ICANN Email List Archives

[gnso-acc-sgb]



FW: [gnso-acc-sgb] query-screening paradigm

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: FW: [gnso-acc-sgb] query-screening paradigm
  • From: "Natris, Wout de" <W.deNatris@xxxxxxx>
  • Date: Wed, 30 May 2007 10:32:12 +0200

Dan and all,

First I would like to point out that a lot of countries around the world
and I think all EU countries have anti spam, copyright/trademark,
privacy law, criminal codes etc. To what extent they are upheld is a
matter of resources and prioritization given to the subject in each
individual country.

Secondly, OPTA only has the power to enforce spam and malware (to a
certain extent). That's all.

Thirdly, no we cannot take on all cases. A. By law (privacy, copyright,
criminal, fraud/deception, etc. are all not for OPTA) and b. by numbers.
We do prioritize, the most urgent cases are investigated first, the rest
receives a final warning which is usually sufficient for legitimately
operating businesses that spam.

Four, I agree, as I have mailed yesterday, that governments have to get
into the discussion if third parties have to be granted access through
some sort of waiver. For argument's sake, say that OPTA is to grant the
access through a sort of sign off in future, the Telecommunication Act
would have to be altered by our Ministry of Economic Affairs. As it
would have to be if trademark, phishing, etc, issues would all have to
be dealt with by OPTA. (All this is very unlikely though.) In general I,
sorry I am a complete outsider and know nothing about ICANN procedures,
think that some stakeholders are missing in this particular discussion,
which could make it hard to come up with a solution that is acceptable
in a later stage. Questions which are seriously debated here ought to be
asked to governments too, so it might be a good idea to bring some GAC
members in the discussion in Puerto Rico if it is decided that this is a
good way to proceed.

Five, if any of you are involved in copyright issues, the Dutch
copyright organization, Stichting Brein, won a civil court case about
Whois/personal data against an ISP, in which due process plays a major
role. That's about all I know of this case, but they ought to be able to
give you information about that. www.anti-piracy.nl Here's the link, the
site is partially in English.

Six, OPTA is given, in the Telecommunication Act and the General
administrative law powers, to investigate and sanction infringement of
the Telecommunication (and Postal) Act in the Netherlands. This ought to
be enough to be granted access to whois data.

Seven, to coordinate between all the different (cyber crime) enforcers,
private players, government agencies and possible others involved in
potential cyber criminality and attacks, the Dutch government has
started a project that is to connect and protect all players at critical
points in infrastructures against cyber threats. E.G., Schiphol airport,
Rotterdam harbour, oil, gas, energy, water producing businesses,
telecoms, etc. It started last year and the banking business piloted.
With the provisionary notice and take down procedure with Govcert I
wrote about as a first result. I understand there are many more results,
but these do not (yet) catch the public eye. Fact is, our government
takes the lead and there is a will to cooperate by many parties
involved.

In a project like this all third parties we speak about here could be
brought together. At this stage it looks like OPTA will be in the middle
of one node, i.e. telecoms. That is all I can say at this stage, but
this might possibly mean that what Dan suggests, may become a
possibility in the Netherlands. This is very speculative for now as you
understand.

Wout



-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
On Behalf Of Dan Krimm
Sent: Tuesday 29 May 2007 22:24
To: gnso-acc-sgb@xxxxxxxxx
Subject: RE: [gnso-acc-sgb] query-screening paradigm

I appreciate this information.  It prompts further questions:

If LEAs do not have this option per se, are there other related
potentials that are not bound in exactly the same manner?

 (1) Do judicial jurisdictions have this authority, and if so could they
be harnessed in this sort of scheme in lieu of LEAs?  This brings the
process even closer to "due process" and the idea of an automatic system
can be applied to reduce bureaucratic delay in whatever jurisdiction it
resides.

 (2) Can LEAs "deputize" certain private parties contractually in a way
that is significant enough to bring them into the LEA realm so that they
may receive certain personal data in controlled circumstances?  (Think
of this as a counterpart to the commercial realm where
closely-contracted service providers must operate under a primary
business's internal privacy policy provisions.)  If so, that could
become part of a certification process for private entities.

There is certainly a fairly robust instance of privatization of public
function over the last 20 years, both in the US and elsewhere such as
the EU, and there are regulatory or contractual bindings that produce
public accountability in those instances.

The idea here is a general framework, and a single obstacle is not
necessarily a reason to stop looking for solutions.  I think it's too
early to give it up just yet.

And in the end if we cannot get around this, then maybe the LEAs should
simply take responsibility for all such investigations, anyway.  If they
are not up to the task, then perhaps the responsibility rests with
governments to figure out how to get the task done, since this is a
public trust requiring public accountability.  At the end of the day,
there may be a circle we're trying to square here, and the ultimate
solution may indeed require some legislative action on the part of
public governments.  If so, it seems to me that ICANN should not place
itself in a position of trying to solve their problems unilaterally.

Is it OPTA's position that it has the resources to address all of the
cases of Internet fraud within its jurisdiction on a timely basis (and
this would continue as long as OPTA retains full per-query access to
private Whois data in the OPoC paradigm)?  If so, then there seems to be
no need to involve private parties in the first place.  But there are
certainly representatives of private parties here who would seem to
disagree.

Dan



At 9:33 AM +0200 5/29/07, Natris, Wout de wrote:
>All,
>
>I think I mentioned this before, but OPTA is not allowed to pass on 
>privacy sensitive information to private persons or institutions. Only 
>to other government agencies.
>
>As I have explained I can only speak for OPTA, but I would be very much
>surprised if this would be any different for other LEA's in the
>Netherlands and at least in some other EU countries.
>
>This makes this suggested solution very hard to follow through.
>
>Wout
>
>-----Original Message-----
>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>On Behalf Of Carole Bird
>Sent: Saturday 26 May 2007 17:44
>To: gnso-acc-sgb@xxxxxxxxx
>Subject: Re: [gnso-acc-sgb] query-screening paradigm
>
>Hi Eric,
>
>Let me clarify the point as I think I didn't articulate it well.
>
>In one of the email exchanges, I believe that someone indicated that
>one of the options might be for 3rd parties to request information from
>the WHOIS database from LEAs.  The LEA may not legally be allowed to
>provide the information to the 3rd party - I'm not saying there is
>anything wrong with that (I agree that it protects privacy, etc.) nor
>am I saying the law should be changed.
>
>What I'm saying is that if we are looking at a proposed option based on
>the premise that police or an LEA could act as a conduit for access to
>the information particularly where there may not be a concurrent
>investigation by the police or the LEA, the premise for that option may
>be flawed.  We may be asking LEAs to do something they simply cannot
>do.
>
>Carole
>
>>>> Hugh Dierker <hdierker2204@xxxxxxxxx> 05/26/07 10:56 AM >>>
>Interesting points here Carole. The first one is just life. And it is
>further the result of each autonomous government's right to secure the
>privacy of its citizens. But the way I understand it, it is the 3rd
>party passing on the info to the LEA that is important. And certainly
>if it first flowed in one direction it can then flow back.
>
>  The second is the same, each country will have to decide what an
>affidavit is. For instance I believe some still require an oath to God.
>Most just want who, what, when, where and how with reasonable
>specificity and an oath that it is true. More often they are called by
>their more descriptive name "declaration".
>
>  Bare Bones is a term I like and should be the standard for recipients.
>Operators of Whois databases should have a norm minimum requirement
>from here.
>
>  Eric
>
>Carole Bird <Carole.Bird@xxxxxxxxxxxxxx> wrote:
>  Hi Dan,
>
>When you say "LEA-operated system" what do you have in mind? My concern
>here is that, as we discussed at the last teleconference, there are
>countries where LEAs are not legally allowed to "pass-on" or distribute
>information from someone else's database unless the LEA is itself
>conducting an investigation into the matter. Even then, the LEA may not
>be able to "pass-on" the information but only use it for its own
>police investigation.
>
>Also could you clarify what your definition of an Affidavit is? (I 
>don't want to assume that it is the same definition everywhere or that 
>the elements of an affidavit are the same everywhere.)
>
>Thanks,
>
>Carole.
>
>
>
>>>> Dan Krimm 05/25/07 10:54 PM >>>
>Jeff,
>
>Not sure if I fully understand the question re "institution by
>institution basis" but let me guess -- I would suggest that non-LEA
>query eligibility be certified and verified for individual natural
>persons at appropriate individual institutions for specific "purpose
>domains" appropriate to the individual institution's legitimate need to
>obtain instances of the private Whois information.
>
>And then of course, individual queries from eligible account holders 
>would go through the application procedure as described. So to 
>reiterate, this is a two-stage process:
>
>(1) Certify/verify individuals' eligibility to make queries through the
>LEA-operated system for certain instances of private Whois information.
>Institutional affiliation will certainly be of some importance here.
>(Review certification periodically, perhaps roughly annually. That
>periodicity is open to comment, IMHO, but I think a one-time cert would
>not be sufficient. Also, when individuals leave positions where
>performing such queries is in their job descriptions, their
>certifications must be removed immediately.)
>
>(2) Case-specific affidavit/application process with well-defined 
>approval protocols allowed for eligible accounts in the system, with 
>fully individualized audit trail.
>
>
>More detailed criteria need to be defined as to who would qualify to
>be certified for query eligibility, but I'm not sure that institutions
>or industries as a *category* would necessarily be certified as a
>group, though membership in a group whose members typically satisfy the
>criteria would probably indicate that approval for certification would
>be likely.
>But I would not suggest defining "eligible groups" so much as certify
>"eligible individuals in individual eligible institutions" according to
>specific demonstrated need.
>
>I see no need for institution-*type*-based categorization, as in
>Susan's proposal. I think it would be better to proceed directly from
>actual need-based criteria, and define those needs as clearly as we
>can.
>
>Frankly, I think the question deserves further exploration.
>Nevertheless, my own instinct is not to create an unnecessary layer of 
>potentially spurious categorization that will confuse the accuracy of 
>the certification process. Legitimacy should be based on the specific 
>use/need, not the "type" of institution, I think. This keeps the 
>process closer to "due process" which is the aim here.
>
>Dan
>
>
>
>At 8:58 PM -0500 5/25/07, jwkckid1@xxxxxxxxxxxxx wrote:
>>Dr. Dierker, Dan and all,
>>
>> I like Dan's approach here as it gives third parties what they need
>>while also giving reasonable privacy protection, and anti
>>spamming/reverse phishing.
>>
>> The only part of what Dan is recommending is is what he is proposing
>>on an institution by institution basis or broader, i.e. all whom may
>>apply? Dan, can you clarify that?
>>
>>-----Original Message-----
>>From: Hugh Dierker
>>Sent: May 25, 2007 7:43 PM
>>To: Dan Krimm , gnso-acc-sgb@xxxxxxxxx
>>Subject: Re: [gnso-acc-sgb] query-screening paradigm
>>
>>Yes it will take some effort to get this set up but it should be
>>implemented.
>>The extreme bottom line on this is that it leads an accountability
>>paper trail and then can be checked later if something untoward
>>happens with the data. Of course there is no way to tell for sure in
>>most instances.
>>
>>It is important to realize that "you cannot legislate morality" and
>>"any law is made to be broken". With this type of safeguard I am in
>>favor of third party access.
>>
>>The idea is not to make it impossible, which you cannot do anyway as
>>courts have something to say about it. It is to make access
>>accountable and not bulk and safe enough to keep mass abuse from
>>occurring.
>>
>>Dan Krimm wrote:
>>
>>At 12:58 PM -0500 5/25/07, wrote:
>>
>>>I wouldn't be opposed to the idea of some type of "pre-screening"
>>>process for private companies to be able to access the protected data
>>>for anti-fraud efforts, but this would need to be done on a one-time
>>>basis or maybe on some type of bi-annual renewal basis instead of
>>>every time the company has to investigate a fraud. Many of these
>>>large companies like Bank of America are the target of a phishing
>>>attack multiple times each day. It's not unusual for them to be
>>>working 25-50 separate and distinct fraudulent sites in a given day.
>>>If they needed to go through a "screening" process each time, it
>>>would be extremely detrimental to the anti-fraud efforts.
>>
>>
>>Okay, seems that it may be worth putting this idea out there in more 
>>detail, at this juncture.
>>
>>What I imagined possibly happening was: (1) a certification process to
>>designate an entity to be eligible to query for private Whois data
>>(i.e., to approve the establishment of a verified account in a system
>>operated by LEAs), and then (2) a case-specific application process to
>>get data for specific queries.
>>
>>As long as the query-screening process is well-defined so that all 
>>requirements for approval of the query are known beforehand in an 
>>explicit protocol that is available to all certified entities, then I 
>>think it need not impose an onerous time cost on the query process.
>>
>>Provide the evidence of wrongdoing (that has to come to one's
>>attention somehow, so it should be readily at hand), state the purpose
>>to be confined to addressing that specific wrongdoing, identify an
>>individual (a natural person) at the entity who is responsible for use
>>of the data (or perhaps individualize the certified accounts up
>>front) -- something along those lines.
>>
>>If the evidence checks out (i.e., the statement of purpose matches the
>>operative URL(s) in the evidence -- perhaps a domain in the extended
>>header in a forwarded phishing email, or an independent browser
>>retrieval from a pharming URL), then approval could even be
>>essentially automatic at the LEAs (perhaps even algorithmically
>>programmable in a SW application without explicit human intervention,
>>providing a report of automatic approvals to the LEAs, as all
>>applications and approved queries through the LEA authority would
>>presumably be fully logged in an audit trail -- this could address
>>Margie's scalability issues).
>>
>>A single query application could designate a request for private Whois
>>data for all domains for a single registrant, if appropriate -- where
>>it makes sense, there need not be a strict single-domain-only
>>constraint, while not extending to full unrestricted access.
>>
>>Then upon approval, the actual private data would be retrieved by the
>>LEA and provided to the private entity as requested (if under the
>>operation of a SW-driven system where the affidavit of purpose can be
>>structured with an input form, this presumably could often be
>>completed without human intervention).
>>
>>Bottom line: there are ways this could be streamlined while still
>>providing an initial query-screening step with some substance.
>>Granted, this would be distinctly imperfect as compared with strong
>>due process before an independent judiciary (that's why going this far
>>would already be a very significant compromise from the privacy
>>advocacy standpoint) partly because it may be possible to falsify data
>>in a query application (such as providing a falsified phishing email
>>as evidence), but a full and permanent audit trail would provide some
>>additional deterrent on top of that, as any falsification could come
>>back to haunt the individual falsifier personally, as well as the
>>legal person s/he represents.
>>
>>That is, in order for post-facto deterrence to be significantly 
>>effective, the audit trail has to be robust and independently 
>>controlled. That's what the query-screening step would basically be 
>>for. If you are following the well-defined protocol, I don't see that 
>>this has to be significantly time-consuming. If not, then the 
>>post-facto punishment may actually have enough teeth to serve as 
>>deterrence that constitutes more than just talk with a little
>>nudge-nudge-wink-wink, times being what they are.
>>
>>
>>I would like to ask Bertrand in the case of .fr Afnic Whois that he
>>recently posted to the full WG list, how does access to privately
>>withheld Whois data work? That might provide us with another model in
>>addition to the Dutch Govcert process for comparison. The more working
>>precedents we have to consider, the better.
>>
>>Thanks,
>>Dan
>>
>>
>>Regards,
>>
>>Jeffrey A. Williams
>>Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
>>"Obedience of the law is the greatest freedom" -  Abraham Lincoln
>>
>>"Credit should go with the performance of duty and not with what is 
>>very often the accident of glory" - Theodore Roosevelt
>>
>>"If the probability be called P; the injury, L; and the burden, B; 
>>liability depends upon whether B is less than L multiplied by
>>P: i.e., whether B is less than PL."
>>United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] 
>>===============================================================
>>Updated 1/26/04
>>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
>>div. of Information Network Eng. INEG. INC.
>>ABA member in good standing member ID 01257402 E-Mail 
>>jwkckid1@xxxxxxxxxxxxx Registered Email addr with the USPS Contact
>>Number: 214-244-4827
>
>+++++++++++++++++++++++++++++++++++++++++++++
>Disclaimer
>This e-mail message may contain confidential information or information
>protected by professional privilege.
>If it is not intended for you, you should be aware that any
>distribution, copying or other form of use of this message is not
>permitted.
>If it has apparently reached you by mistake, we urge you to notify us
>by phone +31 70 315 3500 or e-mail mailto:mail@xxxxxxx and destroy the
>message immediately.
>This e-mail message has only been checked for viruses.
>The accuracy, relevance, timeliness or completeness of the information
>provided cannot be guaranteed.
>OPTA expressly disclaims any responsibility in relation to the
>information in this e-mail message.
>No rights can be derived from this message.
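
Added example (not part of the thread or of any ICANN or OPTA system): a Python sketch of the two-stage query-screening scheme Dan Krimm describes in the quoted posts, with per-individual certification, automatic approval only when the requested domain matches a URL host in the submitted evidence, and a hash-chained audit trail. The account table, field names, decision strings and sample phishing mail are all constructed assumptions.

```python
import hashlib
import json
import re
from datetime import date
from urllib.parse import urlsplit

# Stage 1 (constructed sample): certified individuals, each with a review date.
ACCOUNTS = {"analyst-17": {"purposes": {"phishing"},
                           "cert_expires": date(2008, 5, 1)}}
# Constructed evidence: a forwarded phishing mail naming the operative URL.
SAMPLE_EVIDENCE = ("Subject: Verify your account\n"
                   "Click http://login.evil.test/bank.example/verify today\n")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
GENESIS = "0" * 64

def evidence_hosts(evidence):
    """Hostnames of every URL found in the submitted evidence text."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(evidence))
    return {h.lower().rstrip(".") for h in hosts if h}

def covers(domain, host):
    """True if host is the requested domain or a name beneath it."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def screen(app, today):
    """Stage 2: decide one case-specific application against the protocol."""
    acct = ACCOUNTS.get(app["account"])
    if acct is None:
        return "deny: unknown account"
    if today > acct["cert_expires"]:
        return "deny: certification lapsed"
    if app["purpose"] not in acct["purposes"]:
        return "deny: purpose outside certification"
    if not any(covers(app["domain"], h) for h in evidence_hosts(app["evidence"])):
        return "refer: requested domain not in evidence"
    return "approve"

class AuditTrail:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def _digest(self, prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def submit(trail, app, today):
    """Screen an application and log it, approved or not, per individual."""
    decision = screen(app, today)
    evidence_id = hashlib.sha256(app["evidence"].encode()).hexdigest()
    trail.append({"date": today.isoformat(), "account": app["account"],
                  "domain": app["domain"], "purpose": app["purpose"],
                  "evidence_sha256": evidence_id, "decision": decision})
    return decision
```

Hash chaining only makes later edits detectable; the "independently controlled" property asked for in the post still requires that the log, or at least its latest hash, be held by a party other than the one approving queries.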




