Re: [gnso-acc-sgb] Report for tomorrow
- To: <gnso-acc-sgb@xxxxxxxxx>
- Subject: Re: [gnso-acc-sgb] Report for tomorrow
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Wed, 23 May 2007 22:13:24 -0700
Responses interspersed below:
At 9:09 PM -0500 5/23/07, Palmer Hamilton wrote:
>Dan,
>
>Let me address why the consumer is at risk as well as the bank.
>
>First, not all risk is off loaded to the bank. There can be circumstances
>where the consumer can be held liable.
** Certainly there "can" be risk to consumers. But there remains a
question of how much there actually *is* in practice. Is there a
quantitative evaluation of relative risk that you can provide? What is the
practical record of such hypothetical risks? How many people have actually
lost life savings as opposed to those whose liability was limited to
moderate caps? What is the relative aggregate amount of losses to
consumers versus financial institutions in the case of, say, credit card
fraud?
There is a big difference between "possibility" and "probability" that
deserves closer attention here, I think.
>Second, in the case of identity theft, the consumer certainly experiences
>the serious and often devastating adverse consequences. Anyone who has
>been the victim of ID theft can easily speak to this. It is fine for us
>to talk about these issues in the abstract, but talk to a victim of ID
>theft, and he or she will likely not be too impressed by some of the
>arguments we have been hearing.
** There is also the risk of ID theft from sloppy security (or even
intentionally exploitative business activity) with respect to customer data
on the part of those who aggregate personal data. And, not all consumers
are customers of a specific bank that may be targeted by a phishing scam.
If I am not a customer of your bank, then I have no contractual
relationship to constrain your use of my personal data if you happen to
gather it from some other source than my voluntary provision to you under
contract.
The greatest threats to ID theft are posed by the existence of large
aggregations of personal data themselves, especially in situations where
regulation does not confine use of the data in a strong manner. While I
don't wish to necessarily preclude those aggregations, as there are
definitely some very positive potentials that are associated with such
aggregations in some cases, we have to be very careful about how we handle
such informational power in order to protect the power and interests of
individuals (i.e., consumers) whose data are being aggregated.
Believe me, I am very sensitive to the threats of ID theft (I was a victim
of credit card fraud once, though not ID theft so far as I know -- but you
can be darn sure it put me on alert). That's one of the big reasons why I
am a privacy advocate. One of the most effective ways to reduce the risk
of ID theft is to constrain the circumstances where personal data is
collected and/or distributed in the first place. The standards that were
generally sufficient for analog technologies no longer are adequate in the
context of digital technologies. That's precisely why we're having this
discussion at this time.
>So, yes, banks do have an interest in limiting their exposure, but that
>interest coincides with the interest of the consumer. And, yes, there are
>unfortunately circumstances where life savings can be wiped out. This
>isn't rhetoric. This is unfortunate reality.
>
>I would submit that good public policy requires a careful balancing of
>interests. When this is done, I think it is clear that a construct exists
>that will protect the consumer and protect the privacy concerns being
>expressed. I fear that our subgroup does not seem to be engaged in this
>serious work. Instead, we seem to be holding fast to positions without
>exploring creative constructs that protect multiple interests.
>
>To totally ignore the risk to the consumer, it seems to me, in order to
>uphold the theoretical, is neither wise nor justifiable.
** And of course I agree that balance is in order, and I am far from
ignoring risks to consumers. I am just aware that consumer risks can come
from a variety of sources, and proper balance must recognize all of those
sources on their undistorted merits. I certainly am not intending to
hamper anti-fraud efforts. But I see no reason to provide significantly
more access to private personal data than is necessary to do that job
effectively (and good reason not to provide more than necessary).
I haven't given up hope that we can arrive at a balanced consensus in this
WG. But consensus will require everyone to put themselves in each other's
shoes and address their concerns meaningfully.
Dan
>-----Original Message-----
>From: owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx>
>To: gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
>Sent: Wed May 23 20:36:29 2007
>Subject: Re: [gnso-acc-sgb] Report for tomorrow
>
>At 5:34 PM -0700 5/23/07, Hugh Dierker wrote:
>
>>The concept that private IP concerns are interested in the data to protect
>>consumers is very interesting and I think requires some thought.
>
>
>One should not overstate this case. For one example, as I understand it
>most credit card companies limit liability to customers if they report
>false charges promptly. (And then they will change the credit card number,
>etc.)
>
>This off-loads risk from customer to the financial institutions directly.
>Thus in those cases the greatest damage is not to consumers but to the
>financial institutions.
>
>This is not to discount the interests of financial institutions, as they
>definitely have legitimate interests. But for example talking about
>"consumers' life savings" rather than "financial institutions' profit
>margins" has a rather different ring to it.
>
>I'm all for supporting consumers' real interests in contexts where that
>makes sense, but I am rather less patient with rhetoric that holds up
>consumers as proxies for the interests of very wealthy legal persons.
>
>(Also: did you really mean "IP" above or "ID"? I don't see *any*
>connection between "intellectual property" interests and consumer
>interests, while the financial institution arguments are more common and on
>the surface more plausible.)
>
>-----
>
>One other point, with regard to access types:
>
>I personally don't see any reason that anyone, even LEAs, would ever need
>"bulk access" to Whois data (which I interpret as the ability to download a
>registrar's entire Whois database in a single integrated lump -- this would
>be Type 3 access according to Milton's definition, if I understand
>correctly).
>
>Why would anyone ever need more than ongoing query access (as long as
>queries can sometimes entail multiple domains, such as "all domains for a
>particular registrant")?
>
>I would suggest that there may be no compelling case that warrants true
>bulk access to Whois data.
>
>Dan
>
>PS -- I believe Milton is going to revise the interim SGB report, so until
>we receive that I will endeavor to refrain from a whole lot of further
>comment. I think it would be useful for us to proceed as much as possible
>from the outcome of our call today.