ICANN Email List Archives

[gnso-acc-sgb]



RE: Fw: [gnso-acc-sgb] Report for today

  • To: "'gnso wg-sgb'" <gnso-acc-sgb@xxxxxxxxx>
  • Subject: RE: Fw: [gnso-acc-sgb] Report for today
  • From: "Maria Farrell" <maria.farrell@xxxxxxxxx>
  • Date: Fri, 25 May 2007 11:52:53 +0200

Dear sub group members,

Please be advised that on GNSO policy mailing lists it is not customary, nor
is it considered acceptable, to question the good faith intentions of
participants. This behaviour may be acceptable in other environments, but it
is not how business is done in the formal GNSO policy-making process where
we have a diversity of interests and cultures.

Best regards, Maria

-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx] On
Behalf Of jwkckid1@xxxxxxxxxxxxx
Sent: Friday, May 25, 2007 2:32 AM
To: Gnso-acc-sgb@xxxxxxxxx
Subject: Re: Fw: [gnso-acc-sgb] Report for today

Dan and all sgb members,

  I could not agree more with your remarks.  However it seems that Palmer
does not believe that the phisher in Dr. Dierker's real life example is
indeed Bank of America.  I think he believes Dr. Dierker's real life example
is a piggy-back type phishing.  I don't know, but I believe Palmer is
incorrect in his evaluation, and indeed Bank of America *is* the actual
offender/abuser in Dr. Dierker's real life example as I earlier provided the
Whois data for bankofamerica.com and it also resolves to BofA.

  If I am correct, I now have problems for many of the arguments which
Palmer has provided in support for banks having full unrestricted access to
Whois data and begin to believe his motivation in support of same is
entirely different with an entirely different agenda.

-----Original Message-----
>From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
>Sent: May 24, 2007 7:02 PM
>To: Gnso-acc-sgb@xxxxxxxxx
>Subject: Re: Fw: [gnso-acc-sgb] Report for today
>
>Palmer,
>
>If the bank can get timely access without *direct* access (i.e., 
>through LEAs with direct access), wouldn't that serve your needs?
>
>If the bank can get such timely access as per specific cases of fraud 
>by submitting evidence of such fraud to an approval authority (which 
>would be individually stored as an audit trail as in Susan's proposal), 
>wouldn't that serve your needs?  A phishing example such as below could 
>be submitted as evidence, for example -- whatever brings the fraud to 
>the bank's attention, to start with.
>
>If so, then personally I think we may be able to start talking 
>productively about possible consensus.
>
>No one here has suggested that genuine anti-fraud efforts should not be 
>able to use the private Whois data with good reason that is explicitly 
>demonstrated.  Everything we are discussing has to do with process and 
>enforcement, and narrowing access to appropriate cases.
>
>And I strongly concur with Jeff's point that sometimes the most 
>effective enforcement of policy is prevention of violations rather than 
>the supposed deterrent effect of post-facto punishments.  This is why 
>some sort of pre-screening seems to be in order, and why without at 
>least something generally along the lines of Susan's affidavit process 
>(preferably located procedurally in the LEAs) we will have a harder time
>arriving at consensus.
>
>We have a long way to go, but dismissing the pre-screening mode 
>entirely is not likely to get us there, in my personal opinion.
>
>Dan
>
>
>
>At 5:36 PM -0500 5/24/07, Palmer Hamilton wrote:
>>-----Original Message-----
>>From: Palmer Hamilton
>>To: 'hdierker2204@xxxxxxxxx' <hdierker2204@xxxxxxxxx>
>>Sent: Thu May 24 10:07:01 2007
>>Subject: Re: [gnso-acc-sgb] Report for today
>>
>>Eric,
>>
>>I realize that Phillip is appropriately concerned that the email list 
>>not be used to resolve personal situations, but in this instance I 
>>think we need to get to the bottom of it.  I think it proves precisely 
>>my point about the need for WHOIS data.
>>
>>You were phished, and B of A wants the site taken down.  If you will 
>>supply the underlying URL it will expedite B of A's ability to get 
>>the site taken down.
>>
>>B of A says with WHOIS data that it can get a site down in roughly a 
>>day and a half.  If this data is taken away, customers will be 
>>vulnerable to long delays.
>>
>>As I mentioned to you, sophisticated consumers may not be fooled.  You 
>>are a case in point.  Unfortunately, many consumers lack your 
>>sophistication and phishing of this sort works all too often.
>>
>>Thus, I hope Phillip will forgive me for addressing this very specific 
>>case, but it proves my general policy point.  Banks need access to 
>>protect consumers.
>>
>>
>>-----Original Message-----
>>From: Hugh Dierker <hdierker2204@xxxxxxxxx>
>>To: Palmer Hamilton; dan@xxxxxxxxxxxxxxxx <dan@xxxxxxxxxxxxxxxx>; 
>>gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
>>Sent: Thu May 24 08:49:00 2007
>>Subject: Re: [gnso-acc-sgb] Report for today
>>
>>Here is the data from a spam I received from whom it says.  I have no 
>>connection with this institution.
>>
>>Fwd: Bank of America alert : Sign-in Error : Verify Your Account 
>>Information
>>
>>        "Alert@xxxxxxxxxxxxxxxxx"
>><Onlinebanking@xxxxxxxxxxxxxxxxxxxxxxx>      
>>Date:    Wed, 23 May 2007 06:52:18 -0600       
>>
>>Somehow the policing is down here for this Titan of an institution. 
>>Either this is spam from the bank or this is an example of them not 
>>policing their own domain name.
>>
>>In any case it gives pause to consider allowing "banks" ready access.
>>
>>Eric
>>
>>
>>Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>>
>>        Dan,
>>       
>>        Let me address why the consumer is at risk as well as the bank.
>>       
>>        First, not all risk is off loaded to the bank.  There can be 
>>circumstances where the consumer can be held liable.
>>       
>>        Second, in the case of identity theft, the consumer certainly 
>>experiences the serious and often devastating adverse consequences.
>>Anyone who has been the victim of ID theft can easily speak to this.  
>>It is fine for us to talk about these issues in the abstract, but talk 
>>to a victim of ID theft, and he or she will likely not be too 
>>impressed by some of the arguments we have been hearing.
>>       
>>        So, yes, banks do have an interest in limiting their 
>>exposure, but that interest coincides with the interest of the 
>>consumer.  And, yes, there are unfortunately circumstances where life
>>savings can be wiped out.
>>This isn't rhetoric.  This is unfortunate reality.
>>       
>>        I would submit that good public policy requires a careful 
>>balancing of interests.  When this is done, I think it is clear that a 
>>construct exists that will protect the consumer and protect the 
>>privacy concerns being expressed.  I fear that our subgroup does not 
>>seem to be engaged in this serious work.  Instead, we seem to be 
>>holding fast to positions without exploring creative constructs that 
>>protect multiple interests.
>>       
>>        To totally ignore the risk to the consumer, it seems to me, in 
>>order to uphold the theoretical, is neither wise nor justifiable.
>>       
>>       
>>        -----Original Message-----
>>        From: owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx>
>>        To: gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
>>        Sent: Wed May 23 20:36:29 2007
>>        Subject: Re: [gnso-acc-sgb] Report for tomorrow
>>       
>>        At 5:34 PM -0700 5/23/07, Hugh Dierker wrote:
>>       
>>        >The concept that private IP concerns are interested in the 
>>data to protect
>>        >consumers is very interesting and I think requires some thought.
>>       
>>       
>>        One should not overstate this case.  For one example, as I 
>>understand it
>>        most credit card companies limit liability to customers if they report
>>        false charges promptly.  (And then they will change the credit 
>>card number,
>>        etc.)
>>       
>>        This off-loads risk from customer to the financial 
>>institutions directly.
>>        Thus in those cases the greatest damage is not to consumers but to the
>>        financial institutions.
>>       
>>        This is not to discount the interests of financial 
>>institutions, as they
>>        definitely have legitimate interests.  But for example talking about
>>        "consumers' life savings" rather than "financial institutions' profit
>>        margins" has a rather different ring to it.
>>       
>>        I'm all for supporting consumers' real interests in contexts 
>>where that
>>        makes sense, but I am rather less patient with rhetoric that holds up
>>        consumers as proxies for the interests of very wealthy legal persons.
>>       
>>        (Also: did you really mean "IP" above or "ID"?  I don't see *any*
>>        connection between "intellectual property" interests and consumer
>>        interests, while the financial institution arguments are more 
>>common and on
>>        the surface more plausible.)
>>       
>>        -----
>>       
>>        One other point, with regard to access types:
>>       
>>        I personally don't see any reason that anyone, even LEAs, 
>>would ever need
>>        "bulk access" to Whois data (which I interpret as the ability 
>>to download a
>>        registrar's entire Whois database in a single integrated lump 
>>-- this would
>>        be Type 3 access according to Milton's definition, if I understand
>>        correctly).
>>       
>>        Why would anyone ever need more than ongoing query access (as long as
>>        queries can sometimes entail multiple domains, such as "all 
>>domains for a
>>        particular registrant")?
>>       
>>        I would suggest that there may be no compelling case that 
>>warrants true
>>        bulk access to Whois data.
>>       
>>        Dan
>>       
>>        PS -- I believe Milton is going to revise the interim SGB 
>>report, so until
>>        we receive that I will endeavor to refrain from a whole lot of further
>>        comment.  I think it would be useful for us to proceed as much 
>>as possible
>>        from the outcome of our call today.
>>       
>>
>>
>



