[NCUC-DISCUSS] [Info] Welcome to new NCUC members December 2015

Shane Kerr shane at time-travellers.org
Tue Dec 8 14:58:22 CET 2015


Rafik,

Interesting.

tl;dr RDAP is cool. It may not be widely used. It also may have some
      implications for anonymity and access to private data.



[ I apologize if this stuff has been discussed before. I had a scan
  through the documents, but clearly those are the outcome of lots of
  previous discussion. I also apologize for the length of this mail. ]

Note that I was involved with the most recent previous attempt to
replace WHOIS with a better protocol, the IETF CRISP working group,
which created the IRIS protocol. I was working at the RIPE NCC at the
time. I have not followed the RDAP work closely, because I don't work
in that space now.



I am not sure if the RDAP will achieve widespread success, but I do
support the goals.

An issue with replacing WHOIS has been that WHOIS is very, very old and
very, very simple, and thus is very, very, VERY widely adopted.

ICANN does not have the ability to force adoption of a new protocol. It
can mandate this for gTLD, but ccTLD and RIR pre-date ICANN and will
(properly) resist ICANN efforts to tell them how to manage their
registries.

Even if ICANN could mandate that ccTLD and RIR also use RDAP, there is
no way to require that *end-users* use a new protocol.

Hopefully RDAP has learned from the mistakes of WHOIS++, RWhois, and
IRIS (the previous efforts to extend/replace WHOIS). Hopefully it will
provide benefits for users *and* be easy to implement. If that is
true, then end-users will want to use RDAP, and the problem will
eventually solve itself. Only time will tell.



Looking at it from the point of view of the NCUC, RDAP provides some
real benefits, such as allowing much more control over access to
private information.

I saw a brief mention along the lines of "there may be privacy
issues... if these arise we'll bring it up".

I think that RDAP may provide one specific risk that we should watch out
for in the future: once a registry can safely block access to
information about registrants from an unauthorized (anonymous) search,
there may be temptation to make it more difficult to allow registrants
to make anonymous registrations.

That is, today in order to get a domain name people have to publish many
details to the whole world that they should not have to. Using "whois"
anyone in the world can get my home address and phone number, for
example (please don't dox me, thanks). Because of this, there are
anonymous services to register domains.

If only authenticated & authorized people can get this information,
then maybe we don't need to allow such anonymous registration any
more. While this would be somewhat helpful in fighting Internet abuse,
it does mean yet another way to be anonymous online goes away.

 

A further issue that seems not to be discussed is the nature of who
gets access to this data in the new system.

For example, we assume that law enforcement will have some special
authentication for this. To be done properly though, this will incur
costs for both registries and the law enforcement agencies. Users will
lose their credentials, and these need to be updated periodically. Logs
of access will need to be kept, with some rules about retention, who
gets access to THAT data, and so on.

One reasonable concern may be that without any financial or other
incentive, registries will happily give out credentials without being
strict about it. For example, they may give a single login that allows
an entire police department to query unlimited amounts, with no
revocation date. It would only take a single hacked computer for a
criminal to get this information and be able to access the private data
via the RDAP system.

What I think might be useful is some recommendations and guidelines
for the handling of credentials and logs of RDAP access. Some of these
may be limited by laws, but we can push for these to be as transparent
and fair as possible. For example, it could recommend that RDAP server
operators build a transparency report based on the access:

https://en.wikipedia.org/wiki/Transparency_report
 
"Canadian police looked up 457 user records last year. American police
looked up more than 0 user records last year, but we are not allowed
to say how many. UK police looked up 2423511 records last year. The RIAA
looked up 51421734 records last year. 23431 records were looked up
by users who reported their credentials stolen, and 12112 of the
individuals were notified successfully that their information was
leaked."



Apologies again for the length.

If any of this makes sense I suppose I could help put together feedback
to one or both of the proposals. We have time, even with Christmas
coming. :)

Cheers,

--
Shane

At 2015-12-08 19:51:30 +0900
Rafik Dammak <rafik.dammak at gmail.com> wrote:

> Hi Shane,
> 
> Thanks for this introduction and looking forward to your participation. Your
> input will definitely be helpful, and things such as the Yeti DNS project would
> interest many here. There are several topics that need technical insight,
> like policy around whois (
> https://www.icann.org/public-comments/rdap-profile-2015-12-03-en and
> https://www.icann.org/public-comments/rdds-output-2015-12-03-en)
> 
> With regard to ICANN accountability, there is an NCSG webinar scheduled
> today at 16:00 UTC to discuss the latest report and the response to it. The
> confcall details will be sent by our admin support soon.
> 
> Best,
> 
> Rafik
> 
> 2015-12-08 2:15 GMT+09:00 Shane Kerr <shane at time-travellers.org>:
> 
> > Dear Rafik and other fellow NCUC members,
> >
> > At 2015-12-07 21:18:27 +0900
> > Rafik Dammak <rafik.dammak at gmail.com> wrote:
> >  
> > > I am happy as first task as chair to welcome our new NCUC members.  
> >
> > Thanks! It is good to be aboard. :)
> >  
> > > Please feel free to introduce yourself to colleagues here and share
> > > any particular interests and activities related to NCUC, ICANN, etc.  
> >
> > I'm a long-time ICANN skeptic (like 15+ years of skepticism). I come
> > from a mostly technical background, focusing on DNS for the past few
> > years (running and writing DNS servers, working on the protocol, and so
> > on).
> >
> > I was at the ICANN meeting in Dublin and sat in the NCSG session just
> > to see what was going on. I was pleased to see the NCSG-related work
> > that seems to be going on in accountability and in other areas. I
> > mentioned this to several people afterwards, and a couple of NCUC
> > members (you know who you are) suggested that the NCUC could use more
> > technical people.
> >
> > I'm happy to help as best I can, hopefully more on the side of
> > providing some input from the technical community and not so much on
> > the policy development side. ;) Feel free to contact me here or directly
> > for any reason.
> >
> > Cheers,
> >
> > --
> > Shane
> >  


