>>So what does the word "Law Enforcement" mean? American only - or ANY country. Seems to me that it would have to mean any country as all countries are theoretically equal on the Internet.

Fair point.  But the emphasis on American is misplaced in this case.  The stated context for the request is compliance with the EU's data privacy protection laws - which are somewhat different (stronger in most respects) than US law.  .cat is controlled by a Spanish entity.  So the US is involved only by treaty, international "law", and its special role in ICANN.  (Some countries are more equal than others - at least in practice.)
 
It's important that the whois privacy rules not rely implicitly on the EU (or any nation's) administrative rules/processes.  This is an area where a baseline standard should be established for all domains.  Domains providing more (or less) privacy to meet local law or other requirements must be required to prominently and clearly disclose deviations to applicants. 
 
Our comments on this will establish a precedent for similar requests from others - so we do need to be careful that they reflect a consistent set of principles that apply to all domains/registries.  Among these should be:
 
A presumption of privacy for natural persons - with clear disclosure of deviations from the standard prior to accepting data.
 
A mechanism (aka privacy proxy) that allows contacting the registrant (any of the whois contacts) promptly for legitimate purposes: administrative, technical, abuse, service of process - while maintaing the registrant/contacts' privacy.  This mechanism should be auditable - use should be logged and tracable.
 
The database containing the private data must be secure - protected by per-user security with each access to the private data logged and tracable back to the individual.  Data extracted from the database must be handled in the same way.
 
To the extent that "law enforcement" or others have access to the entire database, the allowable reasons for accessing data must be listed, with procedures for audit and review.  (Note that there are legitimate reasons for such access - e.g. find the physical address of a network disruptor, or identify all domains registered by a criminal enterprise.  Don't sidetrack on who defines "criminal".)
 
With respect to the comments on privacy for organizations - I understand the desire (e.g. a shelter for victims of abuse).  However, my understanding (I'm neither a lawyer nor resident in the EU) is that organizations are treated differently by the EU privacy law - and generally must disclose location and contact information.  We can't legislate or require registries to violate local law.  (That's what started this - current whois practice for individuals violates the EU data privacy laws!)  We can identify the need and require that the technical means be in place to protect the privacy of organizations.  We can also, as with natural persons, set a default standard and require disclosure of deviations.  However, I don't think we want to be in the business of lobbying for specific changes in local laws...
 

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

 


From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of Marc Perkel
Sent: Saturday, January 21, 2012 23:17
To: [log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments

I agree with Adam, I too have a problem with that part:

"Law enforcement and trademark protection representatives will be granted full access to puntCAT database. An IP white list will be established to provide full access to gather all data associated with any concrete domain name."

First - the Internet is a 0 dimensional universe that is not owned by any one nation. So what does the word "Law Enforcement" mean? American only - or ANY country. Seems to me that it would have to mean any country as all countries are theoretically equal on the Internet.

As the founder of the Church of Reality I'm someone who would be put to death in many countries of the world and I can not be subject to "law enforcement" of countries like Iran. The same is true to a lesser degree of all non-Islamic religions and possibly some version of Islam. I can not be subject to nations who consider my religions blasphemy. 

As to trademark protection - I own the US Registered Trademark on the word "REALITY". Serial Number: 78735626.

http://www.churchofreality.org/wisdom/trademark/

if I had special trademark enforcement powers owning the trademark on REALITY, well, I really don't think you should give me that kind of power. If I control REALITY on the Internet - wouldn't that make me a deity? I don't think that's a good idea.

ICANN and DNS is not about law enforcement, trademark, or intellectual property protection. It's not about protecting people's money. Our mission is to make the Internet work and nothing more.  These issues are outside the scope of our mission and we need to draw a hard bright line and tell these people no.


On 1/21/2012 6:49 PM, Nicolas Adam wrote:
[log in to unmask] type="cite">Very sharp cursory look. I also think those points need be raised.

Nicolas

On 1/21/2012 12:33 PM, Timothe Litt wrote:
I had a cursory look at the supporting documents for this.
(http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)

In general, I think that the request moves practice in the right direction.

However, I am somewhat concerned by the following language:

"Law enforcement and trademark protection representatives will be granted
full access to
puntCAT database. An IP white list will be established to provide full
access to gather all
data associated with any concrete domain name."

("IP" clearly means "IP address" if you read the whole document.)

A) What is a "trademark protection representative", and why are they granted
equal access to the privacy-protected data of natural persons as law
enforcement?

B) Why can't they use the webform proxy for contacting the domain owner, or
present a case to law enforcement for access if the owner is unresponsive?

C) It also seems that both have the ability to troll thru the database at
will for any purpose, without cause, judicial review or documenting when and
why private information is accessed.

D) Note that this ability is based on IP address - not an X.509 certificate,
password or any other user-specific security mechanism.  Hence is is
susceptible to IP spoofing, and access is not traceable to the individual
accessing the data.  This makes it difficult (impossible?) to hold anyone
accountable for misuse of these privileges.

E) Also, disclosure is described as "opt-in (default option)" - as the
following language in the document makes clear, privacy is not the default
and must be requested.  This is not consistent with maximizing privacy, and
potentially introduces race conditions if establishing the privacy option is
not atomic with registering a domain.  For natural persons, privacy should
be the default.

Thus, although this is a positive step in the direction of protecting the
privacy of natural persons, there is room for improvement.

I leave to those more experienced in the politics of ICANN the political
question of whether to take what's on offer now and fight the next battle
later, or to raise these points in our comment on the current request.


Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

-----Original Message-----
From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of Wendy
Seltzer
Sent: Saturday, January 21, 2012 11:50
To: [log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments

.CAT proposes to revise its Registry agreement to support withholding of
some WHOIS data by individuals who opt out. It will not offer this opt-out
to legal persons.

I propose that NCSG support this amendment, with a simple: "NCSG supports
the availability of WHOIS privacy options for natural persons.
Accordingly, we support puntCAT's proposed amendment."

--Wendy

-------- Original Message --------
Subject: [council] .CAT WHOIS Proposed Changes - call for public comments
Date: Fri, 20 Jan 2012 14:08:05 -0800
From: Glen de Saint Géry<[log in to unmask]>
To: [log in to unmask]<[log in to unmask]>

http://www.icann.org/en/announcements/announcement-20jan12-en.htm
.CAT WHOIS Proposed Changes

Forum Announcement: Comment Period Opens on Date: 20 January2012

Categories/Tags: Contracted Party Agreements

Purpose (Brief):

ICANN is opening today the public comment period for the Fundacio puntCAT's,
request to change its Whois according to EU data protection legislation. The
public comment period will be closed on 3 March 2012.

The .cat registry, submitted a Registry Service Evaluation Process
(RSEP) on August 2011.

At this time, ICANN has conducted a preliminary review in accordance with
the Registry Services Evaluation Policy and process set forth at
http://www.icann.org/registries/rsep/rsep.html. ICANN's preliminary review
(based on the information provided) did not identify any significant
competition, security, or stability issues.

The implementation of the request requires an amendment to the .cat Registry
Agreement signed 23 September 2005. This public forum requests comments
regarding the proposed amendment.
Public Comment Box Link:
http://www.icann.org/en/public-comment/cat-whois-changes-18jan12-en.htm

Glen de Saint Géry
GNSO Secretariat
[log in to unmask]<mailto:[log in to unmask]>
http://gnso.icann.org