|
In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today, I felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform:
Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams.
Should access to WHOIS data be redacted in any way beyond what it is at present, my work will be made impossible. I spend 90% of my day in WHOIS data, the other 10% sculpting the data in a manner to provide reason and proof to hosting provider and registrars to take action against real-life criminals on their networks.
I also prepare cases for law enforcement to act upon. Contrary to popular belief in some quarters, LE cannot possibly begin to know about the stuff I (and my many, many colleagues) see until we tell them. That’s how it works. Any of the big botnet and crime ring take-downs and arrests you’ve ever seen have involved a public-private collaboration between individuals, researchers such as myself, and law enforcement.
So, I’d like to issue congratulations to all those who want to redact. You will, without a single iota of uncertainty, will expose many more people to real—not potential or hypothetical—privacy issues of a far more serious nature than you could possibly imagine, all in the badly mangled, misguided, and muddleheaded notion of what privacy actually is in the real world. ‘Cut off your nose to spite your face’ has never been more apt.
I hope you tell your Mom, family and your friends what you are trying to do here, while I spend my time trying to protect them from real evil: Revenge porn. Identity Theft. Plain old theft. Stalking. Photographic representation of the rape of children. Trolling, leading to the destruction of people’s lives. Emptied bank accounts.
Tell them you don’t want me to be able to do my job, and that you are trying to make it impossible, because you think access to the data that has been public and without challenge under the world’s privacy laws for twenty years is better off limited to the point of uselessness, sacrificed on some misshapen altar of privacy.
If I sound angry at what you are attempting to do, then I’ve hit my mark. I am furious. The security sector is furious. We are terrified that you may have any degree of success in this regard, because you apparently don’t know, or don’t care what the actual results will be. Placating with ‘gated access’ means there will be some among my peers and colleagues, far more talented and effective than I, who simply cannot gain access, and the resulting mess will be on your head, and at risk of overstating my case, the blood on your hands.
So again, congratulations. Mother’s Day is coming up. Be sure to make mention of this in the card you send. Now, if you’ll excuse me, I’ll go back to diving in the data lake of WHOIS, trying to keep spam and far worse evil off’ve your network.
K bye tnx.
Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Twitter : @cauce
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com
I have to agree with the above, and I’d go one step further: WHOIS information is not and should not be private. Ever.
In law there’s a separation between a person and a business. Even if that business is a sole proprietorship and pretty much equivalent to the person, it’s still considered different from the person under the law. As a person I have a right to keep my information private. The business, however, affects the public and is public and the law says the public has a right to know who’s legally responsible for what the business does so they can hold the business legally responsible when needed. No matter what contortions I go through, I can’t use my right to privacy as an individual to mask from the public who’s legally responsible for my business. If I operate a car, even as an individual I can’t keep my identity as the owner of that car private. It’s on file with the DMV, I’m legally required to disclose it as part of registering the car. If my car then causes an accident, the victims can find out who’s legally responsible for the damage the car caused and I can’t hide from them. A domain should be no different. When you set up a domain you step into a realm where what you do affects the rest of the Internet. You are no longer just a private individual, you now have another hat to wear as the entity responsible for a domain and what it does.
You’re worried about being spammed? Welcome to the real world, bucko. You think business owners don’t get lots of annoying mail? Hah. That’s one of the things that comes with operating a public entity. I’ve figured out how to deal with it over the years, literally millions of other people have, you can too. You’re worried about your address being public? Suck it up, buttercup, your address is probably already public and published in the phone book. If it’s a major problem, get a post-office box and use that as your snail-mail contact point. Phone number? There’s too many VoIP options you can use to weed out the telemarketers and scammers, and again this is something anybody operating a public entity’s had to deal with for decades. And think about all of those problems and where they come from. That’s right, domains and networks that conceal the identity of those legally responsible for what those domains and networks do. If they couldn’t conceal that from the public, you wouldn’t have the problems you’re trying to complain about.
I’ve been operating a domain with my contact information public for 17 years now. Don’t tell me it can’t be feasibly done. And don’t tell me it’s too technical either. For crying out loud we’re close to finishing the second decade of the 21st century, basic technical skills should be as common now as the ability to do basic car maintenance (change the oil, replace a flat tire) was when I was growing up.
Dear Neil, My mother already knows what I do and she is very proud of it. She was the one who taught me never to give out my name and address without knowing who they were going to and how they would be used. She was the one who taught me about the persecution of people who share unpopular ideas, even if those ideas are valid, even if those ideas change and help the world. I have since gone on to work with noncommercial organizations worldwide, including political dissidents, religious minorities, ethnic minority organizations and groups who work on unpopular but critical sexual, gender and political issues lead to threats against them. My family and friends support fervently the effort to protect Free Speech and Free Expression, and the right of people to share unpopular ideas (including in the DNS) without sacrificing their lives or their families' freedom. What you forget is that the right of anonymous political speech is protected under the First Amendment (check the Bill of Rights at the National Archives, which my sister proudly helps run). Just 22 years ago, the US Supreme Court clearly proclaimed: ""Anonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind." Talley v. California, 362 U.S. 60, 64 (1960). Great works of literature have frequently been produced by authors writing under assumed names. [n.4] Despite readers' curiosity and the public's interest in identifying the creator of a work of art, an author generally is free to decide whether or not to disclose her true identity. The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. Whatever the motivation may be, at least in the field of literary endeavor, the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry. [n.5] Accordingly, an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment." McIntyre v. Ohio Elections Comm'n, 514 U.S. 334 (1995). Even if we can't have anonymity, we can have and maintain privacy. Since your organization is based in the US, your might want to tell "your Mom, family and your friends" that you don't really believe in the First Amendment. But for my family and community, we celebrate Free Speech and Free Expression with the protection of not having to put our name and address on every potentially unpopular statement - it is a right and a protection we proudly defend.
First off, domains themselves aren't speech. What you post on servers in those domains is speech, but the mechanics of the domain itself aren't. It's much like operating a car: you may be using the car to distribute material that's speech and whose author's entitled to anonymity, but the operation of the car's entirely separate and isn't subject to any free-speech protection. Second, even if they were speech, not all speech is amenable to anonymity. If you want to set up a storefront to distribute your writings, you aren't going to be able to do that anonymously. You're going to need to provide your identity for the business and other licenses you need to set up the storefront and the city isn't going to accept you refusing to provide it because you want to remain anonymous. Similarly if you want to hold a rally at a public park, you're going to have to provide your identity to get the permits to hold the rally. Whether or not your materials themselves qualify for protection of anonymity, if you choose those methods of distributing them then anonymity simply isn't an option.
I agree with you on the notion that those engaged in business activities ought to obtain appropriate business licenses. But that is a matter quite divorced and separate from domain name registration information and the two activities ought not to be conflated. I'm not sure, however, that users would check those licenses, our experience with TLS certificates has not been all that good: It would be nice if internet users could be taught to walk back chains of license credentials - even alerts generated by the limited walkbacks by browsers of TLS credentials are often ignored by users. BTW, over the decades (I've been on the net since it began in the early 1970's) I've used several (as in probably well more than a hundred) domain names for various activities, both commercial, personal, and community. Pretty much every registration has resulted in an avalanche of unsolicited contacts, online and off, promoting all kinds of snake oil. Much of it continues for years even after a domain name has been transferred or abandoned. We've pretty much gone to "private" registrations for everything and found our lives much improved. BTW, you might like the thought experiment I set up: http://cavebear.com/eweregistry - a registry that is intended to be 100% legal yet would violate a large number of ICANN privacy busting and business-intruding requirements. (I really ought to finish the code and deploy it for real. ;-)
You are basically saying that because there is some good coming from public whois, because it helps some private vigilantes to carry out their investigations more easily, it is absolutely fine to violate the privacy rights of millions of registrants who would rather not have their private data plastered across the internet, harvested by anyone for whatever purpose, be spammed by domain slammers or worse, have their legal right to privacy violated?
It is OK to put contracted parties in a position where they knowingly would have to violate applicable law and face extremely high penalties (coming soon)just to facilitate the hunt for a few criminals?
Sorry, or rather not sorry, but no! Public whois must go!
So you claim:
“I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams.”
Good for you, but have you ever stopped and though about where those criminals got the data of their victims? Some of that data comes directly from whois.
Very little. WHOIS first off includes data on a relatively small portion of the Internet population, and an even smaller portion of it's data on individuals as opposed to corporate or organizational entities (who should be using corporate/organization contact information rather than the information of a particular individual to avoid succession problems as responsibility shifts from person to person within the company/organization). Of the data that's there, only phone numbers are in any way confidential and the people doing phone spam or scams aren't the sort to be collecting their data from WHOIS (or from any source, more often it looks like they get the list of exchanges for a given area and then hit all possible 4-digit lines in each exchange).
I believe that domain name registration information is private and must be kept that way.
Those who want to play as if they were law enforcement must follow the same rules that law enforcement is supposed to follow: Before they can access private information they must do several things:
1. Identify themselves to the data subject so that, unlike Joseph K in “The Trial” the data subject, and the public, will know who is looking.
2. Make a concrete accusation of why the accused person and domain name are in violation of a specific law.
3. Produce concrete evidence to support #2, above, to a degree that creates “probable cause” that the accusation is, in fact, true.
4. A third, disinterested, party looks at the accusation and evidence and makes a ruling whether it is adequate to proceed.
5. Notice is given to the accused and an opportunity is given to rebut the accusation.
6. Take only materials related to that accusation, and make a log of what is taken.
5. Disclose that information only those working on that matter and destroying that information when the matter is closed.
I would go further and suggest that this ability to even ask to open domain name registration records be restricted only to bonded licensed persons who will lose that bond and license should they abuse their powers. Moreover, at the end of every year there should be a public journal of their actions so that the public may see who apparently acting in ways that might suggest abuse of authority.
I also recommend that those who go forth on white horses to attack putative ill doers of the domain name space read two books - “The Oxbow Incident” and “Don Quixote”
I hope that nobody involved in this exchange of words remains under any delusion that there is an actual conversation going on here. This disagreement has been going on for longer than this website, and the parties on each side should simply acknowledge that they are ideological enemies with incompatible belief systems. You can cheer if the powers that be make arbitrary decisions of which you approve, per Neil, or piss and moan if they don’t, but I doubt that anyone with the actual authority to make such decisions cares about any of the principles being debated here, or what any of us think.
In other words, to the limited extent that this tedious exchange of words is not simply tub-thumping, it’s basically futile anyhow. You can tub-thump if you want to, of course, but don’t mistake your activity for productive debate or effective political agitation.
yup. We all have touched this stove and burned our hands. In that I mean we fire our "word cannons" at the comment thread in support of their (or their employers') facts, opinions, perspectives or feelings. The challenge in sitting back and not engaging on the dialog is that it allows one perspective to dominate and be perceived as truth. Often those who make policy read the comments in places like this and use the discourse as part of their measurement of public opinion or if they have prejudice in one direction or another, pull arguments that support their position from places like this as rationale for action.
Neil, first off, thank you for your tireless efforts.
That may not be said enough
Now that it is said…
The very same a-holes you are combatting are empowered by the data that is being campained for. For every domain I register without privacy, I receive some form of harrasment. These harrasments come in many forms, by email, post, and telephone, and range from nuissance solicitations of commercial offers to perform web design or hosting all the way to fraudulent lawsuit theats alleging to be from the IRS by robo-dialers.
These coincide exactly with accurate whois information being provided as the vector used by the peers and marketers, because I have tested this by alternating the email address and phone number and address used with registration to those that I set up specifically for a registration.
While I applaud your work in “cleaning up the streets”, if we better enable those who offend or enrich a higher volume of crap in order to aid you, this will only serve to compound the very problem you seek to solve, and worsen the experience of many for the sake of the few.
I suspect LEA have better than good access to the data you seek. Perhaps to the degree which your efforts might be aligned, perhaps it might be prudent to collaborate more closely with them.
A few questions to try to move this forward a bit:
1) Did you really mean that WHOIS data should be public or just that it should remain available to anti-abuse researchers?
2) If it was not public but was available to anti-abuse researchers under special license and you were identity checked first then would you agree to that?
3) Would you be able to do your job if that license prevented you from sharing the WHOIS data you had special access to?
The problem comes when we start looking at the definition:
Can anyone self-declare as “anti-abuse researcher”?
Can Iranian or Syrian thought police?
Can spammers?
Can whois republishers?
Should access be limited by jurisdictional borders, e.g. “researchers” in a certain jurisdiction only access data on data subjects in their own jurisdictional boundaries, maybe with a notice whom to contact if they need access to the data of someone outside their jurisdiction?