FW: Withdraw the gun database
The story so far. Coming on the massacre in Connecticut, a suburban NY newspaper published (online) a database of gun owners in their area - all arguably, public information - inclusive of geo-tags. People were understandably outraged. So a coalition of privacy rights advocates allied with the right to bear arms types jump up and down. The paper backed off and took away the database. Except it cannot do crapola about the mirrors of their site which includes the database.
Here's the kick in the teeth: the fellas owning the mirrors, including the geek next door, have the unfettered right to tell you 'go fly a kite'.
http://www.lohud.com/article/20130118/NEWS02/301180125/A-letter-from-Journal...
-Carlton
============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
Here's the kick in the teeth: the fellas owning the mirrors, including the geek next door, have the unfettered right to tell you 'go fly a kite'.
Yes, it's a copy of a database the contents of which are public by law.
What could this possibly have to do with anything related to ICANN?
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
John : For the last time, WHOIS!
-Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
On Sat, Jan 19, 2013 at 1:25 PM, John R. Levine <johnl@iecc.com> wrote:
Here's the kick in the teeth: the fellas owning the mirrors, including the geek next door, have the unfettered right to tell you 'go fly a kite'.
Yes, it's a copy of a database the contents of which are public by law.
What could this possibly have to do with anything related to ICANN?
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
John : For the last time, WHOIS!
What about it? Are you suggesting that governments should pass laws mandating the legal status of WHOIS databases? There are millions of databases in the world, many of which contain information about organizations and individuals. Approximately none of them have anything to do with WHOIS or ICANN.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
On 01/19/2013 10:25 AM, John R. Levine wrote:
Yes, it's a copy of a database the contents of which are public by law.
What could this possibly have to do with anything related to ICANN?
Well, here is how it could:
1. Guns are intentionally designed to cause mayhem and death at a distance. Some guns are designed primarily to commit that mayhem on animals. But many guns are designed primarily to commit that mayhem on humans. Other uses are ancillary to that purpose. But even guns used for those other purposes retain their ability to cause great bodily harm to people. Guns are most definitely dangerous instrumentalities of great bodily harm.
2. Domain names, on the other hand, are far from lethal and one would have to be very imaginative to construct a situation in which a domain name could cause physical harm or death to a human. So it is safe to categorize domain names as instrumentalities highly unlikely to cause bodily harm.
3. It stands to reason that absent other considerations that privacy protections should be less for information concerning the possession and use of instrumentalities of great bodily harm than for things that are not generally capable of that kind of damage.
4. Therefore, absent other considerations, if gun ownership is deserving of privacy protections then there is even more reason to protect the privacy of domain name ownership.
--karl--
Karl, Which amendment to the constitution provides for the right to have domain names?
On 01/19/2013 11:43 AM, Bill Silverstein wrote:
Which amendment to the constitution provides for the right to have domain names?
The First.
Moreover the right to speech is found in many similar Constitutional statements of rights around the world, which is something that one can not say about militias and infringement on bearing arms.
--karl--
Having or the lack of having a domain name does not impact speech. There are many services which allow one to publicly speak on the internet without a domain name. Does that mean I have the right to set up a television transmitter in my backyard so I can exercise my first amendment rights?
-- Bill
Moreover the right to speech is found in many similar Constitutional statements of rights around the world, which is something that one can not say about militias and infringement on bearing arms.
Oh, right, this inane argument.
You know, when ICANN revisits WHOIS yet again, some of us are going to describe actual serious harm done by people with domains with bogus whois. Last year I testified in two court cases where crooks used large numbers of faked domains to enable a multi million dollar fake drug and nutraceutical scheme, and a separate pump and dump stock fraud scheme.
While it is certainly important to protect individuals' private information, the vast majority of domains are registered by organizations, and the majority of those for purposes ranging from sleazy to felonious. So the sensible way to protect the handful of individual vanity registrants, while also protecting the vastly larger number of non-registrants who are attacked by crooks, is to treat individual registrants as exceptions.
Then some At-Large factions are going to wave their hands about nonexistent harm to hypothetical people, with the ever popular freedom fighter who somehow critically needs a proxy domain registration despite having arranged for mail and web hosting and internet access without the benefit of one.
This is a waste of time.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
On 01/19/2013 01:24 PM, John R. Levine wrote:
Moreover the right to speech is found in many similar Constitutional statements of rights around the world, which is something that one can not say about militias and infringement on bearing arms.
Oh, right, this inane argument.
I thank you for that articulate and nuanced contribution to this discussion. Are you really trying to argue that the most basic aspirations of most modern societies are "inane"? I seem to be perceiving an assertion that I can not accept: That the entry of a bit of email into a mailbox is of greater harm than the entry of a bullet into a human body.
You know, when ICANN revisits WHOIS yet again, some of us are going to describe actual serious harm done by people with domains with bogus whois.
Sure, you can do that, and you would not be wrong that people hiding behind firewalls can, sometimes, be trying to harm others.
You may want to consider, for example, how corporate shells are used to hide polluters, financiers of false political ads, makers of dangerous goods, or purveyors of fraudulent financial instruments. Perhaps we should open those doors before we toss the privacy of internet users onto the pyre?
Perhaps we ought to adopt a regime in which those who want to look at WHOIS records should identify themselves, prove that identity, and state concrete and specific reasons, backed by evidence, why they claim that the person behind that domain name is using that name to engage in unlawful activities.
But that is not the point of the thread here. The point being discussed here is that if firearm ownership deserves privacy protection then it stands to reason that domain name ownership deserves at least as much privacy protection.
When you can show that an email entering a mailbox presents a greater risk of grievous physical harm or death than a bullet entering a human body then you can claim that WHOIS privacy should be less than gun ownership privacy.
--karl--
Hi, Karl. I must admit, you are at least consistent in your inanity.
Perhaps we should open those doors before we toss the privacy of internet users onto the pyre?
Ah, right, the 0.0001% of people who are vanity domain registrants are "users", the 99.999% who just use the internet and have to deal with the consequences are not.
As I said, this is a waste of time.
R's,
John
On 01/19/2013 12:54 PM, Bill Silverstein wrote:
On 01/19/2013 11:43 AM, Bill Silverstein wrote:
Which amendment to the constitution provides for the right to have domain names?
The First.
Moreover the right to speech is found in many similar Constitutional statements of rights around the world, which is something that one can not say about militias and infringement on bearing arms.
Having or the lack of having a domain name does not impact speech. There are many services which allow one to publicly speak on the internet without a domain name.
Really? It seems, therefore, that you would accept being banned from the internet because you would still have the opportunity to stand on the street corner and shout words into the wind?
The point still stands, if the ownership of instrumentalities of great bodily harm (guns) is worthy of privacy protection then logic compels the conclusion that ownership of non-lethal instrumentalities such as domain names is worthy of even greater privacy protection.
One can not consistently simultaneously argue for the current wide open WHOIS and sealed ownership of firearms.
Only if one supports a privacy protected WHOIS can one consistently argue for privacy protected lists of gun ownership.
--karl--
I am hesitant to buy into this, but this should not be about the privacy of owning guns versus the privacy issues involved in Whois data.
The 2nd amendment was all about the colonists protesting (finally rebelling) against a government regime where - as English colonists, which they were - they did not have the same rights that those who lived in England had. (as an aside, many of the Dutch living in what was then New Holland finally sided with the colonists because their only rights in relation to their Dutch overlords was as shareholders in a company run out of Rotterdam). Thus the famous ride of Paul Revere and the 2nd amendment, once the colonists managed to rid themselves of the overlords.
So - please - it was about a situation in a colony where the locals did not have the rights they now have as citizens of the USA. So VERY different - both in the kinds of guns that the 2nd amendment was designed to protect over 200 years ago and the VERY different situation now - both in the nature of the guns being protected, and the rights of citizenship that were not available to the colonists then, but are now.
DIFFERENT QUESTION please about domain names.
The Final Whois Review Team report explicitly recognises the tension between legitimate needs to access Whois data and the equally legitimate right of individuals to privacy.
What is being developed by the IETF is the WEIRDS protocol which, amongst other things, will allow differentiated access to Whois data. This will allow those who want to exercise their legitimate right to privacy to do so, while also allowing those with particular need to access that data (particularly law enforcement agencies) to gain access.
There are still issues in defining both the agencies that qualify as LEAs, and the process for access. But the principle is there - a balance between legitimate rights to privacy - against the equally legitimate need of those to gain access.
And please - no more about guns vs domain names
Holly Raiche
On 01/19/2013 04:11 PM, Holly Raiche wrote:
.. The Final Whois Review Team report explicitly recognises the tension between legitimate needs to access Whois data and the equally legitimate right of individuals to privacy.
You are, of course, absolutely correct that there is a tension. (And I won't mention those bang-bang machines.)
Being a lawyer I have seen how tensions play out in practice. And it is rarely as clean-cut as one would like. And apropos the IETF work - rarely can these things be reduced to machinery that applies an algorithm without at least some steps involving discretionary human judgment. Otherwise we have that famous cartoon of two scientists standing before a chalk board covered with equations and in the middle a cloud that says "a miracle occurs".
When searching for ways through this dark forest one generally comes up with some principles to guide the process. For example are we looking at choices that are relatively minor in their effects or are choices that affect fundamental rights of people - such as their right to petition their governments or to conceive children or practice their religious beliefs.
And generally one recognizes that law enforcement has both special powers - and special responsibilities - that require the application of other principles, or at least other measures of the weight of competing considerations.
I generally take law enforcement out of WHOIS issue because they have the powers to seek judicially supervised warrants, or given sufficient probable cause to act without such warrants. In other words law enforcement, if practiced according to the rules, has a trump card that it can play to enter WHOIS no matter what. The trouble is that a lot of law enforcement are too lazy to bother with the path of obtaining a warrant, or are civil administrative bodies that want to dress up as law enforcement in order to spread their writ to places where they are not really supposed to go.
So back to that balance - Privacy is a tough thing because it is one of those sort-of negative things - a right to exclude rather than a right to do something. As such it becomes hard to find principles to balance.
In a normal balancing act one typically measures the social and constitutional values of X doing act Y against the social and constitutional values of Z preventing act Y.
But in privacy we don't get to see what act Y is - because it is private, and in fact there may not even be an act Y to evaluate.
Kafka gave us a good start on these sorts of things. "The Trial" begins with a sentence saying (paraphrase from memory) that "Someone had been asking questions about Joseph K. because one fine morning he was arrested and taken away."
What Kafka was suggesting is that if somebody is intruding into your affairs that at least the intruder should identify himself, prove his identity, should be able to state what unlawful act you are being accused of, and adduce some concrete evidence to support that accusation.
Those kinds of things make sense as much for those thrown in to Guantanamo as those whose WHOIS privacy is being penetrated.
One last point - in law there is a concept known as estoppel - it basically means that if you say one thing on day 1 you can't say the opposite on day 2. One of the reasons that those who penetrate whois should be required to assert what rights of theirs are being violated by the accused domain name owner is that by remembering those accusations we can find those who abusively accuse and, if necessary, hold them to their stories so that they can not make contrary accusations later or claim that they were unaware.
--karl--
Hi Karl
You are talking to a lawyer - so not much of what you say is new to me although it may be to others.
For me (and I suspect you), the hard bit will be working out what amount to legitimate rights to what data - and ensuring that there is a process to ensure that any access that is granted is only done after the bona fides of the access seeker and reasons for access are established.
Yes, LEAs can try to get the data - but when every bit of information provided in the Whois data base is either not there or completely inaccurate, having the right to it is of little help. What the Whois Final Report did say is that, if people are more confident about having their privacy respected, they will have less reason to provide false information. At that point, ICANN can and should insist on complete and accurate data being provided.
Holly
On 01/19/2013 05:05 PM, Holly Raiche wrote:
For me (and I suspect you), the hard bit will be working out what amount to legitimate rights to what data - and ensuring that there is a process to ensure that any access that is granted is only done after the bona fides of the access seeker and reasons for access are established.
Thanks for returning us to a rational, and I hope, productive discussion. (By-the-way, if you, or anyone else reading this, are ever in the Monterey Bay area of California and want to chat about details of this stuff drop me a note offline.)
The balance of rights is something that I sense needs to be muddled-through via our well trod path of declarations of rules that are adjusted through use in actual situations. For example, simply identifying people making inquiries is hard enough; proving that identity is even harder.
Personally I tend to lean towards the "privacy" - because one can usually remedy an incorrect decision to protect privacy when such protection is not warranted. But the converse is not true - once privacy is breached it is hard to put the information back into the bottle.
Over the last dozen years I've posited variations on a general process that would be largely, but not entirely, mechanical. The nugget of difficulty has always been that "not entirely mechanical" part.
Procedure does not scare me - perhaps that is because as an attorney I have learned that good and fair procedure is very, very important. I am very scared about rushes to judgment that trample sane and deliberate processes or, even worse, "Ox Bow Incident" vigilantism.
I do think that some WHOIS access procedural aspects can be set forth:
1. Every query would be recorded and that record would persist for at least a couple of years.
2. There would be some means so that data subjects (domain name owners) could obtain records of those queries that relate to their domain names.
3. Anyone who wants to make an inquiry must identify himself and present proofs of that identity. That identity and at least a summary of the proofs would be saved in the access record. (People who make a lot of inquiries, such as IP protection attorneys might pre-establish identities and credentials to make the process faster and reduce costs.)
4. The person making the inquiry would have to assert that some cognizable legal right of that person is being violated by the accused domain name owner. That assertion would have to be fairly specific and be backed by some specific evidence to back that assertion. This accusation and evidence would be saved in the access record and thus be available to the data subject. This could be fairly formulaic - there could be a checklist of common accusations and I am sure that supporting evidence would soon assume a rather standard shape and form.
5. The person making the inquiry would have to put up some $$ to cover the cost of processing the inquiry and also to serve as a bond (payable to the data subject) if the inquiry is found to be frivolous or abusive. The bond portion would be returned after some period of time - perhaps 90 days? (Lest one think that this puts all the costs onto the person making the inquiry, I note that the domain name owner has paid a yearly registry fee and ICANN fee. And that a name that is successfully challenged does not give rise to a refund for those fees.)
6. Unless someone can come up with some sort of super-Turing tool to examine the accusations and evidence, there would have to be some quick and fast review of the accusation and evidence by a human. This is the step that is the most troublesome in terms of cost and delay. If this review sees no clear problem then the data access is granted.
7. A periodic summary of all accesses for each name would be sent to the domain name owner. This would allow the name owner to know who is asking about his names, understand the accusations being made, and see the evidence being presented. (Remember, by this time the record has already been made available to the person making the inquiry.) This would allow the name owner to raise a challenge to sufficiency. Such challenges would be reviewed by someone other than the original reviewer of the initial accusation. If the accusation is found inadequate the bond would be paid to the name owner to at least partially compensate for the violation of their privacy. (This payment ought not be construed as a waiver of any rights to civil action that the domain name owner might have against the accuser for making false accusations or representations.)
8. A periodic gazette (web page) would summarize to the public what names are being inquired-of, who is making the largest numbers of inquiries (broken down by accusation type, success/failure counts, etc.) This would let the public see who are being domain name trolls.
This is not a free system, and it has friction - which is quite intentional.
I have concern that it would take some work to build the machinery and operate it, and that the human steps could cost too much (more than a few dollars per event would be too much) or that it could become merely a rubber stamp. ICANN's new gTLD program has shown us how little things can be ballooned into bloated, expensive, systems of Rube-Goldberg complexity.
...What the Whois Final Report did say is that, if people are more confident about having their privacy respected, they will have less reason to provide false information. At that point, ICANN can and should insist on complete and accurate data being provided.
This is a very good point that ought to carry a lot of weight. --karl--
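
The eight steps in the message above, modelled as a small state machine with an audit log; this is an added example, not part of the original thread and not code from ICANN or any registry. The accusation checklist, the 730-day and 90-day values, and every name and sample request are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Assumed values: the post says "at least a couple of years" and "perhaps 90 days".
RETENTION = timedelta(days=730)
BOND_HOLD = timedelta(days=90)
# Hypothetical checklist of accusation types; step 4 suggests one but lists none.
CHECKLIST = {"trademark", "fraud", "spam"}

class State(Enum):
    REJECTED = "rejected"      # incomplete filing, never reached review
    PENDING = "pending"        # waiting for the human review of step 6
    GRANTED = "granted"
    DENIED = "denied"
    OVERTURNED = "overturned"  # the owner's challenge succeeded (step 7)

@dataclass
class AccessRecord:
    domain: str
    requester: str
    proof_summary: str
    accusation: str
    evidence: str
    bond: int
    filed: datetime
    state: State = State.PENDING
    reviewer: Optional[str] = None
    bond_holder: str = "escrow"

class WhoisGate:
    def __init__(self):
        self.log = []

    def file(self, domain, requester, proof_summary, accusation, evidence, bond, now):
        """Steps 1, 3, 4, 5: every query is recorded, even one refused as incomplete."""
        rec = AccessRecord(domain, requester, proof_summary, accusation, evidence, bond, now)
        if not (proof_summary and evidence and bond > 0 and accusation in CHECKLIST):
            rec.state = State.REJECTED
            rec.bond_holder = requester  # nothing is held for a refused filing
        self.log.append(rec)
        return rec

    def review(self, rec, reviewer, looks_ok):
        """Step 6: a human decides; the code only records who decided what."""
        if rec.state is not State.PENDING:
            raise ValueError("only pending requests can be reviewed")
        rec.reviewer = reviewer
        rec.state = State.GRANTED if looks_ok else State.DENIED

    def records_for(self, domain):
        """Steps 2 and 7: the records a domain owner can obtain."""
        return [r for r in self.log if r.domain == domain]

    def challenge(self, rec, second_reviewer, accusation_adequate):
        """Step 7: a different reviewer rules; an inadequate accusation forfeits the bond."""
        # Modelling assumption: a challenge is only possible while the bond is still held.
        if rec.state is not State.GRANTED or rec.bond_holder != "escrow":
            raise ValueError("no granted request with a held bond to challenge")
        if second_reviewer == rec.reviewer:
            raise PermissionError("challenge must go to a different reviewer")
        if not accusation_adequate:
            rec.state = State.OVERTURNED
            rec.bond_holder = "domain-owner"

    def release_bonds(self, now):
        """Step 5: bonds still in escrow after the hold period go back to the requester."""
        due = [r for r in self.log if r.bond_holder == "escrow"
               and r.state is not State.PENDING and now - r.filed >= BOND_HOLD]
        for r in due:
            r.bond_holder = r.requester
        return len(due)

    def purge(self, now):
        """Step 1: records persist for the retention period, then are dropped."""
        self.log = [r for r in self.log if now - r.filed < RETENTION]

    def gazette(self):
        """Step 8: public counts per requester, accusation type and outcome."""
        return Counter((r.requester, r.accusation, r.state.value) for r in self.log)

def demo():
    """Constructed scenario: one sound request, one overturned, one incomplete."""
    gate, t0 = WhoisGate(), datetime(2013, 1, 20)
    a = gate.file("example.org", "ip-firm", "bar card", "trademark", "screenshot", 50, t0)
    b = gate.file("example.org", "troll", "passport", "fraud", "hearsay", 50, t0)
    c = gate.file("example.net", "anon", "", "fraud", "", 0, t0)
    gate.review(a, "reviewer-1", True)
    gate.review(b, "reviewer-1", True)
    gate.challenge(b, "reviewer-2", accusation_adequate=False)
    released = gate.release_bonds(t0 + timedelta(days=91))
    return gate, (a, b, c), released

if __name__ == "__main__":
    gate, _, released = demo()
    print(released, dict(gate.gazette()))
```

The `looks_ok` and `accusation_adequate` arguments stand in for the human judgment of steps 6 and 7, which the model records but does not automate.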
Thank you Karl Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey. Holly On 20/01/2013, at 8:48 PM, Karl Auerbach wrote:
On 01/19/2013 05:05 PM, Holly Raiche wrote:
For me (and I suspect you), the hard bit will be working out what amount to legitimate rights to what data - and ensuring that there is a process to ensure that any access that is granted is only done after the bona fides of the access seeker and reasons for access are established.
Thanks for returning us to a rational, and I hope, productive discussion. (By-the-way, if you, or anyone else reading this, are ever in the Monterey Bay area of California and want to chat about details of this stuff drop me a note offline.)
The balance of rights is something that I sense needs to be muddled-through via our well trod path of declarations of rules that are adjusted through use in actual situations. For example, simply identifying people making inquiries is hard enough; proving that identity is even harder.
Personally I tend to lean towards the "privacy" - because one can usually remedy an incorrect decision to protect privacy when such protection is not warranted. But the converse is not true - once privacy is breached it is hard to put the information back into the bottle.
Over the last dozen years I've posited variations on a general process that would be largely, but not entirely, mechanical. The nugget of difficult has always been that "not entirely mechanical" part.
Procedure does not scare me - perhaps that is because as an attorney I have learned that good and fair procedure is very, very important. I am very scared about rushes to judgment that trample sane and deliberate processes or, even worse, "Ox Bow Incident" vigilantism.
I do think that some WHOIS access procedural aspects can be set forth:
1. Every query would be recorded and that record would persist for at least a couple of years.
2. There would be some means so that data subjects (domain name owners) could obtain records of those queries that relate to their domain names.
3. Anyone who wants to make an inquiry must identify himself and present proofs of that identity. That identify and at least a summery of the proofs would be saved in the access record. (People who make a lot of inquiries, such as IP protection attorneys might pre-establish identities and credentials to make the process faster and reduce costs.)
4. The person making the inquiry would have to assert that some cognizable legal right of that person is being violated by the accused domain name owner. That assertion would have to be fairly specific and be backed by some specific evidence to back that assertion. This accusation and evidence would be saved in the access record and thus be available to the data subject. This could be fairly formulaic - there could be a checklist of common accusations and I am sure that supporting evidence would soon assume a rather standard shape and form.
5. The person making the inquiry would have to put up some $$ to cover the cost of processing the inquiry and also to serve as a bond (payable to the data subject) if the inquiry is found to be frivolous or abusive. The bond portion would be returned after some period of time - perhaps 90 days? (Lest one think that this puts all the costs onto the person making the inquiry, I note that the domain name owner has paid a yearly registry fee and ICANN fee. And that a name that is successfully challenged does not give rise to a refund for those fees.)
6. Unless someone can come up with some sort of super-Turing tool to examine the accusations and evidence, there would have to be some quick and fast review of the accusation and evidence by a human. This is the step that is the most troublesome in terms of cost and delay. If this review sees no clear problem then the data access is granted.
7. A periodic summary of all accesses for each name would be sent to the domain name owner. This would allow the name owner to know who is asking about his names, understand the accusations being made, and see the evidence being presented. (Remember, by this time the record has already been made available to the person making the inquiry.) This would allow the name owner to raise a challenge to sufficiency. Such challenges would be reviewed by someone other than the original reviewer of the initial accusation. If the accusation is found inadequate the bond would be paid to the name owner to at least partially compensate for the violation of their privacy. (This payment ought not be construed as a waiver of any rights to civil action that the domain name owner might have against the accuser for making false accusations or representations.)
8. A periodic gazette (web page) would summarize to the public what names are being inquired-of, who is making the largest numbers of inquiries (broken down by accusation type, success/failure counts, etc.). This would let the public see who are being domain name trolls.
This is not a free system, and it has friction - which is quite intentional. I have concern that it would take some work to build the machinery and operate it, and that the human steps could cost too much (more than a few dollars per event would be too much) or that it could become merely a rubber stamp. ICANN's new gTLD program has shown us how little things can be ballooned into bloated, expensive, systems of Rube-Goldberg complexity.
...What the Whois Final Report did say is that, if people are more confident about having their privacy respected, they will have less reason to provide false information. At that point, ICANN can and should insist on complete and accurate data being provided.
This is a very good point that ought to carry a lot of weight.
--karl--
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
A good place to start would be to admit that the interests of the vast majority of Internet users who do not register vanity domains are at least worth considering. For every domain registered by an individual, there are hundreds, more likely thousands, registered by criminals who attack those non-registrants. You may not like it, but it's reality. R's, John
Which is exactly my point. And finally - acknowledgement that domain NAME accuracy is important - not only for LEAs - but for all of us as well - to stop the 'thousands' (your words, not mine) of names registered by criminals from attacking the rest of us. So yes, privacy is important and always has been. But so is accuracy - the responsibility of the registrant in the first instance - but also fairly and squarely the registrars under the RAA. Holly On 21/01/2013, at 7:09 AM, John R. Levine wrote:
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
A good place to start would be to admit that the interests of the vast majority of Internet users who do not register vanity domains are at least worth considering.
For every domain registered by an individual, there are hundreds, more likely thousands, registered by criminals who attack those non-registrants.
You may not like it, but it's reality.
R's, John
John, Are you sure that the ratio is 1:100 or even 1:1000? I find it hard to believe. (I am just asking) R.
-----Original message----- From: at-large-bounces@atlarge-lists.icann.org [mailto:at-large-bounces@atlarge-lists.icann.org] On behalf of John R. Levine Sent: Sunday, 20 January 2013 21:09 To: At-Large Worldwide Subject: Re: [At-Large] registration fantasies
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
A good place to start would be to admit that the interests of the vast majority of Internet users who do not register vanity domains are at least worth considering. For every domain registered by an individual, there are hundreds, more likely thousands, registered by criminals who attack those non-registrants. You may not like it, but it's reality. R's, John
Are you sure that the ratio is 1:100 or even 1:1000?
It's something like that. Spammers and phishers register vast numbers of domains, and as far as I can tell, nobody else does since domain tasting went away. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
.eu had serious problems with lots of domain names being registered for dubious purposes in the past. http://www.domainesinfo.fr/english/093/eurid-blocks-10-000-eu-names.php http://www.wired.com/techbiz/it/news/2006/08/71555 So, sounds like the share of dubious domain names is quite high under .eu. In 2007, some analysis was done on this, and it turned out that 16% of the .eu domain names really were used to make content available (not only ads). This is pretty much 1:5. Source (German): http://www.domain-recht.de/newsletter-archiv/newsletter-archiv-2007/ausgabe-... Best, Peter On 01/21/2013 05:25 PM, John R. Levine wrote:
Are you sure that the ratio is 1:100 or even 1:1000?
It's something like that. Spammers and phishers register vast numbers of domains, and as far as I can tell, nobody else does since domain tasting went away.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
-- Peter Thomassen dotHIV pt@dothiv.org +49 931 2705351 www.dothiv.org join us: facebook.com/dothiv follow us: twitter.com/dothiv support us by shopping: www.shop4.dotHIV.org
Going to the details of the articles, to me that means that quality checking is indeed possible. I am also under the impression that the problem has since been solved, or at least greatly reduced. R.
-----Original message----- From: at-large-bounces@atlarge-lists.icann.org [mailto:at-large-bounces@atlarge-lists.icann.org] On behalf of Peter Thomassen Sent: Tuesday, 22 January 2013 00:12 To: at-large@atlarge-lists.icann.org Subject: Re: [At-Large] R: registration fantasies
.eu had serious problems with lots of domain names being registered for dubious purposes in the past. http://www.domainesinfo.fr/english/093/eurid-blocks-10-000-eu-names.php http://www.wired.com/techbiz/it/news/2006/08/71555
So, sounds like the share of dubious domain names is quite high under .eu. In 2007, some analysis was done on this, and it turned out that 16% of the .eu domain names really were used to make content available (not only ads). This is pretty much 1:5.
Source (German): http://www.domain-recht.de/newsletter-archiv/newsletter-archiv-2007/ausgabe-374-august-2007-newsletter-domain-recht-11147.html
Best, Peter
On 01/21/2013 05:25 PM, John R. Levine wrote:
Are you sure that the ratio is 1:100 or even 1:1000?
It's something like that. Spammers and phishers register vast numbers of domains, and as far as I can tell, nobody else does since domain tasting went away.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
-- Peter Thomassen dotHIV
pt@dothiv.org +49 931 2705351 www.dothiv.org
join us: facebook.com/dothiv follow us: twitter.com/dothiv support us by shopping: www.shop4.dotHIV.org
On 01/21/2013 02:25 PM, John R. Levine wrote:
Are you sure that the ratio is 1:100 or even 1:1000?
It's something like that. Spammers and phishers register vast numbers of domains, and as far as I can tell, nobody else does since domain tasting went away.
There is a lot of gold being mined simply registering large numbers of domain names and quite legitimately collecting Google and other advertising revenue from the passing traffic. I work with people who have hundreds of thousands, even millions of registered names and they hold phishing/spamming people in as low esteem as do you and I. Sure there are spammers and there are those who phish and misrepresent. But the claims that are being made are not consistent with my first hand observations. --karl--
On 01/20/2013 11:51 AM, Holly Raiche wrote:
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
I forgot one more step: That the person making the data inquiry agree to a binding contract/terms-of-service that obligates that person to use the data obtained via the inquiry for the sole and exclusive purpose of resolving the specific rights violation being complained of, that the data will not be retained after that resolution, and that the data will not be conveyed to third parties or integrated into any aggregate data. In addition that contract/terms-of-service should explicitly create third party beneficiary rights of enforcement and to receive attorney fees and costs should the person making the inquiry violate the contract/terms-of-service. --karl--
I'm with you -- I think -- if you change "rights violation" to something more general. Fraud and bad-faith uses of domain names are not limited to the appropriation of trademarks. That may dominate the current industry and government discourse within ICANN but it doesn't IMO reflect the kind of end-user-generated problems that John has been indicating. If your intent is to limit access to WHOIS to the investigation of trade-name abuse, I can't go along with that narrow a definition. - Evan On 21 January 2013 14:10, Karl Auerbach <karl@cavebear.com> wrote:
On 01/20/2013 11:51 AM, Holly Raiche wrote:
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
I forgot one more step:
That the person making the data inquiry agree to a binding contract/terms-of-service that obligates that person to use the data obtained via the inquiry for the sole and exclusive purpose of resolving the specific rights violation being complained of, that the data will not be retained after that resolution, and that the data will not be conveyed to third parties or integrated into any aggregate data. In addition that contract/terms-of-service should explicitly create third party beneficiary rights of enforcement and to receive attorney fees and costs should the person making the inquiry violate the contract/terms-of-service.
--karl--
-- Evan Leibovitch Toronto Canada Em: evan at telly dot org Sk: evanleibovitch Tw: el56
Hi Evan (and Karl) I think I agree as well. And yes, it was John who pointed to the 'thousands' of names (or more) registered by criminals that raise more than just trademark issues. Holly On 22/01/2013, at 6:31 AM, Evan Leibovitch wrote:
I'm with you -- I think -- if you change "rights violation" to something more general. Fraud and bad-faith uses of domain names are not limited to the appropriation of trademarks. That may dominate the current industry and government discourse within ICANN but it doesn't IMO reflect the kind of end-user-generated problems that John has been indicating.
If your intent is to limit access to WHOIS to the investigation of trade-name abuse, I can't go along with that narrow a definition.
- Evan
On 21 January 2013 14:10, Karl Auerbach <karl@cavebear.com> wrote: On 01/20/2013 11:51 AM, Holly Raiche wrote:
Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey.
I forgot one more step:
That the person making the data inquiry agree to a binding contract/terms-of-service that obligates that person to use the data obtained via the inquiry for the sole and exclusive purpose of resolving the specific rights violation being complained of, that the data will not be retained after that resolution, and that the data will not be conveyed to third parties or integrated into any aggregate data. In addition that contract/terms-of-service should explicitly create third party beneficiary rights of enforcement and to receive attorney fees and costs should the person making the inquiry violate the contract/terms-of-service.
--karl--
-- Evan Leibovitch Toronto Canada Em: evan at telly dot org Sk: evanleibovitch Tw: el56
On 01/21/2013 11:31 AM, Evan Leibovitch wrote:
If your intent is to limit access to WHOIS to the investigation of trade-name abuse, I can't go along with that narrow a definition.
Yes, that is within the intent ... but read on.
The accusation of a violation of the trademark rights of the person making the inquiry is a valid accusation, as long as it is backed by some concrete evidence that supports that allegation.
(There is a subtle aspect to the above paragraph - which is that the complaint be made by someone with "standing", in particular the person who has the mark. At the end of this note I'll mention something more about that.)
In other words, if I have domain name foo and you have a trademark of foo or something close to it and you can come up with evidence that I am actually using the domain name in a way that violates your legal rights provided by trademark law, then, after you comply with the procedures of the process, you should have no trouble getting access to the data.
I made a small aside in the original post that suggested that groups that do a lot of whois inquiries could pre-establish credentials to speed access and lower costs. I did not mention that in those cases the $$ posting could act as a blanket and thus avoid the per-access charge. In other words, for those who tend to make a lot of inquiries there are ways to streamline the process.
I envision most of this stuff being merely a web form - or these days, an app - that one fills out. The main delay would be for some human to look at the contents and bless it as sufficient. That human step is also where I think my proposal has its greatest weakness in that it is a step that is subjective, non-instantaneous, and where the greatest portions of the cost of the system are to be found.
Back to the "standing" point - I know that the general public has come to use WHOIS when they are suspicious or curious. We ought to leave some room for that and not burden that access with the weight of the procedures I have suggested. However, in those cases the data returned should be fuzzed to remove significant digits. For example, rather than returning street addresses, only return postal code, and rather than returning telephone numbers return only the area-code.
(I might note in passing that WHOIS data has already escaped its proper use. I run several websites on behalf of non-profit historical preservation groups. And the WHOIS information has apparently been merged into AT&T's directory assistance to the degree that if one is looking for the railroad station in San Jose, California [10th largest city in the US] they get my home phone number - I received one of those calls at 5:30am today.)
--karl--
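The tiered access described in the message above and in the earlier eight-step list, sketched as an added example (not code from the thread or from any registry): a casual lookup gets only postal code and area code, a fully vetted inquiry gets the full record, and every query lands in a log the name owner can read. The sample record, the field names, the "+1." phone format, and the choice to fall back to the fuzzed view when a requirement is missing are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample registration record (not real data).
REGISTRY = {
    "example.org": {
        "registrant": "Pat Example",
        "street": "123 Sample St",
        "postal_code": "95110",
        "phone": "+1.4085550100",
    }
}

ACCESS_LOG = []  # step 1: every query is recorded (retention is handled elsewhere)


@dataclass
class Inquiry:
    domain: str
    requester: str = ""              # step 3: who is asking
    identity_proof: str = ""         # step 3: summary of the proof presented
    accusation: str = ""             # step 4: the specific right claimed violated
    evidence: str = ""               # step 4: evidence backing the accusation
    bond_paid: bool = False          # step 5: fee and bond posted
    reviewer_approved: bool = False  # step 6: human review found no clear problem


def area_code_only(phone):
    """Assumed format '+1.NXXNXXXXXX'; any other format yields no digits at all."""
    match = re.fullmatch(r"\+1\.(\d{3})\d{7}", phone)
    return "+1." + match.group(1) if match else ""


def fuzzed(record):
    """Casual-lookup view: postal code instead of street, area code instead of number.
    Withholding every other field is an assumption of this sketch."""
    return {
        "postal_code": record["postal_code"],
        "phone": area_code_only(record["phone"]),
    }


def missing_requirements(inq):
    """Names of the procedural requirements this inquiry has not met."""
    checks = {
        "requester": inq.requester,
        "identity_proof": inq.identity_proof,
        "accusation": inq.accusation,
        "evidence": inq.evidence,
        "bond_paid": inq.bond_paid,
        "reviewer_approved": inq.reviewer_approved,
    }
    return [name for name, value in checks.items() if not value]


def whois_lookup(inq, now=None):
    """Log the query, then return the full record only if every requirement is met."""
    missing = missing_requirements(inq)
    tier = "fuzzed" if missing else "full"
    ACCESS_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "domain": inq.domain,
        "requester": inq.requester or "unidentified",
        "identity_proof": inq.identity_proof,
        "accusation": inq.accusation,
        "evidence": inq.evidence,
        "tier": tier,
        "missing": missing,
    })
    record = REGISTRY.get(inq.domain)
    if record is None:
        return None
    return dict(record) if tier == "full" else fuzzed(record)


def access_records_for(domain):
    """Step 2: the log entries a name owner can obtain for their own domain."""
    return [entry for entry in ACCESS_LOG if entry["domain"] == domain]


if __name__ == "__main__":
    print(whois_lookup(Inquiry(domain="example.org")))
    print(access_records_for("example.org"))
```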
On 21 January 2013 17:03, Karl Auerbach <karl@cavebear.com> wrote:
On 01/21/2013 11:31 AM, Evan Leibovitch wrote:
If your intent is to limit access to WHOIS to the investigation of trade-name abuse, I can't go along with that narrow a definition.
Yes, that is within the intent ... but read on.
Nope. Not enough. I guess I'm with John on this.
You're being FAR FAR too narrow, and the identification measures you want are not just for trademark holders.
As a consumer, I demand a contact point of a website name (the IP# alone is insufficient, especially v4) that sold me bad goods, yet has no "contact us" page on their website. I am as entitled to the contact information as a trademark holder. Without a brick-and-mortar location of the commerce site, WHOIS (or its replacement) is the only way I'm going to have to track down whoever sold me those bad goods.
If this is just to be a tool for IP lawyers, with the rest of us "curious" peons tossed access to nothing more than deliberately obfuscated data, then I'm not onboard and this is a waste. Trademarks are amongst the least useful reasons for WHOIS accuracy.
I don't have a problem with demanding that people who request WHOIS data to have their identities as public as those of the data they're requesting. But you've carried that to an unacceptable extreme.
(I might note in passing that WHOIS data has already escaped its proper use. I run several websites on behalf of non-profit historical preservation groups. And the WHOIS information has apparently been merged into AT&T's directory assistance to the degree that if one is looking for the railroad station in San Jose, California [10th largest city in the US] they get my home phone number - I received one of those calls at 5:30am today.)
That problem would not have been solved one shred by demanding that AT&T prove that it was AT&T. And it sounds like your railroad problem is one of accuracy and stupidity, not acceptable use. IMO. - Evan
On 01/21/2013 02:36 PM, Evan Leibovitch wrote:
You're being FAR FAR too narrow, and the identification measures you want are not just for trademark holders,
As a consumer, I demand a contact point of a website name
And if your demand is not met to your satisfaction then you have the total choice to refrain from using that website. We ought not to sacrifice the privacy of others simply because you (I say "you" in the generic sense rather than you personally) do not exercise discretion in your choice of network partners. In addition the claim that you are "entitled" falls flat when you are not willing to concede that those whose privacy you are trying to penetrate do not deserve fair process, including your identity and reason for your inquiry.
If this is just to be a tool for IP lawyers, with the rest of us "curious" peons tossed access to nothing more than deliberately obfuscated data, then I'm not onboard and this is a waste. Trademarks are amongst the least useful reasons for WHOIS accuracy.
The argument you are making is that curiosity trumps privacy; that is something that I do not accept.
(I might note in passing that WHOIS data has already escaped its proper use. I run several websites on behalf of non-profit historical preservation groups. And the WHOIS information has apparently been merged into AT&T's directory assistance to the degree that if one is looking for the railroad station in San Jose, California [10th largest city in the US] they get my home phone number - I received one of those calls at 5:30am today.)
That problem would not have been solved one shred by demanding that AT&T prove that it was AT&T. And it sounds like your railroad problem is one of accuracy and stupidity, not acceptable use. IMO.
AT&T probably bought the data from someone who simply mined the WHOIS records. Had my procedures been in place that someone would have had to make a concrete accusation and back it by demonstrable evidence. I would have been able to challenge that accusation and collect the $$ bond for my trouble. Or, if they had used the route that I outlined for the merely curious then the phone number would have been simply the area code. --karl--
In the USA, and many other places, if one creates a corporation, registers a fictitious business name, or buys property, they are required to make the information regarding the people behind it public. That is currently required for a domain name. While there are mechanisms for hiding this public disclosure, they are the exceptions not the rule. In addition, when you do use these mechanisms, they can have legal consequence, or at the very least give a negative inference as to the intent of the users of these mechanisms. A domain name is not a requirement to speak anonymously on the internet. On the other hand, having the information public would reduce the amount of bad actors. For example, companies running a web site, scamming people, closing it down, opening another. Making it easier to track spammers. Individuals, not law enforcement, do quite a bit of this. Ever hear of Spamhaus? I had done this type of investigative work, which led to the spammer receiving a 47 month sentence. But limiting access to the common people, you limit the ability of law enforcement. Ever hear of neighborhood watch?
On 01/21/2013 02:36 PM, Evan Leibovitch wrote:
You're being FAR FAR too narrow, and the identification measures you want are not just for trademark holders,
As a consumer, I demand a contact point of a website name
And if your demand is not met to your satisfaction then you have the total choice to refrain from using that website.
We ought not to sacrifice the privacy of others simply because you (I say "you" in the generic sense rather than you personally) do not exercise discretion in your choice of network partners.
In addition the claim that you are "entitled" falls flat when you are not willing to concede that those whose privacy you are trying to penetrate do not deserve fair process, including your identity and reason for your inquiry.
If this is just to be a tool for IP lawyers, with the rest of us "curious" peons tossed access to nothing more than deliberately obfuscated data, then I'm not onboard and this is a waste. Trademarks are amongst the least useful reasons for WHOIS accuracy.
The argument you are making is that curiosity trumps privacy; that is something that I do not accept.
(I might note in passing that WHOIS data has already escaped its proper use. I run several websites on behalf of non-profit historical preservation groups. And the WHOIS information has apparently been merged into AT&T's directory assistance to the degree that if one is looking for the railroad station in San Jose, California [10th largest city in the US] they get my home phone number - I received one of those calls at 5:30am today.)
That problem would not have been solved one shred by demanding that AT&T prove that it was AT&T. And it sounds like your railroad problem is one of accuracy and stupidity, not acceptable use. IMO.
AT&T probably bought the data from someone who simply mined the WHOIS records. Had my procedures been in place that someone would have had to make a concrete accusation and back it by demonstrable evidence. I would have been able to challenge that accusation and collect the $$ bond for my trouble.
Or, if they had used the route that I outlined for the merely curious then the phone number would have been simply the area code.
--karl--
On 01/21/2013 03:58 PM, Bill Silverstein wrote:
In the USA, and many other places, if one creates a corporation, registers a fictitious business name, or buys property, they are required to make the information regarding the people behind it public. That is currently required for a domain name.
What you say is not strictly correct. The rules vary from state to state. Indeed many states encourage corporate registrations by making it hard to penetrate any deeper than the name of someone to receive legal process, and that very often is a law firm or a specialized corporation that is not going to divulge the actual ownership information.
A domain name is not a requirement to speak anonymously on the internet.
We are not talking about anonymity, but rather about privacy. One may happily be willing to give a name but not an address or phone number or affiliation.
On the other hand, having the information public would reduce the amount of bad actors.
And the cost would be a loss of privacy. Moreover, you are justifying your premise by concluding that anyone who desires privacy must therefore be a "bad actor". Your suspicions, particularly when you are unwilling to identify yourself and make specific allegations backed by concrete evidence, is snooping.
But limiting access to the common people, you limit the ability of law enforcement. Ever hear of neighborhood watch?
As for law enforcement - I have utterly no sympathy for them when they don't have the energy to get a proper warrant or subpoena. When they get those things then they are not restrained by any of the WHOIS rules we are talking about. So let's dispense with the law enforcement red herring. Ever read "The Ox Bow Incident"? Ever heard of "vigilantes"? That seems to be what you are advocating. Neighborhood watch groups are not empowered to penetrate the privacy of people who close their doors and pull their window shades. Virtually every police department tells neighborhood watchers to refrain from action and to call 911 and get the police involved. The anti-spam crusade is nice, but on the other hand a lot of my family were tortured and murdered often because their neighbors violated their privacy. And the act that started these threads - the publication of contact information for those with registered firearms in some New York counties - generated such a reaction that NY state has already modified its laws to give increased privacy to those registrations. --karl--
Agreed with about everything Bill said.
A domain name is not a requirement to speak anonymously on the internet.
This is the fatally flawed assumption in most privacy arguments, including Karl's. ICANN long ago made the policy decision that Internet domains are property, not identity. As such they can (and should) be treated with the same requirements of ownership disclosure as other forms of intellectual property, which by and large are publicly searchable. Functionally (if not technically), WHOIS shouldn't have disclosure policies much different from TESS <http://tess2.uspto.gov/bin/gate.exe?f=tess&state=4005:890zev.1.1>. Such a mechanism may lead one to proxies, but those proxies must themselves provide accurate information that can ultimately, as required, ultimately give a trusted path back to the source. Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data. - Evan
This is pretty much where the Whois Final Report was heading. Work out who can use a privacy/proxy server (the difference between individuals and organisations was discussed), but then ensure access to all information to LEAs - for legitimate LEA reasons. And yes - again - once privacy protections are there (whatever they are called) insist on accuracy. Holly
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data. On 22/01/2013, at 7:58 PM, Evan Leibovitch wrote:
Agreed with about everything Bill said.
A domain name is not a requirement to speak anonymously on the internet.
This is the fatally flawed assumption in most privacy arguments, including Karl's.
ICANN long ago made the policy decision that Internet domains are property, not identity. As such they can (and should) be treated with the same requirements of ownership disclosure as other forms of intellectual property, which by and large are publicly searchable. Functionally (if not technically), WHOIS shouldn't have disclosure policies much different from TESS <http://tess2.uspto.gov/bin/gate.exe?f=tess&state=4005:890zev.1.1>.
Such a mechanism may lead one to proxies, but those proxies must themselves provide accurate information that can ultimately, as required, ultimately give a trusted path back to the source.
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data.
- Evan
Long before the WHOIS Final Report was published, the ALAC is on record for this - privacy/proxy - position. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Tue, Jan 22, 2013 at 4:19 AM, Holly Raiche <h.raiche@internode.on.net> wrote:
This is pretty much where the Whois Final Report was heading. Work out who can use a privacy/proxy server (the difference between individuals and organisations was discussed), but then ensure access to all information to LEAs - for legitimate LEA reasons. And yes - again - once privacy protections are there (whatever they are called) insist on accuracy.
Holly
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data. On 22/01/2013, at 7:58 PM, Evan Leibovitch wrote:
Agreed with about everything Bill said.
A domain name is not a requirement to speak anonymously on the internet.
This is the fatally flawed assumption in most privacy arguments, including Karl's.
ICANN long ago made the policy decision that Internet domains are property, not identity. As such they can (and should) be treated with the same requirements of ownership disclosure as other forms of intellectual property, which by and large are publicly searchable. Functionally (if not technically), WHOIS shouldn't have disclosure policies much different from TESS <http://tess2.uspto.gov/bin/gate.exe?f=tess&state=4005:890zev.1.1>.
Such a mechanism may lead one to proxies, but those proxies must themselves provide accurate information that can ultimately, as required, give a trusted path back to the source.
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data.
- Evan
Emily Taylor <http://news.dot-nxt.com/2013/01/16/deja-whois> "A dangerous sense of déjà vu" Thoughts from the review team chair. Adam On Wed, Jan 23, 2013 at 12:41 AM, Carlton Samuels <carlton.samuels@gmail.com> wrote:
Long before the WHOIS Final Report was published, the ALAC is on record for this - privacy/proxy - position. -Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Tue, Jan 22, 2013 at 4:19 AM, Holly Raiche <h.raiche@internode.on.net> wrote:
This is pretty much where the Whois Final Report was heading. Work out who can use a privacy/proxy server (the difference between individuals and organisations was discussed), but then ensure access to all information to LEAs - for legitimate LEA reasons. And yes - again - once privacy protections are there (whatever they are called) insist on accuracy.
Holly
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data. On 22/01/2013, at 7:58 PM, Evan Leibovitch wrote:
Agreed with about everything Bill said.
A domain name is not a requirement to speak anonymously on the internet.
This is the fatally flawed assumption in most privacy arguments, including Karl's.
ICANN long ago made the policy decision that Internet domains are property, not identity. As such they can (and should) be treated with the same requirements of ownership disclosure as other forms of intellectual property, which by and large are publicly searchable. Functionally (if not technically), WHOIS shouldn't have disclosure policies much different from TESS <http://tess2.uspto.gov/bin/gate.exe?f=tess&state=4005:890zev.1.1>.
Such a mechanism may lead one to proxies, but those proxies must themselves provide accurate information that can ultimately, as required, give a trusted path back to the source.
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data.
- Evan
Yessir. Was just discussing it on the monthly ALAC Call. Here's what I posted on the ALAC Adobe Connect chat: "Emily is a sensible person and she knows when 'she's getting tossed'!.......@Emily: I attended a lot of the public WHOIS RT and my views were even directly solicited. That Final Report was a monumental achievement in adept diplomacy and some very incisive work by Emily herself" FWIW, the ALAC endorsed the entire WHOIS Final Report and urged its adoption. The Statement went a wee bit further in recommending some next steps. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Tue, Jan 22, 2013 at 10:49 AM, Adam Peake <ajp@glocom.ac.jp> wrote:
Emily Taylor <http://news.dot-nxt.com/2013/01/16/deja-whois> "A dangerous sense of déjà vu" Thoughts from the review team chair.
Adam
On Wed, Jan 23, 2013 at 12:41 AM, Carlton Samuels <carlton.samuels@gmail.com> wrote:
Long before the WHOIS Final Report was published, the ALAC is on record for this - privacy/proxy - position. -Carlton
============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Tue, Jan 22, 2013 at 4:19 AM, Holly Raiche <h.raiche@internode.on.net> wrote:
This is pretty much where the Whois Final Report was heading. Work out who can use a privacy/proxy server (the difference between individuals and organisations was discussed), but then ensure access to all information to LEAs - for legitimate LEA reasons. And yes - again - once privacy protections are there (whatever they are called) insist on accuracy.
Holly
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data. On 22/01/2013, at 7:58 PM, Evan Leibovitch wrote:
Agreed with about everything Bill said.
A domain name is not a requirement to speak anonymously on the internet.
This is the fatally flawed assumption in most privacy arguments, including Karl's.
ICANN long ago made the policy decision that Internet domains are property, not identity. As such they can (and should) be treated with the same requirements of ownership disclosure as other forms of intellectual property, which by and large are publicly searchable. Functionally (if not technically), WHOIS shouldn't have disclosure policies much different from TESS <http://tess2.uspto.gov/bin/gate.exe?f=tess&state=4005:890zev.1.1>.
Such a mechanism may lead one to proxies, but those proxies must themselves provide accurate information that can ultimately, as required, give a trusted path back to the source.
Personally, I like the middle ground of CIRA, the Canadian ccTLD that has different disclosure policies for individuals and organizations. It allows individual registrants to hide critical parts of WHOIS for casual lookups, but does not offer that facility to organizations. In doing so, it still demands accurate WHOIS data.
- Evan
On 22/01/2013 17:45, Carlton Samuels wrote:
FWIW, the ALAC endorsed the entire WHOIS Final Report and urged its adoption. The Statement went a wee bit further in recommending some next steps.
The ALAC statement can be found on: https://community.icann.org/x/kIVZAg By the way, the Statement was mentioned during the ALAC call today and a short discussion yielded the suggestion that a WHOIS Webinar and discussion should take place soon. Carlton Samuels who is our WHOIS WG Chair will work with At-Large Staff to find a suitable time to hold such a discussion about a very vast subject involving law enforcement, privacy, security, technical issues, etc. etc. etc. I hope that this Webinar will be well attended. Watch this space! Kind regards, Olivier
Please find the following announcement: "New Meeting Strategy Working Group Launched" http://www.icann.org/en/news/announcements/announcement-11feb13-en.htm Including the charter and the call for applicants All the best Sébastien Bachollet +33 6 07 66 89 33 Blog: http://sebastien.bachollet.fr/ Mail: Sébastien Bachollet <sebastien@bachollet.com>
I have to say, if I were working for an eastern European crime syndicate, and I wanted to make it as hard as possible for ISPs and law enforcement to track me down, these are exactly the kind of ridiculous hoops I would want to force people to jump through in WHOIS access. R's, John
I forgot one more step:
That the person making the data inquiry agree to a binding contract/terms-of-service that obligates that person to use the data obtained via the inquiry for the sole and exclusive purpose of resolving the specific rights violation being complained of, that the data will not be retained after that resolution, and that the data will not be conveyed to third parties or integrated into any aggregate data. In addition that contract/terms-of-service should explicitly create third party beneficiary rights of enforcement and to receive attorney fees and costs should the person making the inquiry violate the contract/terms-of-service.
On 01/21/2013 02:38 PM, John R. Levine wrote:
I have to say, if I were working for an eastern European crime syndicate, and I wanted to make it as hard as possible for ISPs and law enforcement to track me down, these are exactly the kind of ridiculous hoops I would want to force people to jump through in WHOIS access.
Oooh, aaah, the law enforcement boogeyman! Law enforcement has powers and processes (hopefully judicially supervised) to penetrate WHOIS without going through any of these procedures. So your boogeyman is just that, a boogeyman. If Mr. Sheriff wants access he can go to a judge, present evidence of probable cause, and get a warrant or subpoena. Or if there are exigent circumstances then even that step can be bypassed. And there are international treaties that create processes for international handling of these things. Vigilante "law enforcement" is not law enforcement. --karl--
I forgot one more step:
That the person making the data inquiry agree to a binding contract/terms-of-service that obligates that person to use the data obtained via the inquiry for the sole and exclusive purpose of resolving the specific rights violation being complained of, that the data will not be retained after that resolution, and that the data will not be conveyed to third parties or integrated into any aggregate data. In addition that contract/terms-of-service should explicitly create third party beneficiary rights of enforcement and to receive attorney fees and costs should the person making the inquiry violate the contract/terms-of-service.
I have to say, if I were working for an eastern European crime syndicate, and I wanted to make it as hard as possible for ISPs and law enforcement to track me down, these are exactly the kind of ridiculous hoops I would want to force people to jump through in WHOIS access.
Oooh, aaah, the law enforcement boogeyman!
Yeah, that's also what I would say if I were working for an eastern European crime syndicate. R's, John
Since I assume that the reasoning works also for crime syndicates located somewhere else in the world, can we please drop in the follow-up of the discussion the unnecessary qualification of "eastern European"? Thanks, R. -----Original Message----- From: at-large-bounces@atlarge-lists.icann.org [mailto:at-large-bounces@atlarge-lists.icann.org] On behalf of John R. Levine Sent: Tuesday, 22 January 2013 02:56 To: At-Large Worldwide Subject: Re: [At-Large] FW: Withdraw the gun database
I have to say, if I were working for an eastern European crime syndicate, and I wanted to make it as hard as possible for ISPs and law enforcement to track me down, these are exactly the kind of ridiculous hoops I would want to force people to jump through in WHOIS access.
Oooh, aaah, the law enforcement boogeyman!
Yeah, that's also what I would say if I were working for an eastern European crime syndicate. R's, John
Since I assume that the reasoning works also for crime syndicates located somewhere else in the world, can we please drop in the follow-up of the discussion the unnecessary qualification of "eastern European"?
I wasn't being hypothetical. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
I didn't see anything there about mandating that registrars use verification procedures. Is that on the table? On Tue, Jan 22, 2013 at 1:55 PM, John R. Levine <johnl@iecc.com> wrote:
Since I assume that the reasoning works also for crime syndicates located somewhere else in the world, can we please drop in the follow-up of the discussion the unnecessary qualification of "eastern European"?
I wasn't being hypothetical.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
-- --------------------------------------------------------------- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -------------------------------------------------------------- -
On 01/22/2013 12:39 PM, Joly MacFie wrote:
I didn't see anything there about mandating that registrars use verification procedures. Is that on the table?
There is also a related issue of "terms of service". In particular whether statements/assertions/accusations made in order to obtain whois access are true and, if not, what are the consequences if they are not true (such as third party beneficiary rights in the registrant)? Such terms of service should be manifested in the form of a web-page click-through, not merely as something noted on the access page. See Eric Goldman's note at http://blog.ericgoldman.org/archives/2012/10/how_zappos_user.htm (Which leaves open how one imposes terms of service on access that does not go through a web interface.) --karl--
On 22 January 2013 16:16, Karl Auerbach <karl@cavebear.com> wrote:
(Which leaves open how one imposes terms of service on access that does not go through a web interface.)
Based on a number of non-related examples, I've seen this problem licked elsewhere, through the requirement for user-specific API keys. The issuance and use of said keys is dependent on the recipients' agreeing to the appropriate ToS. While I'm arguing that WHOIS data should be accurate and available, I do not see registration and ToS acceptance as being an unreasonable barrier to access. - Evan
On 01/22/2013 01:53 PM, Evan Leibovitch wrote:
While I'm arguing that WHOIS data should be accurate and available, I do not see registration and ToS acceptance as being an unreasonable barrier to access.
Terms of service should always obligate the person making the inquiry to several things, including accuracy of any identifications presented or assertions made. And just as important the TOS must give third party beneficiary rights to the registrant to enforce those obligations, including the right to obtain attorney fees and costs of such enforcement. (I might also mention that recent events have indicated that violation of terms of service, at least here in the US, can, if a prosecutor so decides, constitute a Federal crime with some rather severe prison-time penalties.) --karl--
I might accept that, but as a pre-requisite registrants must also warrant the accuracy of their data, including beneficiary rights in case _they_ violate etc etc etc. What's good for one side is good for the other. If a WHOIS searcher is going to be expected to offer such disclosure (and exposure), they have a reasonable expectation that the result of that will not be futile. - Evan On 22 January 2013 17:06, Karl Auerbach <karl@cavebear.com> wrote:
On 01/22/2013 01:53 PM, Evan Leibovitch wrote:
While I'm arguing that WHOIS data should be accurate and available, I do not see registration and ToS acceptance as being an unreasonable barrier to access.
Terms of service should always obligate the person making the inquiry to several things, including accuracy of any identifications presented or assertions made. And just as important the TOS must give third party beneficiary rights to the registrant to enforce those obligations, including the right to obtain attorney fees and costs of such enforcement.
(I might also mention that recent events have indicated that violation of terms of service, at least here in the US, can, if a prosecutor so decides, constitute a Federal crime with some rather severe prison-time penalties.)
--karl--
-- Evan Leibovitch Toronto Canada Em: evan at telly dot org Sk: evanleibovitch Tw: el56
On 01/22/2013 02:18 PM, Evan Leibovitch wrote:
I might accept that, but as a pre-requisite registrants must also warrant the accuracy of their data, including beneficiary rights in case _they_ violate etc etc etc.
What's good for one side is good for the other. If a WHOIS searcher is going to be expected to offer such disclosure (and exposure), they have a reasonable expectation that the result of that will not be futile.
There are already a mountain of accuracy obligations imposed by ICANN onto registrants - with the penalty being loss of a domain name, not to mention the UDRP and rapid takedown, or the "don't be bad" provisions in most registrar agreements - there is no need to add more. Third party beneficiary rights have long been absent from the world of ICANN. ICANN has long had a phobia of third party beneficiary rights. Yet we saw what can happen when they are not present in the registerfly situation when ICANN sat on its hands and let everything crumble. --karl--
On 22 January 2013 17:27, Karl Auerbach <karl@cavebear.com> wrote: THIS:
There are already a mountain of accuracy obligations imposed by ICANN onto registrants - with the penalty being loss of a domain name, not to mention the UDRP and rapid takedown, or the "don't be bad" provisions in most registrar agreements - there is no need to add more.
does not match with THIS: Yet we saw what can happen when they are not present in the registerfly situation when ICANN sat on its hands and let everything crumble.
Indeed, you make well the case that the status quo does not provide sufficient penalty (or for that matter, any liability beyond loss of the domain name). If you're going to stack up the exposure on searchers, there ought to be at least as much liability on registrants that fake the search responses. OTOH, if you want to leave the existing lax penalties on registrants, fine, but then lay off the exposure demanded from searchers. - Evan
On 01/22/2013 02:33 PM, Evan Leibovitch wrote:
If you're going to stack up the exposure on searchers, there ought to be at least as much liability on registrants that fake the search responses.
To quote from my previous note:
There are already a mountain of accuracy obligations imposed by ICANN onto registrants - with the penalty being loss of a domain name, not to mention the UDRP and rapid takedown, or the "don't be bad" provisions in most registrar agreements - there is no need to add more.
No need to add any more. By-the-way, I find the commercial/non-commercial dichotomy to be somewhat blurry. Here's why: A lot of names are used for both personal and business use, particularly very small business use. I believe that even google.com started out as a non-commercial use of a name. --karl--
When I say procedures, I am thinking of things like responding to a letter posted to the address, answering a phone call, presenting a photo id to a notary, confirming an SMS code, that sort of thing. j On Tue, Jan 22, 2013 at 5:33 PM, Evan Leibovitch <evan@telly.org> wrote:
On 22 January 2013 17:27, Karl Auerbach <karl@cavebear.com> wrote:
THIS:
There are already a mountain of accuracy obligations imposed by ICANN onto registrants - with the penalty being loss of a domain name, not to mention the UDRP and rapid takedown, or the "don't be bad" provisions in most registrar agreements - there is no need to add more.
does not match with THIS:
Yet we saw what can happen when they are not present in the registerfly situation when ICANN sat on its hands and let everything crumble.
Indeed, you make well the case that the status quo does not provide sufficient penalty (or for that matter, any liability beyond loss of the domain name).
If you're going to stack up the exposure on searchers, there ought to be at least as much liability on registrants that fake the search responses.
OTOH, if you want to leave the existing lax penalties on registrants, fine, but then lay off the exposure demanded from searchers.
- Evan
-- --------------------------------------------------------------- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -------------------------------------------------------------- -
On Tue, Jan 22, 2013 at 4:16 PM, Karl Auerbach <karl@cavebear.com> wrote:
such as third party beneficiary rights in the registrant)?
I'm moving towards the position that this might be a very useful addition to the RAA contractual framework in regard WHOIS. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On 01/23/2013 09:32 AM, Carlton Samuels wrote:
On Tue, Jan 22, 2013 at 4:16 PM, Karl Auerbach <karl@cavebear.com> wrote:
such as third party beneficiary rights in the registrant)?
I'm moving towards the position that this might be a very useful addition to the RAA contractual framework in regard WHOIS.
*And* to terms of service to which those who access whois must accept prior to access. --karl--
Thanks Karl One of the issues on the ALAC table is the RAA - dating back to the GNSO group formed years ago to look at/make suggestions on reforming the RAA - which eventually gave rise to the current RAA negotiations. This can be added to that list Holly ----- Original Message ----- From: "At-Large Worldwide" To: Cc: Sent: Wed, 23 Jan 2013 12:53:29 -0800 Subject: Re: [At-Large] R: FW: Withdraw the gun database On 01/23/2013 09:32 AM, Carlton Samuels wrote:
On Tue, Jan 22, 2013 at 4:16 PM, Karl Auerbach wrote:
such as third party beneficiary rights in the registrant)?
I'm moving towards the position that this might be a very useful addition to the RAA contractual framework in regard WHOIS.
*And* to terms of service to which those who access whois must accept prior to access. --karl--
On Jan 19, 2013, at 5:05 PM, Holly Raiche <h.raiche@internode.on.net> wrote:
Yes, LEAs can try to get the data - but when every bit of information provided in the Whois data base is either not there or completely inaccurate, having the right to it is of little help.
Moreover, given that most of the work done in anti-abuse is done by entities that are not LEA, the need to have a court order to remove proxy services is too high a barrier. -- Neil Schwartzman Executive Director CAUCE - the Coalition Against Unsolicited Commercial Email Mob: (415) 361-0069 Skype: (303) 800-6345 Web: http://cauce.org Twitter: @cauce Please join the CAUCE J.D. Falk Memorial Kiva Team http://www.kiva.org/team/cauce_falk_memorial
On 01/23/2013 05:31 PM, Neil Schwartzman wrote:
Yes, LEAs can try to get the data - but when every bit of information provided in the Whois data base is either not there or completely inaccurate, having the right to it is of little help.
Moreover, given that most of the work done in anti-abuse is done by entities that are not LEA, the need to have a court order to remove proxy services is too high a barrier.
"too high a barrier" is subjective. And the weights used to calculate it vary depending whether one is on the let-me-play-LEA side or on the it's-my-private-data side. It is very dangerous to grant to wannabe law enforcement stand-ins the powers of real law enforcement agents. The latter are bound by lots of procedures and constraints, all of which have been put there in response to centuries of actual experience with what happens when those procedures and constraints are absent. We should not encourage vigilantes on the internet; private "justice" has a rather poor history of being actual justice. --karl--
The 2nd amendment was all about the colonists protesting ...
Colonists? The Bill of Rights was ratified in 1791, a decade after the revolution was over. The 2nd is about southern militias that put down slave rebellions. Read about it here: http://truth-out.org/news/item/13890-the-second-amendment-was-ratified-to-pr... We can certainly agree it has no relevance to anything ICANN does.
What is being developed by the IETF is the WEIRDS protocol which, amongst other things, will allow differentiated access to Whois data. This will allow those who want to exercise their legitimate right to privacy to do so, ...
Sorry, no, that's not what WEIRDS is doing. For one thing, WEIRDS is really about redoing WHOIS for IP addresses. As the group was being chartered, a bunch of people showed up, loudly demanded that we do names as well, and then predictably disappeared without doing any work. (Not quite all, one or two guys are toiling away, but given how poorly the names community understands the issues, I doubt there will be much progress.) So WEIRDS is unlikely to produce anything for names. We knew this would happen, so the charter specifically allows the IP address work to go ahead while the names spin their wheels. Even if it does, the differentiated access is nothing new. Try looking up six names in a row at Godaddy's WHOIS server, and you'll find that it starts providing much less info in each response, unless you're connecting from an IP for which they've relaxed the rate limits. The WEIRDS stuff just provides a cleaner way to do what existing WHOIS servers do with per-IP rate limits and CAPTCHAs. And please keep in mind that the IETF has exactly zero interest in getting involved in policy disputes, so we'll design a way that a client can pass credentials to a WEIRDS server, but not what the server does with those credentials. This project is to provide a spec that the RIRs and perhaps name registries can use to do what they do now, but in a way that scales better and is easier to script. R's, John
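The differentiated access discussed in the messages above (ToS-gated API keys, CIRA-style redaction for individual registrants, and per-IP throttling that thins out anonymous responses), as an added sketch that is not part of the thread and is not code from GoDaddy, CIRA or the IETF WEIRDS drafts. The class, method and field names, the thresholds and the sample records are all hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample records (illustrative values only, not real registrations).
RECORDS = {
    "alice-blog.example": {
        "registrar": "Example Registrar", "status": "active",
        "registrant_type": "individual",
        "registrant_name": "Alice Example",
        "registrant_email": "alice@alice-blog.example",
    },
    "widgets-inc.example": {
        "registrar": "Example Registrar", "status": "active",
        "registrant_type": "organization",
        "registrant_name": "Widgets Inc.",
        "registrant_email": "hostmaster@widgets-inc.example",
    },
}

THIN_FIELDS = ("registrar", "status")                      # what a throttled client sees
CONTACT_FIELDS = ("registrant_name", "registrant_email")   # hidden for individuals


class WhoisGate:
    """Hypothetical policy layer in front of a registration database."""

    def __init__(self, records, anon_limit=5, window_seconds=60,
                 clock=time.monotonic):
        self.records = records
        self.anon_limit = anon_limit      # anonymous lookups allowed per window
        self.window = window_seconds
        self.clock = clock                # injectable so tests are deterministic
        self.api_keys = {}                # key -> holder identity
        self.recent = defaultdict(deque)  # client IP -> timestamps of lookups
        self.audit_log = []               # (holder, domain, client_ip)

    def issue_key(self, key, holder, tos_accepted):
        # Key issuance depends on ToS acceptance, so non-web access is
        # still bound by the terms.
        if not tos_accepted:
            raise PermissionError("terms of service not accepted")
        self.api_keys[key] = holder

    def _over_limit(self, client_ip):
        # Sliding window: drop timestamps older than the window, record this one.
        now = self.clock()
        seen = self.recent[client_ip]
        while seen and now - seen[0] >= self.window:
            seen.popleft()
        seen.append(now)
        return len(seen) > self.anon_limit

    def lookup(self, domain, client_ip, api_key=None):
        name = domain.lower()
        record = self.records.get(name)
        if record is None:
            return {"domain": name, "tier": "not_found"}

        if api_key is not None:
            holder = self.api_keys.get(api_key)
            if holder is None:
                # An unknown key is refused outright rather than being
                # silently downgraded to anonymous access.
                return {"domain": name, "tier": "denied"}
            # Credentialed access is attributable: log who asked for what.
            self.audit_log.append((holder, name, client_ip))
            return {"domain": name, "tier": "full", **record}

        if self._over_limit(client_ip):
            thin = {f: record[f] for f in THIN_FIELDS}
            return {"domain": name, "tier": "thin", **thin}

        if record["registrant_type"] == "individual":
            kept = {k: v for k, v in record.items() if k not in CONTACT_FIELDS}
            return {"domain": name, "tier": "redacted", **kept}

        return {"domain": name, "tier": "public", **record}


if __name__ == "__main__":
    gate = WhoisGate(RECORDS)
    gate.issue_key("k-123", "abuse-desk", tos_accepted=True)
    for i in range(7):
        print(i + 1, gate.lookup("widgets-inc.example", "192.0.2.10")["tier"])
    print(gate.lookup("alice-blog.example", "192.0.2.10", api_key="k-123"))
```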
Hi John We are not going to worry about US history now. What I am particularly concerned about is differentiated access and privacy. And all I can say is pity about WEIRDS. I attended the WEIRDS briefing in Toronto and have reread the slides as they were presented. What was said then was about differentiated access amongst other things - including, and perhaps primarily, having a standard protocol for WHOIS - that doesn't exist now. From what you are saying, the messages given at Toronto aren't going to happen. I hope, therefore, at the Beijing meeting, you - or someone from the group - will give a presentation that clarifies what WEIRDS will and won't do so the rest of us don't think that anything is going to happen on the names front - and then try to address the privacy issues in other ways. Meanwhile, as Karl noted, LEAs will still manage to eventually track the miscreants down. It just won't be as neat, more damage will have been done, and it won't be as respecting of privacy. Not a very satisfying outcome really. Holly On 20/01/2013, at 12:18 PM, John R. Levine wrote:
The 2nd amendment was all about the colonists protesting ...
Colonists? The Bill of Rights was ratified in 1791, a decade after the revolution was over. The 2nd is about southern militias that put down slave rebellions. Read about it here:
http://truth-out.org/news/item/13890-the-second-amendment-was-ratified-to-pr...
We can certainly agree it has no relevance to anything ICANN does.
What is being developed by the IETF is the WEIRDS protocol which, amongst other things, will allow differentiated access to Whois data. This will allow those who want to exercise their legitimate right to privacy to do so, ...
Sorry, no, that's not what WEIRDS is doing.
For one thing, WEIRDS is really about redoing WHOIS for IP addresses. As the group was being chartered, a bunch of people showed up, loudly demanded that we do names as well, and then predictably disappeared without doing any work. (Not quite all, one or two guys are toiling away, but given how poorly the names community understands the issues, I doubt there will be much progress.) So WEIRDS is unlikely to produce anything for names. We knew this would happen, so the charter specifically allows the IP address work to go ahead while the names spin their wheels.
Even if it does, the differentiated access is nothing new. Try looking up six names in a row at Godaddy's WHOIS server, and you'll find that it starts providing much less info in each response, unless you're connecting from an IP for which they've relaxed the rate limits. The WEIRDS stuff just provides a cleaner way to do what existing WHOIS servers do with per-IP rate limits and CAPTCHAs.
And please keep in mind that the IETF has exactly zero interest in getting involved in policy disputes, so we'll design a way that a client can pass credentials to a WEIRDS server, but not what the server does with those credentials. This project is to provide a spec that the RIRs and perhaps name registries can use to do what they do now, but in a way that scales better and is easier to script.
R's, John
From what you are saying, the messages given at Toronto aren't going to happen.
The IETF is 100% run by volunteers, and is open to anyone willing to show up and do the work. Most of the work is done on mailing lists and by submitting and reviewing draft documents online, so the barriers to participation are very low. Nevertheless, of the many people who insisted it was very very very important that WEIRDS produce a spec for names, approximately none of them are on the WEIRDS mailing list or have done any work. This tells me, and the rest of the IETF, that in fact the ICANN community does not consider this to be an important problem. (If it's not important enough for you to work on it, it's not important for us, either.)
I hope, therefore, at the Beijing meeting, you - or someone from the group - will give a presentation
Sorry, I have actual work to do for real clients and a $0 budget for ICANN junkets. If someone thinks it's worth putting together a talk for Beijing, the drafts and the list archives are not hard to find. R's, John
On Sat, Jan 19, 2013 at 10:37 PM, Holly Raiche <h.raiche@internode.on.net> wrote:
Hi John
We are not going to worry about US history now. What I am particularly concerned about is differentiated access and privacy. And all I can say is pity about WEIRDS. I attended the WEIRDS briefing in Toronto and have reread the slides as they were presented. What was said then was about differentiated access amongst other things - including, and perhaps primarily, having a standard protocol for WHOIS - that doesn't exist now.
Isn't WHOIS a "standard protocol" itself? -- Cheers, McTim "A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
Isn't WHOIS a "standard protocol" itself?
From SAC051 [1]:
The term "WHOIS" is overloaded, referring to protocols, services, and data types associated with Internet naming and numbering resources, i.e., domain names, Internet Protocol (IP) addresses, and Autonomous System Numbers (ASNs). The ambiguity in terminology further burdens an already challenging set of discussions intended to resolve conflicts related to the evolution of meta-data for Internet naming and numbering.
I advise anybody interested in the whois discussion to read the whole report and also SAC055 [2].
jaap
[1] SSAC Report on WHOIS Terminology and Structure (19 September 2011) <http://www.icann.org/en/groups/ssac/documents/sac-051-en.pdf>
[2] SSAC Comment on the WHOIS Review Team Final Report (14 September 2012) <http://www.icann.org/en/groups/ssac/documents/sac-055-en.pdf>
Isn't WHOIS a "standard protocol" itself?
Just barely, see RFC 3912. The standard says that the client sends a line of stuff, and the server sends back a blob of stuff that is somehow related to what was on the client's line of stuff. If any of the stuff can't be expressed in seven bit ASCII, too bad.
For gTLDs that have thick WHOIS, the ICANN agreements describe in fair detail what the queries and responses are supposed to be, although the details differ from one agreement to another and none of them address IDNs. For gTLDs that have thin WHOIS, there's basically no spec, and the various registrars just make up whatever they want. I have a 3000 line perl module that handles a lot of this, but far from all of it, and I constantly have to tweak it as I come across registries with formats that I haven't seen before.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
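As an added illustration of the message above (this is not John Levine's perl module and not code from the thread): a Python version of the two halves he describes, the one-line seven-bit query and the unspecified response blob, parsed from two layouts into common keys. The sample responses, the alias table and the conversion of IDN queries to A-labels are assumptions made for the example.

```python
import re

# Constructed sample responses, not captured from any real server.
REGISTRY_STYLE = (
    b"Domain Name: EXAMPLE.TEST\r\n"
    b"Registrar: Example Registrar, Inc.\r\n"
    b"Name Server: NS1.EXAMPLE.TEST\r\n"
    b"Name Server: NS2.EXAMPLE.TEST\r\n"
    b"Creation Date: 2010-01-02T00:00:00Z\r\n"
    b"\r\n"
    b">>> Last update of WHOIS database: 2013-01-20 <<<\r\n"
)
REGISTRAR_STYLE = (
    b"Registrant:\n"
    b"   Example Holder \xe9\n"   # stray 8-bit byte; RFC 3912 names no charset
    b"   1 Example Street\n"
    b"\n"
    b"   Domain name: example.test\n"
    b"\n"
    b"Domain servers in listed order:\n"
    b"   ns1.example.test\n"
    b"   ns2.example.test\n"
    b"\n"
    b"Record created on 02-Jan-2010.\n"
)

# Hypothetical alias table: labels different servers use for the same field.
ALIASES = {
    "domain name": "domain",
    "name server": "nameservers",
    "domain servers in listed order": "nameservers",
    "creation date": "created",
    "record created on": "created",
}

KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*)$")     # "Key: value"
BLOCK_HEADER = re.compile(r"^(\S[^:]*):\s*$")             # "Key:" then indented lines
SENTENCE = re.compile(r"^(Record created on)\s+(.+?)\.?$", re.I)


def build_query(name: str) -> bytes:
    """Return the single CRLF-terminated query line for a domain name."""
    # Refuse whitespace and control characters so that one lookup can never
    # turn into two lines on the wire.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("whitespace or control character in query")
    # Assumption of this example: non-ASCII labels are sent as xn-- A-labels.
    return name.encode("idna") + b"\r\n"


def parse_response(blob: bytes) -> dict:
    """Fold either sample layout into {normalised key: [values]}."""
    # Bytes outside seven-bit ASCII become U+FFFD instead of being guessed at.
    text = blob.decode("ascii", errors="replace")
    fields = {}
    block = None

    def add(key, value):
        key = key.strip().lower()
        fields.setdefault(ALIASES.get(key, key), []).append(value.strip())

    for line in text.splitlines():
        if not line.strip():
            block = None                              # blank line closes a block
        elif line.lstrip().startswith((">>>", "%", "#")):
            pass                                      # server notices and comments
        elif (m := SENTENCE.match(line)):
            add(m.group(1), m.group(2))
        elif (m := BLOCK_HEADER.match(line)):
            block = m.group(1)
        elif block and line[0].isspace():
            add(block, line)                          # indented value under a header
        elif (m := KEY_VALUE.match(line)):
            add(m.group(1), m.group(2))
    return fields


if __name__ == "__main__":
    print(build_query("example.test"))
    for sample in (REGISTRY_STYLE, REGISTRAR_STYLE):
        print(parse_response(sample))
```

Every new layout needs another pattern or alias, which is the maintenance burden the message describes.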
Hi McTim - Yes, it is a protocol - of sorts. But please read SSAC 051 as to its shortcomings (including it needs ASCII text - a problem with IDNs on the horizon). We do need something better - something that is consistently used, something that can accommodate new gTLDs and IDNs.
Holly
On 21/01/2013, at 12:32 AM, McTim wrote:
On Sat, Jan 19, 2013 at 10:37 PM, Holly Raiche <h.raiche@internode.on.net> wrote:
Hi John
We are not going to worry about US history now. What I am particularly concerned about is differentiated access and privacy. And all I can say is pity about WEIRDS. I attended the WEIRDS briefing in Toronto and have reread the slides as they were presented. What was said then was about differentiated access amongst other things - including, and perhaps primarily, having a standard protocol for WHOIS - that doesn't exist now.
Isn't WHOIS a "standard protocol" itself?
-- Cheers,
McTim "A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
Actually Holly, I didn't plan further interventions in this thread - happily so! - since the debate was going along swimmingly on all fronts. But I have to take issue with your input on the 2nd Amendment. The 2nd Amendment debate has always been careful to exclude the historical context, if only because it ain't pretty. As is usual with claims to greater moral standing, the facts are more nuanced than the popular hagiography is selling and would have you believe. The scholarship is replete. When you look at the several drafts by Madison, it centred around two words "nation" vs. "state" and the notion of a "militia" vs "slave patrols". Ask yourself, why would men subject themselves to such ignominy? The fact is they rebelled many times, burned, killed and murdered in favour of their freedom. The militia or, if you like, slave patrols, were legal instruments of terror and containment all over the South. These were the 'well regulated militias' of both myth and fact who held the balance of terror and kept slaves in check. And, subject of this 2nd Amendment. There are good people everywhere. So some were unwilling to partake. The anti-slavery coalition centred in the North, in the state of Massachusetts - see William Seward for example: '*since all men are the sons of Adam they are co-heirs, with equal rights unto liberty*' -, believed to destroy slavery meant dismantling and disallowing the slave patrols. So they tried several ways to that objective. The Virginian Patrick Henry, he of '*give me liberty or give me death*' fame, was on principle opposed to slavery. But he, a man of his time and place, simply could not go all the way and advocate freedom for slaves. He, along with George Mason, forcefully argued for preservation of the militias. This was the make-or-break issue for the Virginians, those enlightened stalwarts for liberty and justice for all, for their votes to affirm the constitution of the United States. 
[The companion determinant was that black people were only 3/5ths human.] This amendment was actually configured to gain Virginia's vote for the United States Constitution and expressly to preserve the right of slave patrols - the 'militias' regulated by law in slave states - to keep and bear arms, thusly prolonging the 'peculiar institution'. For those of you who might wish to be re-educated, you can access Madison's several drafts of the 2nd Amendment. Or, if you want to know more, you might wish to read A. Leon Higginbotham's "In The Matter of Color: Race and the American Legal Process - The Colonial Period". If you don't wish to get all bogged down in the abstruse legal stuff, then try Howard Zinn's "A People's History of the United States". Look carefully at the sources referred in both books. For some of them are now available online, courtesy of Google. Hell, it's always better for a man to choose his poison.
-Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* =============================
On Sat, Jan 19, 2013 at 7:11 PM, Holly Raiche <h.raiche@internode.on.net> wrote:
I am hesitant to buy into this, but this should not be about the privacy of owning guns versus the privacy issues involved in Whois data.
The 2nd amendment was all about the colonists protesting (finally rebelling) against a government regime where - as English colonists, which they were - they did not have the same rights that those who lived in England had. (as an aside, many of the Dutch living in what was then New Holland finally sided with the colonists because their only rights in relation to their Dutch overlords was as shareholders in a company run out of Rotterdam). Thus the famous ride of Paul Revere and the 2nd amendment, once the colonists managed to rid themselves of the overlords. So - please - it was about a situation in a colony where the locals did not have the rights they now have as citizens of the USA. So VERY different - both in the kinds of guns that the 2nd amendment was designed to protect over 200 years ago and the VERY different situation now - both in the nature of the guns being protected, and the rights of citizenship that were not available to the colonists then, but are now.
DIFFERENT QUESTION please about domain names. The Final Whois Review Team report explicitly recognises the tension between legitimate needs to access Whois data and the equally legitimate right of individuals to privacy. What is being developed by the IETF is the WEIRDS protocol which, amongst other things, will allow differentiated access to Whois data. This will allow those who want to exercise their legitimate right to privacy to do so, while also allowing those with particular need to access that data (particularly law enforcement agencies) to gain access. There are still issues in defining both the agencies that qualify as LEAs, and the process for access. But the principle is there - a balance between legitimate rights to privacy - against the equally legitimate need of those to gain access.
And please - no more about guns vs domain names
Holly Raiche
On 20/01/2013, at 10:49 AM, Karl Auerbach wrote:
On 01/19/2013 12:54 PM, Bill Silverstein wrote:
On 01/19/2013 11:43 AM, Bill Silverstein wrote:
Which amendment to the constitution provides for the right to have domain names?
The First.
Moreover the right to speech is found in many similar Constitutional statements of rights around the world, which is something that one can not say about militias and infringement on bearing arms.
Having or the lack of having a domain name does not impact speech. There are many services which allow one to publicly speak on the internet without a domain name.
Really? It seems, therefore, that you would accept being banned from the internet because you would still have the opportunity to stand on the street corner and shout words into the wind?
The point still stands, if the ownership of instrumentalities of great bodily harm (guns) is worthy of privacy protection then logic compels the conclusion that ownership of non-lethal instrumentalities such as domain names are worthy of even greater privacy protection.
One can not consistently simultaneously argue for the current wide open WHOIS and sealed ownership of firearms.
Only if one supports a privacy protected WHOIS can one consistently argue for privacy protected lists of gun ownership.
--karl--
On Jan 19, 2013, at 3:49 PM, Karl Auerbach <karl@cavebear.com> wrote:
One can not consistently simultaneously argue for the current wide open WHOIS and sealed ownership of firearms.
Who is arguing for that? I think gun ownership databases should be as open as WHOIS.
On 01/23/2013 05:28 PM, Neil Schwartzman wrote:
On Jan 19, 2013, at 3:49 PM, Karl Auerbach <karl@cavebear.com> wrote:
One can not consistently simultaneously argue for the current wide open WHOIS and sealed ownership of firearms.
Who is arguing for that? I think gun ownership databases should be as open as WHOIS.
There is a large body of people, and groups such as the legislatures of several States in the US, that are arguing that gun ownership databases should be sealed or that people have many opportunities to opt-out. As I have mentioned, if one can seal or opt out of publication of gun ownership data then the case is even stronger that WHOIS data should be sealed or that people should be able to opt-out. What is happening, and it is really happening, is an inversion in which data about really potentially life threatening things is being made private while data about things that carry no real threat of physical harm (domain names) are required to be wide open. The point is that this is an inconsistent situation. One path to consistency is to seal both guns and whois. Another path is to unseal both guns and whois. And a third path is to unseal guns and seal whois. But it is inconsistent to seal guns and unseal whois. --karl--
As I have mentioned, if one can seal or opt out of publication of gun ownership data then the case is even stronger that WHOIS data should be sealed or that people should be able to opt-out.
Hi, Karl. Does this also apply to the 99.99% or so of domains whose registrants are not natural persons? I'm thinking, for example, of the large pools of domains you mentioned a few days ago that belong to your clients who use them for monetized typosquats. R's, John
On 01/23/2013 07:42 PM, John R. Levine wrote:
As I have mentioned, if one can seal or opt out of publication of gun ownership data then the case is even stronger that WHOIS data should be sealed or that people should be able to opt-out.
Hi, Karl. Does this also apply to the 99.99% or so of domains whose registrants are not natural persons? I'm thinking, for example, of the large pools of domains you mentioned a few days ago that belong to your clients who use them for monetized typosquats.
Except for the accusation of "typosquatting" - an accusation that is for the most part imaginary and unfounded - yes, if gun registrations are private then so should be domain registrations. If records of registration of instrumentalities of mayhem and death are worthy of privacy then it stands to reason that registration of mere domain names is even more worthy of privacy. As I mentioned earlier, this is a matter of consistency. One can be consistent and support privacy for both guns and domains, or for open access to both gun records and domain records, or even for open gun records and closed domain records. But the position of closed gun records and open domain records is an inversion of the principle that the more dangerous a thing is the more that the public should know about it. --karl--
Hi, Karl. Could you just answer the question without changing the topic? Do you think that the identity of corporate speculators that own domains, including your typosquatting clients, should be public or secret? For extra credit, don't use the word "gun" in the answer. R's, John
On 01/23/2013 07:42 PM, John R. Levine wrote:
As I have mentioned, if one can seal or opt out of publication of gun ownership data then the case is even stronger that WHOIS data should be sealed or that people should be able to opt-out.
Hi, Karl. Does this also apply to the 99.99% or so of domains whose registrants are not natural persons? I'm thinking, for example, of the large pools of domains you mentioned a few days ago that belong to your clients who use them for monetized typosquats.
Except for the accusation of "typosquatting" - an accusation that is for the most part imaginary and unfounded - yes, if gun registrations are private then so should be domain registrations. ...
On 01/24/2013 07:46 AM, John R. Levine wrote:
Hi, Karl. Could you just answer the question without changing the topic?
You are not very polite.
Do you think that the identity of corporate speculators that own domains, including your typosquatting clients, should be public or secret?
You seem to use the words "speculator" and "vanity" as if that were something to be condemned and thrown onto a bonfire. Neither speculation nor vanity is unlawful. Nor in many eyes are they wrong or undesirable. Internet policies ought not to be based on the views of Savonarola.
My personal belief is that the entire whois system is ill-conceived. I see no purpose in open access to the public of what are really records of private business relationships. My personal belief is that if one wants to try to penetrate those records that one should have to initiate civil legal process by submitting a properly formed legal complaint that states a concrete cause of action and then to use standard procedures to have the registrar of record disclose the desired information. And as you have seen I proposed a streamlined analog to that process. Alternatively one may complain to proper law enforcement, by which I mean proper law enforcement, not some Keystone-Kops band of self-appointed vigilantes, who will themselves decide on whether to use their powers of inquiry and who are bound to exercise those powers only in accord with the proper procedures of their jurisdiction.
Notice that I did not distinguish between human or church or corporation. And that holds whether one is accusing or is the registrant. I, personally, might support different rules regarding for-profit corporate registrants, but that difference would only be with regard to the nature and quality of the registration information that may be eventually exposed rather than the burden of proof required to open the records. It is my belief that every person or entity that wants to penetrate the privacy of another ought to carry a burden to prove that he/it has suffered a real and specific legally recognized harm and that there is real reason to believe that that harm occurred through specific unlawful actions that use the accused domain name.
A bald accusation that a domain name is speculative or vain falls far short of that standard. --karl--
On 24 January 2013 15:23, Karl Auerbach <karl@cavebear.com> wrote:
On 01/24/2013 07:46 AM, John R. Levine wrote:
Hi, Karl. Could you just answer the question without changing the topic?
You are not very polite.
Blunt, maybe, but I saw no personal insult. And, as someone for whom the US Second Amendment is Someone Else's Problem, I tire of the comparison of domain names to guns and find it wholly inappropriate. So I'll support John in ridiculing the analogies.
Neither speculation nor vanity is unlawful. Nor in many eyes are they wrong or undesirable.
"Vanity is an excessive belief in one's own abilities, that interferes with the individual's recognition of the grace of God. It has been called the sin from which all others arise."<http://dahlig.deviantart.com/art/The-Seven-Deadly-Sins-VANITY-13310012> Hell, I'm an atheist and I agree with that -- and with at least most of John's characterizations. I tend to see domain speculation as no different from ticket scalping -- an act of re-sale totally devoid of added value. In the case of ticket scalping, the activity is considered unethical and indeed illegal in many jurisdictions. - Evan
On 01/24/2013 12:47 PM, Evan Leibovitch wrote:
On 24 January 2013 15:23, Karl Auerbach <karl@cavebear.com> wrote:
On 01/24/2013 07:46 AM, John R. Levine wrote:
Hi, Karl. Could you just answer the question without changing the topic?
You are not very polite.
Blunt, maybe, but I saw no personal insult. And, as someone for whom the US Second Amendment is Someone Else's Problem, I tire of the comparison of domain names to guns and find it wholly inappropriate. So I'll support John in ridiculing the analogies.
Clearly you must have not read John L's statements, including words like "inane". When I said that his approach is "not very polite" I was being polite by avoiding stronger words such as "condescending", "insulting", or "rude". As for the gun analogy - I did not raise it. However I did find it a very apt situation in that it raises a question of principle, or to be more specific, it raises the question of what principle justifies the privacy of machines of mayhem yet justifies the breaching of privacy with regard to things that are incapable of causing physical harm to peoples' bodies? Have either you or John L. articulated any principle that would substantiate such a difference in treatment? If you have I must have missed it. The lack of a principle that justifies such a difference quite properly ought to be a cause of discomfort for those who advocate a whois that has less protection than records of far more dangerous things. Rather than railing against one who points out the inconsistency it would make more sense to give whois at least the same level of privacy protection as given to records of gun registrations or say why such a difference is appropriate.
Neither speculation nor vanity is unlawful. Nor in many eyes are they wrong or undesirable.
"Vanity is an excessive belief in one's own abilities, that interferes with the individual's recognition of the grace of God. It has been called the sin from which all others arise."<http://dahlig.deviantart.com/art/The-Seven-Deadly-Sins-VANITY-13310012>
I am glad that you make it clear that your justification rises from a personal religious belief, even if you claim to be an "atheist". What principle or law gives your religion-derived belief the power to restrict the actions of others? Clearly you are not alone in the assertion that "your belief allows you to impose that belief to control the actions of others". It was not long ago that I read about a girl named Malala who was shot just because the shooter believed that girls should not go to school. By-the-way, do you cut your hair or shave? There are those who consider those to be signs of vanity. Should such people have access to your home because of their belief in your vanity? I would suspect that your answer would be "no". Yet that accuse-and-intrude position is very close to what you are advocating. I have made it clear in all of my postings that the criteria for penetrating privacy must be an accusation, supported by concrete evidence, that a harm recognized by law has occurred. Neither vanity nor speculation in and of themselves are harms recognized by law. If you want to change that then I suggest that you try to get a law passed that declares vanity or speculation to be unlawful. (In the meantime I'll take a look at the fate of rules against charging interest on money or sumptuary laws to prevent one from wearing clothes above one's station.)
I tend to see domain speculation as no different from ticket scalping -- an act of re-sale totally devoid of added value. In the case of ticket scalping, the activity is considered unethical and indeed illegal in many jurisdictions.
There is a wide difference between "considered unethical" and "illegal". Only "illegal" is illegal. --karl--
Have either you or John L. articulated any principle that would substantiate such a difference in treatment?
Yes, many times.
If you have I must have missed it.
No kidding.
I am not willing to accept that due process is an obsolete concept.
Look, we understand that it's your job to advocate for your client corporations with their big portfolios of "monetized" domains. But this is the ALAC, not the business or registrars group, and your non-sequiturs, obsession with the putative privacy rights of corporations, and constant opposition to policies that benefit the vast majority of Internet users who have never registered a domain and never will are phenomenally out of place here.
This is my last message on the topic. (Mail filters adjusted to avoid temptation.)
R's, John
On 01/24/2013 06:06 PM, John R. Levine wrote:
I am not willing to accept that due process is an obsolete concept.
Look, we understand that it's your job to advocate for your client corporations with their big portfolios of "monetized" domains.
That is a false accusation one might consider to be made with malice. I do not believe that you can adduce even a scintilla of actual evidence of any wrongdoing. I will choose to be charitable and consider your statement to be based on false assumptions, carelessly reached, rather than as a personal attack on my integrity and honesty. --karl--
Dear Karl, thanks for your interesting arguments. On 24/01/2013 21:23, Karl Auerbach wrote:
My personal belief is that if one wants to try to penetrate those records that one should have to initiate civil legal process by submitting a properly formed legal complaint that states a concrete cause of action and then to use standard procedures to have the registrar of record disclose the desired information.
That reasoning is obsolete. This is the Internet. It's international. It is full of people who do not care about this legal mumble jumble. That includes people who get scammed from phishing and make.money.fast schemes. Warmest regards, Olivier (personal views)
On 01/24/2013 02:46 PM, Olivier MJ Crepin-Leblond wrote:
My personal belief is that if one wants to try to penetrate those records that one should have to initiate civil legal process by submitting a properly formed legal complaint that states a concrete cause of action and then to use standard procedures to have the registrar of record disclose the desired information.
That reasoning is obsolete. This is the Internet. It's international. It is full of people who do not care about this legal mumble jumble. That includes people who get scammed from phishing and make.money.fast schemes.
I am not willing to accept that due process is an obsolete concept. Yes, it is quite true that our current legal systems are not yet as efficient or fast as most of us would like when procedures have to cross jurisdictional boundaries. The answer is to create modern due process rather than abandon due process. The procedures that I have suggested conform, I believe, with fairly widely held conceptions of due process, such as the requirement that those who stand in the role of the plaintiff (the one wanting whois data), have the obligation of stating a prima facie case supported by at least a minimal body of evidence that strongly suggests that the accused has caused some legally cognizable harm to the plaintiff. Notice that I said "strongly suggests" rather than "proves". I did this to bring speed to the proposed system. That's why I added the obligation that the plaintiff must post some money that could be used to partially compensate the accused should the accusation be challenged and shown to have been made frivolously, recklessly, or falsely. Today's whois system does not even require that the accuser identify himself, much less that he make an actual accusation, and even much less to present some evidence that an actual harm has occurred. I have presented a mildly detailed procedure through which we could bring whois access into conformity with widely held (and not just in the US) principles of due process. The procedure that I have presented removes much of the delay and cost of traditional cross-boundary legal procedures yet preserves many (but not all) of the safety protections. And it works on the internet. --karl--
On Fri, Jan 25, 2013 at 11:06 AM, Karl Auerbach <karl@cavebear.com> wrote:
On 01/24/2013 02:46 PM, Olivier MJ Crepin-Leblond wrote:
My personal belief is that if one wants to try to penetrate those records that one should have to initiate civil legal process by submitting a properly formed legal complaint that states a concrete cause of action and then to use standard procedures to have the registrar of record disclose the desired information.
That reasoning is obsolete. This is the Internet. It's international. It is full of people who do not care about this legal mumble jumble. That includes people who get scammed from phishing and make.money.fast schemes.
I am not willing to accept that due process is an obsolete concept.
Yes, it is quite true that our current legal systems are not yet as efficient or fast as most of us would like when procedures have to cross jurisdictional boundaries.
The answer is to create modern due process rather than abandon due process.
The procedures that I have suggested conform, I believe, with fairly widely held conceptions of due process, such as the requirement that those who stand in the role of the plaintiff (the one wanting whois data), have the obligation of stating a prima facie case supported by at least a minimal body of evidence that strongly suggests that the accused has caused some legally cognizable harm to the plaintiff.
Notice that I said "strongly suggests" rather than "proves". I did this to bring speed to the proposed system. That's why I added the obligation that the plaintiff must post some money that could be used to partially compensate the accused should the accusation be challenged and shown to have been made frivolously, recklessly, or falsely.
Today's whois system does not even require that the accuser identify himself, much less that he make an actual accusation, and even much less to present some evidence that an actual harm has occurred.
I have presented a mildly detailed procedure through which we could bring whois access into conformity with widely held (and not just in the US) principles of due process.
The procedure that I have presented removes much of the delay and cost of traditional cross-boundary legal procedures yet preserves many (but not all) of the safety protections. And it works on the internet.
I find these discussions interesting because on one hand there is due process and on the other hand is inter-agency cooperation between law enforcement authorities where information can be released/disclosed subject to degrees of harmonization of laws. We have seen this kind of inter-agency cooperation take place in recent times during the global clamp down of Operation Ghostnet.
On a similar note, I have been patiently waiting for the release of the reports on the studies commissioned by the GNSO which were extended to 2013 when results should have been out in 2012. http://gnso.icann.org/en/group-activities/other/whois/studies
One thing is for certain, even the OECD has addressed in various reports the need for the likes of revenue authorities to be interested in the development of things like Whois. If we were to examine the categories of inter-agency cooperation based on a series of their core business it could look like this:
- cyber security
- revenue authorities;
- etc
The results of these studies should help add to our discussions. In the meantime, I am enjoying reading all your comments.
--karl--
-- Salanieta Tamanikaiwaimaro aka Sala P.O. Box 17862 Suva Fiji Twitter: @SalanietaT Skype:Salanieta.Tamanikaiwaimaro Tel: +679 3544828 Fiji Cell: +679 998 2851
I've been reading the latest round of postings on domain WHOIS info and privacy. This topic is by no means new and no new brilliant suggestions have been forthcoming. In fact I have a sense of deja vu. As such some references to comments and my response thereto. If you would like any evidence for what I'm saying, feel free to contact me off list. Everything here is based on actual incidents and not some hypothetical possibility.

Apologies for the long email. But the below needs to be said on behalf of everyday innocent internet users who have as much right as anybody else. Likewise on behalf of hard working, dedicated LE who wish to protect those they were tasked to protect and serve.

* Domain WHOIS details are being likened to gun registration details and the assertion made that guns are dangerous, domains are not.

Domains are as much part and parcel of the cyber criminal's toolkit as a gun in the hands of a dangerous criminal. In either case it takes a person/persons behind that tool with ill intentions to use it in a harmful way. Gun legislation is local to a country. Domains have international reach. Abused domains have been used to set up fraudulent web presences in which victims have not only been defrauded, but lured into strange countries which they were not familiar with, where they have been kidnapped and held to ransom, tortured, raped and even murdered. Furthermore some of these syndicates have been linked to the drug trade, money laundering, human trafficking, prostitution and even the funding of terrorism. Guns and domains are both tools. I could turn around and say the gun does not kill, it's the bullet .... which would be petty and not constructive. It needs to be accepted that domains can be used to deceive internet users and in some cases that deceit can lead to mortal danger. Search government websites, newspapers etc as well.

* The American constitution, European privacy laws etc have been quoted.

That's great for local issues. However in the cyber criminal's case he hardly ever discloses his real location. Privacy is also abused to gain anonymity. All too often in these cases a party living in one country may claim a fake address in another country, the decision of claimed residence simply being what an anonymous proxy shows in many cases. Does the fact that he paid $10 to an offshore registrar suddenly put him out of reach of his local LE and does it provide him the protection of that offshore jurisdiction or the fake claimed address? This is happening. Applying local law to a global issue could also lead to further consequences; if you are not willing to respect our laws regarding issues by using your laws, why should we respect yours? How many internet users and/or registrants (really) live in the USA? How many in Europe? Using these as an absolute in terms of this issue will lead to fragmentation and chaos on the net. Imagine the UK and the USA using the same highway, each using their own rules of the road. Neither is wrong, but not appropriate at the same time on the same highway either.

* Whois details were not designed to combat crime, infringements etc

Neither was the internet designed for crime. However why should we suddenly limit ourselves to mechanisms other than whois details, if despite being fake, whois details show the extent of an issue by trending and can lead to uncovering the larger extent of fraud/spamming/whatever? Whois details and accuracy have become more important than ever. Right now whois details are used to protect innocent internet users proactively which is more than any suggestion I have heard, which is reactive and too late.

* Whois details should be private and only disclosed to recognized LE or their agents.

How do you identify those LE or agents? How do you stop abuse by those parties? How would you recognize abuse of any kind? I'm sure certain American registrars would have an issue with certain East Asia countries. And vice versa. At best some tokenism would be present, at worst no cooperation. However we find registrars deliberately setting up mechanisms to frustrate such attempts - a lawyer in Hong Kong, one in the Sudan that will not disclose your details. In fact it's not even asked, only your money which can be done anonymously as they point out. This also does not scale in terms of emergency situations. The international nature of domain registrations would dictate that a system is available that can be queried 24 x 7. Currently we find that international queries can take weeks. Yet the lifetime of logs on the internet can be measured in days if we are lucky (on that front there is clamoring for no logs in many cases). We also find that an emergency situation in one country does not constitute a crisis in another. This is frustrating to both LE and private parties. Also imagine the frustration of those waiting out the unduly long period and receiving something that equates to "Yogi Bear, Yellowstone Park". It happens and has been discussed before.

* the law enforcement boogeyman and eastern European crime syndicate.

I wish it was a boogeyman. It is not. Read up on Heihachi on Webalta, fake whois was manipulated by a criminal domain and hosting reseller serving other criminals (the term criminal qualified by competent LE and courts), the unwillingness of a large American registrar to act despite proven fake whois and proven harm etc. This led to Germany's largest incident of cyber crime in history in terms of financial loss (as per German authorities). In turn part and parcel of this was a botnet, ddos'ing and malware hosting operation. The owner of Heihachi had been in trouble with LE before regarding the self same issue, but became a reseller to an offshore American registrar using fake details to do it all again.

* no curious parties/"vigilantes" should have WHOIS access / their details should be sent to the registrant with proof of a crime being committed.

The very same incident mentioned and similar to the previous point was uncovered by technically savvy non-LE people looking at incidents, connecting the dots and who had to do a lot of hard work to present evidence of organized crime to the authorities for them to start looking into it. These same "curious" parties may also incidentally do a lot of the legwork for overburdened LE in issues such as spamming, botnets, malware, 419 and other forms of cyber-crime. As for a crime being committed as a qualifier - that implies after the fact and a victim. This would be a step in the wrong direction. Many times with sufficient evidence, whois being part of that evidence currently, a crime can be prevented. I would also like to know whose laws will be used as a qualifier? Already we find disparate laws regarding certain issues being exploited in cross jurisdictional discrepancies.

* Each domain exposure request should go via a court of law or other relevant due process.

Courts tend to be notoriously slow. The crime can last a day, a week, a month or however long. Many times the issue continues until someone reports it with evidence of harm being done. There would be no element of prevention. Also which country's court should be considered authoritative? "A five minute crime can take 3.5 years to fully investigate and prosecute" - quoting a comment by a hard working LE party recognized and respected by his peers internationally, expressing his frustrations. At whose cost? As it is currently, a $10 transfer to a registrar grants you a free domain, SSL certificate, domain privacy and unverified registration details, all thanks to the likes of anonymous money transfer mechanisms, anonymous proxies and less than honorable resellers. We are assuming that the relevant skills will be available in each country. This seems a bit like the tail wagging the dogs. This is also ridiculous considering the absolute amount of domain abuse going on. This solution simply does not scale. Who has to foot the bill for it? The victim - victimize the victim further? Tax payers in a distant country?

Here is news to some of you that may cause a stir: LE tosses a lot of these issues into the corner. Right now as an example 419 fraud is a can of worms and for the bulk does not get investigated apart from tokenism. The amounts Americans are conned out of are staggering. Likewise victims in other countries. Education fails as these scams are forever evolving. 419 fraud proceeds are the 2nd largest income for Nigeria after oil. Domains are part and parcel of 419 fraud and link incidents beautifully for investigations. Ironically these 419 gangs are not that difficult to track, trace or arrest. Yet it does not happen. This is known and the impunity of these gangs grows day by day. Yet as an American citizen, try and get your 419 case investigated in the USA? Chances are great you are doomed to become stats at IC3. Why, even the IC3, FBI, CIA etc have been spoofed many times in 419 fraud.

* Disclosure to registrant of accurate details of anyone inquiring to an unverified registrant.

Great! This will alert anyone committing crime that someone is on to him and he will immediately morph into a new identity giving him a free next round at harming internet users. Not bad for an unverified $10 domain registration. Additionally in some countries a life is cheap.

* private persons vs public persons and privacy

The UK's Nominet has this option as an example for private parties. All too many times we find spoofs of banks or other real or imagined companies used in fraud and registered as private. Would this qualify for an immediate suspension until investigated and then either unsuspended or cancelled depending on the outcome, if implemented? Why else have the qualifier?

There are many more comments I can make, but what is clear to me is that a lot of suggestions are made well intentioned, but with no real exposure to the total spectrum of domain abuse. Nor the issues facing anyone wishing to investigate, be it LE, a private person or a corporation.

The internet was initially built on trust. Today there is very little of it left. Unless verification can be established at all levels, we have zero chance of ever resolving serious issues affecting each and every one of us mentioned in the group and we are at a stalemate. Simply covering the mess that makes up the whois database with privacy, will affect each and every internet user negatively. We should also be careful to not make suggestions that negatively affect the ability of those legally put there to protect us or investigate when harm is done, yet by the same token hold them responsible for protecting us. We are dooming them to failure.

The tendency to label LE in general terms as loose cannons should also be measured against the tendency to start off with the registrant being innocent. Why this unbalanced outlook? It's easier to take LE to task than a rogue registrant. We also need to ask where the greater/lesser harm is being done. Think international as well. The internet has created its own ecosystems and has seen unintentional (or perhaps not?) opportunities being created daily to harm innocent internet users.

Derek

PS: I still believe the Heihachi / fake German shopkeeper issue should be turned into a case study as to show how the domain system can be manipulated to harm innocent netizens. This would be a great opportunity for many people to learn how cyber crime can affect each of us, also how it could have been avoided and who the role players are. Quite frankly this is a missed opportunity.
On 01/24/2013 03:46 PM, Derek Smythe wrote:
* Domain WHOIS details are being likened to gun registration details and the assertion made that guns are dangerous, domains are not.
Not quite. The discussion has been on the fact that in a lot of places gun registrations are being made private. And because guns are orders of magnitude higher on the relative scale of capacity to cause injury or death than are domain names that it makes sense to give the public more access to gun registration data than to domain registration data.

Sure, one can brew up intricate cases where a domain name is used as one element in a scheme that leads to human injury. But the sequence of causative events between domain name and injury in such schemes is rather greater than is for the typical gun related injury. The phrase typically used in law is "proximate cause" - use of domain names is rarely the proximate cause of violent damage to a human body. The same can not be said for guns.

The proponents of the current wide-open whois seem to be suggesting that the entry of a spam email into a person's mailbox is an injury equal to, or even greater, than that of a bullet entering a human body. I hope that the error is on my side, that I am mis-reading their positions.

In the situations you cited in which domain names were an element of an unlawful action there appear to have been plenty of unlawful things going on: you use words like "fraudulent" and "defrauded" - these acts are themselves actionable with or without use of a domain name. My suggestion is that you attack the root cause of specific events - such as the misrepresentation of material facts to someone who relies upon those facts to their detriment - rather than discarding the privacy of innocent domain owners everywhere.

Yes, the systems of investigation and of enforcement that we have today are slow, cumbersome, and expensive. But rather than throwing all that to the dogs, which seems to be the goal of some, we should try to create improved procedures. And to that end I have suggested some concrete processes.

It does seem that among those who are on the "open whois" side that there are many who are unwilling to disclose their own identities while trying to obtain the identity of another, to make implicit accusations of wrongdoing without making those accusations explicit or backing them with evidence, or to enter into a binding up front terms of service agreement that imposes enforceable obligations on their use of data that is obtained. Such an imbalance is contrary to my sense of justice and due process.

--karl--
On 23 Jan 2013, at 20:36, Karl Auerbach wrote:
What is happening, and it is really happening, is an inversion in which data about really potentially life threatening things is being made private while data about things that carry no real threat of physical harm (domain names) are required to be wide open.
This is not inconsistent. We know full well that for most, protecting their property is more important than protecting someone else's life. The main push for Whois is property protection, the main reason issues of privacy and protecting endangered populations always take a back seat in these discussions.

avri
Or even more. I think that if I lived in the US I would be more concerned about the chances of having my children killed in their schools than being spammed. R.
-----Original Message----- From: at-large-bounces@atlarge-lists.icann.org [mailto:at-large-bounces@atlarge-lists.icann.org] On behalf of Neil Schwartzman Sent: Thursday, 24 January 2013 02:29 To: At-Large Worldwide Subject: Re: [At-Large] Withdraw the gun database
On Jan 19, 2013, at 3:49 PM, Karl Auerbach <karl@cavebear.com> wrote:
One can not consistently simultaneously argue for the current wide open WHOIS and sealed ownership of firearms.
Who is arguing for that? I think gun ownership databases should be as open as WHOIS.
Bill Silverstein [2013-01-20 01:13]:
Which amendment to the constitution provides for the right to have domain names?
Which amendment to the US Constitution makes the US Constitution the sole reference point for a global system of domain names? There is more to civil liberties than the US Constitution. -- Pranesh Prakash Policy Director Centre for Internet and Society T: +91 80 40926283 | W: http://cis-india.org PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
2. Domain names, on the other hand, are far from lethal and one would have to be very imaginative to construct a situation in which a domain name could cause physical harm or death to a human. So it is safe to categorize domain names as instrumentalities highly unlikely to cause bodily harm.
So you're saying that nothing short of a death threat merits disclosing WHOIS information? I think that a lot of people who've lost a lot of money to phishing would treat this opinion with the contempt it deserves. R's, John PS: If you're wondering why people don't take ALAC seriously, this argument is a good example.
2. Domain names, on the other hand, are far from lethal and one would have to be very imaginative to construct a situation in which a domain name could cause physical harm or death to a human. So it is safe to categorize domain names as instrumentalities highly unlikely to cause bodily harm.
So you're saying that nothing short of a death threat merits disclosing WHOIS information?
I think that a lot of people who've lost a lot of money to phishing would treat this opinion with the contempt it deserves.
R's, John
PS: If you're wondering why people don't take ALAC seriously, this argument is a good example.
John, Given statements by Congress and the President, the same can be said for them.
On 01/19/2013 11:48 AM, John R. Levine wrote:
2. Domain names, on the other hand, are far from lethal and one would have to be very imaginative to construct a situation in which a domain name could cause physical harm or death to a human. So it is safe to categorize domain names as instrumentalities highly unlikely to cause bodily harm.
So you're saying that nothing short of a death threat merits disclosing WHOIS information?
I think that a lot of people who've lost a lot of money to phishing would treat this opinion with the contempt it deserves.
You are missing the point - which is that if gun ownership should not be public information then domain name ownership even more strongly should not be made public. Thus, if one supports privacy for gun ownership then consistency would suggest that that person should more strongly support privacy for domain names. On the scale of harms I would hope that one can comprehend that a bullet hole in one's body is a greater harm than receipt of a spam email in one's mailbox.

--karl--
participants (20)
- Adam Peake
- Avri Doria
- Bill Silverstein
- Carlton Samuels
- Derek Smythe
- Evan Leibovitch
- h.raiche@internode.on.net
- Holly Raiche
- Jaap Akkerhuis
- John R. Levine
- Joly MacFie
- Karl Auerbach
- McTim
- Neil Schwartzman
- Olivier MJ Crepin-Leblond
- Peter Thomassen
- Pranesh Prakash
- Roberto Gaetano
- Salanieta T. Tamanikaiwaimaro
- Sébastien Bachollet