[gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

[Dan Krimm <dan@xxxxxxxxxxxxxxxx>]

Palmer,

If I may step in here (and shift this discussion over to the Subgroup B
list where it properly belongs):

At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:

>Just having the IP address and registrar is not sufficient.  For
>example, one of my banks had a case in which it had to use local police
>in a foreign country to visit the physical address of the website owner
>to get the site taken down.  The bank had tried to get the registrar to
>shut it down without success.  The bank had also tried to stop the site
>with the administrative contact, the technical contact, the abuse
>contact, and the website owner, all with no success.  The registrar was
>also not interested in working with the local police, but the local
>police agreed to assist AFTED the bank provided the police the full
>WHOIS information plus a synopsis of its takedown efforts.

So the question here is, when the bank is involved in valid efforts that
require access to Whois data that is designated as private there certainly
should be a process for that data to be engaged in the process, so what
should that process be?  No one is suggesting that the bank never get any
such information whatsoever.  But some of us are suggesting that private
entities should not get direct access to the Whois data, but rather get
information from formally accountable LEAs who have direct access.

It doesn't mean that private agents cannot contribute to the investigation
process, but that private agents need only be given what they need in a
particular context rather than being given the full range of powers granted
to publicly-accountable law enforcement.  And, that LEAs be responsible for
providing appropriate information to private agents that are participating
in investigation processes.  Once such a policy is well-defined, it is
possible to build technological systems that adhere to those policies and
operate efficiently without unnecessary human intervention.

And if ICANN jurisdiction is insufficient to resolve all structure issues,
that still may not be ICANN's responsibility to solve.

At some point public law enforcement must step up to the plate to do what
needs to be done.  ICANN cannot solve all the world's public problems on
its own, or even those problems that may relate tangentially to the
technical operation of the Internet.  ICANN is not a proper venue to
determine and conduct public governance activities, or to authorize private
execution of public governance.



>Having said this, the Dutch model could ultimately help fill a void on
>the international level by leveraging international pressure on
>recalcitrant governments.  But again, this is not really an alternative
>to what we are doing in Subgroup B, as I understand it.

What exactly are we doing in subgroup B as you understand it?

As I understand it, we are trying to reach some consensus on what GNSO
should recommend to the ICANN Board with regard to determining to whom and
how direct access to private Whois data under the OPoC paradigm should be
granted (by registries and/or registrars).  This does not speak to indirect
access through authorized/certified LEAs.

I have no expectation (or illusion) that what we come up with here will
create a perfect world.  It will certainly continue to be systematically
imperfect from a privacy protection standpoint.  If you are hoping to find
perfection, then that is undoubtedly beyond the scope of this WG or
Subgroup B.

We are not in a position to dictate a comprehensive and airtight resolution
to the full complexity of issues here.  So at least *that* is *not* what we
are doing here.

Dan