<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [gnso-acc-sgb] query-screening paradigm
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: Re: [gnso-acc-sgb] query-screening paradigm
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Fri, 25 May 2007 20:58:55 -0500 (GMT-05:00)
<HEAD>
<STYLE>body{font-family:
Geneva,Arial,Helvetica,sans-serif;font-size:9pt;background-color:
#ffffff;color: black;}</STYLE>
<META content="MSHTML 6.00.2900.3086" name=GENERATOR></HEAD>
<BODY>
<DIV>Dr. Dierker, Dan and all,</DIV>
<DIV> </DIV>
<DIV> I like Dans approach here as it gives third parties what they need
while also giving</DIV>
<DIV>reasonable privacy protection, and anti spaming/reverse phishing.</DIV>
<DIV> </DIV>
<DIV> The only part of what Dan is recomending is is what he is proposing
on a</DIV>
<DIV>institution by insititution basis or broader, i.e. all whom may
apply? Dan,</DIV>
<DIV>can you clarify that?<BR><BR><BR></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff
2px solid">-----Original Message----- <BR>From: Hugh Dierker
<HDIERKER2204@xxxxxxxxx><BR>Sent: May 25, 2007 7:43 PM <BR>To: Dan Krimm
<DAN@xxxxxxxxxxxxxxxx>, gnso-acc-sgb@xxxxxxxxx <BR>Subject: Re: [gnso-acc-sgb]
query-screening paradigm <BR><BR>
<DIV>Yes it will take some effort to get this set up but it should be
implemented.</DIV>
<DIV>The extreme bottom line on this is that it leads an accountability paper
trail and then can be checked later if something ontoward happens with the
data. Of course there is no way to tell for sure in most instances.</DIV>
<DIV> </DIV>
<DIV>It is important to realize that "you cannot legislate morality" and "any
law is made to be broken" With this type of safegaurd I am in favor of third
party access.</DIV>
<DIV> </DIV>
<DIV>The idea is not to make it impossible, which you cannot do anyway as
courts have something to say about it. It is to make access accountable and not
bulk and safe enough to keep mass abuse from occurring.<BR><BR><B><I>Dan Krimm
<dan@xxxxxxxxxxxxxxxx></I></B> wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px;
BORDER-LEFT: #1010ff 2px solid">At 12:58 PM -0500 5/25/07,
<MORTENLA@xxxxxxxxxxxxxx>wrote:<BR><BR>>I wouldn't be opposed to the idea of
some type of "pre-screening"<BR>>process for private companies to be able to
access the protected data<BR>>for anti-fraud efforts, but this would need to
be done on a one-time<BR>>basis or maybe on some time of bi-annual renewal
basis instead of every<BR>>time the company has to investigate a fraud. Many
of these large<BR>>companies like Bank of America are the target of a
phishing attack<BR>>multiple times each day. It's not unusual for them to be
working 25-50<BR>>separate and distinct fraudulent sites in a given day. If
they needed<BR>>to go through a "screening" process each time, it would be
extremely<BR>>detrimental to the anti-fraud efforts.<BR><BR><BR>Okay, seems
that it may be worth putting this idea out there in more<BR>detail, at this
juncture.<BR><BR>What I imagined possibly happening was: (1) a certification
process to<BR>designate an entity to be eligible to query for private Whois
data (i.e.,<BR>to approve the establishment of a verified account in a system
operated by<BR>LEAs), and then (2) a case-specific application process to get
data for<BR>specific queries.<BR><BR>As long as the query-screening process is
well-defined so that all<BR>requirements for approval of the query are known
beforehand in an explicit<BR>protocol that is available to all certified
entities, then I think it need<BR>not impose an onerous time cost on the query
process.<BR><BR>Provide the evidence of wrongdoing (that has to come to one's
attention<BR>somehow, so it should be readily at hand), state the purpose to be
confined<BR>to addressing that specific wrongdoing, identify an individual (a
natural<BR>person) at the entity who is responsible for use of the data (or
perhaps<BR>individualize the certified accounts up front) -- something along
those<BR>lines.<BR><BR>If the evidence checks out (i.e., the statement of
purpose matches the<BR>operative URL(s) in the evidence -- perhaps a domain in
the extended header<BR>in a forwarded phishing email, or an independent browser
retrieval from a<BR>pharming URL), then approval could even be essentially
automatic at the<BR>LEAs (perhaps even algorithmically programmable in a SW
application without<BR>explicit human intervention, providing a report of
automatic approvals to<BR>the LEAs, as all applications and approved queries
through the LEA<BR>authority would presumably be fully logged in an audit trail
-- this could<BR>address Margie's scalability issues).<BR><BR>A single query
application could designate a request for private Whois data<BR>for all domains
for a single registrant, if appropriate -- where it makes<BR>sense, there need
not be a strict single-domain-only constraint, while not<BR>extending to full
unrestricted access.<BR><BR>Then upon approval, the actual private data would
be retrieved by the LEA<BR>and provided to the private entity as requested (if
under the operation of<BR>a SW-driven system where the affidavit of purpose can
be structured with an<BR>input form, this presumably could often be completed
without human<BR>intervention).<BR><BR>Bottom line: there are ways this could
be streamlined while still providing<BR>an initial query-screening step with
some substance. Granted, this would<BR>be distinctly imperfect as compared with
strong due process before an<BR>independent judiciary (that's why going this
far would already be a very<BR>significant compromise from the privacy advocacy
standpoint) partly because<BR>it may be possible to falsify data in a query
application (such as<BR>providing a falsified phishing email as evidence), but
a full and permanent<BR>audit trail would provide some additional deterrent on
top of that, as any<BR>falsification could come back to haunt the individual
falsifier personally,<BR>as well as the legal person s/he
represents.<BR><BR>That is, in order for post-facto deterrence to be
significantly effective,<BR>the audit trail has to be robust and independently
controlled. That's what<BR>the query-screening step would basically be for. If
you are following the<BR>well-defined protocol, I don't see that this has to be
significantly<BR>time-consuming. If not, then the post-facto punishment may
actually have<BR>enough teeth to serve as deterrence that constitutes more than
just talk<BR>with a little nudge-nudge-wink-wink, times being what they
are.<BR><BR><BR>I would like to ask Bertrand in the case of .fr Afnic Whois
that he<BR>recently posted to the full WG list, how does access to privately
withheld<BR>Whois data work? That might provide us with another model in
addition to<BR>the Dutch Govcert process for comparison. The more working
precedents we<BR>have to consider, the
better.<BR><BR>Thanks,<BR>Dan<BR></BLOCKQUOTE><BR>
<P>Regards,<BR><BR>Jeffrey A. Williams<BR>Spokesman for INEGroup LLA. - (Over
134k members/stakeholders strong!)<BR>"Obedience of the law is the greatest
freedom" -<BR> Abraham Lincoln<BR><BR>"Credit should go with the
performance of duty and not with what is very<BR>often the accident of glory" -
Theodore Roosevelt<BR><BR>"If the probability be called P; the injury, L; and
the burden, B; liability<BR>depends upon whether B is less than L multiplied
by<BR>P: i.e., whether B is less than PL."<BR>United States v. Carroll
Towing (159 F.2d 169 [2d Cir.
1947]<BR>===============================================================<BR>Updated
1/26/04<BR>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of<BR>Information Network Eng. INEG. INC.<BR>ABA member in good
standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx<BR>Registered Email
addr with the USPS Contact Number: 214-244-4827<BR><ZZZ!--
--></P></ZZZBODY></BLOCKQUOTE></BODY>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|