[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

allison nixon elsakoo at gmail.com
Thu Feb 15 01:36:32 UTC 2018


Hi everyone,

I have already begun to hear unrest from my colleagues who work in infosec
and network operations about the degradation of WHOIS, as registrars have
already begun to act on their own, stripping everything and blocking bulk
queriers on domains frequently used for attacks. Every day of additional
uncertainty equals an additional day of victimization.

Why has no one approached the DPAs with the evidence of security purposes
for WHOIS? How much network degradation will we tolerate before someone
bothers to give them a little hint? How many more judgments from the DPAs
are we going to read that display clear ignorance of all legitimate
cybersecurity purposes? Did no one see this coming?

Since we are talking about cost-benefit analysis, here is a quick one I
just did that I would like to share with the group. I did a quick look for
the value of the domain registration industry as a whole. Seems to be ~$4
billion. The losses incurred by the WannaCry malware are estimated to be at
~$8 billion. A single security incident destroying value equal to double
your entire industry.

In May 2017, the FBI stated that over three years the "business email
compromise" scams have topped ~$5 billion in losses, which would be
slightly more than one domain-industry unit of value, and WHOIS is crucial
to fighting it.

source:
https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-could-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB
source:
https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/domain-name-industry
source:
https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thousands-top-5-billion-in-losses-globally.html

Remember, the whole point of GDPR is to force companies to act with more
social responsibility.

On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk at nic.br> wrote:

>
>
> On 14 Feb 2018, at 20:49, John Horton <john.horton at legitscript.com> wrote:
>
> Hmm, well, perhaps it's because I work for a company that processes quite
> a bit of data with a combination of algorithms and some human review, but I
> feel pretty confident that there are ways to simplify that with magic
> algorithms and forms.
>
>
>
> Magic algorithms are fine in pattern detection because there is always a
> human review at some point or the cost of error is low, like in raising an
> abuse case that contains wording like "supposedly", "allegedly" etc. In this
> case, every false negative comes with a tremendous liability.
>
> Also, if machine-learning technology and deep pockets for lawsuits become
> a requirement for being a registrar, you can count on the number of
> registrars dropping to single digits.
>
>
>
> Rubens
>
>
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.