Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Sun, 13 May 2007 13:38:00 -0500 (GMT-05:00)
<HEAD><TITLE>Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure</TITLE>
<STYLE>body{font-family:
Geneva,Arial,Helvetica,sans-serif;font-size:9pt;background-color:
#ffffff;color: black;}</STYLE>
<META content="MSHTML 6.00.2900.3086" name=GENERATOR></HEAD>
<BODY>
<DIV id=compText>
<DIV id=compText>
<DIV id=compText>
<DIV>Palmer and all,</DIV>
<DIV> </DIV>
<DIV>  Of course I didn't name my bank(s) for privacy reasons.  I 
believe this personal</DIV>
<DIV>policy to be a good, reasonable and effective one as well as one 
recommended by</DIV>
<DIV>the US FTC.</DIV>
<DIV> </DIV>
<DIV>  Secondly, deregulation of the financial industry in the early 90's 
changed how</DIV>
<DIV>financial institutions can treat and otherwise use data which in the case 
of</DIV>
<DIV>any financial institution having blanket and/or carte blanche access and 
use thereof</DIV>
<DIV>of registrants' data in Whois as a third party, a significant and very 
potentially </DIV>
<DIV>dangerous consideration.  I am not saying that these dangers cannot 
be overcome</DIV>
<DIV>if specific rules which have significant penalties in place by which 
misuse is</DIV>
<DIV>defined as it applies to the use of Whois data.  But to say any 
financial institution</DIV>
<DIV>"does the leg work for LEA's" is simply false and as my banks stated, 
laughable.<BR><BR><BR></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff
2px solid">-----Original Message----- <BR>From: Palmer Hamilton
<PALMERHAMILTON@xxxxxxxxxxx><BR>Sent: May 13, 2007 8:33 AM <BR>To:
jwkckid1@xxxxxxxxxxxxx <BR>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg]
Dutch Govcert procedure <BR><BR><ZZZHTML><ZZZHEAD><ZZZMETA CONTENT="text/html;
charset=utf-8" HTTP-EQUIV="Content-Type"><ZZZMETA CONTENT="MS Exchange Server
version 6.5.7651.59" NAME="Generator"></ZZZHEAD><ZZZBODY><ZZZ!-- -- format
plain text from Converted>
<P><FONT size=2>Let me see if I can explain this area of the law in hopes it 
will clarify things.<BR><BR>Since the 1970s, banks have been prohibited from
releasing customer information to LEAs without a subpoena. This was done
as a measure to protect the privacy of bank customers from overreach by
LEAs.<BR><BR>Obviously, I was not suggesting banks were handing over such 
information when I said they did the leg work for law enforcement. I was
speaking of their checking the WHOIS data which is available to anyone and
using that information to prevent consumer fraud. <BR><BR>So, your
discussions with the unnamed banks related to the wrong question. I
certainly concur that banks can't hand over customer information without a
subpoena.<BR><BR>But this isn't the leg work at issue in our emails. What
we are talking about is leg work using the WHOIS data, and I am not aware of a
single sizeable bank that does not do this leg work for
LEAs.<BR><BR><BR><BR>-----Original Message-----<BR>From:
owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx><BR>To:
gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx><BR>CC:
gnso-whois-wg@xxxxxxxxx <gnso-whois-wg@xxxxxxxxx><BR>Sent: Sun May 13
00:53:37 2007<BR>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR><BR>Palmer and all,<BR><BR>  My statement was 
carefully chosen.  LEA's do not have blanket or carte blanche access 
to customers' or non-customers' data from banks without due 
process/subpoena.  I checked with the security folks at all 8 of the 
banks I do and have done business with and they all laughed at them 
"doing leg work" for LEA's without an unchallenged subpoena unless 
they are acting in a very unsatisfactory manner towards their 
customers.<BR><BR>  In fact not more than 9 months ago one of my 
banks called me and asked me if I would agree to allow the release of my 
financial data to them from an unnamed LEA.  My answer was 
definitely not.  They did not do so as two days later that LEA 
called upon me at my place of business and asked me why I refused them 
access, and why I filed a motion to squash their subpoena. I not so 
politely and very bluntly told them because I believed it was a 
violation of my financial privacy rights and given the unclear reasons 
stated in the text of the subpoena, their request was 
nonsensical.  They ceased to push for the access they were seeking 
any further.<BR><BR>
-----Original Message-----<BR> From:
Palmer Hamilton<BR> Sent: May 11,
2007 11:01 PM<BR> To:
jwkckid1@xxxxxxxxxxxxx<BR> Subject:
Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR> <BR> <BR><BR>
Jeff,<BR> <BR>
My earlier email was simply a statement of fact. Law enforcement relies
on banks to do the legwork on cases involving internet fraud through fraudulent
websites purporting to be bank websites. I am baffled by your statement
that "very few" law enforcement agencies rely on bank legwork. What
is your specific evidence for this contention? It is at complete variance
with our banks' experience. On what do you base your
statement?<BR> <BR>
You state law enforcement "cannot rely on banks" to do its legwork. I
presume by this you mean they should not rely on banks, since it is 
incontrovertible that they do rely on banks to do this
work.<BR> <BR>
This being the case, I would suggest that we deal with the reality of the
situation, not what we might wish were the case.  This is the way law 
enforcement works, and, as I indicated in a prior email, this reality is not
going to
change.<BR> <BR>
If we ignore this reality, we put consumers at risk. While we might wish
reality were different, it is not. So, we need to deal with this
fact.<BR> <BR>
ICANN is not a law enforcement agency. Nobody is suggesting that it
is. This does not mean, however, that ICANN does not have a duty to the
internet community to take reasonable steps to protect internet users from
being victims of fraud. The WHOIS data is indispensable to banks in
allowing them to protect internet users and
consumers.<BR> <BR>
Your suggestion of using "warrants" (by which I presume you mean subpoenas)
ignores the critical timing issues involved.  The delay attendant with 
your suggestion would entail losses of millions, including losses of life
savings.<BR> <BR>
Don't you think these consumers deserve better from ICANN? If the use of
WHOIS data can protect consumers, AND privacy protections can be built into
this access, shouldn't ICANN preserve these tools needed to protect the
consumer?<BR> <BR> <BR> <BR>
-----Original Message-----<BR> From:
owner-gnso-acc-sgb@xxxxxxxxx
<owner-gnso-acc-sgb@xxxxxxxxx><BR>
To: gnso-acc-sgb@xxxxxxxxx
<gnso-acc-sgb@xxxxxxxxx><BR>
CC: gnso-whois-wg@xxxxxxxxx
<gnso-whois-wg@xxxxxxxxx><BR>
Sent: Fri May 11 21:10:05 2007<BR>
Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR> <BR>
Dan, Palmer and all,<BR><BR>
Palmer's comments and/or observations regarding Banks are not 
accurate nor appropriate for Whois data.  Law enforcement cannot 
rely on banks to do their "Leg Work" so to speak, and very few 
do.  Law enforcement do use some bank data on customers for 
financial investigative evidence with a warrant as required 
by law in most US states and federal statute.<BR><BR>
Dan's remarks have merit from where I sit as to ICANN 
acting as a law enforcement or investigative agent for same. 
ICANN is not suited for such a function in regards to Whois 
data, nor should it be.  Incidentally the Whois was never 
intended as a law enforcement tool, and should not be used 
as such other than incidentally.  However law enforcement 
in the course of an investigation should be able to obtain 
"Any" Whois data via jurisdictional due process.  Ergo 
a search and seizure warrant or an equivalent dependent on 
nation of origin, reciprocity, etc.<BR><BR>
Regards,<BR> <BR>
Jeffrey A. Williams<BR> Spokesman
for INEGroup LLA. - (Over 134k members/stakeholders
strong!)<BR> "Obedience of the law is
the greatest freedom" -<BR>
Abraham
Lincoln<BR> <BR>
"Credit should go with the performance of duty and not with what is
very<BR> often the accident of glory"
- Theodore
Roosevelt<BR> <BR>
"If the probability be called P; the injury, L; and the burden, B;
liability<BR> depends upon whether B
is less than L multiplied by<BR> P:
i.e., whether B is less than PL."<BR>
United States v. Carroll Towing (159 F.2d 169 [2d Cir.
1947]<BR>
===============================================================<BR>
Updated 1/26/04<BR> CSO/DIR.
Internet Network Eng. SR. Eng. Network data security IDNS. div.
of<BR> Information Network Eng.
INEG. INC.<BR> ABA member in good
standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx<BR> Registered
Email addr with the USPS Contact Number:
214-244-4827<BR> <BR> <BR> <BR> <BR> <BR> <BR>
-----Original Message-----<BR>
>From: Dan Krimm
<dan@xxxxxxxxxxxxxxxx><BR>
>Sent: May 11, 2007 7:32 PM<BR>
>To: gnso-acc-sgb@xxxxxxxxx<BR>
>Cc: gnso-whois-wg@xxxxxxxxx<BR>
>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR>
><BR> >I'll let Eric speak for
himself with regard to the email he receives,
but<BR> >the phishing scams I get
are easily recognized and discarded. (The
first<BR> >one I ever got --
before it had become prevalent, and before there was
a<BR> >word coined for it -- I was
temporarily confused, but I was alert enough
to<BR> >check out the domain
before supplying any info. I have been
personally<BR> >immune ever
since.)<BR>
><BR> >While I opt-out of all
uses of my info by financial institutions that I
can<BR> >(and in California I can
opt out of more than in other states or
countries,<BR> >because of
consumer-friendly state regulation), I am still troubled
by<BR> >information collected by
credit reporting agencies and other sources that
I<BR> >do not know about. I
refuse to allow DoubleClick to place cookies on
my<BR> >browsers. And still
I know this is not enough to be secure in
the<BR> >knowledge that data about
me is not being used against my
interests,<BR> >usually by private
entities out to make a buck.<BR>
><BR> >Banks already get a lot
of personal information from their
immediate<BR> >customers.
There is no reason to give them unsupervised blanket access
to<BR> >all information in the
Whois database about millions upon millions
of<BR> >people who are not their
direct customers.<BR>
><BR> >Information used for
legitimate anti-fraud efforts needs to
be<BR> >well-targeted as much as
possible, and checks and balances need to be
in<BR> >place to assure
appropriateness of access as a rule, since recourse is
not<BR> >always available in the
case of abuse (and thus deterrence may
be<BR>
>ineffective).<BR>
><BR> >If ICANN is not in
position to become a fully-functional public
law<BR> >enforcement entity in and
of itself, with all of the due process
and<BR> >accountability that such
a role calls for (and it seems pretty clear
that<BR> >it is not), then that
dynamic needs to be in the system somewhere,
somehow,<BR> >and it needs to be
designed with some serious effectiveness, not just as
a<BR> >cosmetic
ruse.<BR>
><BR>
>Dan<BR>
><BR>
><BR>
><BR> >At 5:54 PM -0500
5/11/07, Hope.Mehlman@xxxxxxxxxxx
wrote:<BR> >>Those 20 or so
spam emails are likely phishing emails or scams. Banks
do<BR> >>not send spam emails.
These emails you are referring to are not
legitimate<BR>        >>emails, and 
this is exactly what banks are trying to prevent in order
to<BR> >>protect consumers from
identity theft and fraud. Your email
highlights<BR> >>how
significant and prevalent this problem
is.<BR>
>><BR>
>><BR> >> ----- Original
Message -----<BR> >>
From: Hugh Dierker
[hdierker2204@xxxxxxxxx]<BR>
>> Sent: 05/11/2007 03:26 PM
MST<BR> >> To:
gnso-acc-sgb@xxxxxxxxx<BR>
>> Cc:
gnso-whois-wg@xxxxxxxxx<BR>
>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR>
>><BR>
>><BR> >>This really
assumes a lot. Hypothetical "who done its". Does not 
justify<BR> >>giving out
confidential information to banks. I get 20 or so spams a
day<BR> >>from Banks. Junk mail
another 5 a day- credit cards
galore.<BR> >>I do not buy that
"banks" want my info for purely secure
reasons.<BR>
>><BR>
>>Eric<BR>
>><BR> >>Palmer Hamilton
<PalmerHamilton@xxxxxxxxxxx>
wrote:<BR>
>><BR>
>><BR>
>>Dan,<BR>
>><BR> >>The problem is a
practical one. Law enforcement has limited
resources.<BR> >>We might wish
that were not the case, but it is, and, realistically,
it<BR> >>will always be the
case. Law enforcement, as I set out in my
earlier<BR> >>emails to Milton,
expects banks to do the legwork before it will
act.<BR> >>Maybe it should be
otherwise, but this is not the case nor will it
ever<BR> >>be the case. In
various roles, both in government and working on
the<BR> >>side of government, I
have spent years working on the side of
law<BR> >>enforcement. I think
it is fair to say that law enforcement's
approach<BR> >>is virtually an
immutable law of nature. And frankly from
law<BR> >>enforcement's
standpoint, it must set priorities given its
limited<BR>
>>resources.<BR>
>><BR> >>If banks do not
have access to the necessary information, internet
users<BR> >>and consumers will
be put at much greater risk. It would be nice
to<BR> >>think that banks and
consumers could simply lodge a complaint and
that<BR> >>the complaint would
be immediately acted upon. But this will
never<BR> >>happen. Law
enforcement has too much on its plate. My banks can
give<BR> >>you page after page
of examples to corroborate this. And remember
for<BR> >>every hour that
passes, millions can be lost, including life
savings.<BR>
>><BR> >>Please take
another look at the example in my email to Milton
involving<BR> >>the local
police in a foreign jurisdiction that finally agreed to
act,<BR> >>but only after the
bank had exhausted all avenues and done all
the<BR> >>legwork.
Realistically, absent bank access to the local address, it
is<BR> >>unknown how many
innocent consumers would have suffered losses
before<BR> >>this fraudulent
website was ever closed down.<BR>
>><BR> >>You are right
that this is a question of balance. And I would
argue<BR> >>that consumer
protection needs to be prominently considered,
not<BR> >>dismissed as
unfortunate collateral damage.<BR>
>><BR> >>Banks are
closely regulated and monitored entities with
public<BR> >>responsibilities.
Those responsibilities are examined regularly by
bank<BR> >>examiners. As a
result, I would submit, consumer protection ought
to<BR> >>prevail in light of
the protections from a privacy standpoint in
the<BR> >>existing regulatory
structure.<BR>
>><BR>
>>Palmer<BR>
>><BR> >>-----Original
Message-----<BR> >>From:
owner-gnso-acc-sgb@xxxxxxxxx [<A href="mailto:owner-gnso-acc-sgb@xxxxxxxxx"
target=_BLANK>mailto:owner-gnso-acc-sgb@xxxxxxxxx</A>]<BR>
>>On Behalf Of Dan Krimm<BR>
>>Sent: Friday, May 11, 2007 3:43
PM<BR> >>To:
gnso-acc-sgb@xxxxxxxxx<BR>
>>Cc:
gnso-whois-wg@xxxxxxxxx<BR>
>>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
procedure<BR>
>><BR>
>>Palmer,<BR>
>><BR> >>If I may step in
here (and shift this discussion over to the Subgroup
B<BR> >>list where it properly
belongs):<BR>
>><BR> >>At 1:44 PM -0500
5/11/07, Palmer Hamilton wrote:<BR>
>><BR> >>>Just having
the IP address and registrar is not sufficient.
For<BR> >>>example, one of
my banks had a case in which it had to use local
police<BR>
>><BR> >>>in a foreign
country to visit the physical address of the website
owner<BR>
>><BR> >>>to get the
site taken down. The bank had tried to get the registrar
to<BR>
>><BR> >>>shut it down
without success. The bank had also tried to stop the
site<BR>
>><BR> >>>with the
administrative contact, the technical contact, the
abuse<BR> >>>contact, and
the website owner, all with no success. The registrar
was<BR>
>><BR> >>>also not
interested in working with the local police, but the
local<BR> >>>police agreed
to assist AFTER the bank provided the police the 
full<BR> >>>WHOIS
information plus a synopsis of its takedown
efforts.<BR>
>><BR> >>So the question
here is, when the bank is involved in valid efforts
that<BR> >>require access to
Whois data that is designated as private
there<BR> >>certainly should be
a process for that data to be engaged in
the<BR> >>process, so what
should that process be? No one is suggesting that
the<BR> >>bank never get any
such information whatsoever. But some of us
are<BR> >>suggesting that
private entities should not get direct access to
the<BR> >>Whois data, but
rather get information from formally accountable
LEAs<BR> >>who have direct
access.<BR>
>><BR> >>It doesn't mean
that private agents cannot contribute to
the<BR> >>investigation
process, but that private agents need only be given
what<BR> >>they need in a
particular context rather than being given the full
range<BR> >>of powers granted
to publicly-accountable law enforcement. And,
that<BR> >>LEAs be responsible
for providing appropriate information to
private<BR> >>agents that are
participating in investigation processes. Once such
a<BR> >>policy is well-defined,
it is possible to build technological
systems<BR> >>that adhere to
those policies and operate efficiently
without<BR> >>unnecessary human
intervention.<BR>
>><BR> >>And if ICANN
jurisdiction is insufficient to resolve all
structure<BR> >>issues, that
still may not be ICANN's responsibility to
solve.<BR>
>><BR> >>At some point
public law enforcement must step up to the plate to
do<BR> >>what needs to be done.
ICANN cannot solve all the world's
public<BR> >>problems on its
own, or even those problems that may relate
tangentially<BR> >>to the
technical operation of the Internet. ICANN is not a proper
venue<BR> >>to determine and
conduct public governance activities, or to
authorize<BR> >>private
execution of public governance.<BR>
>><BR>
>><BR>
>><BR> >>>Having said
this, the Dutch model could ultimately help fill a void
on<BR> >>>the international
level by leveraging international pressure
on<BR> >>>recalcitrant
governments. But again, this is not really an
alternative<BR>
>><BR> >>>to what we
are doing in Subgroup B, as I understand
it.<BR>
>><BR> >>What exactly are
we doing in subgroup B as you understand
it?<BR>
>><BR> >>As I understand
it, we are trying to reach some consensus on what
GNSO<BR> >>should recommend to
the ICANN Board with regard to determining to
whom<BR> >>and how direct
access to private Whois data under the OPoC
paradigm<BR> >>should be
granted (by registries and/or registrars). This does
not<BR> >>speak to indirect
access through authorized/certified
LEAs.<BR>
>><BR> >>I have no
expectation (or illusion) that what we come up with here
will<BR> >>create a perfect
world. It will certainly continue to be
systematically<BR> >>imperfect
from a privacy protection standpoint. If you are hoping
to<BR> >>find perfection, then
that is undoubtedly beyond the scope of this WG
or<BR> >>Subgroup
B.<BR>
>><BR> >>We are not in a
position to dictate a comprehensive and
airtight<BR> >>resolution to
the full complexity of issues here. So at least *that*
is<BR> >>*not* what we are
doing here.<BR>
>><BR>
>>Dan<BR>
>><BR>
>><BR>
>><BR>
><BR> <BR> <BR><BR></FONT></P>
<P><FONT size=2>Regards,<BR><BR>Jeffrey A. Williams<BR>Spokesman for INEGroup
LLA. - (Over 134k members/stakeholders strong!)<BR>"Obedience of the law is the
greatest freedom" -<BR> Abraham Lincoln<BR><BR>"Credit should go
with the performance of duty and not with what is very<BR>often the accident of
glory" - Theodore Roosevelt<BR><BR>"If the probability be called P; the injury,
L; and the burden, B; liability<BR>depends upon whether B is less than L
multiplied by<BR>P: i.e., whether B is less than PL."<BR>United States v.
Carroll Towing (159 F.2d 169 [2d Cir.
1947]<BR>===============================================================<BR>Updated
1/26/04<BR>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of<BR>Information Network Eng. INEG. INC.<BR>ABA member in good
standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx<BR>Registered Email
addr with the USPS Contact Number:
214-244-4827<BR></P></FONT></ZZZBODY></ZZZHTML></BLOCKQUOTE></DIV></DIV></DIV></BODY>