+1. John Horton President and CEO, LegitScript *Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Google+ <https://plus.google.com/112436813474708014933/posts>* On February 9, 2017 at 8:39:31 AM, Greg Aaron (gca@icginc.com) wrote: Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent. Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone. All best, --Greg -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto: gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for: mashable.com/2017/02/07/sean-spicer-who-is also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-priv... While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper. I hope this helps remind folks that getting private data out of the public view is a good thing. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data. A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data. -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200 On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote: Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent. Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone. All best, --Greg -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for: mashable.com/2017/02/07/sean-spicer-who-is also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-priv... While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper. I hope this helps remind folks that getting private data out of the public view is a good thing. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Dnsservers, domainstatus, various dates, Registrar None of these data are personal data imo The only info you see in Whois are the contact ID the user have at the registrar/ registry Sent from my iPhone On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com<mailto:nathaliecoupet@yahoo.com>> wrote: Benny, All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability? Nathalie On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se<mailto:benny@nordreg.se>" <benny@nordreg.se<mailto:benny@nordreg.se>> wrote: Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data. A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data. -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200 On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of gca@icginc.com<mailto:gca@icginc.com>> wrote: Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent. Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone. All best, --Greg -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Dangers of public whois As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for: mashable.com/2017/02/07/sean-spicer-who-is<http://mashable.com/2017/02/07/sean-spicer-who-is> also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-priv... While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper. I hope this helps remind folks that getting private data out of the public view is a good thing. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Unless the person takes careful measures to keep their fake identity/domain separate, and never mention the domain from their real names, domain whois won't even be necessary to find out who they are. Public records and social media are another resource for accomplishing this task. Tracking the average person down is not hard, because they usually don't put any effort into hiding. On Thu, Feb 9, 2017 at 12:25 PM, nathalie coupet via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:

If someone or a group of people were to be the subject of a smear campaign, persectution or harassment by an individual, would the contact ID be sufficient to initiate proceeding to find out the identity of the author? What is the procedure for collecting a contact ID? Is there some type of ID verification?

Thank you, Nathalie

On Thursday, February 9, 2017 12:18 PM, "benny@nordreg.se" < benny@nordreg.se> wrote:

Dnsservers, domainstatus, various dates, Registrar

None of these data are personal data imo

The only info you see in Whois are the contact ID the user have at the registrar/ registry

Sent from my iPhone

On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com> wrote:

Benny,

All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability?

Nathalie

On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se" < benny@nordreg.se> wrote:

Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data.

A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data.

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638

Phone: +46.42197080 <+46%2042%2019%2070%2080> Direct: +47.32260201 <+47%2032%2026%2002%2001> Mobile: +47.40410200 <+47%20404%2010%20200>

On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote:

Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent.

Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone.

All best, --Greg

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois

As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for:

mashable.com/2017/02/07/sean-spicer-who-is

also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings- attention-whois-privacy/

While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper.

I hope this helps remind folks that getting private data out of the public view is a good thing.

--

Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net <http://www.rrpproxy.net/> www.domaindiscount24.com / www.BrandShelter.com <http://www.brandshelter.com/>

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

The data are collected just not shown, court order can release data For private persons living in Sweden there social security number are collected for control and validation but never presented For private persons outside Sweden a unique number must be sett from the registrar to identify the registrant in the system Anyway that is not the thing we are discussing in RDS The personal info can be hidden by default and policy can restrict how to reveal that date Sent from my iPhone On 9 Feb 2017, at 18:23, nathalie coupet <nathaliecoupet@yahoo.com<mailto:nathaliecoupet@yahoo.com>> wrote: If someone or a group of people were to be the subject of a smear campaign, persectution or harassment by an individual, would the contact ID be sufficient to initiate proceeding to find out the identity of the author? What is the procedure for collecting a contact ID? Is there some type of ID verification? Thank you, Nathalie On Thursday, February 9, 2017 12:18 PM, "benny@nordreg.se<mailto:benny@nordreg.se>" <benny@nordreg.se<mailto:benny@nordreg.se>> wrote: Dnsservers, domainstatus, various dates, Registrar None of these data are personal data imo The only info you see in Whois are the contact ID the user have at the registrar/ registry Sent from my iPhone On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com<mailto:nathaliecoupet@yahoo.com>> wrote: Benny, All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability? Nathalie On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se<mailto:benny@nordreg.se>" <benny@nordreg.se<mailto:benny@nordreg.se>> wrote: Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data. A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data. -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200 On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of gca@icginc.com<mailto:gca@icginc.com>> wrote: Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent. Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone. All best, --Greg -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Dangers of public whois As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for: mashable.com/2017/02/07/sean-spicer-who-is<http://mashable.com/2017/02/07/sean-spicer-who-is> also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-priv... While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper. I hope this helps remind folks that getting private data out of the public view is a good thing. -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net/> / www.RRPproxy.net<http://www.rrpproxy.net/> www.domaindiscount24.com<http://www.domaindiscount24.com/> / www.BrandShelter.com<http://www.brandshelter.com/> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu/> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Access to Whois data is also necessary for protection -- protection of internet users (some of whom are registrants, some not) and even non-users (since you can be a victim of Internet-based abuse without being on the Internet yourself (e.g., bank fraud, identity theft, child porn, etc.)). As Greg A. pointed out, registrants have options in terms "protection" (e.g., privacy/proxy, getting a third level domain (so common for blogs), forming an entity, etc. Victims often don't have options (or if they do, the link between the failure to pick the right option and the harm is much more attenuated). If we have to choose between protecting people from their own stupidity and protecting people from other people's abusive, illegal and/or malicious acts, I'll choose the latter one. I don't think we have to make that choice (at least not in a binary fashion), but it's important to weigh both sides of the equation. Greg Shatan *Greg Shatan *C: 917-816-6428 S: gsshatan gregshatanipc@gmail.com On Thu, Feb 9, 2017 at 12:26 PM, allison nixon <elsakoo@gmail.com> wrote:

After registering my very first domain, I started receiving spam and learned pretty quickly that the information was public.

Only so much can/should be done to protect the Spicers of this world from themselves.

Pivoting off domain whois is my #1 valued resource in cybercrime investigations.

On Thu, Feb 9, 2017 at 12:16 PM, benny@nordreg.se <benny@nordreg.se> wrote:

...

Dnsservers, domainstatus, various dates, Registrar

None of these data are personal data imo

The only info you see in Whois are the contact ID the user have at the registrar/ registry

Sent from my iPhone

On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com> wrote:

Benny,

All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability?

Nathalie

On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se" < benny@nordreg.se> wrote:

Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data.

A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data.

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638

Phone: +46.42197080 <+46%2042%2019%2070%2080> Direct: +47.32260201 <+47%2032%2026%2002%2001> Mobile: +47.40410200 <+47%20404%2010%20200>

On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote:

Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent.

Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone.

All best, --Greg

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto: gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois

As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for:

mashable.com/2017/02/07/sean-spicer-who-is

also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-atte ntion-whois-privacy/

While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper.

I hope this helps remind folks that getting private data out of the public view is a good thing.

--

Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

+1 to Volker Spot on, we cant let the criminals endanger all innocents life by default expose data as we do today -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 10 Feb 2017, at 10:41, Volker Greimann <vgreimann@key-systems.net> wrote:

...

Pivoting off domain whois is my #1 valued resource in cybercrime investigations.

Judging from the amount of abuse and spam out there, it is also the #1 valued resource of spammers, cyber criminals, nigerian princes, domain slammers ,etc etc.

And that leads to the question: Is it really worth giving up the private data of all registrants to whoever wants it just to catch a few bad guys? And to answer that: I'd rather see a few criminals uncaught if that means the innocent majority will be that much less at risk to be victimized.

Best, Volker

...

On Thu, Feb 9, 2017 at 12:16 PM, benny@nordreg.se <benny@nordreg.se> wrote: Dnsservers, domainstatus, various dates, Registrar

None of these data are personal data imo

The only info you see in Whois are the contact ID the user have at the registrar/ registry

Sent from my iPhone

On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com> wrote:

...

Benny,

All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability?

Nathalie

On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se" <benny@nordreg.se> wrote:

Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data.

A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data.

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638

Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote:

Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent.

Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone.

All best, --Greg

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois

As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for:

mashable.com/2017/02/07/sean-spicer-who-is

also here: http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-whois-priv...

While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper.

I hope this helps remind folks that getting private data out of the public view is a good thing.

--

Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:

www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP

www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:

www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP

www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I don’t see this as an edge case, it is a dammed big problem that the data are public A private person or for that matter company has not by registering a domain and accepted to give info for the matter of registration in the same time accepted to get his email or other info published in the whois used and abused. That is a key problem we need to solve in the group. -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 10 Feb 2017, at 17:01, Victoria Sheckler <vsheckler@riaa.com> wrote:

We need to find balance and a constructive way to propose solutions, not this endless back and forth of edge cases.

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Friday, February 10, 2017 4:44 AM To: Volker Greimann <vgreimann@key-systems.net> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

+1 to Volker

Spot on, we cant let the criminals endanger all innocents life by default expose data as we do today

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 10 Feb 2017, at 10:41, Volker Greimann <vgreimann@key-systems.net> wrote:

...

Pivoting off domain whois is my #1 valued resource in cybercrime investigations.

Judging from the amount of abuse and spam out there, it is also the #1 valued resource of spammers, cyber criminals, nigerian princes, domain slammers ,etc etc.

And that leads to the question: Is it really worth giving up the private data of all registrants to whoever wants it just to catch a few bad guys? And to answer that: I'd rather see a few criminals uncaught if that means the innocent majority will be that much less at risk to be victimized.

Best, Volker

...

On Thu, Feb 9, 2017 at 12:16 PM, benny@nordreg.se <benny@nordreg.se> wrote: Dnsservers, domainstatus, various dates, Registrar

None of these data are personal data imo

The only info you see in Whois are the contact ID the user have at the registrar/ registry

Sent from my iPhone

On 9 Feb 2017, at 18:10, nathalie coupet <nathaliecoupet@yahoo.com> wrote:

...

Benny,

All personal info on personal domains are hidden by default. What are the info that remain available for public view - after personal information have been hidden by default - which still enable technical operability?

Nathalie

On Thursday, February 9, 2017 11:46 AM, "benny@nordreg.se" <benny@nordreg.se> wrote:

Maybe not but there are nothing who prevent us from trying to protect people from there mistakes and stupidity and still be able to have certain level of technical operability with whois data.

A good example are .se which have a whois policy where all personal info on personal domains are hidden by default. The registrant need to opt out of the privacy actively by making a decision. That might be the way we should think instead of what to do to hide data.

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638

Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 09/02/2017, 17:38, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote:

Is ICANN (or anyone else) responsible for protecting Spicer from himself? A lot of the articles about this subject point out that Spicer was neglectful and occasionally incompetent.

Here are some facts to consider: * Privacy protection was available and Spicer didn’t obtain it. That was his choice. * Spicer agreed to have his data published in WHOIS. So that was either OK with him, or he didn't read the terms of service in his domain registration agreement. Either way, it was his choice. * Spicer tweeted out his own Twitter password. He's responsible for that. * Spicer himself published his email address in many, many public places over the years. A simple Google search will tell you what his email address was. * Those data breaches that Volker mentions have nothing to do with domain registration data. They did not reveal domain registration data. Domain registration data didn't allow hackers to penetrate Dropbox, LinkedIn, and MySpace, and the other places where Spicer's credentials were lost over the years. Bad corporate security allowed those breaches to happen. * Spicer has a very different risk profile than the average person. He's been a prominent PR and political operative for many years (and is now working for the most scrutinized entity in the world). A key tenet of risk assessment is that exceptional cases may not justify making rules that affect everyone.

All best, --Greg

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 9, 2017 4:28 AM To: gnso-rds-pdp-wg@icann.org Subject: [gnso-rds-pdp-wg] Dangers of public whois

As we tend to get lost in the thick and nitty gritty from time to time, this recent article should remind us what we are working for:

mashable.com/2017/02/07/sean-spicer-who-is

also here:

http://domainnamewire.com/2017/02/08/sean-spicer-brings-attention-wh ois-privacy/

While it could not have hit a nicer guy, he completely and accurately followed policy and look where it lead. Hi private address and telephone number as well as email address known to the world, other domains he registered for himself and his family published, etc. As his email address was compromised in no less than three leaks (plus one honorable mention on Wikileaks), and he recently tweeted his password, it may even be possible to dig deeper.

I hope this helps remind folks that getting private data out of the public view is a good thing.

--

Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:

www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP

www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:

www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP

www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

How about puting 'fat' information behind a 'thin' wall? For example, to prevent public viewing of a registrant's personal information, why not require an email registration or some other light form of identification? It would deter spammers and other frauds, while insuring a certain level of public viewing (also to deter fraud).  To the argument that the vast majority of Internet users do not use WHOIS, this might be true now but not in the future. Furthermore, this argument was also used by people who opposed the paper version of the phone book, and a survey shoed that about 11% of households rely on the phone book to get information. The consensus was that people who do not have access to the Internet need it, therefore it qualifies as a public service which has to be kept for the public good.    Scott Hollenbeck's RDAP project requires exactly that: identification through email (right, Scott?). This is simple enough and everybody could live with this solution, I think.      Nathalie  On Monday, February 13, 2017 8:42 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59  9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

All, So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…) Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it. I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. Alex On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote: I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people! Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers. On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote:

I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote:

...

All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- *--------------------------------------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ---------------------------------------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.com Phone: 613 476-0429 cell: 416-816-2852

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

Hi Allison, Would you be able to carry out your investigations normally if access to WHOIS thick were restricted only by the need to enter an email?  With regards to privacy by design, instead of pushing for the implementation of this concept inside the realm of WHOIS where it is foreign, since it is an engineering concept, why not advocate for its implementation at the design level of the Internet, where it belongs?   Nathalie  On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo@gmail.com> wrote: This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!  Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry. I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner. Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-: There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side). More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task. Sam L On 2017-02-14 1:23 AM, Deacon, Alex wrote: All, So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email).  I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we?  Hopefully I didn’t miss the party…) Focusing on thin data for the moment I struggle to understand how it is personal data.  I do not believe it is.    As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it. I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws.   Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. Alex On 2/13/17, 5:42 AM,  <gnso-rds-pdp-wg-bounces@icann .org on behalf of michele@blacknight.com> wrote:      I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed.           Also it’s one of the biggest sources of complaints we get from our clients (registrants)           It’s definitely not an “edge case”.           Regards           Michele                --      Mr Michele Neylon      Blacknight Solutions      Hosting, Colocation & Domains      https://www.blacknight.com/      http://blacknight.blog/      Intl. +353 (0) 59 9183072      Direct Dial: +353 (0)59 9183090      Social: http://mneylon.social      Some thoughts: http://ceo.hosting/      ----------------------------- --      Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty      Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845           ______________________________ _________________      gnso-rds-pdp-wg mailing list      gnso-rds-pdp-wg@icann.org      https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg -- *----------------------------- ---------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ------------------------------ ---------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca   Skype: slanfranco blog:  http://samlanfranco.blogspot.c om Phone: 613 476-0429 cell: 416-816-2852 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg -- _________________________________ Note to self: Pillage BEFORE burning. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton Sent: Tuesday, February 14, 2017 9:00 AM To: nathalie coupet <nathaliecoupet@yahoo.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois Nathalie and others, I wanted to take a moment and explain why I'm strongly opposed to requiring email or other registration in order to view thin or thick details. For the reasons outlined below, I think it's antithetical to the open and decentralized nature of the internet, and constitutes a form of internet surveillance. First, putting aside repressive regimes, private networks and edge cases, one of the hallmark principles of the internet is that it's open; you don't have to register or justify your need to access information on the internet. [SAH] [snip] I have to disagree with “you don't have to register or justify your need to access information on the internet”. While there are certainly examples of *some* information being available openly, there are just as many examples where some form of registration or user identification is a required part of gaining access to content. One example: the Virginia Department of Motor Vehicles maintains information about the registration of my personal vehicles that is accessible through a web site. That information *is not* available to the general public, and I had to go through a series of steps to prove to the DMV that I am the one and only person who should have online access to that information. Taking the statement above at face value would imply that my registration information should be freely available to anyone, and I cannot accept that as fact. Scott

Hi John, I agree we do not want to create a centralized registration and surveillance scheme. Such a system would be subject to many regulations and fines from Data Regulators. If we do not execute privacy properly we are creating a system that will cost millions of dollars in fines alone. Tho that would actually answer the question are the costs of RDS viable. The answer would be no. Theo On 14-2-2017 14:59, John Horton wrote:

Nathalie and others,

I wanted to take a moment and explain why I'm strongly opposed to requiring email or other registration in order to view thin or thick details. For the reasons outlined below, I think it's antithetical to the open and decentralized nature of the internet, and constitutes a form of internet surveillance.

First, putting aside repressive regimes, private networks and edge cases, one of the hallmark principles of the internet is that it's open; you don't have to register or justify your need to access information on the internet. And, it's decentralized. Historically, its open nature has included not only being able to see a website, but also the registration details for the website's domain name. And, whatever governments may do (which isn't the question here), there's no centralized internet surveillance or registration authority for internet users generally.

If we impose a scheme where there is a central organization with the authority to a) require registration and b) centrally control access, and c) (as has been proposed) require the user to provide a reason for their access, that organization then also has the ability to d) make judgment calls about what reasons are valid and which are not and e) maintain data on who accessed what RDS data, for what reason, for how long and why. Note also that at least one version of the EWG report said that f) the organization would be empowered to levy punitive measures against internet users who accessed more data than the RDS deems appropriate.

So: you have a system that surveils internet users who access some information and maintains data on their use of that data. Let's think about the following scenarios from the point of view of openness, decentralization and civil liberties.

* A journalist (or blogger) is writing an investigative article and wants to find out who is behind a domain name. If we require registration and disclosure of the reason, that in essence creates a situation where the RDS de facto is monitoring that journalist and determining if their basis for conducting the investigation is worthy. It also allows the RDS the ability to monitor the journalist's use of the domain name registration data. This potentially chills free speech. * Consider a political activist who wishes to expose corruption by an elected politician and wants to access RDS information to show, for example, conflicts of interests in the politician's business operations. Once the political activist has to disclose who they are, let alone why they are accessing the information, that not only chills legitimate political activism but also potentially opens up a route for government abuse (e.g., if a government agency were able to subpoena the list of who accessed RDS information for which domain names and why). * Academic researchers periodically review Whois/RDS data; requiring them to register before reviewing data and disclose why they are doing the research potentially empowers the RDS to monitor academic research and determine its worthiness. * Imagine that a cybercrime network is under investigation (as they are wont to be); requiring law enforcement to register -- particularly if there is a log of which domain names they reviewed RDS for -- can potentially compromise the investigation if that information is disclosed. Would registrants have the right to be informed every time that someone registered to review their RDS details?

For one central entity to possess that much power over internet users is something that I think we should avoid, and it's antithetical to the principles of openness and decentralization. There are other well-known solutions to spam and inappropriate contacts; forcing all other legitimate activities to grind to a screeching halt -- particular under the umbrella of a surveillance scheme -- is a cure worse than the disease.

I recognize and agree that we should try to find constructive solutions to this that require some compromise, and I'm grateful not only for the expertise that Stephanie and others have brought to this group, but also that Benny and others have pointed out some of the problems with Whois details being inappropriately used (e.g., for spam). However, I wanted to outline my strong concerns about creating a centralized registration and surveillance scheme over one subset of internet users as part of the solutions.

John Horton President and CEO, LegitScript

*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>

On Tue, Feb 14, 2017 at 4:10 AM, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:

Hi Allison,

Would you be able to carry out your investigations normally if access to WHOIS thick were restricted only by the need to enter an email?

With regards to privacy by design, instead of pushing for the implementation of this concept inside the realm of WHOIS where it is foreign, since it is an engineering concept, why not advocate for its implementation at the design level of the Internet, where it belongs?

Nathalie

On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote:

I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote:

All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann .org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com <mailto:michele@blacknight.com>> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social <http://mneylon.social/> Some thoughts: http://ceo.hosting/ ----------------------------- -- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- *----------------------------- ---------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ------------------------------ ---------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.c om <http://samlanfranco.blogspot.com/> Phone: 613 476-0429 cell: 416-816-2852

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

That old horse again?

Here are some hard facts about the volume of abuse going on: https://www.spamhaus.org/statistics/tlds/ Right now, 93.3 percent of all domains registered under the .science TLD are malicious!

Those statistics are only their perceived truth just like the audience at Trumps inauguration was the largest ever! Their statistics are deeply flawed as they only look at a small part of domain names and disregard major pieces of the puzzle: According to nTLD stats, .science has 232,611 domains, yet the Spamhaus reports bases their badness rating on an arbitrary number of domains "seen". They even state that if a domain is not in the focus of their anti-abuse systems, it will not be counted as seen. By ignoring the majority of domains in a TLD one can dream up any percentage one likes, apparently. Look at the numbers for .top: Apparently 400,469 domains are used maliciously. 400,469! That is a lot of abuse that I somehow have not heard about from any other source, never seen in my spam filters, etc. But I will not dispute that there may be a large number of domains in that TLD may be used for abuse. Yet the report does not go into further detail? Could a contributing factor of "badness" be a low price, attracting the wrong kind of customer? How is this badness distributed amongst registrars? They also do not detail how they decided a domain was malicious in the first place? Yet on the other hand they accuse registries and registrars of knowingly aiding and abetting criminals. Without providing proof. Or even complaining to ICANN about them, apparently. I would assume that when you make such bold statements as Spamhaus does, they have the evidence to back them up... I trust these statistics by spamhaus less than anything coming out of the mouth of the orange menace. And that is saying something. Best, Volker

...

...

the question should be: Do you have a legally enforceable right to access that data and do with it whatever you please.

At the moment, the answer to that is yes. And network owners also have a right to decide who they want to interact with. WHOIS is used as part of that determination. Not only is registrant data correlated with past malicious registrants, but the age of the domain is also determined through WHOIS. Without this granularity, network owners will absolutely err on the side of blocking too much over too little. We already see this with residential ISPs blocking entire TCP and UDP ports for their customer base, because the alternative is a level of abuse that takes the entire network down. Where is the "free and open Internet" when the Internet doesn't work anymore? Those are the battles that are being fought right now, and pretending this isn't a problem is a "wall" on yalls part, not mine.

Here is a list of all the ports that Comcast blocks for its users. This has nothing to do with freedom of speech and everything to do with the fact that Comcast's network will die if they don't do this. As a consequence I can't send outbound TCP/25 SMTP anymore: https://www.xfinity.com/support/internet/list-of-blocked-ports/

And over-blocking is going to be a worse problem when granularity is taken away from network defenders. When Spamhaus decides an entire country's TLD has too much abuse, most network operators will agree, and legitimate sites (like that country's government, companies, and media outlets) are an acceptable loss. You're going to see more of this, and that country's government has little recourse aside from cleaning up their entire TLD so network operators can be convinced to remove the blocks. But since abuse-laden TLDs are usually that way due to lack of budget, it's more likely that the entire country will simply suffer harms instead.

I am really surprised at how little credence is being given to these problems.

On Tue, Feb 14, 2017 at 9:41 AM, theo geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> wrote:

Hi John,

I agree we do not want to create a centralized registration and surveillance scheme.

Such a system would be subject to many regulations and fines from Data Regulators. If we do not execute privacy properly we are creating a system that will cost millions of dollars in fines alone. Tho that would actually answer the question are the costs of RDS viable. The answer would be no.

Theo On 14-2-2017 14:59, John Horton wrote:

...

Nathalie and others,

I wanted to take a moment and explain why I'm strongly opposed to requiring email or other registration in order to view thin or thick details. For the reasons outlined below, I think it's antithetical to the open and decentralized nature of the internet, and constitutes a form of internet surveillance.

First, putting aside repressive regimes, private networks and edge cases, one of the hallmark principles of the internet is that it's open; you don't have to register or justify your need to access information on the internet. And, it's decentralized. Historically, its open nature has included not only being able to see a website, but also the registration details for the website's domain name. And, whatever governments may do (which isn't the question here), there's no centralized internet surveillance or registration authority for internet users generally.

If we impose a scheme where there is a central organization with the authority to a) require registration and b) centrally control access, and c) (as has been proposed) require the user to provide a reason for their access, that organization then also has the ability to d) make judgment calls about what reasons are valid and which are not and e) maintain data on who accessed what RDS data, for what reason, for how long and why. Note also that at least one version of the EWG report said that f) the organization would be empowered to levy punitive measures against internet users who accessed more data than the RDS deems appropriate.

So: you have a system that surveils internet users who access some information and maintains data on their use of that data. Let's think about the following scenarios from the point of view of openness, decentralization and civil liberties.

* A journalist (or blogger) is writing an investigative article and wants to find out who is behind a domain name. If we require registration and disclosure of the reason, that in essence creates a situation where the RDS de facto is monitoring that journalist and determining if their basis for conducting the investigation is worthy. It also allows the RDS the ability to monitor the journalist's use of the domain name registration data. This potentially chills free speech. * Consider a political activist who wishes to expose corruption by an elected politician and wants to access RDS information to show, for example, conflicts of interests in the politician's business operations. Once the political activist has to disclose who they are, let alone why they are accessing the information, that not only chills legitimate political activism but also potentially opens up a route for government abuse (e.g., if a government agency were able to subpoena the list of who accessed RDS information for which domain names and why). * Academic researchers periodically review Whois/RDS data; requiring them to register before reviewing data and disclose why they are doing the research potentially empowers the RDS to monitor academic research and determine its worthiness. * Imagine that a cybercrime network is under investigation (as they are wont to be); requiring law enforcement to register -- particularly if there is a log of which domain names they reviewed RDS for -- can potentially compromise the investigation if that information is disclosed. Would registrants have the right to be informed every time that someone registered to review their RDS details?

For one central entity to possess that much power over internet users is something that I think we should avoid, and it's antithetical to the principles of openness and decentralization. There are other well-known solutions to spam and inappropriate contacts; forcing all other legitimate activities to grind to a screeching halt -- particular under the umbrella of a surveillance scheme -- is a cure worse than the disease.

I recognize and agree that we should try to find constructive solutions to this that require some compromise, and I'm grateful not only for the expertise that Stephanie and others have brought to this group, but also that Benny and others have pointed out some of the problems with Whois details being inappropriately used (e.g., for spam). However, I wanted to outline my strong concerns about creating a centralized registration and surveillance scheme over one subset of internet users as part of the solutions.

John Horton President and CEO, LegitScript

*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>

On Tue, Feb 14, 2017 at 4:10 AM, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:

Hi Allison,

Would you be able to carry out your investigations normally if access to WHOIS thick were restricted only by the need to enter an email?

With regards to privacy by design, instead of pushing for the implementation of this concept inside the realm of WHOIS where it is foreign, since it is an engineering concept, why not advocate for its implementation at the design level of the Internet, where it belongs?

Nathalie

On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote:

I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote:

All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann .org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com <mailto:michele@blacknight.com>> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social <http://mneylon.social/> Some thoughts: http://ceo.hosting/ ----------------------------- -- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- *----------------------------- ---------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ------------------------------ ---------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca <mailto:Lanfran@Yorku.ca> Skype: slanfranco blog: http://samlanfranco.blogspot.c om <http://samlanfranco.blogspot.com/> Phone: 613 476-0429 cell: 416-816-2852

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

I would appreciate reviewing that data. -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kiran Malancharuvil via gnso-rds-pdp-wg Sent: Tuesday, February 14, 2017 5:36 PM To: Volker Greimann <vgreimann@key-systems.net> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois I'm happy to work with group leadership to provide hard data from MarkMonitor (perhaps other consumer protection and anti-abuse groups can join) about volume of abuse. These are not "alternative facts." It's also incredibly inappropriate to continue trying to discredit arguments for transparency by comparing us to the current US administration. K Kiran Malancharuvil Policy Counselor MarkMonitor 415-419-9138 (m) Sent from my mobile, please excuse any typos. On Feb 14, 2017, at 9:13 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: That old horse again? Here are some hard facts about the volume of abuse going on: https://www.spamhaus.org/statistics/tlds/ Right now, 93.3 percent of all domains registered under the .science TLD are malicious! Those statistics are only their perceived truth just like the audience at Trumps inauguration was the largest ever! Their statistics are deeply flawed as they only look at a small part of domain names and disregard major pieces of the puzzle: According to nTLD stats, .science has 232,611 domains, yet the Spamhaus reports bases their badness rating on an arbitrary number of domains "seen". They even state that if a domain is not in the focus of their anti-abuse systems, it will not be counted as seen. By ignoring the majority of domains in a TLD one can dream up any percentage one likes, apparently. Look at the numbers for .top: Apparently 400,469 domains are used maliciously. 400,469! That is a lot of abuse that I somehow have not heard about from any other source, never seen in my spam filters, etc. But I will not dispute that there may be a large number of domains in that TLD may be used for abuse. Yet the report does not go into further detail? Could a contributing factor of "badness" be a low price, attracting the wrong kind of customer? How is this badness distributed amongst registrars? They also do not detail how they decided a domain was malicious in the first place? Yet on the other hand they accuse registries and registrars of knowingly aiding and abetting criminals. Without providing proof. Or even complaining to ICANN about them, apparently. I would assume that when you make such bold statements as Spamhaus does, they have the evidence to back them up... I trust these statistics by spamhaus less than anything coming out of the mouth of the orange menace. And that is saying something. Best, Volker

...

the question should be: Do you have a legally enforceable right to access that data and do with it whatever you please.

At the moment, the answer to that is yes. And network owners also have a right to decide who they want to interact with. WHOIS is used as part of that determination. Not only is registrant data correlated with past malicious registrants, but the age of the domain is also determined through WHOIS. Without this granularity, network owners will absolutely err on the side of blocking too much over too little. We already see this with residential ISPs blocking entire TCP and UDP ports for their customer base, because the alternative is a level of abuse that takes the entire network down. Where is the "free and open Internet" when the Internet doesn't work anymore? Those are the battles that are being fought right now, and pretending this isn't a problem is a "wall" on yalls part, not mine. Here is a list of all the ports that Comcast blocks for its users. This has nothing to do with freedom of speech and everything to do with the fact that Comcast's network will die if they don't do this. As a consequence I can't send outbound TCP/25 SMTP anymore: https://www.xfinity.com/support/internet/list-of-blocked-ports/ And over-blocking is going to be a worse problem when granularity is taken away from network defenders. When Spamhaus decides an entire country's TLD has too much abuse, most network operators will agree, and legitimate sites (like that country's government, companies, and media outlets) are an acceptable loss. You're going to see more of this, and that country's government has little recourse aside from cleaning up their entire TLD so network operators can be convinced to remove the blocks. But since abuse-laden TLDs are usually that way due to lack of budget, it's more likely that the entire country will simply suffer harms instead. I am really surprised at how little credence is being given to these problems. On Tue, Feb 14, 2017 at 9:41 AM, theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> wrote: Hi John, I agree we do not want to create a centralized registration and surveillance scheme. Such a system would be subject to many regulations and fines from Data Regulators. If we do not execute privacy properly we are creating a system that will cost millions of dollars in fines alone. Tho that would actually answer the question are the costs of RDS viable. The answer would be no. Theo On 14-2-2017 14:59, John Horton wrote: Nathalie and others, I wanted to take a moment and explain why I'm strongly opposed to requiring email or other registration in order to view thin or thick details. For the reasons outlined below, I think it's antithetical to the open and decentralized nature of the internet, and constitutes a form of internet surveillance. First, putting aside repressive regimes, private networks and edge cases, one of the hallmark principles of the internet is that it's open; you don't have to register or justify your need to access information on the internet. And, it's decentralized. Historically, its open nature has included not only being able to see a website, but also the registration details for the website's domain name. And, whatever governments may do (which isn't the question here), there's no centralized internet surveillance or registration authority for internet users generally. If we impose a scheme where there is a central organization with the authority to a) require registration and b) centrally control access, and c) (as has been proposed) require the user to provide a reason for their access, that organization then also has the ability to d) make judgment calls about what reasons are valid and which are not and e) maintain data on who accessed what RDS data, for what reason, for how long and why. Note also that at least one version of the EWG report said that f) the organization would be empowered to levy punitive measures against internet users who accessed more data than the RDS deems appropriate. So: you have a system that surveils internet users who access some information and maintains data on their use of that data. Let's think about the following scenarios from the point of view of openness, decentralization and civil liberties. * A journalist (or blogger) is writing an investigative article and wants to find out who is behind a domain name. If we require registration and disclosure of the reason, that in essence creates a situation where the RDS de facto is monitoring that journalist and determining if their basis for conducting the investigation is worthy. It also allows the RDS the ability to monitor the journalist's use of the domain name registration data. This potentially chills free speech. * Consider a political activist who wishes to expose corruption by an elected politician and wants to access RDS information to show, for example, conflicts of interests in the politician's business operations. Once the political activist has to disclose who they are, let alone why they are accessing the information, that not only chills legitimate political activism but also potentially opens up a route for government abuse (e.g., if a government agency were able to subpoena the list of who accessed RDS information for which domain names and why). * Academic researchers periodically review Whois/RDS data; requiring them to register before reviewing data and disclose why they are doing the research potentially empowers the RDS to monitor academic research and determine its worthiness. * Imagine that a cybercrime network is under investigation (as they are wont to be); requiring law enforcement to register -- particularly if there is a log of which domain names they reviewed RDS for -- can potentially compromise the investigation if that information is disclosed. Would registrants have the right to be informed every time that someone registered to review their RDS details? For one central entity to possess that much power over internet users is something that I think we should avoid, and it's antithetical to the principles of openness and decentralization. There are other well-known solutions to spam and inappropriate contacts; forcing all other legitimate activities to grind to a screeching halt -- particular under the umbrella of a surveillance scheme -- is a cure worse than the disease. I recognize and agree that we should try to find constructive solutions to this that require some compromise, and I'm grateful not only for the expertise that Stephanie and others have brought to this group, but also that Benny and others have pointed out some of the problems with Whois details being inappropriately used (e.g., for spam). However, I wanted to outline my strong concerns about creating a centralized registration and surveillance scheme over one subset of internet users as part of the solutions. John Horton President and CEO, LegitScript [cid:] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | Blog<http://blog.legitscript.com> | Google+<https://plus.google.com/112436813474708014933/posts> [cid:][cid:] On Tue, Feb 14, 2017 at 4:10 AM, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> wrote: Hi Allison, Would you be able to carry out your investigations normally if access to WHOIS thick were restricted only by the need to enter an email? With regards to privacy by design, instead of pushing for the implementation of this concept inside the realm of WHOIS where it is foreign, since it is an engineering concept, why not advocate for its implementation at the design level of the Internet, where it belongs? Nathalie On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo@gmail.com<mailto:elsakoo@gmail.com>> wrote: This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people! Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers. On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net<mailto:sam@lanfranco.net>> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner. Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-: There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side). More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task. Sam L On 2017-02-14 1:23 AM, Deacon, Alex wrote: All, So it seems the debate has progressed from "thin data" to "thick data" (i.e. data that includes email). I know we are all super excited to talk about "thick data" but I don't think we are there yet (are we? Hopefully I didn't miss the party.) Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because "thin data" can be used to link/point/discover other data then "thin data" equals "personal data") I just don't buy it. I don't disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. Alex On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann .org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com<mailto:michele@blacknight.com>> wrote: I agree and I know from how I've used various email addresses that they are actively being harvested and spammed. Also it's one of the biggest sources of complaints we get from our clients (registrants) It's definitely not an "edge case". Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social<http://mneylon.social/> Some thoughts: http://ceo.hosting/ ----------------------------- -- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> -- *----------------------------- ---------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ------------------------------ ---------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca<mailto:Lanfran@Yorku.ca> Skype: slanfranco blog: http://samlanfranco.blogspot.c om<http://samlanfranco.blogspot.com/> Phone: 613 476-0429 cell: 416-816-2852 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> -- _________________________________ Note to self: Pillage BEFORE burning. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- _________________________________ Note to self: Pillage BEFORE burning. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Volker Greimann wrote:

That old horse again?

...

Here are some hard facts about the volume of abuse going on: https://www.spamhaus.org/statistics/tlds/ Right now, 93.3 percent of all domains registered under the .science TLD are malicious!

Those statistics are only their perceived truth just like the audience at Trumps inauguration was the largest ever!

Can you please make less emotionally charged statements?

Their statistics are deeply flawed as they only look at a small part of domain names and disregard major pieces of the puzzle: According to nTLD stats, .science has 232,611 domains, yet the Spamhaus reports bases their badness rating on an arbitrary number of domains "seen". They even state that if a domain is not in the focus of their anti-abuse systems, it will not be counted as seen. By ignoring the majority of domains in a TLD one can dream up any percentage one likes, apparently.

I'll give you an example; Let's say that I am a widget manufacture, and I have a new widget that I'm selling -- But this widget has a flaw where that at may burst into flames and explode. There have only been 100 sold and of those 78 have exploded... But I have 1,000,000 more of these things in storage and not currently in use by anyone. What percentage of exploding widgets would you recommend reporting? Spamhaus doesn't really care about domains parked and attempting to be sold by some domainer, nor do we care about domains registered defensively in order to protect one's brand. Honestly, there is a number of good reasons that domains exist, but are not actively used. -- Denny Watson Sr. Investigator The Spamhaus Project

The thing with private data is that it is amazing what you can legitimately and illegitimately do with it. You can correlate, investigate, use, abuse it in any shape or form, but at the end of the day, the question should be: Do you have a legally enforceable right to access that data and do with it whatever you please. Many jurisdictions have decided that the protection of the individual weighs heavier than any potentially beneficial uses. And if you have a right to access the data, you will still be able to do so. Best, Volker Am 14.02.2017 um 13:10 schrieb nathalie coupet via gnso-rds-pdp-wg:

Hi Allison,

Would you be able to carry out your investigations normally if access to WHOIS thick were restricted only by the need to enter an email?

With regards to privacy by design, instead of pushing for the implementation of this concept inside the realm of WHOIS where it is foreign, since it is an engineering concept, why not advocate for its implementation at the design level of the Internet, where it belongs?

Nathalie

On Tuesday, February 14, 2017 12:38 AM, allison nixon <elsakoo@gmail.com> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote:

I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote:

All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann .org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com <mailto:michele@blacknight.com>> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social <http://mneylon.social/> Some thoughts: http://ceo.hosting/ ----------------------------- -- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 ______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/ listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- *----------------------------- ---------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ------------------------------ ---------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.c om <http://samlanfranco.blogspot.com/> Phone: 613 476-0429 cell: 416-816-2852

______________________________ _________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/l istinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

I think Benny is right that we are going to all have to "look past our own walls and find a solution which are to the better for all". That will be hard but I am still optimistic that we can do it. Chuck -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Tuesday, February 14, 2017 8:29 AM To: allison nixon <elsakoo@gmail.com> Cc: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way… Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all.. -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote: All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- *--------------------------------------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ---------------------------------------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.com Phone: 613 476-0429 cell: 416-816-2852

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save… To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights… Welcome to the discussion -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com> wrote:

Let me translate Allison's comments in the light of your mockery.

You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online?

If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously.

That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains.

But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had.

Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call.

And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help.

Sent from my iPhone

...

On Feb 14, 2017, at 05:28, "benny@nordreg.se" <benny@nordreg.se> wrote:

So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way…

Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all..

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote: All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- *--------------------------------------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ---------------------------------------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.com Phone: 613 476-0429 cell: 416-816-2852

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen... -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 14 Feb 2017, at 17:58, allison nixon <elsakoo@gmail.com> wrote:

Benny, dude, you just wrote "Buhu my work will get harder", so please don't complain about adult and mature answers

On Tue, Feb 14, 2017 at 11:56 AM, benny@nordreg.se <benny@nordreg.se> wrote: A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save…

To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights…

Welcome to the discussion

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com> wrote:

Let me translate Allison's comments in the light of your mockery.

You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online?

If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously.

That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains.

But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had.

Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call.

And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help.

Sent from my iPhone

...

On Feb 14, 2017, at 05:28, "benny@nordreg.se" <benny@nordreg.se> wrote:

So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way…

Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all..

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote: All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- *--------------------------------------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ---------------------------------------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.com Phone: 613 476-0429 cell: 416-816-2852

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

Hi John, indeed, stricter data protection laws, court decisions or a different appreciation of the need of users to be protected from abuse of their private data may dictate stricter handling in the future. I hope you are not arguing against allowing for such changes? Best, Volker Am 14.02.2017 um 18:18 schrieb John Horton:

​Hi Benny,

Let me try to dig into that a little bit with a serious question. What assurance do those of us engaged in cybercrime investigation -- or not yet created organizations that are legitimate -- have that we would have the same level of access in the future? Is it possible for this group to make that assurance? To be sure, this isn't my only concern or objection, but part of what I'm trying to get at is: even if those of us on this working group were to agree that cybercrime-mitigation entities should have the same access we have today, what's to prevent a stricter regime from changing the rules in the future? In other words, if we create a system that empowers one central organization to say that Allison's reasons (for example) are valid now, there's nothing to prevent that organization from deciding to block her in the future because they don't believe her reasons for investigating cybercrime are valid. Put another way, my concern isn't that you personally or anyone on this group wants to block cybercrime mitigation from happening -- rather, I'm wondering how this group could bind a future RDS 1, 5 or 10 years down the road not to change the goalposts.

John Horton President and CEO, LegitScript

*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>

On Tue, Feb 14, 2017 at 9:05 AM, benny@nordreg.se <mailto:benny@nordreg.se> <benny@nordreg.se <mailto:benny@nordreg.se>> wrote:

Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen...

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 <tel:%2B46.42197080> Direct: +47.32260201 <tel:%2B47.32260201> Mobile: +47.40410200 <tel:%2B47.40410200>

> On 14 Feb 2017, at 17:58, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote: > > Benny, dude, you just wrote "Buhu my work will get harder", so please don't complain about adult and mature answers > > On Tue, Feb 14, 2017 at 11:56 AM, benny@nordreg.se <mailto:benny@nordreg.se> <benny@nordreg.se <mailto:benny@nordreg.se>> wrote: > A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save… > > To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. > In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights… > > Welcome to the discussion > > > > -- > Med vänliga hälsningar / Kind Regards / Med vennlig hilsen > > Benny Samuelsen > Registry Manager - Domainexpert > > Nordreg AB - ICANN accredited registrar > IANA-ID: 638 > Phone: +46.42197080 <tel:%2B46.42197080> > Direct: +47.32260201 <tel:%2B47.32260201> > Mobile: +47.40410200 <tel:%2B47.40410200> > > > On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com <mailto:jcb@bambenekconsulting.com>> wrote: > > > > Let me translate Allison's comments in the light of your mockery. > > > > You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online? > > > > If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously. > > > > That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains. > > > > But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had. > > > > Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call. > > > > And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help. > > > > Sent from my iPhone > > > >> On Feb 14, 2017, at 05:28, "benny@nordreg.se <mailto:benny@nordreg.se>" <benny@nordreg.se <mailto:benny@nordreg.se>> wrote: > >> > >> So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? > >> How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way… > >> > >> Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all.. > >> > >> > >> -- > >> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen > >> > >> Benny Samuelsen > >> Registry Manager - Domainexpert > >> > >> Nordreg AB - ICANN accredited registrar > >> IANA-ID: 638 > >> Phone: +46.42197080 <tel:%2B46.42197080> > >> Direct: +47.32260201 <tel:%2B47.32260201> > >> Mobile: +47.40410200 <tel:%2B47.40410200> > >> > >>> On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote: > >>> > >>> This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people! > >>> > >>> Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. > >>> > >>> This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. > >>> > >>> I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. > >>> > >>> With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. > >>> > >>> Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse? > >>> > >>> From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry. > >>> > >>> I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers. > >>> > >>> > >>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote: > >>> I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner. > >>> > >>> Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-: > >>> > >>> There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side). > >>> > >>> More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task. > >>> > >>> Sam L > >>> > >>> > >>> On 2017-02-14 1:23 AM, Deacon, Alex wrote: > >>> All, > >>> > >>> So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…) > >>> > >>> Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it. > >>> > >>> I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. > >>> > >>> Alex > >>> > >>> > >>> On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com <mailto:michele@blacknight.com>> wrote: > >>> > >>> I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. > >>> Also it’s one of the biggest sources of complaints we get from our clients (registrants) > >>> It’s definitely not an “edge case”. > >>> Regards > >>> Michele > >>> -- > >>> Mr Michele Neylon > >>> Blacknight Solutions > >>> Hosting, Colocation & Domains > >>> https://www.blacknight.com/ > >>> http://blacknight.blog/ > >>> Intl. +353 (0) 59 9183072 <tel:%2B353%20%280%29%2059%209183072> > >>> Direct Dial: +353 (0)59 9183090 <tel:%2B353%20%280%2959%209183090> > >>> Social: http://mneylon.social > >>> Some thoughts: http://ceo.hosting/ > >>> ------------------------------- > >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > >>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> -- > >>> *--------------------------------------------* > >>> "It is a disgrace to be rich and honoured > >>> in an unjust state" -Confucius > >>> ---------------------------------------------- > >>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) > >>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 > >>> YorkU email: Lanfran@Yorku.ca Skype: slanfranco > >>> blog: http://samlanfranco.blogspot.com <http://samlanfranco.blogspot.com> > >>> Phone: 613 476-0429 <tel:613%20476-0429> cell: 416-816-2852 > >>> > >>> > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> > >>> > >>> -- > >>> _________________________________ > >>> Note to self: Pillage BEFORE burning. > >> > >> _______________________________________________ > >> gnso-rds-pdp-wg mailing list > >> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > > > > > -- > _________________________________ > Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Can we elevate the level of this discussion please? To those of us who have spent our careers dealing with these matters, and patiently listening to arguments on all sides, It is just plain discouraging. We are trying to find what is best for all. That will not make everyone happy. Grabbing the pendulum and swinging it the other way against the wall seems a little intemperate to me, we are trying to engage in effective discussion. Everyone recognizes there are cost and paperwork repercussions for gated access, I hope, but it is reasonable to believe those costs have gone down thanks to technological innovations. Most importantly from the perspective of ICANN and its multistakeholder experiment, if we cannot work this out effectively in a PDP, ICANN will have failed and we will have to revert to national solutions. I don't think anyone wants that. Stephanie Perrin On 2017-02-14 13:52, John Bambenek via gnso-rds-pdp-wg wrote:

All public policy is weighed against the pantheon of interests. Very rarely is only one interest the only person in the room. Yes there are data privacy laws, but there also is the need of criminal investigations. The reason I keep bringing up child sexual exploitation is the fact that governments consistently use that to justify overreach. Sociologically laws operate on a pendulum. Swing it one way too hard, a prevailing force swings it the other way. We are seeing this play out in real time with the political dynamics in many countries in Europe and the US.

So yes, protect privacy but that's not the only interest. You can say "boo hoo" about that and then knuckledraggers like me show up, grab the pendulum and swing it the other way against the wall.

Sent from my iPhone

On Feb 14, 2017, at 09:22, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:

...

Hi John,

indeed, stricter data protection laws, court decisions or a different appreciation of the need of users to be protected from abuse of their private data may dictate stricter handling in the future. I hope you are not arguing against allowing for such changes?

Best,

Volker

Am 14.02.2017 um 18:18 schrieb John Horton:

...

​Hi Benny,

Let me try to dig into that a little bit with a serious question. What assurance do those of us engaged in cybercrime investigation -- or not yet created organizations that are legitimate -- have that we would have the same level of access in the future? Is it possible for this group to make that assurance? To be sure, this isn't my only concern or objection, but part of what I'm trying to get at is: even if those of us on this working group were to agree that cybercrime-mitigation entities should have the same access we have today, what's to prevent a stricter regime from changing the rules in the future? In other words, if we create a system that empowers one central organization to say that Allison's reasons (for example) are valid now, there's nothing to prevent that organization from deciding to block her in the future because they don't believe her reasons for investigating cybercrime are valid. Put another way, my concern isn't that you personally or anyone on this group wants to block cybercrime mitigation from happening -- rather, I'm wondering how this group could bind a future RDS 1, 5 or 10 years down the road not to change the goalposts.

John Horton President and CEO, LegitScript

*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | _Blog <http://blog.legitscript.com>_ |Google+ <https://plus.google.com/112436813474708014933/posts>

On Tue, Feb 14, 2017 at 9:05 AM, benny@nordreg.se <mailto:benny@nordreg.se> <benny@nordreg.se <mailto:benny@nordreg.se>> wrote:

Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen...

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 <tel:%2B46.42197080> Direct: +47.32260201 <tel:%2B47.32260201> Mobile: +47.40410200 <tel:%2B47.40410200>

> On 14 Feb 2017, at 17:58, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote: > > Benny, dude, you just wrote "Buhu my work will get harder", so please don't complain about adult and mature answers > > On Tue, Feb 14, 2017 at 11:56 AM, benny@nordreg.se <mailto:benny@nordreg.se> <benny@nordreg.se <mailto:benny@nordreg.se>> wrote: > A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save… > > To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. > In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights… > > Welcome to the discussion > > > > -- > Med vänliga hälsningar / Kind Regards / Med vennlig hilsen > > Benny Samuelsen > Registry Manager - Domainexpert > > Nordreg AB - ICANN accredited registrar > IANA-ID: 638 > Phone: +46.42197080 <tel:%2B46.42197080> > Direct: +47.32260201 <tel:%2B47.32260201> > Mobile: +47.40410200 <tel:%2B47.40410200> > > > On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com <mailto:jcb@bambenekconsulting.com>> wrote: > > > > Let me translate Allison's comments in the light of your mockery. > > > > You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online? > > > > If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously. > > > > That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains. > > > > But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had. > > > > Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call. > > > > And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help. > > > > Sent from my iPhone > > > >> On Feb 14, 2017, at 05:28, "benny@nordreg.se <mailto:benny@nordreg.se>" <benny@nordreg.se <mailto:benny@nordreg.se>> wrote: > >> > >> So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? > >> How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way… > >> > >> Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all.. > >> > >> > >> -- > >> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen > >> > >> Benny Samuelsen > >> Registry Manager - Domainexpert > >> > >> Nordreg AB - ICANN accredited registrar > >> IANA-ID: 638 > >> Phone: +46.42197080 <tel:%2B46.42197080> > >> Direct: +47.32260201 <tel:%2B47.32260201> > >> Mobile: +47.40410200 <tel:%2B47.40410200> > >> > >>> On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote: > >>> > >>> This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people! > >>> > >>> Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. > >>> > >>> This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. > >>> > >>> I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. > >>> > >>> With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. > >>> > >>> Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse? > >>> > >>> From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry. > >>> > >>> I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers. > >>> > >>> > >>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote: > >>> I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner. > >>> > >>> Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-: > >>> > >>> There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side). > >>> > >>> More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task. > >>> > >>> Sam L > >>> > >>> > >>> On 2017-02-14 1:23 AM, Deacon, Alex wrote: > >>> All, > >>> > >>> So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…) > >>> > >>> Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it. > >>> > >>> I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. > >>> > >>> Alex > >>> > >>> > >>> On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of michele@blacknight.com <mailto:michele@blacknight.com>> wrote: > >>> > >>> I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. > >>> Also it’s one of the biggest sources of complaints we get from our clients (registrants) > >>> It’s definitely not an “edge case”. > >>> Regards > >>> Michele > >>> -- > >>> Mr Michele Neylon > >>> Blacknight Solutions > >>> Hosting, Colocation & Domains > >>> https://www.blacknight.com/ > >>> http://blacknight.blog/ > >>> Intl. +353 (0) 59 9183072 <tel:%2B353%20%280%29%2059%209183072> > >>> Direct Dial: +353 (0)59 9183090 <tel:%2B353%20%280%2959%209183090> > >>> Social: http://mneylon.social > >>> Some thoughts: http://ceo.hosting/ > >>> ------------------------------- > >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > >>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> -- > >>> *--------------------------------------------* > >>> "It is a disgrace to be rich and honoured > >>> in an unjust state" -Confucius > >>> ---------------------------------------------- > >>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) > >>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 > >>> YorkU email: Lanfran@Yorku.ca Skype: slanfranco > >>> blog: http://samlanfranco.blogspot.com <http://samlanfranco.blogspot.com> > >>> Phone: 613 476-0429 <tel:613%20476-0429> cell: 416-816-2852 > >>> > >>> > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > >>> > >>> > >>> > >>> -- > >>> _________________________________ > >>> Note to self: Pillage BEFORE burning. > >> > >> _______________________________________________ > >> gnso-rds-pdp-wg mailing list > >> gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > > > > > -- > _________________________________ > Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net

Web:www.key-systems.net /www.RRPproxy.net www.domaindiscount24.com /www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net

Web:www.key-systems.net /www.RRPproxy.net www.domaindiscount24.com /www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

...

Here you go with the edge cases again.

The mother of all edge cases is the main contention of this entire working group. The theory that an innocent domain registrant's privacy is either "violated" or "not violated" and that this somehow hinges on the privacy status of the WHOIS data. This is absolutely a false premise. If I want to find someone, and they frequently use the Internet and aren't extremely OPSEC-aware, I'm going to find them. WHOIS privacy absolutely will not protect them. Does anyone believe this premise that also has experience in investigations? I do not believe any such person exists, because when you are experienced in tracking people down, you will know that this premise is factually untrue.

...

Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen

Is this an assurance? Because the talk I see here is about requiring paperwork like subpeonas and search warrants and that isn't feasible both from an investigation or automation standpoint as well as the fact that the vast majority of the anti-abuse community are not cops. There's no sign whatsoever that there is consideration towards anti-abuse.

...

I trust these statistics by spamhaus less than anything coming out of the mouth of the orange menace. And that is saying something.

You stand alone in that opinion. Spamhaus is not perfect but they are the most widely used blocklists among network operators. The amount of harm prevented by Spamhaus's block lists eclipses the harm prevented by registrants receiving WHOIS spam. It is like comparing the size of the sun to the size of an ant. If you have ever tried to operate from infrastructure that's on Spamhaus's block lists, your access to the Internet at large will be very poor indeed. How many of you people actually have day to day experience in fighting spam and preventing the massive privacy invasions that happen on a daily basis to innocent people? I am getting the feeling that this group badly needs to gain some perspective. WHOIS spam is a problem and is an annoyance, privacy is important, but this group keeps talking about WHOIS privacy and completely ignoring the fact that by volume such a scheme would cause great harms for mostly imaginary gain. To me this shows a sign that many of the arguments here are about idealism without practical experience. On Tue, Feb 14, 2017 at 12:24 PM, benny@nordreg.se <benny@nordreg.se> wrote:

Hi John

None in the group can do that, just as little as the opposite if we dont work together on the needs, give and take on it, we will not move forward. But the attitude which I see where the Status Quo are the driver for the discussions are not really productive…

Everything can be changed with new privacy laws coming in to force

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 18:18, John Horton <john.horton@legitscript.com> wrote:

​Hi Benny,

Let me try to dig into that a little bit with a serious question. What assurance do those of us engaged in cybercrime investigation -- or not yet created organizations that are legitimate -- have that we would have the same level of access in the future? Is it possible for this group to make that assurance? To be sure, this isn't my only concern or objection, but part of what I'm trying to get at is: even if those of us on this working group were to agree that cybercrime-mitigation entities should have the same access we have today, what's to prevent a stricter regime from changing the rules in the future? In other words, if we create a system that empowers one central organization to say that Allison's reasons (for example) are valid now, there's nothing to prevent that organization from deciding to block her in the future because they don't believe her reasons for investigating cybercrime are valid. Put another way, my concern isn't that you personally or anyone on this group wants to block cybercrime mitigation from happening -- rather, I'm wondering how this group could bind a future RDS 1, 5 or 10 years down the road not to change the goalposts.

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Google+

On Tue, Feb 14, 2017 at 9:05 AM, benny@nordreg.se <benny@nordreg.se> wrote: Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen...

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 17:58, allison nixon <elsakoo@gmail.com> wrote:

Benny, dude, you just wrote "Buhu my work will get harder", so please don't complain about adult and mature answers

On Tue, Feb 14, 2017 at 11:56 AM, benny@nordreg.se <benny@nordreg.se> wrote: A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save…

To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights…

Welcome to the discussion

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com> wrote:

Let me translate Allison's comments in the light of your mockery.

You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online?

If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously.

That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains.

But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had.

Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call.

And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help.

Sent from my iPhone

...

On Feb 14, 2017, at 05:28, "benny@nordreg.se" <benny@nordreg.se> wrote:

So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way…

Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all..

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com> wrote:

This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!

Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.

This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.

I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.

With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.

Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?

From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.

I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.

On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.

Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:

There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).

More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.

Sam L

On 2017-02-14 1:23 AM, Deacon, Alex wrote: All,

So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…)

Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.

I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.

Alex

On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote:

I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. Also it’s one of the biggest sources of complaints we get from our clients (registrants) It’s definitely not an “edge case”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- *--------------------------------------------* "It is a disgrace to be rich and honoured in an unjust state" -Confucius ---------------------------------------------- Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 YorkU email: Lanfran@Yorku.ca Skype: slanfranco blog: http://samlanfranco.blogspot.com Phone: 613 476-0429 cell: 416-816-2852

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

...

So you are saying that none of this spam are not originating from whois harvesting?

Do you understand how spam emails are harvested? WHOIS is one source of emails, and there are many other sources of emails that are subsequently fed into botnets, "lead lists" et cetera. Shutting off the spigot for one source of emails is unlikely to make any significant impact in the volume of spam you, or the average person will receive. And if the email WHOIS was deliberately disclosed by a company or person, that e-mail will also be on their website and will still be spammed. The only category of people who would be harmed exclusively by this WHOIS status quo are people who made a foolish mistake and didn't intend to disclose something publicly. It's a far more effective solution to start an investigation against these scammers that send emails and snailmail to registrants making false claims about their domain expiration. That should have happened years ago, honestly.

...

So since that is only a small part of the problem as you state it then we shall not do the effort to reduce it as a part of the change we want? I am trying to understand the viewpoint and the argument for letting public whois info being used to generate spam and scams as less important here

Because the anti-abuse community are simply members of the public. There appears to be a low level of respect given here for the efforts of that community, so I have a corresponding low level of confidence that continued access to this data will be allowed. On Tue, Feb 14, 2017 at 12:50 PM, benny@nordreg.se <benny@nordreg.se> wrote:

...

On 14 Feb 2017, at 18:39, allison nixon <elsakoo@gmail.com> wrote:

You stand alone in that opinion. Spamhaus is not perfect but they are the most widely used blocklists among network operators. The amount of harm prevented by Spamhaus's block lists eclipses the harm prevented by registrants receiving WHOIS spam. It is like comparing the size of the sun to the size of an ant. If you have ever tried to operate from infrastructure that's on Spamhaus's block lists, your access to the Internet at large will be very poor indeed.

So you are saying that none of this spam are not originating from whois harvesting?

...

How many of you people actually have day to day experience in fighting

spam and preventing the massive privacy invasions that happen on a daily basis to innocent people? I am getting the feeling that this group badly needs to gain some perspective. WHOIS spam is a problem and is an annoyance, privacy is important, but this group keeps talking about WHOIS privacy and completely ignoring the fact that by volume such a scheme would cause great harms for mostly imaginary gain. To me this shows a sign that many of the arguments here are about idealism without practical experience.

So since that is only a small part of the problem as you state it then we shall not do the effort to reduce it as a part of the change we want?

I am trying to understand the viewpoint and the argument for letting public whois info being used to generate spam and scams as less important here

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

-- _________________________________ Note to self: Pillage BEFORE burning.

...

Ah come on… dont’t give me that, answer my question without a lecture, been working with this for more than 20 years so please dont use that ignorant “do you understand”… I know very well how this is working...

Then why ask that question? So many of the things I read in this thread appear to demonstrate a lack of experience in practical situations where privacy is violated(rightly AND wrongly). I don't know you or what you spent 20 years doing, I am only addressing the points you brought up.

...

So I have heard but none hava managed to stop it and they are harming innocent people everyday with there scams but apparently not important...

It is important, and the fact that it hasn't been addressed yet is a direct consequence of the large amount of Internet abuse compared to the small number of people equipped to investigate it.

...

Have you ever thought about that the level of respect arise from the level of respect from the anti-abuse community towards the ones who can and will help if they are shown the respect they should have? I think this is a two-way problem which in the last ICANN meetings have been in initiatives to help and the dialog has been open and positive. A change are needed on both sides absolutely

I have no history participating in those communities, and I have almost no history posting to this list. I am mostly too busy to read all the longwinded emails exchanged here, but this thread was just so off-base that I had to respond. It seems that people here use an Internet where cybercrime doesn't exist and isn't a concern. That was what concerned me. I don't know almost any of you and I'm not asking for your respect. The lack of concern for the major issue of cyber crime is what moved me to post. If there was proper consideration given to that issue within this group, I'd probably disappear back into the ether On Tue, Feb 14, 2017 at 1:20 PM, benny@nordreg.se <benny@nordreg.se> wrote:

...

On 14 Feb 2017, at 18:59, allison nixon <elsakoo@gmail.com> wrote:

...

...

So you are saying that none of this spam are not originating from whois harvesting?

Do you understand how spam emails are harvested? WHOIS is one source of emails, and there are many other sources of emails that are subsequently fed into botnets, "lead lists" et cetera. Shutting off the spigot for one source of emails is unlikely to make any significant impact in the volume of spam you, or the average person will receive. And if the email WHOIS was deliberately disclosed by a company or person, that e-mail will also be on their website and will still be spammed. The only category of people who would be harmed exclusively by this WHOIS status quo are people who made a foolish mistake and didn't intend to disclose something publicly.

Ah come on… dont’t give me that, answer my question without a lecture, been working with this for more than 20 years so please dont use that ignorant “do you understand”… I know very well how this is working...

...

It's a far more effective solution to start an investigation against

these scammers that send emails and snailmail to registrants making false claims about their domain expiration. That should have happened years ago, honestly.

So I have heard but none hava managed to stop it and they are harming innocent people everyday with there scams but apparently not important...

...

...

...

So since that is only a small part of the problem as you state it then

we shall not do the effort to reduce it as a part of the change we want?

...

...

...

I am trying to understand the viewpoint and the argument for letting public whois info being used to generate spam and scams as less important here

Because the anti-abuse community are simply members of the public. There appears to be a low level of respect given here for the efforts of that community, so I have a corresponding low level of confidence that continued access to this data will be allowed.

Have you ever thought about that the level of respect arise from the level of respect from the anti-abuse community towards the ones who can and will help if they are shown the respect they should have? I think this is a two-way problem which in the last ICANN meetings have been in initiatives to help and the dialog has been open and positive. A change are needed on both sides absolutely

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

-- _________________________________ Note to self: Pillage BEFORE burning.

...

to your first point: the right to privacy of ones own data may be different where I live and where you live. Suffice it to say that in our day-to-day business we get eough complaints from customers who feel their rivacy has been violated either by our putting their data out for everyone to see or by customers of ours who provide services that do the same. And we both agree that whois privacy will not protect you 100%.

So put your contact address as "123 fake st" and your phone number as "555-555-5555". Make a fake email. No one is forcing you to disclose more than you want to. And the only people who disclose too much are doing so by mistake, not by coercion.

...

to your second point: why is requiring the same legal standard for accessing data of customers of hosting service providers, of ebay account holders, of Amazon sellers and many other areas where the data is not public suddenly not feasible for customers of domain name registrars? Our privacy service gets regular subpoenas for data of customers. Why is making that the standard suddenly the end of the world?

Because when I purchase something from Amazon, I need to give my credit card number, address, zip, etc. Similarly, we do not get payment details from the registrar, even though they require billing address and zip code, which is a completely different dataset than the zip codes in WHOIS data. WHOIS data is completely arbitrary and not required to complete any transactions.

...

And while I appreciate the good work that many like John are doing on a private level, ultimately they are not law enforcement and are not entitled to the same level of access as law enforcement has just like a rent-a-cop does not have the same law enforcement powers a real cop has.

Your comparisons between anti-abuse and rent-a-cops further demonstrates your disrespect. I am happy to allow law enforcement to fully take over this work, but this field has not matured enough yet, and the literacy just isn't there. The skills, experience, and power rests almost fully in the private sector. This isn't some mall cop operation. It's the last line of defense between you and all manner of bad things happening to you. You might not like that, and you probably don't want to recognize that as legitimate, but it's reality. You should thank the people defending your networks, and the people defending the networks of companies you do business with.

...

Re:Spamhaus: I have worked with them and while they provide a valuable anti-spam service, some of their methods or publications leave a lot to be desired. The fact that they ofter outright refuse to provide evidence of their claims, the fact that they outright lie to ICANN compliance, and the fact that they bend numbers anyway they need to fit their narrative do not help to build trust and work with them as partners. I think they provide a good service but ultimately they are vigilantes and often overshoot their mark. This "study" is one such instance where they present a result without allowing the reader to look at the work that led to the result. And that makes it worthless for peer review or for basing anything on their results.

And it shows how bad the situation is when an operation of this quality is still the best and most used blocklist out there. When the volume of abuse is so high that "due process" is, literally, a mathematically impossible order. And despite all of those flaws, their actions do more to protect privacy than anything discussed in this working group. On Tue, Feb 14, 2017 at 1:03 PM, Volker Greimann <vgreimann@key-systems.net> wrote:

Hi Allion,

to your first point: the right to privacy of ones own data may be different where I live and where you live. Suffice it to say that in our day-to-day business we get eough complaints from customers who feel their rivacy has been violated either by our putting their data out for everyone to see or by customers of ours who provide services that do the same. And we both agree that whois privacy will not protect you 100%.

to your second point: why is requiring the same legal standard for accessing data of customers of hosting service providers, of ebay account holders, of Amazon sellers and many other areas where the data is not public suddenly not feasible for customers of domain name registrars? Our privacy service gets regular subpoenas for data of customers. Why is making that the standard suddenly the end of the world?

And while I appreciate the good work that many like John are doing on a private level, ultimately they are not law enforcement and are not entitled to the same level of access as law enforcement has just like a rent-a-cop does not have the same law enforcement powers a real cop has.

Re:Spamhaus: I have worked with them and while they provide a valuable anti-spam service, some of their methods or publications leave a lot to be desired. The fact that they ofter outright refuse to provide evidence of their claims, the fact that they outright lie to ICANN compliance, and the fact that they bend numbers anyway they need to fit their narrative do not help to build trust and work with them as partners. I think they provide a good service but ultimately they are vigilantes and often overshoot their mark. This "study" is one such instance where they present a result without allowing the reader to look at the work that led to the result. And that makes it worthless for peer review or for basing anything on their results.

Best,

Volker

Am 14.02.2017 um 18:39 schrieb allison nixon:

...

...

Here you go with the edge cases again.

The mother of all edge cases is the main contention of this entire working group. The theory that an innocent domain registrant's privacy is either "violated" or "not violated" and that this somehow hinges on the privacy status of the WHOIS data. This is absolutely a false premise. If I want to find someone, and they frequently use the Internet and aren't extremely OPSEC-aware, I'm going to find them. WHOIS privacy absolutely will not protect them.

Does anyone believe this premise that also has experience in investigations? I do not believe any such person exists, because when you are experienced in tracking people down, you will know that this premise is factually untrue.

...

...

Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen

Is this an assurance? Because the talk I see here is about requiring paperwork like subpeonas and search warrants and that isn't feasible both from an investigation or automation standpoint as well as the fact that the vast majority of the anti-abuse community are not cops. There's no sign whatsoever that there is consideration towards anti-abuse.

...

...

I trust these statistics by spamhaus less than anything coming out of the mouth of the orange menace. And that is saying something.

You stand alone in that opinion. Spamhaus is not perfect but they are the most widely used blocklists among network operators. The amount of harm prevented by Spamhaus's block lists eclipses the harm prevented by registrants receiving WHOIS spam. It is like comparing the size of the sun to the size of an ant. If you have ever tried to operate from infrastructure that's on Spamhaus's block lists, your access to the Internet at large will be very poor indeed.

How many of you people actually have day to day experience in fighting spam and preventing the massive privacy invasions that happen on a daily basis to innocent people? I am getting the feeling that this group badly needs to gain some perspective. WHOIS spam is a problem and is an annoyance, privacy is important, but this group keeps talking about WHOIS privacy and completely ignoring the fact that by volume such a scheme would cause great harms for mostly imaginary gain. To me this shows a sign that many of the arguments here are about idealism without practical experience.

On Tue, Feb 14, 2017 at 12:24 PM, benny@nordreg.se <benny@nordreg.se> wrote:

...

Hi John

None in the group can do that, just as little as the opposite if we dont work together on the needs, give and take on it, we will not move forward. But the attitude which I see where the Status Quo are the driver for the discussions are not really productive…

Everything can be changed with new privacy laws coming in to force

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 18:18, John Horton <john.horton@legitscript.com> wrote:

​Hi Benny,

Let me try to dig into that a little bit with a serious question. What assurance do those of us engaged in cybercrime investigation -- or not yet created organizations that are legitimate -- have that we would have the same level of access in the future? Is it possible for this group to make that assurance? To be sure, this isn't my only concern or objection, but part of what I'm trying to get at is: even if those of us on this working group were to agree that cybercrime-mitigation entities should have the same access we have today, what's to prevent a stricter regime from changing the rules in the future? In other words, if we create a system that empowers one central organization to say that Allison's reasons (for example) are valid now, there's nothing to prevent that organization from deciding to block her in the future because they don't believe her reasons for investigating cybercrime are valid. Put another way, my concern isn't that you personally or anyone on this group wants to block cybercrime mitigation from happening -- rather, I'm wondering how this group could bind a future RDS 1, 5 or 10 years down the road not to change the goalposts.

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Google+

On Tue, Feb 14, 2017 at 9:05 AM, benny@nordreg.se <benny@nordreg.se> wrote: Well it might be so, but every singel person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like noen of you want that to happen...

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 17:58, allison nixon <elsakoo@gmail.com> wrote:

Benny, dude, you just wrote "Buhu my work will get harder", so please don't complain about adult and mature answers

On Tue, Feb 14, 2017 at 11:56 AM, benny@nordreg.se <benny@nordreg.se> wrote: A very adult and mature answer… with some nice baked in threats, funny its only your kind of crimes which matter apparantly… oh and the final on which always are been draged out when there are no more arguments, think about the one child we can save…

To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone have to give and take to come to a better solution. In you ignorance you completely miss the point that by have all these data public there are commited crimes every minut by using those data nut hey what does that matter as long as you business can roll on… I guess those people will thank you for you helpful insights…

Welcome to the discussion

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 14 Feb 2017, at 17:29, John Bambenek <jcb@bambenekconsulting.com> wrote:

Let me translate Allison's comments in the light of your mockery.

You're ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. Its not a question of looking past your own walls, its a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online?

If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously.

That said, we have a viable compromise, its called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains.

But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had.

Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call.

And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help.

Sent from my iPhone

...

On Feb 14, 2017, at 05:28, "benny@nordreg.se" <benny@nordreg.se> wrote:

So basicaly what you say are… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing there domain or buying fake SEO plans? How can anyone defend that we have data published to get abused just because some bad guys registrer domains? And those of you who does will still have access to the date just not in the same easy way…

Sorry for my harsh tone but I really don’t see why we cant look past our own walls and find a solution which are to the better for all..

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

> On 14 Feb 2017, at 06:38, allison nixon <elsakoo@gmail.com> wrote: > > This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people! > > Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpeona takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it. > > This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now. > > I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpeona for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations. > > With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing. > > Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse? > > From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry. > > I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers. > > > On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam@lanfranco.net> wrote: > I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner. > > Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-: > > There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side). > > More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task. > > Sam L > > > On 2017-02-14 1:23 AM, Deacon, Alex wrote: > All, > > So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email). I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we? Hopefully I didn’t miss the party…) > > Focusing on thin data for the moment I struggle to understand how it is personal data. I do not believe it is. As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it. > > I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws. Any arguments that imply that no such balance exists (or should exist) is obstructive IMO. > > Alex > > > On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of michele@blacknight.com> wrote: > > I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed. > Also it’s one of the biggest sources of complaints we get from our clients (registrants) > It’s definitely not an “edge case”. > Regards > Michele > -- > Mr Michele Neylon > Blacknight Solutions > Hosting, Colocation & Domains > https://www.blacknight.com/ > http://blacknight.blog/ > Intl. +353 (0) 59 9183072 <+353%2059%20918%203072> > Direct Dial: +353 (0)59 9183090 > Social: http://mneylon.social > Some thoughts: http://ceo.hosting/ > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > > -- > *--------------------------------------------* > "It is a disgrace to be rich and honoured > in an unjust state" -Confucius > ---------------------------------------------- > Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) > Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 > YorkU email: Lanfran@Yorku.ca Skype: slanfranco > blog: http://samlanfranco.blogspot.com > Phone: 613 476-0429 <(613)%20476-0429> cell: 416-816-2852 <(416)%20816-2852> > > > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > > > > -- > _________________________________ > Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901>

Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously? worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. On Tue, Feb 14, 2017 at 1:31 PM, Hollenbeck, Scott <shollenbeck@verisign.com

wrote:

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org] *On Behalf Of *allison nixon *Sent:* Tuesday, February 14, 2017 1:21 PM *To:* Volker Greimann <vgreimann@key-systems.net> *Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

...

to your first point: the right to privacy of ones own data may be different where I live and where you live. Suffice it to say that in our day-to-day business we get eough complaints from customers who feel their rivacy has been violated either by our putting their data out for everyone to see or by customers of ours who provide services that do the same. And we both agree that whois privacy will not protect you 100%.

So put your contact address as "123 fake st" and your phone number as "555-555-5555". Make a fake email. No one is forcing you to disclose more than you want to. And the only people who disclose too much are doing so by mistake, not by coercion.

[SAH] Actually, there **are** requirements to provide valid data and for registrars to perform validation processing:

https://www.icann.org/resources/pages/approved-with- specs-2013-09-17-en#whois-accuracy

Scott

-- _________________________________ Note to self: Pillage BEFORE burning.

Scott, when I say fake email for WHOIS, most people generally understand it to mean a junk email address, a "mailinator" or "yopmail" address, or a newly created email address that will never be used again. The "verification" process is straightforward and quickly learned by anyone that doesn't understand, and no part of the process forces people to use an e-mail address that they actively use. At this point in time most Internet users understand the concept of a junk email address.

...

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

The fact that it happened twice, three, and ten years ago does not change the daily reality that this information is not verified, even when reported through a registrar's abuse channels. I'm going to continue stating that this policy is a joke until the reality of the bad state of WHOIS data changes, and then I will change my mind based on the evidence. On Tue, Feb 14, 2017 at 1:56 PM, Hollenbeck, Scott <shollenbeck@verisign.com

wrote:

*From:* allison nixon [mailto:elsakoo@gmail.com] *Sent:* Tuesday, February 14, 2017 1:35 PM *To:* Hollenbeck, Scott <shollenbeck@verisign.com> *Cc:* vgreimann@key-systems.net; gnso-rds-pdp-wg@icann.org *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously?

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

https://www.icann.org/news/announcement-2-2007-03-16-en

https://www.icann.org/en/system/files/correspondence/ serad-to-patel-2-18jul14-en.pdf

worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that.

Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA).

Scott

-- _________________________________ Note to self: Pillage BEFORE burning.

Scott, when I say fake email for WHOIS, most people generally understand it to mean a junk email address, a "mailinator" or "yopmail" address, or a newly created email address that will never be used again. The "verification" process is straightforward and quickly learned by anyone that doesn't understand, and no part of the process forces people to use an e-mail address that they actively use. At this point in time most Internet users understand the concept of a junk email address. That is a completely different issue as the whois is essentially correct and the address fulfills all policy requirements. The availability and use of such addresses may also have legitimate purposes. The fact that it happened twice, three, and ten years ago does not change the daily reality that this information is not verified, even when reported through a registrar's abuse channels. I'm going to continue stating that this policy is a joke until the reality of the bad state of WHOIS data changes, and then I will change my mind based on the evidence. Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

Best, Volker

On Tue, Feb 14, 2017 at 1:56 PM, Hollenbeck, Scott <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>> wrote:

*From:*allison nixon [mailto:elsakoo@gmail.com <mailto:elsakoo@gmail.com>] *Sent:* Tuesday, February 14, 2017 1:35 PM *To:* Hollenbeck, Scott <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>> *Cc:* vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

>>[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously?

*//*

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

https://www.icann.org/news/announcement-2-2007-03-16-en <https://www.icann.org/news/announcement-2-2007-03-16-en>

https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... <https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1...>

worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that.

Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA).

Scott

-- _________________________________ Note to self: Pillage BEFORE burning.

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Greg, I used the email address example only to address this statement originally sent by Allison (with emphasis added in bold italics for people with HTML-capable mail readers): “So put your contact address as "123 fake st" and your phone number as "555-555-5555". Make a fake email” All I’m trying to do is note that this kind of advice can cause real unintended operational consequences for well-meaning registrants who might think it’s a great way to avoid having their PII published via services like WHOIS. It isn’t. Scott From: Greg Aaron [mailto:gca@icginc.com] Sent: Tuesday, February 14, 2017 2:20 PM To: Hollenbeck, Scott <shollenbeck@verisign.com>; 'elsakoo@gmail.com' <elsakoo@gmail.com> Cc: 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] Dangers of public whois No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: 'elsakoo@gmail.com' <elsakoo@gmail.com<mailto:elsakoo@gmail.com>> Cc: 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> Cc: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously? Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: https://www.icann.org/news/announcement-2-2007-03-16-en https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). Scott

Focusing on “fake”, I’m interpreting “fake email” as an address that is syntactically valid (it is formatted as local-part@domain as specified in Section 2.3.11 of RFC 5321) but incapable of receiving messages due to errors in processing either the local-part or the domain when attempting to deliver mail to the address. As I noted earlier, inability to deliver email sent to a contact address is one of the reasons for which an RAA-compliant registrar may suspend a registered domain. Scott From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 2:45 PM To: Hollenbeck, Scott <shollenbeck@verisign.com> Cc: gca@icginc.com; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois Why isn't it? I've been doing it for years. It's a great way to avoid having my PII abused. Please demonstrate these consequences to me. On Tue, Feb 14, 2017 at 2:34 PM, Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> wrote: Greg, I used the email address example only to address this statement originally sent by Allison (with emphasis added in bold italics for people with HTML-capable mail readers): “So put your contact address as "123 fake st" and your phone number as "555-555-5555". Make a fake email” All I’m trying to do is note that this kind of advice can cause real unintended operational consequences for well-meaning registrants who might think it’s a great way to avoid having their PII published via services like WHOIS. It isn’t. Scott From: Greg Aaron [mailto:gca@icginc.com<mailto:gca@icginc.com>] Sent: Tuesday, February 14, 2017 2:20 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>>; 'elsakoo@gmail.com<mailto:elsakoo@gmail.com>' <elsakoo@gmail.com<mailto:elsakoo@gmail.com>> Cc: 'gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>' <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] Dangers of public whois No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: 'elsakoo@gmail.com<mailto:elsakoo@gmail.com>' <elsakoo@gmail.com<mailto:elsakoo@gmail.com>> Cc: 'gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>' <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> Cc: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously? Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: https://www.icann.org/news/announcement-2-2007-03-16-en https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). Scott -- _________________________________ Note to self: Pillage BEFORE burning.

Hi Greg, that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible. Volker Am 14.02.2017 um 20:19 schrieb Greg Aaron:

No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names.

All best,

--Greg

*From:*gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Hollenbeck, Scott *Sent:* Tuesday, February 14, 2017 1:57 PM *To:* 'elsakoo@gmail.com' <elsakoo@gmail.com> *Cc:* 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Dangers of public whois

*From:*allison nixon [mailto:elsakoo@gmail.com] *Sent:* Tuesday, February 14, 2017 1:35 PM *To:* Hollenbeck, Scott <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>> *Cc:* vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously?

*//*

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

https://www.icann.org/news/announcement-2-2007-03-16-en

https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1...

worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that.

Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA).

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Allison, I think it would be helpful if you didn’t lump all registrars into the same bucket just because you have had some bad experiences. That would make it easier for all of us to work collaboratively to find solutions going forward. Chuck From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of allison nixon Sent: Wednesday, February 15, 2017 10:30 AM To: Volker Greimann <vgreimann@key-systems.net> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data.

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke.

...

I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating.

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response. Cue yakety sax. The emperor wears no clothes.

...

Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena.

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions.

...

There has to be some form of due process, anything else is anarchy.

The Internet is in a state of anarchy.

...

Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong. On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi Greg, that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible. Volker Am 14.02.2017 um 20:19 schrieb Greg Aaron: No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: 'elsakoo@gmail.com<mailto:elsakoo@gmail.com>' <elsakoo@gmail.com><mailto:elsakoo@gmail.com> Cc: 'gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>' <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> Cc: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois >>[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing: How do you expect toothless policy to work *on the Internet*? Seriously? Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: https://www.icann.org/news/announcement-2-2007-03-16-en https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851<tel:+49%206894%209396851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851<tel:+49%206894%209396851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- _________________________________ Note to self: Pillage BEFORE burning.

Yes I have a case like that now where the validation was rejected by the contact, they want to change to another fake adress and the answer to that request are no that are not ok -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 15 Feb 2017, at 16:57, allison nixon <elsakoo@gmail.com> wrote:

Would any other registrar have responded to my address change with a "no, that is not your correct address"?

On Wed, Feb 15, 2017 at 10:46 AM, Gomes, Chuck <cgomes@verisign.com> wrote: Allison,

I think it would be helpful if you didn’t lump all registrars into the same bucket just because you have had some bad experiences. That would make it easier for all of us to work collaboratively to find solutions going forward.

Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of allison nixon Sent: Wednesday, February 15, 2017 10:30 AM To: Volker Greimann <vgreimann@key-systems.net> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>

Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

...

That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data.

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke.

...

...

I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating.

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response.

Cue yakety sax.

The emperor wears no clothes.

...

...

Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena.

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions.

...

...

There has to be some form of due process, anything else is anarchy.

The Internet is in a state of anarchy.

...

...

Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong.

On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Hi Greg,

that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible.

Volker

Am 14.02.2017 um 20:19 schrieb Greg Aaron:

No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names.

All best,

--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: 'elsakoo@gmail.com' <elsakoo@gmail.com> Cc: 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott <shollenbeck@verisign.com> Cc: vgreimann@key-systems.net; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously?

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

https://www.icann.org/news/announcement-2-2007-03-16-en

https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1...

worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that.

Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA).

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

--

_________________________________ Note to self: Pillage BEFORE burning.

-- _________________________________ Note to self: Pillage BEFORE burning. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I am not in a position to speak for registrars. Chuck From: allison nixon [mailto:elsakoo@gmail.com] Sent: Wednesday, February 15, 2017 10:57 AM To: Gomes, Chuck <cgomes@verisign.com> Cc: vgreimann@key-systems.net; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois Would any other registrar have responded to my address change with a "no, that is not your correct address"? On Wed, Feb 15, 2017 at 10:46 AM, Gomes, Chuck <cgomes@verisign.com<mailto:cgomes@verisign.com>> wrote: Allison, I think it would be helpful if you didn’t lump all registrars into the same bucket just because you have had some bad experiences. That would make it easier for all of us to work collaboratively to find solutions going forward. Chuck From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of allison nixon Sent: Wednesday, February 15, 2017 10:30 AM To: Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data.

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke.

...

I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating.

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response. Cue yakety sax. The emperor wears no clothes.

...

Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena.

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions.

...

There has to be some form of due process, anything else is anarchy.

The Internet is in a state of anarchy.

...

Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong. On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Hi Greg, that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible. Volker Am 14.02.2017 um 20:19 schrieb Greg Aaron: No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: 'elsakoo@gmail.com<mailto:elsakoo@gmail.com>' <elsakoo@gmail.com><mailto:elsakoo@gmail.com> Cc: 'gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>' <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois From: allison nixon [mailto:elsakoo@gmail.com] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> Cc: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois >>[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing: How do you expect toothless policy to work *on the Internet*? Seriously? Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: https://www.icann.org/news/announcement-2-2007-03-16-en https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851<tel:+49%206894%209396851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901<tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851<tel:+49%206894%209396851> Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- _________________________________ Note to self: Pillage BEFORE burning. -- _________________________________ Note to self: Pillage BEFORE burning.

You seem to be saying: Let's abolish whois altogether since it is all fake info anyway...? Am 15.02.2017 um 16:29 schrieb allison nixon:

...

...

That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data.

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke.

...

...

I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating.

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response.

Cue yakety sax.

The emperor wears no clothes.

...

...

Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena.

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions.

...

...

There has to be some form of due process, anything else is anarchy.

The Internet is in a state of anarchy.

...

...

Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong.

On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:

Hi Greg,

that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible.

Volker

Am 14.02.2017 um 20:19 schrieb Greg Aaron:

...

No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names.

All best,

--Greg

*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Hollenbeck, Scott *Sent:* Tuesday, February 14, 2017 1:57 PM *To:* 'elsakoo@gmail.com <mailto:elsakoo@gmail.com>' <elsakoo@gmail.com> <mailto:elsakoo@gmail.com> *Cc:* 'gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>' <gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Dangers of public whois

*From:*allison nixon [mailto:elsakoo@gmail.com] *Sent:* Tuesday, February 14, 2017 1:35 PM *To:* Hollenbeck, Scott <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>> *Cc:* vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

>>[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously?

*//*

Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples:

https://www.icann.org/news/announcement-2-2007-03-16-en <https://www.icann.org/news/announcement-2-2007-03-16-en>

https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... <https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1...>

worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that.

Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA).

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:+49%206894%209396901> Fax.:+49 (0) 6894 - 9396 851 <tel:+49%206894%209396851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>

Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:+49%206894%209396901> Fax.:+49 (0) 6894 - 9396 851 <tel:+49%206894%209396851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>

Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

HI Allison, I have kept quiet for most of the debate back and forward and have not put my head above the parapet for the odd comment made through fear of the "oh another registrar - comment". However, if you have had a bad experience with a registrar, you report it to ICANN, please do not hang around, we like you want the bad actors to change their direction and be good and worthwhile registrars - whois inaccuracy reports come from ICANN and I have my fair share of them. I certainly do not risk my ICANN creds over someone’s whois - if there is a report, and the address looks bogus (and even if not as we have to provide ICANN some proof and "google maps" doesn’t cut it) we require ID, generally government based proving the address that has been updated is correct. Now, that does not prove verification, that proves validation, I am sure as you I believe suggested you could put down anyone’s address and it would be valid, however, verifying it is completely different, and costly, I believe Volker mentioned it before, if a solution can be found and it is commercially viable - confirm who is paying for it, as it is unfair to burden the registrant with extra cost, similar to the registrar, nor the registry. I cited once before, I know my neighbours name, his address (should do, he is my neighbour after all), his age, and because of cake last year, his birthday - lastly I know his height and can have a stab at his mothers maiden name (he mentioned it once before in passing conversation as it was similar to my mothers), thus quite a bit of information not really out in the public. You are probably now thinking where am I going with this. Verification can ONLY be done with the tools the governments of our world have, they know your passport number, driving license number, marriage date and other such dates. Only the governments can provide a way of verification that is as close as damn it to being the person you are dealing with. One final point to your comment " Really? Because a lot of domains have WHOIS privacy enabled, which is as good as a fake address. " We pay plenty for our office address per year, this is our privacy/proxy service address, so please don't tar all services with the same brush, some are great, some do as they need and some don't. Kind regards, Chris From: "allison nixon" <elsakoo@gmail.com> To: "Volker Greimann" <vgreimann@key-systems.net> Cc: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> Sent: Wednesday, 15 February, 2017 16:31:40 Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

...

Yet we hear claims on this list again and again that it is used by internet users all the time to verify whether the site they want to conduct commercial transactions on is legit.

Really? Because a lot of domains have WHOIS privacy enabled, which is as good as a fake address.

...

If provided with actual evidence of wilful use of incorrect data and the data either remains uncorrected or no evidence of acuracy of the correction is presented, then you will find that many registrars will deactivate the domain. For many, the threat of suspension of their domain is compulsion enough.

And if the registrant doesn't flagrantly admit to doing so, and they use an address of the nearest football stadium or enemy's house, the song and dance continues. Or they use existing whois privacy, input 123 fake st, and the complainant has no standing to make additional complaints

...

You seem to be saying: Let's abolish whois altogether since it is all fake info anyway...?

Not really, just pointing out the ridiculousness of the assumptions being made here. On Wed, Feb 15, 2017 at 11:22 AM, Volker Greimann < vgreimann@key-systems.net > wrote: You seem to be saying: Let's abolish whois altogether since it is all fake info anyway...? Am 15.02.2017 um 16:29 schrieb allison nixon: BQ_BEGIN

...

That would be providing incorrect whois data and can trigger an investigation by ICANN and the registrar, if noticed. Not a good idea. Let's not make the option to violate registration policy an argument against protection of private data.

Really? because I saw firsthand exactly how serious such an investigation is and it's a joke.

...

I am sorry you had that experience. Normally, if evidence is provided by the complainant that the whois is incorrect, most registrars will require that the registrant provides evidence that the updated data is correct, if only to avoid a follow-on complaint. If evidence suggests that the address is obviously and intentionally fake and the domain likely used in abuse, we may not even wait for the feedback of the customer before deactivating.

While my domain was not involved in abuse, making a single address change, and saying "I assure you, this is where people should send mail" is more than enough to satisfy my registrar. Nothing stops someone from making a second complaint against a domain, especially if the goal is for takedown or harassment (which it almost always would be). And that second complaint would be as equally valid as the first one, and equally valid as my subsequent response. Cue yakety sax. The emperor wears no clothes.

...

Ah, you misunderstood me. I meant that when I, a customer, get ripped off by an Amazon marketplace seller, Amazon will in all likelyhood not provide me with all data they have on the culprit. Even the police may need a subpoena.

And the registrar doesn't publish payment info when the customer pays with a fake credit card. the comparison to WHOIS is nonsensical. WHOIS is not involved in private commercial transactions.

...

There has to be some form of due process, anything else is anarchy.

The Internet is in a state of anarchy.

...

Verification may be impossible. Validation on the other hand is possible. If you do not like the policy as it stands, propose an alternative solution. Ideally also tell us who will pay for it.

I do not actually think that physical addresses and phone numbers should be verified. I am saying that this dance around the issue of correct WHOIS data is a hilarious joke. You seem to have legal obligations to pretend otherwise, as a registrar, but I don't and I'm pointing out the nakedness of this particular emperor. There is absolutely no compulsion to provide correct info. I challenge you to prove me wrong. On Wed, Feb 15, 2017 at 5:00 AM, Volker Greimann < vgreimann@key-systems.net > wrote: BQ_BEGIN Hi Greg, that is a totally different issue. Maybe such services need better regulation, but as long as the policy requirements are met, taking action solely based on the use of such services is impossible. Volker Am 14.02.2017 um 20:19 schrieb Greg Aaron: BQ_BEGIN No, the RAA validation steps are trivially easy to get around. You use the example of a fake email address. Criminals know not to use fake email addresses, and they don’t need to because they can get email addresses for free. One can sign up for free email accounts anonymously. There are even underground services that will generate freemail accounts in bulk. These services cater to criminals such as spammers who need to register lots of domain names. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org [ mailto:gnso-rds-pdp-wg-bounces@icann.org ] On Behalf Of Hollenbeck, Scott Sent: Tuesday, February 14, 2017 1:57 PM To: ' elsakoo@gmail.com ' <elsakoo@gmail.com> Cc: ' gnso-rds-pdp-wg@icann.org ' <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois From: allison nixon [ mailto:elsakoo@gmail.com ] Sent: Tuesday, February 14, 2017 1:35 PM To: Hollenbeck, Scott < shollenbeck@verisign.com > Cc: vgreimann@key-systems.net ; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Dangers of public whois

...

[SAH] Actually, there *are* requirements to provide valid data and for registrars to perform validation processing:

How do you expect toothless policy to work *on the Internet*? Seriously? Yes, seriously. Registrars who do not implement the policy are subject to having their accreditation revoked. ICANN has, in fact, revoked or suspended accreditations. Here are two examples: https://www.icann.org/news/announcement-2-2007-03-16-en https://www.icann.org/en/system/files/correspondence/serad-to-patel-2-18jul1... worst that can happen when you put in fake whois data is that your domain gets reported, you change "123 fake st" to "124 fake st", and your registrar is satisfied because what more can they possibly do. I know this because I went through this with an old sinkhole domain. It's a total joke. Let's not pretend it's anything more than that. Not true. A fake email address, for example, can be detected easily when email sent to it (one of the registrar’s validation requirements) gets bounced back. The worst that can happen is that your domain gets put into some non-operational state (“suspend the registration” per the RAA). Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg BQ_END -- _________________________________ Note to self: Pillage BEFORE burning. BQ_END -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. BQ_END -- _________________________________ Note to self: Pillage BEFORE burning. _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Another post about the problems with public whois How anyone here can still defend this abuse of info as a the best system I have serious problems understanding. http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocalling-base... -- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen Benny Samuelsen Registry Manager - Domainexpert Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Allison

As others have said, if you have an issue please report it to ICANN, law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn’t very helpful for constructive dialogue. We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it’s very obvious that the details provided are bogus, but in others it’s not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits.

We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C

Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that’s a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don’t live at any of them, but you can send me physical mail and I will get it. You could argue that the address is “fake”, but as I can get mail to it I’d suspect that in many cases it’d be considered valid.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Let us take a simple example A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort. So why on earth are we forcing registrants to give up this right to choose to whom they share that info? Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here. The Status Quo hammering are not productive at all. RDS are meant to make change to the better! Sent from my iPhone

On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote:

Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me.

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Friday, February 17, 2017 8:25 AM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Another post about the problems with public whois

How anyone here can still defend this abuse of info as a the best system I have serious problems understanding.

http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocalling-base...

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Allison

As others have said, if you have an issue please report it to ICANN, law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn’t very helpful for constructive dialogue. We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it’s very obvious that the details provided are bogus, but in others it’s not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits.

We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C

Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that’s a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don’t live at any of them, but you can send me physical mail and I will get it. You could argue that the address is “fake”, but as I can get mail to it I’d suspect that in many cases it’d be considered valid.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I have no problem understanding your example but come up with an idea which can secure that access and also benefit the privacy of those not doing anything wrong buy still are abused on a daily basis. Funny that you choose a trademark as an example because there are so many categories of trademarks that another's use of for example xp.sometld don't have to be an infringement on Microsoft's trademark for XP but that's another discussion Sent from my iPhone

On 17 Feb 2017, at 20:50, Mark Svancarek <marksv@microsoft.com> wrote:

Counter example "Joe" has a web site which is used to abuse my trademark. I can't contact Joe because his thin data is incorrect or hidden (I don't know that Joe is actually Joe.). I then contact the registrar. They follow up with the privacy proxy service if needed. Hopefully all this happens quickly and the cease and desist message is actually delivered.

In actual practice, there is a noteworthy difference in effectiveness if we have to go through the registrar, compared to us contacting directly. If the registrar isn't responsive, then I may have to pressure ICANN to enforce the registrar contract, which has its own issues.

In either case, your abuse of my trademark is probably a civil issue, so starting with law enforcement isn't a great option, even if they had the inclination and bandwidth to help out in a timely fashion.

-----Original Message----- From: benny@nordreg.se [mailto:benny@nordreg.se] Sent: Friday, February 17, 2017 9:41 AM To: Mark Svancarek <marksv@microsoft.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Let us take a simple example

A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort.

So why on earth are we forcing registrants to give up this right to choose to whom they share that info?

Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here.

The Status Quo hammering are not productive at all.

RDS are meant to make change to the better!

Sent from my iPhone

...

On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote:

Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me.

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Friday, February 17, 2017 8:25 AM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Another post about the problems with public whois

How anyone here can still defend this abuse of info as a the best system I have serious problems understanding.

http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocallin g-based-whois-info/

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Allison

As others have said, if you have an issue please report it to ICANN, law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn't very helpful for constructive dialogue. We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it's very obvious that the details provided are bogus, but in others it's not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits.

We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C

Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that's a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don't live at any of them, but you can send me physical mail and I will get it. You could argue that the address is "fake", but as I can get mail to it I'd suspect that in many cases it'd be considered valid.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

When you say web site, it should be taken up with the web host not the registrar as the registrant is not necessarily the correct content. Problems with domain -> registrant Problems with content -> Web host Best, Volker Am 17.02.2017 um 20:49 schrieb Mark Svancarek via gnso-rds-pdp-wg:

Counter example "Joe" has a web site which is used to abuse my trademark. I can't contact Joe because his thin data is incorrect or hidden (I don't know that Joe is actually Joe.). I then contact the registrar. They follow up with the privacy proxy service if needed. Hopefully all this happens quickly and the cease and desist message is actually delivered.

In actual practice, there is a noteworthy difference in effectiveness if we have to go through the registrar, compared to us contacting directly. If the registrar isn't responsive, then I may have to pressure ICANN to enforce the registrar contract, which has its own issues.

In either case, your abuse of my trademark is probably a civil issue, so starting with law enforcement isn't a great option, even if they had the inclination and bandwidth to help out in a timely fashion.

-----Original Message----- From: benny@nordreg.se [mailto:benny@nordreg.se] Sent: Friday, February 17, 2017 9:41 AM To: Mark Svancarek <marksv@microsoft.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Let us take a simple example

A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort.

So why on earth are we forcing registrants to give up this right to choose to whom they share that info?

Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here.

The Status Quo hammering are not productive at all.

RDS are meant to make change to the better!

Sent from my iPhone

...

On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote:

Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me.

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Friday, February 17, 2017 8:25 AM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Another post about the problems with public whois

How anyone here can still defend this abuse of info as a the best system I have serious problems understanding.

http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocallin g-based-whois-info/

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Allison

As others have said, if you have an issue please report it to ICANN, law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn't very helpful for constructive dialogue. We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it's very obvious that the details provided are bogus, but in others it's not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits.

We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C

Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that's a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don't live at any of them, but you can send me physical mail and I will get it. You could argue that the address is "fake", but as I can get mail to it I'd suspect that in many cases it'd be considered valid.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

---

gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

---

gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Well, the registrant may not be the right contact in all cases, especially if it comes down to subdomains. But yes, if the registrant is known, then he should probably be contacted right after a known website operator. But if the registrant is unknown, the next contact should be the host as he is closer to the alleged violation than the registrar. Best, Volker Am 20.02.2017 um 11:28 schrieb Michele Neylon - Blacknight:

Volker

Really? As a hosting provider I’d strongly disagree.

If you’ve got a problem with content on a website you should contact the registrant first.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 20/02/2017, 09:54, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Volker Greimann" <gnso-rds-pdp-wg-bounces@icann.org on behalf of vgreimann@key-systems.net> wrote:

When you say web site, it should be taken up with the web host not the registrar as the registrant is not necessarily the correct content.

Problems with domain -> registrant

Problems with content -> Web host

Best,

Volker

Am 17.02.2017 um 20:49 schrieb Mark Svancarek via gnso-rds-pdp-wg: > Counter example > "Joe" has a web site which is used to abuse my trademark. I can't contact Joe because his thin data is incorrect or hidden (I don't know that Joe is actually Joe.). I then contact the registrar. They follow up with the privacy proxy service if needed. Hopefully all this happens quickly and the cease and desist message is actually delivered. > > In actual practice, there is a noteworthy difference in effectiveness if we have to go through the registrar, compared to us contacting directly. If the registrar isn't responsive, then I may have to pressure ICANN to enforce the registrar contract, which has its own issues. > > In either case, your abuse of my trademark is probably a civil issue, so starting with law enforcement isn't a great option, even if they had the inclination and bandwidth to help out in a timely fashion. > > -----Original Message----- > From: benny@nordreg.se [mailto:benny@nordreg.se] > Sent: Friday, February 17, 2017 9:41 AM > To: Mark Svancarek <marksv@microsoft.com> > Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> > Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois > > Let us take a simple example > > A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort. > > So why on earth are we forcing registrants to give up this right to choose to whom they share that info? > > Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here. > > The Status Quo hammering are not productive at all. > > RDS are meant to make change to the better! > > > Sent from my iPhone > >> On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote: >> >> Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me. >> >> >> >> -----Original Message----- >> From: gnso-rds-pdp-wg-bounces@icann.org >> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of >> benny@nordreg.se >> Sent: Friday, February 17, 2017 8:25 AM >> To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> >> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois >> >> Another post about the problems with public whois >> >> How anyone here can still defend this abuse of info as a the best system I have serious problems understanding. >> >> http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocallin >> g-based-whois-info/ >> >> >> -- >> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen >> >> Benny Samuelsen >> Registry Manager - Domainexpert >> >> Nordreg AB - ICANN accredited registrar >> IANA-ID: 638 >> Phone: +46.42197080 >> Direct: +47.32260201 >> Mobile: +47.40410200 >> >>> On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote: >>> >>> Allison >>> >>> As others have said, if you have an issue please report it to ICANN, >>> law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn't very helpful for constructive dialogue. >>> We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it's very obvious that the details provided are bogus, but in others it's not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits. >>> >>> We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: >>> https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C >>> >>> Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that's a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don't live at any of them, but you can send me physical mail and I will get it. You could argue that the address is "fake", but as I can get mail to it I'd suspect that in many cases it'd be considered valid. >>> >>> Regards >>> >>> Michele >>> >>> -- >>> Mr Michele Neylon >>> Blacknight Solutions >>> Hosting, Colocation & Domains >>> https://www.blacknight.com/ >>> http://blacknight.blog/ >>> Intl. +353 (0) 59 9183072 >>> Direct Dial: +353 (0)59 9183090 >>> Personal blog: https://michele.blog/ >>> Some thoughts: https://ceo.hosting/ >>> ------------------------------- >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >>> Park,Sleaty >>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 >>> _______________________________________________ >>> gnso-rds-pdp-wg mailing list >>> gnso-rds-pdp-wg@icann.org >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg >> _______________________________________________ >> gnso-rds-pdp-wg mailing list >> gnso-rds-pdp-wg@icann.org >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Agreed. The question is who is next if the details are not available. If it is content, the next port of call should be the host as the host has the ability to remove said content and also bears certain legal obligations in case of obvious violations while the registrar does not. As the registrar may not even know the actual registrant, for example for registrations under third party privacy services, it does not even make sense to contact the registrar. Best, Volker Am 20.02.2017 um 12:08 schrieb Michele Neylon - Blacknight:

Volker

The key thing is the sequence. If the contact’s details are available either via whois OR on the website then they’re the first port of call.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 20/02/2017, 10:46, "Volker Greimann" <vgreimann@key-systems.net> wrote:

Well, the registrant may not be the right contact in all cases, especially if it comes down to subdomains. But yes, if the registrant is known, then he should probably be contacted right after a known website operator. But if the registrant is unknown, the next contact should be the host as he is closer to the alleged violation than the registrar.

Best,

Volker

Am 20.02.2017 um 11:28 schrieb Michele Neylon - Blacknight: > Volker > > Really? > As a hosting provider I’d strongly disagree. > > If you’ve got a problem with content on a website you should contact the registrant first. > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting, Colocation & Domains > https://www.blacknight.com/ > http://blacknight.blog/ > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Personal blog: https://michele.blog/ > Some thoughts: https://ceo.hosting/ > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > > On 20/02/2017, 09:54, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Volker Greimann" <gnso-rds-pdp-wg-bounces@icann.org on behalf of vgreimann@key-systems.net> wrote: > > When you say web site, it should be taken up with the web host not the > registrar as the registrant is not necessarily the correct content. > > Problems with domain -> registrant > > Problems with content -> Web host > > Best, > > Volker > > > Am 17.02.2017 um 20:49 schrieb Mark Svancarek via gnso-rds-pdp-wg: > > Counter example > > "Joe" has a web site which is used to abuse my trademark. I can't contact Joe because his thin data is incorrect or hidden (I don't know that Joe is actually Joe.). I then contact the registrar. They follow up with the privacy proxy service if needed. Hopefully all this happens quickly and the cease and desist message is actually delivered. > > > > In actual practice, there is a noteworthy difference in effectiveness if we have to go through the registrar, compared to us contacting directly. If the registrar isn't responsive, then I may have to pressure ICANN to enforce the registrar contract, which has its own issues. > > > > In either case, your abuse of my trademark is probably a civil issue, so starting with law enforcement isn't a great option, even if they had the inclination and bandwidth to help out in a timely fashion. > > > > -----Original Message----- > > From: benny@nordreg.se [mailto:benny@nordreg.se] > > Sent: Friday, February 17, 2017 9:41 AM > > To: Mark Svancarek <marksv@microsoft.com> > > Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> > > Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois > > > > Let us take a simple example > > > > A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort. > > > > So why on earth are we forcing registrants to give up this right to choose to whom they share that info? > > > > Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here. > > > > The Status Quo hammering are not productive at all. > > > > RDS are meant to make change to the better! > > > > > > Sent from my iPhone > > > >> On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote: > >> > >> Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me. > >> > >> > >> > >> -----Original Message----- > >> From: gnso-rds-pdp-wg-bounces@icann.org > >> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of > >> benny@nordreg.se > >> Sent: Friday, February 17, 2017 8:25 AM > >> To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> > >> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois > >> > >> Another post about the problems with public whois > >> > >> How anyone here can still defend this abuse of info as a the best system I have serious problems understanding. > >> > >> http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocallin > >> g-based-whois-info/ > >> > >> > >> -- > >> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen > >> > >> Benny Samuelsen > >> Registry Manager - Domainexpert > >> > >> Nordreg AB - ICANN accredited registrar > >> IANA-ID: 638 > >> Phone: +46.42197080 > >> Direct: +47.32260201 > >> Mobile: +47.40410200 > >> > >>> On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote: > >>> > >>> Allison > >>> > >>> As others have said, if you have an issue please report it to ICANN, > >>> law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn't very helpful for constructive dialogue. > >>> We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it's very obvious that the details provided are bogus, but in others it's not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits. > >>> > >>> We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: > >>> https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C > >>> > >>> Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that's a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don't live at any of them, but you can send me physical mail and I will get it. You could argue that the address is "fake", but as I can get mail to it I'd suspect that in many cases it'd be considered valid. > >>> > >>> Regards > >>> > >>> Michele > >>> > >>> -- > >>> Mr Michele Neylon > >>> Blacknight Solutions > >>> Hosting, Colocation & Domains > >>> https://www.blacknight.com/ > >>> http://blacknight.blog/ > >>> Intl. +353 (0) 59 9183072 > >>> Direct Dial: +353 (0)59 9183090 > >>> Personal blog: https://michele.blog/ > >>> Some thoughts: https://ceo.hosting/ > >>> ------------------------------- > >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business > >>> Park,Sleaty > >>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > >>> _______________________________________________ > >>> gnso-rds-pdp-wg mailing list > >>> gnso-rds-pdp-wg@icann.org > >>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > >> _______________________________________________ > >> gnso-rds-pdp-wg mailing list > >> gnso-rds-pdp-wg@icann.org > >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > > _______________________________________________ > > gnso-rds-pdp-wg mailing list > > gnso-rds-pdp-wg@icann.org > > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > > -- > Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. > > Mit freundlichen Grüßen, > > Volker A. Greimann > - Rechtsabteilung - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.: +49 (0) 6894 - 9396 901 > Fax.: +49 (0) 6894 - 9396 851 > Email: vgreimann@key-systems.net > > Web: www.key-systems.net / www.RRPproxy.net > www.domaindiscount24.com / www.BrandShelter.com > > Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: > www.facebook.com/KeySystems > www.twitter.com/key_systems > > Geschäftsführer: Alexander Siffrin > Handelsregister Nr.: HR B 18835 - Saarbruecken > Umsatzsteuer ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu > > Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. > > -------------------------------------------- > > Should you have any further questions, please do not hesitate to contact us. > > Best regards, > > Volker A. Greimann > - legal department - > > Key-Systems GmbH > Im Oberen Werk 1 > 66386 St. Ingbert > Tel.: +49 (0) 6894 - 9396 901 > Fax.: +49 (0) 6894 - 9396 851 > Email: vgreimann@key-systems.net > > Web: www.key-systems.net / www.RRPproxy.net > www.domaindiscount24.com / www.BrandShelter.com > > Follow us on Twitter or join our fan community on Facebook and stay updated: > www.facebook.com/KeySystems > www.twitter.com/key_systems > > CEO: Alexander Siffrin > Registration No.: HR B 18835 - Saarbruecken > V.A.T. ID.: DE211006534 > > Member of the KEYDRIVE GROUP > www.keydrive.lu > > This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone. > > > > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > >

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Hi Volker, Just for clarity - what are the registrars responsible for?. They may be a few on this list who may be a bit confused with this latest thread. Cheers Dick Richard Leaning RIPE NCC External Relations (Sent by iPhone)

On 20 Feb 2017, at 12:24, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Volker

From our perspective the frustration is when the client (registrant) has their details in whois and / or on the website and the complainant makes zero attempt to contact them. The first we hear about the alleged issues is when I get a 100 page takedown notice on my desk. So if they can at least attempt to contact the website operator then it makes our lives a lot easier. As the hosting provider we *should* have details of how to reach the site owner, but not always, as we also offer dedicated servers, colo etc., but we’ll know who the IPs are assigned to

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 20/02/2017, 11:21, "Volker Greimann" <vgreimann@key-systems.net> wrote:

Agreed. The question is who is next if the details are not available. If it is content, the next port of call should be the host as the host has the ability to remove said content and also bears certain legal obligations in case of obvious violations while the registrar does not.

As the registrar may not even know the actual registrant, for example for registrations under third party privacy services, it does not even make sense to contact the registrar.

Best,

Volker

...

Am 20.02.2017 um 12:08 schrieb Michele Neylon - Blacknight: Volker

The key thing is the sequence. If the contact’s details are available either via whois OR on the website then they’re the first port of call.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 20/02/2017, 10:46, "Volker Greimann" <vgreimann@key-systems.net> wrote:

Well, the registrant may not be the right contact in all cases, especially if it comes down to subdomains. But yes, if the registrant is known, then he should probably be contacted right after a known website operator. But if the registrant is unknown, the next contact should be the host as he is closer to the alleged violation than the registrar.

Best,

Volker

...

Am 20.02.2017 um 11:28 schrieb Michele Neylon - Blacknight: Volker

Really? As a hosting provider I’d strongly disagree.

If you’ve got a problem with content on a website you should contact the registrant first.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 20/02/2017, 09:54, "gnso-rds-pdp-wg-bounces@icann.org on behalf of Volker Greimann" <gnso-rds-pdp-wg-bounces@icann.org on behalf of vgreimann@key-systems.net> wrote:

When you say web site, it should be taken up with the web host not the registrar as the registrant is not necessarily the correct content.

Problems with domain -> registrant

Problems with content -> Web host

Best,

Volker

...

Am 17.02.2017 um 20:49 schrieb Mark Svancarek via gnso-rds-pdp-wg: Counter example "Joe" has a web site which is used to abuse my trademark. I can't contact Joe because his thin data is incorrect or hidden (I don't know that Joe is actually Joe.). I then contact the registrar. They follow up with the privacy proxy service if needed. Hopefully all this happens quickly and the cease and desist message is actually delivered.

In actual practice, there is a noteworthy difference in effectiveness if we have to go through the registrar, compared to us contacting directly. If the registrar isn't responsive, then I may have to pressure ICANN to enforce the registrar contract, which has its own issues.

In either case, your abuse of my trademark is probably a civil issue, so starting with law enforcement isn't a great option, even if they had the inclination and bandwidth to help out in a timely fashion.

-----Original Message----- From: benny@nordreg.se [mailto:benny@nordreg.se] Sent: Friday, February 17, 2017 9:41 AM To: Mark Svancarek <marksv@microsoft.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Let us take a simple example

A phone number can you as the one it's registered on choose by yourself if it shall be published in the phone book, if you give the number to someone it's your choice as an individual! If the police want your number they will get without to much effort.

So why on earth are we forcing registrants to give up this right to choose to whom they share that info?

Forget what Whois are as we know it and come up with ideas how we can make a new system which takes reasonable interest of all sides here.

The Status Quo hammering are not productive at all.

RDS are meant to make change to the better!

Sent from my iPhone

...

On 17 Feb 2017, at 18:28, Mark Svancarek <marksv@microsoft.com> wrote:

Spam and DDOS will always be with us, and the need to mitigate them does not eliminate the need to have public data. It seems orthogonal to me.

-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of benny@nordreg.se Sent: Friday, February 17, 2017 8:25 AM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

Another post about the problems with public whois

How anyone here can still defend this abuse of info as a the best system I have serious problems understanding.

http://domainnamewire.com/2017/02/16/control-block-sms-spam-robocallin g-based-whois-info/

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197080 Direct: +47.32260201 Mobile: +47.40410200

...

On 17 Feb 2017, at 14:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Allison

As others have said, if you have an issue please report it to ICANN, law enforcement, consumer protection etc., Some of us take our obligations very seriously and lumping all registrars and providers into one big bucket isn't very helpful for constructive dialogue. We get a number of whois complaints from ICANN every year and we investigate each and every one of them. In some cases it's very obvious that the details provided are bogus, but in others it's not and we have to spend time energy and effort going back and forth with our client and ICANN to resolve it. Sometimes this leads to domains being suspended or deleted, sometimes the whois gets updated, sometimes the complaint is denied. But each complaint is handled on its merits.

We also have a whois privacy service. It is NOT a fake address. You can check it in the Irish company office: https://search.cro.ie/company/CompanyDetails.aspx?id=480317&type=C

Now you may not like that people and organisations choose to obfuscate their contact details via services like that one, but that's a different issue entirely. I also personally have correspondence addresses in the US, mainland UK and a couple in Northern Ireland. I don't live at any of them, but you can send me physical mail and I will get it. You could argue that the address is "fake", but as I can get mail to it I'd suspect that in many cases it'd be considered valid.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

---

gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

---

gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg