RE: [gnso-acc-sgb] Bank question
- To: <gnso-acc-sgb@xxxxxxxxx>
- Subject: RE: [gnso-acc-sgb] Bank question
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Fri, 11 May 2007 12:52:30 -0700
Thanks for your reply Palmer,
At 7:42 AM -0500 5/11/07, Palmer Hamilton wrote:
>... Your specific questions about the mechanics of the supervision
>are certainly valid issues that would have to be developed. For
>example, the bank regulators could withhold further access for
>impermissible use of the data. Regulators also have various tools they
>can apply to banks acting improperly. They can assess civil money
>penalties. They can issue cease & desist orders. They can order
>restitution in certain cases.
The ultimate question here is whether "the mechanics of the supervision"
create a meaningful deterrent to abuse of data access by banks. If not,
then they are insufficient to address the privacy issues.
For example, banks have lots of money (not just that of others, but their
own as well) and thus civil money penalties may be entirely acceptable to
banks as a cost of doing business, so if that method is chosen, those fees
would have to be punitive in magnitude in order to be meaningful.
Withholding further access is a double-edged sword, because it could impede
valid anti-fraud activities, thus going too far as punishment. Yet, it may
be that only something that serious would get the attention of bank
officials. Perhaps it would be more appropriately targeted to pre-screen
access through some sort of publicly-accountable due process.
C&Ds may take time to work through a court process, and may allow a great
deal of abuse to occur before any resolution is achieved.
And full restitution may not be possible if something like ID theft is
involved.
In short, after-the-fact response to data abuse may not be sufficient to
provide for effective protection of personal privacy of people who are
innocent of wrongdoing.
Banks are indeed powerful institutions in our societies across the world.
When it comes to banks and public governance, sometimes people can honestly
wonder who is running whom. If banks are going to become a class of
secondary "watchers" in our society, then it is prudent to get answers to
detailed questions about who watches the watchers, and how effective that
watcher-watching is before approving an expanded delegation of authority to
those secondary watchers.
We must place a certain amount of trust in public law enforcement, and it
may be that only after-the-fact monitoring makes sense for such LEAs, but I
would propose that a higher standard ought to apply to non-public agents --
this is why legal due process exists in the first place: to ensure
accountability to the public interest.
Some sort of pre-screening authorization on a case-specific basis seems
warranted for any secondary watchers, rather than blanket access on a
willy-nilly basis.
It seems to me this is a completely different class of behavior from
deposit insurance regulation (where post-facto restitution is generally
more effective), and government regulators whose resources are adequate for
that purpose may not be up to the task of oversight and enforcement of
privacy-related matters.
Not all "government" is commensurable, and you can't just slip a square peg
in a round hole.
Also, it may be that this WG cannot solve this problem of public governance
on its own. IMHO that should not tie our hands when considering the
protection of privacy of registrant personal data.
The open-access paradigm that is currently in place may be an addiction
that certain sectors of the private anti-fraud world have gotten hooked on,
but I'm not sure that we should take that as a precedent for a healthy
structure of operation for society. It may be that others in the realm of
public governance will have to work to resolve some of these issues in
their domains, rather than in ICANN's jurisdiction.
Dan