[gnso-rds-pdp-wg] Dangers of public whois
Alan Greenberg
alan.greenberg at mcgill.ca
Mon Feb 20 01:31:16 UTC 2017
Ayden, you are correct about the overwhelming
length of this chain, and I rarely step into
them, but your post has left me with little choice.
Specifically, it is your use of the word
"misappropriated" which, in my mind, sets a tone
which will make our job in this PDP impossible.
By the same logic, crows and ravens
misappropriate twigs to dig for food, chimpanzees
misappropriate stones to crack nuts, and
elephants misappropriate branches to swat flies.
In all cases, that was not what the twig or stone
or branch was originally designed for, but we
generally credit such innovative use of tools as signs of intelligence.
At the other end of the spectrum, us humans have
clearly misappropriated the web, a tool
originally conceived and developed to meet the
demand for automatic information-sharing between
scientists in universities and institutes around
the world when we started using it for Facebook
or Youtube or electronic commerce.
We are creatures that perceive a need and find a
solution. You may support a particular use or
curse it, that is your prerogative. But because
you do not support a use does not make it less
appropriate than one you do support.
In the specific case of trademark infringement
that you mention, Whois is explicitly cited in
the Uniform Domain Name Dispute Resolution
Policy, a formal ICANN policy adopted over 17
years ago. How much more appropriate can a usage
be in relation to ICANN and the DNS?
If we can ever get to the end of this process, we
may choose to allow or disallow specific uses,
regardless of their lineage. But let's not mis-characterize how we got here.
Alan
At 19/02/2017 07:51 PM, Ayden Férdeline wrote:
>This email chain has become overwhelming in
>length, so my apologies if I am misinterpreting
>the recent direction of the discussion.
>
> From what you describe, Steve, of “settled
> expectations†over 15-20 years, WHOIS is a
> classic case of path dependency; it was a
> feature of the Internet that was designed in
> different conditions for different purposes and
> has been misappropriated by other parties
> because it was the closest thing to a form of
> global identification of website owners that
> could be offered in an Internet that lacked
> other tools to answer such a question. I think
> we both understand how this came to be; what I
> do not understand (or, rather, find difficult
> to accept) is the argument for why it must continue.
>
>I accept that open-access WHOIS may, to a
>limited extent, facilitate accountability
>online. My understanding of the concern of
>trademark holders is that they need a mechanism
>of enforcing their trademark rights against
>parties who register domain names which in their
>view infringe upon their mark(s). Without WHOIS
>there is a perception that there is no means of
>initiating a process against the party which is
>perceived as misusing a trademark. Please
>correct me if I am mistaken or the concern is
>broader. There are also arguments that law
>enforcement and private investigators use WHOIS in their investigations.
>
>At the same time, in order to have such a system
>in place to facilitate contact with the very,
>very small minority of domain name registrants
>whose domain names infringe upon the
>trademark/IP rights of others, or engage in
>abusive activities, we expose the sensitive
>personal data of all domain name registrants to
>three categories of real and significant abuse.
>These categories include: 1) unsolicited mass
>communication, 2) individual solicitation and
>harassment, and 3) the suppression of free
>speech. To the first point, we already know that
>entities are harvesting WHOIS records and using
>this information to spam others with marketing
>literature. To the second point, WHOIS has been
>used to dox and swat vulnerable persons, and to
>commit identify fraud, among other nefarious
>activities. To the third point, the lack of
>anonymity in the WHOIS service quashes the free
>expression of thought, because speakers have no
>protection from retaliation. These are all very
>significant privacy issues which need to be
>addressed, and should have been addressed long
>ago, so I take strong objection to the comment,
>Steve, that privacy advocates “have been
>crying wolf on this issue for more than a
>decadeâ€. The entire burden of ending the
>problematic, pre-existing default of open access
>to WHOIS records has been placed on privacy
>advocates, while proponents of open access have
>the luxury of reaping the benefits of inertia
>from our lack of consensus for change.
>
>Best wishes,
>
>Ayden Férdeline
><http://www.linkedin.com/in/ferdeline>linkedin.com/in/ferdeline
>
>
>>-------- Original Message --------
>>Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois
>>Local Time: 19 February 2017 9:40 PM
>>UTC Time: 19 February 2017 21:40
>>From: met at msk.com
>>To: 'theo geurts' <gtheo at xs4all.nl>, nathalie
>>coupet <nathaliecoupet at yahoo.com>,
>>gnso-rds-pdp-wg at icann.org
>><gnso-rds-pdp-wg at icann.org>, rrasmussen at infoblox.com <rrasmussen at infoblox.com>
>>
>>
>>Let me offer a +3/4 to the chain below. The
>>following are my personal views.
>>
>>
>>
>>I don’ t have any fundamental disagreement
>>with Theo’s take on this. Yes, if we (or the
>>original designers of the current RDS) had
>>ready access to time machines, it would
>>certainly have been designed quite differently.
>>
>>
>>
>>But over 15-20 years, settled expectations have
>>been built up that contact data for domain name
>>registrants will be available to the public
>>without significant restrictions. People in
>>many fields have come to rely on this as an
>>element that promotes transparency, and thus
>>accountability, for activities on the
>>Internet. Everyone recognizes that it is a
>>highly flawed tool for advancing this goal, but
>>nonetheless it is a tool many people rely on,
>>and many of them would be very unhappy if an
>>organization like ICANN --- still unknown to
>>the vast majority of Internet users – were somehow to take it away for them.
>>
>>
>>
>>So if we are to move to a new system that will
>>deprive people (entirely or to a great extent)
>>of this tool, then this needs to be accompanied
>>by some clear explanations of why it is
>>absolutely necessary to do so, and how what
>>will replace it will give members of the
>>general public – not just anti-abuse
>>specialists, law enforcement andd yes even
>>intellectual property interests --- at least
>>some part of the transparency they have come to
>>associate with the existing system.
>>
>>
>>
>>And personally, I don’t think that enactment
>>of the GDPR comes close – by itself – to
>>providing that explanation. T; The new
>>regulation does not strike me as a quantum leap
>>beyond the EU data protection framework that
>>has been in place for more than 20 years,
>>almost as long as Whois itself. Ever since at
>>least 2002 in Shanghai and 2003 in Montreal we
>>have been hearing at ICANN about the impending
>>train wreck when Whois collides with the data
>>protection authorities. Those who have been
>>crying wolf on this issue for more than a
>>decade will have to take that into account in
>>crafting the narrative that will be needed to
>>explain a change of the magnitude we are discussing.
>>
>>
>>
>>image001
>>
>>
>>Steven J. Metalitz | Partner, through his professional corporation
>>
>>T: 202.355.7902 | <mailto:met at msk.com>met at msk.com
>>
>>Mitchell Silberberg & Knupp LLP | <http://www.msk.com/>www.msk.com
>>
>>1818 N Street NW, 8th Floor, Washington, DC 20036
>>
>>
>>
>>THE INFORMATION CONTAINED IN THIS E-MAIL
>>MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND
>>CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS.
>>THIS MESSAGE MAY BE AN ATTORNEY-CLIENT
>>COMMUNICATION, AND AS SUCH IS PRIVILEGED AND
>>CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS
>>NOT AN INTENDED RECIPIENT, YOU ARE HEREBY
>>NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION,
>>FORWARDING OR COPYING OF THIS MESSAGE IS
>>STRICTLY PROHIBITED. PLEASE NOTIFY US
>>IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND
>>DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.
>>
>>
>>
>>From: gnso-rds-pdp-wg-bounces at icann.org
>>[mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of theo geurts
>>Sent: Saturday, February 18, 2017 4:24 PM
>>To: nathalie coupet; gnso-rds-pdp-wg at icann.org; rrasmussen at infoblox.com
>>Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois
>>
>>
>>
>>
>>Hi Rod, Thanks, Nathalie,
>>
>>@Rod
>>That is good info, and I agree this is something we need to keep in mind
>>when we get to that stage, but yes as a WG that should compass us.
>>
>>And even though we should not get ahead of ourselves, but regarding
>>solutions, having front row seats assisting LEA's and Intelligence
>>agencies as a Registrar in several high-profile investigations like
>>terrorism, IS, bounty kill lists and a lot more, I am pretty sure we as
>>a WG can honor the principle that privacy is a human right as laid out
>>by the UN, and yet make sure, we have the technical solutions. I think
>>creating the technical solutions is the least of our worries. Engineers
>>can code a solution for everything; we just need lawyers and privacy
>>guidelines to help us out. So perhaps we cannot show you X as it is
>>personal data we can show you A and how A is involved in tons of
>>criminal activities and map out an entire botnet...
>>
>>
>>Have a good weekend or what is left of it.
>>
>>Theo
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>On 18-2-2017 21:44, nathalie coupet via gnso-rds-pdp-wg wrote:
>> > I was holding my breath to see what the reaction would be. +2 to Theo!
>> >
>> > Sent from my iPhone
>> >
>> >> On Feb 18, 2017, at 2:10 PM, Rod Rasmussen
>> <<mailto:rrasmussen at infoblox.com>rrasmussen at infoblox.com> wrote:
>> >>
>> >> I cannot PLUS ONE this comment enough - thank you Theo!
>> >>
>> >> One thing that I would like to point out
>> that we covered in the EWG and I think is one
>> of many keys to solving many of the issues
>> exposed here but is missing from this current
>> debate is the concept that we do not have to
>> come up with a “one size fits allâ€
>> solution. For example, there are different
>> requirements under privacy law for business
>> entities vs. private individuals, there are
>> different amounts of information people and
>> businesses may want to provide to various
>> parties both publicly and privately, and those
>> of us who deal with abuse and domain
>> reputation can make different decisions on
>> actions (blocking, take-down, LE involvement,
>> etc.) based on what is occurring and what is
>> published in an RDS. Everyone in the ecosystem
>> already does this with the current whois
>> system, but inconsistently, with varying
>> degrees of knowledge, and without formal
>> “rules of the roadâ€. I think it would be
>> helpful for everyone, no matter what your
>> primary issues are to keep this in mind, as it
>> allows you to better conceive solutions to the
>> myriad issues we have to address. Make the
>> system flexible to accommodate different kinds
>> of use cases and desires for
>> “transparency†around domain ownership, contactabilty, and accountability.
>> >>
>> >> Cheers,
>> >>
>> >> Rod
>> >>
>> >>
>> >> Rod Rasmussen
>> >> VP, Cybersecurity
>> >> Infoblox
>> >>
>> >>> On Feb 17, 2017, at 1:09 PM, theo geurts
>> <<mailto:gtheo at xs4all.nl>gtheo at xs4all.nl> wrote:
>> >>>
>> >>> Mark,
>> >>>
>> >>> Thank you for your comment. I think you
>> are nailing the problem here; this is very good IMO.
>> >>>
>> >>> "and the need to mitigate them does not
>> eliminate the need to have public data."
>> >>>
>> >>> This is the issue here. That data should
>> have never been public if we look at the EU
>> GDPR and many other data privacy laws around
>> the globe, and this is what causes Registries
>> and Registrars having massive problems regarding complying with the law.
>> >>>
>> >>> So we with the RDS we are starting from
>> scratch. So and I think this is KEY here, how
>> do we ensure privacy and yet make sure we can still effectively combat abuse.
>> >>>
>> >>> Speaking personally, I think privacy is
>> very important, and I do not like the fact my
>> personal data is being processed all over the place by shady folks.
>> >>> As a Registrar, I find it very important
>> that we should not go backward in fighting
>> abuse. For the simple reason, abuse costs us
>> money, and we should never be in a situation
>> that it becomes harder to battle child porn,
>> or taking down terrorists, or sinkhole botnets.
>> >>>
>> >>> So what we cannot do is ignore all these
>> privacy laws. That would be insane as we would
>> be piling up in tons of fines here.
>> >>> We do not want to reduce effectiveness
>> regarding abuse because that is costing money
>> also. And to be clear here, the registrants
>> will be soaking it all up one way or another.
>> >>>
>> >>> So my take on this is, we make sure that
>> we move on and address BOTH issues and this is
>> our task as a WG. Our task is to solve these
>> problems as we start from scratch with RDS. We
>> learned our lessons from the current WHOIS,
>> now we need to make sure that we can avoid all these pitfalls within RDS.
>> >>>
>> >>> Thank you for making it this far.
>> >>>
>> >>> Have a good weekend,
>> >>>
>> >>> Theo
>> >>> Registrar
>> >>>
>> >>>
>> >> _______________________________________________
>> >> gnso-rds-pdp-wg mailing list
>> >> <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>> >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> > _______________________________________________
>> > gnso-rds-pdp-wg mailing list
>> > <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>> > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>_______________________________________________
>>gnso-rds-pdp-wg mailing list
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>Content-Type: image/gif; name="image001.gif"
>Content-ID: <image001.gif at 01D28ACC.3941F0F0>
>Content-Disposition: inline; filename="image001.gif"
>X-Microsoft-Exchange-Diagnostics:
>
>1;DM5PR03MB2714;9:tdxAx8xMQgAx4Gs73KhKeeJnhdSFoLZJMqy0YExEjtN2QkxAv647qbRT/F0l0Hnn/nKhfAMU+S8FwA4Ppi+jeVAD0cFy/LRIp4ZusIbBQNvhPwZU2SLSvpvc4/43gF5d50LnfFbFPNVZpF8+K99EP/PMi0mZp6osCFogHjFvH2QeIEaPdX2I2NgcFeUQbqlb2+g5b+MjyNvWdFCAxfspAEicufgrStlS4iDd+DV39XodbLV65S+ZeK3qyxwZE2s390sAmmVOVxz9Edm2rvvrbKDcmb3w4qfsWCMWyqarANW6Fr+7+AgTh/Ntx5XaGo0/ONNpxnfKQWIOqvHG7G+oRyh2QQqrUV41wCfZf0BsClTIGI/FSPZzrcwBOcoF9U5LbIkJQY+SkF9yO/6a0euTAtY06UD7WT78U/j9WWoNwiy5Cs7HBPFn/lJUxca7+sGR
>X-Microsoft-Antispam-Mailbox-Delivery:
> ex:0;auth:0;dest:I;ENG:(20160514016)(520000050)(520002050)(750028);
>
>
>Content-Type: text/plain; charset="us-ascii"
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline
>X-Microsoft-Exchange-Diagnostics:
>
>1;DM5PR03MB2714;9:tdxAx8xMQgAx4Gs73KhKeeJnhdSFoLZJMqy0YExEjtN2QkxAv647qbRT/F0l0Hnn/nKhfAMU+S8FwA4Ppi+jeVAD0cFy/LRIp4ZusIbBQNvhPwZU2SLSvpvc4/43gF5d50LnfFbFPNVZpF8+K99EP/PMi0mZp6osCFogHjFvH2QeIEaPdX2I2NgcFeUQbqlb2+g5b+MjyNvWdFCAxfspAEicufgrStlS4iDd+DV39XodbLV65S+ZeK3qyxwZE2s390sAmmVOVxz9Edm2rvvrbKDcmb3w4qfsWCMWyqarANW6Fr+7+AgTh/Ntx5XaGo0/ONNpxnfKQWIOqvHG7G+oRyh2QQqrUV41wCfZf0BsClTIGI/FSPZzrcwBOcoF9U5LbIkJQY+SkF9yO/6a0euTAtY06UD7WT78U/j9WWoNwiy5Cs7HBPFn/lJUxca7+sGR
>X-Microsoft-Antispam-Mailbox-Delivery:
> ex:0;auth:0;dest:I;ENG:(20160514016)(520000050)(520002050)(750028);
>
>_______________________________________________
>gnso-rds-pdp-wg mailing list
>gnso-rds-pdp-wg at icann.org
>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170219/45458672/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list