[At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

Carlton Samuels carlton.samuels at gmail.com
Sun Dec 20 19:33:24 UTC 2015


A big +1 to Holly's comments. Since we two are the ones who have
consistently tagteamed WHOIS matters from the At-Large community in the
last 7 or so years, maybe I expand on the perspective a little bit.

What we know for sure is that by virtue of time in place and divergent
uses, the WHOIS matter is complex enough to demand a sufficiently nuanced
response. So we advised and decided a holistic view, all the way from
embracing registration data collection, its management, curation and,
eventually, access.

Even before the last WHOIS Review and the EWG's work, the ALAC has largely
agreed that the 'one-size fits all' WHOIS is no longer fit for purpose. We
know there is potentially a much larger dataset collected by registrars in
the ordinary course of business, much larger than the deliberative WHOIS
dataset. We accept the conceptual underpinnings of legal and natural
persons and the status inherent to both groups. We accept there would be
commercial concerns to divulge data and information, not just those
pertaining to the rights to privacy.

Spurred largely by the work of Garth Bruen and his ALS Knujon, we have
embraced WHOIS accuracy and agitated for a regime for improvement and
active monitoring. We held the unregulated privacy/proxy registration
schema as inimical to the interests of end users. We even agreed that
embracing a Thick WHOIS model was tactically advantageous to the policy
goals we advocated; everyone at the same level simplified evolution to the
new dispensation. We positioned for a more vigilant ICANN compliance
program, hitherto largely geared to matters concerning fee collection.

Our positions have been delivered in numerous pertinent statements, some
more sharply worded than others, since 2007.

So those who were paying attention would have noticed we were out the box
and on record for differentiated access to WHOIS, a WHOIS Accuracy program
and enforceable service specifications for privacy/proxy registration
services for many years now. Holly, myself and others of the At-Large
community continue to participate in the policy development WGs in these
areas; the IAG-WHOIS Conflicts and the PPSAI, for two.

Policy development has always been a long and uneven slog, especially for
those of us who are true volunteers. So, for example, we go to the
IAG-WHOIS Conflicts and survey the implementation even as we denounce the
process as intuitively insensate as a small pet rock. [Mind you, if I were
a lawyer with my shingle hanging out I would likely embrace this grand make
work confection.] We continue to agitate for and still believe that a
re-imagined compliance program and practice must emerge from ICANN.

Finally and so you know, a series of PDPs surrounding these matters are
coming on steam in the new year. We hope those of you with an interest will
show up for work.

-Carlton


==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================

On Thu, Dec 17, 2015 at 7:29 PM, Holly Raiche <h.raiche at internode.on.net>
wrote:

> Hi Derek
>
> Just to correct a few things.
>
> First - this is NOT about collecting less WHOIS information - it is about
> MAKING PUBLIC less WHOIS information.
>
> Next, it is NOT about not providing access to the WHOIS information for
> law enforcement agencies.  Generally, data protection law makes exceptions
> on access to personal information for law enforcement agencies and other,
> enumerated purposes.  So they WILL have access to the data - whether or not
> it is faked.  The idea is NOT to make it harder for LEA types to have
> access to data for legitimate purposes - it is to make it harder for just
> anyone for no reason to have access to that data. And really, what the
> waivers do is simply allow compliance with national laws - to manage
> personal information so that it is NOT generally publicly available, but is
> available for legitimate purposes - including LEA
>
> Next - if you look at the 2013 RAA, there are enhanced requirements for
> registrars checking on data so that accuracy of data is improved. (read the
> Whois Review Final Report in relation to that issue).  It does not
> eliminate fake data - but makes it just that much harder to have registrars
> accept fake data.  So while the call is about respecting data protection
> laws in relation to making WHOIS data public, it is NOT about removing
> requirements for registrars taking steps to make sure that data is correct
> - and checking regularly to be sure.  Of course, rules are honoured in the
> breach.  Of course, there are registrars who do not follow ICANN rules on
> data accuracy.  But that should not be a call to ignore those rules  - it
> should be a call for more enforcement.
>
> And yes, there are jurisdictions where the criminals can hide.  But that
> is about national sovereignty and the failure of governments to control
> their country codes - which is beyond ICANN’s jurisdiction.
>
> So please, waivers are there to strike a balance between protecting
> personal information from general unregulated publication as against the
> legitimate needs of LEAs (and other institutions given access to personal
> information under enumerated circumstances) for access to that information.
>
> Holly
>
> On 18 Dec 2015, at 9:29 am, Derek Smythe <derek at aa419.org> wrote:
>
> > On 2015-12-17 07:44 PM, John R. Levine wrote:
> >
> >> People with no experience with large networks, which includes pretty
> >> much everyone on the ALAC, often seem to believe that collecting less
> >> information about domain registrants always improves the privacy of
> >> Internet users.  The reality is much more subtle.
> >>
> >> The vast majority of users have never registered a domain and never
> >> will, so WHOIS doesn't affect them, while the vast majority of domains
> >> are registered for commercial purposes, and a dismaying number for
> >> criminal purposes.  A large registrar often turns off 10,000 domains a
> >> day for malware, phishing, and other malevolent behavior.
> >>
> >> The WHOIS information that most of the waivers concern is very useful
> >> for identifying and dealing with criminals.  That is so even though a
> >> lot of it is faked, since the crooks tend to have patterns when they
> >> fake stuff. I'm not guessing about this, I talk to people every day at
> >> network operators who are protecting their users and law enforcement
> >> who are protecting their citizens.
> >>
> >> Registrars should certainly comply with their national laws, and I
> >> agree that some of ICANN's rules are silly, e.g., when they grant a
> >> waiver, it should automatically apply to other registrars or
> >> registries in the same jurisdiction.  But when you make it harder to
> >> tell who's behind a domain, you're also making it easier for criminals
> >> to siphon the money out of your grandmother's bank account.  That may
> >> be a reasonable tradeoff, but it's a tradeoff and one that deserves
> >> better than the kneejerk reactions we always see here.
> >>
> >> R's,
> >> John
> >
> > +1
> >
> > To illustrate the point, search for "fjrasile at yahoo.com". Hint:
> > Supplying bogus data has nothing to do with privacy. Also look at the
> > period over which those domains were registered with the registrar
> > constantly being made aware of the issue. You'll also find this party
> > uses more than one registrar.
> >
> > This is just one of many such.
> >
> > We also do not wish to subject the public to domains such as
> > eicu-ae.com (spoofing eic.ac.ae ); "beautiful" WHOIS not even meeting
> > the basic sanity checks. Yet we wish to hide this with privacy? Such
> > issues are seen daily on domains that are registered for purposes to
> > the detriment of the ordinary innocent user.
> >
> > The problem is the majority of registrants are not malicious. But a
> > small handful are and they are extremely active in registering domains
> > with ever changing fake WHOIS details. Even fake WHOIS details may
> > leave patterns (as John said).
> >
> > Ironically I've alerted victims of credit card fraud that their
> > details are being abused by a fraudster in WHOIS where the pattern
> > did not match the other circumstances. Were it not for WHOIS, this
> > would have slipped past the victim due to the small amounts involved.
> >
> > Here's the problem. Unaccountable privacy is nothing more than
> > anonymity and can be used to devastating effect against the ordinary
> > innocent people using the internet. Some Registrars have shown
> > themselves to not really do WHOIS sanity checks or care, some are
> > deliberately obstructive and discourage reporting fake WHOIS, ignoring
> > ongoing linked issues. The WDPRS system has shown itself to not be
> > effective in such cases. Some registrars simply do not care.
> >
> > Laws differ from country to country. Some Registrars and resellers use
> > this as a strategic marketing tool to attract a certain type of
> > client. Some openly attract clients practising what would be
> > considered illegal activities, such as fraud, in Europe, the US and
> > most parts of the world, simply due to jurisdiction issues and the
> > way local law is structured. So for a mere $10-$15 a repeat malicious
> > registrant can go jurisdiction shopping, targeting whomever he wishes,
> > even residents of the country he lives in.
> >
> > E.g.: http://mediaon.com/Real-Whois-Protection.php
> > Ironically the initial home of the German "Fake Shopkeeper Gang" who
> > was responsible for Germany's largest cyber fraud losses up to 2012.
> >
> > The gang moved to 'Russian' reseller Heihachi (Home of the disavowed
> > Wikileaks copy). Later both the German gang and the Austrian owner of
> > Heihachi were arrested. The owner of Heihachi had a prior criminal
> > record, yet was a reseller for one of America's largest Registrars,
> > had fake whois details as was constantly pointed out to the registrar
> > and ICANN. So the reseller was offered a WHOIS proxy service by the
> > registrar. In turn Heihachi offered WHOIS proxy services for domains
> > belonging to carders, botnet herders, malware creators and
> > distributors etc.
> >
> > Is this the Internet we want?
> >
> > The problem is law enforcement simply does not have the resources to
> > cater for all of the abuse found on the net. Then there are the
> > international social/political issues. This is no reflection on the
> > authorities, rather the state of the net and certain realities. That
> > is why the authorities rely on partnerships with other private groups.
> >
> > Regards,
> >
> > Derek Smythe
> > Artists Against 419
> > http://www.aa419.org
> >
> >
> > _______________________________________________
> > At-Large mailing list
> > At-Large at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
> >
> > At-Large Official Site: http://atlarge.icann.org
>