[gnso-rds-pdp-wg] Dangers of public whois
allison nixon
elsakoo at gmail.com
Tue Feb 14 16:57:09 UTC 2017
A lot of replies since last night
>>Would you be able to carry out your investigations normally if access to
WHOIS thick were restricted only by the need to enter an email?
I am personally OK with being held accountable for the data i search for. I
think a lot of the desire to require subpeonas or search warrants for WHOIS
data is a need for the "watchers" to be held accountable, which I do
believe in on a philosophical level. My search history would include NDA
and sensitive information such as identities of clients and investigations
in progress, so I wouldn't want it broadcasted, but I am absolutely
prepared to demonstrate that my use is not abusive.
>>So basicaly what you say are… Buhu my work will get harder, let all
innocent registrants suffer from spam/scam mail sprung out of the whois
data published, all those registrants who get fake mails about renewing
there domain or buying fake SEO plans?
How can anyone defend that we have data published to get abused just
because some bad guys registrer domains? And those of you who does will
still have access to the date just not in the same easy way…
>>Sorry for my harsh tone but I really don’t see why we cant look past our
own walls and find a solution which are to the better for all..
I don't take it personally at all. And the spam to WHOIS data is a problem.
I used to use real data on some old domains of mine, until I started
receiving the spam, and discovered the existence of WHOIS and how easy it
is to access. I have not used real info since that time.
But the reality is that cybercrime is a growing multi billion dollar
"industry", and the community of people that resist this industry is VERY
small, and VERY overwhelmed. If our jobs get harder, it won't be us who are
"buhu"ing, it will be you and everyone else who will pay higher fees on
everything. We will be paid handsomely regardless, so I'm not speaking on
behalf of myself but on behalf of the people I try to protect. If you want
to make light of a global problem, please choose one that doesn't involve
unbelievable amounts of monetary losses, and doesn't cause far worse
privacy violations than the stuff yall seem to be concerned about.
Here are some hard facts about the volume of abuse going on:
https://www.spamhaus.org/statistics/tlds/
Right now, 93.3 percent of all domains registered under the .science TLD
are malicious!
>>the question should be: Do you have a legally enforceable right to access
that data and do with it whatever you please.
At the moment, the answer to that is yes. And network owners also have a
right to decide who they want to interact with. WHOIS is used as part of
that determination. Not only is registrant data correlated with past
malicious registrants, but the age of the domain is also determined through
WHOIS. Without this granularity, network owners will absolutely err on the
side of blocking too much over too little. We already see this with
residential ISPs blocking entire TCP and UDP ports for their customer base,
because the alternative is a level of abuse that takes the entire network
down. Where is the "free and open Internet" when the Internet doesn't work
anymore? Those are the battles that are being fought right now, and
pretending this isn't a problem is a "wall" on yalls part, not mine.
Here is a list of all the ports that Comcast blocks for its users. This has
nothing to do with freedom of speech and everything to do with the fact
that Comcast's network will die if they don't do this. As a consequence I
can't send outbound TCP/25 SMTP anymore:
https://www.xfinity.com/support/internet/list-of-blocked-ports/
And over-blocking is going to be a worse problem when granularity is taken
away from network defenders. When Spamhaus decides an entire country's TLD
has too much abuse, most network operators will agree, and legitimate sites
(like that country's government, companies, and media outlets) are an
acceptable loss. You're going to see more of this, and that country's
government has little recourse aside from cleaning up their entire TLD so
network operators can be convinced to remove the blocks. But since
abuse-laden TLDs are usually that way due to lack of budget, it's more
likely that the entire country will simply suffer harms instead.
I am really surprised at how little credence is being given to these
problems.
On Tue, Feb 14, 2017 at 9:41 AM, theo geurts <gtheo at xs4all.nl> wrote:
>
> Hi John,
>
> I agree we do not want to create a centralized registration and
> surveillance scheme.
>
> Such a system would be subject to many regulations and fines from Data
> Regulators. If we do not execute privacy properly we are creating a system
> that will cost millions of dollars in fines alone. Tho that would actually
> answer the question are the costs of RDS viable. The answer would be no.
>
> Theo
> On 14-2-2017 14:59, John Horton wrote:
>
> Nathalie and others,
>
> I wanted to take a moment and explain why I'm strongly opposed to
> requiring email or other registration in order to view thin or thick
> details. For the reasons outlined below, I think it's antithetical to the
> open and decentralized nature of the internet, and constitutes a form of
> internet surveillance.
>
> First, putting aside repressive regimes, private networks and edge cases,
> one of the hallmark principles of the internet is that it's open; you don't
> have to register or justify your need to access information on the
> internet. And, it's decentralized. Historically, its open nature has
> included not only being able to see a website, but also the registration
> details for the website's domain name. And, whatever governments may do
> (which isn't the question here), there's no centralized internet
> surveillance or registration authority for internet users generally.
>
> If we impose a scheme where there is a central organization with the
> authority to a) require registration and b) centrally control access, and
> c) (as has been proposed) require the user to provide a reason for their
> access, that organization then also has the ability to d) make judgment
> calls about what reasons are valid and which are not and e) maintain data
> on who accessed what RDS data, for what reason, for how long and why. Note
> also that at least one version of the EWG report said that f) the
> organization would be empowered to levy punitive measures against internet
> users who accessed more data than the RDS deems appropriate.
>
> So: you have a system that surveils internet users who access some
> information and maintains data on their use of that data. Let's think about
> the following scenarios from the point of view of openness,
> decentralization and civil liberties.
>
> - A journalist (or blogger) is writing an investigative article and
> wants to find out who is behind a domain name. If we require registration
> and disclosure of the reason, that in essence creates a situation where the
> RDS de facto is monitoring that journalist and determining if their basis
> for conducting the investigation is worthy. It also allows the RDS the
> ability to monitor the journalist's use of the domain name registration
> data. This potentially chills free speech.
> - Consider a political activist who wishes to expose corruption by an
> elected politician and wants to access RDS information to show, for
> example, conflicts of interests in the politician's business operations.
> Once the political activist has to disclose who they are, let alone why
> they are accessing the information, that not only chills legitimate
> political activism but also potentially opens up a route for government
> abuse (e.g., if a government agency were able to subpoena the list of who
> accessed RDS information for which domain names and why).
> - Academic researchers periodically review Whois/RDS data; requiring
> them to register before reviewing data and disclose why they are doing the
> research potentially empowers the RDS to monitor academic research and
> determine its worthiness.
> - Imagine that a cybercrime network is under investigation (as they
> are wont to be); requiring law enforcement to register -- particularly if
> there is a log of which domain names they reviewed RDS for -- can
> potentially compromise the investigation if that information is disclosed.
> Would registrants have the right to be informed every time that someone
> registered to review their RDS details?
>
> For one central entity to possess that much power over internet users is
> something that I think we should avoid, and it's antithetical to the
> principles of openness and decentralization. There are other well-known
> solutions to spam and inappropriate contacts; forcing all other legitimate
> activities to grind to a screeching halt -- particular under the umbrella
> of a surveillance scheme -- is a cure worse than the disease.
>
> I recognize and agree that we should try to find constructive solutions to
> this that require some compromise, and I'm grateful not only for the
> expertise that Stephanie and others have brought to this group, but also
> that Benny and others have pointed out some of the problems with Whois
> details being inappropriately used (e.g., for spam). However, I wanted to
> outline my strong concerns about creating a centralized registration and
> surveillance scheme over one subset of internet users as part of the
> solutions.
>
> John Horton
> President and CEO, LegitScript
>
>
> *Follow LegitScript*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com> | Facebook
> <https://www.facebook.com/LegitScript> | Twitter
> <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com>*
> | Google+ <https://plus.google.com/112436813474708014933/posts>
>
>
>
>
> On Tue, Feb 14, 2017 at 4:10 AM, nathalie coupet via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
>> Hi Allison,
>>
>> Would you be able to carry out your investigations normally if access to
>> WHOIS thick were restricted only by the need to enter an email?
>>
>> With regards to privacy by design, instead of pushing for the
>> implementation of this concept inside the realm of WHOIS where it is
>> foreign, since it is an engineering concept, why not advocate for its
>> implementation at the design level of the Internet, where it belongs?
>>
>>
>> Nathalie
>>
>>
>> On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo at gmail.com>
>> wrote:
>>
>>
>> This car metaphor isn't complete without also stating that some car
>> owners purchase them for the sole purpose of running over people!
>>
>> Some car owners purchase fleets of cars to run over as many people as
>> possible. Even though they re-use their name on every single vehicle
>> registration, the subpeona takes so long that the city can no longer
>> automatically block the cars as they enter, and need to wait for them to
>> run over a few people before they can do anything about it.
>>
>> This metaphor has obviously been tortured past the point of absurdity,
>> I'll leave it alone now.
>>
>> I've mostly been lurking for the whole duration of this group, and please
>> forgive me if I'm missing something massive here, but I get the impression
>> that most people here don't spend a lot of time doing investigations. But
>> this is my life. If I needed a subpeona for every single historical lookup,
>> pivot, and reverse search, I would get zero done due to a lack of legal
>> authority. Many if not most of the people doing the heavy lifting in
>> anti-cybercrime efforts are private citizens with no government issued
>> authority. It seems that the general expectation here is that limiting
>> access to people with badges is OK, but I'm telling you there is a severe
>> lack of those skillsets and it will be years before we see widespread
>> technical literacy among the police. Whatever system results, private
>> citizens need a path for unrestricted and automated access. And if we want
>> to talk protecting privacy, I think criminally motivated violations of
>> privacy are far more likely to affect everyone's day to day life right now,
>> and automated WHOIS lookups are used heavily especially in anti-phishing
>> and anti-spam operations.
>>
>> With the status quo, I can go on fishing expeditions through the WHOIS
>> data and turn up hundreds of domains used for the same type of malicious
>> activity, and predict with a high accuracy which domains will be malicious
>> before they are used for anything. It sometimes turns up domains owned by
>> innocent people, and I doubt privacy minded people would like that, but the
>> reality is I rarely ever encounter WHOIS data that is convincing PII. It's
>> almost all fake. And if it's not fake, it's a company's public contact
>> info, or it's a foolish person who turned down WHOIS privacy protection,
>> and will change their WHOIS as soon as the spam starts flowing.
>>
>> Have there been any studies on what percentage of WHOIS data is real and
>> correct? Can we ever expect to have meaningful data when registrars are
>> allowed to take Bitcoins over Tor as payment? At what point does "privacy"
>> become an empty argument when some of these Internet hosting/registrar
>> companies clearly profit from facilitating abuse, and network defenders
>> block entire TLDs due to the saturation of abuse?
>>
>> From my vantage point, I see great benefit from seeing patterns in the
>> fake data submitted by fraudsters, and I see few harms from the privacy
>> side of things, because people seem to generally realize that "123 fake st"
>> is a perfectly acceptable WHOIS entry.
>>
>> I also recognize this situation is completely absurd. Every aspect of
>> this is surely an abuse of the original system. But it seems like building
>> a pyramid from the top down, restricting access to supposed "PII" that is
>> unlikely to contain PII, to the detriment of legitimate efforts that also
>> seek to enhance privacy by preventing criminal theft of private data like
>> bank account numbers.
>>
>>
>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam at lanfranco.net> wrote:
>>
>> I have to strongly agree with Alex that whatever the criteria are for
>> thin data, they cannot include that thin data "is transitive" in some sort
>> of bread crumb trail manner.
>>
>> Everything is potentially transitive in that sense. I observe a vehicle
>> but all I get is make, model and license plate, and in most jurisdictions
>> that is all I get. It is the vehicle owner's "thin data". Of course I can
>> hang around, see that the car has a baby seat, witness a woman or man
>> putting a child in the car, assume that she/he has legitimate access to the
>> car, follow the car and assemble more personal information (lives at; works
>> at; shops at; visits;) The license plate didn't facilitate that crumb train
>> discovery, but no license plate would hamper legitimate seeking of
>> information about who owns the car (issuing a parking ticket, LEA
>> investigation, etc.) . License plate is part of thin data with no gated
>> access. Of course, this will change in the era of the digital vehicle.
>> Depending on security, and authorization, one will be able to just ask the
>> car, and ask about a lot of things...like whose cell phone was in the
>> passenger's seat last night, when I was supposed to be alone )-:
>>
>> There needs to be a similar balance (license plate but no owner's name
>> unless wanted, like Sam's Curry Pizza Barn logo, phone number and website
>> URL painted on the side).
>>
>> More Important, have we made progress (convergence) on the working
>> principles that should be brought to bear in building a thin data set. A
>> lot of time has been spent looking at good case and bad case scenarios.
>> What operational principles have been distilled from all these examples?
>> What is the balance between thin data inclusion and exclusion, and design
>> and technical solutions that can be used to prevent (for example) robotic
>> harvesting? There is another frontier here, and that is what governments
>> will do to restrain or enable certain uses of thin data? While ICANN needs
>> to be aware of what is going on there, that part is beyond ICANN's remit,
>> but those policies will help shape some of the context within which ICANN
>> deals with the thin data task.
>>
>> Sam L
>>
>>
>> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
>>
>> All,
>>
>> So it seems the debate has progressed from “thin data” to “thick data”
>> (i.e. data that includes email). I know we are all super excited to talk
>> about “thick data” but I don’t think we are there yet (are we? Hopefully I
>> didn’t miss the party…)
>>
>> Focusing on thin data for the moment I struggle to understand how it is
>> personal data. I do not believe it is. As for the odd logic proposed by
>> some that the property of privacy is transitive (i.e. Because “thin data”
>> can be used to link/point/discover other data then “thin data” equals
>> “personal data”) I just don’t buy it.
>>
>> I don’t disagree with much of what was expressed in this thread, however
>> we must keep in mind that balance and proportionality are important
>> concepts in many (all?) data privacy laws. Any arguments that imply that
>> no such balance exists (or should exist) is obstructive IMO.
>>
>> Alex
>>
>>
>> On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces at icann .org
>> <gnso-rds-pdp-wg-bounces at icann.org> on behalf of michele at blacknight.com>
>> wrote:
>>
>> I agree and I know from how I’ve used various email addresses that
>> they are actively being harvested and spammed.
>> Also it’s one of the biggest sources of complaints we get from
>> our clients (registrants)
>> It’s definitely not an “edge case”.
>> Regards
>> Michele
>> --
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting, Colocation & Domains
>> https://www.blacknight.com/
>> http://blacknight.blog/
>> Intl. +353 (0) 59 9183072
>> Direct Dial: +353 (0)59 9183090
>> Social: http://mneylon.social
>> Some thoughts: http://ceo.hosting/
>> ----------------------------- --
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>> ______________________________ _________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>> ______________________________ _________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>> --
>> *----------------------------- ---------------*
>> "It is a disgrace to be rich and honoured
>> in an unjust state" -Confucius
>> ------------------------------ ----------------
>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
>> YorkU email: Lanfran at Yorku.ca Skype: slanfranco
>> blog: http://samlanfranco.blogspot.c om
>> <http://samlanfranco.blogspot.com/>
>> Phone: 613 476-0429 cell: 416-816-2852
>>
>>
>> ______________________________ _________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg
>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>
>>
>>
>>
>> --
>> _________________________________
>> Note to self: Pillage BEFORE burning.
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
--
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170214/d2437f35/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list