I returned to the page and saw that it was garbled and that some of my markup
was missing. So this technology isn't reliable.
I attempted to re-create what I produced, and have pasted it here. This loses
the colors, but at least it preserves the text.
I hope I got it all - really have to run now...
The NCxy wishes to express its support for puntCAT's proposed amendment that
would allow natural persons an opt out measure by which some WHOIS data would
be withheld.
We recognize that this proposed amendment is intended to enable puntCAT to
comply with EU data privacy laws. However, it raises broader issues that we
believe should also be considered at this time to establish general policy for
all domains. In addition, we have some technical concerns with the proposal.
We do not believe this request goes far
enough in terms of
We also, however, want to state that we do not believe this request goes far
enough in terms of offering the opt-out opportunity. The NCxy believes there
are several types of institution that require a similar opportunity. Among
those institutional types are organizations that:
- deal with political freedoms,
- deal with religious freedoms,
- deal with sexual preference and expression,
- deal with political minorities,
- deal with religious minorities,
- parents groups that deal with children's activities such as sports teams,
  home-schooling and other childcare issues.
Whether or not
these organizations have suitable protections under EU law, we believe that the
technical means for providing them data privacy should be incorporated into
WHOIS as part of this proposal. This will allow consistent implementation
of these protections in jurisdictions where they are allowed/required without
another change to WHOIS.
The generally
accepted practice for data privacy is to opt-in to sharing private information;
this proposal defaults to sharing (e.g. is an opt-out mechanism.) The
default should be not to share. In any case, care should be taken to
ensure that data is not shared between the time it is provided and the first
opportunity that the submitter has to specify "do not share."
Additionally the NCxy is concerned by several aspects of the request that
allow law enforcement and trademark enforcement unbridled access without prior
due process provisions ...
Access to private data should require a reason that is logged with each
access. While the allowable reasons may vary by jurisdiction, they must be
disclosed to the registrant before private data is accepted. The subject of
the private data should be notified of such access promptly (delayed if a
competent authority rules that notification would impede a criminal
investigation).
The submitter of private data must be able
to validate that the data submitted is correctly displayed by the WHOIS system,
despite the privacy controls.
The proposal incorporates a whitelist of IP addresses to allow "Law
Enforcement" and others unrestricted access to private data. IP addresses are
not a sufficient security mechanism for personal data. IP addresses can be
spoofed. Further, IP addresses do not provide sufficient granularity or
traceability of access. Current practice requires that accesses to private
data must be traceable to a specific individual to provide the capability for
audit as well as individual accountability for data use. Thus, access should
be controlled by individual account privileges - e.g. using
username/passwords, X.509 certificates, physical tokens or the like.
We do not understand what a "trademark protection representative" is, nor why
such representatives should have the same access to private data as do law
enforcement representatives. We believe that the current trademark protection
regime offered in the context of gTLDs (old and new) is sufficient to deal
with issues of infringement. Trademark protection representatives should be
able to use the webform proxy to contact registrants, or involve law
enforcement as necessary. Why is this not sufficient?
- And, here there should be a clear
distinction - Law enforcement and trademark enforcement constitute different
things serving different purposes. Whilst NCxx is concerned about the degree
of information provided to law enforcement agencies, at the same time, we are
more concerned about data provided for trademark enforcement purposes. We
believe that the current trademark protection regime offered in the context of
gTLDs (old and new) is sufficient to deal with issues of infringement and,
thus, no more information should be provided about domain name
registrants.
--- Email
References----useful for cutting and pasting-- to be deleted or at least not
included---
.CAT proposes to
revise its Registry agreement to support withholding of
some WHOIS data
by individuals who opt out. It will not offer this
opt-out to legal
persons.
I propose that
NCSG support this amendment, with a simple: "NCSG
supports the
availability of WHOIS privacy options for natural persons.
Accordingly, we
support puntCAT's proposed amendment."
--Wendy
---
I agree, but I
wonder whether it is worth suggesting something that goes one step
further, the protection of some legal persons (mostly NGO and other civil
society orgs) whose day to day operations are concerned with protecting natural
persons facing a variety of physical threats.
So, I suggest we
support, but say it does not go far enough.
(have not read it
yet, going on your abstract - if they do have such an exception - i
support it all the way)
avri
----
I had a cursory
look at the supporting documents for this.
In general, I
think that the request moves practice in the right direction.
However, I am
somewhat concerned by the following language:
"Law enforcement
and trademark protection representatives will be granted
full access
to
puntCAT database.
An IP white list will be established to provide full
access to gather
all
data associated
with any concrete domain name."
("IP" clearly
means "IP address" if you read the whole document.)
A) What is a
"trademark protection representative", and why are they granted
equal access to
the privacy-protected data of natural persons as law
enforcement?
B) Why can't they
use the webform proxy for contacting the domain owner, or
present a case to
law enforcement for access if the owner is unresponsive?
C) It also seems
that both have the ability to troll thru the database at
will for any
purpose, without cause, judicial review or documenting when and
why private
information is accessed.
D) Note that this
ability is based on IP address - not an X.509 certificate,
password or any
other user-specific security mechanism. Hence it is
susceptible to IP
spoofing, and access is not traceable to the individual
accessing the
data. This makes it difficult (impossible?) to hold anyone
accountable for
misuse of these privileges.
E) Also,
disclosure is described as "opt-in (default option)" - as the
following
language in the document makes clear, privacy is not the default
and must be
requested. This is not consistent with maximizing privacy,
and
potentially
introduces race conditions if establishing the privacy option is
not atomic with
registering a domain. For natural persons, privacy should
be the
default.
Thus, although
this is a positive step in the direction of protecting the
privacy of
natural persons, there is room for improvement.
I leave to those
more experienced in the politics of ICANN the political
question of
whether to take what's on offer now and fight the next battle
later, or to
raise these points in our comment on the current request.
Timothe
Litt
ACM
Distinguished Engineer
---
I think this is a very dangerous slippery slope. Natural persons deserve
privacy, yes, and that is completely consistent with the EU Data Protection
Directive. But in the US and other places around the world Organizations
deserve privacy protection too. If we give this up now, we will never get it
back.
I strongly agree with Avri that the organizations that protect natural persons
are important, and so too are the organizations that deal with political
freedoms, religious freedoms, political minorities, religious minorities, and
even organizations who are parents organizing baseball teams, soccer teams and
home-schooling groups. Organizations are the **perfect example** of what a
Noncommercial Message does **not need to be tied into a Physical Address in a
Globally Available Database.**
What law
enforcement really cares about is using the Whois to track down those who do
e-commerce deals and then cheat someone. That's fair, and I and others are
working on ways to help them with very narrowly-tailored policies. But that does
not mean that we give up the Privacy of those engaged in Noncommercial Conduct
or simply ordinary conduct (and in the US, that includes Organizations engaged
in an array of protected speech -- note: we had a case where law enforcement
wanted all the members of an NAACP branch, "a civil rights organization for
ethnic minorities in the United States," and the answer was "no" on privacy
grounds - organizations have rights of privacy and speakers of all types,
including those banded together in organizations have privacy in their
contentious, minority speech.)
Please know:
that there is an ongoing move in the gTLDs to eliminate proxy and privacy
services, and if they prevail (now or 10 years from now), we will be left with
only the slim protections, if any, in the ICANN Whois database. So yes, if
.CAT (Catalonia, Spain) wants privacy for its individuals, that's great. But it
sets a precedent for all gTLDs, and in that precedent, we need all Organizations
not actively engaged in e-commerce protected too.
Big sigh, as
that is a lot to talk about. I have lived Whois policies for the last year as
Vice-Chair of the Whois Review Team, and for 10 years before that as one of the
diligent NCUC reps on Whois Task Forces (including Milton, Wendy,
Robin).
As a policy
matter, I would ask that our NCUC leaders strongly urge .CAT to modify its
proposal to offer privacy protection for all noncommercial organizations that
request it, too, as a condition of our support.
Best, Kathy
(Kleiman)
Co-Founder,
NCUC
Vice-Chair,
Whois Review Team
---
On this point,
there are a couple of US cases that are relevant.
In NAACP v.
Alabama (1958) the US Supreme Court held that
the state of
Alabama could not force the disclosure of the NAACP
membership
lists. The Court said that the right to freedom of
association
would be limited if the names of members of
unpopular
organizations could be obtained by the government.
This is a very
influential opinion that also contributed to later
decisions
protecting anonymous speech as a part of freedom
of
expression.
More recently, the US Supreme Court held in an open government case that AT&T
could not claim a right of "personal privacy." Corporations, though they may
be "legal persons", do not have a right of "personal privacy."
Obviously, we
believe there should be strong privacy
safeguards for
individuals as opposed to corporations.
But it may be
worth considering, in the context of ICANN
and WHOIS,
whether political associations are entitled
to some privacy
rights, given the close relationship to the
exercise of
political freedom.
This would seem
to be a reasonable position for the NCSG
to put
forward.
Regards to
all,
Marc
Rotenberg.
PS Press
associations also, in some contexts, are entitled
to greater
privacy rights
>>So what
does the word "Law Enforcement" mean? American only - or ANY country. Seems to
me that it would have to mean any country as all countries are theoretically
equal on the Internet.
Fair
point. But the emphasis on American is misplaced in this case. The
stated context for the request is compliance with the EU's data privacy
protection laws - which are somewhat different (stronger in most respects) than
US law. .cat is controlled by a Spanish entity. So
the US is involved only by treaty, international "law", and its special role in
ICANN. (Some countries are more equal than others - at least in
practice.)
It's important
that the whois privacy rules not rely implicitly on the EU (or any nation's)
administrative rules/processes. This is an area where a baseline standard
should be established for all domains. Domains providing more (or less)
privacy to meet local law or other requirements must be required to prominently
and clearly disclose deviations to applicants.
Our comments on
this will establish a precedent for similar requests from others - so we do need
to be careful that they reflect a consistent set of principles that apply to all
domains/registries. Among these should be:
- A presumption of privacy for natural persons - with clear disclosure of
  deviations from the standard prior to accepting data.
- A mechanism (aka privacy proxy) that allows contacting the registrant (any
  of the whois contacts) promptly for legitimate purposes: administrative,
  technical, abuse, service of process - while maintaining the
  registrant/contacts' privacy. This mechanism should be auditable - use
  should be logged and traceable.
- The database containing the private data must be secure - protected by
  per-user security with each access to the private data logged and traceable
  back to the individual. Data extracted from the database must be handled in
  the same way.
- To the extent that "law enforcement" or others have access to the entire
  database, the allowable reasons for accessing data must be listed, with
  procedures for audit and review. (Note that there are legitimate reasons
  for such access - e.g. find the physical address of a network disruptor, or
  identify all domains registered by a criminal enterprise. Don't sidetrack
  on who defines "criminal".)
With respect to
the comments on privacy for organizations - I understand the desire (e.g. a
shelter for victims of abuse). However, my understanding (I'm neither a
lawyer nor resident in the EU) is that organizations are treated differently by
the EU privacy law - and generally must disclose location and contact
information. We can't legislate or require registries to violate local
law. (That's what started this - current whois practice for individuals
violates the EU data privacy laws!) We can identify the need and require that the
technical means be in place to protect the privacy of organizations. We
can also, as with natural persons, set a default standard and require disclosure
of deviations. However, I don't think we want to be in the business of
lobbying for specific changes in local laws...
Timothe
Litt
ACM
Distinguished Engineer
---------------------------------------------------------
This
communication may not represent the ACM or my employer's views,
if any, on the
matters discussed.
---------------------------------------------------------
This
communication may not represent my employer's views,
if any, on the matters
discussed.
-----Original Message-----
From: NCSG-Discuss [mailto:[log in to unmask]]
On Behalf Of Timothe Litt
Sent: Monday, January 23, 2012 07:03
To:
[log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed
Changes - call for public comments - Think hard!!
I added my last e-mail
to the end, and also marked up the draft. Note that for some reason, all
of my markup was not colored.
My markup isn't polished, and I don't think
it has everything from my comments, but it's a start - and all I have time for
at the moment. I do think that it ought to start with a statement of
principles (e.g. something like what I started in my last e-mail).
I hope
that this is helpful. Feel free to make further changes & I'll try to
check in again later.
Timothe Litt
ACM Distinguished
Engineer
---------------------------------------------------------
This
communication may not represent the ACM or my employer's views, if any, on the
matters discussed.
-----Original Message-----
From: NCSG-Discuss
[mailto:[log in to unmask]]
On Behalf Of Konstantinos Komaitis
Sent: Monday, January 23, 2012
04:40
To: [log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT
WHOIS Proposed Changes - call for public comments - Think hard!!
Thanks
Avri for taking a lead on this - I have added a small paragraph on trademark
enforcement. I really hope we get to do this and I would like to repeat if there
is any objection in sending this as an NCSG
position.
Thanks
KK
Dr. Konstantinos
Komaitis,
Senior Lecturer,
Director of Postgraduate Instructional
Courses Director of LLM Information Technology and Telecommunications Law
University of Strathclyde, The Law School, Graham Hills building, 50 George
Street, Glasgow G1 1BA UK
tel: +44 (0)141 548 4306
http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulation-isbn9780415477765
Selected
publications:
http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
Website:
www.komaitis.org
-----Original Message-----
From: NCSG-Discuss [mailto:[log in to unmask]]
On Behalf Of Avri Doria
Sent: Sunday, 22 January 2012 1:40 PM
To:
[log in to unmask]
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed
Changes - call for public comments - Think hard!!
http://openetherpad.org/8hyZwpLw9P
On
22 Jan 2012, at 08:31, Avri Doria wrote:
> On 22 Jan 2012, at 06:09,
Konstantinos Komaitis wrote:
>
>> These are all great
observations and thanks for bringing them
>> forward. I
also agree
with Avri, Kathy, Marc and others.
>>
>> Would it be
possible for someone who has already contributed to this
>> list
to
also write a brief statement and send it to the list for endorsement? It would
be ideal if it could be a NCSG statement, but in any case it looks like it can
be a NCUC one.
>
>
> I am willing to work on one with
others. Perhaps someone can start by
> collecting the contents into
an etherpad of some politically
> acceptable kind <http://etherpad.org/public-sites/>
(speaking of
> which, do any of the members host an
etherpad?)
>
> With 10 Feb being the deadline for submission, when
would such a draft
need to be available for the NC-membership review in order
to not need a last minute heroic effort from one of the
NCstewards..
>
> avri