Re: From Christian -- Re: [gnso-ff-pdp-may08] Meta: Strawman - Process vs. Policy

["Mike O'Connor" <mike@xxxxxxxxxx>]

Just a quick note -- Christian, your note  reminded me that I wanted 
to push this picture up to the wiki.
https://st.icann.org/pdp-wg-ff/index.cgi?security_trade_off

This is an age-old picture out of the information-security 
world.  The point I usually made when this picture was up on the 
screen is that there are always trade-offs to be made between 
information-availability, information-confidentiality and 
information-integrity.  Each of us, and each constituency, may find 
ourselves favoring a different place in this map.
I was running security for a gaggle of higher-education institutions 
when I swiped this picture.  The academics wanted Availability, or 
sometimes Availability+Integrity.  The trend in 
information-protection law (in the US those are things like HIPPA and 
Sorbanes-Oxley) meant that we had to nudge the academics off that 
position a bit in order to deliver the Confidentiality required by 
the changing law.   The cops at the same institutions were equally 
adamant in their enthusiasm for Confidentiality (and maybe Integrity, 
if pushed) and had a hard time accepting Availability requirements 
that were imposed on them by the fact that they were working in an 
academic setting.  By definition, nobody is ever completely satisfied 
with the final result.
I think we find ourselves in the same position -- it's about choices. 
We (as ICANN, as well as individual stakeholders) *have* to make 
these choices because we're participants in the information system 
(in our case, the Internet).   We *will* place ICANN on this map, 
either by action or inaction.   If, for example, we put ICANN on the 
Availability+Confidentiality side of the map, people who need 
Integrity will have to go elsewhere.  Etc.
"Better to acknowledge the trade-off" is what I was trying to get at 
-- not state my position on where I fall.  I'm not sure my opinion is 
relevant -- I really *am* trying to stay as neutral in my Chair 
role.  By the way, if anybody perceives me to be unfairly favoring 
one point of view over another, please call me on it.  At the same 
time, I'm also trying to stimulate discussion because I perceive us 
to be on the verge of making some real progress.
Thanks,

m

At 03:56 PM 8/3/2008, Christian Curtis wrote:
>     Dave, please don't misunderstand me.  I'm not referring 
> specifically to all attempts to identify trusted sources, and I'm 
> not referring specifically to the proposal you brought up at the 
> end of the call.  Honestly, that exchange happened so quickly that 
> I didn't quite understand what you were proposing.  I'm speaking 
> more directly to the dangers that are inherent in endowing private 
> parties with a policing function.  Mike O'Connor's comments about 
> reaching a compromise between individual rights and the needs of 
> law enforcement made me particularly nervous, because I don't 
> believe that ICANN is the proper entity to balance these concerns.
>     Mike Rodenbaugh, I think that you might actually be making my 
> point for me.  It is that fact that constitutional protections do 
> not apply between contracting parties that makes me nervous.  We've 
> been asked to address the question of criminal conduct here.  To 
> some degree, law enforcement agencies are applying pressure on us 
> to do their jobs with the assertion that we're the only ones who 
> can.  I'm really not comfortable taking that role.
>     Part of the inefficiencies inherent to law enforcement are 
> there to preserve justice and individual liberties.  It would, 
> after all, be far more efficient to combat crime without trials, 
> warrants, or defendants' rights.  When it comes to speech crimes 
> it's even more efficient to require the speaker to get permission 
> before being allowed to speak at all.  Free societies, however, 
> specifically require the more inefficient route for good 
> reason.  I'm not comfortable circumventing these limitations by 
> placing the onus of crime prevention on private entities.
>       --Christian
>
> On Sat, Aug 2, 2008 at 9:15 AM, Mike O'Connor 
> <<mailto:mike@xxxxxxxxxx>mike@xxxxxxxxxx> wrote:
> My silence on this thread is partly due to it's quality.  This is a 
> very rich discussion and I've still got several emails to 
> read/ponder before I try to contribute.  But I'd like to merge two 
> threads.  Mike Rodebaugh just floated a detailed proposal in the 
> "[gnso-ff-pdp-may08] Question for Registrars - What kinds of 
> solutions scare you?" thread, which I'm taking the liberty of 
> attaching to this one.
> Why?  Because I'm curious whether there are sufficient safeguards in 
> that proposal to address the concerns that have been raised here -- 
> and to look for suggestions on how it could be improved.
> I see the glimmer of light at the end of the tunnel -- if we can get 
> a speedy process defined (to thwart nimble bad-guys) that addresses 
> due-process concerns, we're on the edge of a Very Good Thing.
> m
>
>
> At 08:02 AM 8/2/2008, Dave Piscitello wrote:
> Once again, since my words are being misrepresented again, I will 
> reiterate that there is a difference between private (which is the 
> opposite of public) and trusted.
> By (at least my) definition, trusted parties have some form of 
> "oversight" (in this case, certification) and some form of controls 
> over their behavior. How else do you assert trust?
> Now, if the accreditation/certification requirements (establishing 
> trust) demand some form of transparency, that's a valid topic for 
> discussion, and a laudable one.
> Next, consider the possible consequences of this transparency to the 
> accredited responder. Responders are put at risk of real-world 
> (physical) harm where criminal elements are involved. This is fact, 
> not fiction. The responder deserves no less concern for his safety 
> (and his family's) than the registrant. Transparency (e.g., public 
> disclosure of identities and contact information) is inappropriate 
> (my opinion). However, transparency could well take the form of 
> (again) trusted parties who are responsible for ensuring that 
> accredited responders do not abuse their privileges and thus protect 
> the privileges of registrants.
> I'm trying hard here to illustrate that I take your point about 
> safeguards seriously, but that you are misrepresenting what is being 
> suggested with the accreditation process. Please do not dismiss the 
> suggestion that accredited responders are targets for criminals lightly.]
> If we are going to debate  a topic, please let's debate it with more 
> precision. I think there are issues here that are being too quickly 
> reacted to in a very polarizing fashion. Democratic forms of 
> government typically have checks and balances.
> Perhaps we can make better progress if we agree to a refinement of 
> our process. If you offer a check (solution), consider also the 
> impact to a registrant. If someone proposes a check, and you have 
> misgivings over that check, by all means express that concern, but 
> please take a moment to think of a balance and offer that along with 
> your concern.
> Lastly, and please offline, I would be very interested in discussing 
> whether registering a domain is a privilege or a right.
>
> On 8/1/08 9:58 PM, "Mike O'Connor" 
> <<mailto:mike@xxxxxxxxxx>mike@xxxxxxxxxx> wrote:
>
>
> the list and Christian's email address aren't getting along at the
> moment.  so i'm acting as intermediary for him while we get it
> figured out.  Christian's post follows...
>
> m
>
>
> >Date: Fri, 1 Aug 2008 16:34:23 -0400
> >From: "Christian Curtis" 
> <<mailto:wilderbeast@xxxxxxxxx>wilderbeast@xxxxxxxxx>
> >To: <mailto:gnso-ff-pdp-may08@xxxxxxxxx>gnso-ff-pdp-may08@xxxxxxxxx
> >Subject: Re: [gnso-ff-pdp-may08] Meta: Strawman - Process vs. Policy
> >Cc: "Mike O'Connor" <<mailto:mike@xxxxxxxxxx>mike@xxxxxxxxxx>
> >X-Antivirus: AVG for E-mail 8.0.138 [270.5.10/1585]
> >
> >     I wanted to comment on the discussion we had at the end of the
> > call, and I believe that this is the proper thread.  I'll leave the
> > straw man alone for now, but I'd like to comment on the NCUC's
> > broader concerns.
> >
> >     Democratic governments have certain safe-guards in place to
> > prevent those entrusted with power from running rough-shod over
> > personal freedoms we consider important.  One of these protections
> > is the electoral process itself, which ensures that those who
> > create the policies of the state and those who wield its power are
> > ultimately accountable to the citizenry at large.  Other
> > protections include separation of powers, access to courts, and the
> > constitutional enshrinement of certain fundamental liberties.
> >
> >     Professor Setlzer commented that she gets very nervous when
> > private entities start to act like governments.  Both I and the
> > NCUC, share this concern.  Private entities like registries,
> > registrars and ICANN are not encumbered by the same
> > liberty-preserving safeguards as governments.  For example, the
> > U.S. constitution protects its citizens from certain invasive or
> > unjust conduct by the government.  It places little, if any,
> > similar restrictions on similar conduct by private parties.
> >
> >    Any discussion about combating illegal activity at ICANN
> > inherently raises these problems.  There is a distinct danger that
> > remedies at this level could transform private parties into a sort
> > of 'speech cop' charged with determining what content is
> > permissible and what is not.  As the debacle with Dynadot and
> > Wikileaks demonstrates, it may well be in the best interests of a
> > registrar to ignore the free speech interests of its customer in
> > the face of a powerful angry party.  Thrusting registrars,
> > registries or ICANN into this role creates the danger that they
> > could be pushed to implement more restrictive or arbitrary controls
> > than the government can.
> >
> >     Though I respect Mike's comments about compromise generally, I
> > do not believe that it is appropriate with regards to this
> > issue.  ICANN does not exist to balance the policies of protecting
> > civil liberties and combatting crime.  ICANN exists to coordinate
> > the Internet.  The sort of policies we are discussing when we get
> > into balancing free speech concerns against crime prevention belong
> > to democratic governments with their carefully balanced structures
> > and controls.
> >
> >     Respectfully, I must vigorously oppose any proposition that
> > ventures into this forbidden territory.
> >
> >      --Christian
>
>
>
>
> No virus found in this incoming message.
> Checked by AVG - <http://www.avg.com>http://www.avg.com
> Version: 8.0.138 / Virus Database: 270.5.10/1586 - Release Date: 
> 8/1/2008 6:59 PM
>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.138 / Virus Database: 270.5.12/1589 - Release Date: 
> 8/3/2008 1:00 PM