[gnso-rds-pdp-wg] Dangers of public whois

allison nixon elsakoo at gmail.com
Tue Feb 14 05:38:22 UTC 2017


This car metaphor isn't complete without also stating that some car owners
purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as
possible. Even though they re-use their name on every single vehicle
registration, the subpoena takes so long that the city can no longer
automatically block the cars as they enter, and need to wait for them to
run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll
leave it alone now.

I've mostly been lurking for the whole duration of this group, and please
forgive me if I'm missing something massive here, but I get the impression
that most people here don't spend a lot of time doing investigations. But
this is my life. If I needed a subpoena for every single historical lookup,
pivot, and reverse search, I would get zero done due to a lack of legal
authority. Many if not most of the people doing the heavy lifting in
anti-cybercrime efforts are private citizens with no government issued
authority. It seems that the general expectation here is that limiting
access to people with badges is OK, but I'm telling you there is a severe
lack of those skillsets and it will be years before we see widespread
technical literacy among the police. Whatever system results, private
citizens need a path for unrestricted and automated access. And if we want
to talk protecting privacy, I think criminally motivated violations of
privacy are far more likely to affect everyone's day to day life right now,
and automated WHOIS lookups are used heavily especially in anti-phishing
and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data
and turn up hundreds of domains used for the same type of malicious
activity, and predict with a high accuracy which domains will be malicious
before they are used for anything. It sometimes turns up domains owned by
innocent people, and I doubt privacy minded people would like that, but the
reality is I rarely ever encounter WHOIS data that is convincing PII. It's
almost all fake. And if it's not fake, it's a company's public contact
info, or it's a foolish person who turned down WHOIS privacy protection,
and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and
correct? Can we ever expect to have meaningful data when registrars are
allowed to take Bitcoins over Tor as payment? At what point does "privacy"
become an empty argument when some of these Internet hosting/registrar
companies clearly profit from facilitating abuse, and network defenders
block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake
data submitted by fraudsters, and I see few harms from the privacy side of
things, because people seem to generally realize that "123 fake st" is a
perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this
is surely an abuse of the original system. But it seems like building a
pyramid from the top down, restricting access to supposed "PII" that is
unlikely to contain PII, to the detriment of legitimate efforts that also
seek to enhance privacy by preventing criminal theft of private data like
bank account numbers.


On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam at lanfranco.net> wrote:

> I have to strongly agree with Alex that whatever the criteria are for thin
> data, they cannot include that thin data "is transitive" in some sort of
> bread crumb trail manner.
>
> Everything is potentially transitive in that sense. I observe a vehicle
> but all I get is make, model and license plate, and in most jurisdictions
> that is all I get. It is the vehicle owner's "thin data". Of course I can
> hang around, see that the car has a baby seat, witness a woman or man
> putting a child in the car, assume that she/he has legitimate access to the
> car, follow the car and assemble more personal information (lives at; works
> at; shops at; visits;) The license plate didn't facilitate that crumb train
> discovery, but no license plate would hamper legitimate seeking of
> information about who owns the car (issuing a parking ticket, LEA
> investigation, etc.). License plate is part of thin data with no gated
> access. Of course, this will change in the era of the digital vehicle.
> Depending on security, and authorization, one will be able to just ask the
> car, and ask about a lot of things...like whose cell phone was in the
> passenger's seat last night, when I was supposed to be alone )-:
>
> There needs to be a similar balance (license plate but no owner's name
> unless wanted, like Sam's Curry Pizza Barn logo, phone number and website
> URL painted on the side).
>
> More Important, have we made progress (convergence) on the working
> principles that should be brought to bear in building a thin data set? A
> lot of time has been spent looking at good case and bad case scenarios.
> What operational principles have been distilled from all these examples?
> What is the balance between thin data inclusion and exclusion, and design
> and technical solutions that can be used to prevent (for example) robotic
> harvesting? There is another frontier here, and that is what governments
> will do to restrain or enable certain uses of thin data? While ICANN needs
> to be aware of what is going on there, that part is beyond ICANN's remit,
> but those policies will help shape some of the context within which ICANN
> deals with the thin data task.
>
> Sam L
>
>
> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
>
>> All,
>>
>> So it seems the debate has progressed from “thin data” to “thick data”
>> (i.e. data that includes email).  I know we are all super excited to talk
>> about “thick data” but I don’t think we are there yet (are we?  Hopefully I
>> didn’t miss the party…)
>>
>> Focusing on thin data for the moment I struggle to understand how it is
>> personal data.  I do not believe it is.    As for the odd logic proposed by
>> some that the property of privacy is transitive (i.e. Because “thin data”
>> can be used to link/point/discover other data then “thin data” equals
>> “personal data”) I just don’t buy it.
>>
>> I don’t disagree with much of what was expressed in this thread, however
>> we must keep in mind that balance and proportionality are important
>> concepts in many (all?) data privacy laws.   Any arguments that imply that
>> no such balance exists (or should exist) is obstructive IMO.
>>
>> Alex
>>
>>
>> On 2/13/17, 5:42 AM,  <gnso-rds-pdp-wg-bounces at icann.org on behalf of
>> michele at blacknight.com> wrote:
>>
>>      I agree and I know from how I’ve used various email addresses that
>>      they are actively being harvested and spammed.
>>
>>      Also it’s one of the biggest sources of complaints we get from
>>      our clients (registrants)
>>
>>      It’s definitely not an “edge case”.
>>
>>      Regards
>>
>>      Michele
>>      --
>>      Mr Michele Neylon
>>      Blacknight Solutions
>>      Hosting, Colocation & Domains
>>      https://www.blacknight.com/
>>      http://blacknight.blog/
>>      Intl. +353 (0) 59 9183072
>>      Direct Dial: +353 (0)59 9183090
>>      Social: http://mneylon.social
>>      Some thoughts: http://ceo.hosting/
>>      -------------------------------
>>      Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>>      Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>>           _______________________________________________
>>      gnso-rds-pdp-wg mailing list
>>      gnso-rds-pdp-wg at icann.org
>>      https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
> --
> *--------------------------------------------*
> "It is a disgrace to be rich and honoured
> in an unjust state" -Confucius
> ----------------------------------------------
> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
> YorkU email: Lanfran at Yorku.ca   Skype: slanfranco
> blog:  http://samlanfranco.blogspot.com
> Phone: 613 476-0429 cell: 416-816-2852
>
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.