ICC Policy Statement on Cross-Border Law Enforcement vs Privacy Laws
The Int'l Chamber of Commerce [ICC] has been mulling over the issues with cross-border law enforcement regarding privacy laws. They have issued a policy statement which reflects the position of participants from 95 companies, organizations and ICC national committees in 25 countries. Here it is: http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
- Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
Thank you for pointing to this document. To my honest surprise the paper asks the Law Enforcement Agencies to respect the laws in other countries and urges them to use cross-country law enforcement frameworks. Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
On 3/23/2012 11:21 AM, Lutz Donnerhacke wrote:
On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
Thank you for pointing to this document. To my honest surprise the paper asks the Law Enforcement Agencies to respect the laws in other countries and urges them to use cross-country law enforcement frameworks.
Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
That would depend on which country you are in :)
However, here is the problem: Currently we have grossly inaccurate and unvalidated WHOIS information we now wish to hide under privacy laws.
The end result to that is that the ordinary user on the net will become more of a target than ever before. It is common to see some West African registrant claiming to live in another country, in turn claims to be a business in a third like a bank, courier, lawyer etc. It is also not uncommon to link the real registrant whoever he is to credit card fraud and identity theft based upon the claimed whois details.
Also remember: Law enforcement officials will not examine each and every occurrence of fraud on the internet, they simply do not have the resources.
Right now law enforcement depends on non-law enforcement parties to alert them to issues. WHOIS data is part of this process and law enforcement will lose access to a lot of these alerts. I find it ironical that so many whois abuse studies are done, yet so few studies on legitimate usage.
Also, say we have official channels to obtain data for criminals operating on the net, how long does it take before the reply gets back to law enforcement? What do you do if the reply is "Yogi Bear, 12 Yellowstone Park"? How much time and other resources would have been wasted? Remember some of these issues are also time sensitive. History has also shown a crisis in one country may not constitute a crisis in another country.
We do however need privacy and desperately so. So how do we get to it?
We first need to resolve the current WHOIS mess, then we can throw a blanket of privacy over it. Doing it the wrong way around is a recipe for a disaster.
Also note distinction is made between companies and individuals. So what will we do if we notice a domain like the-real-bank.info with web content claiming to be the-real-bank.com, yet the first on cheap shared hosting and no security and with obfuscated WHOIS details. The real the-real-bank.com may act if it is phishing (targeting their clients), but history has shown the real owner tends to be less responsive if it's a 419 domain (not targeting their clients). What do we do if it is some-fictitious-bank.com that does not exist in reality (we see a lot of them)?
Privacy requires accountability - you cannot separate the two. Currently there is no accountability in the system. Once we fix that we are on the road to responsible privacy.
Derek
The ALAC Statement on the WHOIS RT Report should be posted by now. Check it out and you will find concurrence for all the elements you outlined; accurate WHOIS enforcement, binding privacy and/or proxy registrations.
- Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
On Fri, Mar 23, 2012 at 5:31 AM, Derek Smythe <derek@aa419.org> wrote:
On 3/23/2012 11:21 AM, Lutz Donnerhacke wrote:
On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
Thank you for pointing to this document. To my honest surprise the paper asks the Law Enforcement Agencies to respect the laws in other countries and urges them to use cross-country law enforcement frameworks.
Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
That would depend on which country you are in :)
However, here is the problem: Currently we have grossly inaccurate and unvalidated WHOIS information we now wish to hide under privacy laws.
The end result to that is that the ordinary user on the net will become more of a target than ever before. It is common to see some West African registrant claiming to live in another country, in turn claims to be a business in a third like a bank, courier, lawyer etc. It is also not uncommon to link the real registrant whoever he is to credit card fraud and identity theft based upon the claimed whois details.
Also remember: Law enforcement officials will not examine each and every occurrence of fraud on the internet, they simply do not have the resources.
Right now law enforcement depends on non-law enforcement parties to alert them to issues. WHOIS data is part of this process and law enforcement will lose access to a lot of these alerts. I find it ironical that so many whois abuse studies are done, yet so few studies on legitimate usage.
Also, say we have official channels to obtain data for criminals operating on the net, how long does it take before the reply gets back to law enforcement? What do you do if the reply is "Yogi Bear, 12 Yellowstone Park"? How much time and other resources would have been wasted? Remember some of these issues are also time sensitive. History has also shown a crisis in one country may not constitute a crisis in another country.
We do however need privacy and desperately so. So how do we get to it?
We first need to resolve the current WHOIS mess, then we can throw a blanket of privacy over it. Doing it the wrong way around is a recipe for a disaster.
Also note distinction is made between companies and individuals. So what will we do if we notice a domain like the-real-bank.info with web content claiming to be the-real-bank.com, yet the first on cheap shared hosting and no security and with obfuscated WHOIS details. The real the-real-bank.com may act if it is phishing (targeting their clients), but history has shown the real owner tends to be less responsive if it's a 419 domain (not targeting their clients). What do we do if it is some-fictitious-bank.com that does not exist in reality (we see a lot of them)?
Privacy requires accountability - you cannot separate the two. Currently there is no accountability in the system. Once we fix that we are on the road to responsible privacy.
Derek
Personally it was not surprising to me. Just about every business I know considers web resources as assets. So for them, 'search and/or seizure' in the virtual world and any charge on their 'good will' capital have the same impact as would be experienced in the 'brick and mortar' world. Plainly, bad for business.
The ALAC WHOIS position embraces several principles:
1) a contract as a worthy vehicle to express a consensus policy
2) contract enforcement as a responsible tool for conservation of a consensus policy
3) equal weight to proxy and/or privacy registrations presumed on informed consent with strict liability.
In effect, the ALAC posture is for enforcement of Clause 3 of the RAA now in force, predicated on informed consent at collection. This Clause commits the Registrar to collect certain data elements (*the dataset*) and to make them available for public inquiry with certain limitations and exceptions, all outlined in sections of that Clause. The dataset at issue consists of the following elements:
1. The name of the Registered Name;
2. The names of the primary nameserver and secondary nameserver(s) for the Registered Name;
3. The identity of Registrar;
4. The original creation date of the registration;
5. The expiration date of the registration;
6. The name and postal address of the Registered Name Holder;
7. The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name;
8. The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.
The controversy surrounding privacy in our community is centred on the collection, processing and access to elements 1, 6, 7, 8, especially the finer sub-elements of 6, 7 and 8 and the extent to which these must be faithfully recorded and be accessible.
- Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
On Fri, Mar 23, 2012 at 4:21 AM, Lutz Donnerhacke <lutz@iks-jena.de> wrote:
On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_f...
Thank you for pointing to this document. To my honest surprise the paper asks the Law Enforcement Agencies to respect the laws in other countries and urges them to use cross-country law enforcement frameworks.
Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
Breaking it down to WHOIS, it declares the "global, unrestricted access to complete data" as a violation of data protection and privacy laws.
No, it doesn't. The word "WHOIS" doesn't appear in the document, so it doesn't say anything at all about WHOIS.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
participants (4): Carlton Samuels, Derek Smythe, John R. Levine, Lutz Donnerhacke