@EXT: RE: Use case - LEA
Dear David,
Thank you very much for your constructive comments. These are indeed not "compromised websites" as in "stolen domains" but regular domains, registered for illegal purpose. I have amended the use case accordingly.
Now, I am not sure I understand your point about "designing a case to appear urgent and emotive". It just happens that EC3 has 3 different teams of cyber investigators: one is working on intrusion/malwares/botnets, the second one on online payment fraud and the second one on online child sexual exploitation and distribution of CAM. I asked each team to give me examples of cases they were currently working on and in which they used WHOIS data. So far I have received this one and I thought that it was illustrative of the use made of WHOIS information in criminal investigations so I decided to share it with the group. I will certainly get some more examples from the malware team and I'll share them too.
These are real use cases and not scenarios: I have checked the urls today and the websites are still online as we speak. And yes, I do have colleagues (1/3 of EC3's work force) working every day on online child abuse cases because this is a major problem in our digitalised and connected societies.
But if the group decides that we should not mention content or give context because it could make the use cases "emotive" then I am happy to simply talk about "illegal activities". But then we should not mention Turkey either.
Looking forward to continuing the discussion.
Kind regards,
Greg
-----Original Message----- From: David Cake [mailto:dave@davecake.net] Sent: 26 July 2016 09:32 To: Mounier, Grégory Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] @EXT Use case - LEA
At a first glance, this seems contradictory. You state that the web sites are compromised - then assume that not just some WHOIS data is valid, but enough of it to find cross-correlations. If the domains were compromised, this would be meaningless - a linked email address would just indicate that multiple sites belonging to the same original person were compromised at the same time, presumably by compromise of a shared host or shared controlling organisation, and it's rare that sites are compromised unless it's entirely done via DNS mechanisms, in which case we could probably deal with that issue (stolen domains) without bringing content into it.
So your use case assumes that the sites were not compromised, but registered for illegal purpose, which is an entirely different situation. This seems like a poorly constructed use case to me, in that while it seems designed to appear very urgent and emotive by focussing on content that no one would support, the actual DNS scenario we are trying to address here is very unclear.
David
On 26 Jul 2016, at 6:25 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear all,
Please find attached a use case which shows how accurate WHOIS information, combined with other types of evidence, can help attribute crime online.
Regards,
Greg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
<EUROPOL-Use_case_-_Compromised_websites_distributing_child_abuse_material_-_PDP_NG_RDS_WHOIS.pdf>
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
On 26 Jul 2016, at 11:25 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
> Dear David,
> Thank you very much for your constructive comments. These are indeed not "compromised websites" as in "stolen domains" but regular domains, registered for illegal purpose. I have amended the use case accordingly.
Thank you for clarifying. The two cases are very different in terms of how they should interact with the RDS and domain name system generally.
> Now, I am not sure I understand your point about "designing a case to appear urgent and emotive". It just happens that EC3 has 3 different teams of cyber investigators: one is working on intrusion/malwares/botnets, the second one on online payment fraud and the second one on online child sexual exploitation and distribution of CAM. I asked each team to give me examples of cases they were currently working on and in which they used WHOIS data. So far I have received this one and I thought that it was illustrative of the use made of WHOIS information in criminal investigations so I decided to share it with the group. I will certainly get some more examples from the malware team and I'll share them too.
Thank you for clarifying the origin. FWIW, I’m unsure whether we should simply treat it as clearly illegal material, that is illegal across multiple jurisdictions, or specifically address child abuse material as something that poses unique challenges. If the latter, I would probably want slightly more info, such as, is this material that is clearly illegal across most jurisdictions such as material on the INTERPOL list, or only in some jurisdictions.
> These are real use cases and not scenarios: I have checked the urls today and the websites are still online as we speak. And yes, I do have colleagues (1/3 of EC3's work force) working every day on online child abuse cases because this is a major problem in our digitalised and connected societies.
> But if the group decides that we should not mention content or give context because it could make the use cases "emotive" then I am happy to simply talk about "illegal activities". But then we should not mention Turkey either.
If you think the specific nature of the material involved is significant to the approach we should take (and it may be) then that should be clear in the use case.
David
> Looking forward to continuing the discussion.
> Kind regards,
> Greg
Some crimes are recognized nearly universally, and child abuse is one, we have signed treaties have we not? I think that is a good reason to use this example, but we must remember that ICANN is not in the business of analyzing content on websites, (or setting policy for same) it is in the business of assisting in the execution of lawful orders to take down a website when served. I realize this seems like a quibble, but it seems to me it is an important one. As opposed to other crimes that might not be universally recognized (eg hate speech, political speech that is banned in only one country) an order for an action in the matter of child abuse would be universally accepted. ICANN would also be in the business of setting policy with respect to assisting in the investigation of the offence with a view to providing information useful to criminal prosecution. However, as the data commissioners have pointed out in their correspondence with ICANN (see Article 29 letters re RAA) they should not be in the business of compelling illegal data retention just in case a registrant might commit a crime.
Stephanie Perrin
Hi Stephanie,
It's far from settled that ICANN policies have nothing to do with content (see UDRP, URS, most RPMs, PICs, etc.). Can we concentrate on getting use cases out without making these kinds of judgments about them?
Thanks,
Kiran
Kiran Malancharuvil Policy Counselor MarkMonitor 415-419-9138 (m)
Sent from my mobile, please excuse any typos.
https://www.icann.org/news/blog/icann-is-not-the-internet-content-police
"The simple fact is that many laws in effect in numerous countries render content itself illegal. However the 2013 RAA is interpreted, it cannot mean that ICANN is responsible for making factual and legal determinations as to whether content violates the law. ICANN cannot be put in the position of requiring suspension of domain names on the basis of allegations of blasphemy, hate speech, holocaust denial, political organizing, full or partial nudity or a host of other content that may be illegal somewhere in the world. That would be inconsistent with ICANN's mission, ICANN's limited remit and ICANN's responsibility to operate in accordance with a consensus-driven multistakeholder model."
https://www.icann.org/resources/pages/content-2013-05-03-en
"Complaints about website content are outside of ICANN's scope and authority; for these types of complaints, please refer to one of the options listed below"
https://www.icann.org/en/system/files/correspondence/crocker-to-shatan-30jun...
"This does not mean, however, that ICANN is required or qualified to make factual or legal determinations as to whether a Registered Name Holder or a website operator is violation applicable laws and governmental regulations, and to assess what would be an appropriate remedy for such activities in any particular situation. (...) (ICANN) was not intended to displace other legal remedies (...) that may apply. (...) these initiatives are outside ICANN's limited remit (...)".
Need more quotes on how this matter is settled?
On 27.07.2016 at 17:03, Kiran Malancharuvil via gnso-rds-pdp-wg wrote:
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Thanks Gregory for sharing this use case. I think the core point made is how the WHOIS was used in a law enforcement investigation to assist in the attribution of criminal activity; an example of the type of useful and relevant information; and how ready access facilitated progress in the investigation. I would welcome further examples.
Kind regards,
Nick
Nick Shorey BA (Hons), MSc
Senior Policy Advisor, International Internet Governance
Department for Culture, Media & Sport
Email: nick.shorey@culture.gov.uk
Phone: +44 (0) 7741 256 320
Sent from my iPhone
Although I'm loath to engage with this style of communication (not least because it's premature, as Chuck had pointed out a thousand times), I will simply point out that none of these quotes have anything to do with whether elements of ICANN policies relate to content.
Kiran Malancharuvil Policy Counselor MarkMonitor 415-419-9138 (m)
Sent from my mobile, please excuse any typos.
I was merely responding to your statement that the question of content is not settled by providing documentary evidence that it is settled as it is outside ICANN's remit. There may have been some inroads, but those mostly relate to contractual obligations.
On 28.07.2016 at 16:33, Kiran Malancharuvil wrote:
Although I'm loath to engage with this style of communication (not least because it's premature, as Chuck had pointed out a thousand times), I will simply point out that none of these quotes have anything to do with whether elements of ICANN policies relate to content.
Kiran Malancharuvil Policy Counselor MarkMonitor 415-419-9138 (m)
Sent from my mobile, please excuse any typos.
On Jul 28, 2016, at 5:39 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
https://www.icann.org/news/blog/icann-is-not-the-internet-content-police
"The simple fact is that many laws in effect in numerous countries render content itself illegal. However the 2013 RAA is interpreted, it cannot mean that ICANN is responsible for making factual and legal determinations as to whether content violates the law. ICANN cannot be put in the position of requiring suspension of domain names on the basis of allegations of blasphemy, hate speech, holocaust denial, political organizing, full or partial nudity or a host of other content that may be illegal somewhere in the world. That would be inconsistent with ICANN's mission, ICANN's limited remit and ICANN's responsibility to operate in accordance with a consensus-driven multistakeholder model."
https://www.icann.org/resources/pages/content-2013-05-03-en
"Complaints about website content are outside of ICANN's scope and authority; for these types of complaints, please refer to one of the options listed below"
https://www.icann.org/en/system/files/correspondence/crocker-to-shatan-30jun...
"This does not mean, however, that ICANN is required or qualified to make factual or legal determinations as to whether a Registered Name Holder or a website operator is violation applicable laws and governmental regulations, and to assess what would be an appropriate remedy for such activities in any particular situation. (...) (ICANN) was not intended to displace other legal remedies (...) that may apply. (...) these initiatives are outside ICANN's limited remit (...)".
Need more quotes on how this matter is settled?
On 27.07.2016 at 17:03, Kiran Malancharuvil via gnso-rds-pdp-wg wrote:
Hi Stephanie,
It's far from settled that ICANN policies have nothing to do with content (see UDRP, URS, most RPMs, PICs, etc.). Can we concentrate on getting use cases out without making these kinds of judgments about them?
Thanks,
Kiran
Kiran Malancharuvil Policy Counselor MarkMonitor 415-419-9138 (m)
Sent from my mobile, please excuse any typos.
On Jul 27, 2016, at 6:06 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Some crimes are recognized nearly universally, and child abuse is one, we have signed treaties have we not? I think that is a good reason to use this example, but we must remember that ICANN is not in the business of analyzing content on websites, (or setting policy for same) it is in the business of assisting in the execution of lawful orders to take down a website when served. I realize this seems like a quibble, but it seems to me it is an important one. As opposed to other crimes that might not be universally recognized (eg hate speech, political speech that is banned in only one country) an order for an action in the matter of child abuse would be universally accepted. ICANN would also be in the business of setting policy with respect to assisting in the investigation of the offence with a view to providing information useful to criminal prosecution. However, as the data commissioners have pointed out in their correspondence with ICANN (see Article 29 letters re RAA) they should not be in the business of compelling illegal data retention just in case a registrant might commit a crime.
Stephanie Perrin
On 2016-07-27 1:32, David Cake wrote:
On 26 Jul 2016, at 11:25 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear David,
Thank you very much for your constructive comments. These are indeed not "compromised websites" as in "stolen domains" but regular domains, registered for illegal purpose. I have amended the use case accordingly.
Thank you for clarifying. The two cases are very different in terms of how they should interact with the RDS and domain name system generally.
Now, I am not sure I understand your point about "designing a case to appear urgent and emotive". It just happens that EC3 has 3 different teams of cyber investigators: one is working on intrusion/malwares/botnets, the second one on online payment fraud and the second one on online child sexual exploitation and distribution of CAM. I asked each team to give me examples of cases they were currently working on and in which they used WHOIS data. So far I have received this one and I thought that it was illustrative of the use made of WHOIS information in criminal investigations so I decided to share it with the group. I will certainly get some more examples from the malware team and I'll share them too.
Thank you for clarifying the origin. FWIW, I’m unsure whether we should simply treat it as clearly illegal material, that is illegal across multiple jurisdictions, or specifically address child abuse material as something that poses unique challenges. If the latter, I would probably want slightly more info, such as, is this material that is clearly illegal across most jurisdictions such as material on the INTERPOL list, or only in some jurisdictions.
These are real use cases and not scenarios: I have checked the urls today and the websites are still online as we speak. And yes, I do have colleagues (1/3 of EC3's work force) working every day on online child abuse cases because this is a major problem in our digitalised and connected societies.
But if the group decides that we should not mention content or give context because it could make the use cases "emotive" then I am happy to simply talk about "illegal activities". But then we should not mention Turkey either.
If you think the specific nature of the material involved is significant to the approach we should take (and it may be) then that should be clear in the use case.
David
Looking forward to continuing the discussion.
Kind regards,
Greg
-----Original Message-----
From: David Cake [mailto:dave@davecake.net]
Sent: 26 July 2016 09:32
To: Mounier, Grégory
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT Use case - LEA
At a first glance, this seems contradictory. You state that the web sites are compromised - then assume that not just some WHOIS data is valid, but enough of it to find cross-correlations. If the domains were compromised, this would be meaningless - a linked email address would just indicate that multiple sites belonging to the same original person were compromised at the same time, presumably by compromise of a shared host or shared controlling organisation, and it's rare that sites are compromised unless it's entirely done via DNS mechanisms, in which case we could probably deal with that issue (stolen domains) without bringing content into it.
So your use case assumes that the sites were not compromised, but registered for illegal purpose, which is an entirely different situation. This seems like a poorly constructed use case to me, in that while it seems designed to appear very urgent and emotive by focussing on content that no one would support, the actual DNS scenario we are trying to address here is very unclear.
David
On 26 Jul 2016, at 6:25 AM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear all,
Please find attached a use case which shows how accurate WHOIS information, combined with other types of evidence, can help attribute crime online.
Regards,
Greg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
<EUROPOL-Use_case_-_Compromised_websites_distributing_child_abuse_material_-_PDP_NG_RDS_WHOIS.pdf>
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Yet even with universally accepted crimes, details and interpretations may vary between jurisdictions. Taking this unsavory example we have on the table now, there is variation in the interpretation of what constitutes such material. Does animated or drawn imagery count? Japan seems not to think so? Do simple nudes (such as your own children's bathing pictures) count? Is a third party (for example a service provider) even allowed to investigate complaints that such content is present (Not in Germany!).
In the end, there is a legal process in place for complaints and investigations that law enforcement can and should follow. The legal rights and obligations of law enforcement and the protections of data rights that exist are there for a reason.
Volker
On 27.07.2016 at 14:48, Stephanie Perrin wrote:
Some crimes are recognized nearly universally, and child abuse is one, we have signed treaties have we not? I think that is a good reason to use this example, but we must remember that ICANN is not in the business of analyzing content on websites (or setting policy for same); it is in the business of assisting in the execution of lawful orders to take down a website when served. I realize this seems like a quibble, but it seems to me it is an important one. As opposed to other crimes that might not be universally recognized (e.g. hate speech, political speech that is banned in only one country), an order for an action in the matter of child abuse would be universally accepted. ICANN would also be in the business of setting policy with respect to assisting in the investigation of the offence with a view to providing information useful to criminal prosecution. However, as the data commissioners have pointed out in their correspondence with ICANN (see Article 29 letters re RAA) they should not be in the business of compelling illegal data retention just in case a registrant might commit a crime.
On 27 Jul 2016, at 8:48 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Some crimes are recognized nearly universally, and child abuse is one, we have signed treaties have we not?
The definitions of what, exactly, constitutes child abuse material do vary between jurisdictions however, which is why I suggested that whether or not the material was on the INTERPOL list was a useful thing to specify, as material on that list is clearly illegal in fairly much every jurisdiction, so it makes a good example for LEA access where jurisdictional definitions of the offence are not a significant issue. For example, I think in some jurisdictions fictional and non-realistic material such as sketches or cartoons are included but in others they are not. In Australia there are significant discrepancies between state and federal law. Child abuse is, indeed, a nearly universally recognised crime, but the definition is not universal.
I realise it sounds as if I’m quibbling on the legal details of a serious crime here, but there was a very useful discussion at the IGF last year about the issue of ‘sexting’ in which I think it was very clear that these details matter, vary across jurisdictions, and can lead to profoundly inappropriate responses by law enforcement in some circumstances (and I talked about the new laws in the Australian state of Victoria, which I made a submission to the inquiry concerning).
But if you are looking for a category of material that is absolutely almost universally regarded as seriously illegal material that merits international co-operation, and has strong objective criteria so it is beyond doubt, material on the INTERPOL ‘worst-of’ list would be a good example. The criteria are here http://www.interpol.int/Crime-areas/Crimes-against-children/Access-blocking/... and guarantee that it is indeed not just awful and illegal, but verified as such by at least two agencies.
I think that is a good reason to use this example, but we must remember that ICANN is not in the business of analyzing content on websites (or setting policy for same); it is in the business of assisting in the execution of lawful orders to take down a website when served. I realize this seems like a quibble, but it seems to me it is an important one. As opposed to other crimes that might not be universally recognized (e.g. hate speech, political speech that is banned in only one country), an order for an action in the matter of child abuse would be universally accepted. ICANN would also be in the business of setting policy with respect to assisting in the investigation of the offence with a view to providing information useful to criminal prosecution. However, as the data commissioners have pointed out in their correspondence with ICANN (see Article 29 letters re RAA) they should not be in the business of compelling illegal data retention just in case a registrant might commit a crime.
Indeed. I think a use case of ‘what to do when LEA requests cooperation with an issue that is clearly illegal in a way that leaves no doubt about cross-jurisdictional issues’ may be useful, but there are a great deal of situations in which the legality is not clear, especially across jurisdictions, and should be considered a different use case.
Regards
David
participants (6)
- David Cake
- Kiran Malancharuvil
- Mounier, Grégory
- Nick Shorey
- Stephanie Perrin
- Volker Greimann