Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Sun, 13 May 2007 00:53:37 -0500 (GMT-05:00)
<BODY>
<DIV id=compText>
<DIV id=compText>
<P>Palmer and all,</P>
<P> </P>
<P>My statement was carefully chosen. LEAs do not have blanket or carte blanche access to customers or non customers data from banks without due process/subpoena. I checked with the security folks at all 8 of the banks I do and have done business with and they all laughed at them "doing leg work" for LEAs without an unchallenged subpoena unless they are acting in a very unsatisfactory manner towards their customers.</P>
<P> </P>
<P>In fact not more than 9 months ago one of my banks called me and asked me if I would agree to allow the release of my financial data to them from an unnamed LEA. My answer was definitely not. They did not do so as two days later that LEA called upon me at my place of business and asked me why I refused them access, and why I filed a motion to quash their subpoena. I not so politely and very bluntly told them because I believed it was a violation of my financial privacy rights and given the unclear reasons stated in the text of the subpoena, their request was nonsensical. They ceased to push for the access they were seeking any further.</P>
<DIV id=compText><BR><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff
2px solid">-----Original Message----- <BR>From: Palmer Hamilton
<PALMERHAMILTON@xxxxxxxxxxx><BR>Sent: May 11, 2007 11:01 PM <BR>To:
jwkckid1@xxxxxxxxxxxxx <BR>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg]
Dutch Govcert procedure <BR><BR><ZZZHTML><ZZZHEAD><ZZZMETA CONTENT="text/html;
charset=utf-8" HTTP-EQUIV="Content-Type"><ZZZMETA CONTENT="MS Exchange Server
version 6.5.7651.59" NAME="Generator"></ZZZHEAD><ZZZBODY><ZZZ!-- -- format
plain text from Converted>
<P><FONT size=2>Jeff,<BR><BR>My earlier email was simply a statement of
fact. Law enforcement relies on banks to do the legwork on cases
involving internet fraud through fraudulent websites purporting to be bank
websites. I am baffled by your statement that "very few" law
enforcement agencies rely on bank legwork. What is your specific evidence
for this contention? It is at complete variance with our banks'
experience. On what do you base your statement?<BR><BR>You state law
enforcement "cannot rely on banks" to do its legwork. I presume by this
you mean they should not rely on banks, since it is incontrovertible that they
do rely on banks to do this work.<BR><BR>This being the case, I would suggest
that we deal with the reality of the situation, not what we might wish were the
case. This is the way law enforcement works, and, as I indicated in a
prior email, this reality is not going to change.<BR><BR>If we ignore this
reality, we put consumers at risk. While we might wish reality were
different, it is not. So, we need to deal with this fact.<BR><BR>ICANN is
not a law enforcement agency. Nobody is suggesting that it is. This
does not mean, however, that ICANN does not have a duty to the internet
community to take reasonable steps to protect internet users from being victims
of fraud. The WHOIS data is indispensable to banks in allowing them to
protect internet users and consumers.<BR><BR>Your suggestion of using
"warrants" (by which I presume you mean subpoenas) ignores the critical timing
issues involved. The delay attendant with your suggestion would entail
losses of millions, including losses of life savings. <BR><BR>Don't you
think these consumers deserve better from ICANN? If the use of WHOIS data
can protect consumers, AND privacy protections can be built into this access,
shouldn't ICANN preserve these tools needed to protect the
consumer?<BR><BR><BR><BR>-----Original Message-----<BR>From:
owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx><BR>To:
gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx><BR>CC:
gnso-whois-wg@xxxxxxxxx <gnso-whois-wg@xxxxxxxxx><BR>Sent: Fri May 11
21:10:05 2007<BR>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR><BR>Dan, Palmer and all,<BR><BR>  Palmer's comments and/or
observations regarding Banks are not<BR>accurate nor appropriate for Whois
data.  Law enforcement cannot<BR>rely on banks to do their "Leg Work" so to
speak, and very few<BR>do.  Law enforcement do use some bank data on
customers for<BR>financial investigative evidence with a warrant as
required<BR>by law in most US states and federal statute. <BR><BR> 
Dan's remarks have merit from where I sit as to ICANN<BR>acting as a law
enforcement or investigative agent for same.<BR>ICANN is not suited for such a
function in regards to Whois<BR>data, nor should it be.  Incidentally the
Whois was never<BR>intended as a law enforcement tool, and should not be
used<BR>as such other than incidentally.  However law enforcement<BR>in the
course of an investigation should be able to obtain<BR>"Any" Whois data via
jurisdictional due process.  Ergo<BR>a search and seizure warrant or an
equivalent dependent on<BR>nation of origin, reciprocity,
etc.<BR><BR>Regards,<BR><BR>Jeffrey A. Williams<BR>Spokesman for INEGroup LLA.
- (Over 134k members/stakeholders strong!)<BR>"Obedience of the law is the
greatest freedom" -<BR> Abraham Lincoln<BR><BR>"Credit should go
with the performance of duty and not with what is very<BR>often the accident of
glory" - Theodore Roosevelt<BR><BR>"If the probability be called P; the injury,
L; and the burden, B; liability<BR>depends upon whether B is less than L
multiplied by<BR>P: i.e., whether B is less than PL."<BR>United States v.
Carroll Towing (159 F.2d 169 [2d Cir.
1947]<BR>===============================================================<BR>Updated
1/26/04<BR>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of<BR>Information Network Eng. INEG. INC.<BR>ABA member in good
standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx<BR>Registered Email
addr with the USPS Contact Number:
214-244-4827<BR><BR><BR><BR><BR><BR><BR>-----Original Message-----<BR>>From:
Dan Krimm <dan@xxxxxxxxxxxxxxxx><BR>>Sent: May 11, 2007 7:32
PM<BR>>To: gnso-acc-sgb@xxxxxxxxx<BR>>Cc:
gnso-whois-wg@xxxxxxxxx<BR>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg]
Dutch Govcert procedure<BR>><BR>>I'll let Eric speak for himself with
regard to the email he receives, but<BR>>the phishing scams I get are easily
recognized and discarded. (The first<BR>>one I ever got -- before it
had become prevalent, and before there was a<BR>>word coined for it -- I was
temporarily confused, but I was alert enough to<BR>>check out the domain
before supplying any info. I have been personally<BR>>immune ever
since.)<BR>><BR>>While I opt-out of all uses of my info by financial
institutions that I can<BR>>(and in California I can opt out of more than in
other states or countries,<BR>>because of consumer-friendly state
regulation), I am still troubled by<BR>>information collected by credit
reporting agencies and other sources that I<BR>>do not know about. I
refuse to allow DoubleClick to place cookies on my<BR>>browsers. And
still I know this is not enough to be secure in the<BR>>knowledge that data
about me is not being used against my interests,<BR>>usually by private
entities out to make a buck.<BR>><BR>>Banks already get a lot of personal
information from their immediate<BR>>customers. There is no reason to
give them unsupervised blanket access to<BR>>all information in the Whois
database about millions upon millions of<BR>>people who are not their direct
customers.<BR>><BR>>Information used for legitimate anti-fraud efforts
needs to be<BR>>well-targeted as much as possible, and checks and balances
need to be in<BR>>place to assure appropriateness of access as a rule, since
recourse is not<BR>>always available in the case of abuse (and thus
deterrence may be<BR>>ineffective).<BR>><BR>>If ICANN is not in
position to become a fully-functional public law<BR>>enforcement entity in
and of itself, with all of the due process and<BR>>accountability that such
a role calls for (and it seems pretty clear that<BR>>it is not), then that
dynamic needs to be in the system somewhere, somehow,<BR>>and it needs to be
designed with some serious effectiveness, not just as a<BR>>cosmetic
ruse.<BR>><BR>>Dan<BR>><BR>><BR>><BR>>At 5:54 PM -0500
5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:<BR>>>Those 20 or so spam emails
are likely phishing emails or scams. Banks do<BR>>>not send spam emails.
These emails you are referring to are not legitimate<BR>>>emails, and this
is exactly what banks are trying to prevent in order to<BR>>>protect
consumers from identity theft and fraud. Your email
highlights<BR>>>how significant and prevalent this problem
is.<BR>>><BR>>><BR>>> ----- Original Message
-----<BR>>> From: Hugh Dierker
[hdierker2204@xxxxxxxxx]<BR>>> Sent: 05/11/2007 03:26 PM
MST<BR>>> To: gnso-acc-sgb@xxxxxxxxx<BR>>> Cc:
gnso-whois-wg@xxxxxxxxx<BR>>> Subject: RE: [gnso-acc-sgb] RE:
[gnso-whois-wg] Dutch Govcert procedure<BR>>><BR>>><BR>>>This
really assumes a lot.  Hypothetical "who done its".  Does not
justify<BR>>>giving out confidential information to banks. I get 20
or so spams a day<BR>>>from Banks. Junk mail another 5 a day- credit
cards galore.<BR>>>I do not buy that "banks" want my info for purely
secure reasons.<BR>>><BR>>>Eric<BR>>><BR>>>Palmer
Hamilton <PalmerHamilton@xxxxxxxxxxx>
wrote:<BR>>><BR>>><BR>>>Dan,<BR>>><BR>>>The
problem is a practical one. Law enforcement has limited
resources.<BR>>>We might wish that were not the case, but it is, and,
realistically, it<BR>>>will always be the case. Law enforcement, as I set
out in my earlier<BR>>>emails to Milton, expects banks to do the legwork
before it will act.<BR>>>Maybe it should be otherwise, but this is not
the case nor will it ever<BR>>>be the case. In various roles, both in
government and working on the<BR>>>side of government, I have spent years
working on the side of law<BR>>>enforcement. I think it is fair to say
that law enforcement's approach<BR>>>is virtually an immutable law of
nature. And frankly from law<BR>>>enforcement's standpoint, it must set
priorities given its limited<BR>>>resources.<BR>>><BR>>>If
banks do not have access to the necessary information, internet
users<BR>>>and consumers will be put at much greater risk. It would be
nice to<BR>>>think that banks and consumers could simply lodge a
complaint and that<BR>>>the complaint would be immediately acted upon.
But this will never<BR>>>happen. Law enforcement has too much on its
plate. My banks can give<BR>>>you page after page of examples to
corroborate this. And remember for<BR>>>every hour that passes, millions
can be lost, including life savings.<BR>>><BR>>>Please take another
look at the example in my email to Milton involving<BR>>>the local police
in a foreign jurisdiction that finally agreed to act,<BR>>>but only after
the bank had exhausted all avenues and done all the<BR>>>legwork.
Realistically, absent bank access to the local address, it
is<BR>>>unknown how many innocent consumers would have suffered losses
before<BR>>>this fraudulent website was ever closed
down.<BR>>><BR>>>You are right that this is a question of balance.
And I would argue<BR>>>that consumer protection needs to be prominently
considered, not<BR>>>dismissed as unfortunate collateral
damage.<BR>>><BR>>>Banks are closely regulated and monitored
entities with public<BR>>>responsibilities. Those responsibilities are
examined regularly by bank<BR>>>examiners. As a result, I would submit,
consumer protection ought to<BR>>>prevail in light of the protections
from a privacy standpoint in the<BR>>>existing regulatory
structure.<BR>>><BR>>>Palmer<BR>>><BR>>>-----Original
Message-----<BR>>>From: owner-gnso-acc-sgb@xxxxxxxxx [<A
href="mailto:owner-gnso-acc-sgb@xxxxxxxxx"
target=_BLANK>mailto:owner-gnso-acc-sgb@xxxxxxxxx</A>]<BR>>>On Behalf Of
Dan Krimm<BR>>>Sent: Friday, May 11, 2007 3:43 PM<BR>>>To:
gnso-acc-sgb@xxxxxxxxx<BR>>>Cc:
gnso-whois-wg@xxxxxxxxx<BR>>>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg]
Dutch Govcert
procedure<BR>>><BR>>>Palmer,<BR>>><BR>>>If I may step
in here (and shift this discussion over to the Subgroup B<BR>>>list where
it properly belongs):<BR>>><BR>>>At 1:44 PM -0500 5/11/07, Palmer
Hamilton wrote:<BR>>><BR>>>>Just having the IP address and
registrar is not sufficient. For<BR>>>>example, one of my banks had a
case in which it had to use local police<BR>>><BR>>>>in a
foreign country to visit the physical address of the website
owner<BR>>><BR>>>>to get the site taken down. The bank had tried
to get the registrar to<BR>>><BR>>>>shut it down without
success. The bank had also tried to stop the
site<BR>>><BR>>>>with the administrative contact, the technical
contact, the abuse<BR>>>>contact, and the website owner, all with no
success. The registrar was<BR>>><BR>>>>also not interested in
working with the local police, but the local<BR>>>>police agreed to
assist AFTER the bank provided the police the full<BR>>>>WHOIS
information plus a synopsis of its takedown efforts.<BR>>><BR>>>So
the question here is, when the bank is involved in valid efforts
that<BR>>>require access to Whois data that is designated as private
there<BR>>>certainly should be a process for that data to be engaged in
the<BR>>>process, so what should that process be? No one is suggesting
that the<BR>>>bank never get any such information whatsoever. But some of
us are<BR>>>suggesting that private entities should not get direct access
to the<BR>>>Whois data, but rather get information from formally
accountable LEAs<BR>>>who have direct access.<BR>>><BR>>>It
doesn't mean that private agents cannot contribute to
the<BR>>>investigation process, but that private agents need only be
given what<BR>>>they need in a particular context rather than being given
the full range<BR>>>of powers granted to publicly-accountable law
enforcement. And, that<BR>>>LEAs be responsible for providing appropriate
information to private<BR>>>agents that are participating in
investigation processes. Once such a<BR>>>policy is well-defined, it is
possible to build technological systems<BR>>>that adhere to those
policies and operate efficiently without<BR>>>unnecessary human
intervention.<BR>>><BR>>>And if ICANN jurisdiction is insufficient
to resolve all structure<BR>>>issues, that still may not be ICANN's
responsibility to solve.<BR>>><BR>>>At some point public law
enforcement must step up to the plate to do<BR>>>what needs to be done.
ICANN cannot solve all the world's public<BR>>>problems on its own, or
even those problems that may relate tangentially<BR>>>to the technical
operation of the Internet. ICANN is not a proper venue<BR>>>to determine
and conduct public governance activities, or to authorize<BR>>>private
execution of public
governance.<BR>>><BR>>><BR>>><BR>>>>Having said
this, the Dutch model could ultimately help fill a void on<BR>>>>the
international level by leveraging international pressure
on<BR>>>>recalcitrant governments. But again, this is not really an
alternative<BR>>><BR>>>>to what we are doing in Subgroup B, as I
understand it.<BR>>><BR>>>What exactly are we doing in subgroup B
as you understand it?<BR>>><BR>>>As I understand it, we are trying
to reach some consensus on what GNSO<BR>>>should recommend to the ICANN
Board with regard to determining to whom<BR>>>and how direct access to
private Whois data under the OPoC paradigm<BR>>>should be granted (by
registries and/or registrars). This does not<BR>>>speak to indirect
access through authorized/certified LEAs.<BR>>><BR>>>I have no
expectation (or illusion) that what we come up with here will<BR>>>create
a perfect world. It will certainly continue to be
systematically<BR>>>imperfect from a privacy protection standpoint. If
you are hoping to<BR>>>find perfection, then that is undoubtedly beyond
the scope of this WG or<BR>>>Subgroup B.<BR>>><BR>>>We are
not in a position to dictate a comprehensive and airtight<BR>>>resolution
to the full complexity of issues here. So at least *that* is<BR>>>*not*
what we are doing
here.<BR>>><BR>>>Dan<BR><BR></FONT></P></ZZZBODY></ZZZHTML></BLOCKQUOTE></DIV></DIV></DIV></BODY>