Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- To: Don Blumenthal <dblumenthal@xxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- From: Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 5 Feb 2013 12:24:56 -0800
We could look at transfers between registrars, and group registrars by
the respective country they operate in; tracking transfers between
countries would give us a rough estimate of the number of times the
whois data has crossed political boundaries. So, yes, it is a very
feasible study for one to do. I am sure ICANN/GNSO could fund such a
study by a 3rd party.
Disclaimer: I'm not fishing for a consulting contract here, I'm not
interested in performing such work; just commenting that it is
feasible and would give some hard facts to the discussion.
-rick
On Tue, Feb 5, 2013 at 12:15 PM, Don Blumenthal <dblumenthal@xxxxxxx> wrote:
> Rick,
>
> You make a good point that transfers of data from one registrar to another
> might not be different from transfer in a thin-thick transition. However,
> the jurisdiction issue here refers to companies based in different
> countries. Do you have any idea how common it is for a registrant to move
> a registration across a border when switching registrars?
>
> Thanks.
>
> Don
>
>
> On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>>
>>One point I believe folks are missing in the jurisdiction discussion
>>is that transfers of a domain from one registrar to another are
>>effectively moving this same information between jurisdictions. We
>>have had many millions of transfers in thin registries over the years,
>>many of which moved registrant data between jurisdictions. We are
>>talking millions and millions of times, without incident.
>>
>>I believe that it is as important to enumerate the volume and time
>>that this has occurred without notice, or catastrophe.
>>
>>-rick
>>
>>
>>On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
>><alan.greenberg@xxxxxxxxx> wrote:
>>>
>>> Roy, some of us (or perhaps all of us) HAVE read the NCUC submission. It
>>> talks a lot about potential problems with respect to privacy laws of the
>>> Whois model. But they apply equally to both thin and thick models.
>>>
>>> It also raises issues such as "ownership" of Whois data (the specific
>>> sentence was "The movement of that that data, and ownership of that
>>>data,
>>> from a European, or Canadian, or Japanese, or Korean jurisdiction (among
>>> regions/countries with strong data protection laws) to another country
>>>(the
>>> US) raises enormous issues." I cannot recall anyone saying anything
>>>about
>>> ownership. As far as I know, we are talking about the USE of the data
>>>which
>>> is already publicly (and very widely) available.
>>>
>>> If there are any restrictions (regarding revealing or making available
>>> cross-borders) to what a registrar may do with the data they collect
>>>from
>>> registrants, that problem exists today with a thin model. How does it
>>>change
>>> with thick? In both cases, they are widely broadcasting the data in a
>>>way
>>> that is universal and irretrievable. Once put on a whois server, it is
>>> completely out of their control.
>>>
>>> A specific example of how the models might differ in a real-life
>>>scenario
>>> would be useful.
>>>
>>> Alan
>>>
>>>
>>> At 05/02/2013 09:52 AM, Balleste, Roy wrote:
>>>>
>>>> Perhaps the question should be, what new threats we now have to
>>>> consider. The Internet world has changed. Any recommendations that
>>>>we make
>>>> will affect millions of users for years to come.
>>>> If I may, a suggestion, please read the submission from NCUC.
>>>>
>>>> Roy Balleste, J.S.D.
>>>> Professor of Law
>>>> Law Library Director
>>>> St. Thomas University
>>>> 16401 NW 37th Avenue
>>>> Miami Gardens, FL 33054 USA
>>>> 1-305-623-2341
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
>>>> Sent: Tuesday, February 05, 2013 9:44 AM
>>>> To: Alan Greenberg
>>>> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
>>>> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>
>>>>
>>>> Threats of exposure of Personal Information? Isn't the Whois system by
>>>> definition public? And in any event, how would this threat increase if
>>>>we
>>>> went from many down to one holding the information? Not being
>>>>argumentative,
>>>> just trying to understand what the threats are. Also, it seems if
>>>>there are
>>>> threats won't we encounter those as we go forward? Does there really
>>>>need to
>>>> be a separate exercise to identify them?
>>>>
>>>>
>>>> Tim
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
>>>> Date: Mon, February 4, 2013 11:08 am
>>>> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
>>>> CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
>>>> <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>>>>
>>>>
>>>> I have yet to observe a single threat in both the transitions I've
>>>> participated in over some 13 years of ICANN participation as a registrar
>>>> and service on the SSAC -- in regards to the Escrow transition and
>>>> the registry transition for .ORG, both of which I actively
>>>> participated in.
>>>>
>>>> If I had observed any issue that could be potentially identified as a
>>>> credible threat, in this regard, I'd be the first to raise it to your
>>>> attention.
>>>>
>>>> -rick
>>>>
>>>> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
>>>><alan.greenberg@xxxxxxxxx>
>>>> wrote:
>>>> > Steve, I concur with your analysis. However, various postings have
>>>> > claimed
>>>> > dire results of the transition, and Mikey proposed that we do a
>>>>threat
>>>> > analysis to try to understand how severe the problem is. Once someone
>>>> > comes
>>>> > up with a SPECIFIC threat, we can do this. If none can be construed
>>>>(as
>>>> > we
>>>> > both hypothesize), then the job is done.
>>>> >
>>>> > Alan
>>>> >
>>>> >
>>>> > At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>>>> >
>>>> > These questions might be relevant to the Whois PDP that is slated for
>>>> > this
>>>> > year pursuant to the board's November resolutions; but I don't
>>>> > understand
>>>> > their relevance to our job.
>>>> >
>>>> > At most the question would be whether the "threat" changes if all
>>>>gTLD
>>>> > registries were thick --- but that would first require agreement on
>>>>what
>>>> > the
>>>> > "threat" is today. This would be an extremely long path to take to
>>>>our
>>>> > goal.
>>>> >
>>>> > In any case, if the "threat" is "disclosure of non-public registrant
>>>> > information," then the threshold question is whether the transition
>>>>to
>>>> > thick
>>>> > Whois has any impact whatsoever on "non-public registrant
>>>>information."
>>>> > To
>>>> > my knowledge the answer is no, and so all the subsequent questions
>>>> > become
>>>> > irrelevant.
>>>> >
>>>> > If, as our chair has stated, "we're edging pretty close to Beijing
>>>>and
>>>> > need
>>>> > to think through what we're going to be able to deliver by then," I
>>>> > think
>>>> > this type of excursion ought to be avoided.
>>>> >
>>>> > Steve Metalitz
>>>> > From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
>>>> > mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
>>>>O'Connor
>>>> > Sent: Sunday, February 03, 2013 7:30 PM
>>>> > To: Thick Whois WG
>>>> > Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>> >
>>>> > hi all,
>>>> >
>>>> > i promised to send along some materials extracted from the DSSA (DNS
>>>> > Security and Stability Analysis) working group where i serve as GNSO
>>>> > co-chair and day-to-day project leader. this is in the "break a
>>>>large
>>>> > puzzle into smaller pieces" department.
>>>> >
>>>> > i've attached a one page summary of the process that we've been
>>>>working
>>>> > on
>>>> > (it's based on NIST SP 800-30 for you in the security world), and
>>>> > thought
>>>> > i'd build a list of questions that people could use as a starting
>>>>point
>>>> > in
>>>> > building risk scenarios associated with the transition from thin to
>>>> > thick
>>>> > Whois.
>>>> >
>>>> > Questions:
>>>> >
>>>> > -- What is the description of the threat event? [1st-try, open to
>>>> > editing,
>>>> > guess -- "disclosure of non-public registrant information"]
>>>> >
>>>> >
>>>> > -- What is the source of this threat? [options/examples --
>>>>criminals,
>>>> > governments, businesses, etc.]
>>>> >
>>>> > -- What are the capability, intent and targeting of that threat
>>>>source?
>>>> >
>>>> > -- What vulnerabilities might these threat-sources exploit in order
>>>>to
>>>> > achieve their aim? [categories -- managerial, operational or
>>>>technical
>>>> > vulnerabilities]
>>>> >
>>>> > -- Where [registries, registrars?], and how severe are these
>>>> > vulnerabilities?
>>>> >
>>>> > -- What is the likelihood that such a threat would be initiated?
>>>> >
>>>> > -- What would the impact on the registrant be?
>>>> >
>>>> > -- How likely is it that this impact will be felt?
>>>> >
>>>> > -- How severe is the impact?
>>>> >
>>>> > -- What's the range of impact (how many registrants would this be a
>>>> > problem
>>>> > for)?
>>>> >
>>>> >
>>>> >
>>>> > if you want to read more about this DSSA stuff, here's a link to a
>>>>page
>>>> > where you can download the final Phase I report;
>>>> >
>>>> >
>>>>https://community.icann.org/display/AW/Phase+1+Final+Report
>>>> >
>>>> > and here's a link to a page where you can download an Excel worksheet
>>>> > that
>>>> > we've been developing as an alpha-test of this tool
>>>> >
>>>> >
>>>> > https://community.icann.org/display/AW/Risk+Scenario+worksheet
>>>> >
>>>> > thanks,
>>>> >
>>>> > mikey
>>>> >
>>>
>>>
>>>
>>
>