Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- To: "volker@xxxxxxxxxxx" <volker@xxxxxxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- From: Don Blumenthal <dblumenthal@xxxxxxx>
- Date: Tue, 5 Feb 2013 16:17:36 -0500
That's part of what we need to look at in the data protection group. I'm
not sure whether the issue is so clear cut universally.
On 2/5/13 4:13 PM, "Volker Greimann" <vgreimann@xxxxxxxxxxxxxxx> wrote:
>I think it happens all the time, but that would be beside the point as
>they agree to the new registrars agreement and thereby agree to provide
>him with their whois data.
>
>Volker
>> Rick,
>>
>> You make a good point that transfers of data from one registrar to
>> another might not be different from transfer in a thin-thick transition.
>> However, the jurisdiction issue here refers to companies based in
>> different countries. Do you have any idea how common it is for a
>> registrant to move a registration across a border when switching
>> registrars?
>>
>> Thanks.
>>
>> Don
>>
>>
>> On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> One point I believe folks are missing in the jurisdiction discussion
>>> is that transfers of a domain from one registrar to another are
>>> effectively moving this same information between jurisdictions. We
>>> have had many millions of transfers in thin registries over the years,
>>> many of which moved registrant data between jurisdictions. We are
>>> talking millions and millions of times, without incident.
>>>
>>> I believe that it is as important to enumerate the volume and time
>>> that this has occurred without notice, or catastrophe.
>>>
>>> -rick
>>>
>>>
>>> On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
>>> <alan.greenberg@xxxxxxxxx> wrote:
>>>> Roy, some of us (or perhaps all of us) HAVE read the NCUC submission.
>>>> It talks a lot about potential problems with respect to privacy laws of
>>>> the Whois model. But they apply equally to both thin and thick models.
>>>>
>>>> It also raises issues such as "ownership" of Whois data (the specific
>>>> sentence was "The movement of that that data, and ownership of that
>>>> data, from a European, or Canadian, or Japanese, or Korean jurisdiction
>>>> (among regions/countries with strong data protection laws) to another
>>>> country (the US) raises enormous issues." I cannot recall anyone saying
>>>> anything about ownership. As far as I know, we are talking about the
>>>> USE of the data which is already publicly (and very widely) available.
>>>>
>>>> If there are any restrictions (regarding revealing or making available
>>>> cross-borders) to what a registrar may do with the data they collect
>>>> from registrants, that problem exists today with a thin model. How does
>>>> it change with thick? In both cases, they are widely broadcasting the
>>>> data in a way that is universal and irretrievable. Once put on a whois
>>>> server, it is completely out of their control.
>>>>
>>>> A specific example of how the models might differ in a real-life
>>>> scenario would be useful.
>>>>
>>>> Alan
>>>>
>>>>
>>>> At 05/02/2013 09:52 AM, Balleste, Roy wrote:
>>>>> Perhaps the question should be, what new threats we now have to
>>>>> consider. The Internet world has changed. Any recommendations that
>>>>> we make will affect millions of users for years to come.
>>>>> If I may, a suggestion, please read the submission from NCUC.
>>>>>
>>>>> Roy Balleste, J.S.D.
>>>>> Professor of Law
>>>>> Law Library Director
>>>>> St. Thomas University
>>>>> 16401 NW 37th Avenue
>>>>> Miami Gardens, FL 33054 USA
>>>>> 1-305-623-2341
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
>>>>> Sent: Tuesday, February 05, 2013 9:44 AM
>>>>> To: Alan Greenberg
>>>>> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
>>>>> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>
>>>>>
>>>>> Threats of exposure of Personal Information? Isn't the Whois system
>>>>> by definition public? And in any event, how would this threat increase
>>>>> if we went from many down to one holding the information? Not being
>>>>> argumentative, just trying to understand what the threats are. Also,
>>>>> it seems if there are threats won't we encounter those as we go
>>>>> forward? Does there really need to be a separate exercise to identify
>>>>> them?
>>>>>
>>>>>
>>>>> Tim
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
>>>>> Date: Mon, February 4, 2013 11:08 am
>>>>> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
>>>>> CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
>>>>> <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>>>>>
>>>>>
>>>>> I have yet to observe a single threat in both the transitions I've
>>>>> participated over some 13 years of ICANN participation as a registrar
>>>>> and service on the SSAC -- in regards to the Escrow transition and
>>>>> the registry transition for .ORG, both of which I actively
>>>>> participated in.
>>>>>
>>>>> If I had observed any issue that could be potentially identified as a
>>>>> credible threat, in this regard, I'd be the first to raise it to your
>>>>> attention.
>>>>>
>>>>> -rick
>>>>>
>>>>> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
>>>>> <alan.greenberg@xxxxxxxxx>
>>>>> wrote:
>>>>>> Steve, I concur with your analysis. However, various postings have
>>>>>> claimed dire results of the transition, and Mikey proposed that we do
>>>>>> a threat analysis to try to understand how severe the problem is.
>>>>>> Once someone comes up with a SPECIFIC threat, we can do this. If none
>>>>>> can be construed (as we both hypothesize), then the job is done.
>>>>>>
>>>>>> Alan
>>>>>>
>>>>>>
>>>>>> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>>>>>>
>>>>>> These questions might be relevant to the Whois PDP that is slated
>>>>>> for this year pursuant to the board's November resolutions; but I
>>>>>> don't understand their relevance to our job.
>>>>>>
>>>>>> At most the question would be whether the "threat" changes if all
>>>>>> gTLD registries were thick --- but that would first require agreement
>>>>>> on what the "threat" is today. This would be an extremely long path
>>>>>> to take to our goal.
>>>>>>
>>>>>> In any case, if the "threat" is "disclosure of non-public registrant
>>>>>> information," then the threshold question is whether the transition
>>>>>> to thick Whois has any impact whatsoever on "non-public registrant
>>>>>> information." To my knowledge the answer is no, and so all the
>>>>>> subsequent questions become irrelevant.
>>>>>>
>>>>>> If, as our chair has stated, "we're edging pretty close to Beijing
>>>>>> and need to think through what we're going to be able to deliver by
>>>>>> then," I think this type of excursion ought to be avoided.
>>>>>>
>>>>>> Steve Metalitz
>>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>>>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
>>>>>> O'Connor
>>>>>> Sent: Sunday, February 03, 2013 7:30 PM
>>>>>> To: Thick Whois WG
>>>>>> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>
>>>>>> hi all,
>>>>>>
>>>>>> i promised to send along some materials extracted from the DSSA (DNS
>>>>>> Security and Stability Analysis) working group where i serve as GNSO
>>>>>> co-chair and day-to-day project leader. this is in the "break a
>>>>>> large puzzle into smaller pieces" department.
>>>>>>
>>>>>> i've attached a one page summary of the process that we've been
>>>>>> working on (it's based on NIST SP 800-30 for you in the security
>>>>>> world), and thought i'd build a list of questions that people could
>>>>>> use as a starting point in building risk scenarios associated with
>>>>>> the transition from thin to thick Whois.
>>>>>>
>>>>>> Questions:
>>>>>>
>>>>>> -- What is the description of the threat event? [1st-try, open to
>>>>>> editing, guess -- "disclosure of non-public registrant information"]
>>>>>>
>>>>>> -- What is the source of this threat? [options/examples --
>>>>>> criminals, governments, businesses, etc.]
>>>>>>
>>>>>> -- What are the capability, intent and targeting of that threat
>>>>>> source?
>>>>>>
>>>>>> -- What vulnerabilities might these threat-sources exploit in order
>>>>>> to achieve their aim? [categories -- managerial, operational or
>>>>>> technical vulnerabilities]
>>>>>>
>>>>>> -- Where [registries, registrars?], and how severe are these
>>>>>> vulnerabilities?
>>>>>>
>>>>>> -- What is the likelihood that such a threat would be initiated?
>>>>>>
>>>>>> -- What would the impact on the registrant be?
>>>>>>
>>>>>> -- How likely is it that this impact will be felt?
>>>>>>
>>>>>> -- How severe is the impact?
>>>>>>
>>>>>> -- What's the range of impact (how many registrants would this be a
>>>>>> problem for)?
>>>>>>
>>>>>>
>>>>>>
>>>>>> if you want to read more about this DSSA stuff, here's a link to a
>>>>>> page where you can download the final Phase I report;
>>>>>>
>>>>>> https://community.icann.org/display/AW/Phase+1+Final+Report
>>>>>>
>>>>>> and here's a link to a page where you can download an Excel
>>>>>> worksheet that we've been developing as an alpha-test of this tool
>>>>>>
>>>>>> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> mikey
>>>>>>
>>>>
>>>>
>>
>