[gnso-rds-pdp-wg] Dangers of public whois

allison nixon elsakoo at gmail.com
Tue Feb 14 16:58:36 UTC 2017


Benny, dude, you just wrote "Buhu my work will get harder", so please don't
complain about adult and mature answers

On Tue, Feb 14, 2017 at 11:56 AM, benny at nordreg.se <benny at nordreg.se> wrote:

> A very adult and mature answer… with some nice baked in threats, funny it's
> only your kind of crimes which matter apparently… oh and the final one which
> is always dragged out when there are no more arguments, think about
> the one child we can save…
>
> To answer your questions hidden in the threats, yes you are part of the
> better for all but that also means everyone has to give and take to come
> to a better solution.
> In your ignorance you completely miss the point that by having all these data
> public there are crimes committed every minute by using those data, but hey
> what does that matter as long as your business can roll on… I guess those
> people will thank you for your helpful insights…
>
> Welcome to the discussion
>
>
>
> --
> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>
> Benny Samuelsen
> Registry Manager - Domainexpert
>
> Nordreg AB - ICANN accredited registrar
> IANA-ID: 638
> Phone: +46.42197080
> Direct: +47.32260201
> Mobile: +47.40410200
>
> > On 14 Feb 2017, at 17:29, John Bambenek <jcb at bambenekconsulting.com>
> wrote:
> >
> > Let me translate Allison's comments in the light of your mockery.
> >
> > Your ideas of privacy are patently absurd and your arrogance that
> entire industries need to rewrite how they do things to suit your effete
> and fantastical notions is breathtaking. Your mockery of people who
> investigate crime is just icing on the cake. It's not a question of looking
> past your own walls, it's a question of whether you religious fanatics can
> acknowledge that other use cases are valid (or are we not part of the "all"
> in "better for all"). Are you really suggesting preventing spam is a higher
> priority than stopping human trafficking online?
> >
> > If someone who had need of privacy came to me for advice on registering
> a domain name I would tell them absolutely not to do it. Use blogspot or
> any other mechanism that doesn't involve a financial transaction to shield
> your privacy. Creating paper trails is always a poor life decision when
> OPSEC matters. Anything less and I would stop taking your concerns
> seriously.
> >
> > That said, we have a viable compromise, it's called whois privacy
> protection. And it allows me to use risk based decisions on how I treat
> traffic to such domains.
> >
> > But if you wish to enable criminals to better hide so they can steal
> people's life savings, so they can anonymously traffic in child
> exploitation or to engage in sextortion against teenage girls all because
> you can't handle a spam filter, you can count me one that will line up
> against you and very publicly label you an enabler of child sexual
> exploitation. Then I will go to Congress, drag ICANN back under the
> Department of Commerce and ensure some adult supervision is had.
> >
> > Or you can calm the hell down and knock it off with your attitude and we
> can find a viable middle ground. Totally your call.
> >
> > And if you are really concerned about spammers, I help run
> investigations against them too (using whois data, in part) and could
> totally use the help.
> >
> > Sent from my iPhone
> >
> >> On Feb 14, 2017, at 05:28, "benny at nordreg.se" <benny at nordreg.se> wrote:
> >>
> >> So basically what you say is… Buhu my work will get harder, let all
> innocent registrants suffer from spam/scam mail sprung out of the whois
> data published, all those registrants who get fake mails about renewing
> their domain or buying fake SEO plans?
> >> How can anyone defend that we have data published to get abused just
> because some bad guys register domains? And those of you who do will
> still have access to the data, just not in the same easy way…
> >>
> >> Sorry for my harsh tone but I really don’t see why we can't look past
> our own walls and find a solution which is to the better for all..
> >>
> >>
> >> --
> >> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
> >>
> >> Benny Samuelsen
> >> Registry Manager - Domainexpert
> >>
> >> Nordreg AB - ICANN accredited registrar
> >> IANA-ID: 638
> >> Phone: +46.42197080
> >> Direct: +47.32260201
> >> Mobile: +47.40410200
> >>
> >>> On 14 Feb 2017, at 06:38, allison nixon <elsakoo at gmail.com> wrote:
> >>>
> >>> This car metaphor isn't complete without also stating that some car
> owners purchase them for the sole purpose of running over people!
> >>>
> >>> Some car owners purchase fleets of cars to run over as many people as
> possible. Even though they re-use their name on every single vehicle
> registration, the subpoena takes so long that the city can no longer
> automatically block the cars as they enter, and need to wait for them to
> run over a few people before they can do anything about it.
> >>>
> >>> This metaphor has obviously been tortured past the point of absurdity,
> I'll leave it alone now.
> >>>
> >>> I've mostly been lurking for the whole duration of this group, and
> please forgive me if I'm missing something massive here, but I get the
> impression that most people here don't spend a lot of time doing
> investigations. But this is my life. If I needed a subpoena for every
> single historical lookup, pivot, and reverse search, I would get zero done
> due to a lack of legal authority. Many if not most of the people doing the
> heavy lifting in anti-cybercrime efforts are private citizens with no
> government issued authority. It seems that the general expectation here is
> that limiting access to people with badges is OK, but I'm telling you there
> is a severe lack of those skillsets and it will be years before we see
> widespread technical literacy among the police. Whatever system results,
> private citizens need a path for unrestricted and automated access. And if
> we want to talk protecting privacy, I think criminally motivated violations
> of privacy are far more likely to affect everyone's day to day life right
> now, and automated WHOIS lookups are used heavily especially in
> anti-phishing and anti-spam operations.
> >>>
> >>> With the status quo, I can go on fishing expeditions through the WHOIS
> data and turn up hundreds of domains used for the same type of malicious
> activity, and predict with a high accuracy which domains will be malicious
> before they are used for anything. It sometimes turns up domains owned by
> innocent people, and I doubt privacy minded people would like that, but the
> reality is I rarely ever encounter WHOIS data that is convincing PII. It's
> almost all fake. And if it's not fake, it's a company's public contact
> info, or it's a foolish person who turned down WHOIS privacy protection,
> and will change their WHOIS as soon as the spam starts flowing.
> >>>
> >>> Have there been any studies on what percentage of WHOIS data is real
> and correct? Can we ever expect to have meaningful data when registrars are
> allowed to take Bitcoins over Tor as payment? At what point does "privacy"
> become an empty argument when some of these Internet hosting/registrar
> companies clearly profit from facilitating abuse, and network defenders
> block entire TLDs due to the saturation of abuse?
> >>>
> >>> From my vantage point, I see great benefit from seeing patterns in the
> fake data submitted by fraudsters, and I see few harms from the privacy
> side of things, because people seem to generally realize that "123 fake st"
> is a perfectly acceptable WHOIS entry.
> >>>
> >>> I also recognize this situation is completely absurd. Every aspect of
> this is surely an abuse of the original system. But it seems like building
> a pyramid from the top down, restricting access to supposed "PII" that is
> unlikely to contain PII, to the detriment of legitimate efforts that also
> seek to enhance privacy by preventing criminal theft of private data like
> bank account numbers.
> >>>
> >>>
> >>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam at lanfranco.net>
> wrote:
> >>> I have to strongly agree with Alex that whatever the criteria are for
> thin data, they cannot include that thin data "is transitive" in some sort
> of bread crumb trail manner.
> >>>
> >>> Everything is potentially transitive in that sense. I observe a
> vehicle but all I get is make, model and license plate, and in most
> jurisdictions that is all I get. It is the vehicle owner's "thin data". Of
> course I can hang around, see that the car has a baby seat, witness a woman
> or man putting a child in the car, assume that she/he has legitimate access
> to the car, follow the car and assemble more personal information (lives
> at; works at; shops at; visits;) The license plate didn't facilitate that
> crumb trail discovery, but no license plate would hamper legitimate seeking
> of information about who owns the car (issuing a parking ticket, LEA
> investigation, etc.). License plate is part of thin data with no gated
> access. Of course, this will change in the era of the digital vehicle.
> Depending on security, and authorization, one will be able to just ask the
> car, and ask about a lot of things...like whose cell phone was in the
> passenger's seat last night, when I was supposed to be alone )-:
> >>>
> >>> There needs to be a similar balance (license plate but no owner's name
> unless wanted, like Sam's Curry Pizza Barn logo, phone number and website
> URL painted on the side).
> >>>
> >>> More Important, have we made progress (convergence) on the working
> principles that should be brought to bear in building a thin data set. A
> lot of time has been spent looking at good case and bad case scenarios.
> What operational principles have been distilled from all these examples?
> What is the balance between thin data inclusion and exclusion, and design
> and technical solutions that can be used to prevent (for example) robotic
> harvesting? There is another frontier here, and that is what governments
> will do to restrain or enable certain uses of thin data? While ICANN needs
> to be aware of what is going on there, that part is beyond ICANN's remit,
> but those policies will help shape some of the context within which ICANN
> deals with the thin data task.
> >>>
> >>> Sam L
> >>>
> >>>
> >>> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
> >>> All,
> >>>
> >>> So it seems the debate has progressed from “thin data” to “thick data”
> (i.e. data that includes email).  I know we are all super excited to talk
> about “thick data” but I don’t think we are there yet (are we?  Hopefully I
> didn’t miss the party…)
> >>>
> >>> Focusing on thin data for the moment I struggle to understand how it
> is personal data.  I do not believe it is.    As for the odd logic proposed
> by some that the property of privacy is transitive (i.e. Because “thin
> data” can be used to link/point/discover other data then “thin data” equals
> “personal data”) I just don’t buy it.
> >>>
> >>> I don’t disagree with much of what was expressed in this thread,
> however we must keep in mind that balance and proportionality are important
> concepts in many (all?) data privacy laws.   Any argument that implies that
> no such balance exists (or should exist) is obstructive IMO.
> >>>
> >>> Alex
> >>>
> >>>
> >>> On 2/13/17, 5:42 AM,  <gnso-rds-pdp-wg-bounces at icann.org on behalf of
> michele at blacknight.com> wrote:
> >>>
> >>>    I agree and I know from how I’ve used various email addresses that
> they are actively being harvested and spammed.
> >>>         Also it’s one of the biggest sources of complaints we get from
> our clients (registrants)
> >>>         It’s definitely not an “edge case”.
> >>>         Regards
> >>>         Michele
> >>>              --
> >>>    Mr Michele Neylon
> >>>    Blacknight Solutions
> >>>    Hosting, Colocation & Domains
> >>>    https://www.blacknight.com/
> >>>    http://blacknight.blog/
> >>>    Intl. +353 (0) 59 9183072
> >>>    Direct Dial: +353 (0)59 9183090
> >>>    Social: http://mneylon.social
> >>>    Some thoughts: http://ceo.hosting/
> >>>    -------------------------------
> >>>    Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
> Park,Sleaty
> >>>    Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
> >>>         _______________________________________________
> >>>    gnso-rds-pdp-wg mailing list
> >>>    gnso-rds-pdp-wg at icann.org
> >>>    https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> >>>
> >>> --
> >>> *--------------------------------------------*
> >>> "It is a disgrace to be rich and honoured
> >>> in an unjust state" -Confucius
> >>> ----------------------------------------------
> >>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
> >>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
> >>> YorkU email: Lanfran at Yorku.ca   Skype: slanfranco
> >>> blog:  http://samlanfranco.blogspot.com
> >>> Phone: 613 476-0429 cell: 416-816-2852
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> _________________________________
> >>> Note to self: Pillage BEFORE burning.
> >>
>
>


-- 
_________________________________
Note to self: Pillage BEFORE burning.