[discuss] ICANN policy and "Internet Governance"
John Curran
jcurran at arin.net
Sat Jan 4 13:45:16 UTC 2014
On Jan 3, 2014, at 8:38 AM, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> Some of the other topics -- international crime and so on -- are only
> "Internet" issues in that they happen to be using the Internet as an
> enabling technology. Apart from a discussion forum to inform national
> lawmaking, what is needed here?
Andrew -
These are Internet-related issues because they incorporate Internet
aspects that are not readily separated from routine law enforcement
components...
If I respond to an email indicating that I need to reset my bank
password, dutifully enter my username and password as instructed,
and then find out that my savings has disappeared, it poses some
very different challenges for law enforcement than if someone puts
a device on the ATM (which copies my card info and pin) and then
takes all of my savings.
Yes, it is true that both approaches share a chance of successful
investigation and prosecution based on "following the money", i.e.
the funds transfer which empties the account. This is one small
advantage of crimes have financial components (and it is indeed
a rather small advantage, given the efforts necessary for its use
during routine law enforcement matters.)
The reality is that the latter theft (based on efforts in the real
world) offers an abundance of physical evidence; everything from
construction of the skimming device itself, to the ATM video footage
of its installation and/or its removal...
In the case of the cyberspace-based theft, done via a phishing
email, there is literally nothing to go on... i.e. there may be one
IP address that could be related to origin of the email (but is far
more likely just a botnet-infected home PC doing email origination)
There will be a domain-name or IP address associated with the web
site that was used to collect the account info, but neither of these
are necessarily are a reliable indicator of even the country of the
perpetrator, let alone the organization/entity/individual involved.
Even if the perpetrator were particularly sloppy, the relationship
between any alleged perpetrator and the website is completely based
on information in various Internet databases which contain the IP
and DNS registrations, and hence the practices related to entry and
update of these databases are inherently both Internet and public
policy matters.
You readily dismiss these as '"only "Internet" issues in that they
happen to be using the Internet as an enabling technology.' That
may be true, but we're not going to be able to ever remove the use
of Internet registration data from the topic reliable attribution,
and the topic itself is inherently a public policy matter (i.e.
governance) that involves significant consideration of tradeoffs
involved between privacy, anonymity, protected/free speech, LEA
expectations, data misuse, etc.
Now there are similar questions which end up being the realm of
national policy-making - for example, the various identification
requirements posed now purchase of prepaid disposal cell phones
in some countries, but the use of such devices have physical and
geographic constraints which make national lawmaking workable.
That is not possible to claim with Internet registrations, for the
practices in each country has a direct impact on ability to perform
attribution for alleged criminal activity affecting users in every
other country, i.e. the global nature of Internet traffic makes it
far more difficult to meaningfully address this issue piecemeal on
a nation by nation basis.
Ergo, reliable attribution is an Internet issue with significant
governance aspects, and "Internet Governance" (while imprecise)
is a reasonable description of the nature of the challenge.
FYI,
/John
Disclaimer: My views alone.
More information about the discuss
mailing list