ICANN ICANN Email List Archives

[gnso-acc-sgb]


<<< Chronological Index >>>    <<< Thread Index >>>

FW: [gnso-acc-sgb] query-screening paradigm

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: FW: [gnso-acc-sgb] query-screening paradigm
  • From: "Natris, Wout de" <W.deNatris@xxxxxxx>
  • Date: Tue, 29 May 2007 15:46:43 +0200

OPTA does not have the jurisdiction to do this. We are here for telecom
and post regulation and on this basis investigate and enforce spam and
malware cases. I don't have an answer as to e.g. the police or justice
department could do a sort of sign off in the Netherlands.
 
This sort of debate should also be carried out with governments, e.g.
our Ministry of Economic Affairs, who handles telecommunications law and
the Justice Department. If a sign off is sg2's suggestion as a way
forward for private third parties, laws might have to be changed and
governments have to come on board in this discussion.
 
Wout

________________________________

Van: Hugh Dierker [mailto:hdierker2204@xxxxxxxxx] 
Verzonden: dinsdag 29 mei 2007 15:22
Aan: Natris, Wout de
Onderwerp: RE: [gnso-acc-sgb] query-screening paradigm


If the 3rd party requestor just went to the LEA to ask for some kind of
sign off before requesting the data, would that be in line with your
policies?
 
Eric

"Natris, Wout de" <W.deNatris@xxxxxxx> wrote:

        All,
        
        I think I mentioned this before, but OPTA is not allowed to pass
on
        privacy sensitive information to private persons or
institutions. Only
        to other government agencies.
        
        As I have explained I can only speak for OPTA, but I would be
very much
        surprised if this would be any different for other LEA's in the
        Netherlands and at least in some other EU countries.
        
        This makes this suggested solution very hard to follow through.
        
        Wout 
        
        -----Oorspronkelijk bericht-----
        Van: owner-gnso-acc-sgb@xxxxxxxxx
[mailto:owner-gnso-acc-sgb@xxxxxxxxx]
        Namens Carole Bird
        Verzonden: zaterdag 26 mei 2007 17:44
        Aan: gnso-acc-sgb@xxxxxxxxx
        Onderwerp: Re: [gnso-acc-sgb] query-screening paradigm
        
        Hi Eric, 
        
        Let me clarify the point as I think I didn't articulate it well.

        
        In one of the email exchanges, I believe that someone indicated
that
        one of the options might be for 3rd parties to request
information from
        the WHOIS database from LEAs. The LEA may not legally be allowed
to
        provide the information to the 3rd party - I'm not saying there
is
        anything wrong with that ( I agree that it protects privacy, etc
) nor
        am I say the law should be changed. 
        
        What I'm saying is that if we are looking at a proposed option
based on
        the premise that police or an LEA could act as a conduit for
access to
        the information particularly where there may not be a concurrent
        investigation by the police or the LEA, the premise for that
option may
        be flawed. We may be asking LEAs to do something they simply
cannot
        do. 
        
        Carole 
        
        >>> Hugh Dierker 05/26/07 10:56 AM >>>
        Interesting points here Carole. The first one is just life. And
it is
        further the result of each autonomous governments right to
secure the
        privacy of its citizens.But the way I understand it, it is the
3rd party
        passing on the info to the LEA that is important. And certainly
if it
        first flowed in one direction it can then flow back.
        
        The second is the same, each country will have to decide what an
        affidavit is. For instance I believe some still require an oath
to God.
        Most just want who, what, when, where and how with reasonable
        specificity and an oath that it is true. More often they are
called by
        their more descriptive name "declaration". 
        
        Bare Bones is a term I like and should be the standard for
recipients.
        Operators of Whois data basis should have a norm minimum
requirement
        from here.
        
        Eric
        
        Carole Bird wrote:
        Hi Dan, 
        
        When you say "LEA-operated system" what do you have in mind? My
concern
        here is that, as we discussed at the last teleconference, there
are
        countries where LEAs are not legally allowed to "pass-on" or
distribute
        information from someone else's database unless the LEA is
itself
        conducting an investigation into the matter. Even then, the LEA
may not
        be able to "pass-on" the information but only use it for it's
only
        police investigation. 
        
        Also could you clarify what your definition of an Affidavit is?
(I don't
        want to assume that it is the same definition everywhere or that
the
        elements of an affidavit are the same everywhere.) 
        
        Thanks, 
        
        Carole. 
        
        
        
        >>> Dan Krimm 05/25/07 10:54 PM >>>
        Jeff,
        
        Not sure if I fully understand the question re "institution by
        institution basis" but let me guess -- I would suggest that
non-LEA
        query eligibility be certified and verified for individual
natural
        persons at appropriate individual institutions for specific
"purpose
        domains" appropriate to the individual institution's legitimate
need to
        obtain instances of the private Whois information.
        
        And then of course, individual queries from eligible account
holders
        would go through the application procedure as described. So to
        reiterate, this is a two-stage process:
        
        (1) Certify/verify individuals' eligibility to make queries
through the
        LEA-operated system for certain instances of private Whois
information.
        Institutional affiliation will certainly be of some importance
here.
        (Review certification periodically, perhaps roughly annually.
That
        periodicity is open to comment, IMHO, but I think a one-time
cert would
        not be sufficient. Also, when individuals leave positions where
        performing such queries are in their job descriptions, their
        certifications must be removed immediately.)
        
        (2) Case-specific affidavit/application process with
well-defined
        approval protocols allowed for eligible accounts in the system,
with
        fully individualized audit trail.
        
        
        More detailed criteria need to be defined as to whom would
qualify to be
        certified for query eligibility, but I'm not sure that
institutions or
        industries as a *category* would necessarily be certified as a
group,
        though membership in a group whose members typically satisfy the
        criteria would probably indicate that approval for certification
would
        be likely.
        But I would not suggest defining "eligible groups" so much as
certify
        "eligible individuals in individual eligible institutions"
according to
        specific demonstrated need.
        
        I see no need for institution-*type*-based categorization, as in
Susan's
        proposal. I think it would be better to proceed directly from
actual
        need-based criteria, and define those needs as clearly as we
can.
        
        Frankly, I think the question deserves further exploration.
        Nevertheless, my own instinct is not to create an unnecessary
layer of
        potentially spurious categorization that will confuse the
accuracy of
        the certification process. Legitimacy should be based on the
specific
        use/need, not the "type" of institution, I think. This keeps the
process
        closer to "due process" which is the aim here.
        
        Dan
        
        
        
        At 8:58 PM -0500 5/25/07, jwkckid1@xxxxxxxxxxxxx wrote:
        >Dr. Dierker, Dan and all,
        >
        > I like Dans approach here as it gives third parties what they
need 
        >while also giving reasonable privacy protection, and anti 
        >spaming/reverse phishing.
        >
        > The only part of what Dan is recomending is is what he is
proposing on
        
        >a institution by insititution basis or broader, i.e. all whom
may 
        >apply? Dan, can you clarify that?
        >
        >-----Original Message-----
        >From: Hugh Dierker
        >Sent: May 25, 2007 7:43 PM
        >To: Dan Krimm , gnso-acc-sgb@xxxxxxxxx
        >Subject: Re: [gnso-acc-sgb] query-screening paradigm
        >
        >Yes it will take some effort to get this set up but it should
be
        implemented.
        >The extreme bottom line on this is that it leads an
accountability 
        >paper trail and then can be checked later if something ontoward
happens
        
        >with the data. Of course there is no way to tell for sure in
most
        instances.
        >
        >It is important to realize that "you cannot legislate morality"
and 
        >"any law is made to be broken" With this type of safegaurd I am
in 
        >favor of third party access.
        >
        >The idea is not to make it impossible, which you cannot do
anyway as 
        >courts have something to say about it. It is to make access
accountable
        
        >and not bulk and safe enough to keep mass abuse from occurring.
        >
        >Dan Krimm wrote:
        >
        >At 12:58 PM -0500 5/25/07, wrote:
        >
        >>I wouldn't be opposed to the idea of some type of
"pre-screening"
        >>process for private companies to be able to access the
protected data 
        >>for anti-fraud efforts, but this would need to be done on a
one-time 
        >>basis or maybe on some time of bi-annual renewal basis instead
of 
        >>every time the company has to investigate a fraud. Many of
these large
        
        >>companies like Bank of America are the target of a phishing
attack 
        >>multiple times each day. It's not unusual for them to be
working 25-50
        
        >>separate and distinct fraudulent sites in a given day. If they
needed 
        >>to go through a "screening" process each time, it would be
extremely 
        >>detrimental to the anti-fraud efforts.
        >
        >
        >Okay, seems that it may be worth putting this idea out there in
more 
        >detail, at this juncture.
        >
        >What I imagined possibly happening was: (1) a certification
process to 
        >designate an entity to be eligible to query for private Whois
data 
        >(i.e., to approve the establishment of a verified account in a
system 
        >operated by LEAs), and then (2) a case-specific application
process to 
        >get data for specific queries.
        >
        >As long as the query-screening process is well-defined so that
all 
        >requirements for approval of the query are known beforehand in
an 
        >explicit protocol that is available to all certified entities,
then I 
        >think it need not impose an onerous time cost on the query
process.
        >
        >Provide the evidence of wrongdoing (that has to come to one's
attention
        
        >somehow, so it should be readily at hand), state the purpose to
be 
        >confined to addressing that specific wrongdoing, identify an
individual
        
        >(a natural
        >person) at the entity who is responsible for use of the data
(or 
        >perhaps individualize the certified accounts up front) --
something 
        >along those lines.
        >
        >If the evidence checks out (i.e., the statement of purpose
matches the 
        >operative URL(s) in the evidence -- perhaps a domain in the
extended 
        >header in a forwarded phishing email, or an independent browser

        >retrieval from a pharming URL), then approval could even be
essentially
        
        >automatic at the LEAs (perhaps even algorithmically
programmable in a 
        >SW application without explicit human intervention, providing a
report 
        >of automatic approvals to the LEAs, as all applications and
approved 
        >queries through the LEA authority would presumably be fully
logged in 
        >an audit trail -- this could address Margie's scalability
issues).
        >
        >A single query application could designate a request for
private Whois 
        >data for all domains for a single registrant, if appropriate --
where 
        >it makes sense, there need not be a strict single-domain-only 
        >constraint, while not extending to full unrestricted access.
        >
        >Then upon approval, the actual private data would be retrieved
by the 
        >LEA and provided to the private entity as requested (if under
the 
        >operation of a SW-driven system where the affidavit of purpose
can be 
        >structured with an input form, this presumably could often be
completed
        
        >without human intervention).
        >
        >Bottom line: there are ways this could be streamlined while
still 
        >providing an initial query-screening step with some substance.
Granted,
        
        >this would be distinctly imperfect as compared with strong due
process 
        >before an independent judiciary (that's why going this far
would 
        >already be a very significant compromise from the privacy
advocacy 
        >standpoint) partly because it may be possible to falsify data
in a 
        >query application (such as providing a falsified phishing email
as 
        >evidence), but a full and permanent audit trail would provide
some 
        >additional deterrent on top of that, as any falsification could
come 
        >back to haunt the individual falsifier personally, as well as
the legal
        person s/he represents.
        >
        >That is, in order for post-facto deterrence to be significantly

        >effective, the audit trail has to be robust and independently 
        >controlled. That's what the query-screening step would
basically be 
        >for. If you are following the well-defined protocol, I don't
see that 
        >this has to be significantly time-consuming. If not, then the 
        >post-facto punishment may actually have enough teeth to serve
as 
        >deterrence that constitutes more than just talk with a little
        nudge-nudge-wink-wink, times being what they are.
        >
        >
        >I would like to ask Bertrand in the case of .fr Afnic Whois
that he 
        >recently posted to the full WG list, how does access to
privately 
        >withheld Whois data work? That might provide us with another
model in 
        >addition to the Dutch Govcert process for comparison. The more
working 
        >precedents we have to consider, the better.
        >
        >Thanks,
        >Dan
        >
        >
        >Regards,
        >
        >Jeffrey A. Williams
        >Spokesman for INEGroup LLA. - (Over 134k members/stakeholders
strong!) 
        >"Obedience of the law is the greatest freedom" - Abraham
Lincoln
        >
        >"Credit should go with the performance of duty and not with
what is 
        >very often the accident of glory" - Theodore Roosevelt
        >
        >"If the probability be called P; the injury, L; and the burden,
B; 
        >liability depends upon whether B is less than L multiplied by
        >P: i.e., whether B is less than PL."
        >United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] 
        >===============================================================
        >Updated 1/26/04
        >CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. 
        >div. of Information Network Eng. INEG. INC.
        >ABA member in good standing member ID 01257402 E-Mail 
        >jwkckid1@xxxxxxxxxxxxx Registered Email addr with the USPS
Contact 
        >Number: 214-244-4827
        
        
        
        
        
        ---------------------------------
        Expecting? Get great news right away with email Auto-Check.
        Try the Yahoo! Mail Beta.
        
        
        +++++++++++++++++++++++++++++++++++++++++++++
        Disclaimer
        Dit e-mailbericht kan vertrouwelijke informatie bevatten of
informatie die is beschermd door een beroepsgeheim.
        Indien dit bericht niet voor u is bestemd, wijzen wij u erop dat
elke vorm van verspreiding, vermenigvuldiging
        of ander gebruik ervan niet is toegestaan.
        Indien dit bericht blijkbaar bij vergissing bij u terecht is
gekomen, verzoeken wij u ons daarvan
        direct op de hoogte te stellen via tel.nr 070 315 3500 of e-mail
mailto:mail@xxxxxxx en het bericht te vernietigen.
        Dit e-mailbericht is uitsluitend gecontroleerd op virussen.
        OPTA aanvaardt geen enkele aansprakelijkheid voor de feitelijke
inhoud en juistheid van dit bericht en er kunnen 
        geen rechten aan worden ontleend.
        
        
        This e-mail message may contain confidential information or
information protected by professional privilege.
        If it is not intended for you, you should be aware that any
distribution, copying or other form of use of
        this message is not permitted.
        If it has apparently reached you by mistake, we urge you to
notify us by phone +31 70 315 3500
        or e-mail mailto:mail@xxxxxxx and destroy the message
immediately.
        This e-mail message has only been checked for viruses.
        The accuracy, relevance, timeliness or completeness of the
information provided cannot be guaranteed.
        OPTA expressly disclaims any responsibility in relation to the
information in this e-mail message.
        No rights can be derived from this message.
        
        
        


________________________________

Shape Yahoo! in your own image. Join our Network Research Panel today!
<http://us.rd.yahoo.com/evt=48517/*http://surveylink.yahoo.com/gmrs/yaho
o_panel_invite.asp?a=7>  
+++++++++++++++++++++++++++++++++++++++++++++
Disclaimer
Dit e-mailbericht kan vertrouwelijke informatie bevatten of informatie die is 
beschermd door een beroepsgeheim.
Indien dit bericht niet voor u is bestemd, wijzen wij u erop dat elke vorm van 
verspreiding, vermenigvuldiging
of ander gebruik ervan niet is toegestaan.
Indien dit bericht blijkbaar bij vergissing bij u terecht is gekomen, verzoeken 
wij u ons daarvan
direct op de hoogte te stellen via tel.nr 070 315 3500 of e-mail 
mailto:mail@xxxxxxx en het bericht te vernietigen.
Dit e-mailbericht is uitsluitend gecontroleerd op virussen.
OPTA aanvaardt geen enkele aansprakelijkheid voor de feitelijke inhoud en 
juistheid van dit bericht en er kunnen 
geen rechten aan worden ontleend.


This e-mail message may contain confidential information or information 
protected by professional privilege.
If it is not intended for you, you should be aware that any distribution, 
copying or other form of use of
this message is not permitted.
If it has apparently reached you by mistake, we urge you to notify us by phone 
+31 70 315 3500
or e-mail mailto:mail@xxxxxxx and destroy the message immediately.
This e-mail message has only been checked for viruses.
The accuracy, relevance, timeliness or completeness of the information provided 
cannot be guaranteed.
OPTA expressly disclaims any responsibility in relation to the information in 
this e-mail message.
No rights can be derived from this message.


<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy