igf/igf2018-talks/igf-2018-ws-50-whois-collected-disclosed-and-protected-certs-viewpoint.txt

IGF 2018 WS #50 Whois collected, disclosed and protected: CERTs viewpoint
Format:
Round Table - 60 Min
Theme:
Cybersecurity, Trust and Privacy
Subtheme:
DATA PRIVACY & PROTECTION
Organizer 1:
PABLO HINOJOSA
, APNIC
Organizer 2:
Madeline Carr
, University College London
Organizer 3:
Duncan Hollis
, Temple University Law School
Speaker 1:
Cristine Hoepers
, Technical Community, Latin American and Caribbean Group (GRULAC)
Speaker 2:
Adli Wahid
, Technical Community, Asia-Pacific Group
Speaker 3:
Madeline Carr
, Civil Society, Western European and Others Group (WEOG)
Speaker 4:
Chris Buckridge
, Technical Community, Western European and Others Group (WEOG)
Speaker 5:
Alice Munyua
, Government, African Group
Additional Speakers:
Becky Burr. ICANN Board member.
Farzaneh Badii. Noncommercial Stakeholder Group. ICANN.
Relevance:
This roundtable is about the importance of CERT continued access to Whois data, with proper balancing of renewed privacy considerations, as a key topic for international cyber security discussions. This is a topic that has not been explored enough in the recently intensified debate about privacy in the Whois databases.
--
All of us recognize the utility and importance of the Whois database. It started as a directory service to contact network operators or domain name holders whenever there is an issue. It also has served as a title registration system. Over the years, law enforcement agencies have used the Whois database for attribution, basically to help them identify bad behavior online. With GDPR into effect, there have been renewed discussions about Whois and privacy: What data is or should be collected? What data should be disclosed? How can privacy be protected?
--
In March 2018, the Chair of the Forum of Incident Response and Security Teams (First.org), sent a letter to ICANN and the GAC arguing in favor of CERTs eligibility to access non-public Whois data. "An incident responder within private sector, academia, may have responsibility over multiple client or organization networks, and need access to Whois data to investigate malicious activity", the letter says. However, further complicating this dynamic, incident response teams are not always accredited by respective governments, likely preventing their continued access if a tiered access policy is established.
--
This roundtable will be the 3rd iteration of a series of IGF workshops (Guadalajara, Geneva and, hopefully, Paris), that have successfully brought together the CERT and the technical / policy communities to discuss relevant cyber-policy matters. In 2016 we opened the debate with “NetGov please meet Cybernorms”. In 2017 we discussed “International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity”. In 2018 we would like to talk about the importance of CERT access to Whois data as a key topic for international cybersecurity.
Session Content:
The objective is to have a discussion about Whois that is not ICANN-centric and not GDPR-focused. Reference to diversity of Whois services available. Talk about the original technical purpose and the importance of continuity of service.
Much has happened at ICANN in terms of an Expedite Policy Developing Process and discussion about an Universal Access Model, that I think it is important to share, though with not much detail.
Of interest is the CERT community assessment that Whois is an important tool for their work and their concerns about how to legitimize their access even if they are not National CERTS.
See:
https://www.icann.org/en/system/files/files/gdpr-comments-first-icann-proposed-compliance-models-25mar18-en.pdf
The workshop is part of a series about bridging Internet governance community with the security community. This will be the third workshop,
first one
in Guadalajara called “NetGov, please meet Cybernorms. Opening the Debate. The
second one
in Geneva called “International Cooperation between CERTs: Technical Diplomacy for Cybersecurity.
As Whois is quite narrow in the great scheme of cybersecurity issues it is important that this workshop won't go deep into the status and details of the discussions about EPDP, but more about the overall importance of Whois for technical purposes and how the Security community, including governments, can get a better understanding of why this is important and how the policy decision-making process works: Is it community lead? Or government imposed? And how are the interests being aggregated. The need as well, for the security community to have a say on these matters.
Interventions:
We have approached members of the CERT community (First.org and CERT.Br), academia (UCL and Temple University), Whois implementers (ICANN and RIRs), government and policy experts (GAC, national). We are also planning to have private sector participants, particularly from ISP's and Domain Name Registrars. We have non-commercial stakeholders onboard (NCSG of ICANN). This will provide a broad view of the subject and, being a roundtable, an open discussion that will accept questions from an interested group of participants.
Diversity:
We have gender and geographic diversity in the group of people that have committed to participate in this workshop. We have North-South perspectives, and also important for this discussion, European and non-European perspectives.
Online Participation:
In our previous workshops we brought remote participants that successfully contributed views to the workshop. We also had good turnout of live attendants. And also many viewers after the workshop. It is the same expectation this time, with more targeted promotion through social media and direct invitations to experts previous to the workshop.
Discussion Facilitation:
In the past workshops, a team of speakers have been responsible of laying out the core of the discussion. Team members have learned about each others points of view and have had coordination meetings beforehand, so at the time of the workshop their interventions are well prepared and not improvised. This has proved successful in keeping the discussion focused. Just as in previous workshops, we are promoting a roundtable format and not a panel. This means that there will be other participants that would be welcomed into the discussion, that are expected to provide fresh views and pointed questions. These interventions will be artfully interlaced by the moderator throughout the session, without loosing sight of the overall outline. This has proved to be a successful formula for having open discussions, yet also ones that arrive to a conclusion or agreement at the end.
Onsite Moderator:
Duncan Hollis
Online Moderator:
Adli Wahid
Rapporteur:
Pablo Hinojosa
Reference Document:
https://www.icann.org/en/system/files/files/gdpr-comments-first-icann-pr...
Agenda:
10 minutes - Introduction: primary use and purpose of WHOIS. Accountability on the Internet. Anonymous behavior.
30 minutes - Discussion: Use of Whois by the CERT community. How IP address operators or domain name holders are informed about a security incident affecting them? Can registration data help identify individual malicious actors? Why is important that CERTs maintain access to Whois private data? To what degree has the security community made a successful case for the collection of WHOIS data under GDPR rules? What existing or new technical means of access can be used and deployed to provide access to a limited set of accredited security actors? Who accredits the security actors?
20 minutes - Answering to questions.
10 minutes - Closing
Session Time:
Wednesday, 14 November, 2018 -
12:30
to
13:30
Room:
Salle IX