ICANN Email List Archives

[gnso-acc-sgb]



[gnso-acc-sgb] GAC's position on Whois

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: [gnso-acc-sgb] GAC's position on Whois
  • From: "Milton Mueller" <mueller@xxxxxxx>
  • Date: Sat, 12 May 2007 00:28:59 -0400

Let me correct what seems to be an increasingly common set of errors on
interpreting the GAC principles. 

First and foremost, the GAC stands for "Governmental Advisory
Committee." Its role in the ICANN regime is advisory only. (The USG may
be an exception of course, because it controls key functions related to
ICANN. And the US definitely has a position on Whois ;-))

Second, anyone who has followed this issue knows perfectly well that
governments are deeply divided on it. When it comes to the proper
balance of privacy and access to data, data protection authorities have
one view, law enforcement and consumer protection authorities often have
a different view. Neither one of them can claim to speak authoritatively
for governments, much less the public interest. It is noteworthy,
however, that at some GAC meeting data protection authorities have not
been allowed to speak, whereas LEAs have been featured. 

Third, this division of governmental opinion was illustrated just
today, with the announcement that the UK government has required the
.telnic registry to remove access to private data from its Whois.
Indeed, one of the strangest aspects of this issue is the conflicting
signals you get from governmental agencies. You see, for example, the
Australian GAC representative demanding no change in Whois while at the
same time the Australian national privacy law requires the Australian
ccTLD to shield its Whois data. 

Fourth, the GAC statement on Whois deliberately did _not_ say that
access to the whois data as it now exists should be retained. It
enumerated several "legitimate activities" that use the whois data. That
was compromise wording deliberately chosen to avoid saying what
Christopher Gibson is saying below. In other words, in the GAC
principles it is the activities that are legitimate, but not necessarily
the open access to them that we have now. 

>>> "Christopher Gibson" <cgibson@xxxxxxxxxxx> 5/11/2007 6:39:16 PM >>>
and others, however, serve to confirm the GAC's position that WHOIS services
have evolved into a vital, efficient and internationally-tested mechanism in
support of a number of legitimate functions.  In this context, following the
"first, do no harm" principle means that potential changes to the WHOIS
system need to be evaluated and made only when we have confidence that
suitable alternative mechanisms to curb abuse are in place.

 

Chris

 

Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:


Dan,

The problem is a practical one. Law enforcement has limited resources.
We might wish that were not the case, but it is, and, realistically, it
will always be the case. Law enforcement, as I set out in my earlier
emails to Milton, expects banks to do the legwork before it will act.
Maybe it should be otherwise, but this is not the case nor will it ever
be the case. In various roles, both in government and working on the
side of government, I have spent years working on the side of law
enforcement. I think it is fair to say that law enforcement's approach
is virtually an immutable law of nature. And frankly from law
enforcement's standpoint, it must set priorities given its limited
resources.

If banks do not have access to the necessary information, internet users
and consumers will be put at much greater risk. It would be nice to
think that banks and consumers could simply lodge a complaint and that
the complaint would be immediately acted upon. But this will never
happen. Law enforcement has too much on its plate. My banks can give
you page after page of examples to corroborate this. And remember for
every hour that passes, millions can be lost, including life savings.

Please take another look at the example in my email to Milton involving
the local police in a foreign jurisdiction that finally agreed to act,
but only after the bank had exhausted all avenues and done all the
legwork. Realistically, absent bank access to the local address, it is
unknown how many innocent consumers would have suffered losses before
this fraudulent website was ever closed down.

You are right that this is a question of balance. And I would argue
that consumer protection needs to be prominently considered, not
dismissed as unfortunate collateral damage.

Banks are closely regulated and monitored entities with public
responsibilities. Those responsibilities are examined regularly by bank
examiners. As a result, I would submit, consumer protection ought to
prevail in light of the protections from a privacy standpoint in the
existing regulatory structure.

Palmer

-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx
[mailto:owner-gnso-acc-sgb@xxxxxxxxx] 
On Behalf Of Dan Krimm
Sent: Friday, May 11, 2007 3:43 PM
To: gnso-acc-sgb@xxxxxxxxx 
Cc: gnso-whois-wg@xxxxxxxxx 
Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

Palmer,

If I may step in here (and shift this discussion over to the Subgroup B
list where it properly belongs):

At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:

>Just having the IP address and registrar is not sufficient. For
>example, one of my banks had a case in which it had to use local police
>in a foreign country to visit the physical address of the website owner
>to get the site taken down. The bank had tried to get the registrar to
>shut it down without success. The bank had also tried to stop the site
>with the administrative contact, the technical contact, the abuse
>contact, and the website owner, all with no success. The registrar was
>also not interested in working with the local police, but the local
>police agreed to assist AFTER the bank provided the police the full
>WHOIS information plus a synopsis of its takedown efforts.

So the question here is, when the bank is involved in valid efforts that
require access to Whois data that is designated as private there
certainly should be a process for that data to be engaged in the
process, so what should that process be? No one is suggesting that the
bank never get any such information whatsoever. But some of us are
suggesting that private entities should not get direct access to the
Whois data, but rather get information from formally accountable LEAs
who have direct access.

It doesn't mean that private agents cannot contribute to the
investigation process, but that private agents need only be given what
they need in a particular context rather than being given the full range
of powers granted to publicly-accountable law enforcement. And, that
LEAs be responsible for providing appropriate information to private
agents that are participating in investigation processes. Once such a
policy is well-defined, it is possible to build technological systems
that adhere to those policies and operate efficiently without
unnecessary human intervention.

And if ICANN jurisdiction is insufficient to resolve all structure
issues, that still may not be ICANN's responsibility to solve.

At some point public law enforcement must step up to the plate to do
what needs to be done. ICANN cannot solve all the world's public
problems on its own, or even those problems that may relate tangentially
to the technical operation of the Internet. ICANN is not a proper venue
to determine and conduct public governance activities, or to authorize
private execution of public governance.



>Having said this, the Dutch model could ultimately help fill a void on
>the international level by leveraging international pressure on
>recalcitrant governments. But again, this is not really an alternative
>to what we are doing in Subgroup B, as I understand it.

What exactly are we doing in subgroup B as you understand it?

As I understand it, we are trying to reach some consensus on what GNSO
should recommend to the ICANN Board with regard to determining to whom
and how direct access to private Whois data under the OPoC paradigm
should be granted (by registries and/or registrars). This does not
speak to indirect access through authorized/certified LEAs.

I have no expectation (or illusion) that what we come up with here will
create a perfect world. It will certainly continue to be systematically
imperfect from a privacy protection standpoint. If you are hoping to
find perfection, then that is undoubtedly beyond the scope of this WG or
Subgroup B.

We are not in a position to dictate a comprehensive and airtight
resolution to the full complexity of issues here. So at least *that* is
*not* what we are doing here.

Dan

 

  




