RE: Fw: [gnso-acc-sgb] Report for today
- To: Maria Farrell <maria.farrell@xxxxxxxxx>, "'gnso wg-sgb'" <gnso-acc-sgb@xxxxxxxxx>
- Subject: RE: Fw: [gnso-acc-sgb] Report for today
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Fri, 25 May 2007 13:16:20 -0500 (GMT-05:00)
Maria and all sgb members,
None of my remarks were in any way reasonably construed to be
questioning anyone's good faith, only their arguments.
-----Original Message-----
>From: Maria Farrell <maria.farrell@xxxxxxxxx>
>Sent: May 25, 2007 4:52 AM
>To: 'gnso wg-sgb' <gnso-acc-sgb@xxxxxxxxx>
>Subject: RE: Fw: [gnso-acc-sgb] Report for today
>
>Dear sub group members,
>
>Please be advised that on GNSO policy mailing lists it is not customary, nor
>is it considered acceptable, to question the good faith intentions of
>participants. This behaviour may be acceptable in other environments, but it
>is not how business is done in the formal GNSO policy-making process where
>we have a diversity of interests and cultures.
>
>Best regards, Maria
>
>-----Original Message-----
>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx] On
>Behalf Of jwkckid1@xxxxxxxxxxxxx
>Sent: Friday, May 25, 2007 2:32 AM
>To: Gnso-acc-sgb@xxxxxxxxx
>Subject: Re: Fw: [gnso-acc-sgb] Report for today
>
>Dan and all sgb members,
>
> I could not agree more with your remarks. However it seems that Palmer
>does not believe that the phisher in Dr. Dierker's real life example is
>indeed Bank of America. I think he believes Dr. Dierker's real life example
>is a piggy-back type phishing. I don't know, but I believe Palmer is
>incorrect in his evaluation, and indeed Bank of America *is* the actual
>offender/abuser in Dr. Dierker's real life example as I earlier provided the
>Whois data for bankofamerica.com and it also resolves to BofA.
>
> If I am correct, I now have problems for many of the arguments which
>Palmer has provided in support for banks having full unrestricted access to
>Whois data and begin to believe his motivation in support of same is
>entirely different with an entirely different agenda.
>
>-----Original Message-----
>>From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
>>Sent: May 24, 2007 7:02 PM
>>To: Gnso-acc-sgb@xxxxxxxxx
>>Subject: Re: Fw: [gnso-acc-sgb] Report for today
>>
>>Palmer,
>>
>>If the bank can get timely access without *direct* access (i.e.,
>>through LEAs with direct access), wouldn't that serve your needs?
>>
>>If the bank can get such timely access as per specific cases of fraud
>>by submitting evidence of such fraud to an approval authority (which
>>would be individually stored as an audit trail as in Susan's proposal),
>>wouldn't that serve your needs? A phishing example such as below could
>>be submitted as evidence, for example -- whatever brings the fraud to
>>the bank's attention, to start with.
>>
>>If so, then personally I think we may be able to start talking
>>productively about possible consensus.
>>
>>No one here has suggested that genuine anti-fraud efforts should not be
>>able to use the private Whois data with good reason that is explicitly
>>demonstrated. Everything we are discussing has to do with process and
>>enforcement, and narrowing access to appropriate cases.
>>
>>And I strongly concur with Jeff's point that sometimes the most
>>effective enforcement of policy is prevention of violations rather than
>>the supposed deterrent effect of post-facto punishments. This is why
>>some sort of pre-screening seems to be in order, and why without at
>>least something generally along the lines of Susan's affidavit process
>>(preferably located procedurally in the LEAs) we will have a harder time
>>arriving at consensus.
>>
>>We have a long way to go, but dismissing the pre-screening mode
>>entirely is not likely to get us there, in my personal opinion.
>>
>>Dan
>>
>>
>>
>>At 5:36 PM -0500 5/24/07, Palmer Hamilton wrote:
>>>-----Original Message-----
>>>From: Palmer Hamilton
>>>To: 'hdierker2204@xxxxxxxxx' <hdierker2204@xxxxxxxxx>
>>>Sent: Thu May 24 10:07:01 2007
>>>Subject: Re: [gnso-acc-sgb] Report for today
>>>
>>>Eric,
>>>
>>>I realize that Phillip is appropriately concerned that the email list
>>>not be used to resolve personal situations, but in this instance I
>>>think we need to get to the bottom of it. I think it proves precisely
>>>my point about the need for WHOIS data.
>>>
>>>You were phished, and B of A wants the site taken down. If you will
>>>supply the underlying URL it will expedite B of A's ability to get
>>>the site taken down.
>>>
>>>B of A says with WHOIS data that it can get a site down in roughly a
>>>day and a half. If this data is taken away, customers will be
>>>vulnerable to long delays.
>>>
>>>As I mentioned to you, sophisticated consumers may not be fooled. You
>>>are a case in point. Unfortunately, many consumers lack your
>>>sophistication and phishing of this sort works all too often.
>>>
>>>Thus, I hope Phillip will forgive me for addressing this very specific
>>>case, but it proves my general policy point. Banks need access to
>>>protect consumers.
>>>
>>>
>>>-----Original Message-----
>>>From: Hugh Dierker <hdierker2204@xxxxxxxxx>
>>>To: Palmer Hamilton; dan@xxxxxxxxxxxxxxxx <dan@xxxxxxxxxxxxxxxx>;
>>>gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
>>>Sent: Thu May 24 08:49:00 2007
>>>Subject: Re: [gnso-acc-sgb] Report for today
>>>
>>>Here is the data from a spam I received from whom it says. I have no
>>>connection with this institution.
>>>
>>>Fwd: Bank of America alert : Sign-in Error : Verify Your Account
>>>Information
>>>
>>> "Alert@xxxxxxxxxxxxxxxxx"
>>><Onlinebanking@xxxxxxxxxxxxxxxxxxxxxxx>
>>>Date: Wed, 23 May 2007 06:52:18 -0600
>>>
>>>Somehow the policing is down here for this Titan of an institution.
>>>Either this is spam from the bank or this is an example of them not
>>>policing their own domain name.
>>>
>>>In any case it gives pause to consider allowing "banks" ready access.
>>>
>>>Eric
>>>
>>>
>>>Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>>>
>>> Dan,
>>>
>>> Let me address why the consumer is at risk as well as the bank.
>>>
>>> First, not all risk is off loaded to the bank. There can be
>>>circumstances where the consumer can be held liable.
>>>
>>> Second, in the case of identity theft, the consumer certainly
>>>experiences the serious and often devastating adverse consequences.
>>>Anyone who has been the victim of ID theft can easily speak to this.
>>>It is fine for us to talk about these issues in the abstract, but talk
>>>to a victim of ID theft, and he or she will likely not be too
>>>impressed by some of the arguments we have been hearing.
>>>
>>> So, yes, banks do have an interest in limiting their
>>>exposure, but that interest coincides with the interest of the
>>>consumer. And, yes, there are unfortunately circumstances where life
>>>savings can be wiped out.
>>>This isn't rhetoric. This is unfortunate reality.
>>>
>>> I would submit that good public policy requires a careful
>>>balancing of interests. When this is done, I think it is clear that a
>>>construct exists that will protect the consumer and protect the
>>>privacy concerns being expressed. I fear that our subgroup does not
>>>seem to be engaged in this serious work. Instead, we seem to be
>>>holding fast to positions without exploring creative constructs that
>>>protect multiple interests.
>>>
>>> To totally ignore the risk to the consumer, it seems to me, in
>>>order to uphold the theoretical, is neither wise nor justifiable.
>>>
>>>
>>> -----Original Message-----
>>> From: owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx>
>>> To: gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
>>> Sent: Wed May 23 20:36:29 2007
>>> Subject: Re: [gnso-acc-sgb] Report for tomorrow
>>>
>>> At 5:34 PM -0700 5/23/07, Hugh Dierker wrote:
>>>
>>> >The concept that private IP concerns are interested in the data to
>>> >protect consumers is very interesting and I think requires some thought.
>>>
>>>
>>> One should not overstate this case. For one example, as I understand it
>>> most credit card companies limit liability to customers if they report
>>> false charges promptly. (And then they will change the credit card
>>> number, etc.)
>>>
>>> This off-loads risk from customer to the financial institutions directly.
>>> Thus in those cases the greatest damage is not to consumers but to the
>>> financial institutions.
>>>
>>> This is not to discount the interests of financial institutions, as they
>>> definitely have legitimate interests. But for example talking about
>>> "consumers' life savings" rather than "financial institutions' profit
>>> margins" has a rather different ring to it.
>>>
>>> I'm all for supporting consumers' real interests in contexts where that
>>> makes sense, but I am rather less patient with rhetoric that holds up
>>> consumers as proxies for the interests of very wealthy legal persons.
>>>
>>> (Also: did you really mean "IP" above or "ID"? I don't see *any*
>>> connection between "intellectual property" interests and consumer
>>> interests, while the financial institution arguments are more common and
>>> on the surface more plausible.)
>>>
>>> -----
>>>
>>> One other point, with regard to access types:
>>>
>>> I personally don't see any reason that anyone, even LEAs, would ever need
>>> "bulk access" to Whois data (which I interpret as the ability to download a
>>> registrar's entire Whois database in a single integrated lump -- this would
>>> be Type 3 access according to Milton's definition, if I understand
>>> correctly).
>>>
>>> Why would anyone ever need more than ongoing query access (as long as
>>> queries can sometimes entail multiple domains, such as "all domains for a
>>> particular registrant")?
>>>
>>> I would suggest that there may be no compelling case that warrants true
>>> bulk access to Whois data.
>>>
>>> Dan
>>>
>>> PS -- I believe Milton is going to revise the interim SGB report, so until
>>> we receive that I will endeavor to refrain from a whole lot of further
>>> comment. I think it would be useful for us to proceed as much as possible
>>> from the outcome of our call today.
>>>
>>>
>>>
>>
>