Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

[Jeff Williams <jwkckid1@xxxxxxxxxxxxx>]

Dr. Dierker and all,

  I for one agree.  And Dan made a very good case as to why.

  I do however believe that this sgb can come up with some rules
and/or requirement by which SOME banks can be certified or
licensed for third party access to Whois data if those rules
and/or requirements are specific, stringent and have independent
review/examination by a non interested group.

  However I far and away favor no Banks/financial institutions becoming
third party accessors as the cost of doing so are far too prohibitive.

Hugh Dierker wrote:

>    This really assumes alot.  Hypothetical "who done its".  Does not
> justify giving out confidential information to banks.  I get 20 or so
> spams a day from Banks. Junk mail another 5 a day- credit cards
> galore.
>   I do not buy that "banks" want my info for purely secure reasons.
>
>   Eric
>
> Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>
> Dan,
>
> The problem is a practical one. Law enforcement has limited resources.
>
> We might wish that were not the case, but it is, and, realistically,
> it
> will always be the case. Law enforcement, as I set out in my earlier
> emails to Milton, expects banks to do the legwork before it will act.
> Maybe it should be otherwise, but this is not the case nor will it
> ever
> be the case. In various roles, both in government and working on the
> side of government, I have spent years working on the side of law
> enforcement. I think it is fair to say that law enforcement's approach
>
> is virtually an immutable law of nature. And frankly from law
> enforcement's standpoint, it must set priorities given its limited
> resources.
>
> If banks do not have access to the necessary information, internet
> users
> and consumers will be put at much greater risk. It would be nice to
> think that banks and consumers could simply lodge a complaint and that
>
> the complaint would be immediately acted upon. But this will never
> happen. Law enforcement has too much on its plate. My banks can give
> you page after page of examples to corroborate this. And remember for
> every hour that passes, millions can be lost, including life savings.
>
> Please take another look at the example in my email to Milton
> involving
> the local police in a foreign jurisdiction that finally agreed to act,
>
> but only after the bank had exhausted all avenues and done all the
> legwork. Realistically, absent bank access to the local address, it is
>
> unknown how many innocent consumers would have suffered losses before
> this fraudulent website was ever closed down.
>
> You are right that this is a question of balance. And I would argue
> that consumer protection needs to be prominently considered, not
> dismissed as unfortunate collateral damage.
>
> Banks are closely regulated and monitored entities with public
> responsibilities. Those responsibilities are examined regularly by
> bank
> examiners. As a result, I would submit, consumer protection ought to
> prevail in light of the protections from a privacy standpoint in the
> existing regulatory structure.
>
> Palmer
>
> -----Original Message-----
> From: owner-gnso-acc-sgb@xxxxxxxxx
> [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
> On Behalf Of Dan Krimm
> Sent: Friday, May 11, 2007 3:43 PM
> To: gnso-acc-sgb@xxxxxxxxx
> Cc: gnso-whois-wg@xxxxxxxxx
> Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
> Palmer,
>
> If I may step in here (and shift this discussion over to the Subgroup
> B
> list where it properly belongs):
>
> At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>
> >Just having the IP address and registrar is not sufficient. For
> >example, one of my banks had a case in which it had to use local
> police
>
> >in a foreign country to visit the physical address of the website
> owner
>
> >to get the site taken down. The bank had tried to get the registrar
> to
>
> >shut it down without success. The bank had also tried to stop the
> site
>
> >with the administrative contact, the technical contact, the abuse
> >contact, and the website owner, all with no success. The registrar
> was
>
> >also not interested in working with the local police, but the local
> >police agreed to assist AFTED the bank provided the police the full
> >WHOIS information plus a synopsis of its takedown efforts.
>
> So the question here is, when the bank is involved in valid efforts
> that
> require access to Whois data that is designated as private there
> certainly should be a process for that data to be engaged in the
> process, so what should that process be? No one is suggesting that the
>
> bank never get any such information whatsoever. But some of us are
> suggesting that private entities should not get direct access to the
> Whois data, but rather get information from formally accountable LEAs
> who have direct access.
>
> It doesn't mean that private agents cannot contribute to the
> investigation process, but that private agents need only be given what
>
> they need in a particular context rather than being given the full
> range
> of powers granted to publicly-accountable law enforcement. And, that
> LEAs be responsible for providing appropriate information to private
> agents that are participating in investigation processes. Once such a
> policy is well-defined, it is possible to build technological systems
> that adhere to those policies and operate efficiently without
> unnecessary human intervention.
>
> And if ICANN jurisdiction is insufficient to resolve all structure
> issues, that still may not be ICANN's responsibility to solve.
>
> At some point public law enforcement must step up to the plate to do
> what needs to be done. ICANN cannot solve all the world's public
> problems on its own, or even those problems that may relate
> tangentially
> to the technical operation of the Internet. ICANN is not a proper
> venue
> to determine and conduct public governance activities, or to authorize
>
> private execution of public governance.
>
>
>
> >Having said this, the Dutch model could ultimately help fill a void
> on
> >the international level by leveraging international pressure on
> >recalcitrant governments. But again, this is not really an
> alternative
>
> >to what we are doing in Subgroup B, as I understand it.
>
> What exactly are we doing in subgroup B as you understand it?
>
> As I understand it, we are trying to reach some consensus on what GNSO
>
> should recommend to the ICANN Board with regard to determining to whom
>
> and how direct access to private Whois data under the OPoC paradigm
> should be granted (by registries and/or registrars). This does not
> speak to indirect access through authorized/certified LEAs.
>
> I have no expectation (or illusion) that what we come up with here
> will
> create a perfect world. It will certainly continue to be
> systematically
> imperfect from a privacy protection standpoint. If you are hoping to
> find perfection, then that is undoubtedly beyond the scope of this WG
> or
> Subgroup B.
>
> We are not in a position to dictate a comprehensive and airtight
> resolution to the full complexity of issues here. So at least *that*
> is
> *not* what we are doing here.
>
> Dan
>
>
>
>

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obediance of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827