Re: [gnso-acc-sgb] query-screening paradigm
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: Re: [gnso-acc-sgb] query-screening paradigm
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Fri, 25 May 2007 21:41:48 -0700
No private firm would automatically be eligible. Any individual at any
private firm could apply for eligibility, under well-defined use/need-based
criteria, to be determined (and if an individual from the same institution
has already been granted eligibility, that institutional component of
eligibility can likely be applied easily to another individual).
As for LEAs, I'm aware that you would like to distinguish among LEAs. For
the moment my proposal does not, aside from the need to establish a
certification chain of some kind for LEAs, as has been suggested
previously. I know there may be some questions about that idea (Carole had
mentioned some misgivings about it), but I think we need to explore that
process further and see what we can come up with. The key here seems to be
that we need our system to be able to adhere to national laws.
As for Margie's scalability issue, I understood that to refer to individual
queries, which I believe my idea addresses seriously in terms of automating
whatever is feasibly able to be automated in the process, thus removing the
bulk of bureaucratic friction and time delay. Scalability at the
eligibility level should not be nearly as onerous, but that will likely
need human intervention.
I would suggest that no non-LEA should have "unrestricted" access to the
private Whois data, even after a certification step. The two-stage
certification and affidavit process is intended to address due process in a
way that puts appropriate attention at appropriate steps in the process.
Certification addresses general need and identification, which should only
be required periodically. Case/query-screening addresses specific need and
post-enforcement deterrence for actual information requests, which I think
is important in terms of due process. Machine-automating the steps that
would otherwise be handled by a bureaucratic human pencil-pusher in largely
the same routine mode should allow that process to scale. Separating the
human-decided certification component from the machine-executed query
approval is intended to use human resources as efficiently and feasibly as
possible, as identification only needs to happen periodically but cases
need to be addressed on their individual merits and to create a robust
This does depend upon devising well-considered protocols for query
approval, as well as query-eligibility certification. Questions are
time-consuming. But eligibility should be a moderate hurdle to surpass for
those with real needs -- shouldn't be that hard to demonstrate legitimate
need, but those criteria should be very clear. And, as long as the
query-approval protocols are really well-defined, they can be addressed
algorithmically and largely automated. There is a fall-back for human
intervention in the query process for special circumstances beyond the
scope of auto-approval criteria, but that should not be a common occurrence
in proportion to the total volume of queries.
This is not intended as a comprehensive solution, merely a partial
framework that can allow us to talk about the details, and get past the
extremes that continue to distract us from discovering consensus, if it
indeed exists. The idea is that some sort of prior due process could be
devised that is not bureaucratically onerous. Technology can help to
address the problems that technology creates, yes?
So, yes, most of your immediate questions here have yet to be answered in
this framework. If this indeed helps us with a step forward (that remains
to be seen from the responses of the rest of the group), by the same token
we still have a ways to go to nail down the remaining details. Not
entirely unlike what the last Whois Task Force left for this Working Group,
but perhaps one circle narrower in scope. And yes, the devil remains in
the details that remain.
At 11:33 PM -0400 5/25/07, jwkckid1@xxxxxxxxxxxxx wrote:
>Dan and all sgb members,
> Well you almost understood what I meant. By institution by institution
>basis, I mean would any and all for instance banks and financial
>institutions or auditing firms, etc., be eligible and/or is there
>some criterion which "Each" institution needs to meet?
> Second, are you saying that ALL LEA's qualify as third parties
>whom would then be responsible for some level of oversight for non-LEA
>eligibility? It seems to me that what you are saying in different terms,
>is that all LEA's are assumed trustworthy, that they in turn determine
>eligibility for non-LEA's based on some specific criterion, and that
>those approved non-LEA institutions have levels of access and/or
>limited to private/unrestricted Whois data based on a defined need
>in each instance. Am I understanding you correctly here? If so,
>I like most of your idea except that an each instance basis as
>Margie likely rightly earlier stated, that part of your idea
>may very well not scale.
> So I would suggest drop that part of your idea, and concentrate
>on under what set of terms a non-LEA must meet and adhere to
>in order to have unrestricted access to whois data.
> Oh btw, I also have a concern regarding ALL LEA's being
>>From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
>>Sent: May 25, 2007 10:54 PM
>>Subject: Re: [gnso-acc-sgb] query-screening paradigm
>>Not sure if I fully understand the question re "institution by institution
>>basis" but let me guess -- I would suggest that non-LEA query eligibility
>>be certified and verified for individual natural persons at appropriate
>>individual institutions for specific "purpose domains" appropriate to the
>>individual institution's legitimate need to obtain instances of the private
>>And then of course, individual queries from eligible account holders would
>>go through the application procedure as described. So to reiterate, this
>>is a two-stage process:
>> (1) Certify/verify individuals' eligibility to make queries through the
>>LEA-operated system for certain instances of private Whois information.
>>Institutional affiliation will certainly be of some importance here.
>>(Review certification periodically, perhaps roughly annually. That
>>periodicity is open to comment, IMHO, but I think a one-time cert would not
>>be sufficient. Also, when individuals leave positions where performing
>>such queries are in their job descriptions, their certifications must be
>> (2) Case-specific affidavit/application process with well-defined approval
>>protocols allowed for eligible accounts in the system, with fully
>>individualized audit trail.
>>More detailed criteria need to be defined as to who would qualify to be
>>certified for query eligibility, but I'm not sure that institutions or
>>industries as a *category* would necessarily be certified as a group,
>>though membership in a group whose members typically satisfy the criteria
>>would probably indicate that approval for certification would be likely.
>>But I would not suggest defining "eligible groups" so much as certify
>>"eligible individuals in individual eligible institutions" according to
>>specific demonstrated need.
>>I see no need for institution-*type*-based categorization, as in Susan's
>>proposal. I think it would be better to proceed directly from actual
>>need-based criteria, and define those needs as clearly as we can.
>>Frankly, I think the question deserves further exploration. Nevertheless,
>>my own instinct is not to create an unnecessary layer of potentially
>>spurious categorization that will confuse the accuracy of the certification
>>process. Legitimacy should be based on the specific use/need, not the
>>"type" of institution, I think. This keeps the process closer to "due
>>process" which is the aim here.
>>At 8:58 PM -0500 5/25/07, jwkckid1@xxxxxxxxxxxxx wrote:
>>>Dr. Dierker, Dan and all,
>>> I like Dan's approach here as it gives third parties what they need while
>>>reasonable privacy protection, and anti-spamming/reverse phishing.
>>> The only part of what Dan is recommending is is what he is proposing on an
>>>institution by institution basis or broader, i.e. all whom may apply? Dan,
>>>can you clarify that?
>>>From: Hugh Dierker
>>>Sent: May 25, 2007 7:43 PM
>>>To: Dan Krimm , gnso-acc-sgb@xxxxxxxxx
>>>Subject: Re: [gnso-acc-sgb] query-screening paradigm
>>>Yes it will take some effort to get this set up but it should be
>>>The extreme bottom line on this is that it leads an accountability paper
>>>trail and then can be checked later if something untoward happens with the
>>>data. Of course there is no way to tell for sure in most instances.
>>>It is important to realize that "you cannot legislate morality" and "any
>>>law is made to be broken". With this type of safeguard I am in favor of
>>>third party access.
>>>The idea is not to make it impossible, which you cannot do anyway as
>>>courts have something to say about it. It is to make access accountable
>>>and not bulk and safe enough to keep mass abuse from occurring.
>>>Dan Krimm <dan@xxxxxxxxxxxxxxxx> wrote:
>>>At 12:58 PM -0500 5/25/07, wrote:
>>>>I wouldn't be opposed to the idea of some type of "pre-screening"
>>>>process for private companies to be able to access the protected data
>>>>for anti-fraud efforts, but this would need to be done on a one-time
>>>>basis or maybe on some type of bi-annual renewal basis instead of every
>>>>time the company has to investigate a fraud. Many of these large
>>>>companies like Bank of America are the target of a phishing attack
>>>>multiple times each day. It's not unusual for them to be working 25-50
>>>>separate and distinct fraudulent sites in a given day. If they needed
>>>>to go through a "screening" process each time, it would be extremely
>>>>detrimental to the anti-fraud efforts.
>>>Okay, seems that it may be worth putting this idea out there in more
>>>detail, at this juncture.
>>>What I imagined possibly happening was: (1) a certification process to
>>>designate an entity to be eligible to query for private Whois data (i.e.,
>>>to approve the establishment of a verified account in a system operated by
>>>LEAs), and then (2) a case-specific application process to get data for
>>>As long as the query-screening process is well-defined so that all
>>>requirements for approval of the query are known beforehand in an explicit
>>>protocol that is available to all certified entities, then I think it need
>>>not impose an onerous time cost on the query process.
>>>Provide the evidence of wrongdoing (that has to come to one's attention
>>>somehow, so it should be readily at hand), state the purpose to be confined
>>>to addressing that specific wrongdoing, identify an individual (a natural
>>>person) at the entity who is responsible for use of the data (or perhaps
>>>individualize the certified accounts up front) -- something along those
>>>If the evidence checks out (i.e., the statement of purpose matches the
>>>operative URL(s) in the evidence -- perhaps a domain in the extended header
>>>in a forwarded phishing email, or an independent browser retrieval from a
>>>pharming URL), then approval could even be essentially automatic at the
>>>LEAs (perhaps even algorithmically programmable in a SW application without
>>>explicit human intervention, providing a report of automatic approvals to
>>>the LEAs, as all applications and approved queries through the LEA
>>>authority would presumably be fully logged in an audit trail -- this could
>>>address Margie's scalability issues).
>>>A single query application could designate a request for private Whois data
>>>for all domains for a single registrant, if appropriate -- where it makes
>>>sense, there need not be a strict single-domain-only constraint, while not
>>>extending to full unrestricted access.
>>>Then upon approval, the actual private data would be retrieved by the LEA
>>>and provided to the private entity as requested (if under the operation of
>>>a SW-driven system where the affidavit of purpose can be structured with an
>>>input form, this presumably could often be completed without human
>>>Bottom line: there are ways this could be streamlined while still providing
>>>an initial query-screening step with some substance. Granted, this would
>>>be distinctly imperfect as compared with strong due process before an
>>>independent judiciary (that's why going this far would already be a very
>>>significant compromise from the privacy advocacy standpoint) partly because
>>>it may be possible to falsify data in a query application (such as
>>>providing a falsified phishing email as evidence), but a full and permanent
>>>audit trail would provide some additional deterrent on top of that, as any
>>>falsification could come back to haunt the individual falsifier personally,
>>>as well as the legal person s/he represents.
>>>That is, in order for post-facto deterrence to be significantly effective,
>>>the audit trail has to be robust and independently controlled. That's what
>>>the query-screening step would basically be for. If you are following the
>>>well-defined protocol, I don't see that this has to be significantly
>>>time-consuming. If not, then the post-facto punishment may actually have
>>>enough teeth to serve as deterrence that constitutes more than just talk
>>>with a little nudge-nudge-wink-wink, times being what they are.
>>>I would like to ask Bertrand in the case of .fr Afnic Whois that he
>>>recently posted to the full WG list, how does access to privately withheld
>>>Whois data work? That might provide us with another model in addition to
>>>the Dutch Govcert process for comparison. The more working precedents we
>>>have to consider, the better.
>Jeffrey A. Williams
>Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
>"Obedience of the law is the greatest freedom" -
> Abraham Lincoln
>"Credit should go with the performance of duty and not with what is very
>often the accident of glory" - Theodore Roosevelt
>"If the probability be called P; the injury, L; and the burden, B; liability
>depends upon whether B is less than L multiplied by
>P: i.e., whether B is less than PL."
>United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
>Information Network Eng. INEG. INC.
>ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
>Registered Email addr with the USPS Contact Number: 214-244-4827