[gnso-rds-pdp-wg] [For Background] APWG report on phishers use of Domain Name System

[allison nixon]

>> That is not a reasonable requirement: this WG is not responsible for
>> tool development or design.  The protocol needs to change -- has
>> certainly needed to for 20 years -- and in order to make that happen
>> some tools will need to change.  There is no way to guarantee what
>> people will do to the user interface when they change tools.
>> Moreover, we don't have a common definition of what an "inferior" user
>> interface is anyway.  What would be a reasonable requirement is that
>> it is _possible_ to build a simialr user interface as what already
>> exists, but atop the new data access protocol.

My understanding is that under this closed system, the entity responsible
for building the access method will no longer be "anyone with the
motivation and talent", as it is now, but rather a single entity that must
be authorized to work with such "sensitive" data and everyone will have to
use them from now on. After all, anyone aggregating the whois data and
reselling it under their interface would defeat the entire point of a gate.

>> I think I disagree with this claim.  We are in fact discussing what
>> the gated system, if it is created, is supposed to contain.  It is
>> possible that there are things currently in the public whois that
>> never should have been published at all, even to authenticated
>> parties, without some legal processes and I think we are going to have
>> to argue about that.  I am not claiming that there are such things: I
>> don't know, and part of my frustration over the last month or two has
>> been that we have been arguing over the obvious rather than getting
>> down to this quite difficult issue.

I think it's very much worth arguing about. Let's imagine the practical
reality of getting that done.

For the legal process route- let's say for the sake of argument in the USA
it'll require a subpoena because I don't think there's any process that has
a lower bar. I've never sought a subpoena, but I know that colleagues in my
industry sometimes do. I've heard that getting subpoenas for cybercrime
related issues costs between 1 and 10 thousand dollars depending on lawyer
and jurisdiction and other factors.  Also, using that process will get the
customer's billing and IP info anyways. So if I have to get a court order,
then I don't care about WHOIS. I'm getting everything.

I see two possibilities arising from requiring this. Either, a
near-complete shutdown, or a streamlined process resulting in
business-as-usual.

If a subpoena is the bar we set, all available information will be sought.
I can guarantee these queries will also be made against every domain ever
used in sent e-mail, and every domain queried from a corporate environment,
at a minimum. This is supposed to enhance privacy? Or is the goal to
prevent some portion of the queries made for the purposes of network
defense?

We also face the obvious fact that Russian judges are unlikely to unmask
whois for Russian domains used to meddle in elections(or any of the obscene
volume of cybercrime coming from there), and Chinese judges are unlikely to
unmask Chinese domains used to hack other militaries. Does our working
group accept these predictable outcomes as valid?

Court orders also take weeks. I'd like to hear a serious proposal on how
this "legal process" will work and somehow not result in either a 100%
shutdown of anti-abuse activity or a massive violation of privacy.

>> I strongly agree with this.  Those registering domain names on the
>> Internet are not simply passive users, and it is reasonable to treat
>> them differently than people who are just visiting web pages, for
>> instance.  Since the test is whether some infringement on people's
>> data is necessary, we will do well to remember that there is no need
>> to register domain names on the Internet in order to connect to it or
>> use it.

Public whois has been a fact for a very long time. The only people who are
shocked by this are uninformed. We can't dismantle the Internet for their
sake.






On Thu, Jun 29, 2017 at 5:26 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:

> Hi,
>
> I am sympathetic, as you know, to the concerns of researchers using
> the current RDS.  But I think we need to be careful.
>
> On Thu, Jun 29, 2017 at 04:04:18PM -0400, allison nixon wrote:
> > -The gated access cannot have an inferior user interface compared to
> > current tools
>
> That is not a reasonable requirement: this WG is not responsible for
> tool development or design.  The protocol needs to change -- has
> certainly needed to for 20 years -- and in order to make that happen
> some tools will need to change.  There is no way to guarantee what
> people will do to the user interface when they change tools.
> Moreover, we don't have a common definition of what an "inferior" user
> interface is anyway.  What would be a reasonable requirement is that
> it is _possible_ to build a simialr user interface as what already
> exists, but atop the new data access protocol.
>
> > -The gated access cannot have an inferior dataset
>
> I don't think this requirement is possible to specify in advance,
> since it is precisely what we are arguing about.  Accepting this
> requirement would be begging the question.
>
> (I would go through the rest of the items, but I think they have
> similar problems.)  More generally,
>
> > The gated system is supposed to replicate in a closed system what the
> open
> > system has accomplished naturally. This is an exceedingly difficult task,
> > and the price of failure is high.
>
> I think I disagree with this claim.  We are in fact discussing what
> the gated system, if it is created, is supposed to contain.  It is
> possible that there are things currently in the public whois that
> never should have been published at all, even to authenticated
> parties, without some legal processes and I think we are going to have
> to argue about that.  I am not claiming that there are such things: I
> don't know, and part of my frustration over the last month or two has
> been that we have been arguing over the obvious rather than getting
> down to this quite difficult issue.
>
> > Users need to be educated about all the risks so they can weigh them in a
> > manner that makes the most sense for their situation. It's not just junk
> > mail.
>
> I strongly agree with this.  Those registering domain names on the
> Internet are not simply passive users, and it is reasonable to treat
> them differently than people who are just visiting web pages, for
> instance.  Since the test is whether some infringement on people's
> data is necessary, we will do well to remember that there is no need
> to register domain names on the Internet in order to connect to it or
> use it.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170629/e3894776/attachment-0001.html>