Re: [gnso-thickwhoispdp-wg] risk-assessment framework

[Don Blumenthal <dblumenthal@xxxxxxx>]

Rick,

You make a good point that transfers of data from one registrar to another
might not be different from transfer in a thin-thick transition. However,
the jurisdiction issue here refers to companies based in different
countries. Do you have any idea how common it is for a registrant to move
a registration across a border when switching registrars?

Thanks.

Don


On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

>
>One point I believe folks are missing in the jurisdiction discussion
>is that transfers of a domain from one registrar to another are
>effectively moving this same information between jurisdictions. We
>have had many millions of transfers in thin registries over the years,
>many of which moved registrant data between  jurisdictions. We are
>talking millions and millions of times, without incident.
>
>I believe that it is as important to enumerate the volume and time
>that this has occurred without notice, or catastrophe.
>
>-rick
>
>
>On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
><alan.greenberg@xxxxxxxxx> wrote:
>>
>> Roy, some of us (or perhaps all of us) HAVE read the NCUC submission. It
>> talks a lot about potential problems with respect to privacy laws of the
>> Whois model. But they apply equally to both thin and thick models.
>>
>> It also raises issues such as "ownership" of Whois data (the specific
>> sentence was "The movement of that that data, and ownership of that
>>data,
>> from a European, or Canadian, or Japanese, or Korean jurisdiction (among
>> regions/countries with strong data protection laws) to another country
>>(the
>> US) raises enormous issues."  I cannot recall anyone saying anything
>>about
>> ownership. As far as I know, we are talking about the USE of the data
>>which
>> is already publicly (and very widely) available.
>>
>> If there are any restrictions (regarding revealing or making available
>> cross-boarders) to what a registrar may do with the data they collect
>>from
>> registrants, that problem exists today with a thin model. How does it
>>change
>> with thick? In both cases, they are widely broadcasting the data in a
>>way
>> that is universal and irretrievable. Once put on a whois server, it is
>> completely out of their control.
>>
>> A specific example of how the models might differ in a real-life
>>scenario
>> would be useful.
>>
>> Alan
>>
>>
>> At 05/02/2013 09:52 AM, Balleste, Roy wrote:
>>>
>>> Perhaps the question should be, what new threats we have now have to
>>> consider.  The Internet world has changed.  Any recommendations that
>>>we make
>>> will affect millions of users for years to come.
>>> If I may, a suggestion, please read the submission from NCUC.
>>>
>>> Roy Balleste, J.S.D.
>>> Professor of Law
>>> Law Library Director
>>> St. Thomas University
>>> 16401 NW 37th Avenue
>>> Miami Gardens, FL 33054  USA
>>> 1-305-623-2341
>>>
>>>
>>> -----Original Message-----
>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
>>> Sent: Tuesday, February 05, 2013 9:44 AM
>>> To: Alan Greenberg
>>> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
>>> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>
>>>
>>> Threats of exposure of Personal Information? Isn't the Whois system by
>>> definition public? And in any event, how would this threat increase if
>>>we
>>> went from many down to one holding the information? Not being
>>>argumentative,
>>> just trying to understand what the threats are. Also, it seems if
>>>there are
>>> threats won't we encounter those as we go forward? Does there really
>>>need to
>>> be a separate exercise to identify them?
>>>
>>>
>>> Tim
>>>
>>>
>>> -------- Original Message --------
>>> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
>>> Date: Mon, February 4, 2013 11:08 am
>>> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
>>> CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
>>> <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>>>
>>>
>>> I have yet to observe a single threat in both the transitions I've
>>> participated over some 13 years of ICANN participation as a registrar
>>> and service on the SSAC  -- in regards to the Escrow transition and
>>> the registry transition for .ORG, both of which I actively
>>> participated in.
>>>
>>> If I had observed any issue that could be potentially identified as a
>>> credible threat, in this regard, I'd be the first to raise it to your
>>> attention.
>>>
>>> -rick
>>>
>>> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
>>><alan.greenberg@xxxxxxxxx>
>>> wrote:
>>> > Steve, I concur with your analysis. However, various posting have
>>> > claimed
>>> > dire results of the transition, and Mikey proposed that we do a
>>>threat
>>> > analysis to try to understand how sever the problems is. Once someone
>>> > comes
>>> > up with a SPECIFIC threat, we can do this. If none can be construed
>>>(as
>>> > we
>>> > both hypothesize), then the job is done.
>>> >
>>> > Alan
>>> >
>>> >
>>> > At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>>> >
>>> > These questions might be relevant to the Whois PDP that is slated for
>>> > this
>>> > year pursuant to the board�s November resolutions; but I don�t
>>> > understand
>>> > their relevance to our job.
>>> >
>>> > At most the question would be whether the �threat� changes if all
>>>gTLD
>>> > registries were thick --- but that would first require agreement on
>>>what
>>> > the
>>> > �threat� is today.  This would be an extremely long path to take to
>>>our
>>> > goal.
>>> >
>>> > In any case, if the �threat� is �disclosure of non-public registrant
>>> > information,� then the threshold question is whether the transition
>>>to
>>> > thick
>>> > Whois has any impact whatsoever on �non-public registrant
>>>information.�
>>> > To
>>> > my knowledge the answer is no, and so all the subsequent questions
>>> > become
>>> > irrelevant.
>>> >
>>> > If, as our chair has stated, �we're edging pretty close to Beijing
>>>and
>>> > need
>>> > to think through what we're going to be able to deliver by then,� I
>>> > think
>>> > this type of excursion ought to be avoided.
>>> >
>>> > Steve Metalitz
>>> > From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
>>> > mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
>>>O'Connor
>>> > Sent: Sunday, February 03, 2013 7:30 PM
>>> > To: Thick Whois WG
>>> > Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>>> >
>>> > hi all,
>>> >
>>> > i promised to send along some materials extracted from the DSSA (DNS
>>> > Security and Stability Analysis) working group where i serve as GNSO
>>> > co-chair and day-to-day project leader.  this is in the "break a
>>>large
>>> > puzzle into smaller pieces" department.
>>> >
>>> > i've attached a one page summary of the process that we've been
>>>working
>>> > on
>>> > (it's based on NIST SP 800-30 for you in the security world), and
>>> > thought
>>> > i'd build a list of questions that people could use as a starting
>>>point
>>> > in
>>> > building risk scenarios associated with the transition from thin to
>>> > thick
>>> > Whois.
>>> >
>>> > Questions:
>>> >
>>> > -- What is the description of the threat event?  [1st-try, open to
>>> > editing,
>>> > guess -- "disclosure of non-public registrant information"]
>>> >
>>> >
>>> > -- What is the source of this threat?  [options/examples --
>>>criminals,
>>> > governments, businesses, etc.]
>>> >
>>> > -- What are the capability, intent and targeting of that threat
>>>source?
>>> >
>>> > -- What vulnerabilities might these threat-sources exploit in order
>>>to
>>> > achieve their aim?  [categories -- managerial, operational or
>>>technical
>>> > vulnerabilities]
>>> >
>>> > -- Where [registries, registrars?], and how severe are these
>>> > vulnerabilities?
>>> >
>>> > -- What is the likelihood that such a threat would be initiated?
>>> >
>>> > -- What would the impact on the registrant be?
>>> >
>>> > -- How likely is it that this impact will be felt?
>>> >
>>> > -- How severe is the impact?
>>> >
>>> > -- What's the range of impact (how many registrants would this be a
>>> > problem
>>> > for)?
>>> >
>>> >
>>> >
>>> > if you want to read more about this DSSA stuff, here's a link to a
>>>page
>>> > where you can download the final Phase I report;
>>> >
>>> >             
>>>https://community.icann.org/display/AW/Phase+1+Final+Report
>>> >
>>> > and here's a link to a page where you can download an Excel worksheet
>>> > that
>>> > we've been developing as an alpha-test of this tool
>>> >
>>> >
>>> > https://community.icann.org/display/AW/Risk+Scenario+worksheet
>>> >
>>> > thanks,
>>> >
>>> > mikey
>>> >
>>
>>
>>
>