On 3/23/2012 11:21 AM, Lutz Donnerhacke wrote:
On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
Thank you for pointing to this document. To my honest surprise the paper asks the Law Enforcement Agencies to respect the laws in other countries and urges them to use cross-country law enforcement frameworks.
Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
That would depend on which country you are in :)

However, here is the problem: Currently we have grossly inaccurate and unvalidated WHOIS information we now wish to hide under privacy laws. The end result to that is that the ordinary user on the net will become more of a target than ever before. It is common to see some West African registrant claiming to live in another country, who in turn claims to be a business in a third like a bank, courier, lawyer etc. It is also not uncommon to link the real registrant whoever he is to credit card fraud and identity theft based upon the claimed whois details.

Also remember: Law enforcement officials will not examine each and every occurrence of fraud on the internet, they simply do not have the resources. Right now law enforcement depends on non-law enforcement parties to alert them to issues. WHOIS data is part of this process and law enforcement will lose access to a lot of these alerts. I find it ironical that so many whois abuse studies are done, yet so few studies on legitimate usage.

Also, say we have official channels to obtain data for criminals operating on the net, how long does it take before the reply gets back to law enforcement? What do you do if the reply is "Yogi Bear, 12 Yellowstone Park"? How much time and other resources would have been wasted? Remember some of these issues are also time sensitive. History has also shown a crisis in one country may not constitute a crisis in another country.

We do however need privacy and desperately so. So how do we get to it? We first need to resolve the current WHOIS mess, then we can throw a blanket of privacy over it. Doing it the wrong way around is a recipe for a disaster.

Also note a distinction is made between companies and individuals. So what will we do if we notice a domain like the-real-bank.info with web content claiming to be the-real-bank.com, yet the first is on cheap shared hosting and no security and with obfuscated WHOIS details? The real the-real-bank.com may act if it is phishing (targeting their clients), but history has shown the real owner tends to be less responsive if it's a 419 domain (not targeting their clients). What do we do if it is some-fictitious-bank.com that does not exist in reality (we see a lot of them)?

Privacy requires accountability - you cannot separate the two. Currently there is no accountability in the system. Once we fix that we are on the road to responsible privacy.

Derek