ICANN Email List Archives

[gnso-acc-sgb]



Re: [gnso-acc-sgb] "Apply for Access" proposal questions

  • To: gnso-acc-sgb@xxxxxxxxx
  • Subject: Re: [gnso-acc-sgb] "Apply for Access" proposal questions
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Fri, 11 May 2007 02:32:58 -0700

Dan and all sgb members,

  Dan, you ask some very good and relevant questions here
IMHO.  I hope to see some answers from David.

  My answers FWIW, are below Dan's very good questions.

Dan Krimm wrote:

> I don't want to play favorites here, so I have a few questions for David
> about the BC "apply for access" proposal.
>
>  (1) Given the suggestion for "self-certification", how exactly would that
> be evaluated and enforced?  Specifically, why should any random applicant
> be believed when they claim to be legitimate?

My ans:  Self-certification is a non-starter simply because there is no
meaningful way to either evaluate or enforce any penalty on such an
applicant.  First an entity must apply, then is evaluated by some
yet to be defined evaluation process, and then is either approved
after agreeing to comply by whatever rules that also have yet
to be determined and I will assume for now be under some probationary
period in which random non-announced and in-depth inspections and
reviews are done during the probationary period.

>
>
> It seems that this process would pretty much admit just about anyone to
> access the privileged data.  I mean, any random person has an interest in
> "combatting spam" for example -- under that broad criterion everyone could
> get access.

Yes it would seem.  And as such, this notion/idea is for ethical reasons
alone, a non-starter.  For instance I can't reasonably imagine Spamhaus
being allowed to self-certify as a third party given their recent legal fiasco.

>
>
> It will be very difficult to define classes of legitimacy that are both
> accurate and verifiable.  The ones that are verifiable will be very crude,
> and the ones that are accurate will be difficult to verify without formal
> due process.

Yes agreed.

>
>
>  (2) Given that access would be all-or-nothing in this schema, how is there
> any means to ensure that access is only for legitimate purposes?  If an
> applicant may have a single legitimate reason to access a single domain's
> private info, does that mean that the applicant should be given access to
> the full Whois data whole hog?  That would be pretty hard to swallow, even
> if the access is only temporary.

Given what I understand of David's "Apply for Access" proposal,
the answer to the first question here is none, and to the second
question, yes.  Hence again IMHO, why Self-certification is a non-starter.

>
>
> Perhaps it would be better for private entities with narrow interests to
> get narrow access second-hand through public entities with broad access who
> will be responsible for the use of data by those with narrow interests to
> whom they provide access.

Maybe.  The problem with a public entity taking the job, and if indeed
one did, that it had enforcement ability and also was a legitimate well-
behaved public entity.  I am assuming by "public entity" you mean a
public sector entity.  Correct me if I am wrong in that assumption...

>
>
>  (3) Third parties would agree not to share the password, but what would be
> the penalty for violation and how would it be enforced?  If ICANN does not
> have the resources to enforce this policy, then it must fall to others,
> such as registrars or public law enforcement.  If public law enforcement,
> then this might fall under contract law or some similar domain, and without
> significant penalties there will be little incentive to adhere to the
> agreement.

Also agreed.  And ICANN has shown it cannot effectively enforce
many of its own policies, nor follow same.  Additionally some law
enforcement agencies, also cannot, do not, will not, or have not
effectively enforced its policies and on occasion also do not
follow same, example L.A. police department investigative division.


>
>
> An agreement in principle with no enforcement teeth is non-binding in
> practical, de facto terms.  It is worse than no agreement at all, because
> it has the surface appearance of substantive constraint with no meaningful
> constraint in reality.

Very much agreed.  Some one or some entity has to take personal
and full legal restitutional responsibility. And I am sure these some ones
or some entities are not law firms and/or legal organizations, financial
institutions, some law enforcement agencies, most government agencies,
educational institutions, or auditing firms... And definitely not ICANN,
registrars, registries, or the GNSO.

>
>
> Dan

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827




