ICANN Email List Archives

[gnso-acc-sgb]



Re: [gnso-acc-sgb] GAC's position on Whois

  • To: Ken Stubbs <kstubbs@xxxxxxxxxxxx>, gnso-acc-sgb@xxxxxxxxx
  • Subject: Re: [gnso-acc-sgb] GAC's position on Whois
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 15 May 2007 23:04:52 -0700

Ken and all sgb members,

  Unfortunately ccTLDs are outside the scope of this Whois WG,
which from a practical position really makes whatever we
come up with in this WG very limiting in regards to fighting
fraud, spam, phishing, etc. in an effective manner.

Ken Stubbs wrote:

> I would agree with this statement here. Unfortunately, sometimes we only
> hear from one side or the other on these issues from these countries.
> Many times the LEAs are more active in "getting their perspectives on
> the table". We need to encourage these countries
> to provide more "comprehensive" inputs to this whois process.
>
> A good example is the current UK data protection agency requirements
> being imposed on the .tel registry which is going to require amendments
> to their contracts with ICANN in order to comply with the UK data
> protection laws (this is the same with .name registry currently).
>
> It's also interesting to note the inconsistencies in some positions taken
> by some GAC member countries with respect to ICANN gTLD whois policies
> and the contradictory data privacy requirements they impose on their own
> ccTLDs.
>
> These conflicting positions make it very difficult to reconcile in some
> cases.
>
> Ken Stubbs
>
> Carole Bird wrote:
> > Hi all,
> >
> > There may well be a difference of opinion or position by different agencies 
> > within a specific country which in my opinion is a healthy thing.  However, 
> > that does not mean that the country/government itself is not in a position 
> > to determine where it needs to strike the balance.
> >
> > If a country has both privacy legislation as well as LEAs, then its
> > government (and by this I'm not saying the police) should be able to
> > determine where it wants/needs to strike the balance.
> >
> > Each country/government may choose to strike a different balance which
> > would be wholly consistent with its applicable laws.
> >
> > Carole
> >
> >>>> "Milton Mueller" <mueller@xxxxxxx> 05/12/07 12:28 AM >>>
> > Let me correct what seems to be an increasingly common set of errors on
> > interpreting the GAC principles.
> >
> > First and foremost, the GAC stands for "Governmental Advisory
> > Committee." Its role in the ICANN regime is advisory only. (The USG may
> > be an exception of course, because it controls key functions related to
> > ICANN. And the US definitely has a position on Whois ;-))
> >
> > Second, anyone who has followed this issue knows perfectly well that
> > governments are deeply divided on it. When it comes to the proper
> > balance of privacy and access to data, data protection authorities have
> > one view, law enforcement and consumer protection authorities often have
> > a different view. Neither one of them can claim to speak authoritatively
> > for governments, much less the public interest. It is noteworthy,
> > however, that at some GAC meeting data protection authorities have not
> > been allowed to speak, whereas LEAs have been featured.
> >
> > Third, this division of governmental opinion was illustrated just
> > today, with the announcement that the UK government has required the
> > .telnic registry to remove access to private data from its Whois.
> > Indeed, one of the strangest aspects of this issue is the conflicting
> > signals you get from governmental agencies. You see, for example, the
> > Australian GAC representative demanding no change in Whois while at the
> > same time the Australian national privacy law requires the Australian
> > ccTLD to shield its Whois data.
> >
> > Fourth, the GAC statement on Whois deliberately did _not_ say that
> > access to the whois data as it now exists should be retained. It
> > enumerated several "legitimate activities" that use the whois data. That
> > was compromise wording deliberately chosen to avoid saying what
> > Christopher Gibson is saying below. In other words, in the GAC
> > principles it is the activities that are legitimate, but not necessarily
> > the open access to them that we have now.
> >
> >>>> "Christopher Gibson" <cgibson@xxxxxxxxxxx> 5/11/2007 6:39:16 PM
> >>>>
> > and others, however, serve to confirm the GAC's position that WHOIS
> > services have evolved into a vital, efficient and internationally-tested
> > mechanism in support of a number of legitimate functions.  In this context,
> > following the "first, do no harm" principle means that potential changes
> > to the WHOIS system need to be evaluated and made only when we have
> > confidence that suitable alternative mechanisms to curb abuse are in place.
> >
> >
> >
> > Chris
> >
> >
> >
> > Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
> >
> >
> > Dan,
> >
> > The problem is a practical one. Law enforcement has limited resources.
> > We might wish that were not the case, but it is, and, realistically, it
> > will always be the case. Law enforcement, as I set out in my earlier
> > emails to Milton, expects banks to do the legwork before it will act.
> > Maybe it should be otherwise, but this is not the case nor will it ever
> > be the case. In various roles, both in government and working on the
> > side of government, I have spent years working on the side of law
> > enforcement. I think it is fair to say that law enforcement's approach
> > is virtually an immutable law of nature. And frankly from law
> > enforcement's standpoint, it must set priorities given its limited
> > resources.
> >
> > If banks do not have access to the necessary information, internet users
> > and consumers will be put at much greater risk. It would be nice to
> > think that banks and consumers could simply lodge a complaint and that
> > the complaint would be immediately acted upon. But this will never
> > happen. Law enforcement has too much on its plate. My banks can give
> > you page after page of examples to corroborate this. And remember for
> > every hour that passes, millions can be lost, including life savings.
> >
> > Please take another look at the example in my email to Milton involving
> > the local police in a foreign jurisdiction that finally agreed to act,
> > but only after the bank had exhausted all avenues and done all the
> > legwork. Realistically, absent bank access to the local address, it is
> > unknown how many innocent consumers would have suffered losses before
> > this fraudulent website was ever closed down.
> >
> > You are right that this is a question of balance. And I would argue
> > that consumer protection needs to be prominently considered, not
> > dismissed as unfortunate collateral damage.
> >
> > Banks are closely regulated and monitored entities with public
> > responsibilities. Those responsibilities are examined regularly by bank
> > examiners. As a result, I would submit, consumer protection ought to
> > prevail in light of the protections from a privacy standpoint in the
> > existing regulatory structure.
> >
> > Palmer
> >
> > -----Original Message-----
> > From: owner-gnso-acc-sgb@xxxxxxxxx
> > [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
> > On Behalf Of Dan Krimm
> > Sent: Friday, May 11, 2007 3:43 PM
> > To: gnso-acc-sgb@xxxxxxxxx
> > Cc: gnso-whois-wg@xxxxxxxxx
> > Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> >
> > Palmer,
> >
> > If I may step in here (and shift this discussion over to the Subgroup B
> > list where it properly belongs):
> >
> > At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
> >
> >> Just having the IP address and registrar is not sufficient. For
> >> example, one of my banks had a case in which it had to use local police
> >> in a foreign country to visit the physical address of the website owner
> >> to get the site taken down. The bank had tried to get the registrar to
> >> shut it down without success. The bank had also tried to stop the site
> >> with the administrative contact, the technical contact, the abuse
> >> contact, and the website owner, all with no success. The registrar was
> >> also not interested in working with the local police, but the local
> >> police agreed to assist AFTER the bank provided the police the full
> >> WHOIS information plus a synopsis of its takedown efforts.
> >
> > So the question here is, when the bank is involved in valid efforts that
> > require access to Whois data that is designated as private there
> > certainly should be a process for that data to be engaged in the
> > process, so what should that process be? No one is suggesting that the
> > bank never get any such information whatsoever. But some of us are
> > suggesting that private entities should not get direct access to the
> > Whois data, but rather get information from formally accountable LEAs
> > who have direct access.
> >
> > It doesn't mean that private agents cannot contribute to the
> > investigation process, but that private agents need only be given what
> > they need in a particular context rather than being given the full range
> > of powers granted to publicly-accountable law enforcement. And, that
> > LEAs be responsible for providing appropriate information to private
> > agents that are participating in investigation processes. Once such a
> > policy is well-defined, it is possible to build technological systems
> > that adhere to those policies and operate efficiently without
> > unnecessary human intervention.
> >
> > And if ICANN jurisdiction is insufficient to resolve all structure
> > issues, that still may not be ICANN's responsibility to solve.
> >
> > At some point public law enforcement must step up to the plate to do
> > what needs to be done. ICANN cannot solve all the world's public
> > problems on its own, or even those problems that may relate tangentially
> > to the technical operation of the Internet. ICANN is not a proper venue
> > to determine and conduct public governance activities, or to authorize
> > private execution of public governance.
> >
> >
> >
> >> Having said this, the Dutch model could ultimately help fill a void on
> >> the international level by leveraging international pressure on
> >> recalcitrant governments. But again, this is not really an alternative
> >> to what we are doing in Subgroup B, as I understand it.
> >
> > What exactly are we doing in subgroup B as you understand it?
> >
> > As I understand it, we are trying to reach some consensus on what GNSO
> > should recommend to the ICANN Board with regard to determining to whom
> > and how direct access to private Whois data under the OPoC paradigm
> > should be granted (by registries and/or registrars). This does not
> > speak to indirect access through authorized/certified LEAs.
> >
> > I have no expectation (or illusion) that what we come up with here will
> > create a perfect world. It will certainly continue to be systematically
> > imperfect from a privacy protection standpoint. If you are hoping to
> > find perfection, then that is undoubtedly beyond the scope of this WG or
> > Subgroup B.
> >
> > We are not in a position to dictate a comprehensive and airtight
> > resolution to the full complexity of issues here. So at least *that* is
> > *not* what we are doing here.
> >
> > Dan

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827




