Confessions of an ex-opponent of Whois Privacy
- To: comments-ppsai-initial-05may15@xxxxxxxxx
- Subject: Confessions of an ex-opponent of Whois Privacy
- From: Mark Jeftovic <no-reply@xxxxxxxxxxxx>
- Date: Thu, 2 Jul 2015 23:02:20 +0000 (GMT)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">
p, td { line-height: 1.3; }
p { padding-bottom: 1em; }
a { color: #3697b3; font-weight: bold; text-decoration: none; }
a:hover { color: #000; text-decoration: underline; }
a:active { color: #000; text-decoration: underline; }
</style>
</head>
<body style="font-size:12px;color:#262626;line-height:1.3;font-family:Arial,
Helvetica, sans-serif;background-color:#fff;">
<table cellspacing="0" cellpadding="0" width="100%"
style="padding-bottom:20px;padding-top:10px;">
<tr>
<td
style="text-align:left;padding-bottom:20px;font-size:14px;line-height:1;font-family:Helvetica,
Arial,
sans-serif;border-bottom-width:2px;border-bottom-style:solid;border-bottom-color:#292929;">
Enclosed please find the easyDNS public comments on the GNSO Privacy &
Proxy Services Accreditation Issues Working Group Initial
Report.<br/><br/>Thank you.<br/><br/>- mark
</td>
</tr>
<tr>
<td style="line-height:1;text-align:left;padding-bottom:0px;">
</td>
</tr>
<tr>
<td
style="line-height:1.3;text-align:left;padding-top:0px;padding-bottom:7px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#b5b5b5;font-size:11px;">
<h1
style="margin-top:0;margin-bottom:0;margin-right:0;margin-left:0;padding-bottom:0;padding-right:0;padding-left:0;color:#262626;font-weight:bold;padding-top:5px;font-size:18px;">Confessions
of an ex-opponent of Whois Privacy</h1>
</td>
</tr>
</table>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="ennote">
I submit these comments as a CEO of an ICANN accredited registrar, a former
director to CIRA and a lifelong anti-spam contributor with an unblemished
record of running a managed DNS provider that maintains zero tolerance for net
abuse or cybercrime and as someone who maintains a healthy working relationship
with the units of our local and federal Law Enforcement Agencies that deal with
cybercrime.
<div><br/></div>
<div>In the past easyDNS was opposed to Whois Privacy. We did not offer it and
we strongly cautioned our customers against using it. </div>
<div><br/></div>
<div>Our rationale was twofold:</div>
<div><br/></div>
<div> #1) We felt that those connecting to the internet to originate
traffic and consume system resources of external parties (i.e. people sending
email) had an obligation and a responsibility to be identifiable. In other
words, we felt (and still do) that nobody has an obligation to accept email
from a domain whose contact details are anonymized (in fact we have been
working on an experimental reputation zone that penalizes domains at the MTA
level when they have privacy enabled) - This belief still does not conflict
with our advocacy of Whois Privacy.</div>
<div><br/></div>
<div> #2) There was agency risk to the Registrants themselves, as once
they enabled whois privacy on their domains the "official" owner (or
rights holder) to their names became the privacy provider and not the actual
registrant. (This fear was borne out as many Registrants did in fact lose
their names in the failure of RegisterFly).</div>
<div><br/></div>
<div>We eventually relented to customer pressure and implemented Whois Privacy
and have since completely reversed our opinions on the efficacy of employing it
and necessity of making it an option. <i>(For the record, our opinion was not
swayed by the additional</i> <i><u>revenues</u> we garner from offering it. The
vast majority of our Registrants making use of Whois Privacy get it at no
cost).</i></div>
<div><i><br/></i></div>
<div>It is important to note that once we did change directions and offer Whois
Privacy, we found that doing so had absolutely no material effect on
occurrences of net abuse, known cases of cybercrime or any other form of civil
misdeed such as copyright violations or intellectual property
infringement. </div>
<div><br/></div>
<div>We think we know why this is: they are the same reasons the policy shift
being considered will have zero effect toward their intended outcome and why
the second order effects will be primarily negative and disruptive to those who
are not guilty of any malfeasance (we refer to these innocent bystanders as
"rule followers").</div>
<div><br/></div>
<div>As a result of these experiences, we believe that absent a breach of
service terms such as net abuse, the only basis for disclosing underlying
Registrant data, especially to copyright and trademark complainants should be
subject to</div>
<div>
<ul>
<li><span style="font-family: Calibri; font-size: 11pt;">a court order (in a
competent jurisdiction to the Proxy provider)</span></li>
<li><span style="font-size: 11pt; font-family: Calibri;">a subpoena (in a
competent jurisdiction to the Proxy provider)</span></li>
<li><span style="font-size: 11pt; font-family: Calibri;">a pending civil
action</span></li>
<li><span style="font-size: 11pt; font-family: Calibri;">a URS or UDRP
action.</span></li>
</ul>
<div><font face="Calibri"><span style="font-size: 15px;">In other words, we
feel that Section D of Annex E of the </span></font>Initial Report on
the Privacy & Proxy Services Accreditation Issues PDP should have precisely
the opposite requirement that it now proposes.</div>
<div title="Page 1"></div>
</div>
<div><a
href="http://gnso.icann.org/en/issues/raa/ppsai-initial-05may15-en.pdf">http://gnso.icann.org/en/issues/raa/ppsai-initial-05may15-en.pdf</a><font
face="Calibri"><span style="font-size: 15px;"><br/></span></font></div>
<div><br/></div>
<div>We will explain our reasoning below. It is based on real world experiences
of nearly 20 years in the domain and managed DNS business:</div>
<div><br/></div>
<div><b>Many Registrants Don't Even Know That the Whois Exists or What's In
It.</b></div>
<div><br/></div>
<div>Understanding that a consequence of simply registering a domain name
results in one's personal contact details being published in a world viewable,
digital database is actually quite limited. People who earn their livelihood
online are possibly cognizant of it, although even within this cutting edge
technologically literate segment <i>a significant number of participants are
not.</i> Your average bricklayer, baker or candlestick maker is for the most
part oblivious to the existence of Whois.</div>
<div><br/></div>
<div>What they do know, is that when they finally get motivated to "join
the digital age" and register their first domain name, and after dutifully
filling out the online form, which is like any other online form they fill out,
within days, <i>or even minutes</i> they are receiving unwanted spam, phone
calls or junk faxes because their personal details have been harvested from the
Whois almost immediately. </div>
<div><br/></div>
<div>Blame, or at the very least suspicion is then directed toward the
Registrar ("You sold my personal data!")</div>
<div><br/></div>
<div>This reason in itself is enough motivation for Registrars to create
privacy mechanisms to safeguard Registrants against these unwanted
intrusions. </div>
<div><br/></div>
<div><br/></div>
<div><b>Criminals Lie.</b></div>
<div><b><br/></b></div>
<div>The ostensible justification for the types of changes being considered to
Whois Privacy requirements is to make it easier for primarily rights holders
and law enforcement agencies (LEA) to track down infringers and bad
actors.</div>
<div><br/></div>
<div>But the fact is that actual criminals <i>do not use</i> their true, actual
contact data in domain registrations. In fact in our experience whenever we
take down a known infringing or cybercrime website, whether the domain
registration details are privacy masked or not, they <i>always supply bogus
Registrant data (often culled from a <b>previous</b> <b>victim</b>).</i></div>
<div><i><br/></i></div>
<div>Similar to our objections against the highly destructive and impotent
Whois Accuracy Program, implementing the proposed changes to Whois Privacy
requirements will not get anybody any closer to apprehending a single
cyber-criminal or preventing a single cybercrime, but will only succeed in
making it easier for rule followers with legitimate requirements for Whois
Privacy (i.e. whistleblowers, political dissidents, victims of abuse, et al)
to have their privacy violated.</div>
<div><i><br/></i></div>
<div><b>Open To Abuse</b></div>
<div><b><br/></b></div>
<div>We have ample first-hand experience with complainants abusing allegations
of trademark or copyright infringement in an attempt to do one or more of the
following:</div>
<div>
<ul>
<li>cause a website / domain takedown without due process.</li>
<li>force a disclosure of Registrant data with no legal basis.</li>
<li>suppress websites or specific pages from search engine results.</li>
</ul>
<div>If Section D of Annex E is adopted as proposed we foresee this as an ideal
attack vector to compel Registrant data disclosure without being tested by due
process.</div>
</div>
<div><br/></div>
<div><b>Third Time's a Charm?</b></div>
<div><b><br/></b></div>
<div>Any changes in Whois Privacy requirements must be considered against the
backdrop of previous Whois reform initiatives, because at the end of the day,
it's the end-user Registrants who have to adjust to functioning under the
combined effect of all of these new policy modifications.</div>
<div><br/></div>
<div>ICANN has thus far implemented two policies around Whois reform which
should be considered failures in that they:</div>
<div>
<ol>
<li>do not accomplish their stated goals, </li>
<li>only succeed in penalizing "rule followers" </li>
<li>create new unintended attack vectors against legitimate
Registrants.<br/></li>
</ol>
<div>The first was the Whois Data Reminder Policy (WDRP) which on its own was
an annoyance and created a new spearphishing vector but the second-order effects
were to induce a type of "Whois Notification Blindness" in
Registrants by inculcating them with a belief that these notices are harmless
annoyances which can be ignored (or worse, filtered away).</div>
</div>
<div><br/></div>
<div>Even the creator of the WDRP has gone on record to state that the policy
is a failure and should be killed.</div>
<div><a
href="http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/">http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/</a><br/></div>
<div><br/></div>
<div>Next came the Whois Accuracy Program (WAP) which has done nothing
whatsoever to prevent cybercrime but has left a trail of destruction across the
internet as legitimate production websites (some of them providing internet
infrastructure functionality) inexplicably go offline for the flimsiest of
reasons. </div>
<div><br/></div>
<div>What makes WAP so pernicious is that to the average Registrant there is no
discernible difference between a WDRP notice (which can be safely ignored) and
a WAP notice (which can't!)</div>
<div><br/></div>
<div>After a one-two punch of ineffective policy failures around Whois, the
idea now is to take the one remaining aspect of Whois that actually serves a
purpose, which is Whois Privacy, that actually accomplishes its primary goals,
that provides an invaluable service to law abiding citizens but makes no real
difference to criminals, in other words the last vestige of useful
functionality in the current Whois model and we're going to make a new policy
that maims it and provides easy mechanisms to game the system and end-run
Registrant privacy?</div>
<div><br/></div>
<div>Surely by now ICANN has learned from WDRP and WAP that trying to retrofit
accountability processes onto the existing Whois implementation isn't working.
We don't need a third policy to ignite yet another round of collateral
catastrophes to hammer this lesson home.</div>
<div><br/></div>
<div><b>Recommendations</b></div>
<div><b><br/></b></div>
<div>Everybody close to this probably concurs that the current Port 43 Whois
implementation was never designed for the type of all-reaching global internet
we find ourselves in today. Change is certainly needed but it needs to be
genuine change, a ground up rewrite of the entire protocol.</div>
<div><br/></div>
<div>ICANN already had a separate EWG working on the next generation of Whois
(RDS) and in their initial findings they asked the question: </div>
<div><a
href="https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf"><i>https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf</i></a><br/></div>
<div title="Page 5">
<div>
<div>
<p><span style="font-size: 11.000000pt; font-family: 'Calibri,BoldItalic'">Is
there an alternative to today’s WHO</span><span style="font-size: 11.000000pt;
font-family: 'Calibri,BoldItalic'">IS to better serve the global Internet
community? </span></p>
</div>
</div>
</div>
<div>"<span style="font-size: 12pt; font-family: Calibri;">Yes, there
is.</span> <span style="font-size: 12pt; font-family: Calibri;">The EWG
unanimously recommends abandoning today’s WHOIS model</span> <span
style="font-size: 12pt; font-family: Calibri;">of giving every user the same
entirely anonymous public access to (often inaccurate) gTLD registration
data."</span></div>
<div><span style="font-size: 12pt; font-family: Calibri;"><br/></span></div>
<div>"I<span style="font-family: Calibri; font-size: 12pt;">nstead, the
EWG recommends a paradigm shift to a next-generation RDS that collects,
validates and discloses gTLD registration data for permissible purposes
only.</span></div>
<div title="Page 5">
<div>
<div>
<div><br/></div>
<div><span style="font-size: 12.000000pt; font-family: 'Calibri'">While basic
data would remain publicly available, the rest would be accessible only to
accredited requestors who identify themselves, state their purpose, and agree
to be held accountable for appropriate use."</span></div>
<div><span style="font-size: 12.000000pt; font-family: 'Calibri'"> </span></div>
<div>These are the groundwork for appropriate guiding principles for the next
generation of Whois, of course the devil will be in the details of who has the
right to request data and under what circumstances.</div>
<div><br/></div>
<div>We here at easyDNS have spent an inordinate amount of effort over the past
years to educate complainants, plaintiffs and even certain law enforcement
agencies that there exists in civil society and democracies "due
process" and that an allegation has to be proven legally before sanctions
can be imposed on people's websites, or before their personal data can be
surrendered. </div>
<div><br/></div>
<div>So we have two main recommendations for charting the path forward:</div>
<div><br/></div>
<div>1) The entire Whois Privacy Policy revisions should be tabled until the
entire Whois database is re-engineered as the next generation RDS</div>
<div><br/></div>
<div>2) That a guiding principle of any future RDS Working Groups should
incorporate legal due process and <b>end-user</b>, that is
<b>Registrant</b> control over their own data records, complete with automated
mechanisms to alert Registrants when inquiries are made into their records,
what the purpose of those inquiries is and allowing Registrants the ability to
withhold disclosure (except in cases of overt net abuse or where a law
enforcement agency is pursuing a legitimate investigation subject to a valid
warrant).</div>
<div><br/></div>
<div>Thank you.</div>
<div><br/></div>
<div><br/></div>
</div>
</div>
</div>
<div>Mark Jeftovic, CEO <markjr@xxxxxxxxxxxx></div>
<div>easyDNS Technologies Inc.</div>
<div>http://www.easydns.com</div>
<div><br/></div>
<div><br/></div>
<div><br/></div>
<div><br/></div>
</div>
</body>
</html>