<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- To: <gnso-acc-sgb@xxxxxxxxx>
- Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Fri, 11 May 2007 21:20:05 -0700
Hope,
I am not saying that phishing is not a problem that needs to be dealt with.
I am simply saying that it should be dealt with in a measured way and with
proper controls. And, that there are other serious problems that crop up
when the method of dealing with it is not measured and does not have proper
controls.
Secondly, our deliberations here are about more than just banks, even if
Palmer's suggestion was constrained to banks.
My comment about consumers versus customers is about the fact that giving
blanket access to banks for all Whois data provides access to personal
information about consumers who are not their direct customers, and the
banks are not regulatorily restricted from using data about consumers that
are not their direct customers, as they are with regard to their own direct
customers.
Example: I have an account with bank A. I do not have an account with
bank B. If bank B has blanket access to Whois data in order to find
phishers, because I am an Internet domain registrant, bank B gets my
personal data from Whois even if I am not a phisher. Bank B is regulated
in many cases with respect to its own customers, as bank A is regulated
with regard to personal data it collects from me by virtue of being a
customer. But bank B is not regulated with respect to the data about me
that it gleans from sources such as Whois, because I am not a customer of
bank B. I cannot opt-out of bank B using my personal data for anything it
wishes the way I can opt-out of bank A using my personal data in that way.
Personally, that bothers me, because I don't believe that "banks are not
interested in information about millions upon millions (of) people" -- if
they can make a buck off of it, why wouldn't they be? If they have access
to that data, they can build a business selling it to people who use it for
marketing (or other) purposes, just as they used to do with their
customers' information before regulation allowed some customers in some
jurisdictions to opt out from those uses.
Just because the anti-fraud departments of banks are not interested in the
broad range of data doesn't mean that the ancillary-business departments
(connected to marketing, etc.) of banks are not interested in the data.
They'd be dumb not to be interested, where there's money to be made. They
already have big businesses built on (currently) legal use of personal data
collected from their customers. It's only because of regulation that I
have the option to opt-out of that use in some cases today. It's not like
the banks have been particularly trustworthy actors in this arena: they
have done only what has been forced down their throats by law, typically
nothing more, and even that much has not been without a fight.
As a consumer, I am as alarmed as anyone about the problems of misuse of
data leading to fraud and ID theft, etc. The problem with granting blanket
access to private entities without meaningful enforcement against abuse is
that this creates a systematic incentive for misuse of data in precisely
the way that can lead secondarily to ID theft, etc. Example: Bank B sells
my personal data to someone posing as a marketer who then tries to scam me.
Bank B may not have done the deed directly, but their "legitimate marketing
data business" leads to misuse by others in a fraudulent manner. Unless we
place enforceable limits on what banks may do with all this data, this
potential remains large. I don't see anything in Palmer's proposal that
suggests meaningful enforcement procedures to prevent this sort of thing,
or even demonstrates that meaningful enforcement is possible.
I support providing legitimate anti-fraud efforts what they need to do
their jobs, but no more than that. Blanket access proposals without due
process go *way* beyond the specific needs required to get the bad guys,
and place orders of magnitude more good guys at unnecessary risk of abuse
(without recourse, if the source of the abuse cannot be traced).
Blanket access is easy for banks, but it goes too far and thus endangers
many others in the process. Our job should not be exclusively to make
things easy for banks at the expense of significant costs to other
stakeholders. Banks should be able to get the job done, but with
enforceable controls and appropriate pre-screening. Just like any other
private entities that are involved in anti-fraud activities.
Dan
At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
>Dan,
>
>I glad that you are able to recognize a phishing email when you see one,
>unfortunately, not everyone is able to do so. We wouldn't have a problem
>if that were the case. The fraudsters have become more and more
>sophisticated every day and I have seen highly educated people not be able
>to recognize phishing emails or be confused as to whether an email is
>legitimate or not. For example, people are often times confused or fall
>for fraudulent emails when their bank merges with another bank. The
>phishing emails address the merger and request. Information stating that
>it necessary for conversion purposes. Of course, this seems legitmate to
>customers because they know their bank is in the process of merging and in
>combination with legitimate advertising or communications via regular
>mail, television or print, even highly sophisticated individuals fall for
>these schemes.
>
>Secondly, I am not sure why you are mixing Credit. Reporting Agencies with
>banks, these are separate and distinct industries.
>
>Finally, I am not sure I understand the connection with regard to your
>comment that banks should not have access to Whois information because
>they have enough information about their customers. One has nothing to do
>with the other. Banks are not interested in information about millions
>upon millions people but instead are interested in the Whois information
>specifically related to domains used to perpetrate fraud upon millions of
>innocent victims. Banks use Whois information in order to combat fraud
>and identity theft which results from phishing emails. Again, banks aren't
>looking at information of anyone who is not a fraudster. If you have the
>opportunity to speak with someone who has been a victim of identity theft
>or fraud, I would encourage you to do so.
>
>
>----- Original Message -----
>From: Dan Krimm [dan@xxxxxxxxxxxxxxxx]
>Sent: 05/11/2007 05:32 PM MST
>To: <gnso-acc-sgb@xxxxxxxxx>
>Cc: <gnso-whois-wg@xxxxxxxxx>
>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
>
>
>I'll let Eric speak for himself with regard to the email he receives, but
>the phishing scams I get are easily recognized and discarded. (The first
>one I ever got -- before it had become prevalent, and before there was a
>word coined for it -- I was temporarily confused, but I was alert enough to
>check out the domain before supplying any info. I have been personally
>immune ever since.)
>
>While I opt-out of all uses of my info by financial institutions that I can
>(and in California I can opt out of more than in other states or countries,
>because of consumer-friendly state regulation), I am still troubled by
>information collected by credit reporting agencies and other sources that I
>do not know about. I refuse to allow DoubleClick to place cookies on my
>browsers. And still I know this is not enough to be secure in the
>knowledge that data about me is not being used against my interests,
>usually by private entities out to make a buck.
>
>Banks already get a lot of personal information from their immediate
>customers. There is no reason to give them unsupervised blanket access to
>all information in the Whois database about millions upon millions of
>people who are not their direct customers.
>
>Information used for legitimate anti-fraud efforts needs to be
>well-targeted as much as possible, and checks and balances need to be in
>place to assure appropriateness of access as a rule, since recourse is not
>always available in the case of abuse (and thus deterrence may be
>ineffective).
>
>If ICANN is not in position to become a fully-functional public law
>enforcement entity in and of itself, with all of the due process and
>accountability that such a role calls for (and it seems pretty clear that
>it is not), then that dynamic needs to be in the system somewhere, somehow,
>and it needs to be designed with some serious effectiveness, not just as a
>cosmetic ruse.
>
>Dan
>
>
>
>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
>>Those 20 or so spam emails are likely phishing emails or scams. Banks do
>>not send spam emails. These emails you are referring to are not legitmate
>>emails, and this is exactly what banks are trying to prevent in order to
>>protect consumers from identity theft and fraud. Your email highlights
>>how significant and prevalent this problem is.
>>
>>
>> ----- Original Message -----
>> From: Hugh Dierker [hdierker2204@xxxxxxxxx]
>> Sent: 05/11/2007 03:26 PM MST
>> To: gnso-acc-sgb@xxxxxxxxx
>> Cc: gnso-whois-wg@xxxxxxxxx
>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>
>>
>>This really assumes alot. Hypothetical "who done its". Does not justify
>>giving out confidential information to banks. I get 20 or so spams a day
>>from Banks. Junk mail another 5 a day- credit cards galore.
>>I do not buy that "banks" want my info for purely secure reasons.
>>
>>Eric
>>
>>Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>>
>>
>>Dan,
>>
>>The problem is a practical one. Law enforcement has limited resources.
>>We might wish that were not the case, but it is, and, realistically, it
>>will always be the case. Law enforcement, as I set out in my earlier
>>emails to Milton, expects banks to do the legwork before it will act.
>>Maybe it should be otherwise, but this is not the case nor will it ever
>>be the case. In various roles, both in government and working on the
>>side of government, I have spent years working on the side of law
>>enforcement. I think it is fair to say that law enforcement's approach
>>is virtually an immutable law of nature. And frankly from law
>>enforcement's standpoint, it must set priorities given its limited
>>resources.
>>
>>If banks do not have access to the necessary information, internet users
>>and consumers will be put at much greater risk. It would be nice to
>>think that banks and consumers could simply lodge a complaint and that
>>the complaint would be immediately acted upon. But this will never
>>happen. Law enforcement has too much on its plate. My banks can give
>>you page after page of examples to corroborate this. And remember for
>>every hour that passes, millions can be lost, including life savings.
>>
>>Please take another look at the example in my email to Milton involving
>>the local police in a foreign jurisdiction that finally agreed to act,
>>but only after the bank had exhausted all avenues and done all the
>>legwork. Realistically, absent bank access to the local address, it is
>>unknown how many innocent consumers would have suffered losses before
>>this fraudulent website was ever closed down.
>>
>>You are right that this is a question of balance. And I would argue
>>that consumer protection needs to be prominently considered, not
>>dismissed as unfortunate collateral damage.
>>
>>Banks are closely regulated and monitored entities with public
>>responsibilities. Those responsibilities are examined regularly by bank
>>examiners. As a result, I would submit, consumer protection ought to
>>prevail in light of the protections from a privacy standpoint in the
>>existing regulatory structure.
>>
>>Palmer
>>
>>-----Original Message-----
>>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>>On Behalf Of Dan Krimm
>>Sent: Friday, May 11, 2007 3:43 PM
>>To: gnso-acc-sgb@xxxxxxxxx
>>Cc: gnso-whois-wg@xxxxxxxxx
>>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>
>>Palmer,
>>
>>If I may step in here (and shift this discussion over to the Subgroup B
>>list where it properly belongs):
>>
>>At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>>
>>>Just having the IP address and registrar is not sufficient. For
>>>example, one of my banks had a case in which it had to use local police
>>
>>>in a foreign country to visit the physical address of the website owner
>>
>>>to get the site taken down. The bank had tried to get the registrar to
>>
>>>shut it down without success. The bank had also tried to stop the site
>>
>>>with the administrative contact, the technical contact, the abuse
>>>contact, and the website owner, all with no success. The registrar was
>>
>>>also not interested in working with the local police, but the local
>>>police agreed to assist AFTED the bank provided the police the full
>>>WHOIS information plus a synopsis of its takedown efforts.
>>
>>So the question here is, when the bank is involved in valid efforts that
>>require access to Whois data that is designated as private there
>>certainly should be a process for that data to be engaged in the
>>process, so what should that process be? No one is suggesting that the
>>bank never get any such information whatsoever. But some of us are
>>suggesting that private entities should not get direct access to the
>>Whois data, but rather get information from formally accountable LEAs
>>who have direct access.
>>
>>It doesn't mean that private agents cannot contribute to the
>>investigation process, but that private agents need only be given what
>>they need in a particular context rather than being given the full range
>>of powers granted to publicly-accountable law enforcement. And, that
>>LEAs be responsible for providing appropriate information to private
>>agents that are participating in investigation processes. Once such a
>>policy is well-defined, it is possible to build technological systems
>>that adhere to those policies and operate efficiently without
>>unnecessary human intervention.
>>
>>And if ICANN jurisdiction is insufficient to resolve all structure
>>issues, that still may not be ICANN's responsibility to solve.
>>
>>At some point public law enforcement must step up to the plate to do
>>what needs to be done. ICANN cannot solve all the world's public
>>problems on its own, or even those problems that may relate tangentially
>>to the technical operation of the Internet. ICANN is not a proper venue
>>to determine and conduct public governance activities, or to authorize
>>private execution of public governance.
>>
>>
>>
>>>Having said this, the Dutch model could ultimately help fill a void on
>>>the international level by leveraging international pressure on
>>>recalcitrant governments. But again, this is not really an alternative
>>
>>>to what we are doing in Subgroup B, as I understand it.
>>
>>What exactly are we doing in subgroup B as you understand it?
>>
>>As I understand it, we are trying to reach some consensus on what GNSO
>>should recommend to the ICANN Board with regard to determining to whom
>>and how direct access to private Whois data under the OPoC paradigm
>>should be granted (by registries and/or registrars). This does not
>>speak to indirect access through authorized/certified LEAs.
>>
>>I have no expectation (or illusion) that what we come up with here will
>>create a perfect world. It will certainly continue to be systematically
>>imperfect from a privacy protection standpoint. If you are hoping to
>>find perfection, then that is undoubtedly beyond the scope of this WG or
>>Subgroup B.
>>
>>We are not in a position to dictate a comprehensive and airtight
>>resolution to the full complexity of issues here. So at least *that* is
>>*not* what we are doing here.
>>
>>Dan
>>
>>
>>
>>
>>Need Mail bonding?
>>Go to the
>><http://answers.yahoo.com/dir/index;_ylc=X3oDMTFvbGNhMGE3BF9TAzM5NjU0NTEwOARfcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=396546091>Yahoo!
>>Mail Q&A for
>><http://answers.yahoo.com/dir/index;_ylc=X3oDMTFvbGNhMGE3BF9TAzM5NjU0NTEwOARfcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=396546091>great
>>tips from Yahoo! Answers users.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|