[gnso-acc-sgb] RE: [gnso-whois-wg] GAC's position on Whois
- To: "Hugh Dierker" <hdierker2204@xxxxxxxxx>, "Milton Mueller" <mueller@xxxxxxx>, <gnso-acc-sgb@xxxxxxxxx>
- Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] GAC's position on Whois
- From: "Metalitz, Steven" <met@xxxxxxx>
- Date: Sun, 13 May 2007 14:03:22 -0700
Eric,
cc's are outside the scope of this group. cc's take on no obligations
with respect to Whois when they sign agreements with ICANN.
Steve Metalitz
________________________________
From: owner-gnso-whois-wg@xxxxxxxxx
[mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Hugh Dierker
Sent: Saturday, May 12, 2007 1:20 PM
To: Milton Mueller; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: Re: [gnso-whois-wg] GAC's position on Whois
For some reason, and I am probably just ignorant of it, I do not see
distinctions made between ccTLDs and gTLDs. Are ccTLDs just completely
out of the scope of this WG? But yet they are signing agreements with
ICANN at a reasonable rate. What are the contractual whois criteria
being required there?
Eric
Milton Mueller <mueller@xxxxxxx> wrote:
Let me correct what seems to be an increasingly common set of errors on
interpreting the GAC principles.
First and foremost, the GAC stands for "Governmental Advisory
Committee." Its role in the ICANN regime is advisory only. (The USG may
be an exception of course, because it controls key functions related to
ICANN. And the US definitely has a position on Whois ;-))
Second, anyone who has followed this issue knows perfectly well that
governments are deeply divided on it. When it comes to the proper
balance of privacy and access to data, data protection authorities have
one view, law enforcement and consumer protection authorities often have
a different view. Neither one of them can claim to speak authoritatively
for governments, much less the public interest. It is noteworthy,
however, that at some GAC meeting data protection authorities have not
been allowed to speak, whereas LEAs have been featured.
Third, this division of governmental opinion was illustrated just
today, with the announcement that the UK government has required the
.telnic registry to remove access to private data from its Whois.
Indeed, one of the strangest aspects of this issue is the conflicting
signals you get from governmental agencies. You see, for example, the
Australian GAC representative demanding no change in Whois while at the
same time the Australian national privacy law requires the Australian
ccTLD to shield its Whois data.
Fourth, the GAC statement on Whois deliberately did _not_ say that
access to the whois data as it now exists should be retained. It
enumerated several "legitimate activities" that use the whois data. That
was compromise wording deliberately chosen to avoid saying what
Christopher Gibson is saying below. In other words, in the GAC
principles it is the activities that are legitimate, but not necessarily
the open access to them that we have now.
>>> "Christopher Gibson" 5/11/2007 6:39:16 PM
>>>
and others, however, serve to confirm the GAC's position that WHOIS
services have evolved into a vital, efficient and internationally-tested
mechanism in support of a number of legitimate functions. In this
context, following the "first, do no harm" principle means that
potential changes to the WHOIS system need to be evaluated and made only
when we have confidence that suitable alternative mechanisms to curb
abuse are in place.
Chris
Palmer Hamilton wrote:
Dan,
The problem is a practical one. Law enforcement has limited resources.
We might wish that were not the case, but it is, and, realistically, it
will always be the case. Law enforcement, as I set out in my earlier
emails to Milton, expects banks to do the legwork before it will act.
Maybe it should be otherwise, but this is not the case nor will it ever
be the case. In various roles, both in government and working on the
side of government, I have spent years working on the side of law
enforcement. I think it is fair to say that law enforcement's approach
is virtually an immutable law of nature. And frankly from law
enforcement's standpoint, it must set priorities given its limited
resources.
If banks do not have access to the necessary information, internet users
and consumers will be put at much greater risk. It would be nice to
think that banks and consumers could simply lodge a complaint and that
the complaint would be immediately acted upon. But this will never
happen. Law enforcement has too much on its plate. My banks can give
you page after page of examples to corroborate this. And remember for
every hour that passes, millions can be lost, including life savings.
Please take another look at the example in my email to Milton involving
the local police in a foreign jurisdiction that finally agreed to act,
but only after the bank had exhausted all avenues and done all the
legwork. Realistically, absent bank access to the local address, it is
unknown how many innocent consumers would have suffered losses before
this fraudulent website was ever closed down.
You are right that this is a question of balance. And I would argue
that consumer protection needs to be prominently considered, not
dismissed as unfortunate collateral damage.
Banks are closely regulated and monitored entities with public
responsibilities. Those responsibilities are examined regularly by bank
examiners. As a result, I would submit, consumer protection ought to
prevail in light of the protections from a privacy standpoint in the
existing regulatory structure.
Palmer
-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx
[mailto:owner-gnso-acc-sgb@xxxxxxxxx] On Behalf Of Dan Krimm
Sent: Friday, May 11, 2007 3:43 PM
To: gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
Palmer,
If I may step in here (and shift this discussion over to the Subgroup B
list where it properly belongs):
At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>Just having the IP address and registrar is not sufficient. For
>example, one of my banks had a case in which it had to use local police
>in a foreign country to visit the physical address of the website owner
>to get the site taken down. The bank had tried to get the registrar to
>shut it down without success. The bank had also tried to stop the site
>with the administrative contact, the technical contact, the abuse
>contact, and the website owner, all with no success. The registrar was
>also not interested in working with the local police, but the local
>police agreed to assist AFTER the bank provided the police the full
>WHOIS information plus a synopsis of its takedown efforts.
So the question here is, when the bank is involved in valid efforts that
require access to Whois data that is designated as private there
certainly should be a process for that data to be engaged in the
process, so what should that process be? No one is suggesting that the
bank never get any such information whatsoever. But some of us are
suggesting that private entities should not get direct access to the
Whois data, but rather get information from formally accountable LEAs
who have direct access.
It doesn't mean that private agents cannot contribute to the
investigation process, but that private agents need only be given what
they need in a particular context rather than being given the full range
of powers granted to publicly-accountable law enforcement. And, that
LEAs be responsible for providing appropriate information to private
agents that are participating in investigation processes. Once such a
policy is well-defined, it is possible to build technological systems
that adhere to those policies and operate efficiently without
unnecessary human intervention.
And if ICANN jurisdiction is insufficient to resolve all structure
issues, that still may not be ICANN's responsibility to solve.
At some point public law enforcement must step up to the plate to do
what needs to be done. ICANN cannot solve all the world's public
problems on its own, or even those problems that may relate tangentially
to the technical operation of the Internet. ICANN is not a proper venue
to determine and conduct public governance activities, or to authorize
private execution of public governance.
>Having said this, the Dutch model could ultimately help fill a void on
>the international level by leveraging international pressure on
>recalcitrant governments. But again, this is not really an alternative
>to what we are doing in Subgroup B, as I understand it.
What exactly are we doing in subgroup B as you understand it?
As I understand it, we are trying to reach some consensus on what GNSO
should recommend to the ICANN Board with regard to determining to whom
and how direct access to private Whois data under the OPoC paradigm
should be granted (by registries and/or registrars). This does not
speak to indirect access through authorized/certified LEAs.
I have no expectation (or illusion) that what we come up with here will
create a perfect world. It will certainly continue to be systematically
imperfect from a privacy protection standpoint. If you are hoping to
find perfection, then that is undoubtedly beyond the scope of this WG or
Subgroup B.
We are not in a position to dictate a comprehensive and airtight
resolution to the full complexity of issues here. So at least *that* is
*not* what we are doing here.
Dan