FW: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team Discussion Paper

Wendy Seltzer wendy at SELTZER.COM
Sat Jul 23 14:31:43 CEST 2011


The name-change ate my reply too.  I sent in the comment with a modified 
discussion of the remove-or-reveal alternative, since NCUC has been 
supporting it at least since the OPoC WHOIS Task Force in 2007. If it 
turns out to be unworkable or presents too many externalities, then at 
least we can close the subject. The Review Team is not supposed to be 
making policy, in any event.

Thanks for all the discussion.  There's plenty more for us to think 
through on whether a domain name could be an instrument of harm, and 
whether that could or couldn't be addressed by pulling the name from the 
registry, as an alternative to identifying or contacting its owner.

Comment:
<http://forum.icann.org/lists/whoisrt-discussion-paper/msg00014.html>

--Wendy

On 07/23/2011 07:45 AM, Timothe Litt wrote:
> Apparently the old list server ate this response yesterday.
>
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
> -----Original Message-----
> From: Timothe Litt [mailto:litt at acm.org]
> Sent: Friday, July 22, 2011 16:10
> To: 'NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU'
> Subject: RE: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
> Discussion Paper
>
>
> Mandating registrars to provide proxy services at minimal (or zero) cost is
> fine with me.
>
> Having a standard that external auditors and/or ICANN can apply to 3rd-party
> proxy services is highly desirable, and would encourage development of those
> services.  Having a choice of a third party service is important for those
> who want their physical contact information in a different jurisdiction from
> the registrar that they may be forced to use.  (E.g. some country code
> registrars may be governments with no privacy standards or who execute their
> political opposition, and one may wish to proxy with someone unreachable by
> those governments.)
>
> Requiring registrars to accept proxied contact information for whois (from
> an audited proxy service) is also necessary.
>
> But no: registry flags saying "inaccurate, feel free to delete" don't work
> for me.
>
> First, they're vulnerable to abuse - getting that flag set is a useful
> attack vector for, as I call them, the crooks.
>
> Second, I really want to be able to contact the registrant.  Turning off
> service is a bad thing - and it's hard to do. Besides which, DNS is only
> part of the puzzle.  Shut off DNS, and the registrant's servers can still
> send bad data from their IP addresses.  Since I actually believe that most
> people are good, and have good intentions - and shutting off anyone risks
> the universal free access that everyone wants - it's in everyone's interest
> to be able to contact the registrant and try to work the issues.  It's
> faster, fairer, more likely to be effective.  And I don’t want to encourage
> certain registrars who already take a heavy-handed approach to "disabling
> domains first and ignoring questions later."
>
> Third, the crooks won't care.   They just register another domain name and
> move on.  At least if we try to get accurate contact information and send
> the postcard to validate it, there's a chance they'll slip up - or proxy
> services will refuse to do business with them - or legitimate law
> enforcement can get a lead.  But it will hurt the good people.
>
> Fourth, "hard anonymity" - I have trouble with the concept.  Attorneys in
> the Cayman Islands seem (according to news reports) to work hard to protect
> people, as have Swiss bankers and others.  At one point, Thawte kept its
> servers (for X.509 certificates) in South Africa to make sure that the US
> couldn't get its hands on personal data.  I think it's possible to have
> "hard enough" thru proxies - which, I should note, represent a compromise
> from what operators really want - a direct phone number that answers by the
> second ring!  Also, how are these anonymous people paying for their
> registrations?  By credit card?  Check?  PayPal?  None of these provide as
> "hard" protection as a proxy service can - and anonymity is only as secure
> as its weakest link.
>
> Proxy contact registry is compromise enough for me.  (And I'm very much on
> the side of privacy.)
>
> With respect to Nicolas's question about "doesn't it just hurt the
> registrant"?  I thought I responded, but let me be more explicit.
> Eventually, it does.  The honest registrant more than the crooks, of course.
> But it hurts the network operators first.  And "they" doesn't just mean
> MegaCorp with large resources and deep pockets.  It means individuals, small
> organizations whose primary business is NOT network operations too.  The
> burden that he referred to falls disproportionately on the small folks -
> many of whom are supposed to be represented here.  There is no need to
> exacerbate that burden - providing contact information - especially
> privacy-protected via proxy - really should not be such a hot topic.
>
> As I wrote in response to Nuno's note - a DNS registration is not a
> requirement to access or even publish on the Internet.  Requiring accurate
> contact information for the privilege is entirely reasonable, providing that
> reasonable privacy concerns are addressed. I believe that the proxy system
> can do that.  I have no problem denying registration to those who don't
> comply.  And I would support taking action against the MegaCorps who don't
> comply - not just the "little people."
>
> NCUC should not be advocating for a position that, if adopted, will cause
> harm far outweighing any perceived gain.  If we want to be taken seriously,
> we need to advocate for responsible positions.  The proposal to permit
> accepting no contact/fraudulent contact information is not responsible.
> Taking it will hurt our credibility.  It must NOT go forward.
>
> Making sure that privacy services are universally available, affordable, and
> meet reasonable standards would be a better cause for NCUC to champion.
>
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
> -----Original Message-----
> From: NCSG-NCUC [mailto:NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Dan
> Krimm
> Sent: Friday, July 22, 2011 14:47
> To: NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
> Discussion Paper
>
> I'm looking for a pragmatic solution here, one that maintains robust privacy
> options, one that minimizes issue-creep, and one that minimizes
> administrative complication.
>
> Wendy suggested that domain registrants be allowed to operate domains
> without providing accurate (or any) contact information, and that if that
> means they have less ability to protest interruptions in service, so be it.
> Frankly, until I had access to a feasible proxy service (I switched
> registrars), I tweaked my contact information in this way in the past.
>
> If that is the case, perhaps we only need formalize the process.  First,
> establish a flag in the registry (perhaps directly in WHOIS) for cases where
> contact information is non-existent or inaccurate, so that this is known
> immediately, technologically, on demand by anyone.  Then, if technically
> damaging behavior is firmly established as originating from such a domain,
> allow unilateral response to it (such as removing the domain from DNS)
> without input from the registrant.
>
> Think of it as a sort of "pre-clearance" for due process, i.e., the right to
> be contacted and contest interruption of service has been forfeited at the
> outset in return for a hard form of anonymity (as opposed to "soft"
> anonymity which a proxy service offers).  It's a trade-off that, as Wendy
> suggests, has been knowingly chosen by the registrant up front.
>
> That way, the registrant gets the full option of anonymity that exists in
> the current "broken" system, with all of the ramifications of reduced
> opportunity to contest interruptions in service that Wendy acceded to, while
> technically there is a quick path to resolution of technical problems.
>
> Also, while we're at it, while proxy services may seem to be emerging
> naturally in the "free" market, if there exist any registrars that don't
> offer it or offer it only at exorbitant prices, perhaps there should be a
> universal mandate for all registrars to offer proxy services at reasonable
> prices.  Count this as a "soft paternalistic" approach to regulation, based
> on market failure (information asymmetry that favors registrars against
> registrants).  It would flow through registry contracts, via ICANN's
> authority to regulate the behavior of registries.
>
> Can we have our cake and eat it too?
>
> Dan
>
>
> --
> Any opinions expressed in this message are those of the author alone and do
> not necessarily reflect any position of the author's employer.
>
>
>
> On Fri, July 22, 2011 9:57 am, Timothe Litt wrote:
>> Nuno,
>>
>> I think that you are addressing a different issue.  Let's stick to the
>> subject at hand.  I didn't pick the driving analogy (Nicolas did), but it
>> isn't a bad one.  We can use any other, but the underlying issue remains.
>> I'll attempt to differentiate my comments from your remarks.
>>
>> I support full access to the internet by everyone, everywhere, any time -
>> I
>> do not see how you reached the opposite conclusion.
>>
>> Requiring that people who choose to register a domain name are contactable
>> does not deny anyone access to the internet or the information published
>> thereon.  You don't need a domain name to access the internet - any ISP,
>> internet cafe, or thousands of other access points suffice.  You also do
>> not
>> need a domain name to freely publish on the internet - hosting services
>> (web, ftp and other) abound - many at zero cost.
>>
>> If you register a domain name, you are becoming part of the network
>> infrastructure - and that requires that you be contactable.  Perhaps it's
>> that your domain name isn't resolvable from some part of the world - or
>> has
>> invalid signatures that cause web browsing to fail, is supplying poisoned
>> cache records, or is supporting a DDOS attack.  Or your mail server is
>> generating spam.  Whether you personally operate those servers, or
>> contract
>> someone else to do so for your domain - once you register a domain name,
>> you
>> are responsible for having them operate responsibly.  And "responsibly"
>> isn't subjective - it's the subject of the RFCs and standards that make
>> the
>> network function.  This is not religion, politics, morality or personal
>> hygiene.  If you register a domain name and do not live up to your
>> responsibilities, the privilege of having a domain name, like that of
>> driving, can be revoked.  That doesn't prevent you from using the internet
>> without one - or using postal mail or the telephone.
>>
>> The "crooks" to whom I referred are the people who seek to destabilize the
>> network for fun, and increasingly for profit.  The identity thieves, SPAM
>> generators, virus senders, robonet creators, denial of service
>> attackers/extortion specialists, malicious trespassers, information
>> thieves
>> and purveyors of fraud.  All these activities violate the network's
>> standards - as well as criminal law in most jurisdictions.  I don't think
>> you are one of these - nor should you be supporting a policy that makes it
>> easier for them to conduct their activities beyond any means of contact.
>>
>> I support individual privacy.  I am sensitive to the needs of those whose
>> personal safety is at risk if their location were disclosed, as well as of
>> those (including myself) who simply value privacy for its own sake.  As a
>> result, I support proxy services as a means of safeguarding the privacy of
>> those who want to register domain names, while providing for stable
>> network
>> operations and accountability.  I do not propose to dictate that a
>> particular proxy service must be used.  It is the registrant's choice
>> whether to use one, and which one to use.  I only insist that proxy
>> services, like registrars, meet minimum service standards.  Specifically,
>> that the people behind the proxy actually be contactable through them in a
>> timely manner.  And, that a proxy service disclose the extent of privacy
>> protection that it provides.  That's hardly putting people in jail.  It's
>> a
>> pretty minimal requirement.
>>
>> I support internet freedom of expression and universal access, which are
>> only possible when a stable network exists.  Those who choose to become
>> part
>> of the network's operation - "even" by registering a domain name - assume
>> the responsibility and the duty to meet the standards required for it to
>> deliver those benefits to everyone.  If you can't discharge those
>> responsibilities/duties, you can not register a domain name.  (But you can
>> access the internet through others.)
>>
>> The draft recommendation under item 14 proposes that registrants be allowed
>> to provide no contact, or fraudulent contact information.  This is totally
>> unacceptable.  And for NCSG to endorse this recommendation is
>> irresponsible,
>> for the reasons given here and in my previous notes.  It must not be put
>> forth as drafted.
>> Other issues of internet access/freedom are valuable, but should not be
>> confounded with this issue - please use another thread.
>>
>>
>> Timothe Litt
>> ACM Distinguished Engineer
>> ---------------------------------------------------------
>> This communication may not represent the ACM or my employer's views,
>> if any, on the matters discussed.
>>
>>
>>
>>
>>
>>
>>
>>    _____
>>
>> From: nuno.mgarcia at gmail.com [mailto:nuno.mgarcia at gmail.com] On Behalf Of
>> Nuno Garcia
>> Sent: Friday, July 22, 2011 11:39
>> To: Timothe Litt
>> Cc: NCSG-NCUC-DISCUSS at listserv.syr.edu
>> Subject: Re: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
>> Discussion Paper
>>
>>
>> Hi all, hi Timothe,
>>
>> Allow me to disagree with some of the things you say below, mostly
>> because
>> I think the comparison you chose is not adequate.
>>
>> In the Information Society we are all trying to build, to prevent someone
>> from accessing information in the manner it is published is a violation of
>> some of the basic Human Rights (and I mean the ones from the charter of
>> rights published some 50 years ago by the UN).
>>
>> Let me explain: some governments and almost all companies publish
>> information that is critical to a responsible citizenship in the web,
>> sometimes only in the web, many times free on the web but payable
>> everywhere
>> else.
>>
>> To put it bluntly, in Europe, the access to Internet is viewed by
>> legislators
>> as as important as the access to electricity, water and health.
>>
>> Please don't get me wrong, I too am a strong advocate of responsible
>> citizenship.
>>
>>
>> Yet I am not ever in favour that this group takes on the responsibilities
>> or
>> tries to impose or define responsibilities onto its represented elements.
>> There are authorities for that and that would be way out of our powers.
>>
>> I propose that if that is the case, we build a charter of rights and
>> responsibilities for a responsible cyber-citizenship (or whatever name you
>> find more suitable).
>>
>> Let me now explain why the example you chose is ill formed.
>>
>> If a driver misbehaves you may prevent him from driving, not as a
>> punishment, but as a means to safeguard all other users of public roads.
>>
>> Again, the government may prevent him from driving, but unless the offense
>> was a crime, it cannot prevent him from using public transportation, or
>> walking.
>>
>> What you propose is somehow similar to put the citizen in a jail where he
>> cannot move or has limited movements.
>>
>> On another aspect, the Internet (capital I), is a privilege, and a right.
>> A
>> right that derives from the fact that the information it contains is
>> public
>> domain. A right like reading a newspaper, or listening to the news and the
>> music in the radio or watching TV.
>>
>> The Internet is the means through which many of the rights described in the
>> Human Rights Charter are made available to us.
>>
>> And may I add, even risking to be one of the "crooks" you mention: we
>> should
>> never take this discussion to the point where we define who is a crook and
>> who isn't. This is a very very very dangerous path and this is not the way
>> we should go. In no time we will be discussing religion, moral, and other
>> extremely personal and subjective things.
>>
>> I hope to have contributed to this discussion.
>> Warm regards from Portugal,
>>
>> Nuno Garcia
>>
>>
>> 2011/7/22 Timothe Litt <litt at acm.org>
>>
>>
>> At the risk of becoming even less popular, let's see where your analogy
>> takes us:
>>
>> Like driving, a network presence, including a domain name, is a privilege
>> and not an absolute right.
>>
>> On the roads, there are standards of behavior that are enforced for the
>> safety and convenience of all.  And vehicles must have tags that identify
>> the owner/operator.  An unidentified vehicle strewing sharp objects (or
>> explosives) down the road is a problem for everyone.  While it will
>> eventually be stopped, the damage it causes is amplified by the amount of
>> time that it takes to identify it.  So we have registration tags...  And
>> those who drive sufficiently irresponsibly have their privilege revoked -
>> even if it means they lose their livelihood.
>>
>> The internet is a far more complex machine.  With the privilege of
>> becoming
>> a part of that machine come some responsibilities.  Being able to be
>> contacted when, through error, malfunction, or malicious intent one has a
>> negative impact on the machine and/or its users is a basic responsibility.
>> And those "network operators" aren't (just) some big anonymous corporation
>> staffed by paid technicians; they're also individuals with their one PC
>> running their own mail/web/dns server - because they don't want to entrust
>> their personal data to the whims of some ISP.  Burdening "them" is
>> burdening
>> "us".  And it's hard enough for "us" to get "them" to take action against
>> bad actors when we can identify them - when we can't, it's virtually
>> impossible.
>>
>> Reachability via proxy provides anonymity sufficient for protecting the
>> privacy needs of virtually anyone who needs to be part of the network.
>> Just
>> like the vehicle whose registration address is a trust or corporation's
>> attorney.  That scheme protects those with the need (or simply desire) for
>> privacy.  The strength of the proxy can be adjusted to need - providing it
>> still provides access.  So maybe you trust your government-run ISP to
>> proxy
>> your contact information - or maybe you employ an attorney in a state on
>> the
>> other side of the world with different privacy laws and a private army.  I
>> don't care which - as long as I can communicate thru the proxy to someone
>> who can fix or diagnose a problem.  And as long as failure to
>> respond/cooperate allows the privilege of being part of the network to be
>> terminated - with due process (and lots of "reasonable" in the
>> definitions).
>>
>> Providing fraudulent/no contact information is not consistent with being a
>> good citizen.  Proxies provide an adequate alternative, with sufficient
>> privacy protection for those who need/desire it.
>>
>> We (NCUC) can't be just about "rights"; responsibilities are part of
>> citizenship too.  We should not be advocating bad citizenship, or making
>> it
>> "officially acceptable".  It's bad for the network.  It's bad for our
>> credibility as an organization of responsible people.  It's even bad for
>> good people who think it in their interest to be unreachable - because
>> they
>> can lose domain names, connectivity and operational help.  The only people
>> it's good for are the crooks/bad actors.  And NCUC should not be helping
>> to
>> make their lives easier.
>>
>> It's a choice to be part of the network, just as it's a choice to become a
>> licensed driver.  Those who can't/won't accept the rules of good
>> citizenship
>> can employ others to network - or drive - for them.  (Yes,
>> bad/unreasonable
>> rules can/should be fought.  This isn't one.)
>>
>> We don't tolerate unlicensed drivers or unregistered vehicles - or
>> vandalism
>> of others' vehicles and roads.  And while we allow proxy registration of
>> vehicles, driver's licenses have a verifiable name, contact address and
>> photo.  Perhaps that's a sacrifice of some absolutist sense of "liberty",
>> but it does make our transportation system work (more or less).  I don't
>> think it unreasonable to expect the same of those on the network of
>> electrons as of those on the network of roads.
>>
>>
>> Timothe Litt
>> ACM Distinguished Engineer
>> ---------------------------------------------------------
>> This communication may not represent the ACM or my employer's views,
>> if any, on the matters discussed.
>>
>>
>> -----Original Message-----
>> From: NCSG-NCUC [mailto:NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
>>
>> Nicolas Adam
>>
>> Sent: Thursday, July 21, 2011 22:09
>> To: NCSG-NCUC-DISCUSS at LISTSERV.SYR.EDU
>> Subject: Re: [ncsg-policy] Proposed NCUC Comments on the WHOIS Review Team
>> Discussion Paper
>>
>>
>> I guess in principle (or in theory, if you'd prefer) i would be tempted to
>> say that privacy trumps the pragmatics of efficient network maintenance,
>> but
>> i'm not so sure that I get the whole technical challenge of actually
>> keeping
>> the stuff working ... so....
>>
>> If i may venture a question, at the risk of exposing my ignorance: what if
>> something needs be dealt with and you can't reach a responsible person. In
>> the end, depending on the gravity of the situation of course, won't the
>> unreachable party be the one ultimately penalized by the stabilizing
>> actions
>> of network operators? And if so, and granted that anonymity does indeed
>> put
>> pressure on network operators, isn't the balance achieved one where
>> network
>> operators have a hard(er) job but where anonymous registrants mostly
>> support
>> the risk of potentially drastic actions by network operators striving to
>> keep things going?
>>
>> Because frankly whois rules cannot be made to easily protect every person
>> protected by a restraining order, that would be overreaching, in my
>> opinion.
>> Privacy, in a twisted but important sense, give us a "right"
>> to misbehave in my opinion. It's what gives value to good behavior. Any
>> system that makes it practically impossible to misbehave (think cars with
>> built-in police radars) sap the value of good behavior right out of life.
>> I
>> believe this argument was made often - whether from a moral, legal,
>> political or economical point of view - under the rubric of "liberty".
>>
>> Tentatively,
>>
>> Nicolas
>>
>> On 7/21/2011 8:17 AM, Timothe Litt wrote:
>>> Although I support most of the proposed comments, I disagree with
>>> recommendation 14.
>>
>>
>>
>>
>

-- 
Wendy Seltzer -- wendy at seltzer.org +1 914-374-0613
Fellow, Princeton Center for Information Technology Policy
Fellow, Berkman Center for Internet & Society at Harvard University
http://cyber.law.harvard.edu/seltzer.html
https://www.chillingeffects.org/
https://www.torproject.org/
http://www.freedom-to-tinker.com/

