@EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Dear Rob,

Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation, but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.

While European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up to date (ICANN Compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0% of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.

Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through means other than the WHOIS. This was the point I tried to make on Tuesday during the conference call.

Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.

In short, for LEA the WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.

Best,
Greg

-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
> Theoretical
> ===========
> We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
>
> For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).

It not only is possible today, it's also "common" (although thankfully not frequent).

Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.

I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".

Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.

Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?

Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *

_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.

On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
--
Terri Stumme
Investigative Analyst
I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning how law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, Twitter, forum posts, etc.

Best,
Volker

On 04.08.2016 at 16:31, Terri Stumme wrote:
--
Should you have any further questions, please do not hesitate to contact us.

Best regards,
Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.

On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Yet IP Whois will usually only yield the webhost or the IS. How is having to ask them for the data any different from having to ask the registrar? Are LEAs lobbying for webhost and internet subscriber public whois?

Best,
Volker

On 04.08.2016 at 17:09, Terri Stumme wrote:
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies utilized. There is domain name Whois and IP Whois -- both critical first steps.
On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning however law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, twitter, forum posts, etc.
Best,
Volker
Am 04.08.2016 um 16:31 schrieb Terri Stumme:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu <mailto:gregory.mounier@europol.europa.eu>> wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime on line but it is an essential tool in the tool box of law enforcement.
Best,
Greg
-----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Rob Golding Sent: 04 August 2016 01:46 To: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
>> Theoretical >> =========== >> We have seen a couple of proposed use cases that seem to be ideas >> that people have for useful or harmful ways that RDS can be used, but >> that do not exist today (at least not that anyone can fully >> document). >> >> For example, there seems to be a desire to use the RDS as a way to >> issue warrants for information about registrants. While this may be >> useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we dont use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?
Rob -- Rob Golding rob.golding@astutium.com <mailto:rob.golding@astutium.com> Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups * _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> *******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
-- /Terri Stumme/ /Investigative Analyst/
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.:+49 (0) 6894 - 9396 901 <tel:%2B49%20%280%29%206894%20-%209396%20901> Fax.:+49 (0) 6894 - 9396 851 <tel:%2B49%20%280%29%206894%20-%209396%20851> Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH, Im Oberen Werk 1, 66386 St. Ingbert. Tel.: +49 (0) 6894 - 9396 901, Fax.: +49 (0) 6894 - 9396 851, Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
--
Terri Stumme
Investigative Analyst
I'm not law enforcement anymore, but perhaps they should be lobbying for webhost and internet subscriber public whois. Again, different methodologies for different types of criminal activity. A domain name being utilized to facilitate criminal activity, you start with the registrant of the domain name and then the account holder (who paid to have the domain name registered). As you stated -- conversation for a later time. On Thu, Aug 4, 2016 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Yet IP Whois will usually only yield the webhost or the ISP. How is having to ask them for the data any different from having to ask the registrar? Are LEAs lobbying for webhost and internet subscriber public whois?
Best,
Volker
On 04.08.2016 at 17:09, Terri Stumme wrote:
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.
On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning how law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, twitter, forum posts, etc.
Best,
Volker
On 04.08.2016 at 16:31, Terri Stumme wrote:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of these is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week. Asked about WHOIS/domain data, he said "we don't use it".
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Volker,
It might be helpful, in advance of this discussion, for you and others who are curious, to review the terms of service and reporting policies of Twitter, etc. No comment intended on the efficacy of these internal procedures, but it may help frame the discussion.
K
Kiran Malancharuvil
Policy Counselor
MarkMonitor
415-419-9138 (m)
Sent from my mobile, please excuse any typos.
On Aug 4, 2016, at 8:51 AM, Terri Stumme <terri.stumme@legitscript.com> wrote:
I'm not law enforcement anymore, but perhaps they should be lobbying for webhost and internet subscriber public whois. Again, different methodologies for different types of criminal activity. A domain name being utilized to facilitate criminal activity, you start with the registrant of the domain name and then the account holder (who paid to have the domain name registered). As you stated -- conversation for a later time.
On Thu, Aug 4, 2016 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Yet IP Whois will usually only yield the webhost or the ISP. How is having to ask them for the data any different from having to ask the registrar? Are LEAs lobbying for webhost and internet subscriber public whois?
Best,
Volker
On 04.08.2016 at 17:09, Terri Stumme wrote:
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.
Dear Volker:
Analogies between domain names and IP addresses are of course sometimes imprecise. I note that:
· Any customer of an RIR has its contact data published in RIR WHOIS. The customers of the RIRs are not allowed to use proxy or privacy data. They must also demonstrate that they have a legitimate need for IP space.
· The assignment of individual IP addresses by an ISP to its end-user customers (such as residential customers, i.e. individuals) is technically, legally, and operationally quite different than registering a domain name. Among other things, it's sometimes a dynamic assignment. See also "carrier-grade NAT" for more.
All best,
--Greg
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Thursday, August 4, 2016 11:13 AM
To: Terri Stumme <terri.stumme@legitscript.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Yet IP Whois will usually only yield the webhost or the ISP. How is having to ask them for the data any different from having to ask the registrar? Are LEAs lobbying for webhost and internet subscriber public whois?
Best,
Volker
On 04.08.2016 at 17:09, Terri Stumme wrote:
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.
On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning how law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, twitter, forum posts, etc.
Best, Volker Am 04.08.2016 um 16:31 schrieb Terri Stumme: Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations. On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu<mailto:gregory.mounier@europol.europa.eu>> wrote: Dear Rob, Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions. If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step. Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call. Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. 
It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes. In short, for LEA WHOIS is certainly not the silver bullet to attribute crime on line but it is an essential tool in the tool box of law enforcement. Best, Greg -----Original Message----- From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Rob Golding Sent: 04 August 2016 01:46 To: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical =========== We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent) Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar. I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we dont use it" Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on. Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ? Rob -- Rob Golding rob.golding@astutium.com<mailto:rob.golding@astutium.com> Astutium Ltd, Number One Poultry, London. EC2R 8JR * domains * hosting * vps * servers * cloud * backups * _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg ******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. 
> note that: Any customer of an RIR has its contact data published in RIR WHOIS

Which is of course no different to saying "Any customer of a Registry (aka Registrar) has its contact data published"

And in practice it's _most_ customers of _most_ RIRs - lots of the lookups for certain regions just-don't-work (tm) and with the amount of 'funkiness' that goes on with IPv4 routing post-runout, what details you see on an IP lookup at an RIR have little-to-no bearing now on who is actually using it - what you're able to see is "who should be (directly or indirectly) paying the RIR's fees"

> Yet IP Whois will usually only yield the webhost or the ISP. How is having to ask them for the data any different from having to ask the registrar?

I would say it's not any different at all in effect, but may be less likely to yield a response due to the limited "policy" capabilities when it comes to "unregulated" industries.

> Are LEAs lobbying for webhost and internet subscriber public whois?

I feel I should suggest that they can probably just extract the data from the NSA or GCHQ or their-local-equivalent, so no need to make it "public" ;)

> I will be interested in learning however law enforcement manages to do its job without this needed and useful data

The caveats being that "useful" is subjective and "needed" depends on circumstances.

I don't see anyone suggesting that there shouldn't be methods in place so that Law Enforcement can do their job.

I do however think that the concept of punishing everyone because there are a very small %age of "bad actors" is, in a civilised society, not even remotely appropriate.

Rob
Hi Rob,

Not sure where to start on this response, I will try and keep it short.

I am not sure that speaking to one ex-FBI agent and a couple of Police officers in Sheffield is a true reflection of the Global LEA position on this WG. It concerns me greatly that you take this view.

It's a big +1 to Greg Mounier, Greg Aaron and Terri.

As an ex Senior Detective from the UK, having just retired last year after 30 years' service, spending the last 7 years or so involved in investigating Cyber crime Nationally and Internationally within SOCA, NCA and then EC3 (European Cyber Crime Centre - Europol), I am more than happy to spend some time with you outside this group to explain the difference between the Intelligence services and LEA.

Also, as I am now working for RIPE NCC (a RIR) as a Consultant, I am also happy at the same time to explain to you about the RIPE Database.

Kind Regards

Dick

Richard Leaning
External Relations
RIPE NCC
On 4 Aug 2016, at 21:20, Rob Golding <rob.golding@astutium.com> wrote:
Thanks Dick. I think you and Greg have made the point that intelligence services are generally not so quick to share their data with the dog catcher. However, if you are going to offer offline tutorials, may we beg a digest of those tutorials for the list? It is hard to get good information on these actual practices. Some of the legislative and policy initiatives in western democracies to share data between investigative agencies, not to mention further investment in big data techniques for profiling without disclosure (not the technical term but I am sure you know what I am referring to) would lead one to conclude that such data sharing is well in hand.

Best regards
stephanie perrin

On 2016-08-05 5:49, Richard Leaning wrote:
> Thanks Dick. I think you and Greg have made the point that intelligence services are generally not so quick to share their data with the dog catcher. However, if you are going to offer offline tutorials, may we beg a digest of those tutorials for the list? It is hard to get good information on these actual practices. Some of the legislative and policy initiatives in western democracies to share data between investigative agencies, not to mention further investment in big data techniques for profiling without disclosure (not the technical term but I am sure you know what I am referring to) would lead one to conclude that such data sharing is well in hand.

Totally agree, Stephanie. There has to be oversight of these practices; it simply is not good enough for intelligence agencies to be Judge, Jury, Executioner, and Court Stenographer — and expect to be trusted, blindly, that they behave in an ethical and appropriate manner. I would like to hear more from those in the intelligence communities around their internal ethical controls, what oversight governs what data is collected and how it is used, and how, say, WHOIS records are being blended together with other data sources to identify someone.

- Ayden

On Fri, Aug 5, 2016 3:58 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:

Ayden Férdeline
Statement of Interest
Stephanie,

There are fusion centers for information sharing purposes, several in the US, established since 9/11. (See: https://www.dhs.gov/national-network-fusion-centers-fact-sheet). While information sharing does occur among agencies (some work together better than others), it does not occur in a consistent manner. Depending upon which agency initiates the investigation, the type of crime being investigated, as well as the individuals involved in the case, real information sharing typically occurs when (if) a conflict arises among agencies investigating the same individuals and/or organizations; a meeting is held at the executive level to negotiate who will be the lead agency, and what information is shared.

On Fri, Aug 5, 2016 at 10:58 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
--
Terri Stumme
Investigative Analyst
Hi Richard

> retired last year

Congrats :)

> to explain the difference between the Intelligence services and LEA.

Because many in the WG have not yet met each other face-to-face, I do of course accept that there will be instances where we are all unable to determine the attitude / involvement / education / skill-level / whatever of other participants.

For the avoidance of doubt, and because several on and off-list replies have brought this up, I am well aware of the differences between those 'roles'.

Whilst never considered as "smartest person in the room" (and wouldn't want to be, how else will I learn anything) I would place myself slightly to the right of "crazy" but squarely in the middle of "not actually stupid".

That I also find myself in the position of reminding a learned group of individuals on an Internet Policy mailing list how to interpret tone and intent from a text-based medium (which is primarily done through the use of a "smiley") shouldn't, but somehow does, astound me - so for those that missed it, the comment was clearly marked by the :wink: at the end of the line.

> Also, as I am now working for RIPE NCC (a RIR) as a Consultant, I am also happy at the same time to explain to you about the RIPE Database.

Having been a RIPE LIR for more than 10 years before you started being an LEA Rep for them, I feel I have a reasonably good understanding of the DB, but thank you for the offer.

When opportunity arises, and I sincerely hope it does (assuming Brits are still allowed to travel to Belgium after Brexit) I'd love to sit down with you for beers and a chat about RIPE and, far more interesting to me, your other roles/experience.

But, the fact remains, however well maintained and managed the RIPE-DB is, "hole-punching" has been a common practice for 20 years (and not all RIRs follow the same practices in the same way as the RIPE NCC) and it is extremely prevalent now, and sub-allocation/assignment are industry norms.

So we need to dispel any attempt at creating/perpetuating a myth that any RIR DB could be a 1-stop-shop for finding out who is "behind" an IP address and its obvious parallel that any RDAP-DB will be a 1-stop-shop for finding out who is "behind" a domain name.

As to the possible criminality of a domain name - as opposed to the possible criminality of something accessed over the public internet which may or may not involve a domain name at some point during an access method - whole different discussion.

- Can the current WHOIS data provide insight/help/whatever to (insert-group-with-agenda-here)? Probably, correctly interpreted _data_ can be used for a purpose.
- Should (insert-group-with-agenda-here) have free, unrestricted access to the data? Debatable, depends on the 'group' and the viewpoint of the data subject.
- Are there parallels of other 'ownership' databases being public? Not sure, I'm not aware of any supplier who makes a complete list of all their customers' private/location/purchase details public.

Consider:

- Why doesn't every Gov't make a complete list of all its citizens and their private/location details public? Because ...
  a. they don't know
  b. what they do know would only be accurate as at compilation time
  c. someone knows keeping such data private inherently makes the people more secure
  etc

That's before adding that through interpretation/extrapolation it would ultimately allow the use of that list by anyone to ensure it becomes ultimately trivial to find out any other piece of information about that citizen.

Rob
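To make the sub-allocation point concrete (both the "hole-punching" remark here and the earlier one that an RIR lookup shows who pays the RIR's fees rather than who uses the address), here is an added example; it is not code from the thread, from RIPE NCC or from any RIR, and every netname, organisation, status label and the 198.51.100.0/24 documentation range in it are constructed sample data.

```python
"""Constructed toy model of a hierarchical RIR address database.

An added example, not code from the thread, from RIPE NCC or from any RIR.
It shows the effect described in the thread: an IP lookup returns only the
most specific object that someone bothered to register, so what you see is
the party holding (and paying for) the block, not necessarily whoever is
using the address. All netnames, organisations and the 198.51.100.0/24
range (an RFC 5737 documentation prefix) are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Inetnum:
    """Simplified inetnum-style object; the field set is an assumption."""
    prefix: str    # CIDR for brevity; real objects use "start - end" ranges
    netname: str
    org: str
    status: str    # RIPE-style labels: ALLOCATED / SUB-ALLOCATED / ASSIGNED


# Constructed sample hierarchy: the RIR allocates a /24 to an LIR, the LIR
# sub-allocates a /26 to a hosting company, which registers one /28 customer
# assignment and leaves the rest of its block unregistered.
SAMPLE_DB: List[Inetnum] = [
    Inetnum("198.51.100.0/24", "EXAMPLE-LIR", "Example LIR Ltd", "ALLOCATED PA"),
    Inetnum("198.51.100.0/26", "HOSTCO-NET", "HostCo Hosting GmbH", "SUB-ALLOCATED PA"),
    Inetnum("198.51.100.16/28", "HOSTCO-CUST-WEBSHOP", "WebShop Example SARL", "ASSIGNED PA"),
]


def covering_objects(ip: str, db: List[Inetnum] = SAMPLE_DB) -> List[Inetnum]:
    """All registered objects whose range contains ip, least specific first."""
    addr = ipaddress.ip_address(ip)
    found = [o for o in db if addr in ipaddress.ip_network(o.prefix)]
    return sorted(found, key=lambda o: ipaddress.ip_network(o.prefix).prefixlen)


def lookup(ip: str, db: List[Inetnum] = SAMPLE_DB) -> Optional[Inetnum]:
    """What a whois-style query shows: the most specific registered object, or None."""
    chain = covering_objects(ip, db)
    return chain[-1] if chain else None


def holder_chain(ip: str, db: List[Inetnum] = SAMPLE_DB) -> List[str]:
    """Netnames from the RIR allocation down to the most specific object."""
    return [o.netname for o in covering_objects(ip, db)]


def is_end_user_assignment(ip: str, db: List[Inetnum] = SAMPLE_DB) -> bool:
    """True only if the visible object is an ASSIGNED end-user registration.

    An ALLOCATED or SUB-ALLOCATED result means the lookup stopped at an
    intermediary (LIR or hosting provider): the record names who is
    responsible for the block towards the RIR, not who operates the address.
    """
    obj = lookup(ip, db)
    return obj is not None and obj.status.startswith("ASSIGNED")


if __name__ == "__main__":
    # 198.51.100.20 has a registered assignment; .40 sits in the hosting
    # company's unregistered remainder; .200 was never sub-allocated at all.
    for ip in ("198.51.100.20", "198.51.100.40", "198.51.100.200"):
        obj = lookup(ip)
        print(ip, "->", obj.netname, obj.status, "| chain:", holder_chain(ip),
              "| end-user assignment:", is_end_user_assignment(ip))
```

The check worth keeping from this is the status test: a result that is not an end-user assignment identifies the block's holder towards the RIR, and further attribution has to come from that holder, exactly as with a registrar for a domain name.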
Hi Rob,

You make some very valid points. Which the WG will spend many a sleepless night worrying about, I suspect.

I am of course fully aware that an RIR database has its faults, which we are all working very hard to resolve and you know that takes time. But as has been mentioned before, comparing an RIR database and a DNS database is sometimes confusing - they don't really do the same thing.

Am always up for a beer - it's in my DNA as an (ex) cop ;-) I spend half my time when not on the road between London and Brussels - so name the date, time and city and I'll be there ;-)

Stephanie - Maybe we could find some time during the next f2f meeting in India.

In the meantime I will try to summarise quickly the main difference in the context of this WG. The caveat is, this is my way of explaining it from a European, mainly UK perspective.

LEA are mostly reactive - a crime has been committed and they investigate to ID the individuals involved and bring them to justice. To do so they need evidence that will stand up to cross examination and prove without doubt that an individual(s) is guilty of the crime they are accused of. This evidence is collected under a legal framework - information/intelligence/hearsay is not evidence - (it's a bit more complicated than that but hopefully you get the point). LEA do of course exchange information/intelligence/evidence with each other but under a strict legal framework - MLATs for example.

Intelligence services are pro-active. Preventing a criminal act for example. They rarely, if ever, attend a court of law in any type of criminal prosecution so they are more focussed on information and intelligence. But they still gather this under a legal framework. No matter what 007 or Jason Bourne would like you to believe, they don't have a free rein to do whatever they want. I know some will find that hard to believe but trust me, it's true.

So in the context of this WG - a LE officer will look at the database to see what information it holds that will lead to ID an individual involved in a criminal act and then evidence it. We also need to remember that LEAs have many investigative methods to ID individuals, there is not one method that works every time, each investigation is different. The DNS database in one investigation may be useless but on another will be extremely important.

Not sure this has helped, it will probably lead to more questions than answers ;-) Maybe if the other LEA guys and cyber investigators - (Terri and Ade) would like to add their perspective?

Cheers

Dick

Richard Leaning
External Relations
RIPE NCC
On 5 Aug 2016, at 19:25, Rob Golding <rob.golding@astutium.com> wrote:

Hi Richard

> retired last year

Congrats :)

> to explain the difference between the Intelligence services and LEA.

Because many in the WG have not yet met each other face-to-face, I do of course accept that there will be instances where we are all unable to determine the attitude / involvement / education / skill-level / whatever of other participants.

For the avoidance of doubt, and because several on- and off-list replies have brought this up, I am well aware of the differences between those 'roles'.

Whilst never considered as "smartest person in the room" (and wouldn't want to be, how else will I learn anything) I would place myself slightly to the right of "crazy" but squarely in the middle of "not actually stupid".

That I also find myself in the position of reminding a learned group of individuals on an Internet Policy mailing list how to interpret tone and intent from a text-based medium (which is primarily done through the use of a "smiley") shouldn't, but somehow does, astound me - so for those that missed it, the comment was clearly marked by the :wink: at the end of the line.

> Also as am now working for RIPE NCC (a RIR) as a Consultant am also happy at the same time, explain to you about the RIPE Database.

Having been a RIPE LIR for more than 10 years before you started being an LEA Rep for them, I feel I have a reasonably good understanding of the DB, but thank you for the offer.

When the opportunity arises, and I sincerely hope it does (assuming Brits are still allowed to travel to Belgium after Brexit) I'd love to sit down with you for beers and a chat about RIPE and, far more interesting to me, your other roles/experience.

But, the fact remains, however well maintained and managed the RIPE-DB is, "hole-punching" has been a common practice for 20 years (and not all RIRs follow the same practices in the same way as the RIPE NCC) and it is extremely prevalent now, and sub-allocation/assignment are industry norms.

So we need to dispel any attempt at creating/perpetuating a myth that any RIR DB could be a 1-stop-shop for finding out who is "behind" an IP address and its obvious parallel that any RDAP-DB will be a 1-stop-shop for finding out who is "behind" a domain name.

As to the possible criminality of a domain name - as opposed to the possible criminality of something accessed over the public internet which may or may not involve a domain name at some point during an access method - whole different discussion.

- Can the current WHOIS data provide insight/help/whatever to (insert-group-with-agenda-here)? Probably, correctly interpreted _data_ can be used for a purpose.
- Should (insert-group-with-agenda-here) have free, unrestricted access to the data? Debatable, depends on the 'group' and the viewpoint of the data subject.
- Are there parallels of other 'ownership' databases being public? Not sure, I'm not aware of any supplier who makes a complete list of all their customers' private/location/purchase details public.

Consider:

- Why doesn't every Gov't make a complete list of all its citizens and their private/location details public? Because ...
  a. they don't know
  b. what they do know would only be accurate as at compilation time
  c. someone knows keeping such data private inherently makes the people more secure
  etc

That's before adding that through interpretation/extrapolation it would ultimately allow the use of that list by anyone to ensure it becomes ultimately trivial to find out any other piece of information about that citizen.

Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
Terri,

> Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.

I do not find this line of reasoning particularly persuasive. Transparency in how these bodies operate is hugely important, because law enforcement and intelligence agencies are entrusted with special privileges and immense powers. The citizenry can only hold these bodies to account when the public has sufficient access to information as to how they are operating.

- Ayden

On Thu, Aug 4, 2016 4:09 PM, Terri Stumme <terri.stumme@legitscript.com> wrote:

Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.

On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning how law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, twitter, forum posts, etc.

Best,
Volker

On 04.08.2016 at 16:31, Terri Stumme wrote:

Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
Ayden,

I respect your opinion regarding transparency; I cannot and do not speak to the methodologies of other law enforcement and/or government jurisdictions, and I am not attempting to be persuasive -- my statement speaks to the reality of my experience, and the rules and regulations in place that I was, and am required to abide by. There are laws and regulations governing law enforcement and intelligence agencies, and the appropriately appointed governing bodies perform oversight and enforce compliance of both law enforcement and intelligence agencies.

If law enforcement and intelligence agencies had the special privileges and immense powers you presume they do, the many challenges they face in fighting cybercrime would not be an issue, and the need for LE to be a part of, and participate in the ICANN stakeholder community would, therefore, be unnecessary.

On Mon, Aug 8, 2016 at 8:13 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Terri,
> Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies are utilized. There is domain name Whois and IP Whois -- both critical first steps.
I do not find this line of reasoning particularly persuasive. Transparency in how these bodies operate is hugely important, because law enforcement and intelligence agencies are entrusted with special privileges and immense powers. The citizenry can only hold these bodies to account when the public has sufficient access to information as to how they are operating.
- Ayden
Thanks for sharing your experience here, Terri. I value your input.

> There are laws and regulations governing law enforcement and intelligence agencies, and the appropriately appointed governing bodies perform oversight and enforce compliance of both law enforcement and intelligence agencies.

I am less confident than you are that intelligence agencies are accountable and comply with the law. Much to the contrary, take a look at the NSA. This is an institution that I consider to be destitute of any principles I share. Look at to whom it is accountable — certainly not to Congress. In my view secret courts, secret laws, and secret interpretations of laws have absolutely no place in a democracy. In the words of Lord Acton, "Power tends to corrupt, and absolute power corrupts absolutely."

> If law enforcement and intelligence agencies had the special privileges and immense powers you presume they do, the many challenges they face in fighting cybercrime would not be an issue, and the need for LE to be a part of, and participate in the ICANN stakeholder community would, therefore, be unnecessary.

That these entities already have access to this information does not mean they act upon it, or know how to interpret all that they collect. As best I can tell, and this is true in Europe at least, intelligence agencies overwhelm themselves collecting too much data when they do not have the capability to make sense of it in a timely fashion.

- Ayden

On 9 August 2016 at 16:31, Terri Stumme <terri.stumme@legitscript.com> wrote:
Ayden,
I respect your opinion regarding transparency; I cannot and do not speak to the methodologies of other law enforcement and/or government jurisdictions, and I am not attempting to be persuasive -- my statement speaks to the reality of my experience, and the rules and regulations in place that I was, and am required to abide by. There are laws and regulations governing law enforcement and intelligence agencies, and the appropriately appointed governing bodies perform oversight and enforce compliance of both law enforcement and intelligence agencies.
If law enforcement and intelligence agencies had the special privileges and immense powers you presume they do, the many challenges they face in fighting cybercrime would not be an issue, and the need for LE to be a part of, and participate in the ICANN stakeholder community would, therefore, be unnecessary.
On Mon, Aug 8, 2016 at 8:13 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Terri,
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies utilized. There is domain name Whois and IP Whois -- both critical first steps.
I do not find this line of reasoning particularly persuasive. Transparency in how these bodies operate is hugely important, because law enforcement and intelligence agencies are entrusted with special privileges and immense powers. The citizenry can only hold these bodies to account when the public has sufficient access to information as to how they are operating.
- Ayden
On Thu, Aug 4, 2016 4:09 PM, Terri Stumme terri.stumme@legitscript.com wrote:
Law enforcement investigative methodologies are not typically divulged, for obvious reasons; there are several approaches to cyber investigations, and depending on the type of criminal activity, different methodologies utilized. There is domain name Whois and IP Whois -- both critical first steps.
On Thu, Aug 4, 2016 at 10:49 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
I think we are forging ahead into territories reserved for future times, but when that time comes, I will be interested in learning however law enforcement manages to do its job without this needed and useful data in areas where it is not public, such as web hosting, twitter, forum posts, etc.
Best,
Volker
Am 04.08.2016 um 16:31 schrieb Terri Stumme:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory < gregory.mounier@europol.europa.eu> wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA, WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent).
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data, he said "we don't use it".
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which begs the question, should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************
DISCLAIMER: This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
-- *Terri Stumme* *Investigative Analyst*
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems / www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP: www.keydrive.lu
This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Ayden Férdeline Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI>
Terri,
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
These were recommendations; nothing more, nothing less.
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data.
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information.
I think it is important that we make this distinction.
- Ayden
On Thu, Aug 4, 2016 3:31 PM, Terri Stumme terri.stumme@legitscript.com wrote:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
Ayden,
These were *recommendations*; nothing more, nothing less. Although included in the 2013 RAA
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data. As does LE
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others. I support a balance here; my personal information, as well as the personal information of my family members, as well as thousands of US federal employees, was compromised in the hack of the Office of Personnel Management federal employee records.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information. There is no privileged access to information afforded to LE, and appropriate legal processes are abided by throughout investigations.
Private entities have become attached to the unquestionably valid objectives of law enforcement due to the inherent nature of the beast.
"Because the private sector owns and operates a vast majority of the nation's critical infrastructure, partnerships between the public and private sectors are essential to maintaining critical infrastructure security and resilience. These partnerships create an environment to share critical threat information, risk mitigation, and other vital information and resources." Source: https://www.dhs.gov/critical-infrastructure-sector-partnerships
I think it is important that we make this distinction.
On Mon, Aug 8, 2016 at 8:12 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Terri,
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
These were *recommendations*; nothing more, nothing less.
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data.
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information.
I think it is important that we make this distinction.
- Ayden
On Thu, Aug 4, 2016 3:31 PM, Terri Stumme terri.stumme@legitscript.com wrote:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
Hi Terri,
Please see my responses in-line.
Thanks,
Ayden
On 9 August 2016 at 17:51, Terri Stumme <terri.stumme@legitscript.com> wrote:
Ayden,
These were *recommendations*; nothing more, nothing less. Although included in the 2013 RAA
An agreement containing, I have been told, a litany of unintended consequences.
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data. As does LE
Absolutely. I do not mean to suggest otherwise.
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others. I support a balance here; my personal information, as well as the personal information of my family members, as well as thousands of US federal employees, was compromised in the hack of the Office of Personnel Management federal employee records.
I am sorry to hear you were the victim of cybercrime. And a balance is precisely what I am advocating for, so it seems like we are on the same page. This shouldn't be a zero-sum game. Privacy and security should be mutually reinforcing. In addition, strengthened data and security practices also decrease the risks associated with personal data collection and processing for both end-users and businesses. A study from IBM in 2015 <https://securityintelligence.com/cost-of-a-data-breach-2015/> found that the average data breach cost each impacted company USD $3.79 million, without factoring in the consumer confidence lost as a result of their personally identifiable data being stolen or misused.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information. There is no privileged access to information afforded to LE, and appropriate legal processes are abided by throughout investigations.
Yes, there is privileged access to information afforded to intelligence agencies. It is common knowledge that the NSA has a 1-million-square-foot data centre in Utah sucking up the data of people without warrants, and without probable cause. The only 'check' that there is on the NSA's surveillance techniques is that of the Foreign Intelligence Surveillance Court, a secret body of judges that hears arguments from only one side: the NSA. I would suggest that it is not a beacon of accountability. As for law enforcement, this varies by country and perhaps in the US law enforcement does not have such a right (I don't know, but I'd be willing to bet that "officer discretion", "exigent circumstances", etc. would be enough to justify a lot of actions). Their authority, combined with a badge, a "trusted third party" data sharing agreement, or a simple request, is likely to be more fruitful than if I were to request the same information as a private citizen.
Private entities have become attached to the unquestionably valid objectives of law enforcement due to the inherent nature of the beast.
I take a rather bleak view of companies which gather data on individuals without their knowledge or consent.
"Because the private sector owns and operates a vast majority of the nation's critical infrastructure, partnerships between the public and private sectors are essential to maintaining critical infrastructure security and resilience. These partnerships create an environment to share critical threat information, risk mitigation, and other vital information and resources." Source: https://www.dhs.gov/critical-infrastructure-sector-partnerships
I would agree that we get better answers to complex questions when a range of experts and interests can meaningfully take part in the discussions. However, this quote is referring to the investment made by private sector actors who invest in, construct, and/or own pieces of critical infrastructure (things like dams, nuclear reactors, water systems, satellites). I agree that the public and private sectors, here, need to work together to identify threats and vulnerabilities in a collaborative and creative manner. This quote is not suggesting that all private sector actors should have the same scope to collect data as intelligence agencies or law enforcement might be able to. And, I will insist here, they should not. Some private investigators may like to attach themselves to the "cloak of legitimacy" which is afforded public actors, but in some instances I find these perceived associations to be highly problematic. I suppose this is a conversation for another time.
I think it is important that we make this distinction.
Ayden,
You are correct. NSA collects data without warrants and without probable cause. However, the purpose for the collection of the data is in the interest of national security. The data collected by the NSA is not shared with any other three-letter agency in the US without that agency providing probable cause, presented in the form of a signed court order. If an individual is not involved in criminal activity, then their data sitting in a government data center should not be of concern. Of more concern should be what private companies do with the data they collect: sell it for a profit.
Regarding your statement: "The only 'check' that there is on the NSA's surveillance techniques is that of the Foreign Intelligence Surveillance Court, a secret body of judges that hears arguments from only one side: the NSA." I can tell you (although you probably won't believe it anyway) that there are very stringent internal regulations and oversight of the NSA program. And, I would bet that the US is not the only government that has a program like NSA's. You just haven't heard about those ...
The private sector owns and operates a vast majority of the entire Internet infrastructure, and that includes critical components of the infrastructure. The point is that the same joint effort of the private sector and government towards enhancing the security and resilience of the nation's critical infrastructure can and should be applied to protecting the public against cybercriminals involved in identity theft, human trafficking, drug trafficking, child abuse, etc.
On Wed, Aug 10, 2016 at 6:01 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
Hi Terri,
Please see my responses in-line.
Thanks,
Ayden
On 9 August 2016 at 17:51, Terri Stumme <terri.stumme@legitscript.com> wrote:
Ayden,
These were *recommendations*; nothing more, nothing less. Although included in the 2013 RAA
An agreement containing, I have been told, a litany of unintended consequences.
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data. As does LE
Absolutely. I do not mean to suggest otherwise.
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others. I support a balance here; my personal information, as well as the personal information of my family members, as well as thousands of US federal employees, was compromised in the hack of the Office of Personnel Management federal employee records.
I am sorry to hear you were the victim of cybercrime.
And a balance is precisely what I am advocating for, so it seems like we are on the same page. This shouldn't be a zero-sum game. Privacy and security should be mutually reinforcing.
In addition, strengthened data and security practices also decrease the risks associated with personal data collection and processing for both end-users and businesses. A study from IBM in 2015 <https://securityintelligence.com/cost-of-a-data-breach-2015/> found that the average data breach cost each impacted company USD $3.79 million, without factoring in for the consumer confidence lost as a result of their personally-identifiable data being stolen or misused.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information. There is no privileged access to information afforded to LE, and appropriate legal processes are abided by throughout investigations.
Yes, there is privileged access to information afforded to intelligence agencies. It is common knowledge that the NSA has a 1-million-square-foot data centre in Utah sucking up the data of people without warrants, and without probable cause. The only 'check' that there is on the NSA's surveillance techniques is that of the Foreign Intelligence Surveillance Court, a secret body of judges that hears arguments from only one side: the NSA. I would suggest that it is not a beacon of accountability.
As for law enforcement, this varies by country and perhaps in the US law enforcement does not have such a right (I don't know, but I'd be willing to bet that "officer discretion", "exigent circumstances", etc. would be enough to justify a lot of actions.) Their authority, combined with a badge, a "trusted third party" data sharing agreement, or a simple request, is likely to be more fruitful than if I was to request the same information as a private citizen.
Private entities have become attached to the unquestionably valid objectives of law enforcement due to the inherent nature of the beast.
I take a rather bleak view of companies which gather data on individuals without their knowledge or consent.
*"Because the private sector owns and operates a vast majority of the nation's critical infrastructure, partnerships between the public and private sectors are essential to maintaining critical infrastructure security and resilience. These partnerships create an environment to share critical threat information, risk mitigation, and other vital information and resources."* Source: https://www.dhs.gov/critical-infrastructure-sector-partnerships
I would agree that we get better answers to complex questions when a range of experts and interests can meaningfully take part in the discussions.
However, this quote is referring to the investment made by private sector actors who invest in, construct, and/or own pieces of critical infrastructure (things like dams, nuclear reactors, water systems, satellites). I agree that the public and private sectors, here, need to work together to identify threats and vulnerabilities in a collaborative and creative manner.
This quote is not suggesting that all private sector actors should have the same scope to collect data as intelligence agencies or law enforcement might be able to. And, I will insist here, they should not. Some private investigators may like to attach themselves to the "cloak of legitimacy" which is afforded public actors, but in some instances I find these perceived associations to be highly problematic. I suppose this is a conversation for another time.
I think it is important that we make this distinction.
On Mon, Aug 8, 2016 at 8:12 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Terri,
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
These were *recommendations*; nothing more, nothing less.
Multiple stakeholders around the world have compelling reasons and competing interests when it comes to accessing electronic data.
I understand that law enforcement and intelligence agencies need the ability to fulfil their mission to prevent serious crime (or, failing that, to bring the perpetrators to justice).
At the same time, the protection and promotion of civil liberties, human rights, and the right to privacy are not equally as strong in every territory around the world. Some countries are more authoritarian than others.
Attaching themselves to the unquestionably valid objectives that law enforcement and intelligence agencies have are private entities who do not have the same legal mandates or privileged access to information.
I think it is important that we make this distinction.
- Ayden
On Thu, Aug 4, 2016 3:31 PM, Terri Stumme terri.stumme@legitscript.com wrote:
Absolutely, Greg. The 2009 law enforcement recommendations regarding amendments to the RAA addressed Whois data, specifically the need for validating registrant information. The reason this recommendation was included in the recommendations is because LE utilizes the data in cyber investigations. There are many transcripts related to this issue, and LE has conveyed to the ICANN community on several occasions the importance of Whois data, and how LE utilizes the data in cyber investigations.
On Thu, Aug 4, 2016 at 8:59 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Thanks for making this point. One of the risks to law abiding end users, who are not checking their domain registrations every day like big corporations do, is that identity theft will surely follow greater accuracy requirements. Since many governments have failed to take ownership of the problem of ID theft (I can speak knowledgeably for Canada, but plenty of international work on this topic leads me to believe the matter is falling between stools elsewhere) we need to focus on this genuine risk to end users. Not much written about it, do we have a document we can add to our list so that we can digest a potential requirement?
regards
Stephanie Perrin
On 2016-08-04 8:59, Mounier, Grégory wrote:
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
Thanks for making this point. One of the risks to law abiding end users, who are not checking their domain registrations every day like big corporations do, is that identity theft will surely follow greater accuracy requirements. Since many governments have failed to take ownership of the problem of ID theft (I can speak knowledgeably for Canada, but plenty of international work on this topic leads me to believe the matter is falling between stools elsewhere) we need to focus on this genuine risk to end users. Not much written about it, do we have a document we can add to our list so that we can digest a potential requirement?
Thanks for raising this, Stephanie. I do not have any reference documents to introduce but I agree it is a potential requirement we need to be addressing. In the case of ID theft, it is not only the individual whose data which has been stolen who is the victim, but the government too, albeit with different consequences. If the RDS collects what (in my view is) registrar-registrant contract information, any data breach would present a harm not only to the end-user, but also to the company whose customer's data has been stolen, perhaps for coercive purposes.
- Ayden
On Fri, Aug 5, 2016 3:52 PM, Stephanie Perrin stephanie.perrin@mail.utoronto.ca wrote:
Thanks for making this point. One of the risks to law abiding end users, who are not checking their domain registrations every day like big corporations do, is that identity theft will surely follow greater accuracy requirements. Since many governments have failed to take ownership of the problem of ID theft (I can speak knowledgeably for Canada, but plenty of international work on this topic leads me to believe the matter is falling between stools elsewhere) we need to focus on this genuine risk to end users. Not much written about it, do we have a document we can add to our list so that we can digest a potential requirement?
regards
Stephanie Perrin
On 2016-08-04 8:59, Mounier, Grégory wrote:
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
On Fri, Aug 05, 2016 at 10:52:04AM -0400, Stephanie Perrin wrote:
corporations do, is that identity theft will surely follow greater accuracy requirements.
This is an interesting assertion, but I'm not sure how to evaluate its truth conditions. Why is that sure?
Best regards,
A
--
Andrew Sullivan ajs@anvilwalrusden.com
We don't know, because we have no statistics on the matter, but as was originally stated, at the moment there is no requirement to steal real identities and use their phone numbers and addresses if there is incomplete verification done. Now, registrars (notably Elliot Noss) were stating last year that in response to the RAA requirements to cut off unverifiable phone numbers, they found no incidence of crime. However, the crime of ID theft is not going to start until the accuracy requirements cause problems...and it is not clear (without stats) that this is the case yet. Just my 2 cents Andrew, but it seems logical.
Stephanie
On 2016-08-08 9:02, Andrew Sullivan wrote:
On Fri, Aug 05, 2016 at 10:52:04AM -0400, Stephanie Perrin wrote:
corporations do, is that identity theft will surely follow greater accuracy requirements. This is an interesting assertion, but I'm not sure how to evaluate its truth conditions. Why is that sure?
Best regards,
A
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law. I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister.
And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards. The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas
that people have for useful or harmful ways that RDS can be used, but
that do not exist today (at least not that anyone can fully
document).
For example, there seems to be a desire to use the RDS as a way to
issue warrants for information about registrants. While this may be
useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
participants (10)
- Andrew Sullivan
- Ayden Férdeline
- Greg Aaron
- Kiran Malancharuvil
- Mounier, Grégory
- Richard Leaning
- Rob Golding
- Stephanie Perrin
- Terri Stumme
- Volker Greimann