ICANN Email List Archives

[gnso-acc-sgb]



Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

  • To: gnso-acc-sgb@xxxxxxxxx
  • Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Thu, 17 May 2007 04:31:22 -0700

Dr. Dierker and all,

  Indeed expecting or even wanting a third party to do LEA's "leg work"
is a fallacious argument and conspicuously less than reasonably ethical
for any LEA to conduct an investigation on any form of stored electronic
data.

  Oh, and I believe you really meant in your last sentence, keep private
data private.

Hugh Dierker wrote:

>    Carole,
>
>   I am afraid you answered a bit like a politician ;-) But I am sure
> you knew that.
>   Clearly each situation is unique. Sometimes things are acceptable in
> court and sometimes not.
>   Reality is somewhere between third parties as agents and merely
> witnesses. Of course victims and perpetrators fit in there somewhere.
>
>   So the only fair conclusion is that, using the theory of; doing the
> "legwork" for Law enforcement as a reason to justify business access
> to personal private data is fallacious.
>   We can fairly write this concept off as a reason to keep private
> data public.
>
>   Or am I wrong?
>
>   Eric
>
> Carole Bird <Carole.Bird@xxxxxxxxxxxxxx> wrote:
>   Hi Eric,
>
> Sorry for the delay in getting back to you. I wanted to discuss the
> question you were posing with some of my colleagues.
>
> In short, this may well vary from country to country in terms of who
> is law enforcement, how law enforcement interacts with the private
> sectors and what kind of information is admissible in their courts.
> The reason the latter is important is that it dictates when/whether
> the police can accept information from someone where the information
> comes from another "source of information" not under the person's
> purview or control.
>
> Carole
>
> >>> Hugh Dierker 05/15/07 10:03 AM >>>
> I think the FTC as usual spoke volumes in what they left unsaid.
>
> Where did the concept of banks doing the "legwork" come from?
> I would especially like to hear from the Law Enforcement members on
> that.
> Carole what are your thoughts on this "doing legwork for law
> enforcement" concept.
>
> Eric
>
> Jeff Williams wrote:
> Steven and all sgb members,
>
> It is far more important to recognize what the FTC's own study
> did NOT indicate. Ergo that there was no mention of access
> to PRIVATE Whois data in order to perform their function
> effectively. Hence, why we are here and at the crux of what,
> who, and how we need to focus upon. The FTC's own study
> also did NOT indicate a need for banks to do the "leg work"
> for their study or perform their function.
>
> Metalitz, Steven wrote:
>
> > Of course, the FTC's own study showed the opposite of what EPIC stated
> > -- that Whois is not a significant contributor of e-mail addresses for
> > spamming purposes.
> > http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.shtm Another study
> > by the Center for Democracy and Technology reached the same conclusion.
> > See http://www.cdt.org/speech/spam/030319spamreport.shtml ("We tested
> > how much spam would be received to an address provided in the WHOIS
> > database. Contrary to our expectations, just one spam e-mail was
> > generated in the six months that our project was operational.") And the
> > other testimony presented to Congress at the hearing where EPIC
> > testified is well worth reviewing, including the statements of the
> > Federal Trade Commission about how they rely upon access to Whois data
> > to enforce laws that protect consumer privacy, and on how consumer
> > access to Whois data also assists the FTC in its consumer and privacy
> > protection mission. See
> > http://financialservices.house.gov/media/pdf/071806eh.pdf (All the
> > hearing testimony is compiled at
> >
> http://financialservices.house.gov/archive/hearings.asp@formmode=detail&;
>
> > hearing=491.html)
> >
> > Steve Metalitz
> >
> > -----Original Message-----
> > From: owner-gnso-whois-wg@xxxxxxxxx
> > [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Robin Gross
> > Sent: Sunday, May 13, 2007 2:00 PM
> > To: jwkckid1@xxxxxxxxxxxxx
> > Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
> > Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> >
> > Indeed. Let's not forget that in 2006, the US Federal Trade Commission
> > stated that online data mining is the number one crime in the United
> > States. Privacy experts at EPIC, testified before US Congress that
> > databases such as whois are among the most significant contributors to
> > this problem:
> > http://www.epic.org/privacy/whois/phishing_test.pdf
> >
> > jwkckid1@xxxxxxxxxxxxx wrote:
> >
> > >Dan and all,
> > >
> > > To sum up what you seem to be getting at is that allowing
> > >banks regardless of which one ergo blanket access, is a bad
> > >and possibly a dangerous idea. And I amongst a growing number
> > >of knowledgeable consumers, registrants, and even LEA's, agree.
> > >In fact according to the DOJ fraud, misuse, and other financial
> > >illegal schemes by banks, financial institutions, and auditing
> > >firms has more than doubled since 2002.
> > >
> > >-----Original Message-----
> > >
> > >
> > >>From: Dan Krimm
> > >>Sent: May 11, 2007 11:20 PM
> > >>To: gnso-acc-sgb@xxxxxxxxx
> > >>Cc: gnso-whois-wg@xxxxxxxxx
> > >>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> > >>
> > >>Hope,
> > >>
> > >>I am not saying that phishing is not a problem that needs to be dealt with.
> > >>I am simply saying that it should be dealt with in a measured way and with
> > >>proper controls. And, that there are other serious problems that crop up
> > >>
> > >>
> > >Regards,
> > >
> > >Jeffrey A. Williams
> > >Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
> > >"Obedience of the law is the greatest freedom" -
> > > Abraham Lincoln
> > >
> > >"Credit should go with the performance of duty and not with what is very
> > >often the accident of glory" - Theodore Roosevelt
> > >
> > >"If the probability be called P; the injury, L; and the burden, B; liability
> > >depends upon whether B is less than L multiplied by
> > >P: i.e., whether B is less than PL."
> > >United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
> > >===============================================================
> > >Updated 1/26/04
> > >CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
> > >Information Network Eng. INEG. INC.
> > >ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
> > >Registered Email addr with the USPS Contact Number: 214-244-4827
> > >
> > >
> > >
> > >gnso-acc-sgb@xxxxxxxxx
> > >
> > >
> > >
> > >>when the method of dealing with it is not measured and does not have proper
> > >>controls.
> > >>
> > >>Secondly, our deliberations here are about more than just banks, even if
> > >>Palmer's suggestion was constrained to banks.
> > >>
> > >>My comment about consumers versus customers is about the fact that giving
> > >>blanket access to banks for all Whois data provides access to personal
> > >>information about consumers who are not their direct customers, and the
> > >>banks are not regulatorily restricted from using data about consumers that
> > >>are not their direct customers, as they are with regard to their own direct
> > >>customers.
> > >>
> > >>Example: I have an account with bank A. I do not have an account with
> > >>bank B. If bank B has blanket access to Whois data in order to find
> > >>phishers, because I am an Internet domain registrant, bank B gets my
> > >>personal data from Whois even if I am not a phisher. Bank B is regulated
> > >>in many cases with respect to its own customers, as bank A is regulated
> > >>with regard to personal data it collects from me by virtue of being a
> > >>customer. But bank B is not regulated with respect to the data about me
> > >>that it gleans from sources such as Whois, because I am not a customer of
> > >>bank B. I cannot opt-out of bank B using my personal data for anything it
> > >>wishes the way I can opt-out of bank A using my personal data in that way.
> > >>
> > >>Personally, that bothers me, because I don't believe that "banks are not
> > >>interested in information about millions upon millions (of) people" -- if
> > >>they can make a buck off of it, why wouldn't they be? If they have access
> > >>to that data, they can build a business selling it to people who use it for
> > >>marketing (or other) purposes, just as they used to do with their
> > >>customers' information before regulation allowed some customers in some
> > >>jurisdictions to opt out from those uses.
> > >>
> > >>Just because the anti-fraud departments of banks are not interested in the
> > >>broad range of data doesn't mean that the ancillary-business departments
> > >>(connected to marketing, etc.) of banks are not interested in the data.
> > >>They'd be dumb not to be interested, where there's money to be made. They
> > >>already have big businesses built on (currently) legal use of personal data
> > >>collected from their customers. It's only because of regulation that I
> > >>have the option to opt-out of that use in some cases today. It's not like
> > >>the banks have been particularly trustworthy actors in this arena: they
> > >>have done only what has been forced down their throats by law, typically
> > >>nothing more, and even that much has not been without a fight.
> > >>
> > >>As a consumer, I am as alarmed as anyone about the problems of misuse of
> > >>data leading to fraud and ID theft, etc. The problem with granting blanket
> > >>access to private entities without meaningful enforcement against abuse is
> > >>that this creates a systematic incentive for misuse of data in precisely
> > >>the way that can lead secondarily to ID theft, etc. Example: Bank B sells
> > >>my personal data to someone posing as a marketer who then tries to scam me.
> > >>Bank B may not have done the deed directly, but their "legitimate marketing
> > >>data business" leads to misuse by others in a fraudulent manner. Unless we
> > >>place enforceable limits on what banks may do with all this data, this
> > >>potential remains large. I don't see anything in Palmer's proposal that
> > >>suggests meaningful enforcement procedures to prevent this sort of thing,
> > >>or even demonstrates that meaningful enforcement is possible.
> > >>
> > >>I support providing legitimate anti-fraud efforts what they need to do
> > >>their jobs, but no more than that. Blanket access proposals without due
> > >>process go *way* beyond the specific needs required to get the bad guys,
> > >>and place orders of magnitude more good guys at unnecessary risk of abuse
> > >>(without recourse, if the source of the abuse cannot be traced).
> > >>
> > >>Blanket access is easy for banks, but it goes too far and thus endangers
> > >>many others in the process. Our job should not be exclusively to make
> > >>things easy for banks at the expense of significant costs to other
> > >>stakeholders. Banks should be able to get the job done, but with
> > >>enforceable controls and appropriate pre-screening. Just like any other
> > >>private entities that are involved in anti-fraud activities.
> > >>
> > >>Dan
> > >>
> > >>
> > >>
> > >>At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
> > >>
> > >>
> > >>>Dan,
> > >>>
> > >>>I am glad that you are able to recognize a phishing email when you see one,
> > >>>unfortunately, not everyone is able to do so. We wouldn't have a problem
> > >>>if that were the case. The fraudsters have become more and more
> > >>>sophisticated every day and I have seen highly educated people not be able
> > >>>to recognize phishing emails or be confused as to whether an email is
> > >>>legitimate or not. For example, people are often times confused or fall
> > >>>for fraudulent emails when their bank merges with another bank. The
> > >>>phishing emails address the merger and request information stating that
> > >>>it is necessary for conversion purposes. Of course, this seems legitimate to
> > >>>customers because they know their bank is in the process of merging and in
> > >>>combination with legitimate advertising or communications via regular
> > >>>mail, television or print, even highly sophisticated individuals fall for
> > >>>these schemes.
> > >>>
> > >>>Secondly, I am not sure why you are mixing Credit Reporting Agencies with
> > >>>banks, these are separate and distinct industries.
> > >>>
> > >>>Finally, I am not sure I understand the connection with regard to your
> > >>>comment that banks should not have access to Whois information because
> > >>>they have enough information about their customers. One has nothing to do
> > >>>with the other. Banks are not interested in information about millions
> > >>>upon millions people but instead are interested in the Whois information
> > >>>specifically related to domains used to perpetrate fraud upon millions of
> > >>>innocent victims. Banks use Whois information in order to combat fraud
> > >>>and identity theft which results from phishing emails. Again, banks aren't
> > >>>looking at information of anyone who is not a fraudster. If you have the
> > >>>opportunity to speak with someone who has been a victim of identity theft
> > >>>or fraud, I would encourage you to do so.
> > >>>
> > >>>
> > >>>----- Original Message -----
> > >>>From: Dan Krimm [dan@xxxxxxxxxxxxxxxx]
> > >>>Sent: 05/11/2007 05:32 PM MST
> > >>>To:
> > >>>Cc:
> > >>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> > >>>
> > >>>
> > >>>
> > >>>I'll let Eric speak for himself with regard to the email he receives, but
> > >>>the phishing scams I get are easily recognized and discarded. (The first
> > >>>one I ever got -- before it had become prevalent, and before there was a
> > >>>word coined for it -- I was temporarily confused, but I was alert enough to
> > >>>check out the domain before supplying any info. I have been personally
> > >>>immune ever since.)
> > >>>
> > >>>While I opt-out of all uses of my info by financial institutions that I can
> > >>>(and in California I can opt out of more than in other states or countries,
> > >>>because of consumer-friendly state regulation), I am still troubled by
> > >>>information collected by credit reporting agencies and other sources that I
> > >>>do not know about. I refuse to allow DoubleClick to place cookies on my
> > >>>browsers. And still I know this is not enough to be secure in the
> > >>>knowledge that data about me is not being used against my interests,
> > >>>usually by private entities out to make a buck.
> > >>>
> > >>>Banks already get a lot of personal information from their immediate
> > >>>customers. There is no reason to give them unsupervised blanket access to
> > >>>all information in the Whois database about millions upon millions of
> > >>>people who are not their direct customers.
> > >>>
> > >>>Information used for legitimate anti-fraud efforts needs to be
> > >>>well-targeted as much as possible, and checks and balances need to be in
> > >>>place to assure appropriateness of access as a rule, since recourse is not
> > >>>always available in the case of abuse (and thus deterrence may be
> > >>>ineffective).
> > >>>
> > >>>If ICANN is not in position to become a fully-functional public law
> > >>>enforcement entity in and of itself, with all of the due process and
> > >>>accountability that such a role calls for (and it seems pretty clear that
> > >>>it is not), then that dynamic needs to be in the system somewhere, somehow,
> > >>>and it needs to be designed with some serious effectiveness, not just as a
> > >>>cosmetic ruse.
> > >>>
> > >>>Dan
> > >>>
> > >>>
> > >>>
> > >>>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
> > >>>
> > >>>
> > >>>>Those 20 or so spam emails are likely phishing emails or scams. Banks do
> > >>>>not send spam emails. These emails you are referring to are not legitimate
> > >>>>emails, and this is exactly what banks are trying to prevent in order to
> > >>>>protect consumers from identity theft and fraud. Your email highlights
> > >>>>how significant and prevalent this problem is.
> > >>>>
> > >>>>
> > >>>>----- Original Message -----
> > >>>> From: Hugh Dierker [hdierker2204@xxxxxxxxx]
> > >>>> Sent: 05/11/2007 03:26 PM MST
> > >>>> To: gnso-acc-sgb@xxxxxxxxx
> > >>>> Cc: gnso-whois-wg@xxxxxxxxx
> > >>>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> > >>>>
> > >>>>
> > >>>>This really assumes a lot. Hypothetical "who done its". Does not justify
> > >>>>giving out confidential information to banks. I get 20 or so spams a day
> > >>>>from Banks. Junk mail another 5 a day- credit cards galore.
> > >>>>I do not buy that "banks" want my info for purely secure reasons.
> > >>>>
> > >>>>Eric
> > >>>>
> > >>>>Palmer Hamilton wrote:
> > >>>>
> > >>>>
> > >>>>Dan,
> > >>>>
> > >>>>The problem is a practical one. Law enforcement has limited resources.
> > >>>>We might wish that were not the case, but it is, and, realistically, it
> > >>>>will always be the case. Law enforcement, as I set out in my earlier
> > >>>>emails to Milton, expects banks to do the legwork before it will act.
> > >>>>Maybe it should be otherwise, but this is not the case nor will it ever
> > >>>>be the case. In various roles, both in government and working on the
> > >>>>side of government, I have spent years working on the side of law
> > >>>>enforcement. I think it is fair to say that law enforcement's approach
> > >>>>is virtually an immutable law of nature. And frankly from law
> > >>>>enforcement's standpoint, it must set priorities given its limited
> > >>>>resources.
> > >>>>
> > >>>>If banks do not have access to the necessary information, internet users
> > >>>>and consumers will be put at much greater risk. It would be nice to
> > >>>>think that banks and consumers could simply lodge a complaint and
>
> Regards,
> --
> Jeffrey A. Williams
> Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
>
> "Obedience of the law is the greatest freedom" -
> Abraham Lincoln
>
> "Credit should go with the performance of duty and not with what is
> very often the accident of glory" - Theodore Roosevelt
>
> "If the probability be called P; the injury, L; and the burden, B;
> liability depends upon whether B is less than L multiplied by
> P: i.e., whether B is less than PL."
> United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
> ===============================================================
> Updated 1/26/04
> CSO/DIR. Internet Network Eng. SR. Eng. Network data security
> IDNS. div. of Information Network Eng. INEG. INC.
> ABA member in good standing member ID 01257402
> E-Mail jwkckid1@xxxxxxxxxxxxx
> Registered Email addr with the USPS
> Contact Number: 214-244-4827
>
>
>
>
>
>
>

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827




