[gnso-rds-pdp-wg] Dangers of public whois
Volker Greimann
vgreimann at key-systems.net
Tue Feb 14 14:26:39 UTC 2017
The thing with private data is that it is amazing what you can
legitimately and illegitimately do with it. You can correlate,
investigate, use, abuse it in any shape or form, but at the end of the
day, the question should be: Do you have a legally enforceable right to
access that data and do with it whatever you please. Many jurisdictions
have decided that the protection of the individual weighs heavier than
any potentially beneficial uses.
And if you have a right to access the data, you will still be able to do so.
Best,
Volker
Am 14.02.2017 um 13:10 schrieb nathalie coupet via gnso-rds-pdp-wg:
> Hi Allison,
>
> Would you be able to carry out your investigations normally if access
> to WHOIS thick were restricted only by the need to enter an email?
>
> With regards to privacy by design, instead of pushing for the
> implementation of this concept inside the realm of WHOIS where it is
> foreign, since it is an engineering concept, why not advocate for its
> implementation at the design level of the Internet, where it belongs?
>
> Nathalie
>
>
> On Tuesday, February 14, 2017 12:38 AM, allison nixon
> <elsakoo at gmail.com> wrote:
>
>
> This car metaphor isn't complete without also stating that some car
> owners purchase them for the sole purpose of running over people!
>
> Some car owners purchase fleets of cars to run over as many people as
> possible. Even though they re-use their name on every single vehicle
> registration, the subpeona takes so long that the city can no longer
> automatically block the cars as they enter, and need to wait for them
> to run over a few people before they can do anything about it.
>
> This metaphor has obviously been tortured past the point of absurdity,
> I'll leave it alone now.
>
> I've mostly been lurking for the whole duration of this group, and
> please forgive me if I'm missing something massive here, but I get the
> impression that most people here don't spend a lot of time doing
> investigations. But this is my life. If I needed a subpeona for every
> single historical lookup, pivot, and reverse search, I would get zero
> done due to a lack of legal authority. Many if not most of the people
> doing the heavy lifting in anti-cybercrime efforts are private
> citizens with no government issued authority. It seems that the
> general expectation here is that limiting access to people with badges
> is OK, but I'm telling you there is a severe lack of those skillsets
> and it will be years before we see widespread technical literacy among
> the police. Whatever system results, private citizens need a path for
> unrestricted and automated access. And if we want to talk protecting
> privacy, I think criminally motivated violations of privacy are far
> more likely to affect everyone's day to day life right now, and
> automated WHOIS lookups are used heavily especially in anti-phishing
> and anti-spam operations.
>
> With the status quo, I can go on fishing expeditions through the WHOIS
> data and turn up hundreds of domains used for the same type of
> malicious activity, and predict with a high accuracy which domains
> will be malicious before they are used for anything. It sometimes
> turns up domains owned by innocent people, and I doubt privacy minded
> people would like that, but the reality is I rarely ever encounter
> WHOIS data that is convincing PII. It's almost all fake. And if it's
> not fake, it's a company's public contact info, or it's a foolish
> person who turned down WHOIS privacy protection, and will change their
> WHOIS as soon as the spam starts flowing.
>
> Have there been any studies on what percentage of WHOIS data is real
> and correct? Can we ever expect to have meaningful data when
> registrars are allowed to take Bitcoins over Tor as payment? At what
> point does "privacy" become an empty argument when some of these
> Internet hosting/registrar companies clearly profit from facilitating
> abuse, and network defenders block entire TLDs due to the saturation
> of abuse?
>
> From my vantage point, I see great benefit from seeing patterns in the
> fake data submitted by fraudsters, and I see few harms from the
> privacy side of things, because people seem to generally realize that
> "123 fake st" is a perfectly acceptable WHOIS entry.
>
> I also recognize this situation is completely absurd. Every aspect of
> this is surely an abuse of the original system. But it seems like
> building a pyramid from the top down, restricting access to supposed
> "PII" that is unlikely to contain PII, to the detriment of legitimate
> efforts that also seek to enhance privacy by preventing criminal theft
> of private data like bank account numbers.
>
>
> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam at lanfranco.net
> <mailto:sam at lanfranco.net>> wrote:
>
> I have to strongly agree with Alex that whatever the criteria are
> for thin data, they cannot include that thin data "is transitive"
> in some sort of bread crumb trail manner.
>
> Everything is potentially transitive in that sense. I observe a
> vehicle but all I get is make, model and license plate, and in
> most jurisdictions that is all I get. It is the vehicle owner's
> "thin data". Of course I can hang around, see that the car has a
> baby seat, witness a woman or man putting a child in the car,
> assume that she/he has legitimate access to the car, follow the
> car and assemble more personal information (lives at; works at;
> shops at; visits;) The license plate didn't facilitate that crumb
> train discovery, but no license plate would hamper legitimate
> seeking of information about who owns the car (issuing a parking
> ticket, LEA investigation, etc.) . License plate is part of thin
> data with no gated access. Of course, this will change in the era
> of the digital vehicle. Depending on security, and authorization,
> one will be able to just ask the car, and ask about a lot of
> things...like whose cell phone was in the passenger's seat last
> night, when I was supposed to be alone )-:
>
> There needs to be a similar balance (license plate but no owner's
> name unless wanted, like Sam's Curry Pizza Barn logo, phone number
> and website URL painted on the side).
>
> More Important, have we made progress (convergence) on the working
> principles that should be brought to bear in building a thin data
> set. A lot of time has been spent looking at good case and bad
> case scenarios. What operational principles have been distilled
> from all these examples? What is the balance between thin data
> inclusion and exclusion, and design and technical solutions that
> can be used to prevent (for example) robotic harvesting? There is
> another frontier here, and that is what governments will do to
> restrain or enable certain uses of thin data? While ICANN needs to
> be aware of what is going on there, that part is beyond ICANN's
> remit, but those policies will help shape some of the context
> within which ICANN deals with the thin data task.
>
> Sam L
>
>
> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
>
> All,
>
> So it seems the debate has progressed from “thin data” to
> “thick data” (i.e. data that includes email). I know we are
> all super excited to talk about “thick data” but I don’t think
> we are there yet (are we? Hopefully I didn’t miss the party…)
>
> Focusing on thin data for the moment I struggle to understand
> how it is personal data. I do not believe it is. As for
> the odd logic proposed by some that the property of privacy is
> transitive (i.e. Because “thin data” can be used to
> link/point/discover other data then “thin data” equals
> “personal data”) I just don’t buy it.
>
> I don’t disagree with much of what was expressed in this
> thread, however we must keep in mind that balance and
> proportionality are important concepts in many (all?) data
> privacy laws. Any arguments that imply that no such balance
> exists (or should exist) is obstructive IMO.
>
> Alex
>
>
> On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces at icann .org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org> on behalf of
> michele at blacknight.com <mailto:michele at blacknight.com>> wrote:
>
> I agree and I know from how I’ve used various email
> addresses that they are actively being harvested and spammed.
> Also it’s one of the biggest sources of complaints
> we get from our clients (registrants)
> It’s definitely not an “edge case”.
> Regards
> Michele
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> http://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Direct Dial: +353 (0)59 9183090
> Social: http://mneylon.social <http://mneylon.social/>
> Some thoughts: http://ceo.hosting/
> ----------------------------- --
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside
> Business Park,Sleaty
> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.:
> 370845
> ______________________________ _________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
> ______________________________ _________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
> --
> *----------------------------- ---------------*
> "It is a disgrace to be rich and honoured
> in an unjust state" -Confucius
> ------------------------------ ----------------
> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
> YorkU email: Lanfran at Yorku.ca Skype: slanfranco
> blog: http://samlanfranco.blogspot.c om
> <http://samlanfranco.blogspot.com/>
> Phone: 613 476-0429 cell: 416-816-2852
>
>
> ______________________________ _________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann
- Rechtsabteilung -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
www.facebook.com/KeySystems
www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken
Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170214/4411157a/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list