Re: [gnso-thickwhoispdp-wg] risk-assessment framework

[Volker Greimann <vgreimann@xxxxxxxxxxxxxxx>]

I think it happens all the time, but that would be beside the point as 
they agree to the new registrars agreement and thereby agree to provide 
him with their whois data.
Volker
> Rick,
>
> You make a good point that transfers of data from one registrar to another
> might not be different from transfer in a thin-thick transition. However,
> the jurisdiction issue here refers to companies based in different
> countries. Do you have any idea how common it is for a registrant to move
> a registration across a border when switching registrars?
>
> Thanks.
>
> Don
>
>
> On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > One point I believe folks are missing in the jurisdiction discussion
> > is that transfers of a domain from one registrar to another are
> > effectively moving this same information between jurisdictions. We
> > have had many millions of transfers in thin registries over the years,
> > many of which moved registrant data between  jurisdictions. We are
> > talking millions and millions of times, without incident.
> >
> > I believe that it is as important to enumerate the volume and time
> > that this has occurred without notice, or catastrophe.
> >
> > -rick
> >
> >
> > On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
> > <alan.greenberg@xxxxxxxxx> wrote:
> > > Roy, some of us (or perhaps all of us) HAVE read the NCUC submission. It
> > > talks a lot about potential problems with respect to privacy laws of the
> > > Whois model. But they apply equally to both thin and thick models.
> > >
> > > It also raises issues such as "ownership" of Whois data (the specific
> > > sentence was "The movement of that that data, and ownership of that
> > > data,
> > > from a European, or Canadian, or Japanese, or Korean jurisdiction (among
> > > regions/countries with strong data protection laws) to another country
> > > (the
> > > US) raises enormous issues."  I cannot recall anyone saying anything
> > > about
> > > ownership. As far as I know, we are talking about the USE of the data
> > > which
> > > is already publicly (and very widely) available.
> > >
> > > If there are any restrictions (regarding revealing or making available
> > > cross-boarders) to what a registrar may do with the data they collect
> > > from
> > > registrants, that problem exists today with a thin model. How does it
> > > change
> > > with thick? In both cases, they are widely broadcasting the data in a
> > > way
> > > that is universal and irretrievable. Once put on a whois server, it is
> > > completely out of their control.
> > >
> > > A specific example of how the models might differ in a real-life
> > > scenario
> > > would be useful.
> > >
> > > Alan
> > >
> > >
> > > At 05/02/2013 09:52 AM, Balleste, Roy wrote:
> > > > Perhaps the question should be, what new threats we have now have to
> > > > consider.  The Internet world has changed.  Any recommendations that
> > > > we make
> > > > will affect millions of users for years to come.
> > > > If I may, a suggestion, please read the submission from NCUC.
> > > >
> > > > Roy Balleste, J.S.D.
> > > > Professor of Law
> > > > Law Library Director
> > > > St. Thomas University
> > > > 16401 NW 37th Avenue
> > > > Miami Gardens, FL 33054  USA
> > > > 1-305-623-2341
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
> > > > [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
> > > > Sent: Tuesday, February 05, 2013 9:44 AM
> > > > To: Alan Greenberg
> > > > Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
> > > > Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
> > > >
> > > >
> > > > Threats of exposure of Personal Information? Isn't the Whois system by
> > > > definition public? And in any event, how would this threat increase if
> > > > we
> > > > went from many down to one holding the information? Not being
> > > > argumentative,
> > > > just trying to understand what the threats are. Also, it seems if
> > > > there are
> > > > threats won't we encounter those as we go forward? Does there really
> > > > need to
> > > > be a separate exercise to identify them?
> > > >
> > > >
> > > > Tim
> > > >
> > > >
> > > > -------- Original Message --------
> > > > Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
> > > > From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
> > > > Date: Mon, February 4, 2013 11:08 am
> > > > To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
> > > > CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
> > > > <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
> > > >
> > > >
> > > > I have yet to observe a single threat in both the transitions I've
> > > > participated over some 13 years of ICANN participation as a registrar
> > > > and service on the SSAC  -- in regards to the Escrow transition and
> > > > the registry transition for .ORG, both of which I actively
> > > > participated in.
> > > >
> > > > If I had observed any issue that could be potentially identified as a
> > > > credible threat, in this regard, I'd be the first to raise it to your
> > > > attention.
> > > >
> > > > -rick
> > > >
> > > > On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
> > > > <alan.greenberg@xxxxxxxxx>
> > > > wrote:
> > > > > Steve, I concur with your analysis. However, various posting have
> > > > > claimed
> > > > > dire results of the transition, and Mikey proposed that we do a
> > > > threat
> > > > > analysis to try to understand how sever the problems is. Once someone
> > > > > comes
> > > > > up with a SPECIFIC threat, we can do this. If none can be construed
> > > > (as
> > > > > we
> > > > > both hypothesize), then the job is done.
> > > > >
> > > > > Alan
> > > > >
> > > > >
> > > > > At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
> > > > >
> > > > > These questions might be relevant to the Whois PDP that is slated for
> > > > > this
> > > > > year pursuant to the board�s November resolutions; but I don�t
> > > > > understand
> > > > > their relevance to our job.
> > > > >
> > > > > At most the question would be whether the �threat� changes if all
> > > > gTLD
> > > > > registries were thick --- but that would first require agreement on
> > > > what
> > > > > the
> > > > > �threat� is today.  This would be an extremely long path to take to
> > > > our
> > > > > goal.
> > > > >
> > > > > In any case, if the �threat� is �disclosure of non-public registrant
> > > > > information,� then the threshold question is whether the transition
> > > > to
> > > > > thick
> > > > > Whois has any impact whatsoever on �non-public registrant
> > > > information.�
> > > > > To
> > > > > my knowledge the answer is no, and so all the subsequent questions
> > > > > become
> > > > > irrelevant.
> > > > >
> > > > > If, as our chair has stated, �we're edging pretty close to Beijing
> > > > and
> > > > > need
> > > > > to think through what we're going to be able to deliver by then,� I
> > > > > think
> > > > > this type of excursion ought to be avoided.
> > > > >
> > > > > Steve Metalitz
> > > > > From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
> > > > > mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
> > > > O'Connor
> > > > > Sent: Sunday, February 03, 2013 7:30 PM
> > > > > To: Thick Whois WG
> > > > > Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
> > > > >
> > > > > hi all,
> > > > >
> > > > > i promised to send along some materials extracted from the DSSA (DNS
> > > > > Security and Stability Analysis) working group where i serve as GNSO
> > > > > co-chair and day-to-day project leader.  this is in the "break a
> > > > large
> > > > > puzzle into smaller pieces" department.
> > > > >
> > > > > i've attached a one page summary of the process that we've been
> > > > working
> > > > > on
> > > > > (it's based on NIST SP 800-30 for you in the security world), and
> > > > > thought
> > > > > i'd build a list of questions that people could use as a starting
> > > > point
> > > > > in
> > > > > building risk scenarios associated with the transition from thin to
> > > > > thick
> > > > > Whois.
> > > > >
> > > > > Questions:
> > > > >
> > > > > -- What is the description of the threat event?  [1st-try, open to
> > > > > editing,
> > > > > guess -- "disclosure of non-public registrant information"]
> > > > >
> > > > >
> > > > > -- What is the source of this threat?  [options/examples --
> > > > criminals,
> > > > > governments, businesses, etc.]
> > > > >
> > > > > -- What are the capability, intent and targeting of that threat
> > > > source?
> > > > > -- What vulnerabilities might these threat-sources exploit in order
> > > > to
> > > > > achieve their aim?  [categories -- managerial, operational or
> > > > technical
> > > > > vulnerabilities]
> > > > >
> > > > > -- Where [registries, registrars?], and how severe are these
> > > > > vulnerabilities?
> > > > >
> > > > > -- What is the likelihood that such a threat would be initiated?
> > > > >
> > > > > -- What would the impact on the registrant be?
> > > > >
> > > > > -- How likely is it that this impact will be felt?
> > > > >
> > > > > -- How severe is the impact?
> > > > >
> > > > > -- What's the range of impact (how many registrants would this be a
> > > > > problem
> > > > > for)?
> > > > >
> > > > >
> > > > >
> > > > > if you want to read more about this DSSA stuff, here's a link to a
> > > > page
> > > > > where you can download the final Phase I report;
> > > > >
> > > > >              
> > > > https://community.icann.org/display/AW/Phase+1+Final+Report
> > > > > and here's a link to a page where you can download an Excel worksheet
> > > > > that
> > > > > we've been developing as an alpha-test of this tool
> > > > >
> > > > >
> > > > > https://community.icann.org/display/AW/Risk+Scenario+worksheet
> > > > >
> > > > > thanks,
> > > > >
> > > > > mikey