[gnso-rds-pdp-wg] For your review - updated RDS Statement of Purpose

Marina Lewis marina at dns-law.com
Fri Oct 7 05:59:07 UTC 2016 

+1

Marina A. Lewis
marina at dns-law.com<mailto:marina at dns-law.com>
(415) 290-1245

On Oct 6, 2016, at 7:47 PM, Greg Shatan <gregshatanipc at gmail.com<mailto:gregshatanipc at gmail.com>> wrote:

Criminals have a goal of not getting caught.

Law enforcement has a goal of catching criminals.  They actually succeed quite often.  The time, cost and level of success depend on the tools available.

Criminals have a goal of ripping people off.  Online crime undermines the security of the Internet and reduces consumer/end-user trust and confidence in the Internet.

Maintaining the security of the Internet and trust in the Internet is a critical part of ICANN's mission.

Our policy recommendations have to support ICANN's mission.

The direction in which we need to go seems fairly clear.

Greg Shatan




On Thursday, October 6, 2016, Stephanie Perrin <stephanie.perrin at mail.utoronto.ca<mailto:stephanie.perrin at mail.utoronto.ca>> wrote:

Not at all, ordinary people make mistakes all the time.  However, rarely would this kind of mistake render the person/organization un-contactable, which it seems to me is the evil we are trying to avoid with bad data.  On the other hand, criminals have a goal of being untraceable, so will continue to make sure they are not located, right?

SP

On 2016-10-06 19:20, Mark Svancarek wrote:
There seems to be a presumption that bad data is caused entirely by bad people.
Do we actually have data showing which fraction of bad data is created with criminal intent, and which fraction is just people being lazy or careless and then never being held accountable by the data actually being verified?

From: gnso-rds-pdp-wg-bounces at icann.org<javascript:_e(%7B%7D,'cvml','gnso-rds-pdp-wg-bounces at icann.org');> [mailto:gnso-rds-pdp-wg-bounces at icann.org<javascript:_e(%7B%7D,'cvml','gnso-rds-pdp-wg-bounces at icann.org');>] On Behalf Of Stephanie Perrin
Sent: Thursday, October 6, 2016 3:09 PM
To: gnso-rds-pdp-wg at icann.org<javascript:_e(%7B%7D,'cvml','gnso-rds-pdp-wg at icann.org');>
Subject: Re: [gnso-rds-pdp-wg] For your review - updated RDS Statement of Purpose


I agree with those pushing back on including a commitment to accuracy in this statement of purpose.  I think there are a number of sound reasons for this.  Those of us who push back are not advocating for bad data, that would be silly.  What we are addressing is the futility of attempting to get the criminal element to put good data in their registration data.  If we force them, we drive ID theft.  Here are a few of my reasons:

1.  Governments actually do not usually invest taxpayers money verifying citizen data, they provide penalties for having inaccurate data and leave it at that.  Verifying address and phone number, given the mobility of the population in the countries I am familiar with from my past government service (US, Canada, Australia, New Zealand, and UK) is expensive and there is very little way to enforce it.  This being the case, why would we force ICANN to do this?  The cost inevitably would fall on the Registrars and registries, and be passed on to the end users.

2.  As mentioned above, any pressure to improve data quality can hardly be expected to get criminals to give their accurate data, it will drive them to steal good data.

3.  The vast majority of people are actually honest.  I do realize that there is a high volume of cybercrime, but penalizing the majority of end users for the actions of a few (even if those actions result in a high volume of phishing and malware etc) is not good policy.  There are other ways to catch and dump bad domains.  Prosecution of malfeasant registrants remains a problem, but frankly how many can be prosecuted across borders anyway?

4.  We do have questions about accuracy that we need to address, according to our charter.  The purpose of this purpose statement is to boil down our business requirements for the activity in which we are engaged.  While many actors want more accurate data, how to get that accuracy is so open to question that I regard its inclusion in the statement of purpose as setting impossible goals.  I would be happy to revise this sentence as follows:

To enable release of accurate gTLD registration data that may not otherwise be publicly available, under specific and explicit policy-defined conditions   Change to



To enable release of gTLD registration data that may not otherwise be publicly available under specific conditions defined by policy, and to develop mechanisms to encourage greater accuracy of data.
Stephanie Perrin
On 2016-10-06 16:48, Chris Pelling wrote:
Hi Nick,

I would actually concur with Volker.  I see your point but, can I ask a question, the data collected cannot be proven to any certainty because we have nothing as the registry/registrar community to "check" it against.  Simply checking say the address against a city, against a State, against a postal/zip code then country isnt proving the registrant data is correct, its simply proving that the registrant can open a phone book and pick an address out.

Until tools are created to prove that registrant is actually at address X,  accuracy is a rather moot point.

I agree with your point about law enforcement and bad data being a cost to the public purse, but until the governments can get together and work out a solution for the data to be verified there is little anyone can do.

Registrant giving fake address = bad data
Registrant giving correct address of neighbour = bad data
Registrant giving old address where previously lived = bad data - but at least it could be validated against old correct data and cross checked

This list could be endless :

Registrant giving correct data = good, verifiable.   Maybe the governments can work out a solution to being able to verify their citizens data.

I would love to find a solution that is workable and commercially viable, the governments and LEA can then use the data with some surety to its worthiness - although this is a totally separate topic, I would like to sit down and discuss it further - the governments getting together and helping this work.

Just a thought.

Kind regards,

Chris

________________________________
From: "Nick Shorey" <nick.shorey at culture.gov.uk><javascript:_e(%7B%7D,'cvml','nick.shorey at culture.gov.uk');>
To: "Volker Greimann" <vgreimann at key-systems.net><javascript:_e(%7B%7D,'cvml','vgreimann at key-systems.net');>
Cc: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org><javascript:_e(%7B%7D,'cvml','gnso-rds-pdp-wg at icann.org');>
Sent: Thursday, 6 October, 2016 17:38:55
Subject: Re: [gnso-rds-pdp-wg] For your review - updated RDS Statement of        Purpose

Interesting comments Volker! I guess it's all about the perspective you view it from I suppose. The impact of bad data on law enforcement investigations can also be waste of valuable time and cost. Except the cost comes out of of the public purse...


Nick Shorey BA(Hons) MSc.
Senior Policy Advisor | Global Internet Governance
Department for Culture, Media & Sport
HM Government | United Kingdom

Email: nick.shorey at culture.gov.uk<javascript:_e(%7B%7D,'cvml','nick.shorey at culture.gov.uk');>
Tel: +44 (0)7710 025 626
Skype: nick.shorey
Twitter: @nickshorey
LinkedIn: www.linkedin.com/in/nicklinkedin<http://www.linkedin.com/in/nicklinkedin>

On 6 October 2016 at 17:23, Volker Greimann <vgreimann at key-systems.net<javascript:_e(%7B%7D,'cvml','vgreimann at key-systems.net');>> wrote:


Hi Greg,
Arguments to the contrary tend to look like a Defense of Bad Data.  I can't think of any reasons to defend bad data, unless one wants a bad database.
If you want reasons, here are a few:
1) Cost
2) Waste of valuable time
3) Implementation nightmares
4) No actual standard that applies worldwide
5) Legacy data from legacy sources
6) Customer service nightmare
It's reasonable to strive for perfectly accurate data, but accept that one will never get there.  There should be commercially reasonable and proportionate methods to get as close as practically possible.
One can strive for anything, but it may never be achieved, consuming valuable ressources on the way. How many people died trying to reach the south pole, the north pole, the peak of the Matterhorn, before someone made it. While that first one to make is famous now, consider the loss of life and ressources wasted we spent getting there.
We have not (in this group) discussed data migration, but assuming a Garbage In, Garbage Out approach doesn't seem reasonable.  Whether all the data is validated before migration, or just validated as part of a normal validation cycle, it needs be validated.
Existing data in is the only feasible solution if you want a manageable transition process.
As for validation by the road, before designing a process we should define who is going to have to implement it, process it, deal with user complaints, pay for it, etc. What is better data worth to those who have to pay for it? Are those that benefit from better data going to finance it (including all associated costs)? If so, let's talk....

Best,
Volker


On Thu, Oct 6, 2016 at 11:00 AM, Carlton Samuels <carlton.samuels at gmail.com<javascript:_e(%7B%7D,'cvml','carlton.samuels at gmail.com');>> wrote:

+1.

Not to make too fine a point of it. But the EWG was tasked to re-imagine an RDS.  If this PDP is tasked to build on the works of EWG maybe it'd be useful to re-visit certain ideas we now hold as verities.

-Carlton


==============================
Carlton A Samuels
Mobile: 876-818-1799<tel:876-818-1799>
Strategy, Planning, Governance, Assessment & Turnaround
=============================

On Wed, Oct 5, 2016 at 7:38 PM, Holly Raiche <h.raiche at internode.on.net<javascript:_e(%7B%7D,'cvml','h.raiche at internode.on.net');>> wrote:

Folks

Maybe we need to back up a bit and go back to the Charter and what we are supposed to be doing.  Let me quote directly from it:

First - background: Quoting the Charter on the Board decision to launch this PDP:

On 26 May, 2015, the ICANN Board passed a resolution adopting that Process Framework and reaffirming its 2012 request for a Board - initiated PDP to define the purpose of collecting, maintaining and providing access to gTLD registration data, and to consider safeguards for protecting data, using the recommendations in the EWG’s Final Report as an input to, and, if appropriate, as the foundation for a new gTLD policy


Later - what The Charter tasked this Working Group with:


As part of its Phase 1 deliberations, the PDP WG should work to reach consensus recommendations by considering, at a minimum, the following complex and inter-related questions:
 Users/Purposes: Who should have access to gTLD registration data and why?
 Gated Access: What steps should be taken to control data access for each user/purpose?
 Data Accuracy: What steps should be taken to improve data accuracy?
 Data Elements: What data should be collected, stored, and disclosed?
 Privacy: What steps are needed to protect data and privacy?
 Coexistence: What steps should be taken to enable next-generation RDS coexistence with and replacement of the legacy WHOIS system?
Compliance: What steps are needed to enforce these policies?
 System Model:What system requirements must be satisfied by any next-generation RDS implementation?
 Cost: What costs will be incurred and how must they be covered?
 Benefits: What benefits will be achieved and how will they be measured?
 Risks: What risks do stakeholders face and how will they be reconciled?


So accuracy’s there - along with a lot of other issues. That is not saying that accuracy is not covered in existing requirements on registries/registrars.  But it is giving a broader meaning to RDS - i.e., it’s not just about collection, maintenance and access to data; it’s also about safeguards, etc - using the EWG work.

So thanks Rob.  It’s a bit premature to rule issues out when they are well and truly on our table.


Holly




On 6 Oct 2016, at 6:37 am, Rod Rasmussen <rrasmussen at infoblox.com<javascript:_e(%7B%7D,'cvml','rrasmussen at infoblox.com');>> wrote:

Folks,

Gotta chime in here, since the EWG provided a lot of thinking on this issue. If you haven’t already, please review the EWG report sections on data accuracy and also the concept of data validators and their relationship to the RDS.  For example, I would note that a well-provisioned RDS would be able to provide some sort of validation checks against existing data in the use case of trying to prevent impersonation (a form of accuracy) of an existing registrant (a big brand like Facebook for instance).  Another concept we found very important in the EWG is the idea of creating a contact data set tied to a contact ID that is portable between registrars and registries.  This provides for the purpose-based contacts we talk about at great length in the report.  It also is key for addressing some of the fundamental operational issues that lead to inaccurate, out-of-date data at various registrars.  If you have a change in your contact information (a new e-mail for instance) and hold multiple roles in conjunction with many domains, you have a real challenge making updates throughout the universe of your domain names.  Using a data validator and then acting via the RDS, when you make a change to your contact info, that automatically can be reflected in all domains you are associated with and thus improve accuracy tremendously.  Those are just a couple examples of how an RDS can be involved in dealing with accuracy issues and represent many of the concepts you can address once you look beyond the current paradigm of registrar controlled contact information anchored specifically to individual domain names.  Accuracy in the “generic” system (including registries, registrars, RDS, validators, some other group we haven’t thought of yet) is definitely in-scope.  How that is done can take many forms and could have different roles played by different participants in the entire ecosystem.

Cheers,

Rod

On Oct 5, 2016, at 10:36 AM, benny at nordreg.se<javascript:_e(%7B%7D,'cvml','benny at nordreg.se');> wrote:

But the data accuracy can’t be done in RDS, the accuracy is done on a registrar level when collecting data.
RDS shall under no circumstances alter any information received from registry / registrars and showing any different info than what is collected on that level.

WG can look at what accuracy they want registrars to do yes, but RDS doesn’t do anything.

--
Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20161007/83a97d24/attachment.html>

More information about the gnso-rds-pdp-wg mailing list