[gnso-rds-pdp-wg] Purpose in accordance with Registry Agreement section 2.18

John Bambenek jcb at bambenekconsulting.com
Tue Jun 6 17:19:59 UTC 2017


For the great majority of us, no one pays us for what we do.  So if
"contractual" in this case means "paying customer", now we are at least
getting to the heart of the matter. But it also misses the point.  We
are here because you have a contractual relationship with ICANN
(directly or via a registry).  We are arguing what THOSE contractual
obligations should be.

On this I would argue several things, the domain system and DNS is a
commons, not a mere private property.  ICANN's mandate is "The mission
of ICANN is to coordinate the stable operation of the Internet's unique
identifier systems."  Stable operations is quite profoundly more than
mere conveyance of a domain from registrar to registrant.  Some of that
inherently requires you to make public without access control some
classes of data (the domain itself and nameservers).  If you don't do
that, none of this matters because there is no internet. (Yes, I know
this isn't done with WHOIS, we are talking pure access to data at this
point).

If I am an end organization or end consumer, I have a right to work on
the stability of my own network and applications and that requires
knowing who I am communicating to.  It is untenable to expect end users
or end operators to establish a contractual relationship with *EVERY
REGISTRY* AT BEST.  At worst, they'd have to establish a contractual
relationship with *EVERY REGISTRAR*.  Considering there are arguably
criminal registrars, why would we ever expect good outcomes for
stability when it required cooperation from the very entity that has a
vested interest in not giving it to you?

Back to the idea of DNS and domains being a commons, there quite simply
is no Internet without it.  Registrars and registries may come and go,
but the impact of your decisions are global in scale.  Take any analogy
you like, regulation over who uses which radio frequencies, roadway
designs and access, maritime regulation... some things are global
resources that are used by a wide variety of stakeholders whose
interests must be balanced.  The purpose of ICANN and DNS is not the
mere transference of a domain from registrar to registry.  If it was,
why have a multi-stakeholder model at all?

Similar types of registries exist all over the world. Real property
records, for one.  That is because the interest of who holds title is
more important than just to the property holder.  In some parts of the
world, tax records are public. I could go on, but every nation is different.

As I mentioned above, most of the security / anti-abuse we are talking
about is provided free to consumers (and for that matter many
businesses).  If you set up a situation where those services have to pay
you, they can no longer be free to consumers.  Many people mention SEO
spam and the various spam revolving domain registrations.  Sure, I'm
not saying it isn't a nuisance.  However, a large part of the spam
fighting that consumers benefit from is FREE.  If it is hindered (or
basically ended), that amount of increase in spam hitting consumers (who
will not nor cannot pay for services to protect them) will not just
increase, it will increase by orders of magnitude.  And not just scams,
malware, phishing, fraud... all of it.

I am sure that we can find something that will keep the data privacy
regulators at bay... that said, even if we can't, I assure you we can
make the case easily that the status quo is far better for the public
than the alternative that is being proposed so far.

So to get back to a potential solution... all consumers are allowed to
check a box on whether they have registrant details in their records or
not.  They are given links pointing to the pros, cons, and implications
of that decision.  The implications of that decision are that if they
enter data, people can use it for whatever they want (just like you can
do with twitter information today), but if you don't put anything in
there, then people like me may label the domain more risky than we would
otherwise.  They are making a free and informed choice, I am making a
free and informed choice.  We can a little bit of privacy for those who
want it, and we maintain the security provided to the bulk of humanity
that is given at no cost. 

I'll even throw in for free helping write that education.  For the
mythical Chinese dissident, we can even direct them to Security Without
Borders (an organization I'm tangentially part of) that can provide far
more in-depth discussion on how to protect their privacy from
nation-state adversaries (in fact, many of the people on this list
arguing for maintaining access to WHOIS data are ALSO helping people pro
bono who are facing real threats and consequences if their identities
were exposed).

If you want to redo the protocol, fine.  One of the major reasons I pay
for DomainTools is being able to get simple normalized WHOIS
information.  But creating an authentication mechanism that will keep an
audit trail will also expose people like me who, for instance, will be
keeping tabs on the Russians in the run-up to the Germany elections to
detect if there are any pending attacks on their democratic institutions
(also a service that is provided for free) that will expose ME to
personal risk (that audit trail will surely be accessible to the FSB on
request) will also be problematic.  And we don't have to be anti-Russian
here, I'm sure there are people keeping tabs on my country's
intelligence services too who would prefer their identities aren't given
to the CIA upon receipt of an NSL.

I don't think it is in anyone's interest in creating a global
surveillance state for the domain system.

j

On 06/06/2017 11:45 AM, benny at nordreg.se wrote:
> Well Registrars and Registries have contractual obligations on how data shall be handled and I don’t see why anti abuse and others handling those data elements shall be allowed to freely use these data in a non controlled manner where there are no contractual obligations.
>
> I would say that is fair for all parts in this and therefore we need a new system which balances this. I am recognising your need for data for the work you do, but am not accepting that equals free use/abuse from the whole world as it is per today.
>
> There must be a way we can do this in an effective and maybe even better way than what we have today.
>
> --
> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>
> Benny Samuelsen
> Registry Manager - Domainexpert
>
> Nordreg AB - ICANN accredited registrar
> IANA-ID: 638
> Phone: +46.42197000
> Direct: +47.32260201
> Mobile: +47.40410200
>
>> On 6 Jun 2017, at 18:33, gnso-rds-pdp-wg at icann.org wrote:
>>
>> You mean like whois privacy for free?  We have been giving out ideas
>> (and not just that one), I'm not sure why that is not being recognized.
>>
>> We have also been pointing out the very real harms your proposed path
>> will cause, I'm not sure why those aren't being recognized (instead of
>> ignored) so we can create a balanced approach.
>>
>>
>> On 06/06/2017 09:40 AM, benny at nordreg.se wrote:
>>> Anti Abuse is important, no one disagrees on that, what I just don’t get is why you and others can’t come up with an idea of how we can make a better solution than today which benefits all sides, instead of fighting for Status Quo.
>>>
>>> Feel like a broken record
>>>
>>> --
>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>
>>> Benny Samuelsen
>>> Registry Manager - Domainexpert
>>>
>>> Nordreg AB - ICANN accredited registrar
>>> IANA-ID: 638
>>> Phone: +46.42197080
>>> Direct: +47.32260201
>>> Mobile: +47.40410200
>>>
>>>> On 6 Jun 2017, at 16:31, allison nixon <elsakoo at gmail.com> wrote:
>>>>
>>>> Fully agreed! Anti-abuse is critical to the basic functionality of the Internet. If "basic functionality" is something we should avoid breaking, then anti-abuse is part of that. 
>>>>
>>>> We have seen numerous cases where a single attack has global effects far beyond the victim. 
>>>>
>>>> The more often this happens, the more likely that laws will be passed that invade privacy. Whois is not a real invasion of privacy because no one is forced to disclose info, and future laws are extremely unlikely to provide people with "options" like whois does now. I would rather avoid entering into a scenario that increases the motivation to pass these laws. We can do a lot with the very minimal amount that is out there right now. 
>>>>
>>>> I very much want to encourage the privacy minded people here to think about the long term ramifications rather than just the short term potential victory. Remember my story about Tor.
>>>>
>>>>
>>>>
>>>> On Jun 6, 2017 9:59 AM, "Natale Maria Bianchi" <nmb at spamhaus.org> wrote:
>>>> Besides private and business domains, there is also the large category of
>>>> abusive domains - domains registered (or acquired from a previous owner)
>>>> for the only purpose of abusing the Internet.  One may perhaps categorize
>>>> them as "business", but it does not make much sense to put them together
>>>> with domains used legitimately, or worry much about privacy issues -
>>>> those are typically registered giving fake credentials, or the
>>>> credentials are hidden from the public through an anonymous registration,
>>>> and no one will ever file a privacy complaint about those.
>>>>
>>>> There are operations out there that do this on a massive, industrial scale,
>>>> registering hundreds or thousands of domains per day that are going to be
>>>> used for a very short time, even a few minutes in the most extreme cases
>>>> (hailstorm spammers).  In these cases, literally every second after
>>>> registration matters, and whois is therefore a very critical resource for
>>>> abuse researchers.  This is why I and others are here.
>>>>
>>>> Due to the automated methods used for these registrations and the
>>>> consequent correlations between them, it is quite common to be able to
>>>> indeed distinguish this category of domains with "sufficient accuracy"
>>>> once whois data have been retrieved.
>>>>
>>>> So please think in terms of three de facto categories rather than two:
>>>>
>>>>        *  legitimate, private
>>>>        *  legitimate, business
>>>>        *  abusive
>>>>
>>>> I am not suggesting that one puts the third category in ICANN
>>>> agreements :)  I am merely reminding that looking for abusive domains
>>>> is a very important operational aspect of thin and thick whois, and
>>>> care should be taken not to throw this other baby away with
>>>> the baby water.
>>>>
>>>> Natale Maria Bianchi
>>>> Spamhaus Project
>>>>
>>>>
>>>>
>>>> On Tue, Jun 06, 2017 at 11:24:10AM +0200, Volker Greimann wrote:
>>>>> If you can differentiate the use that a domain is going to be put to
>>>>> at the time of registration with sufficient accuracy, you are due
>>>>> for an award ;-)
>>>>>
>>>>>
>>>>> Am 02.06.2017 um 22:15 schrieb Dotzero:
>>>>>> The overwhelming majority of domains registered would be
>>>>>> considered for commercial purposes. The fact that a small
>>>>>> percentage of domains are registered by individuals for personal
>>>>>> use should not be the determining factor as to what is appropriate
>>>>>> for ICANN to do. In fact, many of what people assert are personal
>>>>>> domains have advertising on them and would therefore be considered
>>>>>> by almost any jurisdiction to be engaged in a commercial activity.
>>>>>> This includes many (most?) parked domains.
>>>>> [...]
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg