[discuss] ICANN policy and "Internet Governance"

John Curran jcurran at arin.net
Sat Jan 4 13:45:16 UTC 2014

On Jan 3, 2014, at 8:38 AM, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:

> Some of the other topics -- international crime and so on -- are only
> "Internet" issues in that they happen to be using the Internet as an
> enabling technology.  Apart from a discussion forum to inform national
> lawmaking, what is needed here? 

Andrew - 
  These are Internet-related issues because they incorporate Internet 
  aspects that are not readily separated from routine law enforcement
  If I respond to an email indicating that I need to reset my bank
  password, dutifully enter my username and password as instructed,
  and then find out that my savings has disappeared, it poses some
  very different challenges for law enforcement than if someone puts 
  a device on the ATM (which copies my card info and pin) and then 
  takes all of my savings.

  Yes, it is true that both approaches share a chance of successful 
  investigation and prosecution based on "following the money", i.e.
  the funds transfer which empties the account.  This is one small
  advantage of crimes have financial components (and it is indeed
  a rather small advantage, given the efforts necessary for its use 
  during routine law enforcement matters.)  

  The reality is that the latter theft (based on efforts in the real
  world) offers an abundance of physical evidence; everything from 
  construction of the skimming device itself, to the ATM video footage
  of its installation and/or its removal...

  In the case of the cyberspace-based theft, done via a phishing 
  email, there is literally nothing to go on... i.e. there may be one
  IP address that could be related to origin of the email (but is far 
  more likely just a botnet-infected home PC doing email origination)
  There will be a domain-name or IP address associated with the web
  site that was used to collect the account info, but neither of these 
  are necessarily are a reliable indicator of even the country of the 
  perpetrator, let alone the organization/entity/individual involved.  
  Even if the perpetrator were particularly sloppy, the relationship 
  between any alleged perpetrator and the website is completely based 
  on information in various Internet databases which contain the IP 
  and DNS registrations, and hence the practices related to entry and
  update of these databases are inherently both Internet and public 
  policy matters.

  You readily dismiss these as '"only "Internet" issues in that they 
  happen to be using the Internet as an enabling technology.'  That
  may be true, but we're not going to be able to ever remove the use
  of Internet registration data from the topic reliable attribution, 
  and the topic itself is inherently a public policy matter (i.e.
  governance) that involves significant consideration of tradeoffs 
  involved between privacy, anonymity, protected/free speech, LEA
  expectations, data misuse, etc.

  Now there are similar questions which end up being the realm of 
  national policy-making - for example, the various identification 
  requirements posed now purchase of prepaid disposal cell phones
  in some countries, but the use of such  devices have physical and 
  geographic constraints which make national lawmaking workable.
  That is not possible to claim with Internet registrations, for the 
  practices in each country has a direct impact on ability to perform 
  attribution for alleged criminal activity affecting users in every 
  other country, i.e. the global nature of Internet traffic makes it
  far more difficult to meaningfully address this issue piecemeal on 
  a nation by nation basis.

  Ergo, reliable attribution is an Internet issue with significant 
  governance aspects, and "Internet Governance" (while imprecise) 
  is a reasonable description of the nature of the challenge.


Disclaimer:  My views alone.

More information about the discuss mailing list