>>So what does the word "Law Enforcement" mean? American only - or ANY country. Seems to me that it would have to mean any country as all countries are theoretically equal on the Internet.

Fair point. But the emphasis on American is misplaced in this case. The stated context for the request is compliance with the EU's data privacy protection laws - which are somewhat different (stronger in most respects) than US law. .cat is controlled by a Spanish entity. So the US is involved only by treaty, international "law", and its special role in ICANN. (Some countries are more equal than others - at least in practice.)

It's important that the whois privacy rules not rely implicitly on the EU (or any nation's) administrative rules/processes. This is an area where a baseline standard should be established for all domains. Domains providing more (or less) privacy to meet local law or other requirements must be required to prominently and clearly disclose deviations to applicants.

Our comments on this will establish a precedent for similar requests from others - so we do need to be careful that they reflect a consistent set of principles that apply to all domains/registries. Among these should be:

A presumption of privacy for natural persons - with clear disclosure of deviations from the standard prior to accepting data.

A mechanism (aka privacy proxy) that allows contacting the registrant (any of the whois contacts) promptly for legitimate purposes: administrative, technical, abuse, service of process - while maintaining the registrant/contacts' privacy. This mechanism should be auditable - use should be logged and traceable.

The database containing the private data must be secure - protected by per-user security with each access to the private data logged and traceable back to the individual. Data extracted from the database must be handled in the same way.

To the extent that "law enforcement" or others have access to the entire database, the allowable reasons for accessing data must be listed, with procedures for audit and review. (Note that there are legitimate reasons for such access - e.g. find the physical address of a network disruptor, or identify all domains registered by a criminal enterprise. Don't sidetrack on who defines "criminal".)

With respect to the comments on privacy for organizations - I understand the desire (e.g. a shelter for victims of abuse). However, my understanding (I'm neither a lawyer nor resident in the EU) is that organizations are treated differently by the EU privacy law - and generally must disclose location and contact information. We can't legislate or require registries to violate local law. (That's what started this - current whois practice for individuals violates the EU data privacy laws!) We can identify the need and require that the technical means be in place to protect the privacy of organizations. We can also, as with natural persons, set a default standard and require disclosure of deviations. However, I don't think we want to be in the business of lobbying for specific changes in local laws...

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

_____

From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of Marc Perkel
Sent: Saturday, January 21, 2012 23:17
To: [log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments

I agree with Adam, I too have a problem with that part:

"Law enforcement and trademark protection representatives will be granted full access to puntCAT database. An IP white list will be established to provide full access to gather all data associated with any concrete domain name."

First - the Internet is a 0 dimensional universe that is not owned by any one nation. So what does the word "Law Enforcement" mean? American only - or ANY country. Seems to me that it would have to mean any country as all countries are theoretically equal on the Internet.

As the founder of the Church of Reality I'm someone who would be put to death in many countries of the world and I can not be subject to "law enforcement" of countries like Iran. The same is true to a lesser degree of all non-Islamic religions and possibly some version of Islam. I can not be subject to nations who consider my religions blasphemy.

As to trademark protection - I own the US Registered Trademark on the word "REALITY". Serial Number: 78735626. http://www.churchofreality.org/wisdom/trademark/

If I had special trademark enforcement powers owning the trademark on REALITY, well, I really don't think you should give me that kind of power. If I control REALITY on the Internet - wouldn't that make me a deity? I don't think that's a good idea.

ICANN and DNS is not about law enforcement, trademark, or intellectual property protection. It's not about protecting people's money. Our mission is to make the Internet work and nothing more. These issues are outside the scope of our mission and we need to draw a hard bright line and tell these people no.

On 1/21/2012 6:49 PM, Nicolas Adam wrote:

Very sharp cursory look. I also think those points need be raised.

Nicolas

On 1/21/2012 12:33 PM, Timothe Litt wrote:

I had a cursory look at the supporting documents for this. (http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)

In general, I think that the request moves practice in the right direction. However, I am somewhat concerned by the following language:

"Law enforcement and trademark protection representatives will be granted full access to puntCAT database. An IP white list will be established to provide full access to gather all data associated with any concrete domain name."

("IP" clearly means "IP address" if you read the whole document.)

A) What is a "trademark protection representative", and why are they granted equal access to the privacy-protected data of natural persons as law enforcement?

B) Why can't they use the webform proxy for contacting the domain owner, or present a case to law enforcement for access if the owner is unresponsive?

C) It also seems that both have the ability to troll thru the database at will for any purpose, without cause, judicial review or documenting when and why private information is accessed.

D) Note that this ability is based on IP address - not an X.509 certificate, password or any other user-specific security mechanism. Hence it is susceptible to IP spoofing, and access is not traceable to the individual accessing the data. This makes it difficult (impossible?) to hold anyone accountable for misuse of these privileges.

E) Also, disclosure is described as "opt-in (default option)" - as the following language in the document makes clear, privacy is not the default and must be requested. This is not consistent with maximizing privacy, and potentially introduces race conditions if establishing the privacy option is not atomic with registering a domain. For natural persons, privacy should be the default.

Thus, although this is a positive step in the direction of protecting the privacy of natural persons, there is room for improvement.

I leave to those more experienced in the politics of ICANN the political question of whether to take what's on offer now and fight the next battle later, or to raise these points in our comment on the current request.

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

-----Original Message-----
From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of Wendy Seltzer
Sent: Saturday, January 21, 2012 11:50
To: [log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments

.CAT proposes to revise its Registry agreement to support withholding of some WHOIS data by individuals who opt out. It will not offer this opt-out to legal persons.

I propose that NCSG support this amendment, with a simple: "NCSG supports the availability of WHOIS privacy options for natural persons. Accordingly, we support puntCAT's proposed amendment."

--Wendy

-------- Original Message --------
Subject: [council] .CAT WHOIS Proposed Changes - call for public comments
Date: Fri, 20 Jan 2012 14:08:05 -0800
From: Glen de Saint Géry <[log in to unmask]>
To: [log in to unmask]

http://www.icann.org/en/announcements/announcement-20jan12-en.htm

.CAT WHOIS Proposed Changes

Forum Announcement: Comment Period Opens on
Date: 20 January 2012
Categories/Tags: Contracted Party Agreements
Purpose (Brief):

ICANN is opening today the public comment period for the Fundacio puntCAT's request to change its Whois according to EU data protection legislation. The public comment period will be closed on 3 March 2012.

The .cat registry submitted a Registry Service Evaluation Process (RSEP) on August 2011.

At this time, ICANN has conducted a preliminary review in accordance with the Registry Services Evaluation Policy and process set forth at http://www.icann.org/registries/rsep/rsep.html. ICANN's preliminary review (based on the information provided) did not identify any significant competition, security, or stability issues.

The implementation of the request requires an amendment to the .cat Registry Agreement signed 23 September 2005. This public forum requests comments regarding the proposed amendment.

Public Comment Box Link: http://www.icann.org/en/public-comment/cat-whois-changes-18jan12-en.htm

Glen de Saint Géry
GNSO Secretariat
[log in to unmask]
http://gnso.icann.org