply with it in the meantime.
> 
> Let's be real - DPAs are not going to commit to anything specific. And even if some did, which ones control? Is one enough? 5? 10?

EDPB, known before May 25 as WP29. "The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions."



Rubens
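The message above describes two mechanisms without showing them: a registrar correlating a reported domain to other domains held by the same registrant, and a transformation of the registrant email that lets third parties match domains to each other without learning who the registrant is. The following is an added illustration, not code from this thread or from any registrar or registry; it assumes a keyed HMAC-SHA256 over a normalised email as the "transformation", a secret key held only by the party issuing tokens, and constructed sample registration records. The unkeyed variant is included only to show why the key matters: email addresses are guessable, so a plain hash can be matched against a candidate list.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample registration records (not real data). The fields are the
# ones the thread discusses: domain, registrant email, name server.
REGISTRATIONS = [
    {"domain": "example1.example", "email": "Jane.Doe@mail.example", "ns": "ns1.hoster.example"},
    {"domain": "example2.example", "email": "jane.doe@mail.example ", "ns": "ns2.other.example"},
    {"domain": "example3.example", "email": "someone.else@mail.example", "ns": "ns1.hoster.example"},
]


def normalize_email(email: str) -> str:
    """Canonicalise case and whitespace so trivial variations still correlate."""
    local, _, domain = email.strip().lower().rpartition("@")
    return f"{local}@{domain}"


def correlation_token(email: str, key: bytes) -> str:
    """Keyed pseudonym (assumed design): equal emails give equal tokens, and
    without the key the token cannot be checked against guessed emails."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def naive_token(email: str) -> str:
    """Unkeyed hash, shown only as the weak design to avoid."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def pseudonymous_record(record: dict, key: bytes) -> dict:
    """What a third party would see: the domain plus a registrant token, with
    no name or email in the published view."""
    return {"domain": record["domain"], "registrant_token": correlation_token(record["email"], key)}


def group_by_token(records, key: bytes) -> dict:
    """Cluster domains that share a registrant token."""
    groups = defaultdict(list)
    for r in records:
        groups[correlation_token(r["email"], key)].append(r["domain"])
    return dict(groups)


def correlated_domains(records, key: bytes, reported_domain: str) -> list:
    """Registrar-side lookup: given one reported domain, return the other
    domains registered under the same registrant token."""
    reported = next(r for r in records if r["domain"] == reported_domain)
    token = correlation_token(reported["email"], key)
    return sorted(
        r["domain"]
        for r in records
        if r["domain"] != reported_domain and correlation_token(r["email"], key) == token
    )


def guess_identity(token: str, candidates, token_fn):
    """Dictionary check used to evaluate a token scheme: return the candidate
    email that reproduces the token under token_fn, or None. Succeeds against
    the unkeyed hash, fails against the keyed token when the key is unknown."""
    for candidate in candidates:
        if token_fn(candidate) == token:
            return normalize_email(candidate)
    return None


if __name__ == "__main__":
    key = b"constructed-secret-key"  # placeholder; a real key would be generated and stored securely
    print(correlated_domains(REGISTRATIONS, key, "example1.example"))
    print([pseudonymous_record(r, key) for r in REGISTRATIONS])
```

Running it shows example1.example correlating to example2.example despite the differing case and trailing space in the stored email, while the published records carry only a token. Whoever holds the key (the registrar or registry in the thread's framing) can still reach the underlying registrant data for enforcement; a third party can only match tokens to each other.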
