Re: [gnso-whois-study] 15 April WHOIS call review and next steps

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

Liz, and study group contributors,

First, my apologies for not responding sooner, and for missing 
yesterday's call, it conflicted with a conference call that I coordinate 
as CTO of CORE.
Second, I simply want to mention that I've been involved with "whois" 
since Ken Herrenstein, Mary Stahl and Jake Feinler wrote RFC 954 in 
1985, and in the early "modern period" (ICANN MdR 11/00 and IETF-51 
8/01), with Dave Crocker, held the WhoisFix BoF, and a year later wrote 
the first Internet Draft to change the status RFC 954 from "Unknown" to 
"Historic" -- an effort to drive a wooden stake through the heart of 
something that should have died when DARPA transfered control of net 10 
to the NSF. Leslie Daigle of Verisign gets the honor for getting RFC 954 
obsoleted however, as VGRS promoted first "Universal WHOIS" and later 
(and to the present) its IRIS (IETF CRISP WG) product.
Third, I had the pleasure of listening to Dr. Cranor on many P3P Spec 
Working Group calls, and occasionally made some suggestions, but more 
relevant to this activity, I took the P3P model of data collection 
policy and added it to the EPP specification, providing registries the 
ability to announce their data collection policies to registrars, which 
in turn allows registrars to announce that, and any additional data 
collection policies the registrar may have, such as for its websites, to 
end user registrars.
In a nutshell, the server (registry) announces its data collection 
policy when a client (registrar) initiates a session, and the policy 
applies to all data in the session. If the XML makes you sleepy, don't 
worry, it has that effect on me too and you can scroll down ... but 
before you fall asleep or scroll madly down, at a high level P3P 
attempted to create a mechanism to allow the EU's Data Protection 
Directive, the OEDC hybrid model, and US contractual privacy to be  
expressed in legal prose and the soporific verse of well-formed XML.
Enjoy.

  <!--
  Data Collection Policy types.
  -->
    <complexType name="dcpType">
      <sequence>
        <element name="access" type="epp:dcpAccessType"/>
        <element name="statement" type="epp:dcpStatementType"
         maxOccurs="unbounded"/>
        <element name="expiry" type="epp:dcpExpiryType"
         minOccurs="0"/>
      </sequence>
    </complexType>

    <complexType name="dcpAccessType">
      <choice>
        <element name="all"/>
        <element name="none"/>
        <element name="null"/>
        <element name="other"/>
        <element name="personal"/>
        <element name="personalAndOther"/>
      </choice>
    </complexType>

    <complexType name="dcpStatementType">
      <sequence>
        <element name="purpose" type="epp:dcpPurposeType"/>
        <element name="recipient" type="epp:dcpRecipientType"/>
        <element name="retention" type="epp:dcpRetentionType"/>
      </sequence>
    </complexType>

    <complexType name="dcpPurposeType">
      <sequence>
        <element name="admin"
         minOccurs="0"/>
        <element name="contact"
         minOccurs="0"/>
        <element name="other"
         minOccurs="0"/>
        <element name="prov"
         minOccurs="0"/>
      </sequence>
    </complexType>

    <complexType name="dcpRecipientType">
      <sequence>
        <element name="other"
         minOccurs="0"/>
        <element name="ours" type="epp:dcpOursType"
         minOccurs="0" maxOccurs="unbounded"/>
        <element name="public"
         minOccurs="0"/>
        <element name="same"
         minOccurs="0"/>
        <element name="unrelated"
         minOccurs="0"/>
      </sequence>
    </complexType>

    <complexType name="dcpOursType">
      <sequence>
        <element name="recDesc" type="epp:dcpRecDescType"
         minOccurs="0"/>
      </sequence>
    </complexType>

    <simpleType name="dcpRecDescType">
      <restriction base="token">
        <minLength value="1"/>
        <maxLength value="255"/>
      </restriction>
    </simpleType>

    <complexType name="dcpRetentionType">
      <choice>
        <element name="business"/>
        <element name="indefinite"/>
        <element name="legal"/>
        <element name="none"/>
        <element name="stated"/>
      </choice>
    </complexType>

    <complexType name="dcpExpiryType">
      <choice>
        <element name="absolute" type="dateTime"/>
        <element name="relative" type="duration"/>
      </choice>
    </complexType>

Turning to the in-scope Public Suggestions, following the same 
organization as the Cranor/Gasster report of 02/25/08
Suggestions #1, #14, #15 and #21, the first category (aka "WHOIS 
misuse"), can not generate significantly new data, and the technique 
proposed in particular in #14 and #15 is quite naive, though in 
principle, seeding the stream of domain add operations with covert 
samples could be used to monitor a wide range of registrar and registry 
operational art. Unfortunately, ICANN's operational art has not reached 
the stage of technical maturity to engage in direct systematic covert 
observation of the primary users of the DNS. So these are a waste of time.
Suggestions #16, #22 and #23, the second category (aka "compliance with 
data protection laws and the RAA") revisits without the benefit of prior 
work the general corpus of the W3C's P3P activity, which is why I 
mentioned it in such tedious detail above. We have three general legal 
regimes, EU, OEDC, and US, and there is very little to be gained from 
attempting to collect stamps from every country. The leading DP 
jurisdictions, and I'm personally fond of Berlin, should be known simply 
because they are leading, but everything else is just noise at the 
general studies level.
Suggestions #2 and #5 may validate the theory that there exists a market 
for privacy, but that is as useful as validation of a theory that 
gravity exists.
Suggestions #17, #18 and #19 share the basic property of Suggestions #2 
and #5, of validating, from the other side of the check out counter, the 
theory that there exists a market for privacy.
Suggestion #6 is simply daft. Domain price is the principle driver, as 
every registrar gets "bulk purchase" inquiries looking for registrar 
margins of a small fractional part of the VGRS base cost. It also 
overlooks the temporal properties of the overwhelming modes of 
fraudulent use, the scam is done within days, within the event horizon 
of the AGP, so any check that passes the major credit card 
authentication checks and is fraudulent will also pass any commercially 
feasible "restrictive access". Suggestion #13 has the slight, slight 
originality of suggesting that there may be a weak corrolation between 
attack assets which are thrown away within hours, and at most days, of 
initial use, and "bomb proof hosting services", which generally host 
long-term non-fraudulent businesses such as sex sites and bulk mailers 
(spammers).
Suggestion #12 assumes the creation of a persistent identifier creates a 
law enforcement interest. This of course is insane.
The domain names:

"3.141592653589793238462643383279502884197169399375105820974944592.com"
or
"edge-cases-in-memory-allocators.net"
or
"issues-in-indigenous-character-repertoires-and-sort-orders-and-classic-mayan.org"

are persistent identifiers. Their creation causes no "law enforcement 
interest" to arise, outside of police states such as the former DDR.
Suggestions #3 simply revisits the RAA terrain, to no useful effect, and 
#20 is yet another flight of fantasy of the IPC looking for more "data" 
to support their business model, and they've quite a few bits out of 
that wrinkled apple.
Suggestion Metalitz (Hi Steve!) proposes to measure "self-inflicted 
injury". Who really cares if people chose to be stupid, with adverse 
outcomes only to their interests? Measuring dumbness is fun, but is it 
useful?
Suggestions #8 and #11 are simply funny. In a universe of 120,000,000 
domains, of which 27,000,000 are some form of monitization scheme (aka 
"parked domains"),  some  statistical properties are to be extracted 
from some samples, oh, and IDNs are bad, because, um, we don't speak IDN.
In a perfect universe, so one without ICANN and quite a bit else, like 
every LEO I've ever met, and I've advised the Chief Scientist of the 
NSA, which is why we have CERT today, studies of the temporal 
characteristics of criminal commercial enterprises applied to the DNS, 
the Microsoft monopoly market and "palative" after-markets, and the IPv4 
allocations, aka "ISPs" would be productive.
This pile of "suggestions" is incurious and uniformed at best, at worst, 
its more time spent walking around a wicked dead horse we'd all be 
better off burying rather than trying to saddle up and ride off to some 
fairy castle.
I greatly appreciate Dr. Cranor and Counselor Gasster expending the 
time, and patience, to sort and analyze this sack of muck. I hope they 
charged K Street hourly rates.
Cheers,
Eric Brunner-Williams