[gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)

Jeremy Malcolm jmalcolm at eff.org
Tue Oct 3 19:05:33 UTC 2017 

So because my comments have generated a bit of blowback from people I
respect, I took the initiative to consult internally with some of my
colleagues who have more expertise in cybersecurity than I do, to make
sure that I'm not missing something.  It turns out that they agree with
my take on what EFF's position is here.

They did not think that we should be designing an RDS that would gather
information about domain registrants beyond what is required for
technical operation of the DNS. Even if such information were only
limited to anti-abuse professionals, that also wouldn't work. There
would be nothing to stop malicious actors from identifying as anti-abuse
professionals - neither would want to have a system to "vet" anti-abuse
professionals, because that would be even more problematic.

They think that anti-abuse professionals should be able to work with
whatever information they have that we already collect for the narrower
technical purposes of the operation of the DNS.  There is no added value
in collecting personal information - after all, criminals are not going
to provide correct information anyway, and if a domain has been
compromised then the personal information of the original registrant
isn't going to help much, and its availability in the wild could cause
significant harm to the registrant.

So, I stand by what I originally wrote and can confirm that this is
EFF's position, much as the anti-abuse professionals on this list may
disagree with it.

On 30/9/17 3:07 pm, Greg Aaron wrote:
> I assume that the EFF (or its Internet service provider, Unwired) uses reputation systems to filter the EFF's email and keep malware, phishing, and spam from reaching the EFF staff.  Just like every other enterprise out there.
>
> Recently the EFF has been worried about malware and phishing attacks against NGOs, and has been a proponent of patching compromised machines that are being used to attack other people.  Reputation systems are what people use to protect themselves and their networks against such things.  
>
> Would the DNS work without reputation systems?  That is the wrong question, a reductio ad absurdum.  A DNS without any users is worthless.  Reputation systems are one of the things that keeps the Internet usable.
>
> Domain names exist in order to enable communication.  And in the DNS, people can send you whatever packets they want to, whether you want it or not.   Users need to decide what traffic they wish to accept, and part of that is understanding what the sender or origin is.  And some of those senders want to do us, and the people we wish to protect, great harm.
>
> All best,
> --Greg
>
>
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Jeremy Malcolm
> Sent: Friday, September 29, 2017 2:57 PM
> To: gnso-rds-pdp-wg at icann.org
> Subject: Re: [gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)
>
> On 29/9/17 11:44 am, Andrew Sullivan wrote:
>> Since we are making policy for a system that is used in support of 
>> domain name operation, we need to make that support work for all the 
>> parts of the operations in question.  One of the operations in 
>> question is various reputation systems, so I think it is not optional 
>> for us to support that functionality.
> I disagree, I think that a case can be made that reputation systems are important, but they're not essential to the operation of the DNS.  You might as easily say that because advertising revenue is also used "in support of domain name operation", we need to make sure that the DNS supports that.  There are lots of different working parts of the Internet ecosystem that make our online experience better, including voluntary reputation systems, but would the DNS still work without them?  Yes.
>
> --
> Jeremy Malcolm
> Senior Global Policy Analyst
> Electronic Frontier Foundation
> https://eff.org
> jmalcolm at eff.org
>
> Tel: 415.436.9333 ext 161
>
> :: Defending Your Rights in the Digital World ::
>
> Public key: https://www.eff.org/files/2016/11/27/key_jmalcolm.txt
> PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122
>
>

-- 
Jeremy Malcolm
Senior Global Policy Analyst
Electronic Frontier Foundation
https://eff.org
jmalcolm at eff.org

Tel: 415.436.9333 ext 161

:: Defending Your Rights in the Digital World ::

Public key: https://www.eff.org/files/2016/11/27/key_jmalcolm.txt
PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171003/27f23658/signature.asc>

More information about the gnso-rds-pdp-wg mailing list