RE: [gnso-whois-wg] Consultant's report on US law enforcement agencies and accreditation for access to unpublished Whois data

[Tim Ruiz <tim@xxxxxxxxxxx>]

<html><body>I don't recall - Has there been any discussion of 
indemnification/liability in regards to registrars being required to rely on a 
third party's accreditation of LEs for access? Specifically, who if anyone 
would provide such indemnification, ICANN, the third party? Or is the thinking 
that registrars are&nbsp;expected to take on that liability?<BR><BR>Tim <BR>
<div     ><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px 
solid" webmail="1">-------- Original Message --------<BR>Subject: Re: 
[gnso-whois-wg] Consultant's report on US law enforcement<BR>agencies and 
accreditation for access to unpublished Whois data<BR>From: Dan Krimm 
&lt;dan@xxxxxxxxxxxxxxxx&gt;<BR>Date: Fri, July 20, 2007 12:44 pm<BR>To: 
&lt;gnso-whois-wg@xxxxxxxxx&gt;<BR><BR><PRE>Thanks for this, Maria.

I did find a contradiction regarding the summary statement: "At this
juncture, I am not confident that there is an organization that can
properly accredit law enforcement agencies in the United States alone,
let
alone internationally."

Compare with the item about HTCC- High Tech Crime Cops stating: "HTCC is
predominantly comprised of LEOs with a small number of non-sworn civilian
computer forensics examiners.  HTCC is willing to accredit law
enforcement
agencies."

Thus, the report seems to me neither abjectly confirming nor abjectly
disconfirming the idea that accreditation is possible.  It is a useful
partial and preliminary report, but not ultimately conclusive.  Given the
confined time frame allowed for it, this is not particularly surprising.

It was helpful in identifying a number of potential candidates that
currently exist, but I don't know that we should necessarily be
limited to
only existing candidates in the long run.  As the report states in the
numbered criteria points on page 2, point number 2 "Selection and
Validation of Agencies":  "Validating agents might be new or existing
entities."

In fact, given how quickly and exponentially ICANN's own budget is
expanding, it occurs to me that ICANN itself might reasonably consider
building this institutional capacity internally (or with internal funding
on an outsourced contractual basis, as appears to be popular at ICANN) at
it looks around to see what it can spend all this new money on.  If it
did
so, it might well be able to address a global reach under a single
integrated roof.

Bottom line:  I don't see this report as ruling out the potential for
effective pre-authentication methods for Access to personal contact
information of natural person registrants in the Whois database.  If it
takes a bit of time to develop this institutional capacity somewhere,
then
it seems to me the OPoC paradigm can wait for that to be developed, as
long
as the development process is conducted on a good-faith basis by ICANN,
either internally or collaborating with an external agent or agents.

We should consider all possibilities, as the OPoC paradigm would
establish
a substantial precedent with far reaching consequences.  If some
institutional capacity development is required in order to fully
implement
the paradigm in a way that effectively protects privacy while
providing all
necessary access of legitimate purposes, then that should not inhibit us
from setting a policy that requires that capacity.


I would suggest the following:

The OPoC paradigm should be implemented *only* on condition that
effective
authentication capacity has been established that genuinely satisfies
both
goals of effective privacy protection and timely access for legitimate
needs.  If both of these criteria cannot be satisfied simultaneously,
then
the OPoC paradigm should not be implemented for now.  But, a strong
pro-active project to seek to develop effective authentication capacity
should be embarked upon immediately and should be conducted by ICANN in
good faith, in order to enable the OPoC paradigm to be implemented in the
future.  We should certainly not abandon the OPoC paradigm (or some
equivalent) for the long term, but it needs to implemented in an
effective
manner or not at all.

Dan

PS -- I do not consider self-declaration to be an adequate method of
authentication to provide an effective protection of privacy,
especially if
post facto "challenge" processes and enforcement procedures are
burdensome
and ineffective at preventing abuse.  I suspect that might be a matter of
disagreement within the WG.  If so, we should report it as such.
</PRE></BLOCKQUOTE></DIV></body></html>