Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc>

Currently, every domain name registrant is required to enter "accurate" information in the publicly available WHOIS database, including name, address, telephone number, and email address. Those who wish not to have this personal information displayed publicly must pay extra to registrars for "proxy" services which often allow their information to be revealed anyhow when someone challenges the domain registrant's speech. I believe there are serious free speech, privacy, and anonymity concerns with the current system.

ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.)

Since the debate has changed little since I sent this message in December, I re-send it to spark discussion on this policy issue: <http://forum.icann.org/lists/alac/msg02529.html>

Notes on WHOIS: The WHOIS draft report reports the majority view for an "Operational Point of Contact" (OPOC), which would have registrants replace the administrative and technical contacts with one or more OPOC, who could be the registrant or a third party delegated by the registrant. This would enable better contactability and allow the registrant to remove personally identifying information from public display. "The purpose of the operational point of contact is to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name." Registrants would be required to list their own name and country, but would be able to keep other information out of the publicly available WHOIS. (Under both proposals, the information would still be collected.)
A minority supported the IP constituency's "Special Circumstances" proposal, under which individual non-commercial registrants could protect privacy only if they "can demonstrate that they have a reasonable basis for concern that public access to specific data about themselves (e.g., name, address, e-mail address, telephone number) that would otherwise be publicly displayed in Whois would jeopardize a concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access. An individual would be able to hold special circumstance designation for only a limited number (e.g., 5) gTLD domain names at a time." Proxy services would be disallowed under this proposal.

The TF will also discuss recommendations made earlier on compliance with national law, which may require registrars to provide privacy options.

Questions: Why (in the special circumstances proposal) are we asking individuals to pay extra for basic privacy rights? How does WHOIS policy accommodate the needs of individual Internet users as domain name registrants? as users of Internet services? Is public display of personal data compatible with national data protection law and public policy? I think we should resist the distinction between commercial and non-commercial registrants because it is unworkable in practice: Is the activist who sells t-shirts to carry his message, or adwords to pay for site hosting a "commercial" user?

I have recommended an additional option, that a domain name could be suspended if the registrant did not want to reveal personally identifying information. Enforcement interests (stopping a domain-hosted scam, for example) could be realized even before the registrant was identified, while law enforcement would have all the ordinary tools available to it once it demonstrated there was reason to believe the activity was unlawful.
-- Wendy Seltzer -- wendy@seltzer.org phone: 718.780.7961 // fax: 718.780.0394 // cell: 914.374.0613 Visiting Assistant Professor of Law, Brooklyn Law School Fellow, Berkman Center for Internet & Society http://cyber.law.harvard.edu/seltzer.html http://www.chillingeffects.org/
Thanks Wendy,

As people are asking "what are the ISSUES?", I thought whois and privacy is one important issue for individual (and other) users of the Internet, and was wondering if somebody like you could make a brief summary. You read my mind ;-).

In Japan, for example, though we have had one of the most stringent personal data protection laws in place since last year, the dot jp registry is given a sort of "special exemption" to follow the international rule - current ICANN whois policy - and continue to publish quite personal data of domain name registrants.

I was also thinking "domain monetization", especially the ones using the five days grace period to make a vast amount of speculative domain name registrations in a really organized manner by a few players, is another good "hot potato".

I don't have time right now to make a summary, but will try. In the meantime, if anyone could do that better, I encourage you to do so.

izumi

2007/2/9, Wendy Seltzer <wendy@seltzer.com>:
Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc>
Currently, every domain name registrant is required to enter "accurate" information in the publicly available WHOIS database, including name, address, telephone number, and email address. Those who wish not to have this personal information displayed publicly must pay extra to registrars for "proxy" services which often allow their information to be revealed anyhow when someone challenges the domain registrant's speech. I believe there are serious free speech, privacy, and anonymity concerns with the current system.
ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.)
Since the debate has changed little since I sent this message in December, I re-send it to spark discussion on this policy issue: <http://forum.icann.org/lists/alac/msg02529.html>
Notes on WHOIS: The WHOIS draft report reports the majority view for an "Operational Point of Contact" (OPOC), which would have registrants replace the administrative and technical contacts with one or more OPOC, who could be the registrant or a third party delegated by the registrant. This would enable better contactability and allow the registrant to remove personally identifying information from public display. "The purpose of the operational point of contact is to resolve, or to reliably pass on data to resolve, operational issues relating to a domain name." Registrants would be required to list their own name and country, but would be able to keep other information out of the publicly available WHOIS. (Under both proposals, the information would still be collected.)
A minority supported the IP constituency's "Special Circumstances" proposal, under which individual non-commercial registrants could protect privacy only if they "can demonstrate that they have a reasonable basis for concern that public access to specific data about themselves (e.g., name, address, e-mail address, telephone number) that would otherwise be publicly displayed in Whois would jeopardize a concrete and real interest in their personal safety or security that cannot be protected other than by suppressing that public access. An individual would be able to hold special circumstance designation for only a limited number (e.g., 5) gTLD domain names at a time." Proxy services would be disallowed under this proposal.
The TF will also discuss recommendations made earlier on compliance with national law, which may require registrars to provide privacy options.
Questions: Why (in the special circumstances proposal) are we asking individuals to pay extra for basic privacy rights? How does WHOIS policy accommodate the needs of individual Internet users as domain name registrants? as users of Internet services? Is public display of personal data compatible with national data protection law and public policy? I think we should resist the distinction between commercial and non-commercial registrants because it is unworkable in practice: Is the activist who sells t-shirts to carry his message, or adwords to pay for site hosting a "commercial" user?
I have recommended an additional option, that a domain name could be suspended if the registrant did not want to reveal personally identifying information. Enforcement interests (stopping a domain-hosted scam, for example) could be realized even before the registrant was identified, while law enforcement would have all the ordinary tools available to it once it demonstrated there was reason to believe the activity was unlawful.
-- Wendy Seltzer -- wendy@seltzer.org
On 2007-02-08 14:08:55 -0500, Wendy Seltzer wrote:
Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc>
That's a "Not found" here...
ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.)
Until when is the thing open for comments, and where can these be submitted? Or is the public comment period closed, and the only avenue would be a comment through ALAC's Council liaison? (Sorry, but I've pretty thoroughly lost track of these processes... ;)
Since the debate has changed little since I sent this message in December, I re-send it to spark discussion on this policy issue:
Thanks!
I have recommended an additional option, that a domain name could be suspended if the registrant did not want to reveal personally identifying information. Enforcement interests (stopping a domain-hosted scam, for example) could be realized even before the registrant was identified, while law enforcement would have all the ordinary tools available to it once it demonstrated there was reason to believe the activity was unlawful.
Strikes me as a pretty reasonable balance; I'd actually suspect that this would be better for some enforcement interests than the current "exceptional circumstances" proposal. -- Thomas Roessler <roessler@does-not-exist.org>
The public comment period on the report closed 15th January, but it will go before the Council within a month, and of course Alan, the GNSO Liaison, and Wendy will be able to make the At-Large community's views known then. At some point it will go to the ICANN Board, and there may or may not be a public comment opportunity at that time.

On 09/02/07, Thomas Roessler <roessler@does-not-exist.org> wrote:
On 2007-02-08 14:08:55 -0500, Wendy Seltzer wrote:
Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc>
That's a "Not found" here...
ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.)
Until when is the thing open for comments, and where can these be submitted? Or is the public comment period closed, and the only avenue would be a comment through ALAC's Council liaison?
(Sorry, but I've pretty thoroughly lost track of these processes... ;)
Since the debate has changed little since I sent this message in December, I re-send it to spark discussion on this policy issue:
Thanks!
I have recommended an additional option, that a domain name could be suspended if the registrant did not want to reveal personally identifying information. Enforcement interests (stopping a domain-hosted scam, for example) could be realized even before the registrant was identified, while law enforcement would have all the ordinary tools available to it once it demonstrated there was reason to believe the activity was unlawful.
Strikes me as a pretty reasonable balance; I'd actually suspect that this would be better for some enforcement interests than the current "exceptional circumstances" proposal.
-- Thomas Roessler <roessler@does-not-exist.org>
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
www.alac.icann.org www.icannalac.org
--
Regards,
Nick Ashton-Hart
PO Box 32160, London N4 2XY, United Kingdom
UK Tel: +44 (20) 8800-1011 USA Tel: +1 (202) 657-5460 Fax: +44 (20) 7681-3135 mobile: +44 (7774) 932798
Win IM: ashtonhart@hotmail.com / AIM/iSight: nashtonhart@mac.com / Skype: nashtonhart
Online Bio: https://www.linkedin.com/in/ashtonhart
At 2:08 PM -0500 on 2/8/07, Wendy Seltzer wrote to a bunch of us, saying:
Here's the draft report the WHOIS task force is considering <http://forum.icann.org/lists/gnso-dow123/docUOzrntSDL0.doc>
Currently, every domain name registrant is required to enter "accurate" information in the publicly available WHOIS database, including name, address, telephone number, and email address. Those who wish not to have this personal information displayed publicly must pay extra to registrars for "proxy" services which often allow their information to be revealed anyhow when someone challenges the domain registrant's speech. I believe there are serious free speech, privacy, and anonymity concerns with the current system.
ALAC could submit comments to the Task Force and the GNSO. (As Danny Younger has noted, there are procedural problems with the PDP's lack of opportunity to consider public comment, as well as substantive problems with the proposals.)
Hi,

So much of this is so entirely divergent from the stance of CAUCE and that of many online security professionals I honestly don't know where to begin, but I will try.

WHOIS as it stands now offers one clue of sometimes very few when doing a spam, virus, botnet or spyware investigation. These modern-day technologies are a far more serious issue regarding the *constant* breach of end-user privacy (personal identification theft and the wholesale, unabated robbery of end-user monies) than any straw man about an activist somewhere requiring a domain could ever be.

The vast majority of investigators who man the ramparts in the fight against such things are not law enforcement agencies nor officials, but ad hoc groups and independents such as myself. Skilled investigators, like the people at The Spamhaus Project http://www.spamhaus.org/rokso, use the evidence provided in WHOIS records (often there is a commonality among them) to tie pernicious attacks on the very infrastructure of the Internet to the criminal gangs who perpetrate them. As a direct result of this work, there have been numerous takedowns of sites, blocklisting of truly evil mail streams, and follow-through with Law Enforcement Agencies.

Law Enforcement Agencies, for example many of those represented at The London Action Plan and the E.U. Contact Network of Spam Authorities (I am a sitting member of the L.A.P. but do not represent the group), are against WHOIS obfuscation. LEAs rely on the unique and highly-skilled abilities of amateur investigators *heavily* in their efforts; needless to say 'amateurs' have no ability to get court orders to open the kimono of an obfuscated WHOIS record. Indeed, the courts of the world would become clogged with such requests, were investigations even able to get to such a point were amateurs unable to do their work, and the additional lag would afford the bad guys extra time to vanish.
At present there are obfuscation facilities available to activists who wish to remain anonymous, for a few dollars more than they are paying for their domain name. Moreover, the domain name is entirely optional in the expression of free speech; there are myriad ways in which one can avail oneself of a soapbox that do not require a domain. No-one 'needs' a domain name any more than they 'need' a driving permit. It is a privilege, not a right.

At the present time we are in a crisis situation with spam, zombie nets, viruses and spyware, and a circumstance which 'we', the good guys, may well lose. Any further concession to the criminal gangs behind these attacks on us all will allow them an advantage which they will surely take; at present they are clearly in control of part, if not a majority, of the net* and we cannot afford to hinder investigators who might be able to save what we all implicate ourselves with on a daily basis. In other words, obfuscate WHOIS and it will be exploited immediately and rampantly, and we might not have a network to argue about in the ensuing days.

Respectfully yours,

* Some hysterical hand-wringing on my part: http://www.informationweek.com/research/showArticle.jhtml?articleID=19060015... and something that proves my point: Hackers Attack Key Net Traffic Computers http://hosted.ap.org/dynamic/stories/I/INTERNET_ATTACKS?SITE=WIRE&SECTION=HO... By TED BRIDIS, Associated Press Writer

--
== Neil Schwartzman
Chair, Board of Directors
CAUCE Canada: The Canadian Coalition Against Unsolicited Commercial Email
Canada: +1 (514) 485-9713 US: +1 (303) 800 6345 UK: 020 8144 6345
Skype: spamfighter666 Fax: +1 (419) 793-0430
[AIM / MSN / Yahoo!]: CAUCECanada
[Web]: http://cauce.ca
See http://stopspamhere.ca for ways to prevent spam from hitting your inbox.
On 2007-02-09 06:07:13 -0500, Neil Schwartzman wrote:
In other words, obfuscate WHOIS, it will be exploited immediately and rampantly, and we might not have a network to argue about in the ensuing days.
So, there's no decent enforcement of accuracy for WHOIS data. There's rampant trade of stolen identities and credit cards that get abused to register domain names. Also, high-level domain names are pretty optional for many spamming and phishing operations. Mind elaborating a bit more as to how further obfuscated WHOIS is going to let the sky fall, and what WHOIS has to do with the recent attacks on the root servers that you chose to use as an example? Regards, -- Thomas Roessler <roessler@does-not-exist.org>
At 12:21 PM +0100 on 2/9/07, Thomas Roessler wrote to a bunch of us, saying:
On 2007-02-09 06:07:13 -0500, Neil Schwartzman wrote:
In other words, obfuscate WHOIS, it will be exploited immediately and rampantly, and we might not have a network to argue about in the ensuing days.
So, there's no decent enforcement of accuracy for WHOIS data. There's rampant trade of stolen identities and credit cards that get abused to register domain names.
Also, high-level domain names are pretty optional for many spamming and phishing operations. Mind elaborating a bit more as to how further obfuscated WHOIS is going to let the sky fall, and what WHOIS has to do with the recent attacks on the root servers that you chose to use as an example?
Ignoring the needlessly sarcastic tone for the moment - forensically speaking, when bad guys register 100s or thousands of domains they do not do so one at a time. They do so in bulk, and more often than you would think, they make mistakes, by referencing pieces of data which we *can* link to real-world identities. Patterns emerge, and the true face of the enemy is revealed. Should we obfuscate WHOIS, the ability of non-LEA security investigators to do their work will be hamstrung. The results will be, to say the least, deleterious.

I am truly sorry you don't see the situation on the Internet as critical as it is; but that's o.k., I have made it my business to alert people to what is actually happening, so thanks for the opportunity to step up onto the soapbox.

The recent L.A.P./C.N.S.A. meeting in Brussels, with OECD representation, was a particularly poignant case in point. I am used to rolled eyes when I say the things I do; on a Canadian Federal Task Force on Spam the lead RCMP officer had the same reaction you did. When I related some tales of net destruction to the assemblage in Belgium during my part of the keynote speeches, there was a period of silence. Then, over the next day and a half, there were four other presentations which served to underscore my points and my contentions. By the end of the meetings there remained no-one unconvinced. I reiterated my speech and what some have called a manifesto published at http://www.circleid.com/posts/anti_spam_virus_trench_warfare/ at the recent MAAWG meetings in San Francisco, during a phishing session. Investigators, both LEA and non-LEA, have been able to track the origins of the botnet controllers to a specific place in Eastern Europe, and tie it to a group of people. WHOIS doubtlessly aided in those investigations.
If anyone here believes the infrastructure is robust enough to mitigate such attacks, I would hasten to point out that while the commercial TLDs are indeed redundant enough to likely deal with the size of the recent attack, they were affected by as few as 100 machines. Spamthru, the source of the recent mega-spikes in spam, has been used at best to 10% of capacity. Furthermore, few if any ccTLDs are similarly configured. Bottom line: the bad guys can take out a country at will.

Tangential to the original question, but I ask you two in return - do you REALLY want to hinder investigations by obfuscating a valuable investigative tool? And, do you REALLY think things are going to get better, security-wise, over time?

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
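The bulk-registration pivoting Neil describes in his message above, shown as an added example; this is not code from the thread, from CAUCE or from any other organisation named in it. The WHOIS records are constructed, not real registrations, and `pivot_clusters`, `shared_pivots` and `IGNORED_VALUES` are names chosen here. The logic links domains that share a normalised contact value (e-mail, phone or postal address), and, as a check the thread's proxy-service discussion calls for, skips values that belong to a privacy or proxy service, because a proxy's address would otherwise tie every customer of that service into one cluster. A shared value is a lead rather than an identity: as Thomas points out, the data may be inaccurate or stolen, so a cluster still needs corroboration before anything is done with it.

```python
from collections import defaultdict

# Constructed sample WHOIS records, not real registrations (assumption).
# Three domains from one bulk batch reuse a phone number and a contact
# address even though the e-mail changes; two unrelated domains; and two
# domains registered through a (constructed) privacy/proxy service that
# share the proxy's address but are otherwise unrelated.
SAMPLE_RECORDS = [
    {"domain": "example-offer-1.test", "email": "a1@mail.invalid",
     "phone": "+1.5550100", "address": "1 Sample St, Nowhere"},
    {"domain": "example-offer-2.test", "email": "a2@mail.invalid",
     "phone": "+1.5550100", "address": "PO Box 0, Nowhere"},
    {"domain": "example-offer-3.test", "email": "a3@mail.invalid",
     "phone": "+1.555 0199", "address": "P.O. Box 0, NOWHERE"},
    {"domain": "bakery.test", "email": "owner@bakery.invalid",
     "phone": "+1.5550142", "address": "9 Main St, Elsewhere"},
    {"domain": "clinic.test", "email": "info@clinic.invalid",
     "phone": "+1.5550177", "address": "4 Oak Rd, Elsewhere"},
    {"domain": "proxy-user-a.test", "email": "p-a@proxy.invalid",
     "phone": "+1.5550001", "address": "Privacy Proxy Service, PO Box 1"},
    {"domain": "proxy-user-b.test", "email": "p-b@proxy.invalid",
     "phone": "+1.5550002", "address": "Privacy Proxy Service, PO Box 1"},
]

PIVOT_FIELDS = ("email", "phone", "address")


def normalize(value):
    """Drop case, whitespace and punctuation so copied contact data matches."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


# Contact values known to belong to privacy/proxy services (constructed).
# A shared proxy value only says two registrants used the same service.
IGNORED_VALUES = {normalize("Privacy Proxy Service, PO Box 1")}


def pivot_clusters(records):
    """Group domains transitively linked by any shared, non-ignored pivot value.

    Returns clusters as sorted lists, largest first, then by first domain.
    """
    parent = {r["domain"]: r["domain"] for r in records}  # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (field, normalised value) -> first domain carrying it
    for r in records:
        for field in PIVOT_FIELDS:
            value = normalize(r[field])
            if not value or value in IGNORED_VALUES:
                continue
            key = (field, value)
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])  # union
            else:
                first_seen[key] = r["domain"]

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


def shared_pivots(records, cluster):
    """Report which field values tie a cluster together (as first recorded)."""
    members = [r for r in records if r["domain"] in set(cluster)]
    shared = {}
    for field in PIVOT_FIELDS:
        by_value = defaultdict(list)
        for r in members:
            by_value[normalize(r[field])].append(r[field])
        values = sorted(v[0] for v in by_value.values() if len(v) > 1)
        if values:
            shared[field] = values
    return shared


if __name__ == "__main__":
    for cluster in pivot_clusters(SAMPLE_RECORDS):
        if len(cluster) > 1:  # only batches are worth a second look
            print(cluster, shared_pivots(SAMPLE_RECORDS, cluster))
```

On the constructed records the three `example-offer-*` domains fall into one cluster, tied together by the phone number and the (differently punctuated) PO box, while the two proxy-registered domains stay separate because their only common value is on the ignore list. In practice the ignore list has to be maintained as proxy services come and go, and every cluster should be treated as a hypothesis to confirm against other evidence.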
Neil Schwartzman ha scritto:
Tangential to the original question, but I ask you two in return - do you REALLY want to hinder investigations by obfuscating a valuable investigative tool? And, do you REALLY think things are going to get better, security-wise over time?
Just to show you a different point of view - do you think that you really have to expose personal information to each and every user of the Internet, for you to have access to it in case of an investigation? Don't you think that there could be better ways, that give you access to it when you're working in partnership with public law enforcement agencies, while not disclosing it to everyone else? Also, don't you think that people (at least the not clearly ill-intentioned ones) would be more likely to provide accurate information and keep it updated if they knew it was to be used with care, rather than while knowing that it will be out there for everyone to see? (Or, if you prefer - do you *really* think that anyone can force registrants to provide accurate information if they don't want to?)

-- vb.
Vittorio Bertola - vb [a] bertola.eu
finally with a new website at http://bertola.eu/
At 2:22 PM +0100 on 2/9/07, Vittorio Bertola wrote to a bunch of us, saying:
Neil Schwartzman ha scritto:
Tangential to the original question, but I ask you two in return - do you REALLY want to hinder investigations by obfuscating a valuable investigative tool? And, do you REALLY think things are going to get better, security-wise over time?
Just to show you a different point of view - do you think that you really have to expose personal information to each and every user of the Internet,
Every domain holder.
for you to have access to it in case of an investigation? Don't you think that there could be better ways, that give you access to it when you're working in partnership with public law enforcement agencies, while not disclosing it to everyone else?
No. The non-LEA investigations go on constantly. The LEA investigations happen on an order of a magnitude less frequently.
Also, don't you think that people (at least the not clearly ill-intentioned ones) would be more likely to provide accurate information and keep it updated if they knew it was to be used with care,
They already do that now.
rather than while knowing that it will be out there for everyone to see? (Or, if you prefer - do you *really* think that anyone can force registrants to provide accurate information if they don't want to?)
Nope. And like I said, even the intentionally bad entries form patterns, which we recognize, and tie to actual individuals.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
On 2007-02-09 08:11:55 -0500, Neil Schwartzman wrote:
Investigators, both LEA and non-LEA have been able to track the origins of the botnet controllers to a specific place in Eastern Europe, and tie it to a group of people. WHOIS doubtlessly aided in those investigations.
I don't dispute that tracking down domain names to their owners can be a useful tool. I don't dispute that online crime is a serious problem, and that botnets are making it worse all the time. What I do dispute is that public WHOIS plays the role some people claim it plays.

When I ask about WHOIS's real value, what I mostly hear is somewhere between "the sky is falling", "there are patterns", "don't you dare to question us", and "we need to fight online crime at all cost." And that really doesn't cut it as an argument and makes me respond sarcastically.

I remember having heard people who advocated for open access to WHOIS data tell war stories in which, essentially, following the WHOIS trace was a pure distraction and a dead end; the great success they touted was to find out that the registrant data pointed to a real person who had nothing at all to do with the scam. They then went on to follow the payment trail and were much more successful there, if I recall correctly. I remember other war stories in which whois helped law enforcement to find contact information at a major ISP, and therefore was deemed indispensable. Of course, that was really a fine example of "wrong tool for the job."

So: Explain what impact obfuscating WHOIS further would really have. Assume you have to jump through some hoop to convince a registrar that you're a good-faith private investigator. Assume you don't have access at all. Assume there's some rule that makes domains which don't have contact information much easier to take down. What happens? How do these options *really* shift the balance?
do you REALLY want to hinder investigations by obfuscating a valuable investigative tool?
That is the "we need to fight this war at all cost" style of argument. It is utterly misplaced in this discussion. Cheers, -- Thomas Roessler <roessler@does-not-exist.org>
At 4:06 PM +0100 on 2/9/07, Thomas Roessler wrote to a bunch of us, saying:
What I do dispute is that public WHOIS plays the role some people claim it plays.
When I ask about WHOIS's real value, what I mostly hear is somewhere between "the sky is falling", "there are patterns", "don't you dare to question us", and "we need to fight online crime at all cost." And that really doesn't cut it as an argument and makes me respond sarcastically.
Then you aren't listening, or hearing what I say. I have offered to produce investigators who plainly say they need this data. Tell me when and where and I will make it happen.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
At 4:06 PM +0100 on 2/9/07, Thomas Roessler wrote to a bunch of us, saying:
So: Explain what impact obfuscating WHOIS further would really have. Assume you have to jump through some hoop to convince a registrar that you're a good-faith private investigator. Assume you don't have access at all. Assume there's some rule that makes domains which don't have contact information much easier to take down. What happens? How do these options *really* shift the balance?
I'll tell you what. If obfuscation goes through, and things don't get worse the way I am saying with dead certainty they will, I will publicly proclaim in blog and print media that you are correct to the 25,000 netizens I represent, and resign my position. Are you personally prepared to be held accountable if I am correct? Is anyone here? Like I said - show me a list of names of people who can't afford the commercial obfuscation systems, who have an identifiable need for a domain and a private whois record, and I will pay out of my own pocket to cover the services. Better yet - why doesn't ICANN set up a facility to do so?

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
Neil Schwartzman wrote:
Like I said - show me a list of names of people who can't afford the commercial obfuscation systems, who have an identifiable need for a domain and a private whois record, and I will pay out of my own pocket to cover the services.
Better yet - why doesn't ICANN set up a facility to do so?
I am not entitled to speak for ICANN, but I know ICANN sufficiently well to try to make an educated guess. My guess is that by setting up a facility to do so it would implicitly endorse the principle that people who can afford to pay for their privacy should do so. I fear that to endorse the principle that "who can pay should" could open up a serious can of worms on all kinds of creative exploitation of the domain name market.

Unfortunately (or fortunately), this world is multicultural, and there are different opinions about what is a right and what is a privilege. But since the internet is global, we need a mechanism to sort out the differences that takes into account all points of view: the point of view of who says that obfuscating your personal data in the whois is a right, and who says it is a privilege (that you might have to pay for); the point of view of who says that accessing personal data in the whois is a right, and who says it is a privilege (that you might have to prove you have the credentials for).

Anyway, I'm sitting on the fence and gathering information, because this matter will eventually end up on the Board's table. I have a lot of respect for who is trying to defend against abuses on all sides: I have only to observe that what is a legitimate action in certain cultural environments is an abuse in others, and vice-versa. Also for this reason, I find this discussion excellent.

However, I have one question, or rather one curiosity: why is it that "LEA rely on the unique and highly-skilled abilities of amateur investigators *heavily* in their efforts"?

Best regards,
Roberto
At 6:52 PM +0100 on 2/9/07, Roberto Gaetano wrote to a bunch of us, saying:
However, I have one question, or rather one curiosity: why is it that "LEA rely on the unique and highly-skilled abilities of amateur investigators *heavily* in their efforts"?
Hi Roberto,

Frankly, there is a shocking lack of computer, net and technical expertise among the world's police forces. Or perhaps that isn't shocking. The ramp-up of crime online has been rapid, cops less so, plus cops still like to deal with physical crimes, understandably. If you want a little anecdote, last year I sat in a room with 100 investigators, and taught them how to DISPLAY the headers of an email. Never mind reading them.

Spam is a highly technical and ever-evolving set of technologies and there are few if any LEAs with the technical expertise at the moment to deal, whereas we 'amateurs' (and that would include a lot of people better deemed professional spamfighters) track the stuff daily. Another thing that happens a lot is that cops get trained on the job, then get hired by private industry. Canada's RCMP computer forensics lab was virtually cleaned out when the lead guy was hired by KPMG, and then hired all his former co-workers.

SLAMSPAM is one example of amateur, professional and LEAs trying to do something. CAUCE and The Spamhaus Project being members of the London Action Plan and Anti Spyware Coalition would be another. Me working with The Competition Bureau of Canada to assist in their investigations is yet another. Me working on coordinating discrete groups of experts and LEAs to hold training days is another.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
Neil Schwartzman wrote:
Like I said - show me a list of names of people who can't afford the commercial obfuscation systems, who have an identifiable need for a domain and a private whois record, and I will pay out of my own pocket to cover the services.
How about an orthogonal set: people who need more than obfuscation, but actual anonymity in their domain registrations?

I've worked with and talked to people whose names were revealed by "proxy" services such as Domains-by-Proxy based on an unverified complaint from an adverse claimant. These are people engaged in legitimate advocacy and criticism, who have legitimate interests in stable location pointers for their online speech, who fear reprisals if their identities are known. It's not that they can't pay, but that no one offers them the anonymity they want at any price.

--Wendy -- Wendy Seltzer -- wendy@seltzer.org phone: 718.780.7961 // fax: 718.780.0394 // cell: 914.374.0613 Visiting Assistant Professor of Law, Brooklyn Law School Fellow, Berkman Center for Internet & Society http://cyber.law.harvard.edu/seltzer.html http://www.chillingeffects.org/
At 7:50 PM -0500 on 2/11/07, Wendy Seltzer wrote to a bunch of us, saying:
Neil Schwartzman wrote:
Like I said - show me a list of names of people who can't afford the commercial obfuscation systems, who have an identifiable need for a domain and a private whois record, and I will pay out of my own pocket to cover the services.
How about an orthogonal set: people who need more than obfuscation, but actual anonymity in their domain registrations?
I've worked with and talked to people whose names were revealed by "proxy" services such as Domains-by-Proxy based on an unverified complaint from an adverse claimant. These are people engaged in legitimate advocacy and criticism, who have legitimate interests in stable location pointers for their online speech, who fear reprisals if their identities are known.
Hi Wendy,

Why do they not use a hosted offshore service and post-through-proxy if they want truly secure anonymity? Anyone with a true desire to post data that could land them in trouble doesn't want a domain in their own name - they want to be several arm's lengths away from the public data.

I'm also left wondering what these activists did prior to them having Internet access and why those methods are no longer effective? Owning a domain is akin to driving a car, owning a piece of land, or anything else that is public-facing; there is a measure of personal responsibility involved.
It's not that they can't pay, but that no one offers them the anonymity they want at any price.
So is it your position that there needs to be completely anonymous domain registration?

Clearly, there will be no end to this discussion, we both remain entrenched in our positions, but please keep in mind, I too am fighting on behalf of activists: tens of thousands of CAUCE members who want spam, viruses and spyware to stop violating their personal privacy on a constant, daily basis.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
Neil Schwartzman wrote:
At 7:50 PM -0500 on 2/11/07, Wendy Seltzer wrote to a bunch of us, saying:
Neil Schwartzman wrote:
Like I said - show me a list of names of people who can't afford the commercial obfuscation systems, who have an identifiable need for a domain and a private whois record, and I will pay out of my own pocket to cover the services. How about an orthogonal set: people who need more than obfuscation, but actual anonymity in their domain registrations?
I've worked with and talked to people whose names were revealed by "proxy" services such as Domains-by-Proxy based on an unverified complaint from an adverse claimant. These are people engaged in legitimate advocacy and criticism, who have legitimate interests in stable location pointers for their online speech, who fear reprisals if their identities are known.
Hi Wendy,
Why do they not use a hosted offshore service and post-through-proxy if they want truly secure anonymity? Anyone with a true desire to post data that could land them in trouble doesn't want a domain in their own name - they want to be several arm's lengths away from the public data.
Sure, and some use Tor's hidden services or Freenet.
I'm also left wondering what these activists did prior to them having Internet access and why are those methods no longer effective?
Why should the activists be denied access to the most effective new means of communication? Shouldn't they be able to put up posters in bus stops with a URL for more information just as a commercial advertiser can?
Owning a domain is akin to driving a car, owning a piece of land, or anything else that is public-facing; there is a measure of personal responsibility involved.
It's not that they can't pay, but that no one offers them the anonymity they want at any price.
So is it your position that there needs to be completely anonymous domain registration?
Yes, I believe there should be. Speech is not like driving a car and a domain name doesn't go out and commit fraud. Where a domain name is used in a fraud, such as phishing or collecting botnet controls, anti-attack measures such as suspending service could be taken without requiring the identity behind the domain name.

--Wendy -- Wendy Seltzer -- wendy@seltzer.org
It's not that they can't pay, but that no one offers them the anonymity they want at any price.
I don't see how you can reach that conclusion. It's true, none of the high volume registrars offers a meaningful anonymity service. The WHOIS privacy service my registrar offers costs 17 cents a month, and that's about what it's worth. But all that shows us is that there's a race to the bottom in the registrar business to offer the least service for the lowest price.

On the other hand, if I really wanted to register a domain and run a web site anonymously, I don't think it would be at all difficult. I'd hire a lawyer in some place like the BVI or the Seychelles as a nominee, have him set up the domain and web hosting on my behalf, and tell him to ignore any third party questions. If I were really serious, I would start by setting up a bank account with a number and password and pay the lawyer out of that, so the lawyer wouldn't even know who I was. This costs more than 17 cents a month, but it would work and it doesn't require doing anything particularly difficult or exotic.

There are also plenty of examples of informal but very secure anonymous domains, of which one of the best examples is SPEWS.ORG, an anti-spam web site. Someone presumably knows who's behind Spews, but a fair number of spammers have attempted to attack it with lawyers with no success. The site is hosted at a data center in California whose management I'm pretty sure do not know who Spews is either, with the content updates pushed at it through a chain of proxies.

I don't deny that there are people who need anonymous content hosting and communication, but I have never understood the argument that it's a problem that ICANN has to solve.

R's, John
John L wrote:
I don't deny that there are people who need anonymous content hosting and communication, but I have never understood the argument that it's a problem that ICANN has to solve.
They don't have to solve it, but they shouldn't be making it more difficult either. Why should I have to hire a lawyer to engage (in the US) in First Amendment-protected speech, when the technology could make it easy for anyone to do so without going through counsel?

--Wendy -- Wendy Seltzer -- wendy@seltzer.org
At 9:47 PM -0500 on 2/11/07, Wendy Seltzer wrote to a bunch of us, saying:
John L wrote:
I don't deny that there are people who need anonymous content hosting and communication, but I have never understood the argument that it's a problem that ICANN has to solve.
They don't have to solve it, but they shouldn't be making it more difficult either. Why should I have to hire a lawyer to engage (in the US) in First Amendment-protected speech, when the technology could make it easy for anyone to do so without going through counsel?
Our constitution has not been amended, but I fail to see what anonymity has to do with free speech, unless we are talking about activists in police states.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
Neil Schwartzman ha scritto:
The vast majority of investigators who man the ramparts in the fight against such things are not law enforcement agencies nor officials, but ad hoc groups and independents such as myself.
I must say that my tiny home SMTP server has been too often unjustly blacklisted in anti-spam tools (usually on the basis of "you use an ISP that we don't like", even if it's one of the major ISPs in my country, or just of "your ISP address is dynamic") for me to be sympathetic to the needs of self-appointed, unauthorized sheriffs of the Internet. In any case, you should be aware that there are people that won't accept giving away a bit of their privacy for a bit less spam and malware. Specifically, this part:
It is a privilege, not a right.
is quite astonishing: you'd better read the Universal Declaration of Human Rights (as well as the Constitutions of many countries and the EU Directives on the matter) before saying this. Privacy is a universally recognized human right, and as such, at least in Europe, people perceive as an insult and a deprivation of rights the suggestion that they should pay for it, as they would do if they had to pay for voting, for basic education, or to get emergency healthcare. How much would it cost is irrelevant. This looks like a fundamental difference in values, and I think that we should just stop trying to prove the other side wrong (see for example:
Moreover the domain name is an entirely optional in the expression of free speech; there are myriad ways in which one can avail oneself of a soapbox that do not require a domain.
- I mean, why do you think that you're entitled to decide for someone else whether his free speech activities would work the same without a domain name?). However, what we could do is to try to find acceptable compromises. For example:
LEA rely on the unique and highly-skilled abilities of amateur investigators *heavily* in their efforts; needless to say 'amateurs' have no ability to get court orders to open the kimono of an obfuscated WHOIS record. Indeed, the courts of the world would become clogged with such requests were investigations even able to get to such a point were amateurs to be unable to do their work, and the additional lag would afford the bad guys extra time to vanish.
I do not think that court orders should necessarily be required to gain access to Whois information. However, I think that there should be an evaluation by public authority. If law enforcement agencies really need cooperation by private parties (and they do), they should be reasonably in touch with them so as to be able to help them get the data when necessary, while at the same time being accountable about what data they disclose.

Perhaps, finding acceptable middle ground could be a better way to get out of this deadlock, rather than questioning the legitimacy of each other's requests.

-- vb. Vittorio Bertola - vb [a] bertola.eu <-------- --------> finally with a new website at http://bertola.eu/ <--------
At 1:56 PM +0100 on 2/9/07, Vittorio Bertola wrote to a bunch of us, saying:
Neil Schwartzman ha scritto:
The vast majority of investigators who man the ramparts in the fight against such things are not law enforcement agencies nor officials, but ad hoc groups and independents such as myself.
I must say that my tiny home SMTP server has been too often unjustly blacklisted in anti-spam tools (usually on the basis of "you use an ISP that we don't like", even if it's one of the major ISPs in my country, or just of "your ISP address is dynamic") for me to be sympathetic to the needs of self-appointed, unauthorized sheriffs of the Internet.
I won't enter into this debate, sorry.
In any case, you should be aware that there are people that won't accept giving away a bit of their privacy for a bit less spam and malware. Specifically, this part:
It is a privilege, not a right.
is quite astonishing: you'd better read the Universal Declaration of Human Rights (as well as the Constitutions of many countries and the EU Directives on the matter) before saying this. Privacy is a universally recognized human right, and as such, at least in Europe, people perceive as an insult and a deprivation of rights the suggestion that they should pay for it, as they would do if they had to pay for voting, for basic education, or to get emergency healthcare. How much would it cost is irrelevant.
DOMAINS are a privilege, not a right. Please google my name + pipeda if you are wondering about my privacy credibility. I have been working in the privacy field for a decade now, by the way.

I look at spam, spyware, and phishing as the most urgent of daily attacks on personal privacy, which outstrip the occasions of the needs of an individual to have a personal domain (upon which their free speech is simply not contingent) on the order of 100s of millions to one. Provide me a list of individuals who need a domain, for which they have to pay, and who cannot pay for obfuscation, and I will personally put out the money to cover them. Are you willing to look through a list of the 100 million spam sent today alone and play your part in counterbalancing their 'need'?
LEA rely on the unique and highly-skilled abilities of amateur investigators *heavily* in their efforts; needless to say 'amateurs' have no ability to get court orders to open the kimono of an obfuscated WHOIS record. Indeed, the courts of the world would become clogged with such requests were investigations even able to get to such a point were amateurs to be unable to do their work, and the additional lag would afford the bad guys extra time to vanish.
I do not think that court orders should necessarily be required to gain access to Whois information.
Really? Then anyone who asks will be given access? To what end, then, the obfuscation?
However, I think that there should be an evaluation by public authority. If law enforcement agencies really need cooperation by private parties (and they do),
They really do. Talk to some, sometime. I'd be happy to coordinate a presentation if so requested.
they should be reasonably in touch with them so to be able to help them getting the data when necessary, while at the same time being accountable about what data they disclose.
Perhaps, finding acceptable middle ground could be a better way to get out of this deadlock, rather than questioning the legitimacy of each other's requests.
No, the bad guys move much faster than LEA is able to do given their constraints.

-- Neil Schwartzman, Chair, Board of Directors, CAUCE Canada
Neil Schwartzman ha scritto:
DOMAINS are a privilege not a right.
Ok, I'm not sure you got my point. Here in Italy, when I open a bank account, the bank has to ask me whether I want to make my information "public" or not. If I say no, they will only use it for the strictly necessary activities to manage my bank account. If I say yes, then they will share it with other companies, use it for marketing, etc. The bank account is a, well, "privilege" - but my privacy is a right, so the law says that I must not be required to give away my privacy just to get a bank account. This is absolutely independent of whether I really need the bank account or not! It applies even if I were to buy "diamond-studded swimming pools" (hint). The law even allows me to be delisted from telephone books - this of course doesn't mean that the telephone company doesn't know who I am or can't tell the police or any authorized party if necessary. Why can't we have something like that?
by the way. I look at spam, spyware, and phishing as the most urgent of daily attacks on personal privacy which outstrip the occasions of the needs of an individual to have a personal domain upon which their free speech is simply not contingent on the order of 100s of millions to one.
You still miss the point that I don't have to have a reason to exercise my right to keep my personal information private. On the other hand, I totally agree that phishing and spyware are very serious problems - I'm just asking why can't there be a solution that lets you do your investigations under reasonable accountability frameworks (as any kind of investigation in any civilized country, including private ones, for which, at least here, you need a license) and yet not disclose my data just to everyone out there.
Perhaps, finding acceptable middle ground could be a better way to get out of this deadlock, rather than questioning the legitimacy of each other's requests.
No, the bad guys move much faster than LEA is able to do given their constraints.
Come on. We could easily get rid of rapists and drug dealers by giving guns to each citizen, and the freedom to use them without "constraints". I guess you understand why we have "constraints" and why many of us are not happy with getting rid of them so easily. I still refuse to think that there cannot be a way to conduct effective investigations without turning the Internet into a mass surveillance tool.

-- vb. Vittorio Bertola - vb [a] bertola.eu
Excellent, thanks. RG
-----Original Message----- From: alac-bounces@atlarge-lists.icann.org [mailto:alac-bounces@atlarge-lists.icann.org] On Behalf Of Wendy Seltzer Sent: 08 February 2007 20:09 To: alac@atlarge-lists.icann.org Subject: [At-Large] WHOIS policy