<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19170"></HEAD>
<BODY bgColor=#ffffff text=#000000>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>>><FONT color=#000000 size=3
face="Times New Roman">So what does the word "Law Enforcement" mean? American
only - or ANY country. Seems to me that it would have to mean any country as all
countries are theoretically equal on the Internet. </FONT><BR><BR>Fair
point. But the emphasis on American is misplaced in this case. The
stated context for the request is compliance with the EU's data privacy
protection laws - which are somewhat different (stronger in most respects) than
US law. <STRONG>.cat</STRONG> is controlled by a Spanish entity. So
the US is involved only by treaty, international "law", and its special role in
ICANN. (Some countries are more equal than others - at least in
practice.)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>It's important that the whois privacy rules not rely
implicitly on the EU (or any nation's) administrative rules/processes.
This is an area where a baseline standard should be established for all
domains. Domains providing more (or less) privacy to meet local law or
other requirements must be required to prominently and clearly disclose
deviations to applicants. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>Our comments on this will establish a precedent for
similar requests from others - so we do need to be careful that they reflect a
consistent set of principles that apply to all domains/registries. Among
these should be:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>A presumption of privacy for natural persons - with
clear disclosure of deviations from the standard prior to accepting
data.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>A mechanism (aka privacy proxy) that allows contacting
the registrant (any of the whois contacts) promptly for legitimate purposes:
administrative, technical, abuse, service of process - while maintaining the
registrant/contacts' privacy. This mechanism should be auditable - use
should be logged and traceable.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>The database containing the private data must be secure
- protected by per-user security with each access to the private data logged and
traceable back to the individual. Data extracted from the database must be
handled in the same way.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>To the extent that "law enforcement" or others have
access to the entire database, the allowable reasons for accessing data must be
listed, with procedures for audit and review. (Note that there
<STRONG>are</STRONG> legitimate reasons for such access - e.g. find the physical
address of a network disruptor, or identify all domains registered by a criminal
enterprise. Don't sidetrack on who defines
"criminal".)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=851095610-22012012>With respect to the comments on privacy for
organizations - I understand the desire (e.g. a shelter for victims of
abuse). However, my understanding (I'm neither a lawyer nor resident in
the EU) is that organizations are treated differently by the EU privacy law
- and generally must disclose location and contact information. We can't
legislate or require registries to violate local law. (That's what started
this - current whois practice for individuals violates the EU data privacy
laws!) We <STRONG>can</STRONG> identify the need and require that the
technical means be in place to protect the privacy of organizations. We
can also, as with natural persons, set a default standard and require disclosure
of deviations. However, I don't think we want to be in the business of
lobbying for specific changes in local laws...</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2
face=Arial></FONT> </DIV><BR>
<P><FONT size=2><!-- Converted from text/plain format --></P>
<P><FONT size=2>Timothe Litt<BR>ACM Distinguished
Engineer<BR>---------------------------------------------------------<BR>This
communication may not represent the ACM or my employer's views,<BR>if any, on
the matters discussed.<BR><BR> </FONT> </P></FONT><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> NCSG-Discuss
[mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU] <B>On Behalf Of </B>Marc
Perkel<BR><B>Sent:</B> Saturday, January 21, 2012 23:17<BR><B>To:</B>
NCSG-DISCUSS@LISTSERV.SYR.EDU<BR><B>Subject:</B> Re: [NCSG-Discuss] .CAT WHOIS
Proposed Changes - call for public comments<BR></FONT><BR></DIV>
<DIV></DIV>I agree with Adam, I too have a problem with that
part:<BR><BR><B>"Law enforcement and trademark protection representatives will
be granted full access to puntCAT database. An IP white list will be established
to provide full access to gather all data associated with any concrete domain
name." </B><BR><BR>First - the Internet is a 0 dimensional universe that is not
owned by any one nation. So what does the word "Law Enforcement" mean? American
only - or ANY country. Seems to me that it would have to mean any country as all
countries are theoretically equal on the Internet. <BR><BR>As the founder of the
Church of Reality I'm someone who would be put to death in many countries of the
world and I can not be subject to "law enforcement" of countries like Iran. The
same is true to a lesser degree of all non-Islamic religions and possibly some
version of Islam. I can not be subject to nations who consider my religion
blasphemy. <BR><BR>As to trademark protection - I own the US Registered
Trademark on the word "REALITY". <B>Serial Number:</B><FONT color=#0000ff>
78735626. </FONT><BR><BR><A class=moz-txt-link-freetext
href="http://www.churchofreality.org/wisdom/trademark/">http://www.churchofreality.org/wisdom/trademark/</A><BR><BR>if
I had special trademark enforcement powers owning the trademark on REALITY,
well, I really don't think you should give me that kind of power. If I control
REALITY on the Internet - wouldn't that make me a deity? I don't think that's a
good idea.<BR><BR>ICANN and DNS is not about law enforcement, trademark, or
intellectual property protection. It's not about protecting people's money. Our
mission is to make the Internet work and nothing more. These issues are
outside the scope of our mission and we need to draw a hard bright line and tell
these people no.<BR><BR><BR>On 1/21/2012 6:49 PM, Nicolas Adam wrote:
<BLOCKQUOTE cite=mid:4F1B793C.7090405@gmail.com type="cite">Very sharp cursory
look. I also think those points need be raised. <BR><BR>Nicolas <BR><BR>On
1/21/2012 12:33 PM, Timothe Litt wrote: <BR>
<BLOCKQUOTE type="cite">I had a cursory look at the supporting documents for
this. <BR>(<A class=moz-txt-link-freetext
href="http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf">http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf</A>)
<BR><BR>In general, I think that the request moves practice in the right
direction. <BR><BR>However, I am somewhat concerned by the following
language: <BR><BR>"Law enforcement and trademark protection representatives
will be granted <BR>full access to <BR>puntCAT database. An IP white list
will be established to provide full <BR>access to gather all <BR>data
associated with any concrete domain name." <BR><BR>("IP" clearly means "IP
address" if you read the whole document.) <BR><BR>A) What is a "trademark
protection representative", and why are they granted <BR>equal access to the
privacy-protected data of natural persons as law <BR>enforcement? <BR><BR>B)
Why can't they use the webform proxy for contacting the domain owner, or
<BR>present a case to law enforcement for access if the owner is
unresponsive? <BR><BR>C) It also seems that both have the ability to troll
thru the database at <BR>will for any purpose, without cause, judicial
review or documenting when and <BR>why private information is accessed.
<BR><BR>D) Note that this ability is based on IP address - not an X.509
certificate, <BR>password or any other user-specific security
mechanism. Hence it is <BR>susceptible to IP spoofing, and access is
not traceable to the individual <BR>accessing the data. This makes it
difficult (impossible?) to hold anyone <BR>accountable for misuse of these
privileges. <BR><BR>E) Also, disclosure is described as "opt-in (default
option)" - as the <BR>following language in the document makes clear,
privacy is not the default <BR>and must be requested. This is not
consistent with maximizing privacy, and <BR>potentially introduces race
conditions if establishing the privacy option is <BR>not atomic with
registering a domain. For natural persons, privacy should <BR>be the
default. <BR><BR>Thus, although this is a positive step in the direction of
protecting the <BR>privacy of natural persons, there is room for
improvement. <BR><BR>I leave to those more experienced in the politics of
ICANN the political <BR>question of whether to take what's on offer now and
fight the next battle <BR>later, or to raise these points in our comment on
the current request. <BR><BR><BR>Timothe Litt <BR>ACM Distinguished Engineer
<BR>--------------------------------------------------------- <BR>This
communication may not represent the ACM or my employer's views, <BR>if any,
on the matters discussed. <BR><BR>-----Original Message----- <BR>From:
NCSG-Discuss [<A class=moz-txt-link-freetext
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU</A>]
On Behalf Of Wendy <BR>Seltzer <BR>Sent: Saturday, January 21, 2012 11:50
<BR>To: <A class=moz-txt-link-abbreviated
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">NCSG-DISCUSS@LISTSERV.SYR.EDU</A>
<BR>Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for
public <BR>comments <BR><BR>.CAT proposes to revise its Registry agreement
to support withholding of <BR>some WHOIS data by individuals who opt out. It
will not offer this opt-out <BR>to legal persons. <BR><BR>I propose that
NCSG support this amendment, with a simple: "NCSG supports <BR>the
availability of WHOIS privacy options for natural persons. <BR>Accordingly,
we support puntCAT's proposed amendment." <BR><BR>--Wendy <BR><BR>--------
Original Message -------- <BR>Subject: [council] .CAT WHOIS Proposed Changes
- call for public comments <BR>Date: Fri, 20 Jan 2012 14:08:05 -0800
<BR>From: Glen de Saint Géry<A class=moz-txt-link-rfc2396E
href="mailto:Glen@icann.org"><Glen@icann.org></A> <BR>To: <A
class=moz-txt-link-abbreviated
href="mailto:council@gnso.icann.org">council@gnso.icann.org</A><A
class=moz-txt-link-rfc2396E
href="mailto:council@gnso.icann.org"><council@gnso.icann.org></A>
<BR><BR><A class=moz-txt-link-freetext
href="http://www.icann.org/en/announcements/announcement-20jan12-en.htm">http://www.icann.org/en/announcements/announcement-20jan12-en.htm</A>
<BR>.CAT WHOIS Proposed Changes <BR><BR>Forum Announcement: Comment Period
Opens on Date: 20 January 2012 <BR><BR>Categories/Tags: Contracted Party
Agreements <BR><BR>Purpose (Brief): <BR><BR>ICANN is opening today the
public comment period for the Fundacio puntCAT's, <BR>request to change its
Whois according to EU data protection legislation. The <BR>public comment
period will be closed on 3 March 2012. <BR><BR>The .cat registry, submitted
a Registry Service Evaluation Process <BR>(RSEP) on August 2011. <BR><BR>At
this time, ICANN has conducted a preliminary review in accordance with
<BR>the Registry Services Evaluation Policy and process set forth at <BR><A
class=moz-txt-link-freetext
href="http://www.icann.org/registries/rsep/rsep.html">http://www.icann.org/registries/rsep/rsep.html</A>.
ICANN's preliminary review <BR>(based on the information provided) did not
identify any significant <BR>competition, security, or stability issues.
<BR><BR>The implementation of the request requires an amendment to the .cat
Registry <BR>Agreement signed 23 September 2005. This public forum requests
comments <BR>regarding the proposed amendment. <BR>Public Comment Box Link:
<BR><A class=moz-txt-link-freetext
href="http://www.icann.org/en/public-comment/cat-whois-changes-18jan12-en.htm">http://www.icann.org/en/public-comment/cat-whois-changes-18jan12-en.htm</A>
<BR><BR>Glen de Saint Géry <BR>GNSO Secretariat <BR><A
class=moz-txt-link-abbreviated
href="mailto:gnso.secretariat@gnso.icann.org">gnso.secretariat@gnso.icann.org</A><A
class=moz-txt-link-rfc2396E
href="mailto:gnso.secretariat@gnso.icann.org"><mailto:gnso.secretariat@gnso.icann.org></A>
<BR><A class=moz-txt-link-freetext
href="http://gnso.icann.org">http://gnso.icann.org</A>
<BR></BLOCKQUOTE><BR></BLOCKQUOTE></BODY></HTML>