[gnso-rds-pdp-wg] Dangers of public whois

Volker Greimann vgreimann at key-systems.net
Fri Feb 10 09:38:20 UTC 2017


Hi Greg,

while Spicer may have done many things differently, this was not 
intended to point out why Spicer is an imbecile but rather to illustrate 
an overarching point: Public data enables abuse.
> Here are some facts to consider:
> * Privacy protection was available and Spicer didn’t obtain it.  That was his choice.
It was for him, but not all registrars or resellers offer it.
> * Spicer agreed to have his data published in WHOIS.  So that was either OK with him, or he didn't read the terms of service in his domain registration agreement.  Either way, it was his choice.
If you could see the number of complaints we get about publishing the 
private data of our customers even though they have agreed to our terms 
and voluntarily handed it over, you might argue differently. Most 
registrants (Mums, Dads, Singles, Teens, etc) do not know what whois is, 
and have no idea that their address will be published. By Choice? I 
don't think so.
As a provider, you can warn them only so much.
> * Spicer tweeted out his own Twitter password.  He's responsible for that.
Indeed.
> * Spicer himself published his email address in many, many public places over the years.  A simple Google search will tell you what his email address was.
He did, many others don't.
> * Those data breaches that Volker mentions have nothing to do with domain registration data.  They did not reveal domain registration data.  Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years.  Bad corporate security allowed those breaches to happen.
I completely agree about the data breaches themselves, however the email 
address being public makes the work of those that wish to benefit from 
these breaches that much easier: They just have to look at the address 
listed in the whois, then check if the address has appeared in any of 
the leaked data files and that is that. If the address had not been 
publicly listed, that piece of information would have been harder to find.
> * Spicer has a very different risk profile than the average person.   He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world).  A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone.
I wonder how many more cases are out there like this. And even if 
someone is not in the public limelight that does not mean they are not 
vulnerable to their data being abused.

Best,
Volker
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Volker Greimann
> Sent: Thursday, February 9, 2017 4:28 AM
> To: gnso-rds-pdp-wg at icann.org
> Subject: [gnso-rds-pdp-wg] Dangers of public whois
>
> As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for:
>
> mashable.com/2017/02/07/sean-spicer-who-is
>
> also here:
> http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-privacy/
>
> While it could not have hit a nicer guy, he completely and accurately followed policy and look where it led. His private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper.
>
> I hope this helps remind folks that getting private data out of the public view is a good thing.
>

-- 
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.





