[gnso-acc-sgb] RE: [gnso-whois-wg] GAC's position on Whois
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] GAC's position on Whois
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Sun, 13 May 2007 00:10:48 -0500 (GMT-05:00)
<BODY><BR><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff
2px solid">-----Original Message----- <BR>From: Hugh Dierker
<HDIERKER2204@xxxxxxxxx><BR>Sent: May 12, 2007 11:02 AM <BR>To: Christopher
Gibson <CGIBSON@xxxxxxxxxxx>, 'Milton Mueller' <MUELLER@xxxxxxx>,
gnso-acc-sgb@xxxxxxxxx <BR>Cc: gnso-whois-wg@xxxxxxxxx <BR>Subject: RE:
[gnso-whois-wg] GAC's position on Whois <BR><BR>
<DIV>There is no question and I venture no opposition to the need for access in
such a scenario.</DIV>
<DIV>In fact this is one place where proactive help would be desired. Not just
waiting to be asked but asking for help.</DIV>
<DIV> </DIV>
<DIV>Eric<BR><BR><B><I>Christopher Gibson <cgibson@xxxxxxxxxxx></I></B>
wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px;
BORDER-LEFT: #1010ff 2px solid">Milton,<BR><BR>Thanks for your comments. Last
year a client of mine found that the website<BR>of its credit union (with more
than 20,000 members) had been subject to a<BR>pharming/phishing attack, so that
credit union members were submitting<BR>passwords and usernames to fraudulent
sites. Using WHOIS services to trace<BR>through several domain name
registrations provided invaluable information in<BR>aid of taking the site down
very quickly and pursuing the perpetrators.<BR>This is the type of "legitimate
activities" recognized in the extensive list<BR>enumerated by the GAC when it
spoke with one voice concerning the "Public<BR>Policy Aspects of WHOIS Data" in
its balanced statement concerning
WHOIS<BR>principles.<BR><BR>Chris<BR><BR>-----Original Message-----<BR>From:
owner-gnso-whois-wg@xxxxxxxxx [mailto:owner-gnso-whois-wg@xxxxxxxxx]<BR>On
Behalf Of Milton Mueller<BR>Sent: Saturday, May 12, 2007 12:29 AM<BR>To:
gnso-acc-sgb@xxxxxxxxx<BR>Cc: gnso-whois-wg@xxxxxxxxx<BR>Subject:
[gnso-whois-wg] GAC's position on Whois<BR><BR>Let me correct what seems to be
an increasingly common set of errors on<BR>interpreting the GAC principles.
<BR><BR>First and foremost, the GAC stands for "Governmental
Advisory<BR>Committee." Its role in the CANN regime is advisory only. (The USG
may<BR>be an exception of course, because it controls key functions related
to<BR>ICANN. And the US definitely has a position on Whois ;-))<BR><BR>Second,
anyone who has followed this issue knows perfectly well that<BR>governments are
deeply divided on it. When it comes to the proper<BR>balance of privacy and
access to data, data protection authorities have<BR>one view, law enforcement
and consumer protection authorities often have<BR>a different view. Neither one
of them can claim to speak authoritatively<BR>for governments, much less the
public interest. It is noteworthy,<BR>however, that at some GAC meeting data
protection authorities have not<BR>been allowed to speak, whereas LEAs have
been featured. <BR><BR>Third, this division of governmental opinion was
illustrated just<BR>today, with the announcement that the UK government has
required the<BR>.telnic registry to remove access to private data from its
Whois.<BR>Indeed, one of the strangest aspects of this issue is the
conflicting<BR>signals you get from governmental agencies. You see, for
example, the<BR>Australian GAC representative demanding no change in Whois
while at the<BR>same time the Australian national privacy law requires the
Australian<BR>ccTLD to shield its Whois data. <BR><BR>Fourth, the GAC statement
on Whois deliberately did _not_ say that<BR>access to the whois data as it now
exists should be retained. It<BR>enumerated several "legitimate activities"
that use the whois data. That<BR>was compromise wording deliberately chosen to
avoid saying what<BR>Christopher Gibson is saying below. In other words, in the
GAC<BR>principles it is the activities that are legitimate, but not
necessarily<BR>the open access to them that we have now. <BR><BR>>>>
"Christopher Gibson" <CGIBSON@xxxxxxxxxxx>5/11/2007 6:39:16
PM<BR>>>><BR>and others, however, serve to confirm the GAC's position
that WHOIS<BR>services<BR>have evolved into a vital, efficient and
internationally-tested<BR>mechanism in<BR>support of a number of legitimate
functions. In this context,<BR>following the<BR>"first, do no harm" principle
means that potential changes to the<BR>WHOIS<BR>system need to be evaluated and
made only when we have confidence that<BR>suitable alternative mechanisms to
curb abuse are in place.<BR><BR><BR><BR>Chris<BR><BR><BR><BR>Palmer Hamilton
<PALMERHAMILTON@xxxxxxxxxxx>wrote:<BR><BR><BR>Dan,<BR><BR>The problem is a
practical one. Law enforcement has limited resources.<BR>We might wish that
were not the case, but it is, and, realistically,<BR>it<BR>will always be the
case. Law enforcement, as I set out in my earlier<BR>emails to Milton, expects
banks to do the legwork before it will act.<BR>Maybe it should be otherwise,
but this is not the case nor will it<BR>ever<BR>be the case. In various roles,
both in government and working on the<BR>side of government, I have spent years
working on the side of law<BR>enforcement. I think it is fair to say that law
enforcement's approach<BR>is virtually an immutable law of nature. And frankly
from law<BR>enforcement's standpoint, it must set priorities given its
limited<BR>resources.<BR><BR>If banks do not have access to the necessary
information, internet<BR>users<BR>and consumers will be put at much greater
risk. It would be nice to<BR>think that banks and consumers could simply lodge
a complaint and that<BR>the complaint would be immediately acted upon. But this
will never<BR>happen. Law enforcement has too much on its plate. My banks can
give<BR>you page after page of examples to corroborate this. And remember
for<BR>every hour that passes, millions can be lost, including life
savings.<BR><BR>Please take another look at the example in my email to
Milton<BR>involving<BR>the local police in a foreign jurisdiction that finally
agreed to act,<BR>but only after the bank had exhausted all avenues and done
all the<BR>legwork. Realistically, absent bank access to the local address, it
is<BR>unknown how many innocent consumers would have suffered losses
before<BR>this fraudulent website was ever closed down.<BR><BR>You are right
that this is a question of balance. And I would argue<BR>that consumer
protection needs to be prominently considered, not<BR>dismissed as unfortunate
collateral damage.<BR><BR>Banks are closely regulated and monitored entities
with public<BR>responsibilities. Those responsibilities are examined regularly
by<BR>bank<BR>examiners. As a result, I would submit, consumer protection ought
to<BR>prevail in light of the protections from a privacy standpoint in
the<BR>existing regulatory structure.<BR><BR>Palmer<BR><BR>-----Original
Message-----<BR>From:
owner-gnso-acc-sgb@xxxxxxxxx<BR>[mailto:owner-gnso-acc-sgb@xxxxxxxxx] <BR>On
Behalf Of Dan Krimm<BR>Sent: Friday, May 11, 2007 3:43 PM<BR>To:
gnso-acc-sgb@xxxxxxxxx <BR>Cc: gnso-whois-wg@xxxxxxxxx <BR>Subject:
[gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR><BR>Palmer,<BR><BR>If I may step in here (and shift this
discussion over to the Subgroup<BR>B<BR>list where it properly
belongs):<BR><BR>At 1:44 PM -0500 5/11/07, Palmer Hamilton
wrote:<BR><BR>>Just having the IP address and registrar is not sufficient.
For <BR>>example, one of my banks had a case in which it had to use
local<BR>police<BR><BR>>in a foreign country to visit the physical address
of the website<BR>owner<BR><BR>>to get the site taken down. The bank had
tried to get the registrar<BR>to<BR><BR>>shut it down without success. The
bank had also tried to stop the<BR>site<BR><BR>>with the administrative
contact, the technical contact, the abuse <BR>>contact, and the website
owner, all with no success. The registrar<BR>was<BR><BR>>also not interested
in working with the local police, but the local <BR>>police agreed to assist
AFTER the bank provided the police the full <BR>>WHOIS information plus a
synopsis of its takedown efforts.<BR><BR>So the question here is, when the bank
is involved in valid efforts<BR>that<BR>require access to Whois data that is
designated as private there<BR>certainly should be a process for that data to
be engaged in the<BR>process, so what should that process be? No one is
suggesting that the<BR>bank never get any such information whatsoever. But some
of us are<BR>suggesting that private entities should not get direct access to
the<BR>Whois data, but rather get information from formally accountable
LEAs<BR>who have direct access.<BR><BR>It doesn't mean that private agents
cannot contribute to the<BR>investigation process, but that private agents need
only be given what<BR>they need in a particular context rather than being given
the full<BR>range<BR>of powers granted to publicly-accountable law enforcement.
And, that<BR>LEAs be responsible for providing appropriate information to
private<BR>agents that are participating in investigation processes. Once such
a<BR>policy is well-defined, it is possible to build technological
systems<BR>that adhere to those policies and operate efficiently
without<BR>unnecessary human intervention.<BR><BR>And if ICANN jurisdiction is
insufficient to resolve all structure<BR>issues, that still may not be ICANN's
responsibility to solve.<BR><BR>At some point public law enforcement must step
up to the plate to do<BR>what needs to be done. ICANN cannot solve all the
world's public<BR>problems on its own, or even those problems that may
relate<BR>tangentially<BR>to the technical operation of the Internet. ICANN is
not a proper<BR>venue<BR>to determine and conduct public governance activities,
or to authorize<BR>private execution of public
governance.<BR><BR><BR><BR>>Having said this, the Dutch model could
ultimately help fill a void on<BR><BR>>the international level by leveraging
international pressure on <BR>>recalcitrant governments. But again, this is
not really an<BR>alternative<BR><BR>>to what we are doing in Subgroup B, as
I understand it.<BR><BR>What exactly are we doing in subgroup B as you
understand it?<BR><BR>As I understand it, we are trying to reach some consensus
on what GNSO<BR>should recommend to the ICANN Board with regard to determining
to whom<BR>and how direct access to private Whois data under the OPoC
paradigm<BR>should be granted (by registries and/or registrars). This does
not<BR>speak to indirect access through authorized/certified LEAs.<BR><BR>I
have no expectation (or illusion) that what we come up with
here<BR>will<BR>create a perfect world. It will certainly continue to
be<BR>systematically<BR>imperfect from a privacy protection standpoint. If you
are hoping to<BR>find perfection, then that is undoubtedly beyond the scope of
this WG<BR>or<BR>Subgroup B.<BR><BR>We are not in a position to dictate a
comprehensive and airtight<BR>resolution to the full complexity of issues here.
So at least *that*<BR>is<BR>*not* what we are doing
here.<BR><BR>Dan<BR><BR></BLOCKQUOTE><BR>
</BLOCKQUOTE>
</BODY>