[db-wg] IRT object postal address

My apologies to all for this tardy reply.  I am juggling too many alligators.

In message <CAKvLzuE+RoNgGXL8TU3r4E5dOtOd3uweB9UzFJhgnOmpBruU+g at mail.gmail.com>
denis walker <ripedenis at gmail.com> wrote:
>{... snipped...}

There's a famous line from the classic Paul Newman movie "Cool Hand Luke"
(1967) that I am often reminded of:  "What we have here iis a failure to
communicate."

Although I place the odds  of my being able to rectify this unfortunate state
of affairs at no better than 50/50 I am obliged now to at least make the
attempt, which I shall do by providing some brief context about myself and
my background which may help to explain my outlook and viewpoint(s).  I will
then expend a fw electrons also on explaining exactly why the data that is
being proposed for redaction is of value to open source researchers, and
thus, by implication, why none of it should actually be redacted.

Many people on this list, and elsewhere, don't know a thing about me and
thus don't know why I tilt so strongly in the direction of transparency
and accountability over personal privacy, at least in some contexts.

Briefly, I have been on the Internet since before it was the Internet.  After
graduating MS/CS, in the year 1984 I took a software development job with a
small software company in Silicon Valley that was developing educational
software for what was then the recently introduced IBM PC.  (That company
has long since gone bust.)  I had several job offers to choose from at that
time, but I specifically elected to join that company because they had a
shiny new DEC VAX 11/750 _and_ a connection to what was then still called
the Arpanet.  I had a strong suspicion, even back then, that networking of
computers would become an important thing to know about in the future.

Fast forward to around 1999/2000 and you'll find me at home in Sunnyvale,
California doing contract software development work in the second bedroom
of my apartment on my personal Sun workstation which had its own unique
node name on what was called USENET, which was somewhat of a forerunner
of the Internet, at least for a lot of us who could only afford dial-up
connections at that time.

At around this time, email spam became a thing.  I was horrified.  In that
era, back before the arrival of the many "instant messenger" apps that we
know today, email _was_ our "instant messaging" and I usually responded to
incoming emails within seconds.  You may all thus understand my irritation
at being frequently interrupted from what I was doing by the latest piece
of incoming email spam... those frequent interruption producing in me a
state of mind that was arguably similar to a type of enraged psychosis.

I knew then as I know now that mass email spamming could be the death knell
of email as a useful interpersonal communications medium if left unchecked.
And indeed, in some of the years since, some estimates have put the percentage
of total emails sent that are spam as high as 95%.  I resolved way back at
the dawn of the new millennium to do all that I could to fight back against
this scourge of spam.

In the period 2005-2008 I was among the first people in the United States to
actually sue spammers under the relatively new state and federal anti-spam
laws.  This effort was unfortunately hamstrung by my relatively ineffective
legal representation at the time, but it did produce at least some deterrent
effect, and also at least some positive results in the way of putting some
spammers out of business.

One of the first lessons my attorney taught me during this time period was
one that seems self-evident when you know anything about legal processes:
Before you can sue someone you have to know both who they are and where
they are... so that you can name them and serve them with papers.

Because spammers, both then and now, go to extraordinary lengths to hide
both who they are and where they are, it was.. and remains... far more of
a challenge to find this information than most people would imagine.  And
since my lawyer was a relative neophyte at doing what has since become
known as "open source research" it fell to me to try to suss out the
identities and locations of various spammers so that we could sue them,
based mostly on whatever small scraps of information and inference could
be had in relation to any given case/spammer.

I dove into this task head first and over the years have became pretty good
at teasing out the identities of these Internet miscreants to the point where
nowadays, due to various data bases I have access to and various software
tools I have written, I can positively identify upwards of 90% of all
spammer operations, because even though they try their best to obfsucate
both who they are and where they are, almost all of them make a number of
small mistakes -- small slip-ups in their OPSEC that can be leveraged
against them.

More recently, I have applied a lot of these same techniques and open source
research approaches to finding and outing other type of Internet miscreants,
and I have had many good success at this also.

But to return to the beginning, as noted above, I started down this path
because _my_ privacy was being routinely violated... by email spammers.

I am an ardent believer in personal privacy, but I also believe fervently in
transparency and accountability, specifically for those Internet miscreants
who abuse the privacy of others, as spammers routinely do, as well as any
and all criminals on the Internet.   They deserve no quarter and I give them
none.

In the old days, if one was being spammed from some domain name `D', and
if one wanted to ind out who was doing this, then one could begin by simply
looking at the WHOIS record for domain `D' to find out who registered that
domain name.  This was, of course, most helpful to any effort to hold the
relevant spammer(s) accountable.

All that began to change when ICANN, in its infinite wisdom (and under
pressure from greedy and unprincipled commercial interests) decided to
approve a scheme under which people could use proxy agents to register
domain names on their behalf, paying the proxy agent some small fee in
return for the proxy agent putting _their_ contact information into the
relevant WHOIS records instead of the {name,address,phone,email} info that
belonged to the actual domain name registrant. Naturally, this new ICANN-
approved "feature" quickly became a huge leap forward and a huge advantage
to spammers and other Internet miscreants who wished to hide themselves
from any and all public accountability.  And vast numbers of them have since
leveraged this ICANN-approved "feature" to the hilt.

More recently, an even more deleterious and damaging innovation has arisen,
this time with only the tacit and implicit blessing of ICANN, which, we
should remember, is funded 100% via domain registration fees.

In a nutshell, the arrival of GDPR has allowed most domain name registrars,
both large and small, to make two claims, only the first of which is even
arguably true:

   *)  GDPR compels us to redact out of the domain name WHOIS records that we
       publish the normal contact information in cases where the domain name
       registrant is a natural person.

   *)  It is too hard for us to figure out which domain names are registered
       to entities other than natural persons, so we're just going to redact
       out ALL information from ALL of the WHOIS records that we publish
       (and if ICANN doesn't like the fact that this is a clear breach of
       our accreditation agreement then they can sue us).

The result of these two claims, and of ICANN's reluctance to actually hold
any of the accredited registrar companies that send them fat checks every
month accountable means that today, and for some several years now, many/most
domain name registrars have redacted out all or nearly all useful information
from all or essentially all domain name WHOIS records.  This is true for
GoDaddy, for Enom, and for many many others.

Quite obviously, this makes the task of holding domain name registrants
publicly accountable essentially impossible, short of a full blown lawsuit,
and expensive _preliminary_ discovery, just to find out who the hell the
real domain name registrant even is.

In effect, any small-time crime associated with a given domain name is not
worth anyone going to court over unless the loss involved amounts to at
least a five figure sum, in either dollars or euros.  All of the small
time crooks and all spammers thus get what amounts to a free pass, all
courtesy of reg domain registrars and their lapdog/lobbyist, ICANN.

(Note that the one and only party that has legal "standing" to sue over these
gross breaches of written and signed ICANN accreditation agreements is ICANN.
None of us mere mortals can do a damn thing about any of this crap if ICAAN
itself donesn't feel like doing anything about it.  And ICANN clearly doesn't.
It quite sensibly has elected not to bite the hands that feed it, i.e. the
domain name registrar companies.)

For years the domain name registrar companies have all wanted to make
WHOIS records... which to them represent their customer lists... private.
The reason is both simple and obvious.  They don't want their competitors
poaching their customers from them... something that might be possible if
domain name WHOIS records were not redacted.  And indeed, domain name
registrars became a LOT more interested in the idea of suppressing the
traditional domain name WHOIS records after one company among them (Verio)
was caught red handed, poaching customers from a competing domain name
registrar (Register.com) back in 2000:

https://www.whoisfinder.com/news/200007/verio-poach-customers.html

The bottom line is that for anyone doing "open source" research, the greed
of the for-profit domain name registration industry, coupled with the
obvious connivance of ICANN has rendered the entire WHOIS system for domain
names utterly useless.  And it has been in that state for several years
already.  The whole damn thing is just one big joke now... a sad and
moribund echo of a forgotten era when people people of good will who
believed in accountability made the rules on the Internet, rather than
corporations, jelously guarding what they feel are their proprietary
corporate secrets and interests.

This... the utter destruction of the entire global WHOIS system for domain
names... was all done using GDPR as a convenient and readily available excuse,
even though by its clear terms GDPR only applies to the personal information
of natural persons and _not_ to the contact information for corporate entities,
or academic or government institutions.  The dmain name registrar companies
don't care.  They happliy threw out the baby with the bathwater and have
redacted _all_ domain name WHOIS records, regardless of the type of legal
entity (natural or non-natural) of the associated registrant.  (Meanwhile,
ICANN stands around with its thumb firmly up its backside, because it suits
ICANN's obvious financial interests not to make any waves about any of this.)

The above is the backdrop against which everyone should consider these
recent proposals to redact stuff out of the RIR WHOIS data bases.  There
is history and there is precedent to be mindful of, i.e. the global WHOIS
system for domain names.  That has ended as badly as possible, as any
fair-minded and neutral observer with open eyes can readily see.  The
entire system was whittled away, little by little, until it was rendered
entirely useless by the purely commercial interests that had an agenda
to kill it by any means necessary (and GDPR became their convenient excuse
to do exactly that).

This end result may serve those narrow commercial interests.  I would argue
however that by reducing public accountability, this final death of the
domain name WHOIS system has _not_ served the interests of the broader
worldwide community of Internet end users, and that quite the opposite,
we all got screwed.

But let's get down to brass tacks and look at the specific claims that
have been made in defense of these recent RIPE WHOIS redaction proposals.

The easiest claim to dispense with is denis' claim that I have some sort
of secret unspoken agenda.  I have none.  My only agenda is the same one
that I have been quite publicly pursuing for more than 20 years now, i.e.
transparency and public accountability for public acts.  (And I should
clarify that as far as I am concerned, ownership of a domain name or a
block of IP addreses on the global Internet is inherently a very public act.
Anyone wishing anonymity can easily obtain that by availing themselves
of the ample opportunities for anonymous speech provided by any number of
existing services and/or web sites on the Internet that cater to exactly
that, and anyone who claims that they can't speak or interact freely on
the Internet without owning their own domain name or IP block is simply
lying in defense of an inherently and provably indefensible position.)

Conversely, I believe that it is more than a little appropriate to raise
the question of the unstated and private political agendas of the only
two people who seem to be pushing these redaction proposals.  I believe
that their views on these matters may be rightly considered to be out of
the mainstream, and perhaps even motivated by personal rather than public
interests.

Denis goes on to argue that because no one will ever physically visit any
mailing address that is present in any RIPE WHOIS record, that these things
are thus, and by definition, useless.  He further argues that since any
address or any other member-specific field in any RIPE WHOIS record may
have been entered, by the member, with malice aforethought and to be
intentionally and deliberately wrong and misleading, that this information
cannot be either used or useful.

Speaking as one who has twenty+ years of open source research to his credit
I assert most adamantly that both of these contentions on Denis' part are
not only wrong, but provably so.

It is not necessary to physically visit a given mailing address in order for
that address to be useful to a researcher.  Through the wonders of modern
technology, it is now possible, courtesy of Google Street Views to virtually
stand outside of the (alleged) place of business of the vast majority of
RIPE members no matter where on planet earth they claim to be.  And I myself
have done so innumerable times -- an exercize which can be quite enlightening
in many cases.  For example, if you find yourself virttually standing out
in front of what should be a web hosting company, but are instead face to
face with a plastics recycling plant, then that fact alone can and does
speak volumes about the honesty, or lack thereof, of the web hosting company
in question.

Seprately and additionally, just by googling the alleged street address of
a given member, or a given member's purported admin or tech contact, you
can often learn things that can be of much interest to a legitimate open
source researcher.  One such case arose recently in connection with an
ARIN member, designated by the symbolic handle SL-206, whose purported
mailing address in the Caribbean nation of Nevis & St. Kitts turns out to
be one that is inhabited by a veritable plethora of corporate entities,
all apparently doing businss out of the same single tiny mailbox on the
island of Nevis.  (For more info on this case, see the recent large thread
about this on the ARIN Public Policy mailing list -- arin-ppml.)

Finally, and perhaps somewhat counter-intutively to those who are not in
the habit of doing open source research, it is not necessary for the
mailing address of any given person or entity to be _either_ correct /
accurate _or_ even real in order for the address itself to be useful to
researchers.

As noted in the preceeding paragraphs, one of the first things that any
researcher worthy of the name will do when given an address, either real or
fictitious, is simply to google it.  I cannot count the number of times
that this extremely simple-minded and obvious step has led to a wealth of
other relevant and useful information, even if the address in question is
totally fictitious.  (A lot of spammers and cybercriminals are just lazy,
and once they have selected and begun to use a given mailing address, even
if it is totally fake, like "1 North Pole", they quite often will use it
over and over again, in connection withy other Internet resources they
have registered and/or on various web sites, including but not limited to
social media web sites.)

In addition to all the points above, I should also note, for completness,
that sometime it isn't even the specific text of a mailing address that
is of significants to the researcher.  Sometimes it can even be just the
form or format of the address that represents a telltale sine qua non of
a particular Bad Actor.  I know of at least one case where I have already
found this to be true, some time ago, in relation to one specific Bad Actor
in the RIPE region, specifically.  But I shall not discuss that case at all
here or now.  For now, I will just mention a different case that I worked
of a spamming enterprise that almost invariably registered its multitudes
of domain names with Register.com and which invariably did use mailing
addresses that all ended with some specific box number.  I can't go into
this case in too much depth either, but suffice it to say that although
the number and street name and the box number were always different, the
lexical syntax in which these three address elements appeared in all of
the relevant domain name WHOIS records was both somewhat unique, and also
always the same.  Here again, even though I would indeed never physically
visit any of these P.O. boxes, and even though none of them may have even
really existed, the mere presence of the lexically/sytlistically consistant
mailing addresses was useful when it came to being able to associate
multiple (domain name) assets with a single specific Bad Actor.

The bottom line is that asumptions about what may or what may not be useful,
e.g. to open source researchers, should probably not be made by people who
are not themselves actively engaged in doing this often difficult work.
For us, *all* information is potentially useful, and this fact alone
explains why I personally hold the opinion that I do with respect to
current proposals to perform what would seem to be unnecessary data
redactions... redactions that are being pushed by just two individuals,
apparently based on (a) misunderstandings of applicable law and also (b)
personal preferences and prejudices that value privacy above either
transparency or accountability.


Regards,
rfg