<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- To: "Metalitz, Steven" <met@xxxxxxx>, gnso-acc-sgb@xxxxxxxxx
- Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
- From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
- Date: Tue, 15 May 2007 22:50:59 -0700
Steven and all sgb members,
I was referring to http://www.ftc.gov/opa/2006/09/whois.shtm ,
which clearly leaves a significant amount of the verbage a matter
of interpretation and doesn't mention what so ever as to what
is "Open and transparent" in regards to a registrants personal
and private information, which again is address and personal
phone number.
Secondly again, there is NO mention of banks doing the
"leg work" for LEA's what so ever.
Metalitz, Steven wrote:
> To the contrary, the FTC congressional testimony discusses at
> length, on
> pages 13-16, how private sector access to Whois helps FTC do its job,
> and concludes: "The simple yet crucial point is this: many legitimate
>
> uses of Whois data by the business community and other
> non-governmental
> organizations have an important, and often ignored, consumer
> protection
> dimension. Their continued access to Whois information often helps
> protect consumers from online scams and deception."
>
> See http://financialservices.house.gov/media/pdf/071806eh.pdf.
>
> Steve Metalitz
> ________________________________
>
> From: owner-gnso-whois-wg@xxxxxxxxx
> [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Hugh Dierker
> Sent: Tuesday, May 15, 2007 10:03 AM
> To: Jeff Williams; gnso-acc-sgb@xxxxxxxxx
> Cc: gnso-whois-wg@xxxxxxxxx
> Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
> procedure
>
>
> If think the FTC as usual spoke volumes in what they left unsaid.
>
> Where did the concept of banks doing the "legwork" come from.
> I would especially like to hear from the Law Enforcement members on
> that.
> Carole what are your thoughts on this "doing legwork for law
> enforcement" concept.
>
> Eric
>
> Jeff Williams <jwkckid1@xxxxxxxxxxxxx> wrote:
>
> Steven and all sgb members,
>
> It is far more important to recognize what the FTC's own study
>
> did NOT indicate. Ergo that there was no mention of access
> to PRIVATE Whois data in order to perform their function
> effectively. Hence, why we are here and at the crux of what,
> who, and how we need to focus upon. The FTC's own study
> also did NOT indicate a need for banks to do the "leg work"
> for their study or perform their function.
>
> Metalitz, Steven wrote:
>
> > Of course, the FTC's own study showed the opposite of what
> EPIC stated
> > -- that Whois is not a significant contributor of e-mail
> addresses for
> > spamming purposes.
> > http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.shtm
> Another study
> > by the Center for Democracy and Technology reached the same
> conclusion.
> > See http://www.cdt.org/speech/spam/030319spamreport.shtml
> {"We
> tested
> > how much spam would be received to an address provided in
> the
> WHOIS
> > database. Contrary to our expectations, just one spam e-mail
>
> was
> > generated in the six months that our project was
> operational.") And the
> > other testimony presented to Congress at the hearing where
> EPIC
> > testified is well worth reviewing, including the statements
> of
> the
> > Federal Trade Commission about how they rely upon access to
> Whois data
> > to enforce laws that protect consumer privacy, and on how
> consumer
> > access to Whois data also assists the FTC in its consumer
> and
> privacy
> > protection mission. See
> > http://financialservices.house.gov/media/pdf/071806eh.pdf
> (All
> the
> > hearing testimony is compiled at
> >
> http://fi
> ancialservices.house.gov/archive/hearings.asp@formmode=detail&
> > hearing=491.html)
> >
> > Steve Metalitz
> >
> > -----Original Message-----
> > From: owner-gnso-whois-wg@xxxxxxxxx
> > [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Robin
> Gross
> > Sent: Sunday, May 13, 2007 2:00 PM
> > To: jwkckid1@xxxxxxxxxxxxx
> > Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
> > Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch
> Govcert
> procedure
> >
> > Indeed. Let's not forget that in 2006, the US Federal Trade
> Commission
> > stated that online data mining is the number one crime in
> the
> United
> > States. Privacy experts at EPIC, testified before US
> Congress
> that
> > databases such as whois are among the most significant
> contributors to
> > this problem:
> > http://www.epic.org/privacy/whois/phishing_test.pdf
> >
> > jwkckid1@xxxxxxxxxxxxx wrote:
> >
> > >Dan and all,
> > >
> > > To sum up what you seem to ge getting at is that allowing
> > >banks regardless of which one ergo blanket access, is a bad
>
> > >and possibly a dangerous idea. And I amongst a growing
> number
> > >or knowledgable consumers, registrants, and even LEA's,
> agree.
> > >In fact according to the DOJ fraud, misuse, and other
> financial
> > >illegal scheme's by banks, financial institutions, and
> auditing
> > >firms has more than doubled sense 2002.
> > >
> > >-----Original Message-----
> > >
> > >
> > >>From: Dan Krimm
> > >>Sent: May 11, 2007 11:20 PM
> > >>To: gnso-acc-sgb@xxxxxxxxx
> > >>Cc: gnso-whois-wg@xxxxxxxxx
> > >>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch
> Govcert
> > procedure
> > >>
> > >>Hope,
> > >>
> > >>I am not saying that phishing is not a problem that needs
> to
> be dealt
> > with.
> > >>I am simply saying that it should be dealt with in a
> measured way and
> > with
> > >>proper controls. And, that there are other serious
> problems
> that crop
> > up
> > >>
> > >>
> > >Regards,
> > >
> > >Jeffrey A. Williams
> > >Spokesman for INEGroup LLA. - (Over 134k
> members/stakeholders
> strong!)
> > >"Obedience of the law is the greatest freedom" -
> > > Abraham Lincoln
> > >
> > >"Credit should go with the performance of duty and not with
>
> what is
> > very
> > >often the accident of glory" - Theodore Roosevelt
> > >
> > >"If the probability be called P; the injury, L; and the
> burden, B;
> > liability
> > >depends upon whether B is less than L multiplied by
> > >P: i.e., whether B is less than PL."
> > >United States v. Carroll Towing (159 F.2d 169 [2d Cir.
> 1947]
> >
> >===============================================================
> > >Updated 1/26/04
> > >CSO/DIR. Internet Network Eng. SR. Eng. Network data
> security
> IDNS.
> > div. of
> > >Information Network Eng. INEG. INC.
> > >ABA member in good standing member ID 01257402 E-Mail
> > jwkckid1@xxxxxxxxxxxxx
> > >Registered Email addr with the USPS Contact Number:
> 214-244-4827
> > >
> > >
> > >
> > >Regards,
> > >
> > >Jeffrey A. Williams
> > >Spokesman for INEGroup LLA. - (Over 134k
> members/stakeholders
> strong!)
> > >"Obedience of the law is the greatest freedom" -
> > > Abraham Lincoln
> > >
> > >"Credit should go with the performance of duty and not with
>
> what is
> > very
> > >often the accident of glory" - Theodore Roosevelt
> > >
> > >"If the probability be called P; the injury, L; and the
> burden, B;
> > liability
> > >depends upon whether B is less than L multiplied by
> > >P: i.e., whether B is less than PL."
> > >United States v. Carroll Towing (159 F.2d 169 [2d Cir.
> 1947]
> >
> >===============================================================
> > >Updated 1/26/04
> > >CSO/DIR. Internet Network Eng. SR. Eng. Network data
> security
> IDNS.
> > div. of
> > >Information Network Eng. INEG. INC.
> > >ABA member in good standing member ID 01257402 E-Mail
> > jwkckid1@xxxxxxxxxxxxx
> > >Registered Email addr with the USPS Contact Number:
> 214-244-4827
> > >
> > >
> > >
> > >gnso-acc-sgb@xxxxxxxxx
> > >
> > >
> > >
> > >>when the method of dealing with it is not measured and
> does
> not have
> > proper
> > >>controls.
> > >>
> > >>Secondly, our deliberations here are about more than just
> banks, even
> > if
> > >>Palmer's suggestion was constrained to banks.
> > >>
> > >>My comment about consumers versus customers is about the
> fact that
> > giving
> > >>blanket access to banks for all Whois data provides access
>
> to personal
> > >>information about consumers who are not their direct
> customers, and
> > the
> > >>banks are not regulatorily restricted from using data
> about
> consumers
> > that
> > >>are not their direct customers, as they are with regard to
>
> their own
> > direct
> > >>customers.
> > >>
> > >>Example: I have an account with bank A. I do not have an
> account
> > with
> > >>bank B. If bank B has blanket access to Whois data in
> order
> to find
> > >>phishers, because I am an Internet domain registrant, bank
> B
> gets my
> > >>personal data from Whois even if I am not a phisher. Bank
> B
> is
> > regulated
> > >>in many cases with respect to its own customers, as bank A
>
> is
> > regulated
> > >>with regard to personal data it collects from me by virtue
>
> of being a
> > >>customer. But bank B is not regulated with respect to the
> data about
> > me
> > >>that it gleans from sources such as Whois, because I am
> not
> a customer
> > of
> > >>bank B. I cannot opt-out of bank B using my personal data
> for
> > anything it
> > >>wishes the way I can opt-out of bank A using my personal
> data in that
> > way.
> > >>
> > >>Personally, that bothers me, because I don't believe that
> "banks are
> > not
> > >>interested in information about millions upon millions
> (of)
> people" --
> > if
> > >>they can make a buck off of it, why wouldn't they be? If
> they have
> > access
> > >>to that data, they can build a business selling it to
> people
> who use
> > it for
> > >>marketing (or other) purposes, just as they used to do
> with
> their
> > >>customers' information before regulation allowed some
> customers in
> > some
> > >>jurisdictions to opt out from those uses.
> > >>
> > >>Just because the anti-fraud departments of banks are not
> interested in
> > the
> > >>broad range of data doesn't mean that the
> ancillary-business
> > departments
> > >>(connected to marketing, etc.) of banks are not interested
>
> in the
> > data.
> > >>They'd be dumb not to be interested, where there's money
> to
> be made.
> > They
> > >>already have big businesses built on (currently) legal use
>
> of personal
> > data
> > >>collected from their customers. It's only because of
> regulation that
> > I
> > >>have the option to opt-out of that use in some cases
> today.
> It's not
> > like
> > >>the banks have been particularly trustworthy actors in
> this
> arena:
> > they
> > >>have done only what has been forced down their throats by
> law,
> > typically
> > >>nothing more, and even that much has not been without a
> fight.
> > >>
> > >>As a consumer, I am as alarmed as anyone about the
> problems
> of misuse
> > of
> > >>data leading to fraud and ID theft, etc. The problem with
> granting
> > blanket
> > >>access to private entities without meaningful enforcement
> against
> > abuse is
> > >>that this creates a systematic incentive for misuse of
> data
> in
> > precisely
> > >>the way that can lead secondarily to ID theft, etc.
> Example:
> Bank B
> > sells
> > >>my personal data to someone posing as a marketer who then
> tries to
> > scam me.
> > >>Bank B may not have done the deed directly, but their
> "legitimate
> > marketing
> > >>data business" leads to misuse by others in a fraudulent
> manner.
> > Unless we
> > >>place enforceable limits on what banks may do with all
> this
> data, this
> > >>potential remains large. I don't see anything in Palmer's
> proposal
> > that
> > >>suggests meaningful enforcement procedures to prevent this
>
> sort of
> > thing,
> > >>or even demonstrates that meaningful enforcement is
> possible.
> > >>
> > >>I support providing legitimate anti-fraud efforts what
> they
> need to do
> > >>their jobs, but no more than that. Blanket access
> proposals
> without
> > due
> > >>process go *way* beyond the specific needs required to get
>
> the bad
> > guys,
> > >>and place orders of magnitude more good guys at
> unnecessary
> risk of
> > abuse
> > >>(without recourse, if the source of the abuse cannot be
> traced).
> > >>
> > >>Blanket access is easy for banks, but it goes too far and
> thus
> > endangers
> > >>many others in the process. Our job should not be
> exclusively to make
> > >>things easy for banks at the expense of significant costs
> to
> other
> > >>stakeholders. Banks should be able to get the job done,
> but
> with
> > >>enforceable controls and appropriate pre-screening. Just
> like any
> > other
> > >>private entities that are involved in anti-fraud
> activities.
> > >>
> > >>Dan
> > >>
> > >>
> > >>
> > >>At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
> > >>
> > >>
> > >>>Dan,
> > >>>
> > >>>I glad that you are able to recognize a phishing email
> when
> you see
> > one,
> > >>>unfortunately, not everyone is able to do so. We wouldn't
>
> have a
> > problem
> > >>>if that were the case. The fraudsters have become more
> and
> more
> > >>>sophisticated every day and I have seen highly educated
> people not be
> > able
> > >>>to recognize phishing emails or be confused as to whether
>
> an email is
> > >>>legitimate or not. For example, people are often times
> confused or
> > fall
> > >>>for fraudulent emails when their bank merges with another
>
> bank. The
> > >>>phishing emails address the merger and request.
> Information
> stating
> > that
> > >>>it necessary for conversion purposes. Of course, this
> seems
> legitmate
> > to
> > >>>customers because they know their bank is in the process
> of
> merging
> > and in
> > >>>combination with legitimate advertising or communications
>
> via regular
> > >>>mail, television or print, even highly sophisticated
> individuals
> > fall for
> > >>>these schemes.
> > >>>
> > >>>Secondly, I am not sure why you are mixing Credit.
> Reporting Agencies
> > with
> > >>>banks, these are separate and distinct industries.
>
Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS
Contact Number: 214-244-4827
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|