ICANN Email List Archives

[gnso-acc-sgb]



[gnso-acc-sgb] query-screening paradigm

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: [gnso-acc-sgb] query-screening paradigm
  • From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
  • Date: Fri, 25 May 2007 14:35:06 -0700

At 12:58 PM -0500 5/25/07, <mortenla@xxxxxxxxxxxxxx> wrote:

>I wouldn't be opposed to the idea of some type of "pre-screening"
>process for private companies to be able to access the protected data
>for anti-fraud efforts, but this would need to be done on a one-time
>basis or maybe on some type of bi-annual renewal basis instead of every
>time the company has to investigate a fraud.  Many of these large
>companies like Bank of America are the target of a phishing attack
>multiple times each day.  It's not unusual for them to be working 25-50
>separate and distinct fraudulent sites in a given day.  If they needed
>to go through a "screening" process each time, it would be extremely
>detrimental to the anti-fraud efforts.


Okay, seems that it may be worth putting this idea out there in more
detail, at this juncture.

What I imagined possibly happening was: (1) a certification process to
designate an entity to be eligible to query for private Whois data (i.e.,
to approve the establishment of a verified account in a system operated by
LEAs), and then (2) a case-specific application process to get data for
specific queries.

As long as the query-screening process is well-defined so that all
requirements for approval of the query are known beforehand in an explicit
protocol that is available to all certified entities, then I think it need
not impose an onerous time cost on the query process.

Provide the evidence of wrongdoing (that has to come to one's attention
somehow, so it should be readily at hand), state the purpose to be confined
to addressing that specific wrongdoing, identify an individual (a natural
person) at the entity who is responsible for use of the data (or perhaps
individualize the certified accounts up front) -- something along those
lines.

If the evidence checks out (i.e., the statement of purpose matches the
operative URL(s) in the evidence -- perhaps a domain in the extended header
in a forwarded phishing email, or an independent browser retrieval from a
pharming URL), then approval could even be essentially automatic at the
LEAs (perhaps even algorithmically programmable in a SW application without
explicit human intervention, providing a report of automatic approvals to
the LEAs, as all applications and approved queries through the LEA
authority would presumably be fully logged in an audit trail -- this could
address Margie's scalability issues).

A single query application could designate a request for private Whois data
for all domains for a single registrant, if appropriate -- where it makes
sense, there need not be a strict single-domain-only constraint, while not
extending to full unrestricted access.

Then upon approval, the actual private data would be retrieved by the LEA
and provided to the private entity as requested (if under the operation of
a SW-driven system where the affidavit of purpose can be structured with an
input form, this presumably could often be completed without human
intervention).

Bottom line: there are ways this could be streamlined while still providing
an initial query-screening step with some substance.  Granted, this would
be distinctly imperfect as compared with strong due process before an
independent judiciary (that's why going this far would already be a very
significant compromise from the privacy advocacy standpoint) partly because
it may be possible to falsify data in a query application (such as
providing a falsified phishing email as evidence), but a full and permanent
audit trail would provide some additional deterrent on top of that, as any
falsification could come back to haunt the individual falsifier personally,
as well as the legal person s/he represents.

That is, in order for post-facto deterrence to be significantly effective,
the audit trail has to be robust and independently controlled.  That's what
the query-screening step would basically be for.  If you are following the
well-defined protocol, I don't see that this has to be significantly
time-consuming.  If not, then the post-facto punishment may actually have
enough teeth to serve as deterrence that constitutes more than just talk
with a little nudge-nudge-wink-wink, times being what they are.


I would like to ask Bertrand in the case of .fr Afnic Whois that he
recently posted to the full WG list, how does access to privately withheld
Whois data work?  That might provide us with another model in addition to
the Dutch Govcert process for comparison.  The more working precedents we
have to consider, the better.

Thanks,
Dan
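
The automatic approval step and audit trail proposed in the message above, sketched as an added example (not part of the original message or of any ICANN or LEA system). The application fields, the subdomain-matching rule and the hash-chained log are assumptions chosen for illustration, and the evidence is constructed.

```python
import hashlib, json, re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed sample evidence: a forwarded phishing message (not real data).
SAMPLE_EVIDENCE = ("From: alerts@bank.example\nSubject: Verify your account\n\n"
                   "Confirm at http://login.phish-site.example/verify today.\n")

def evidence_hosts(evidence):
    """Hostnames of every http(s) URL in the raw evidence text."""
    hosts = set()
    for url in URL_RE.findall(evidence):
        try:
            host = urlsplit(url).hostname  # ignores any user@ prefix
        except ValueError:  # malformed URL: skip it, never approve on it
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def covers(requested, host):
    """True if host is the requested domain or a subdomain of it."""
    requested = requested.lower().rstrip(".")
    return host == requested or host.endswith("." + requested)

class AuditTrail:  # append-only; each hash chains over the previous entry
    def __init__(self):
        self.entries = []
    def _digest(self, prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"record": record, "hash": self._digest(prev, record)})
    def verify(self):
        prev, ok = "0" * 64, True
        for entry in self.entries:
            ok = ok and self._digest(prev, entry["record"]) == entry["hash"]
            prev = entry["hash"]
        return ok

def screen(app, trail):
    """Auto-approve only when the requested domain appears in the evidence."""
    matched = any(covers(app["domain"], h) for h in evidence_hosts(app["evidence"]))
    decision = "auto-approved" if matched else "manual-review"
    trail.append({"account": app["account"], "responsible": app["responsible"],
                  "domain": app["domain"], "purpose": app["purpose"], "decision": decision,
                  "evidence_sha256": hashlib.sha256(app["evidence"].encode()).hexdigest()})
    return decision
```

Every application is logged whether or not it is approved, and `verify()` fails if any earlier record is altered after the fact.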


