ICANN Email List Archives

[gnso-acc-sgb]



RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

  • To: "Dan Krimm" <dan@xxxxxxxxxxxxxxxx>, <gnso-acc-sgb@xxxxxxxxx>, <gnso-whois-wg@xxxxxxxxx>
  • Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
  • From: "Fares, David" <DFares@xxxxxxxxxxxx>
  • Date: Tue, 15 May 2007 16:20:51 -0400

Dan,

Could you please point us to a quantitative analysis on the extent of
the problems that you mention we know about?  We always ask governments
not to make policy in a vacuum but based on sound evidence.  There have
been many references to problems but we need to quantify them so that we
can make informed policy decisions.

David

-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
On Behalf Of Dan Krimm
Sent: Tuesday, May 15, 2007 4:10 PM
To: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

Since this stuff is all under the radar (data mining companies do not
want to betray their sources, both for "trade secret" reasons as well as
negative branding for both them and their sources), I imagine it's much
more difficult to find evidence, because so much effort is being put
into hiding it from the general public.

As for Tim's suggestion that this may be less of an issue moving
forward, how about some evidence of *that* while we're at it?  How do we
know that the "various forms of preventive measures" are in fact
effective (and if they are today, will remain so tomorrow)?

Eric's point about the distinction between "private enterprise ad hoc
procedures" and "standardization and required protocols" is a lucid one.
Market forces have their ups and downs, and voluntary behavior may not
be entirely reliable over the long run.

Who has the burden of proof here?  I would suggest it ought to be on
those claiming everything is A-O-K, since we know there have been
problems in the past.

Dan



At 6:26 AM -0700 5/15/07, Hugh Dierker wrote:
>I really want the whois wrapped up tight in the cloak of privacy. But
>this is a really good point. Is there empirical data to support claims
>of misuse?
>
>Eric
>
>Christopher Gibson <cgibson@xxxxxxxxxxx> wrote:
>
>Steve makes a good point. While there have been many comments
>indicating legitimate use of WHOIS services, several comments have
>raised the theoretical prospect that access to WHOIS data might result
>in its misuse (the GAC principles on WHOIS services echo this concern).
>Can anyone provide any data showing that such misuse has actually taken
>place on any significant scale? I note that the GAC recommended that
>further study be made on this point (i.e., how WHOIS data is used and
>misused). Misuse of WHOIS data (quite apart from any potential
>privacy/data protection law concerns) could be an overstated concern.
>
>Chris Gibson
>
>-----Original Message-----
>From: owner-gnso-whois-wg@xxxxxxxxx [mailto:owner-gnso-whois-wg@xxxxxxxxx]
>On Behalf Of Metalitz, Steven
>Sent: Monday, May 14, 2007 4:05 PM
>To: robin@xxxxxxxxxxxxx; jwkckid1@xxxxxxxxxxxxx
>Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
>Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
>Of course, the FTC's own study showed the opposite of what EPIC stated
>-- that Whois is not a significant contributor of e-mail addresses for
>spamming purposes.
>http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.shtm Another study
>by the Center for Democracy and Technology reached the same conclusion.
>See http://www.cdt.org/speech/spam/030319spamreport.shtml ("We tested
>how much spam would be received to an address provided in the WHOIS
>database. Contrary to our expectations, just one spam e-mail was
>generated in the six months that our project was operational.") And the
>other testimony presented to Congress at the hearing where EPIC
>testified is well worth reviewing, including the statements of the
>Federal Trade Commission about how they rely upon access to Whois data
>to enforce laws that protect consumer privacy, and on how consumer
>access to Whois data also assists the FTC in its consumer and privacy
>protection mission. See
>http://financialservices.house.gov/media/pdf/071806eh.pdf (All the
>hearing testimony is compiled at
>http://financialservices.house.gov/archive/hearings.asp@formmode=detail&hearing=491.html)
>
>Steve Metalitz
>
>-----Original Message-----
>From: owner-gnso-whois-wg@xxxxxxxxx
>[mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Robin Gross
>Sent: Sunday, May 13, 2007 2:00 PM
>To: jwkckid1@xxxxxxxxxxxxx
>Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
>Indeed. Let's not forget that in 2006, the US Federal Trade Commission
>stated that online data mining is the number one crime in the United
>States. Privacy experts at EPIC, testified before US Congress that
>databases such as whois are among the most significant contributors to
>this problem:
>http://www.epic.org/privacy/whois/phishing_test.pdf
>
>
>
>jwkckid1@xxxxxxxxxxxxx wrote:
>
>>Dan and all,
>>
>> To sum up what you seem to be getting at is that allowing
>>banks regardless of which one ergo blanket access, is a bad
>>and possibly a dangerous idea. And I amongst a growing number
>>of knowledgeable consumers, registrants, and even LEAs, agree.
>>In fact according to the DOJ fraud, misuse, and other financial
>>illegal schemes by banks, financial institutions, and auditing
>>firms has more than doubled since 2002.
>>
>>-----Original Message-----
>>
>>
>>>From: Dan Krimm
>>>Sent: May 11, 2007 11:20 PM
>>>To: gnso-acc-sgb@xxxxxxxxx
>>>Cc: gnso-whois-wg@xxxxxxxxx
>>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>>
>>>Hope,
>>>
>>>I am not saying that phishing is not a problem that needs to be dealt
>>>with. I am simply saying that it should be dealt with in a measured
>>>way and with proper controls. And, that there are other serious
>>>problems that crop up
>>>
>>>
>>Regards,
>>
>>Jeffrey A. Williams
>>Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
>>"Obedience of the law is the greatest freedom" -
>> Abraham Lincoln
>>
>>"Credit should go with the performance of duty and not with what is
>>very often the accident of glory" - Theodore Roosevelt
>>
>>"If the probability be called P; the injury, L; and the burden, B;
>>liability depends upon whether B is less than L multiplied by
>>P: i.e., whether B is less than PL."
>>United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
>>===============================================================
>>Updated 1/26/04
>>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
>>div. of Information Network Eng. INEG. INC.
>>ABA member in good standing member ID 01257402 E-Mail
>>jwkckid1@xxxxxxxxxxxxx
>>Registered Email addr with the USPS Contact Number: 214-244-4827
>>
>>
>>
>>gnso-acc-sgb@xxxxxxxxx
>>
>>
>>
>>>when the method of dealing with it is not measured and does not have
>>>proper controls.
>>>
>>>Secondly, our deliberations here are about more than just banks, even
>>>if Palmer's suggestion was constrained to banks.
>>>
>>>My comment about consumers versus customers is about the fact that
>>>giving blanket access to banks for all Whois data provides access to
>>>personal information about consumers who are not their direct
>>>customers, and the banks are not regulatorily restricted from using
>>>data about consumers that are not their direct customers, as they are
>>>with regard to their own direct customers.
>>>
>>>Example: I have an account with bank A. I do not have an account with
>>>bank B. If bank B has blanket access to Whois data in order to find
>>>phishers, because I am an Internet domain registrant, bank B gets my
>>>personal data from Whois even if I am not a phisher. Bank B is
>>>regulated in many cases with respect to its own customers, as bank A
>>>is regulated with regard to personal data it collects from me by
>>>virtue of being a customer. But bank B is not regulated with respect
>>>to the data about me that it gleans from sources such as Whois,
>>>because I am not a customer of bank B. I cannot opt-out of bank B
>>>using my personal data for anything it wishes the way I can opt-out of
>>>bank A using my personal data in that way.
>>>
>>>Personally, that bothers me, because I don't believe that "banks are
>>>not interested in information about millions upon millions (of)
>>>people" -- if they can make a buck off of it, why wouldn't they be? If
>>>they have access to that data, they can build a business selling it to
>>>people who use it for marketing (or other) purposes, just as they used
>>>to do with their customers' information before regulation allowed some
>>>customers in some jurisdictions to opt out from those uses.
>>>
>>>Just because the anti-fraud departments of banks are not interested in
>>>the broad range of data doesn't mean that the ancillary-business
>>>departments (connected to marketing, etc.) of banks are not interested
>>>in the data. They'd be dumb not to be interested, where there's money
>>>to be made. They already have big businesses built on (currently)
>>>legal use of personal data collected from their customers. It's only
>>>because of regulation that I have the option to opt-out of that use in
>>>some cases today. It's not like the banks have been particularly
>>>trustworthy actors in this arena: they have done only what has been
>>>forced down their throats by law, typically nothing more, and even
>>>that much has not been without a fight.
>>>
>>>As a consumer, I am as alarmed as anyone about the problems of misuse
>>>of data leading to fraud and ID theft, etc. The problem with granting
>>>blanket access to private entities without meaningful enforcement
>>>against abuse is that this creates a systematic incentive for misuse
>>>of data in precisely the way that can lead secondarily to ID theft,
>>>etc. Example: Bank B sells my personal data to someone posing as a
>>>marketer who then tries to scam me. Bank B may not have done the deed
>>>directly, but their "legitimate marketing data business" leads to
>>>misuse by others in a fraudulent manner. Unless we place enforceable
>>>limits on what banks may do with all this data, this potential remains
>>>large. I don't see anything in Palmer's proposal that suggests
>>>meaningful enforcement procedures to prevent this sort of thing, or
>>>even demonstrates that meaningful enforcement is possible.
>>>
>>>I support providing legitimate anti-fraud efforts what they need to do
>>>their jobs, but no more than that. Blanket access proposals without
>>>due process go *way* beyond the specific needs required to get the bad
>>>guys, and place orders of magnitude more good guys at unnecessary risk
>>>of abuse (without recourse, if the source of the abuse cannot be
>>>traced).
>>>
>>>Blanket access is easy for banks, but it goes too far and thus
>>>endangers many others in the process. Our job should not be
>>>exclusively to make things easy for banks at the expense of
>>>significant costs to other stakeholders. Banks should be able to get
>>>the job done, but with enforceable controls and appropriate
>>>pre-screening. Just like any other private entities that are involved
>>>in anti-fraud activities.
>>>
>>>Dan
>>>
>>>
>>>
>>>At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
>>>
>>>
>>>>Dan,
>>>>
>>>>I am glad that you are able to recognize a phishing email when you
>>>>see one, unfortunately, not everyone is able to do so. We wouldn't
>>>>have a problem if that were the case. The fraudsters have become more
>>>>and more sophisticated every day and I have seen highly educated
>>>>people not be able to recognize phishing emails or be confused as to
>>>>whether an email is legitimate or not. For example, people are often
>>>>times confused or fall for fraudulent emails when their bank merges
>>>>with another bank. The phishing emails address the merger and request
>>>>information stating that it is necessary for conversion purposes. Of
>>>>course, this seems legitimate to customers because they know their
>>>>bank is in the process of merging and in combination with legitimate
>>>>advertising or communications via regular mail, television or print,
>>>>even highly sophisticated individuals fall for these schemes.
>>>>
>>>>Secondly, I am not sure why you are mixing Credit Reporting Agencies
>>>>with banks, these are separate and distinct industries.
>>>>
>>>>Finally, I am not sure I understand the connection with regard to
>>>>your comment that banks should not have access to Whois information
>>>>because they have enough information about their customers. One has
>>>>nothing to do with the other. Banks are not interested in information
>>>>about millions upon millions people but instead are interested in the
>>>>Whois information specifically related to domains used to perpetrate
>>>>fraud upon millions of innocent victims. Banks use Whois information
>>>>in order to combat fraud and identity theft which results from
>>>>phishing emails. Again, banks aren't looking at information of anyone
>>>>who is not a fraudster. If you have the opportunity to speak with
>>>>someone who has been a victim of identity theft or fraud, I would
>>>>encourage you to do so.
>>>>
>>>>
>>>>----- Original Message -----
>>>>From: Dan Krimm [dan@xxxxxxxxxxxxxxxx]
>>>>Sent: 05/11/2007 05:32 PM MST
>>>>To:
>>>>Cc:
>>>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>>>
>>>>
>>>>
>>>>I'll let Eric speak for himself with regard to the email he receives,
>>>>but the phishing scams I get are easily recognized and discarded.
>>>>(The first one I ever got -- before it had become prevalent, and
>>>>before there was a word coined for it -- I was temporarily confused,
>>>>but I was alert enough to check out the domain before supplying any
>>>>info. I have been personally immune ever since.)
>>>>
>>>>While I opt-out of all uses of my info by financial institutions that
>>>>I can (and in California I can opt out of more than in other states
>>>>or countries, because of consumer-friendly state regulation), I am
>>>>still troubled by information collected by credit reporting agencies
>>>>and other sources that I do not know about. I refuse to allow
>>>>DoubleClick to place cookies on my browsers. And still I know this is
>>>>not enough to be secure in the knowledge that data about me is not
>>>>being used against my interests, usually by private entities out to
>>>>make a buck.
>>>>
>>>>Banks already get a lot of personal information from their immediate
>>>>customers. There is no reason to give them unsupervised blanket
>>>>access to all information in the Whois database about millions upon
>>>>millions of people who are not their direct customers.
>>>>
>>>>Information used for legitimate anti-fraud efforts needs to be
>>>>well-targeted as much as possible, and checks and balances need to be
>>>>in place to assure appropriateness of access as a rule, since
>>>>recourse is not always available in the case of abuse (and thus
>>>>deterrence may be ineffective).
>>>>
>>>>If ICANN is not in position to become a fully-functional public law
>>>>enforcement entity in and of itself, with all of the due process and
>>>>accountability that such a role calls for (and it seems pretty clear
>>>>that it is not), then that dynamic needs to be in the system
>>>>somewhere, somehow, and it needs to be designed with some serious
>>>>effectiveness, not just as a cosmetic ruse.
>>>>
>>>>Dan
>>>>
>>>>
>>>>
>>>>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
>>>>
>>>>
>>>>>Those 20 or so spam emails are likely phishing emails or scams.
>>>>>Banks do not send spam emails. These emails you are referring to are
>>>>>not legitimate emails, and this is exactly what banks are trying to
>>>>>prevent in order to protect consumers from identity theft and fraud.
>>>>>Your email highlights how significant and prevalent this problem is.
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>> From: Hugh Dierker [hdierker2204@xxxxxxxxx]
>>>>> Sent: 05/11/2007 03:26 PM MST
>>>>> To: gnso-acc-sgb@xxxxxxxxx
>>>>> Cc: gnso-whois-wg@xxxxxxxxx
>>>>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>>>>
>>>>>
>>>>>This really assumes a lot. Hypothetical "who done its". Does not
>>>>>justify giving out confidential information to banks. I get 20 or so
>>>>>spams a day from Banks. Junk mail another 5 a day- credit cards
>>>>>galore.
>>>>>
>>>>>I do not buy that "banks" want my info for purely secure reasons.
>>>>>
>>>>>Eric
>>>>>
>>>>>Palmer Hamilton wrote:
>>>>>
>>>>>
>>>>>Dan,
>>>>>
>>>>>The problem is a practical one. Law enforcement has limited
>>>>>resources. We might wish that were not the case, but it is, and,
>>>>>realistically, it will always be the case. Law enforcement, as I set
>>>>>out in my earlier emails to Milton, expects banks to do the legwork
>>>>>before it will act. Maybe it should be otherwise, but this is not
>>>>>the case nor will it ever be the case. In various roles, both in
>>>>>government and working on the side of government, I have spent years
>>>>>working on the side of law enforcement. I think it is fair to say
>>>>>that law enforcement's approach is virtually an immutable law of
>>>>>nature. And frankly from law enforcement's standpoint, it must set
>>>>>priorities given its limited resources.
>>>>>
>>>>>If banks do not have access to the necessary information, internet
>>>>>users and consumers will be put at much greater risk. It would be
>>>>>nice to think that banks and consumers could simply lodge a
>>>>>complaint and that the complaint would be immediately acted upon.
>>>>>But this will never happen. Law enforcement has too much on its
>>>>>plate. My banks can give you page after page of examples to
>>>>>corroborate this. And remember for every hour that passes, millions
>>>>>can be lost, including life savings.
>>>>>
>>>>>Please take another look at the example in my email to Milton
>>>>>involving the local police in a foreign jurisdiction that finally
>>>>>agreed to act, but only after the bank had exhausted all avenues and
>>>>>done all the legwork. Realistically, absent bank access to the local
>>>>>address, it is unknown how many innocent consumers would have
>>>>>suffered losses before this fraudulent website was ever closed down.
>>>>>
>>>>>You are right that this is a question of balance. And I would argue
>>>>>that consumer protection needs to be prominently considered, not
>>>>>dismissed as unfortunate collateral damage.
>>>>>
>>>>>Banks are closely regulated and monitored entities with public
>>>>>responsibilities. Those responsibilities are examined regularly by
>>>>>bank examiners. As a result, I would submit, consumer protection
>>>>>ought to prevail in light of the protections from a privacy
>>>>>standpoint in the existing regulatory structure.
>>>>>
>>>>>Palmer
>>>>>
>>>>>-----Original Message-----
>>>>>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>>>>>On Behalf Of Dan Krimm
>>>>>Sent: Friday, May 11, 2007 3:43 PM
>>>>>To: gnso-acc-sgb@xxxxxxxxx
>>>>>Cc: gnso-whois-wg@xxxxxxxxx
>>>>>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>>>>
>>>>>Palmer,
>>>>>
>>>>>If I may step in here (and shift this discussion over to the
>>>>>Subgroup B list where it properly belongs):
>>>>>
>>>>>At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Just having the IP address and registrar is not sufficient. For
>>>>>>example, one of my banks had a case in which it had to use local
>>>>>>police in a foreign country to visit the physical address of the
>>>>>>website owner to get the site taken down. The bank had tried to get
>>>>>>the registrar to shut it down without success. The bank had also
>>>>>>tried to stop the site with the administrative contact, the
>>>>>>technical contact, the abuse contact, and the website owner, all
>>>>>>with no success. The registrar was also not interested in working
>>>>>>with the local police, but the local police agreed to assist AFTER
>>>>>>the bank provided the police the full WHOIS information plus a
>>>>>>synopsis of its takedown efforts.
>>>>>>
>>>>>>
>>>>>So the question here is, when the bank is involved in valid efforts
>>>>>that require access to Whois data that is designated as private
>>>>>there certainly should be a process for that data to be engaged in
>>>>>the process, so what should that process be? No one is suggesting
>>>>>that the bank never get any such information whatsoever. But some of
>>>>>us are suggesting that private entities should not get direct access
>>>>>to the Whois data, but rather get information from formally
>>>>>accountable LEAs who have direct access.
>>>>>
>>>>>It doesn't mean that private agents cannot contribute to the
>>>>>investigation process, but that private agents need only be given
>>>>>what they need in a particular context rather than being given the
>>>>>full range of powers granted to publicly-accountable law
>>>>>enforcement. And, that LEAs be responsible for providing appropriate
>>>>>information to private agents that are participating in
>>>>>investigation processes. Once such a policy is well-defined, it is
>>>>>possible to build technological systems that adhere to those
>>>>>policies and operate efficiently without unnecessary human
>>>>>intervention.
>>>>>
>>>>>And if ICANN jurisdiction is insufficient to resolve all structure
>>>>>issues, that still may not be ICANN's responsibility to solve.
>>>>>
>>>>>At some point public law enforcement must step up to the plate to do
>>>>>what needs to be done. ICANN cannot solve all the world's public
>>>>>problems on its own, or even those problems that may relate
>
>=== message truncated ===
>
>
>
>








