Re: [gnso-thickwhoispdp-wg] risk-assessment framework

[Don Blumenthal <dblumenthal@xxxxxxx>]

True but some things have changed in data protection laws since 2003, both
new statutes/regulations and changes to existing ones. I don't know how
they might affect what we're considering but the issue has to be checked.

For folks on the DP sub team, I'll send a note out tomorrow. The WG has
taken up much more to day's time than planned. Good because it's
interesting stuff but sadly I had to give up on choosing the interesting
vs mundane a long time ago.


On 2/5/13 4:26 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

>Volker,
>
>When .ORG was transitioned the same situation applied. To the best of
>my knowledge there are no records of complaint. While I agree that in
>the case of the registrant executing a transfer they agree to the
>terms, it does demonstrate that the registrant data does move cross
>jurisdiction daily. The fact that registrants, registrars and
>registries participate in this activity daily and have for years is a
>significant observation which deserves recording.
>
>-rick
>
>
>On Tue, Feb 5, 2013 at 1:13 PM, Volker Greimann
><vgreimann@xxxxxxxxxxxxxxx> wrote:
>> I think it happens all the time, but that would be beside the point as
>>they
>> agree to the new registrars agreement and thereby agree to provide him
>>with
>> their whois data.
>>
>> Volker
>>
>>> Rick,
>>>
>>> You make a good point that transfers of data from one registrar to
>>>another
>>> might not be different from transfer in a thin-thick transition.
>>>However,
>>> the jurisdiction issue here refers to companies based in different
>>> countries. Do you have any idea how common it is for a registrant to
>>>move
>>> a registration across a border when switching registrars?
>>>
>>> Thanks.
>>>
>>> Don
>>>
>>>
>>> On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> One point I believe folks are missing in the jurisdiction discussion
>>>> is that transfers of a domain from one registrar to another are
>>>> effectively moving this same information between jurisdictions. We
>>>> have had many millions of transfers in thin registries over the years,
>>>> many of which moved registrant data between  jurisdictions. We are
>>>> talking millions and millions of times, without incident.
>>>>
>>>> I believe that it is as important to enumerate the volume and time
>>>> that this has occurred without notice, or catastrophe.
>>>>
>>>> -rick
>>>>
>>>>
>>>> On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
>>>> <alan.greenberg@xxxxxxxxx> wrote:
>>>>>
>>>>> Roy, some of us (or perhaps all of us) HAVE read the NCUC
>>>>>submission. It
>>>>> talks a lot about potential problems with respect to privacy laws of
>>>>>the
>>>>> Whois model. But they apply equally to both thin and thick models.
>>>>>
>>>>> It also raises issues such as "ownership" of Whois data (the specific
>>>>> sentence was "The movement of that that data, and ownership of that
>>>>> data,
>>>>> from a European, or Canadian, or Japanese, or Korean jurisdiction
>>>>>(among
>>>>> regions/countries with strong data protection laws) to another
>>>>>country
>>>>> (the
>>>>> US) raises enormous issues."  I cannot recall anyone saying anything
>>>>> about
>>>>> ownership. As far as I know, we are talking about the USE of the data
>>>>> which
>>>>> is already publicly (and very widely) available.
>>>>>
>>>>> If there are any restrictions (regarding revealing or making
>>>>>available
>>>>> cross-boarders) to what a registrar may do with the data they collect
>>>>> from
>>>>> registrants, that problem exists today with a thin model. How does it
>>>>> change
>>>>> with thick? In both cases, they are widely broadcasting the data in a
>>>>> way
>>>>> that is universal and irretrievable. Once put on a whois server, it
>>>>>is
>>>>> completely out of their control.
>>>>>
>>>>> A specific example of how the models might differ in a real-life
>>>>> scenario
>>>>> would be useful.
>>>>>
>>>>> Alan
>>>>>
>>>>>
>>>>> At 05/02/2013 09:52 AM, Balleste, Roy wrote:
>>>>>>
>>>>>> Perhaps the question should be, what new threats we have now have to
>>>>>> consider.  The Internet world has changed.  Any recommendations that
>>>>>> we make
>>>>>> will affect millions of users for years to come.
>>>>>> If I may, a suggestion, please read the submission from NCUC.
>>>>>>
>>>>>> Roy Balleste, J.S.D.
>>>>>> Professor of Law
>>>>>> Law Library Director
>>>>>> St. Thomas University
>>>>>> 16401 NW 37th Avenue
>>>>>> Miami Gardens, FL 33054  USA
>>>>>> 1-305-623-2341
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>>>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
>>>>>> Sent: Tuesday, February 05, 2013 9:44 AM
>>>>>> To: Alan Greenberg
>>>>>> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
>>>>>> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>
>>>>>>
>>>>>> Threats of exposure of Personal Information? Isn't the Whois system
>>>>>>by
>>>>>> definition public? And in any event, how would this threat increase
>>>>>>if
>>>>>> we
>>>>>> went from many down to one holding the information? Not being
>>>>>> argumentative,
>>>>>> just trying to understand what the threats are. Also, it seems if
>>>>>> there are
>>>>>> threats won't we encounter those as we go forward? Does there really
>>>>>> need to
>>>>>> be a separate exercise to identify them?
>>>>>>
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>>
>>>>>> -------- Original Message --------
>>>>>> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
>>>>>> Date: Mon, February 4, 2013 11:08 am
>>>>>> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
>>>>>> CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
>>>>>> <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>>>>>>
>>>>>>
>>>>>> I have yet to observe a single threat in both the transitions I've
>>>>>> participated over some 13 years of ICANN participation as a
>>>>>>registrar
>>>>>> and service on the SSAC  -- in regards to the Escrow transition and
>>>>>> the registry transition for .ORG, both of which I actively
>>>>>> participated in.
>>>>>>
>>>>>> If I had observed any issue that could be potentially identified as
>>>>>>a
>>>>>> credible threat, in this regard, I'd be the first to raise it to
>>>>>>your
>>>>>> attention.
>>>>>>
>>>>>> -rick
>>>>>>
>>>>>> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
>>>>>> <alan.greenberg@xxxxxxxxx>
>>>>>> wrote:
>>>>>>>
>>>>>>> Steve, I concur with your analysis. However, various posting have
>>>>>>> claimed
>>>>>>> dire results of the transition, and Mikey proposed that we do a
>>>>>>
>>>>>> threat
>>>>>>>
>>>>>>> analysis to try to understand how sever the problems is. Once
>>>>>>>someone
>>>>>>> comes
>>>>>>> up with a SPECIFIC threat, we can do this. If none can be construed
>>>>>>
>>>>>> (as
>>>>>>>
>>>>>>> we
>>>>>>> both hypothesize), then the job is done.
>>>>>>>
>>>>>>> Alan
>>>>>>>
>>>>>>>
>>>>>>> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>>>>>>>
>>>>>>> These questions might be relevant to the Whois PDP that is slated
>>>>>>>for
>>>>>>> this
>>>>>>> year pursuant to the board�s November resolutions; but I don�t
>>>>>>> understand
>>>>>>> their relevance to our job.
>>>>>>>
>>>>>>> At most the question would be whether the �threat� changes if all
>>>>>>
>>>>>> gTLD
>>>>>>>
>>>>>>> registries were thick --- but that would first require agreement on
>>>>>>
>>>>>> what
>>>>>>>
>>>>>>> the
>>>>>>> �threat� is today.  This would be an extremely long path to take to
>>>>>>
>>>>>> our
>>>>>>>
>>>>>>> goal.
>>>>>>>
>>>>>>> In any case, if the �threat� is �disclosure of non-public
>>>>>>>registrant
>>>>>>> information,� then the threshold question is whether the transition
>>>>>>
>>>>>> to
>>>>>>>
>>>>>>> thick
>>>>>>> Whois has any impact whatsoever on �non-public registrant
>>>>>>
>>>>>> information.�
>>>>>>>
>>>>>>> To
>>>>>>> my knowledge the answer is no, and so all the subsequent questions
>>>>>>> become
>>>>>>> irrelevant.
>>>>>>>
>>>>>>> If, as our chair has stated, �we're edging pretty close to Beijing
>>>>>>
>>>>>> and
>>>>>>>
>>>>>>> need
>>>>>>> to think through what we're going to be able to deliver by then,� I
>>>>>>> think
>>>>>>> this type of excursion ought to be avoided.
>>>>>>>
>>>>>>> Steve Metalitz
>>>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
>>>>>>> mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
>>>>>>
>>>>>> O'Connor
>>>>>>>
>>>>>>> Sent: Sunday, February 03, 2013 7:30 PM
>>>>>>> To: Thick Whois WG
>>>>>>> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>>
>>>>>>> hi all,
>>>>>>>
>>>>>>> i promised to send along some materials extracted from the DSSA
>>>>>>>(DNS
>>>>>>> Security and Stability Analysis) working group where i serve as
>>>>>>>GNSO
>>>>>>> co-chair and day-to-day project leader.  this is in the "break a
>>>>>>
>>>>>> large
>>>>>>>
>>>>>>> puzzle into smaller pieces" department.
>>>>>>>
>>>>>>> i've attached a one page summary of the process that we've been
>>>>>>
>>>>>> working
>>>>>>>
>>>>>>> on
>>>>>>> (it's based on NIST SP 800-30 for you in the security world), and
>>>>>>> thought
>>>>>>> i'd build a list of questions that people could use as a starting
>>>>>>
>>>>>> point
>>>>>>>
>>>>>>> in
>>>>>>> building risk scenarios associated with the transition from thin to
>>>>>>> thick
>>>>>>> Whois.
>>>>>>>
>>>>>>> Questions:
>>>>>>>
>>>>>>> -- What is the description of the threat event?  [1st-try, open to
>>>>>>> editing,
>>>>>>> guess -- "disclosure of non-public registrant information"]
>>>>>>>
>>>>>>>
>>>>>>> -- What is the source of this threat?  [options/examples --
>>>>>>
>>>>>> criminals,
>>>>>>>
>>>>>>> governments, businesses, etc.]
>>>>>>>
>>>>>>> -- What are the capability, intent and targeting of that threat
>>>>>>
>>>>>> source?
>>>>>>>
>>>>>>> -- What vulnerabilities might these threat-sources exploit in order
>>>>>>
>>>>>> to
>>>>>>>
>>>>>>> achieve their aim?  [categories -- managerial, operational or
>>>>>>
>>>>>> technical
>>>>>>>
>>>>>>> vulnerabilities]
>>>>>>>
>>>>>>> -- Where [registries, registrars?], and how severe are these
>>>>>>> vulnerabilities?
>>>>>>>
>>>>>>> -- What is the likelihood that such a threat would be initiated?
>>>>>>>
>>>>>>> -- What would the impact on the registrant be?
>>>>>>>
>>>>>>> -- How likely is it that this impact will be felt?
>>>>>>>
>>>>>>> -- How severe is the impact?
>>>>>>>
>>>>>>> -- What's the range of impact (how many registrants would this be a
>>>>>>> problem
>>>>>>> for)?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> if you want to read more about this DSSA stuff, here's a link to a
>>>>>>
>>>>>> page
>>>>>>>
>>>>>>> where you can download the final Phase I report;
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> https://community.icann.org/display/AW/Phase+1+Final+Report
>>>>>>>
>>>>>>> and here's a link to a page where you can download an Excel
>>>>>>>worksheet
>>>>>>> that
>>>>>>> we've been developing as an alpha-test of this tool
>>>>>>>
>>>>>>>
>>>>>>> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> mikey
>>>>>>>
>>>>>
>>>>>
>>>
>>