Re: Fwd: [gnso-whois-wg] Re: [gnso-acc-sgb] GAC's position on Whois

[Jeff Williams <jwkckid1@xxxxxxxxxxxxx>]

Dr. Dierker and all sgb members,

  I am glad you agree.  Would you further agree that not all members of
the GAC, this WG and subgroups, several USG departments also are
not fully aware that the privacy rights and laws in many Jurisdictions
( States ) have and are changing, as well as some types of privacy
rights and laws only effect some Whois data elements.

  I mean after all do we want to infringe on US states
rights and laws which they believe better protects their
consumers and their business community members?  

Hugh Dierker wrote:

>    It occured to me that perhaps this should be a portion of the Who
> What When and How, and now should add Where.
>
>   Eric
>
> Jeff Williams <jwkckid1@xxxxxxxxxxxxx> wrote:
>   Dr. Dierker and all sgb members,
>
> Agreed. We also must consider that the privacy rights and laws in
> many Jurisdictions have and are changing, as well as some types
> of privacy rights and laws only effect some Whois data elements.
>
> Hugh Dierker wrote:
>
> > One thing I think is important to note is Jurisdiction. The
> > Jurisdicition is going to be where the data is stored. Obviously
> > foreign sovereigns have agreements within and without but the
> > jurisdiction over the data is where the data is and not where a
> wrong
> > occurred.
> > Clearly within each jurisdiction the law will trump whatever we
> > conclude. However within the law we are able to set standards which
> > must be followed.
> >
> > Certainly that makes the case that we must have as stringent of
> > privacy protection as any jurisdiction requires. That is the lowest
> > threshold. We probably should have a higher theshold.
> >
> > This means more privacy rights for the registrant whether we like it
>
> > or not.
> >
> > Eric
> >
> > Mawaki Chango wrote:
> > Sent this previously from the wrong email account; sorry for the
> > cumulated delay.
> >
> > ---------- Forwarded message ----------
> > From: Mawaki Chango
> > Date: May 17, 2007 8:56 AM
> > Subject: Re: [gnso-whois-wg] Re: [gnso-acc-sgb] GAC's position on
> > Whois
> > To: Ken Stubbs
> > Cc: gnso-acc-sgb@xxxxxxxxx, gnso-whois-wg@xxxxxxxxx
> >
> >
> > Ken et al.
> >
> > I'm jumping in late in this thread to note maybe a clarifying point.
>
> > It seems to me that there is an interesting contradiction in the
> whole
> >
> > dynamics you're rightly observing.
> >
> > Cases like the UK data protection agency and .tel occur because all
> or
> >
> > most of the data protection agencies (DPAs) exist because there is
> in
> > the concerned country or region an existing and enforceable data
> > protection legislation on which their mission, positions and actions
>
> > are directly based.
> >
> > LEAs of course are also based on legislation; more interstingly,
> they
> > depend on various legislations to which they are of course legally
> > bound. For example there is a body of legislation they must abide by
>
> > for them to access private properties; ergo, private or personal
> data.
> >
> > Cases in courts can be voided otherwise.
> >
> > So that's why as far as accessing personal data (e.g., WHOIS) is
> > concerned, data protection related legislation would/should both
> > *logically and legally* prevail. And that's why the UK's DPA may
> have
> > its request enforced on .tel, while in the same time, its LEAs may
> > want a different outcome.
> >
> > In those conditions, it seem clearer to me that if we need inputs
> from
> >
> > countries/governments and are facing those contradictions, data
> > protection legislation should be primarily considered, unless unless
>
> > all the relevant national authorities work out a somehow official
> > consensus among them (at the very least, the data protection norms
> > deriving from those legislations will have to be embedded in our
> > relevant policies).
> >
> > But as you note -- and this is the interesting contradiction I was
> > noting at biginning -- we hear more from LEAs than from DPAs. I just
>
> > suspect the reason may be that the latter are more confident on
> their
> > national legislation to revert any illegal practice, while the
> former
> > know that they are limited by their national legislation and can
> only
> > rely on global processes and resources like ICANN's (when available)
>
> > to discretly circumvent the limititations of their national law.
> > Clearly, I would have also try if I was in their shoes.
> >
> > Regards,
> >
> > Mawaki
> >
> > On 5/15/07, Ken Stubbs wrote:
> > >
> > > I would agree with this statement here. Unfortunately, sometimes
> we
> > only
> > > hear from one side or the other on these issues from these
> > countries..
> > > Many times the LEA's are more active in "getting their
> perspectives
> > on
> > > the table" . We need to encourage these countries to
> > > to provide more "comprehensive" inputs to this whois process
> > >
> > > A good example is the current UK data protection agency
> requirements
> >
> > > being imposed on the .tel registry which is going to require
> > amendments
> > > to their contracts with ICANN in order to comply with the UK data
> > > protection laws.. (this is the same with .name registry currently)
> .
> >
> > >
> > > its also interesting to note the inconsistencies in some positions
>
> > taken
> > > by some GAC member countries with respect to ICANN gtld whois
> > policies
> > > and the contradictory data privacy requirements they impose on
> their
> > own
> > > CCTLD's.
> > >
> > > These conflicting positions make it very difficult to reconcile in
>
> > some
> > > cases.
> > >
> > > Ken Stubbs
> > >
> > >
> > > Carole Bird wrote:
> > > > Hi all,
> > > >
> > > > There may well be a difference of opinion or position by
> different
> > agencies within a specific country which in my opinion is a healthy
> > thing. However, that does not mean that the country/government
> itself
> > is not in a position to determine where it needs to strike the
> > balance.
> > > >
> > > > If a country has both privacy legislation as well as LEAs, then
> > it's government (and by this I'm not saying the police) should be
> able
> > to determine where it wants/needs to strike the balance.
> > > >
> > > > Each country/government may choose to strike a different balance
>
> > which would be wholly consistent with it's applicable laws.
> > > >
> > > > Carole
> > > >
> > > >>>> "Milton Mueller" 05/12/07 12:28 AM >>>
> > > > Let me correct what seems to be an increasingly common set of
> > errors on
> > > > interpreting the GAC principles.
> > > >
> > > > First and foremost, the GAC stands for "Governmental Advisory
> > > > Committee." Its role in the CANN regime is advisory only. (The
> USG
> > may
> > > > be an exception of course, because it controls key functions
> > related to
> > > > ICANN. And the US definitely has a position on Whois ;-))
> > > >
> > > > Second, anyone who has followed this issue knows perfectly well
> > that
> > > > governments are deeply divided on it. When it comes to the
> proper
> > > > balance of privacy and access to data, data protection
> authorities
> > have
> > > > one view, law enforcement and consumer protection authorites
> often
> > have
> > > > a different view. Neither one of them can claim to speak
> > authoritatively
> > > > for governments, much less the public interest. It is
> noteworthy,
> > > > however, that at some GAC meeting data protection authorities
> have
> > not
> > > > been allowed to speak, whereas LEAs have been featured.
> > > >
> > > > Third, this division of governmental opinion was illustrated
> just
> > > > today, with,the announcement that the UK government has required
>
> > the
> > > > .telnic registry to remove access to private data from its
> Whois.
> > > > Indeed, one of the strangest aspects of this issue is the
> > conflicting
> > > > signals you get from governmental agencies. You see, for
> example,
> > the
> > > > Australian GAC representative demanding no change in Whois while
>
> > at the
> > > > same time the Australian national privacy law requires the
> > Australian
> > > > ccTLD to shield its Whois data.
> > > >
> > > > Fourth, the GAC statement on Whois deliberately did _not_ say
> that
> >
> > > > access to the whois data as it now exists should be retained. It
>
> > > > enumerated several "legitimate activities" that use the whois
> > data. That
> > > > was compromise wording deliberately chosen to avoid saying what
> > > > Christopher Gibson is saying below. In other words, in the GAC
> > > > principles it is the activities that are legitimate, but not
> > necessarily
> > > > the open access to them that we have now.
> > > >
> > > >>>> "Christopher Gibson" 5/11/2007 6:39:16 PM
> > > >>>>
> > > > and others, however, serve to confirm the GAC's position that
> > WHOIS
> > > > services
> > > > have evolved into a vital, efficient and internationally-tested
> > > > mechanism in
> > > > support of a number of legitimate functions. In this context,
> > > > following the
> > > > "first, do no harm" principle means that potential changes to
> the
> > > > WHOIS
> > > > system need to be evaluated and made only when we have
> confidence
> > that
> > > > suitable alternative mechanisms to curb abuse are in place.
> > > >
> > > >
> > > >
> > > > Chris
> > > >
> > > >
> > > >
> > > > Palmer Hamilton
> > wrote:
> > > >
> > > >
> > > > Dan,
> > > >
> > > > The problem is a practical one. Law enforcement has limited
> > resources.
> > > > We might wish that were not the case, but it is, and,
> > realistically,
> > > > it
> > > > will always be the case. Law enforcement, as I set out in my
> > earlier
> > > > emails to Milton, expects banks to do the legwork before it will
>
> > act.
> > > > Maybe it should be otherwise, but this is not the case nor will
> it
> >
> > > > ever
> > > > be the case. In various roles, both in government and working on
>
> > the
> > > > side of government, I have spent years working on the side of
> law
> > > > enforcement. I think it is fair to say that law enforcement's
> > approach
> > > > is virtually an immutable law of nature. And frankly from law
> > > > enforcement's standpoint, it must set priorities given its
> limited
> >
> > > > resources.
> > > >
> > > > If banks do not have access to the necessary information,
> internet
> >
> > > > users
> > > > and consumers will be put at much greater risk. It would be nice
>
> > to
> > > > think that banks and consumers could simply lodge a complaint
> and
> > that
> > > > the complaint would be immediately acted upon. But this will
> never
> >
> > > > happen. Law enforcement has too much on its plate. My banks can
> > give
> > > > you page after page of examples to corroborate this. And
> remember
> > for
> > > > every hour that passes, millions can be lost, including life
> > savings.
> > > >
> > > > Please take another look at the example in my email to Milton
> > > > involving
> > > > the local police in a foreign jurisdiction that finally agreed
> to
> > act,
> > > > but only after the bank had exhausted all avenues and done all
> the
> >
> > > > legwork. Realistically, absent bank access to the local address,
>
> > it is
> > > > unknown how many innocent consumers would have suffered losses
> > before
> > > > this fraudulent website was ever closed down.
> > > >
> > > > You are right that this is a question of balance. And I would
> > argue
> > > > that consumer protection needs to be prominently considered, not
>
> > > > dismissed as unfortunate collateral damage.
> > > >
> > > > Banks are closely regulated and monitored entities with public
> > > > responsibilities. Those responsibilities are examined regularly
> by
> >
> > > > bank
> > > > examiners. As a result, I would submit, consumer protection
> ought
> > to
> > > > prevail in light of the protections from a privacy standpoint in
>
> > the
> > > > existing regulatory structure.
> > > >
> > > > Palmer
> > > >
> > > > -----Original Message-----
> > > > From: owner-gnso-acc-sgb@xxxxxxxxx
> > > > [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
> > > > On Behalf Of Dan Krimm
> > > > Sent: Friday, May 11, 2007 3:43 PM
> > > > To: gnso-acc-sgb@xxxxxxxxx
> > > > Cc: gnso-whois-wg@xxxxxxxxx
> > > > Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert
> > procedure
> > > >
> > > > Palmer,
> > > >
> > > > If I may step in here (and shift this discussion over to the
> > Subgroup
> > > > B
> > > > list where it properly belongs):
> > > >
> > > > At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
> > > >
> > > >> Just having the IP address and registrar is not sufficient. For
>
> > > >> example, one of my banks had a case in which it had to use
> local
> > > > police
> > > >
> > > >> in a foreign country to visit the physical address of the
> website
> >
> > > > owner
> > > >
> > > >> to get the site taken down. The bank had tried to get the
> > registrar
> > > > to
> > > >
> > > >> shut it down without success. The bank had also tried to stop
> the
> >
> > > > site
> > > >
> > > >> with the administrative contact, the technical contact, the
> abuse
> >
> > > >> contact, and the website owner, all with no success. The
> > registrar
> > > > was
> > > >
> > > >> also not interested in working with the local police, but the
> > local
> > > >> police agreed to assist AFTED the bank provided the police the
> > full
> > > >> WHOIS information plus a synopsis of its takedown efforts.
> > > >
> > > > So the question here is, when the bank is involved in valid
> > efforts
> > > > that
> > > > require access to Whois data that is designated as private there
>
> > > > certainly should be a process for that data to be engaged in the
>
> > > > process, so what should that process be? No one is suggesting
> that
> > the
> > > > bank never get any such information whatsoever. But some of us
> are
> >
> > > > suggesting that private entities should not get direct access to
>
> > the
> > > > Whois data, but rather get information from formally accountable
>
> > LEAs
> > > > who have direct access.
> > > >
> > > > It doesn't mean that private agents cannot contribute to the
> > > > investigation process, but that private agents need only be
> given
> > what
> > > > they need in a particular context rather than being given the
> full
> >
> > > > range
> > > > of powers granted to publicly-accountable law enforcement. And,
> > that
> > > > LEAs be responsible for providing appropriate information to
> > private
> > > > agents that are participating in investigation processes. Once
> > such a
> > > > policy is well-defined, it is possible to build technological
> > systems
> > > > that adhere to those policies and operate efficiently without
> > > > unnecessary human intervention.
> > > >
> > > > And if ICANN jurisdiction is insufficient to resolve all
> structure
> >
> > > > issues, that still may not be ICANN's responsibility to solve.
> > > >
> > > > At some point public law enforcement must step up to the plate
> to
> > do
> > > > what needs to be done. ICANN cannot solve all the world's public
>
> > > > problems on its own, or even those problems that may relate
> > > > tangentially
> > > > to the technical operation of the Internet. ICANN is not a
> proper
> > > > venue
> > > > to determine and conduct public governance activities, or to
> > authorize
> > > > private execution of public governance.
> > > >
> > > >
> > > >
> > > >> Having said this, the Dutch model could ultimately help fill a
> > void on
> > > >
> > > >> the international level by leveraging international pressure on
>
> > > >> recalcitrant governments. But again, this is not really an
> > > > alternative
> > > >
> > > >> to what we are doing in Subgroup B, as I understand it.
> > > >
> > > > What exactly are we doing in subgroup B as you understand it?
> > > >
> > > > As I understand it, we are trying to reach some consensus on
> what
> > GNSO
> > > > should recommend to the ICANN Board with regard to determining
> to
> > whom
> > > > and how direct access to private Whois data under the OPoC
> > paradigm
> > > > should be granted (by registries and/or registrars). This does
> not
> >
> > > > speak to indirect access through authorized/certified LEAs.
> > > >
> > > > I have no expectation (or illusion) that what we come up with
> here
> >
> > > > will
> > > > create a perfect world. It will certainly continue to be
> > > > systematically
> > > > imperfect from a privacy protection standpoint. If you are
> hoping
> > to
> > > > find perfection, then that is undoubtedly beyond the scope of
> this
> > WG
> > > > or
> > > > Subgroup B.
> > > >
> > > > We are not in a position to dictate a comprehensive and airtight
>
> > > > resolution to the full complexity of issues here. So at least
> > *that*
> > > > is
> > > > *not* what we are doing here.
> > > >
> > > > Dan
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > _____
> > > >
> > > > Need Mail bonding?
> > > > Go to the Yahoo!
> > > > > >
> > > >
> >
> fcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=39654
>
> >
> > > > 6091> Mail Q&A for great
> > > > > >
> > > >
> >
> fcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx?link=ask&sid=39654
>
> >
> > > > 6091> tips from Yahoo! Answers users.
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> > --
> > Mawaki Chango
> > Ph.D. Program
> > iSchool, Syracuse University
> > Hinds Hall 217
> > Syracuse, NY 13244
> >
> >
> > --
> > Regards
> >
> > ********
> > Mawaki Chango
> > Ph.D. Program
> > iSchool, Syracuse University
> > Hinds Hall 217
> > Syracuse, NY 13244
> >
> >
> >
>
>

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827