ICANN Email List Archives

[gnso-acc-sgb]


RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
  • From: "Metalitz, Steven" <met@xxxxxxx>
  • Date: Tue, 15 May 2007 07:26:31 -0700

To the contrary, the FTC congressional testimony discusses at length, on
pages 13-16, how private sector access to Whois helps FTC do its job,
and concludes:  "The simple yet crucial point is this: many legitimate
uses of Whois data by the business community and other non-governmental
organizations have an important, and often ignored, consumer protection
dimension.  Their continued access to Whois information often helps
protect consumers from online scams and deception." 
 
See http://financialservices.house.gov/media/pdf/071806eh.pdf.
 
Steve Metalitz
________________________________

From: owner-gnso-whois-wg@xxxxxxxxx
[mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Hugh Dierker
Sent: Tuesday, May 15, 2007 10:03 AM
To: Jeff Williams; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure


I think the FTC as usual spoke volumes in what they left unsaid.
 
Where did the concept of banks doing the "legwork" come from?
I would especially like to hear from the Law Enforcement members on
that.
Carole, what are your thoughts on this "doing legwork for law
enforcement" concept?
 
Eric

Jeff Williams <jwkckid1@xxxxxxxxxxxxx> wrote:

        Steven and all sgb members,
        
        It is far more important to recognize what the FTC's own study
        did NOT indicate. Ergo that there was no mention of access
        to PRIVATE Whois data in order to perform their function
        effectively. Hence, why we are here and at the crux of what,
        who, and how we need to focus upon. The FTC's own study
        also did NOT indicate a need for banks to do the "leg work"
        for their study or perform their function.
        
        Metalitz, Steven wrote:
        
        > Of course, the FTC's own study showed the opposite of what EPIC stated
        > -- that Whois is not a significant contributor of e-mail addresses for
        > spamming purposes.
        > http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.shtm Another study
        > by the Center for Democracy and Technology reached the same conclusion.
        > See http://www.cdt.org/speech/spam/030319spamreport.shtml ("We tested
        > how much spam would be received to an address provided in the WHOIS
        > database. Contrary to our expectations, just one spam e-mail was
        > generated in the six months that our project was operational.") And the
        > other testimony presented to Congress at the hearing where EPIC
        > testified is well worth reviewing, including the statements of the
        > Federal Trade Commission about how they rely upon access to Whois data
        > to enforce laws that protect consumer privacy, and on how consumer
        > access to Whois data also assists the FTC in its consumer and privacy
        > protection mission. See
        > http://financialservices.house.gov/media/pdf/071806eh.pdf (All the
        > hearing testimony is compiled at
        > http://financialservices.house.gov/archive/hearings.asp@formmode=detail&hearing=491.html)
        >
        > Steve Metalitz
        >
        > -----Original Message-----
        > From: owner-gnso-whois-wg@xxxxxxxxx
        > [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Robin Gross
        > Sent: Sunday, May 13, 2007 2:00 PM
        > To: jwkckid1@xxxxxxxxxxxxx
        > Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
        > Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
        >
        > Indeed. Let's not forget that in 2006, the US Federal Trade Commission
        > stated that online data mining is the number one crime in the United
        > States. Privacy experts at EPIC testified before US Congress that
        > databases such as whois are among the most significant contributors to
        > this problem:
        > http://www.epic.org/privacy/whois/phishing_test.pdf
        >
        > jwkckid1@xxxxxxxxxxxxx wrote:
        >
        > >Dan and all,
        > >
        > > To sum up what you seem to be getting at is that allowing
        > >banks regardless of which one ergo blanket access, is a bad
        > >and possibly a dangerous idea. And I amongst a growing number
        > >of knowledgeable consumers, registrants, and even LEA's, agree.
        > >In fact according to the DOJ fraud, misuse, and other financial
        > >illegal schemes by banks, financial institutions, and auditing
        > >firms has more than doubled since 2002.
        > >
        > >-----Original Message-----
        > >
        > >
        > >>From: Dan Krimm 
        > >>Sent: May 11, 2007 11:20 PM
        > >>To: gnso-acc-sgb@xxxxxxxxx
        > >>Cc: gnso-whois-wg@xxxxxxxxx
        > >>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
        > >>
        > >>Hope,
        > >>
        > >>I am not saying that phishing is not a problem that needs to be dealt
        > >>with. I am simply saying that it should be dealt with in a measured way
        > >>and with proper controls. And, that there are other serious problems
        > >>that crop up
        > >>
        > >>
        > >Regards,
        > >
        > >Jeffrey A. Williams
        > >Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
        > >"Obedience of the law is the greatest freedom" -
        > > Abraham Lincoln
        > >
        > >"Credit should go with the performance of duty and not with what is very
        > >often the accident of glory" - Theodore Roosevelt
        > >
        > >"If the probability be called P; the injury, L; and the burden, B;
        > >liability depends upon whether B is less than L multiplied by
        > >P: i.e., whether B is less than PL."
        > >United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
        > >===============================================================
        > >Updated 1/26/04
        > >CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
        > >Information Network Eng. INEG. INC.
        > >ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
        > >Registered Email addr with the USPS Contact Number: 214-244-4827
        > >
        > >
        > >
        > >
        > >
        > >
        > >>when the method of dealing with it is not measured and does not have
        > >>proper controls.
        > >>
        > >>Secondly, our deliberations here are about more than just banks, even if
        > >>Palmer's suggestion was constrained to banks.
        > >>
        > >>My comment about consumers versus customers is about the fact that giving
        > >>blanket access to banks for all Whois data provides access to personal
        > >>information about consumers who are not their direct customers, and the
        > >>banks are not regulatorily restricted from using data about consumers that
        > >>are not their direct customers, as they are with regard to their own direct
        > >>customers.
        > >>
        > >>Example: I have an account with bank A. I do not have an account with
        > >>bank B. If bank B has blanket access to Whois data in order to find
        > >>phishers, because I am an Internet domain registrant, bank B gets my
        > >>personal data from Whois even if I am not a phisher. Bank B is regulated
        > >>in many cases with respect to its own customers, as bank A is regulated
        > >>with regard to personal data it collects from me by virtue of being a
        > >>customer. But bank B is not regulated with respect to the data about me
        > >>that it gleans from sources such as Whois, because I am not a customer of
        > >>bank B. I cannot opt-out of bank B using my personal data for anything it
        > >>wishes the way I can opt-out of bank A using my personal data in that way.
        > >>
        > >>Personally, that bothers me, because I don't believe that "banks are not
        > >>interested in information about millions upon millions (of) people" -- if
        > >>they can make a buck off of it, why wouldn't they be? If they have access
        > >>to that data, they can build a business selling it to people who use it for
        > >>marketing (or other) purposes, just as they used to do with their
        > >>customers' information before regulation allowed some customers in some
        > >>jurisdictions to opt out from those uses.
        > >>
        > >>Just because the anti-fraud departments of banks are not interested in the
        > >>broad range of data doesn't mean that the ancillary-business departments
        > >>(connected to marketing, etc.) of banks are not interested in the data.
        > >>They'd be dumb not to be interested, where there's money to be made. They
        > >>already have big businesses built on (currently) legal use of personal data
        > >>collected from their customers. It's only because of regulation that I
        > >>have the option to opt-out of that use in some cases today. It's not like
        > >>the banks have been particularly trustworthy actors in this arena: they
        > >>have done only what has been forced down their throats by law, typically
        > >>nothing more, and even that much has not been without a fight.
        > >>
        > >>As a consumer, I am as alarmed as anyone about the problems of misuse of
        > >>data leading to fraud and ID theft, etc. The problem with granting blanket
        > >>access to private entities without meaningful enforcement against abuse is
        > >>that this creates a systematic incentive for misuse of data in precisely
        > >>the way that can lead secondarily to ID theft, etc. Example: Bank B sells
        > >>my personal data to someone posing as a marketer who then tries to scam me.
        > >>Bank B may not have done the deed directly, but their "legitimate marketing
        > >>data business" leads to misuse by others in a fraudulent manner. Unless we
        > >>place enforceable limits on what banks may do with all this data, this
        > >>potential remains large. I don't see anything in Palmer's proposal that
        > >>suggests meaningful enforcement procedures to prevent this sort of thing,
        > >>or even demonstrates that meaningful enforcement is possible.
        > >>
        > >>I support providing legitimate anti-fraud efforts what they need to do
        > >>their jobs, but no more than that. Blanket access proposals without due
        > >>process go *way* beyond the specific needs required to get the bad guys,
        > >>and place orders of magnitude more good guys at unnecessary risk of abuse
        > >>(without recourse, if the source of the abuse cannot be traced).
        > >>
        > >>Blanket access is easy for banks, but it goes too far and thus endangers
        > >>many others in the process. Our job should not be exclusively to make
        > >>things easy for banks at the expense of significant costs to other
        > >>stakeholders. Banks should be able to get the job done, but with
        > >>enforceable controls and appropriate pre-screening. Just like any other
        > >>private entities that are involved in anti-fraud activities.
        > >>
        > >>Dan
        > >>
        > >>
        > >>
        > >>At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
        > >>
        > >>
        > >>>Dan,
        > >>>
        > >>>I am glad that you are able to recognize a phishing email when you see one,
        > >>>unfortunately, not everyone is able to do so. We wouldn't have a problem
        > >>>if that were the case. The fraudsters have become more and more
        > >>>sophisticated every day and I have seen highly educated people not be able
        > >>>to recognize phishing emails or be confused as to whether an email is
        > >>>legitimate or not. For example, people are often times confused or fall
        > >>>for fraudulent emails when their bank merges with another bank. The
        > >>>phishing emails address the merger and request information stating that
        > >>>it is necessary for conversion purposes. Of course, this seems legitimate to
        > >>>customers because they know their bank is in the process of merging and in
        > >>>combination with legitimate advertising or communications via regular
        > >>>mail, television or print, even highly sophisticated individuals fall for
        > >>>these schemes.
        > >>>
        > >>>Secondly, I am not sure why you are mixing Credit Reporting Agencies with
        > >>>banks, these are separate and distinct industries.
        > >>>
        > >>>Finally, I am not sure I understand the connection with regard to your
        > >>>comment that banks should not have access to Whois information because
        > >>>they have enough information about their customers. One has nothing to do
        > >>>with the other. Banks are not interested in information about millions
        > >>>upon millions people but instead are interested in the Whois information
        > >>>specifically related to domains used to perpetrate fraud upon millions of
        > >>>innocent victims. Banks use Whois information in order to combat fraud
        > >>>and identity theft which results from phishing emails. Again, banks aren't
        > >>>looking at information of anyone who is not a fraudster. If you have the
        > >>>opportunity to speak with someone who has been a victim of identity theft
        > >>>or fraud, I would encourage you to do so.
        > >>>
        > >>>
        > >>>----- Original Message -----
        > >>>From: Dan Krimm [dan@xxxxxxxxxxxxxxxx]
        > >>>Sent: 05/11/2007 05:32 PM MST
        > >>>To: 
        > >>>Cc: 
        > >>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
        > >>>
        > >>>
        > >>>
        > >>>I'll let Eric speak for himself with regard to the email he receives, but
        > >>>the phishing scams I get are easily recognized and discarded. (The first
        > >>>one I ever got -- before it had become prevalent, and before there was a
        > >>>word coined for it -- I was temporarily confused, but I was alert enough to
        > >>>check out the domain before supplying any info. I have been personally
        > >>>immune ever since.)
        > >>>
        > >>>While I opt-out of all uses of my info by financial institutions that I can
        > >>>(and in California I can opt out of more than in other states or countries,
        > >>>because of consumer-friendly state regulation), I am still troubled by
        > >>>information collected by credit reporting agencies and other sources that I
        > >>>do not know about. I refuse to allow DoubleClick to place cookies on my
        > >>>browsers. And still I know this is not enough to be secure in the
        > >>>knowledge that data about me is not being used against my interests,
        > >>>usually by private entities out to make a buck.
        > >>>
        > >>>Banks already get a lot of personal information from their immediate
        > >>>customers. There is no reason to give them unsupervised blanket access to
        > >>>all information in the Whois database about millions upon millions of
        > >>>people who are not their direct customers.
        > >>>
        > >>>Information used for legitimate anti-fraud efforts needs to be
        > >>>well-targeted as much as possible, and checks and balances need to be in
        > >>>place to assure appropriateness of access as a rule, since recourse is not
        > >>>always available in the case of abuse (and thus deterrence may be
        > >>>ineffective).
        > >>>
        > >>>If ICANN is not in position to become a fully-functional public law
        > >>>enforcement entity in and of itself, with all of the due process and
        > >>>accountability that such a role calls for (and it seems pretty clear that
        > >>>it is not), then that dynamic needs to be in the system somewhere, somehow,
        > >>>and it needs to be designed with some serious effectiveness, not just as a
        > >>>cosmetic ruse.
        > >>>
        > >>>Dan
        > >>>
        > >>>
        > >>>
        > >>>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
        > >>>
        > >>>
        > >>>>Those 20 or so spam emails are likely phishing emails or scams. Banks do
        > >>>>not send spam emails. These emails you are referring to are not legitimate
        > >>>>emails, and this is exactly what banks are trying to prevent in order to
        > >>>>protect consumers from identity theft and fraud. Your email highlights
        > >>>>how significant and prevalent this problem is.
        > >>>>
        > >>>>
        > >>>>----- Original Message -----
        > >>>> From: Hugh Dierker [hdierker2204@xxxxxxxxx]
        > >>>> Sent: 05/11/2007 03:26 PM MST
        > >>>> To: gnso-acc-sgb@xxxxxxxxx
        > >>>> Cc: gnso-whois-wg@xxxxxxxxx
        > >>>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
        > >>>>
        > >>>>
        > >>>>This really assumes a lot. Hypothetical "who done its". Does not justify
        > >>>>giving out confidential information to banks. I get 20 or so spams a day
        > >>>>from Banks. Junk mail another 5 a day- credit cards galore.
        > >>>>
        > >>>>I do not buy that "banks" want my info for purely secure reasons.
        > >>>>
        > >>>>Eric
        > >>>>
        > >>>>Palmer Hamilton wrote:
        > >>>>
        > >>>>
        > >>>>Dan,
        > >>>>
        > >>>>The problem is a practical one. Law enforcement has limited resources.
        > >>>>We might wish that were not the case, but it is, and, realistically, it
        > >>>>will always be the case. Law enforcement, as I set out in my earlier
        > >>>>emails to Milton, expects banks to do the legwork before it will act.
        > >>>>Maybe it should be otherwise, but this is not the case nor will it ever
        > >>>>be the case. In various roles, both in government and working on the
        > >>>>side of government, I have spent years working on the side of law
        > >>>>enforcement. I think it is fair to say that law enforcement's approach
        > >>>>is virtually an immutable law of nature. And frankly from law
        > >>>>enforcement's standpoint, it must set priorities given its limited
        > >>>>resources.
        > >>>>
        > >>>>If banks do not have access to the necessary information, internet users
        > >>>>and consumers will be put at much greater risk. It would be nice to
        > >>>>think that banks and consumers could simply lodge a complaint and
        
        Regards,
        --
        Jeffrey A. Williams
        Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
        "Obedience of the law is the greatest freedom" -
        Abraham Lincoln
        
        "Credit should go with the performance of duty and not with what is
        very often the accident of glory" - Theodore Roosevelt
        
        "If the probability be called P; the injury, L; and the burden, B;
        liability depends upon whether B is less than L multiplied by
        P: i.e., whether B is less than PL."
        United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
        ===============================================================
        Updated 1/26/04
        CSO/DIR. Internet Network Eng. SR. Eng. Network data security
        IDNS. div. of Information Network Eng. INEG. INC.
        ABA member in good standing member ID 01257402
        E-Mail jwkckid1@xxxxxxxxxxxxx
        Registered Email addr with the USPS
        Contact Number: 214-244-4827
        
        
        

