Re: [gnso-acc-sgb] Report for tomorrow

[Jeff Williams <jwkckid1@xxxxxxxxxxxxx>]

Dan and all sgb members,

  Nicely articulated here Dan.  Well done!

Dan Krimm wrote:

> Responses interspersed below:
>
> At 9:09 PM -0500 5/23/07, Palmer Hamilton wrote:
> >Dan,
> >
> >Let me address why the consumer is at risk as well as the bank.
> >
> >First, not all risk is off loaded to the bank.  There can be circumstances
> >where the consumer can be held liable.
>
> **  Certainly there "can" be risk to consumers.  But there remains a
> question of how much there actually *is* in practice.  Is there a
> quantitative evaluation of relative risk that you can provide?  What is the
> practical record of such hypothetical risks?  How many people have actually
> lost life savings as opposed to those whose liability was limited to
> moderate caps?  What is the relative aggregate amount of losses to
> consumers versus financial institutions in the case of, say, credit card
> fraud?
>
> There is a big difference between "possibility" and "probability" that
> deserves closer attention here, I think.
>
> >Second, in the case of identity theft, the consumer certainly experiences
> >the serious and often devastating adverse consequences.  Anyone who has
> >been the victim of ID theft can easily speak to this.  It is fine for us
> >to talk about these issues in the abstract, but talk to a victim of ID
> >theft, and he or she will likely not be too impressed some of the
> >arguments we have been hearing.
>
> **  There is also the risk of ID theft from sloppy security (or even
> intentionally exploitative business activity) with respect to customer data
> on the part of those who aggregate personal data.  And, not all consumers
> are customers of a specific bank that may be targeted by a phishing scam.
> If I am not a customer of your bank, then I have no contractual
> relationship to constrain your use of my personal data if you happen to
> gather it from some other source than my voluntary provision to you under
> contract.
>
> The greatest threats to ID theft are posed by the existence of large
> aggregations of personal data themselves, especially in situations where
> regulation does not confine use of the data in a strong manner.  While I
> don't wish to necessarily preclude those aggregations, as there are
> definitely some very positive potentials that are associated with such
> aggregations in some cases, we have to be very careful about how we handle
> such informational power in order to protect the power and interests of
> individuals (i.e., consumers) whose data are being aggregated.
>
> Believe me, I am very sensitive to the threats of ID theft (I was a victim
> of credit card fraud once, though not ID theft so far as I know -- but you
> can be darn sure it put me on alert).  That's one of the big reasons why I
> am a privacy advocate.  One of the most effective ways to reduce the risk
> of ID theft is to constrain the circumstances where personal data is
> collected and/or distributed in the first place.  The standards that were
> generally sufficient for analog technologies no longer are adequate in the
> context of digital technologies.  That's precisely why we're having this
> discussion at this time.
>
> >So, yes, banks do have an interest in limiiting their exposure, but that
> >interest coincides with the interest of the consumer.  And, yes, there are
> >unfortunately circumstances where life savings can be wiped out.  This
> >isn't rhetoric.  This is unfortunate reality.
> >
> >I would submit that good public policy requires a careful balancing of
> >interests.  When this is done, I think it is clear that a construct exists
> >that will protect the consumer and protect the privacy concerns being
> >expressed.  I fear that our subgroup does not seem to be engaged in this
> >serious work.  Instead, we seem to be holding fast to positions without
> >exploring creative constructs that protect multiple interests.
> >
> >To totally ignore the risk to the consumer, it seems to me, in order to
> >uphold the theoretical, is neither wise nor justifiable.
>
> **  And of course I agree that balance is in order, and I am far from
> ignoring risks to consumers.  I am just aware that consumer risks can come
> from a variety of sources, and proper balance must recognize all of those
> sources on their undistorted merits.  I certainly am not intending to
> hamper anti-fraud efforts.  But I see no reason to provide significantly
> more access to private personal data than is necessary to do that job
> effectively (and good reason not to provide more than necessary).
>
> I haven't given up hope that we can arrive at a balanced consensus in this
> WG.  But consensus will require everyone to put themselves in each other's
> shoes and address their concerns meaningfully.
>
> Dan
>
> >-----Original Message-----
> >From: owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx>
> >To: gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
> >Sent: Wed May 23 20:36:29 2007
> >Subject: Re: [gnso-acc-sgb] Report for tomorrow
> >
> >At 5:34 PM -0700 5/23/07, Hugh Dierker wrote:
> >
> >>The concept that private IP concerns are interested in the data to protect
> >>consumers is very interesting and I think requires some thought.
> >
> >
> >One should not overstate this case.  For one example, as I understand it
> >most credit card companies limit liability to customers if they report
> >false charges promptly.  (And then they will change the credit card number,
> >etc.)
> >
> >This off-loads risk from customer to the financial institutions directly.
> >Thus in those cases the greatest damage is not to consumers but to the
> >financial institutions.
> >
> >This is not to discount the interests of financial institutions, as they
> >definitely have legitimate interests.  But for example talking about
> >"consumers' life savings" rather than "financial institutions' profit
> >margins" has a rather different ring to it.
> >
> >I'm all for supporting consumers' real interests in contexts where that
> >makes sense, but I am rather less patient with rhetoric that holds up
> >consumers as proxies for the interests of very wealthy legal persons.
> >
> >(Also: did you really mean "IP" above or "ID"?  I don't see *any*
> >connection between "intellectual property" interests and consumer
> >interests, while the financial institution arguments are more common and on
> >the surface more plausible.)
> >
> >-----
> >
> >One other point, with regard to access types:
> >
> >I personally don't see any reason that anyone, even LEAs, would ever need
> >"bulk access" to Whois data (which I interpret as the ability to download a
> >registrar's entire Whois database in a single integrated lump -- this would
> >be Type 3 access according to Milton's definition, if I understand
> >correctly).
> >
> >Why would anyone ever need more than ongoing query access (as long as
> >queries can sometimes entail multiple domains, such as "all domains for a
> >particular registrant")?
> >
> >I would suggest that there may be no compelling case that warrants true
> >bulk access to Whois data.
> >
> >Dan
> >
> >PS -- I believe Milton is going to revise the interim SGB report, so until
> >we receive that I will endeavor to refrain from a whole lot of further
> >comment.  I think it would be useful for us to proceed as much as possible
> >from the outcome of our call today.

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827