RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

[Dan Krimm <dan@xxxxxxxxxxxxxxxx>]

Chris,

I would contend that Whois services have also evolved into a mechanism for
serious abuse of personal privacy that is likely already doing harm in it
own right.

The OPoC proposal suggests making measured changes in such a way as to
restore balance with regard to the various considerations at large.

I would offer that our charge in this WG is to explore how we might best
satisfy the full balance of interests at the table, and choosing one form
of harm over another is not the goal.  No question that this is difficult,
but by the same token we should not be looking to "take the easy way out"
but rather we should be looking for whatever we can find that can address
the greatest range of interests.

If ICANN *does* have jurisdiction for issues of general public policy
interest, then ICANN needs to develop a truly representative political
process to formulate and implement such policy.  I'm sorry to report that
ICANN is nowhere near a state of embodying the kind of structural
accountability necessary to satisfy that role.  Thus, I think we cannot
rely upon ICANN to take responsibility for such jurisdiction at this time.

Let's see what we can come up with in terms of alternative options, shall
we?  You don't know what's out there until you actually go and take a look,
and it seems that many people here simply don't want to even look in the
first place.  That would seem to contradict our charge most explicitly.

Dan



At 6:39 PM -0400 5/11/07, Christopher Gibson wrote:
>Dan,
>
>Given the difficult tasks facing the subgroups, it's tempting to suggest
>that ICANN doesn't have jurisdiction or responsibility, and that law
>enforcement agencies (LEAs) should do more.  The examples provided by
>Palmer and others, however, serve to confirm the GAC's position that WHOIS
>services have evolved into a vital, efficient and internationally-tested
>mechanism in support of a number of legitimate functions.  In this
>context, following the "first, do no harm" principle means that potential
>changes to the WHOIS system need to be evaluated and made only when we
>have confidence that suitable alternative mechanisms to curb abuse are in
>place.
>
>Chris
>
>Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>
>
>Dan,
>
>The problem is a practical one. Law enforcement has limited resources.
>We might wish that were not the case, but it is, and, realistically, it
>will always be the case. Law enforcement, as I set out in my earlier
>emails to Milton, expects banks to do the legwork before it will act.
>Maybe it should be otherwise, but this is not the case nor will it ever
>be the case. In various roles, both in government and working on the
>side of government, I have spent years working on the side of law
>enforcement. I think it is fair to say that law enforcement's approach
>is virtually an immutable law of nature. And frankly from law
>enforcement's standpoint, it must set priorities given its limited
>resources.
>
>If banks do not have access to the necessary information, internet users
>and consumers will be put at much greater risk. It would be nice to
>think that banks and consumers could simply lodge a complaint and that
>the complaint would be immediately acted upon. But this will never
>happen. Law enforcement has too much on its plate. My banks can give
>you page after page of examples to corroborate this. And remember for
>every hour that passes, millions can be lost, including life savings.
>
>Please take another look at the example in my email to Milton involving
>the local police in a foreign jurisdiction that finally agreed to act,
>but only after the bank had exhausted all avenues and done all the
>legwork. Realistically, absent bank access to the local address, it is
>unknown how many innocent consumers would have suffered losses before
>this fraudulent website was ever closed down.
>
>You are right that this is a question of balance. And I would argue
>that consumer protection needs to be prominently considered, not
>dismissed as unfortunate collateral damage.
>
>Banks are closely regulated and monitored entities with public
>responsibilities. Those responsibilities are examined regularly by bank
>examiners. As a result, I would submit, consumer protection ought to
>prevail in light of the protections from a privacy standpoint in the
>existing regulatory structure.
>
>Palmer
>
>-----Original Message-----
>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>On Behalf Of Dan Krimm
>Sent: Friday, May 11, 2007 3:43 PM
>To: gnso-acc-sgb@xxxxxxxxx
>Cc: gnso-whois-wg@xxxxxxxxx
>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
>Palmer,
>
>If I may step in here (and shift this discussion over to the Subgroup B
>list where it properly belongs):
>
>At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>
>>Just having the IP address and registrar is not sufficient. For
>>example, one of my banks had a case in which it had to use local police
>
>>in a foreign country to visit the physical address of the website owner
>
>>to get the site taken down. The bank had tried to get the registrar to
>
>>shut it down without success. The bank had also tried to stop the site
>
>>with the administrative contact, the technical contact, the abuse
>>contact, and the website owner, all with no success. The registrar was
>
>>also not interested in working with the local police, but the local
>>police agreed to assist AFTED the bank provided the police the full
>>WHOIS information plus a synopsis of its takedown efforts.
>
>So the question here is, when the bank is involved in valid efforts that
>require access to Whois data that is designated as private there
>certainly should be a process for that data to be engaged in the
>process, so what should that process be? No one is suggesting that the
>bank never get any such information whatsoever. But some of us are
>suggesting that private entities should not get direct access to the
>Whois data, but rather get information from formally accountable LEAs
>who have direct access.
>
>It doesn't mean that private agents cannot contribute to the
>investigation process, but that private agents need only be given what
>they need in a particular context rather than being given the full range
>of powers granted to publicly-accountable law enforcement. And, that
>LEAs be responsible for providing appropriate information to private
>agents that are participating in investigation processes. Once such a
>policy is well-defined, it is possible to build technological systems
>that adhere to those policies and operate efficiently without
>unnecessary human intervention.
>
>And if ICANN jurisdiction is insufficient to resolve all structure
>issues, that still may not be ICANN's responsibility to solve.
>
>At some point public law enforcement must step up to the plate to do
>what needs to be done. ICANN cannot solve all the world's public
>problems on its own, or even those problems that may relate tangentially
>to the technical operation of the Internet. ICANN is not a proper venue
>to determine and conduct public governance activities, or to authorize
>private execution of public governance.
>
>
>
>>Having said this, the Dutch model could ultimately help fill a void on
>>the international level by leveraging international pressure on
>>recalcitrant governments. But again, this is not really an alternative
>
>>to what we are doing in Subgroup B, as I understand it.
>
>What exactly are we doing in subgroup B as you understand it?
>
>As I understand it, we are trying to reach some consensus on what GNSO
>should recommend to the ICANN Board with regard to determining to whom
>and how direct access to private Whois data under the OPoC paradigm
>should be granted (by registries and/or registrars). This does not
>speak to indirect access through authorized/certified LEAs.
>
>I have no expectation (or illusion) that what we come up with here will
>create a perfect world. It will certainly continue to be systematically
>imperfect from a privacy protection standpoint. If you are hoping to
>find perfection, then that is undoubtedly beyond the scope of this WG or
>Subgroup B.
>
>We are not in a position to dictate a comprehensive and airtight
>resolution to the full complexity of issues here. So at least *that* is
>*not* what we are doing here.
>
>Dan
>
>
>
>
>Need Mail bonding?
>Go to the
><http://answers.yahoo.com/dir/index;_ylc=X3oDMTFvbGNhMGE3BF9TAzM5NjU0NTEwOARfcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=396546091>Yahoo!
>Mail Q&A for
><http://answers.yahoo.com/dir/index;_ylc=X3oDMTFvbGNhMGE3BF9TAzM5NjU0NTEwOARfcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=396546091>great
>tips from Yahoo! Answers users.