[gnso-rds-pdp-wg] Dangers of public whois

Tue Feb 14 23:12:05 UTC 2017

One of many domain ownership verification schemes (adding a TXT record is
another one)

Is that going to be the only use? Seriously? Has there been any
consideration for the actual use cases of a private WHOIS system?

On Tue, Feb 14, 2017 at 5:21 PM, benny at nordreg.se <benny at nordreg.se> wrote:

> Proof of ownership of the registration for example
> The hidden data can be turned public for getting a ssl certificate and
> then hidden again
>
> I am not saying it's a perfect solution but a start to think different
> from what we have today in the gTLD world
>
>
> Sent from my iPhone
>
> On 14 Feb 2017, at 23:11, allison nixon <elsakoo at gmail.com> wrote:
>
> What would the WHOIS data be used for once it is made private? Why would
> people want to supply correct, or any, data? If it isn't used for financial
> transactions with the registrar, and can no longer be used as a public
> contact "phone book", then aside from criminal investigations what is the
> point of this?
>
> On Tue, Feb 14, 2017 at 5:02 PM, benny at nordreg.se <benny at nordreg.se>
> wrote:
>
>> Oh sorry I forgot that it was stated that just give fake info and you are
>> safe...
>>
>> That's in my opinion a sign of a sick system which badly need to be fixed!
>>
>> I will point to a previous post with .SE which have a build in protection
>> of private registered domains, people gives correct data because they can
>> trust the system for not leaking data.
>> Are there abuse cases, yes but they are solvable even with the non public
>> data
>>
>> But if you have a good example of a cost free alternative solution which
>> will work in any jurisdiction I will be happy to hear about it. It will
>> probably educate others too with knowledge...
>>
>> Sent from my iPhone
>>
>> > On 14 Feb 2017, at 22:48, Kiran Malancharuvil <
>> Kiran.Malancharuvil at markmonitor.com> wrote:
>> >
>> > Why would the cost of owning a domain name be giving up sensitive
>> private information when there are so many alternatives? Contactable
>> information does not mean information that makes you vulnerable.
>> >
>> > Kiran Malancharuvil
>> > Policy Counselor
>> > MarkMonitor
>> > 415-419-9138 (m)
>> >
>> > Sent from my mobile, please excuse any typos.
>> >
>> >> On Feb 14, 2017, at 1:41 PM, "benny at nordreg.se" <benny at nordreg.se>
>> wrote:
>> >>
>> >> I will admit that stupid was a bad choice of word.
>> >>
>> >> But we all know that most people don't read the info about privacy and
>> what they agree too by accepting conditions and so on. I will still argue
>> that that is not an excuse for not making a better system which prevent
>> public data in Whois to be abused on a daily basis.
>> >>
>> >> That can't be all put on the registrars responsibility it must be
>> anchored through policy and community support through a system that provide
>> the best possible solution for all parts. If that is realistic is another
>> question which only time will show what we can deliver as a united group
>> were compromises from all must be admitted.
>> >>
>> >> If owning a domain are a privilege and the cost are giving up you
>> private info receiving spam and your date being used for fraud and ID theft
>> then we can just conclude that personal domains are only for the elite who
>> pay the extra costs of privacy and the rest can sell their souls to Google,
>> Microsoft or some of the others with so-called free services. But is that
>> what we really want?
>> >>
>> >> I doubt it....
>> >>
>> >> Sent from my iPhone
>> >>
>> >>> On 14 Feb 2017, at 22:10, Kiran Malancharuvil <
>> Kiran.Malancharuvil at markmonitor.com> wrote:
>> >>>
>> >>> Benny,
>> >>>
>> >>> Perhaps you recall in the article that sparked this discussion that
>> even the author acknowledges that education about Whois and who has access
>> to the data may be key to avoid disclosure of sensitive data, and perhaps
>> that is the responsibility of the Registrar.  I don't think anyone
>> suggested that only "stupid people" put in real addresses.  Lack of
>> education about something doesn't mean you're stupid, it may mean you
>> weren't given the proper education and resources.  With the proper
>> education and resources, perhaps people will do what they do whenever they
>> have to give an address for public records (such as business incorporation
>> documents), e.g.: create a d/b/a.  After all, it's not as if everyone is
>> forced to own a domain name and forced to put in home contact information.
>> Like owning a business, owning a domain name is a privilege that should (of
>> course) be afforded to as many people as possible, according to desire and
>> (perhaps) comes with some responsibilities such as providing contactable
>> information.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Kiran
>> >>>
>> >>> Kiran Malancharuvil
>> >>> Policy
>> >>> MarkMonitor
>> >>> 415.222.8318 (t)
>> >>> 415.419.9138 (m)
>> >>> www.markmonitor.com
>> >>>
>> >>>
>> >>>
>> >>> -----Original Message-----
>> >>> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:
>> gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of benny at nordreg.se
>> >>> Sent: Tuesday, February 14, 2017 10:35 AM
>> >>> To: allison nixon <elsakoo at gmail.com>
>> >>> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>> >>> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois
>> >>>
>> >>> Can you please reveal where you work and you job title? I would love
>> to put these advices forward to ICANN compliance when we will be held up
>> for allowing this…
>> >>>
>> >>> I would  be very helpful to have a good reference saying that only
>> stupid people put in  there real adress
>> >>> --
>> >>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>> >>>
>> >>> Benny Samuelsen
>> >>> Registry Manager - Domainexpert
>> >>>
>> >>> Nordreg AB - ICANN accredited registrar
>> >>> IANA-ID: 638
>> >>> Phone: +46.42197080
>> >>> Direct: +47.32260201
>> >>> Mobile: +47.40410200
>> >>>
>> >>>> On 14 Feb 2017, at 19:20, allison nixon <elsakoo at gmail.com> wrote:
>> >>>>
>> >>>>>> to your first point: the right to privacy of ones own data may be
>> different where I live and where you live. Suffice it to say that in our
>> day-to-day business we get eough complaints from customers who feel their
>> rivacy has been violated either by our putting their data out for everyone
>> to see or by customers of ours who provide services that do the same. And
>> we both agree that whois privacy will not protect you 100%.
>> >>>>
>> >>>> So put your contact address as "123 fake st" and your phone number
>> as "555-555-5555". Make a fake email. No one is forcing you to disclose
>> more than you want to. And the only people who disclose too much are doing
>> so by mistake, not by coercion.
>> >>>>
>> >>>>>> to your second point: why is requiring the same legal standard for
>> accessing data of customers of hosting service providers, of ebay account
>> holders, of Amazon sellers and many other areas where the data is not
>> public suddenly not feasible for customers of domain name registrars?  Our
>> privacy service gets regular subpoenas for data of customers. Why is making
>> that the standard suddenly the end of the world?
>> >>>>
>> >>>> Because when I purchase something from Amazon, I need to give my
>> credit card number, address, zip, etc.  Similarly, we do not get payment
>> details from the registrar, even though they require billing address and
>> zip code, which is a completely different dataset than the zip codes in
>> WHOIS data. WHOIS data is completely arbitrary and not required to complete
>> any transactions.
>> >>>>
>> >>>>>> And while I appreciate the good work that many like John are doing
>> on a private level, ultimately they are not law enforcement and are not
>> entitled to the same level of access as law enforcement has just like a
>> rent-a-cop does not have the same law enforcement powers a real cop has.
>> >>>>
>> >>>> Your comparisons between anti-abuse and rent-a-cops further
>> demonstrates your disrespect. I am happy to allow law enforcement to fully
>> take over this work, but this field has not matured enough yet, and the
>> literacy just isn't there. The skills, experience, and power rests almost
>> fully in the private sector. This isn't some mall cop operation. It's the
>> last line of defense between you and all manner of bad things happening to
>> you. You might not like that, and you probably don't want to recognize that
>> as legitimate, but it's reality. You should thank the people defending your
>> networks, and the people defending the networks of companies you do
>> business with.
>> >>>>
>> >>>>>> Re:Spamhaus: I have worked with them and while they provide a
>> valuable anti-spam service, some of their methods or publications leave a
>> lot to be desired. The fact that they ofter outright refuse to provide
>> evidence of their claims, the fact that they outright lie to ICANN
>> compliance, and the fact that they bend numbers anyway they need to fit
>> their narrative do not help to build trust and work with them as partners.
>> I think they provide a good service but ultimately they are vigilantes and
>> often overshoot their mark. This "study" is one such instance where they
>> present a result without allowing the reader to look at the work that led
>> to the result. And that makes it worthless for peer review or for basing
>> anything on their results.
>> >>>>
>> >>>> And it shows how bad the situation is when an operation of this
>> quality is still the best and most used blocklist out there. When the
>> volume of abuse is so high that "due process" is, literally, a
>> mathematically impossible order. And despite all of those flaws, their
>> actions do more to protect privacy than anything discussed in this working
>> group.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Tue, Feb 14, 2017 at 1:03 PM, Volker Greimann <
>> vgreimann at key-systems.net> wrote:
>> >>>> Hi Allion,
>> >>>>
>> >>>> to your first point: the right to privacy of ones own data may be
>> different where I live and where you live. Suffice it to say that in our
>> day-to-day business we get eough complaints from customers who feel their
>> rivacy has been violated either by our putting their data out for everyone
>> to see or by customers of ours who provide services that do the same. And
>> we both agree that whois privacy will not protect you 100%.
>> >>>>
>> >>>> to your second point: why is requiring the same legal standard for
>> accessing data of customers of hosting service providers, of ebay account
>> holders, of Amazon sellers and many other areas where the data is not
>> public suddenly not feasible for customers of domain name registrars?  Our
>> privacy service gets regular subpoenas for data of customers. Why is making
>> that the standard suddenly the end of the world?
>> >>>>
>> >>>> And while I appreciate the good work that many like John are doing
>> on a private level, ultimately they are not law enforcement and are not
>> entitled to the same level of access as law enforcement has just like a
>> rent-a-cop does not have the same law enforcement powers a real cop has.
>> >>>> Re:Spamhaus: I have worked with them and while they provide a
>> valuable anti-spam service, some of their methods or publications leave a
>> lot to be desired. The fact that they ofter outright refuse to provide
>> evidence of their claims, the fact that they outright lie to ICANN
>> compliance, and the fact that they bend numbers anyway they need to fit
>> their narrative do not help to build trust and work with them as partners.
>> I think they provide a good service but ultimately they are vigilantes and
>> often overshoot their mark. This "study" is one such instance where they
>> present a result without allowing the reader to look at the work that led
>> to the result. And that makes it worthless for peer review or for basing
>> anything on their results.
>> >>>> Best,
>> >>>>
>> >>>> Volker
>> >>>>
>> >>>>
>> >>>>
>> >>>> Am 14.02.2017 um 18:39 schrieb allison nixon:
>> >>>>>>> Here you go with the edge cases again.
>> >>>>>
>> >>>>> The mother of all edge cases is the main contention of this entire
>> working group. The theory that an innocent domain registrant's privacy is
>> either "violated" or "not violated" and that this somehow hinges on the
>> privacy status of the WHOIS data. This is absolutely a false premise. If I
>> want to find someone, and they frequently use the Internet and aren't
>> extremely OPSEC-aware, I'm going to find them. WHOIS privacy absolutely
>> will not protect them.
>> >>>>>
>> >>>>> Does anyone believe this premise that also has experience in
>> investigations? I do not believe any such person exists, because when you
>> are experienced in tracking people down, you will know that this premise is
>> factually untrue.
>> >>>>>
>> >>>>>>> Well it might be so, but every singel person “claiming” they use
>> >>>>>>> whois for investigation seems to lack the understanding that they
>> >>>>>>> will get the access it will just be a little harder to get the
>> >>>>>>> normal misuse of whois info can be prevented but looks like noen
>> of
>> >>>>>>> you want that to happen
>> >>>>>
>> >>>>> Is this an assurance? Because the talk I see here is about
>> requiring paperwork like subpeonas and search warrants and that isn't
>> feasible both from an investigation or automation standpoint as well as the
>> fact that the vast majority of the anti-abuse community are not cops.
>> There's no sign whatsoever that there is consideration towards anti-abuse.
>> >>>>>
>> >>>>>>> I trust these statistics by spamhaus less than anything coming
>> out of the mouth of the orange menace. And that is saying something.
>> >>>>>
>> >>>>> You stand alone in that opinion. Spamhaus is not perfect but they
>> are the most widely used blocklists among network operators. The amount of
>> harm prevented by Spamhaus's block lists eclipses the harm prevented by
>> registrants receiving WHOIS spam. It is like comparing the size of the sun
>> to the size of an ant. If you have ever tried to operate from
>> infrastructure that's on Spamhaus's block lists, your access to the
>> Internet at large will be very poor indeed.
>> >>>>>
>> >>>>> How many of you people actually have day to day experience in
>> fighting spam and preventing the massive privacy invasions that happen on a
>> daily basis to innocent people?  I am getting the feeling that this group
>> badly needs to gain some perspective. WHOIS spam is a problem and is an
>> annoyance, privacy is important, but this group keeps talking about WHOIS
>> privacy and completely ignoring the fact that by volume such a scheme would
>> cause great harms for mostly imaginary gain. To me this shows a sign that
>> many of the arguments here are about idealism without practical experience.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Tue, Feb 14, 2017 at 12:24 PM, benny at nordreg.se <
>> benny at nordreg.se> wrote:
>> >>>>> Hi John
>> >>>>>
>> >>>>> None in the group can do that, just as little as the opposite if we
>> dont work together on the needs, give and take on it, we will not move
>> forward.
>> >>>>> But the attitude which I see where the Status Quo are the driver for
>> >>>>> the discussions are not really productive…
>> >>>>>
>> >>>>> Everything can be changed with new privacy laws coming in to force
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>> >>>>>
>> >>>>> Benny Samuelsen
>> >>>>> Registry Manager - Domainexpert
>> >>>>>
>> >>>>> Nordreg AB - ICANN accredited registrar
>> >>>>> IANA-ID: 638
>> >>>>> Phone: +46.42197080
>> >>>>> Direct: +47.32260201
>> >>>>> Mobile: +47.40410200
>> >>>>>
>> >>>>>> On 14 Feb 2017, at 18:18, John Horton <john.horton at legitscript.com>
>> wrote:
>> >>>>>>
>> >>>>>> Hi Benny,
>> >>>>>>
>> >>>>>> Let me try to dig into that a little bit with a serious question.
>> What assurance do those of us engaged in cybercrime investigation -- or not
>> yet created organizations that are legitimate -- have that we would have
>> the same level of access in the future? Is it possible for this group to
>> make that assurance? To be sure, this isn't my only concern or objection,
>> but part of what I'm trying to get at is: even if those of us on this
>> working group were to agree that cybercrime-mitigation entities should have
>> the same access we have today, what's to prevent a stricter regime from
>> changing the rules in the future? In other words, if we create a system
>> that empowers one central organization to say that Allison's reasons (for
>> example) are valid now, there's nothing to prevent that organization from
>> deciding to block her in the future because they don't believe her reasons
>> for investigating cybercrime are valid. Put another way, my concern isn't
>> that you personally or anyone on this group wants to block cybercrime
>> mitigation from happening -- rather, I'm wondering how this group could
>> bind a future RDS 1, 5 or 10 years down the road not to change the
>> goalposts.
>> >>>>>>
>> >>>>>> John Horton
>> >>>>>> President and CEO, LegitScript
>> >>>>>>
>> >>>>>>
>> >>>>>> Follow LegitScript: LinkedIn  |  Facebook  |  Twitter  |  Blog  |
>> >>>>>> Google+
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Tue, Feb 14, 2017 at 9:05 AM, benny at nordreg.se <
>> benny at nordreg.se> wrote:
>> >>>>>> Well it might be so, but every singel person “claiming” they use
>> whois for investigation seems to lack the understanding that they will get
>> the access it will just be a little harder to get the normal misuse of
>> whois info can be prevented but looks like noen of you want that to
>> happen...
>> >>>>>>
>> >>>>>> --
>> >>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>> >>>>>>
>> >>>>>> Benny Samuelsen
>> >>>>>> Registry Manager - Domainexpert
>> >>>>>>
>> >>>>>> Nordreg AB - ICANN accredited registrar
>> >>>>>> IANA-ID: 638
>> >>>>>> Phone: +46.42197080
>> >>>>>> Direct: +47.32260201
>> >>>>>> Mobile: +47.40410200
>> >>>>>>
>> >>>>>>> On 14 Feb 2017, at 17:58, allison nixon <elsakoo at gmail.com>
>> wrote:
>> >>>>>>>
>> >>>>>>> Benny, dude, you just wrote "Buhu my work will get harder", so
>> >>>>>>> please don't complain about adult and mature answers
>> >>>>>>>
>> >>>>>>> On Tue, Feb 14, 2017 at 11:56 AM, benny at nordreg.se <
>> benny at nordreg.se> wrote:
>> >>>>>>> A very adult and mature answer… with some nice baked in threats,
>> >>>>>>> funny its only your kind of crimes which matter apparantly… oh
>> >>>>>>> and the final on which always are been draged out when there are
>> >>>>>>> no more arguments, think about the one child we can save…
>> >>>>>>>
>> >>>>>>> To answer your questions hidden in the threats, yes you are part
>> of the better for all but that also means everyone have to give and take to
>> come to a better solution.
>> >>>>>>> In you ignorance you completely miss the point that by have all
>> >>>>>>> these data public there are commited crimes every minut by using
>> >>>>>>> those data nut hey what does that matter as long as you business
>> >>>>>>> can roll on… I guess those people will thank you for you helpful
>> >>>>>>> insights…
>> >>>>>>>
>> >>>>>>> Welcome to the discussion
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>> >>>>>>>
>> >>>>>>> Benny Samuelsen
>> >>>>>>> Registry Manager - Domainexpert
>> >>>>>>>
>> >>>>>>> Nordreg AB - ICANN accredited registrar
>> >>>>>>> IANA-ID: 638
>> >>>>>>> Phone: +46.42197080 <+46%2042%2019%2070%2080>
>> >>>>>>> Direct: +47.32260201 <+47%2032%2026%2002%2001>
>> >>>>>>> Mobile: +47.40410200 <+47%20404%2010%20200>
>> >>>>>>>
>> >>>>>>>> On 14 Feb 2017, at 17:29, John Bambenek <
>> jcb at bambenekconsulting.com> wrote:
>> >>>>>>>>
>> >>>>>>>> Let me translate Allison's comments in the light of your mockery.
>> >>>>>>>>
>> >>>>>>>> You're ideas of privacy are patently absurd and your arrogance
>> that entire industries need to rewrite how they do things to suit your
>> effete and fantastical notions is breathtaking. Your mockery of people who
>> investigate crime is just icing on the cake. Its not a question of looking
>> past your own walls, its a question of whether you religious fanatics can
>> acknowledge that other use cases are valid (or are we not part of the "all"
>> in "better for all"). Are you really suggesting preventing spam is a higher
>> priority than stopping human trafficking online?
>> >>>>>>>>
>> >>>>>>>> If someone who had need of privacy came to me for advice on
>> registering a domain name I would tell them absolutely not to do it. Use
>> blogspot or any other mechanism that doesn't involve a financial
>> transaction to shield your privacy. Creating paper trails is always a poor
>> life decision when OPSEC matters. Anything less and I would stop taking
>> your concerns seriously.
>> >>>>>>>>
>> >>>>>>>> That said, we have a viable compromise, its called whois privacy
>> protection. And it allows me to use risk based decisions on how I treat
>> traffic to such domains.
>> >>>>>>>>
>> >>>>>>>> But if you wish to enable criminals to better hide so they can
>> steal people's life savings, so they can anonymously traffic in child
>> exploitation or to engage in sextortion against teenage girls all because
>> you can't handle a spam filter, you can count me one that will line up
>> against you and very publicly label you an enabler of child sexual
>> exploitation. Then I will go to Congress, drag ICANN back under the
>> Department of Commerce and ensure some adult supervision is had.
>> >>>>>>>>
>> >>>>>>>> Or you can calm the hell down and knock it off with your
>> attitude and we can find a viable middle ground. Totally your call.
>> >>>>>>>>
>> >>>>>>>> And if you are really concerned about spammers, I help run
>> investigations against them too (using whois data, in part) and could
>> totally use the help.
>> >>>>>>>>
>> >>>>>>>> Sent from my iPhone
>> >>>>>>>>
>> >>>>>>>>> On Feb 14, 2017, at 05:28, "benny at nordreg.se" <benny at nordreg.se>
>> wrote:
>> >>>>>>>>>
>> >>>>>>>>> So basicaly what you say are… Buhu my work will get harder, let
>> all innocent registrants suffer from spam/scam mail sprung out of the whois
>> data published, all those registrants who get fake mails about renewing
>> there domain or buying fake SEO plans?
>> >>>>>>>>> How can anyone defend that we have data published to get
>> >>>>>>>>> abused just because some bad guys registrer domains? And those
>> >>>>>>>>> of you who does will still have access to the date just not in
>> >>>>>>>>> the same easy way…
>> >>>>>>>>>
>> >>>>>>>>> Sorry for my harsh tone but I really don’t see why we cant look
>> past our own walls and find a solution which are to the better for all..
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>> >>>>>>>>>
>> >>>>>>>>> Benny Samuelsen
>> >>>>>>>>> Registry Manager - Domainexpert
>> >>>>>>>>>
>> >>>>>>>>> Nordreg AB - ICANN accredited registrar
>> >>>>>>>>> IANA-ID: 638
>> >>>>>>>>> Phone: +46.42197080 <+46%2042%2019%2070%2080>
>> >>>>>>>>> Direct: +47.32260201 <+47%2032%2026%2002%2001>
>> >>>>>>>>> Mobile: +47.40410200 <+47%20404%2010%20200>
>> >>>>>>>>>
>> >>>>>>>>>> On 14 Feb 2017, at 06:38, allison nixon <elsakoo at gmail.com>
>> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> This car metaphor isn't complete without also stating that
>> some car owners purchase them for the sole purpose of running over people!
>> >>>>>>>>>>
>> >>>>>>>>>> Some car owners purchase fleets of cars to run over as many
>> people as possible. Even though they re-use their name on every single
>> vehicle registration, the subpeona takes so long that the city can no
>> longer automatically block the cars as they enter, and need to wait for
>> them to run over a few people before they can do anything about it.
>> >>>>>>>>>>
>> >>>>>>>>>> This metaphor has obviously been tortured past the point of
>> absurdity, I'll leave it alone now.
>> >>>>>>>>>>
>> >>>>>>>>>> I've mostly been lurking for the whole duration of this group,
>> and please forgive me if I'm missing something massive here, but I get the
>> impression that most people here don't spend a lot of time doing
>> investigations. But this is my life. If I needed a subpeona for every
>> single historical lookup, pivot, and reverse search, I would get zero done
>> due to a lack of legal authority. Many if not most of the people doing the
>> heavy lifting in anti-cybercrime efforts are private citizens with no
>> government issued authority. It seems that the general expectation here is
>> that limiting access to people with badges is OK, but I'm telling you there
>> is a severe lack of those skillsets and it will be years before we see
>> widespread technical literacy among the police. Whatever system results,
>> private citizens need a path for unrestricted and automated access. And if
>> we want to talk protecting privacy, I think criminally motivated violations
>> of privacy are far more likely to affect everyone's day to day life right
>> now, and automated WHOIS lookups are used heavily especially in
>> anti-phishing and anti-spam operations.
>> >>>>>>>>>>
>> >>>>>>>>>> With the status quo, I can go on fishing expeditions through
>> the WHOIS data and turn up hundreds of domains used for the same type of
>> malicious activity, and predict with a high accuracy which domains will be
>> malicious before they are used for anything. It sometimes turns up domains
>> owned by innocent people, and I doubt privacy minded people would like
>> that, but the reality is I rarely ever encounter WHOIS data that is
>> convincing PII. It's almost all fake. And if it's not fake, it's a
>> company's public contact info, or it's a foolish person who turned down
>> WHOIS privacy protection, and will change their WHOIS as soon as the spam
>> starts flowing.
>> >>>>>>>>>>
>> >>>>>>>>>> Have there been any studies on what percentage of WHOIS data
>> is real and correct? Can we ever expect to have meaningful data when
>> registrars are allowed to take Bitcoins over Tor as payment? At what point
>> does "privacy" become an empty argument when some of these Internet
>> hosting/registrar companies clearly profit from facilitating abuse, and
>> network defenders block entire TLDs due to the saturation of abuse?
>> >>>>>>>>>>
>> >>>>>>>>>> From my vantage point, I see great benefit from seeing
>> patterns in the fake data submitted by fraudsters, and I see few harms from
>> the privacy side of things, because people seem to generally realize that
>> "123 fake st" is a perfectly acceptable WHOIS entry.
>> >>>>>>>>>>
>> >>>>>>>>>> I also recognize this situation is completely absurd. Every
>> aspect of this is surely an abuse of the original system. But it seems like
>> building a pyramid from the top down, restricting access to supposed "PII"
>> that is unlikely to contain PII, to the detriment of legitimate efforts
>> that also seek to enhance privacy by preventing criminal theft of private
>> data like bank account numbers.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <
>> sam at lanfranco.net> wrote:
>> >>>>>>>>>> I have to strongly agree with Alex that whatever the criteria
>> are for thin data, they cannot include that thin data "is transitive" in
>> some sort of bread crumb trail manner.
>> >>>>>>>>>>
>> >>>>>>>>>> Everything is potentially transitive in that sense. I observe
>> a vehicle but all I get is make, model and license plate, and in most
>> jurisdictions that is all I get. It is the vehicle owner's "thin data". Of
>> course I can hang around, see that the car has a baby seat, witness a woman
>> or man putting a child in the car, assume that she/he has legitimate access
>> to the car, follow the car and assemble more personal information (lives
>> at; works at; shops at; visits;) The license plate didn't facilitate that
>> crumb train discovery, but no license plate would hamper legitimate seeking
>> of information about who owns the car (issuing a parking ticket, LEA
>> investigation, etc.) . License plate is part of thin data with no gated
>> access. Of course, this will change in the era of the digital vehicle.
>> Depending on security, and authorization, one will be able to just ask the
>> car, and ask about a lot of things...like whose cell phone was in the
>> passenger's seat last night, when I was supposed to be alone )-:
>> >>>>>>>>>>
>> >>>>>>>>>> There needs to be a similar balance (license plate but no
>> owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number
>> and website URL painted on the side).
>> >>>>>>>>>>
>> >>>>>>>>>> More Important, have we made progress (convergence) on the
>> working principles that should be brought to bear in building a thin data
>> set. A lot of time has been spent looking at good case and bad case
>> scenarios. What operational principles have been distilled from all these
>> examples? What is the balance between thin data inclusion and exclusion,
>> and design and technical solutions that can be used to prevent (for
>> example) robotic harvesting? There is another frontier here, and that is
>> what governments will do to restrain or enable certain uses of thin data?
>> While ICANN needs to be aware of what is going on there, that part is
>> beyond ICANN's remit, but those policies will help shape some of the
>> context within which ICANN deals with the thin data task.
>> >>>>>>>>>>
>> >>>>>>>>>> Sam L
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
>> >>>>>>>>>> All,
>> >>>>>>>>>>
>> >>>>>>>>>> So it seems the debate has progressed from “thin data” to
>> >>>>>>>>>> “thick data” (i.e. data that includes email).  I know we are
>> >>>>>>>>>> all super excited to talk about “thick data” but I don’t
>> >>>>>>>>>> think we are there yet (are we?  Hopefully I didn’t miss the
>> >>>>>>>>>> party…)
>> >>>>>>>>>>
>> >>>>>>>>>> Focusing on thin data for the moment I struggle to understand
>> how it is personal data.  I do not believe it is.    As for the odd logic
>> proposed by some that the property of privacy is transitive (i.e. Because
>> “thin data” can be used to link/point/discover other data then “thin data”
>> equals “personal data”) I just don’t buy it.
>> >>>>>>>>>>
>> >>>>>>>>>> I don’t disagree with much of what was expressed in this
>> thread, however we must keep in mind that balance and proportionality are
>> important concepts in many (all?) data privacy laws.   Any arguments that
>> imply that no such balance exists (or should exist) is obstructive IMO.
>> >>>>>>>>>>
>> >>>>>>>>>> Alex
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On 2/13/17, 5:42 AM,  <gnso-rds-pdp-wg-bounces at icann.org on
>> behalf of michele at blacknight.com> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> I agree and I know from how I’ve used various email addresses
>> that they are actively being harvested and spammed.
>> >>>>>>>>>>      Also it’s one of the biggest sources of complaints we get
>> from our clients (registrants)
>> >>>>>>>>>>      It’s definitely not an “edge case”.
>> >>>>>>>>>>      Regards
>> >>>>>>>>>>      Michele
>> >>>>>>>>>>           --
>> >>>>>>>>>> Mr Michele Neylon
>> >>>>>>>>>> Blacknight Solutions
>> >>>>>>>>>> Hosting, Colocation & Domains
>> >>>>>>>>>> https://www.blacknight.com/
>> >>>>>>>>>> http://blacknight.blog/
>> >>>>>>>>>> Intl. +353 (0) 59 9183072 <+353%2059%20918%203072>
>> >>>>>>>>>> Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>
>> >>>>>>>>>> Social: http://mneylon.social
>> >>>>>>>>>> Some thoughts: http://ceo.hosting/
>> >>>>>>>>>> -------------------------------
>> >>>>>>>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside
>> Business Park,Sleaty
>> >>>>>>>>>> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>> >>>>>>>>>>      _______________________________________________
>> >>>>>>>>>> gnso-rds-pdp-wg mailing list
>> >>>>>>>>>> gnso-rds-pdp-wg at icann.org
>> >>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>>>>>>>
>> >>>>>>>>>> _______________________________________________
>> >>>>>>>>>> gnso-rds-pdp-wg mailing list
>> >>>>>>>>>> gnso-rds-pdp-wg at icann.org
>> >>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> *--------------------------------------------*
>> >>>>>>>>>> "It is a disgrace to be rich and honoured in an unjust state"
>> >>>>>>>>>> -Confucius
>> >>>>>>>>>> ----------------------------------------------
>> >>>>>>>>>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York
>> >>>>>>>>>> U., Toronto, Ontario, CANADA - M3J 1P3
>> >>>>>>>>>> YorkU email: Lanfran at Yorku.ca   Skype: slanfranco
>> >>>>>>>>>> blog:  http://samlanfranco.blogspot.com
>> >>>>>>>>>> Phone: 613 476-0429 <(613)%20476-0429> cell: 416-816-2852
>> <(416)%20816-2852>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> _______________________________________________
>> >>>>>>>>>> gnso-rds-pdp-wg mailing list
>> >>>>>>>>>> gnso-rds-pdp-wg at icann.org
>> >>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> _________________________________ Note to self: Pillage
>> >>>>>>>>>> BEFORE burning.
>> >>>>>>>>>
>> >>>>>>>>> _______________________________________________
>> >>>>>>>>> gnso-rds-pdp-wg mailing list
>> >>>>>>>>> gnso-rds-pdp-wg at icann.org
>> >>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> _________________________________ Note to self: Pillage BEFORE
>> >>>>>>> burning.
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> gnso-rds-pdp-wg mailing list
>> >>>>>> gnso-rds-pdp-wg at icann.org
>> >>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> _________________________________
>> >>>>> Note to self: Pillage BEFORE burning.
>> >>>>>
>> >>>>>
>> >>>>> ______________________________
>> >>>>> _________________
>> >>>>> gnso-rds-pdp-wg mailing list
>> >>>>>
>> >>>>> gnso-rds-pdp-wg at icann.org
>> >>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>
>> >>>> --
>> >>>> Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
>> >>>>
>> >>>> Mit freundlichen Grüßen,
>> >>>>
>> >>>> Volker A. Greimann
>> >>>> - Rechtsabteilung -
>> >>>>
>> >>>> Key-Systems GmbH
>> >>>> Im Oberen Werk 1
>> >>>> 66386 St. Ingbert
>> >>>> Tel.:
>> >>>> +49 (0) 6894 - 9396 901 <+49%206894%209396901>
>> >>>>
>> >>>> Fax.:
>> >>>> +49 (0) 6894 - 9396 851 <+49%206894%209396851>
>> >>>>
>> >>>> Email:
>> >>>> vgreimann at key-systems.net
>> >>>>
>> >>>>
>> >>>> Web:
>> >>>> www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com /
>> >>>> www.BrandShelter.com
>> >>>>
>> >>>>
>> >>>> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
>> >>>>
>> >>>> www.facebook.com/KeySystems
>> >>>> www.twitter.com/key_systems
>> >>>>
>> >>>>
>> >>>> Geschäftsführer: Alexander Siffrin
>> >>>> Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.:
>> >>>> DE211006534
>> >>>>
>> >>>> Member of the KEYDRIVE GROUP
>> >>>>
>> >>>> www.keydrive.lu
>> >>>>
>> >>>>
>> >>>> Der Inhalt dieser Nachricht ist vertraulich und nur für den
>> angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe,
>> Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist
>> unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten
>> wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
>> >>>>
>> >>>> ------------------------------
>> >>>> --------------
>> >>>>
>> >>>> Should you have any further questions, please do not hesitate to
>> contact us.
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>>> Volker A. Greimann
>> >>>> - legal department -
>> >>>>
>> >>>> Key-Systems GmbH
>> >>>> Im Oberen Werk 1
>> >>>> 66386 St. Ingbert
>> >>>> Tel.:
>> >>>> +49 (0) 6894 - 9396 901 <+49%206894%209396901>
>> >>>>
>> >>>> Fax.:
>> >>>> +49 (0) 6894 - 9396 851 <+49%206894%209396851>
>> >>>>
>> >>>> Email:
>> >>>> vgreimann at key-systems.net
>> >>>>
>> >>>>
>> >>>> Web:
>> >>>> www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com /
>> >>>> www.BrandShelter.com
>> >>>>
>> >>>>
>> >>>> Follow us on Twitter or join our fan community on Facebook and stay
>> updated:
>> >>>>
>> >>>> www.facebook.com/KeySystems
>> >>>> www.twitter.com/key_systems
>> >>>>
>> >>>>
>> >>>> CEO: Alexander Siffrin
>> >>>> Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
>> >>>>
>> >>>> Member of the KEYDRIVE GROUP
>> >>>>
>> >>>> www.keydrive.lu
>> >>>>
>> >>>>
>> >>>> This e-mail and its attachments is intended only for the person to
>> whom it is addressed. Furthermore it is not permitted to publish any
>> content of this email. You must not use, disclose, copy, print or rely on
>> this e-mail. If an addressing or transmission error has misdirected this
>> e-mail, kindly notify the author by replying to this e-mail or contacting
>> us by telephone.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> gnso-rds-pdp-wg mailing list
>> >>>> gnso-rds-pdp-wg at icann.org
>> >>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> _________________________________
>> >>>> Note to self: Pillage BEFORE burning.
>> >>>> _______________________________________________
>> >>>> gnso-rds-pdp-wg mailing list
>> >>>> gnso-rds-pdp-wg at icann.org
>> >>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> >>>
>> >>> _______________________________________________
>> >>> gnso-rds-pdp-wg mailing list
>> >>> gnso-rds-pdp-wg at icann.org
>> >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
>

-- 
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170214/59b20b96/attachment-0001.html>