<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META content="text/html; charset=iso-8859-7" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19170"></HEAD>
<BODY><!-- Converted from text/plain format -->
<P><FONT size=2>I returned to the page and saw that it was garbled and that some
of my markup was missing. So this technology isn't reliable.<BR><BR>I
attempted to re-create what I produced, and have pasted it here. This
loses the colors, but at least it preserves the text.<BR></FONT></P>
<P><FONT size=2><FONT color=#0000ff face=Arial>I hope I got it all - really have
to run now...</FONT><BR><BR></P>
<DIV id=magicdomid2 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid3><SPAN class=author-g-0qjpkz122zuh8wirqosk>The NCxy wishes to
express its support for punctCat's proposed amendment that would allow natural
persons an opt out measure by which some WHOIS data would be
withheld. </SPAN></DIV>
<DIV id=magicdomid4 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid188 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>We recognize that this proposed ammendement
is intended to enable punctCaat to comply with EU data privacy laws.
However, it raises broader issues that we believe should also be considered at
this time to establish general policy for all domains. In addition, we
have some technical concerns with the proproposal.</SPAN></DIV>
<DIV id=magicdomid190 class=ace-line _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid501 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>We do not believe this request goes far
enough in terms of </SPAN></DIV>
<DIV id=magicdomid6 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid239 class=ace-line><SPAN
class="author-g-0qjpkz122zuh8wirqosk s"><S>We also, however want to state that
we do not beleive this request goes far enough in terms of </S></SPAN><SPAN
class=author-g-0qjpkz122zuh8wirqosk>offering the opt-out opportunity. The
NCxy believes there are several types of institution that require a similar
opportunity. Among those institutional types are organizations
that:</SPAN></DIV>
<DIV id=magicdomid8 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid9>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>protect natural
persons </SPAN></LI></UL></DIV>
<DIV id=magicdomid10>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>deal with political
freedoms, </SPAN></LI></UL></DIV>
<DIV id=magicdomid11>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>deal with religious
freedoms, </SPAN></LI></UL></DIV>
<DIV id=magicdomid12>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>deal with sexual preference and
expression,</SPAN></LI></UL></DIV>
<DIV id=magicdomid13>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>deal with political
minorities, </SPAN></LI></UL></DIV>
<DIV id=magicdomid14>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>deal with religious
minorities, </SPAN></LI></UL></DIV>
<DIV id=magicdomid15>
<UL class=list-bullet1>
<LI><SPAN class=author-g-0qjpkz122zuh8wirqosk>parents groups that deal with
children's activities such as sports teams, home-schooling and other childcare
issues. </SPAN></LI></UL></DIV>
<DIV id=magicdomid16 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid17 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid18><SPAN class=author-g-ktd32g8mb3qelz122zwr>Whether or not
these organizations have suitable protections under EU law, we believe that the
technical means for providing them data privacy should be incorporated into
WHOIS as part of this proposal. This will allow consistent implementation
of these protections in jurisdictions where they are allowed/required without
another change to WHOIS.</SPAN></DIV>
<DIV id=magicdomid19 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid20><SPAN class=author-g-ktd32g8mb3qelz122zwr>The generally
accepted practice for data privacy is to opt-in to sharing private information;
this proposal defaults to sharing (e.g. is an opt-out mechanism.) The
default should be not to share. In any case, care should be taken to
ensure that data is not shared between the time it is provided and the first
opportunity that the submitter has to specify "do not share." </SPAN></DIV>
<DIV id=magicdomid502 class=ace-line _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid21><SPAN class=author-g-0qjpkz122zuh8wirqosk>Additionally the
NCxy is concerned by several aspects of the request that allow law
enforcement and trademark enforcement unbridled access without prior due
process provisions ...</SPAN></DIV>
<DIV id=magicdomid22 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid892 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>Access to private data should require a
reason that is logged with each access. While the allowable reasons may
vary by jurisdiction, they must be disclosed to the registrant before
private data is accepted. The subject of the the private data should
be notified of such access promptly (delayed if a competent authority rules that
notification would impede a criminal investigation).</SPAN></DIV>
<DIV id=magicdomid760 class=ace-line _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid889 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>The submitter of private data must be able
to validate that the data submitted is correctly displayed by the WHOIS system,
despite the privacy controls.</SPAN></DIV>
<DIV id=magicdomid883 class=ace-line _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid23><SPAN class=author-g-ktd32g8mb3qelz122zwr>The propsal
incorporates a whitelist of IP addresses to allow "Law Enforcement" and others
unrestricted access to private data. IP addresses are not a sufficient
security mechanism for personal data. IP addresses can be spoofed.
Further, IP addresses do not provide sufficient granularity or tracability of
access. Current practice requires that accesses to private data must be
tracable to a specific individual to provide the capability for audit as well as
individual accountability for data use. Thus, access should be controlled
by individual account privileges - e.g. using username/passwords, X..509
certificates, physical tokens or the like.</SPAN></DIV>
<DIV id=magicdomid240 class=ace-line _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid499 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>We do not understand what a "trademark
protection representative" is, nor why such representatives should have the same
access to private data as do law enforcement repreeresentatives. We
believe that the current trademark protection regime offered in the context of
gTLDs (old and new) is sufficient to deal with issues of infringement.
Trademark protection representatives should be able to use the webform proxy to
contact registrants, or involve law enforcement as necessary. Why is this
not sufficient?</SPAN></DIV>
<DIV id=magicdomid500 class=ace-line><SPAN
class=author-g-ktd32g8mb3qelz122zwr>
<HR>
</SPAN></DIV>
<DIV id=magicdomid25>
<UL class=list-bullet1>
<LI><SPAN class=author-g-85r43r07k6b6elvj>And, here there should be a clear
distinction - Law enforcement and trademark enforcement constitute different
things serving different purposes. Whilst NCxx is concerned about the degree
of information provided to law enforcement agencies, at the same time, we are
more concerned about data provided for trademark enforcement purposes. We
believe that the current trademark protection regime offered in the context of
gTLDs (old and new) is sufficient to deal with issues of infringement and,
thus, no more information should be provided about domain name
registrants. </SPAN></LI></UL></DIV>
<DIV id=magicdomid26 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid27 _magicdom_shouldBeEmpty="true"><FONT color=#0000ff
face=Arial></FONT> </DIV>
<DIV id=magicdomid28><SPAN class=author-g-0qjpkz122zuh8wirqosk>--- Email
References----useful for cutting and pasting-- to be deleted or at least not
included---</SPAN></DIV>
<DIV id=magicdomid29 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid30 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid31><SPAN class=author-g-0qjpkz122zuh8wirqosk>.CAT proposes to
revise its Registry agreement to support withholding of</SPAN></DIV>
<DIV id=magicdomid32><SPAN class=author-g-0qjpkz122zuh8wirqosk>some WHOIS data
by individuals who opt out. It will not offer this</SPAN></DIV>
<DIV id=magicdomid33><SPAN class=author-g-0qjpkz122zuh8wirqosk>opt-out to legal
persons.</SPAN></DIV>
<DIV id=magicdomid34 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid35><SPAN class=author-g-0qjpkz122zuh8wirqosk>I propose that
NCSG support this amendment, with a simple: "NCSG</SPAN></DIV>
<DIV id=magicdomid36><SPAN class=author-g-0qjpkz122zuh8wirqosk>supports the
availability of WHOIS privacy options for natural persons.</SPAN></DIV>
<DIV id=magicdomid37><SPAN class=author-g-0qjpkz122zuh8wirqosk>Accordingly, we
support puntCAT's proposed amendment."</SPAN></DIV>
<DIV id=magicdomid38 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid39><SPAN
class=author-g-0qjpkz122zuh8wirqosk>--Wendy</SPAN></DIV>
<DIV id=magicdomid40 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid41><SPAN class=author-g-0qjpkz122zuh8wirqosk>---</SPAN></DIV>
<DIV id=magicdomid42 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid43 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid44><SPAN class=author-g-0qjpkz122zuh8wirqosk>I agree, but I
wonder whether it is worth suggesting something that goes one step
further, the protection of some legal persons (mostly NGO and other civil
society orgs) whose day to day operations are concerned with protecting natural
persons facing a variety of physical threats.</SPAN></DIV>
<DIV id=magicdomid45 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid46><SPAN class=author-g-0qjpkz122zuh8wirqosk>So, I suggest we
support, but say it does not go far enough.</SPAN></DIV>
<DIV id=magicdomid47 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid48><SPAN class=author-g-0qjpkz122zuh8wirqosk>(have not read it
yet, going on your abstract - if they do have such an exception - i
support it all the way)</SPAN></DIV>
<DIV id=magicdomid49 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid50><SPAN class=author-g-0qjpkz122zuh8wirqosk>avri</SPAN></DIV>
<DIV id=magicdomid51 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid52><SPAN class=author-g-0qjpkz122zuh8wirqosk>----</SPAN></DIV>
<DIV id=magicdomid53 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid54><SPAN class=author-g-0qjpkz122zuh8wirqosk>I had a cursory
look at the supporting documents for this.</SPAN></DIV>
<DIV id=magicdomid55><SPAN class=author-g-0qjpkz122zuh8wirqosk>(</SPAN><SPAN
class="author-g-0qjpkz122zuh8wirqosk url"><A
href="http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)">http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)</A></SPAN></DIV>
<DIV id=magicdomid56 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid57><SPAN class=author-g-0qjpkz122zuh8wirqosk>In general, I
think that the request moves practice in the right direction.</SPAN></DIV>
<DIV id=magicdomid58 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid59><SPAN class=author-g-0qjpkz122zuh8wirqosk>However, I am
somewhat concerned by the following language:</SPAN></DIV>
<DIV id=magicdomid60 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid61><SPAN class=author-g-0qjpkz122zuh8wirqosk>"Law enforcement
and trademark protection representatives will be granted</SPAN></DIV>
<DIV id=magicdomid62><SPAN class=author-g-0qjpkz122zuh8wirqosk>full access
to</SPAN></DIV>
<DIV id=magicdomid63><SPAN class=author-g-0qjpkz122zuh8wirqosk>puntCAT database.
An IP white list will be established to provide full</SPAN></DIV>
<DIV id=magicdomid64><SPAN class=author-g-0qjpkz122zuh8wirqosk>access to gather
all</SPAN></DIV>
<DIV id=magicdomid65><SPAN class=author-g-0qjpkz122zuh8wirqosk>data associated
with any concrete domain name."</SPAN></DIV>
<DIV id=magicdomid66 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid67><SPAN class=author-g-0qjpkz122zuh8wirqosk>("IP" clearly
means "IP address" if you read the whole document.)</SPAN></DIV>
<DIV id=magicdomid68 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid69><SPAN class=author-g-0qjpkz122zuh8wirqosk>A) What is a
"trademark protection representative", and why are they granted</SPAN></DIV>
<DIV id=magicdomid70><SPAN class=author-g-0qjpkz122zuh8wirqosk>equal access to
the privacy-protected data of natural persons as law</SPAN></DIV>
<DIV id=magicdomid71><SPAN
class=author-g-0qjpkz122zuh8wirqosk>enforcement? </SPAN></DIV>
<DIV id=magicdomid72 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid73><SPAN class=author-g-0qjpkz122zuh8wirqosk>B) Why can't they
use the webform proxy for contacting the domain owner, or</SPAN></DIV>
<DIV id=magicdomid74><SPAN class=author-g-0qjpkz122zuh8wirqosk>present a case to
law enforcement for access if the owner is unresponsive?</SPAN></DIV>
<DIV id=magicdomid75 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid76><SPAN class=author-g-0qjpkz122zuh8wirqosk>C) It also seems
that both have the ability to troll thru the database at</SPAN></DIV>
<DIV id=magicdomid77><SPAN class=author-g-0qjpkz122zuh8wirqosk>will for any
purpose, without cause, judicial review or documenting when and</SPAN></DIV>
<DIV id=magicdomid78><SPAN class=author-g-0qjpkz122zuh8wirqosk>why private
information is accessed. </SPAN></DIV>
<DIV id=magicdomid79 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid80><SPAN class=author-g-0qjpkz122zuh8wirqosk>D) Note that this
ability is based on IP address - not an X.509 certificate,</SPAN></DIV>
<DIV id=magicdomid81><SPAN class=author-g-0qjpkz122zuh8wirqosk>password or any
other user-specific security mechanism. Hence is is</SPAN></DIV>
<DIV id=magicdomid82><SPAN class=author-g-0qjpkz122zuh8wirqosk>susceptible to IP
spoofing, and access is not traceable to the individual</SPAN></DIV>
<DIV id=magicdomid83><SPAN class=author-g-0qjpkz122zuh8wirqosk>accessing the
data. This makes it difficult (impossible?) to hold anyone</SPAN></DIV>
<DIV id=magicdomid84><SPAN class=author-g-0qjpkz122zuh8wirqosk>accountable for
misuse of these privileges.</SPAN></DIV>
<DIV id=magicdomid85 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid86><SPAN class=author-g-0qjpkz122zuh8wirqosk>E) Also,
disclosure is described as "opt-in (default option)" - as the</SPAN></DIV>
<DIV id=magicdomid87><SPAN class=author-g-0qjpkz122zuh8wirqosk>following
language in the document makes clear, privacy is not the default</SPAN></DIV>
<DIV id=magicdomid88><SPAN class=author-g-0qjpkz122zuh8wirqosk>and must be
requested. This is not consistent with maximizing privacy,
and</SPAN></DIV>
<DIV id=magicdomid89><SPAN class=author-g-0qjpkz122zuh8wirqosk>potentially
introduces race conditions if establishing the privacy option is</SPAN></DIV>
<DIV id=magicdomid90><SPAN class=author-g-0qjpkz122zuh8wirqosk>not atomic with
registering a domain. For natural persons, privacy should</SPAN></DIV>
<DIV id=magicdomid91><SPAN class=author-g-0qjpkz122zuh8wirqosk>be the
default.</SPAN></DIV>
<DIV id=magicdomid92 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid93><SPAN class=author-g-0qjpkz122zuh8wirqosk>Thus, although
this is a positive step in the direction of protecting the</SPAN></DIV>
<DIV id=magicdomid94><SPAN class=author-g-0qjpkz122zuh8wirqosk>privacy of
natural persons, there is room for improvement. </SPAN></DIV>
<DIV id=magicdomid95 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid96><SPAN class=author-g-0qjpkz122zuh8wirqosk>I leave to those
more experienced in the politics of ICANN the political</SPAN></DIV>
<DIV id=magicdomid97><SPAN class=author-g-0qjpkz122zuh8wirqosk>question of
whether to take what's on offer now and fight the next battle</SPAN></DIV>
<DIV id=magicdomid98><SPAN class=author-g-0qjpkz122zuh8wirqosk>later, or to
raise these points in our comment on the current request.</SPAN></DIV>
<DIV id=magicdomid99 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid100 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid101><SPAN class=author-g-0qjpkz122zuh8wirqosk>Timothe
Litt</SPAN></DIV>
<DIV id=magicdomid102><SPAN class=author-g-0qjpkz122zuh8wirqosk>ACM
Distinguished Engineer</SPAN></DIV>
<DIV id=magicdomid103 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid104><SPAN class=author-g-0qjpkz122zuh8wirqosk>---</SPAN></DIV>
<DIV id=magicdomid105 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid106><SPAN class=author-g-0qjpkz122zuh8wirqosk>I think this is
a very dangerous slippery slope. Natural persons deserve privacy, yes, and that
completely consistent with the EU Data Protection Directive. But in the US
and other places around the world Organizations deserve privacy protection
too. If we give this up now, we will never get it back.</SPAN></DIV>
<DIV id=magicdomid107 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid108><SPAN class=author-g-0qjpkz122zuh8wirqosk>I strongly agree
with Avri that the organizations that protect natural persons are important, and
so too are the organizations that deal with political freedoms, religious
freedoms, political minorities, religious minorities, and even organizations who
are parents organizing baseball teams, soccer teams and home-schooling
groups. Organizations are the **perfect example** of what a Noncommercial
Message does **not need to be tied into An Physical Address in a Globally
Available Database.**</SPAN></DIV>
<DIV id=magicdomid109 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid110><SPAN class=author-g-0qjpkz122zuh8wirqosk>What law
enforcement really cares about is using the Whois to track down those who do
e-commerce deals and then cheat someone. That's fair, and I and others are
working on ways to help them with very narrowly-tailored policies. But that does
not mean that we give up the Privacy of those engaged in Noncommercial Conduct
or simply ordinary conduct (and in the US, that includes Organizations engaged
in an array of protected speech -- note: we had a case where law enforcement
wanted all the members of an NAACP branch, "a civil rights organization for
ethnic minorities in the united States," and the answer was "no" on privacy
grounds - organizations have rights of privacy and speakers of all types,
including those banded together in organizations have privacy in their
contentious, minority speech.)</SPAN></DIV>
<DIV id=magicdomid111 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid112><SPAN class=author-g-0qjpkz122zuh8wirqosk>Please know:
that there is an ongoing move in the gTLDs to eliminate proxy and privacy
services, and if they prevail (now or 10 years from now), we will be left with
only the slim protections, if any, in the ICANN Whois database. So yes, if
.CAT (Catalonia, Spain) wants privacy for its individuals, that's great. But it
sets a precedent for all gTLDs, and in that precedent, we need all Organizations
not actively engaged in e-commerce protected too.</SPAN></DIV>
<DIV id=magicdomid113 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid114><SPAN class=author-g-0qjpkz122zuh8wirqosk>Big sigh, as
that is a lot to talk about. I have lived Whois policies for the last year as
Vice-Chair of the Whois Review Team, and for 10 years before that as one of the
diligent NCUC reps on Whois Task Forces (including Milton, Wendy,
Robin).</SPAN></DIV>
<DIV id=magicdomid115 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid116><SPAN class=author-g-0qjpkz122zuh8wirqosk>As a policy
matter, I would ask that our NCUC leaders strongly urge .CAT to modify its
proposal to offer privacy protection for all noncommercial organizations that
request it, too, as a condition of our support.</SPAN></DIV>
<DIV id=magicdomid117 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid118><SPAN class=author-g-0qjpkz122zuh8wirqosk>Best, Kathy
(Kleiman)</SPAN></DIV>
<DIV id=magicdomid119><SPAN class=author-g-0qjpkz122zuh8wirqosk>Co-Founder,
NCUC</SPAN></DIV>
<DIV id=magicdomid120><SPAN class=author-g-0qjpkz122zuh8wirqosk>Vice-Chair,
Whois Review Team</SPAN></DIV>
<DIV id=magicdomid121 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid122><SPAN class=author-g-0qjpkz122zuh8wirqosk>---</SPAN></DIV>
<DIV id=magicdomid123 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid124><SPAN class=author-g-0qjpkz122zuh8wirqosk>On this point,
there are a couple of US cases that are relevant.</SPAN></DIV>
<DIV id=magicdomid125 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid126><SPAN class=author-g-0qjpkz122zuh8wirqosk>In NAACP v.
Alabama (1958) the US Supreme Court held that </SPAN></DIV>
<DIV id=magicdomid127><SPAN class=author-g-0qjpkz122zuh8wirqosk>the state of
Alabama could not force the disclosure of the NAACP </SPAN></DIV>
<DIV id=magicdomid128><SPAN class=author-g-0qjpkz122zuh8wirqosk>membership
lists. The Court said that the right to freedom of </SPAN></DIV>
<DIV id=magicdomid129><SPAN class=author-g-0qjpkz122zuh8wirqosk>association
would be limited if the names of members of </SPAN></DIV>
<DIV id=magicdomid130><SPAN class=author-g-0qjpkz122zuh8wirqosk>unpopular
organizations could be obtained by the government.</SPAN></DIV>
<DIV id=magicdomid131 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid132><SPAN class=author-g-0qjpkz122zuh8wirqosk>This is a very
influential opinion that also contributed to later</SPAN></DIV>
<DIV id=magicdomid133><SPAN class=author-g-0qjpkz122zuh8wirqosk>decisions
protecting anonymous speech as a part of freedom</SPAN></DIV>
<DIV id=magicdomid134><SPAN class=author-g-0qjpkz122zuh8wirqosk>of
expression.</SPAN></DIV>
<DIV id=magicdomid135 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid136><SPAN class=author-g-0qjpkz122zuh8wirqosk>More recently,
the US Supreme Court held in an open </SPAN></DIV>
<DIV id=magicdomid137><SPAN class=author-g-0qjpkz122zuh8wirqosk>government case
that AT&T could not claim a right of </SPAN></DIV>
<DIV id=magicdomid138><SPAN class=author-g-0qjpkz122zuh8wirqosk>"personal
privacy." Corporations, though they may be </SPAN></DIV>
<DIV id=magicdomid139><SPAN class=author-g-0qjpkz122zuh8wirqosk>"legal persons"
do not have a right "personal privacy."</SPAN></DIV>
<DIV id=magicdomid140 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid141><SPAN class=author-g-0qjpkz122zuh8wirqosk>Obviously, we
believe there should be strong privacy </SPAN></DIV>
<DIV id=magicdomid142><SPAN class=author-g-0qjpkz122zuh8wirqosk>safeguards for
individuals as opposed to corporations.</SPAN></DIV>
<DIV id=magicdomid143><SPAN class=author-g-0qjpkz122zuh8wirqosk>But It may be
worth considering, in the context of ICANN</SPAN></DIV>
<DIV id=magicdomid144><SPAN class=author-g-0qjpkz122zuh8wirqosk>and WHOIS,
whether political associations are entitled </SPAN></DIV>
<DIV id=magicdomid145><SPAN class=author-g-0qjpkz122zuh8wirqosk>to some privacy
rights, given the close relationship to the </SPAN></DIV>
<DIV id=magicdomid146><SPAN class=author-g-0qjpkz122zuh8wirqosk>exercise of
political freedom.</SPAN></DIV>
<DIV id=magicdomid147 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid148><SPAN class=author-g-0qjpkz122zuh8wirqosk>This would seem
to be a reasonable position for the NCSG</SPAN></DIV>
<DIV id=magicdomid149><SPAN class=author-g-0qjpkz122zuh8wirqosk>to put
forward.</SPAN></DIV>
<DIV id=magicdomid150 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid151><SPAN class=author-g-0qjpkz122zuh8wirqosk>Regards to
all,</SPAN></DIV>
<DIV id=magicdomid152 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid153><SPAN class=author-g-0qjpkz122zuh8wirqosk>Marc
Rotenberg.</SPAN></DIV>
<DIV id=magicdomid154 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid155><SPAN class=author-g-0qjpkz122zuh8wirqosk>PS Press
associations also, in some contexts, are entitled</SPAN></DIV>
<DIV id=magicdomid156><SPAN class=author-g-0qjpkz122zuh8wirqosk>to greater
privacy rights</SPAN></DIV>
<DIV id=magicdomid157 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid158 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid159><SPAN class=author-g-ktd32g8mb3qelz122zwr>>>So what
does the word "Law Enforcement" mean? American only - or ANY country. Seems to
me that it would have to mean any country as all countries are theoretically
equal on the Internet. </SPAN></DIV>
<DIV id=magicdomid160 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid161><SPAN class=author-g-ktd32g8mb3qelz122zwr>Fair
point. But the emphasis on American is misplaced in this case. The
stated context for the request is compliance with the EU's data privacy
protection laws - which are somewhat different (stronger in most respects) than
US law. </SPAN><SPAN
class="author-g-ktd32g8mb3qelz122zwr b"><B>.cat</B></SPAN><SPAN
class=author-g-ktd32g8mb3qelz122zwr> is controlled by a Spanish entity. So
the US is involved only by treaty, international "law", and its special role in
ICANN. (Some countries are more equal than others - at least in
practice.)</SPAN></DIV>
<DIV id=magicdomid162><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid163><SPAN class=author-g-ktd32g8mb3qelz122zwr>It's important
that the whois privacy rules not rely implicitly on the EU (or any nation's)
administrative rules/processes. This is an area where a baseline standard
should be established for all domains. Domains providing more (or less)
privacy to meet local law or other requirements must be required to prominently
and clearly disclose deviations to applicants. </SPAN></DIV>
<DIV id=magicdomid164><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid165><SPAN class=author-g-ktd32g8mb3qelz122zwr>Our comments on
this will establish a precedent for similar requests from others - so we do need
to be careful that they reflect a consistent set of principles that apply to all
domains/registries. Among these should be:</SPAN></DIV>
<DIV id=magicdomid166><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid167>
<UL class=list-bullet1>
<LI><SPAN class=author-g-ktd32g8mb3qelz122zwr>A presumption of privacy for
natural persons - with clear disclosure of deviations from the standard prior
to accepting data.</SPAN></LI></UL></DIV>
<DIV id=magicdomid168><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid169>
<UL class=list-bullet1>
<LI><SPAN class=author-g-ktd32g8mb3qelz122zwr>A mechanism (aka privacy proxy)
that allows contacting the registrant (any of the whois contacts) promptly for
legitimate purposes: administrative, technical, abuse, service of process -
while maintaing the registrant/contacts' privacy. This mechanism should
be auditable - use should be logged and tracable.</SPAN></LI></UL></DIV>
<DIV id=magicdomid170><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid171>
<UL class=list-bullet1>
<LI><SPAN class=author-g-ktd32g8mb3qelz122zwr>The database containing the
private data must be secure - protected by per-user security with each access
to the private data logged and tracable back to the individual. Data
extracted from the database must be handled in the same
way.</SPAN></LI></UL></DIV>
<DIV id=magicdomid172><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid173>
<UL class=list-bullet1>
<LI><SPAN class=author-g-ktd32g8mb3qelz122zwr>To the extent that "law
enforcement" or others have access to the entire database, the allowable
reasons for accessing data must be listed, with procedures for audit and
review. (Note that there </SPAN><SPAN
class="author-g-ktd32g8mb3qelz122zwr b"><B>are</B></SPAN><SPAN
class=author-g-ktd32g8mb3qelz122zwr> legitimate reasons for such access - e.g.
find the physical address of a network disruptor, or identify all domains
registered by a criminal enterprise. Don't sidetrack on who defines
"criminal".)</SPAN></LI></UL></DIV>
<DIV id=magicdomid174><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid175><SPAN class=author-g-ktd32g8mb3qelz122zwr>With respect to
the comments on privacy for organizations - I understand the desire (e.g. a
shelter for victims of abuse). However, my understanding (I'm neither a
lawyer nor resident in the EU) is that organizations are treated differently by
the EU privacy law - and generally must disclose location and contact
information. We can't legislate or require registries to violate local
law. (That's what started this - current whois practice for individuals
violates the EU data privacy laws!) We </SPAN><SPAN
class="author-g-ktd32g8mb3qelz122zwr b"><B>can</B></SPAN><SPAN
class=author-g-ktd32g8mb3qelz122zwr> identify the need and require that the
technical means be in place to protect the privacy of organizations. We
can also, as with natural persons, set a default standard and require disclosure
of deviations. However, I don't think we want to be in the business of
lobbying for specific changes in local laws...</SPAN></DIV>
<DIV id=magicdomid176><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid177 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid178><SPAN class=author-g-ktd32g8mb3qelz122zwr>Timothe
Litt</SPAN></DIV>
<DIV id=magicdomid179><SPAN class=author-g-ktd32g8mb3qelz122zwr>ACM
Distinguished Engineer</SPAN></DIV>
<DIV id=magicdomid180><SPAN
class=author-g-ktd32g8mb3qelz122zwr>---------------------------------------------------------</SPAN></DIV>
<DIV id=magicdomid181><SPAN class=author-g-ktd32g8mb3qelz122zwr>This
communication may not represent the ACM or my employer's views,</SPAN></DIV>
<DIV id=magicdomid182><SPAN class=author-g-ktd32g8mb3qelz122zwr>if any, on the
matters discussed.</SPAN></DIV>
<DIV id=magicdomid183 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid184><SPAN
class=author-g-ktd32g8mb3qelz122zwr></SPAN> </DIV>
<DIV id=magicdomid185 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid186 _magicdom_shouldBeEmpty="true"> </DIV>
<DIV id=magicdomid187 _magicdom_shouldBeEmpty="true"> </DIV>
<P><FONT color=#0000ff
face=Arial></FONT><BR><BR><BR>---------------------------------------------------------<BR>This
communication may not represent my employer's views,<BR>if any, on the matters
discussed.<BR><BR>-----Original Message-----<BR>From: NCSG-Discuss [<A
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU</A>]
On Behalf Of Timothe Litt<BR>Sent: Monday, January 23, 2012 07:03<BR>To:
NCSG-DISCUSS@LISTSERV.SYR.EDU<BR>Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed
Changes - call for public comments - Think hard!!<BR><BR>I added my last e-mail
to the end, and also marked up the draft. Note that for some reason, all
of my markup was not colored.<BR><BR>My markup isn't polished, and I don't think
it has everything from my comments, but it's a start - and all I have time for
at the moment. I do think that it ought to start with a statement of
principles (e.g. something like what I started in my last e-mail).<BR><BR>I hope
that this is helpful. Feel free to make further changes & I'll try to
check in again later.<BR><BR>Timothe Litt<BR>ACM Distinguished
Engineer<BR>---------------------------------------------------------<BR>This
communication may not represent the ACM or my employer's views, if any, on the
matters discussed.<BR><BR> -----Original Message-----<BR>From: NCSG-Discuss
[<A
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU</A>]
On Behalf Of Konstantinos Komaitis<BR>Sent: Monday, January 23, 2012
04:40<BR>To: NCSG-DISCUSS@LISTSERV.SYR.EDU<BR>Subject: Re: [NCSG-Discuss] .CAT
WHOIS Proposed Changes - call for public comments - Think hard!!<BR><BR>Thanks
Avri for taking a lead on this - I have added a small paragraph on trademark
enforcement. I really hope we get to do this and I would like to repeat if there
is any objection in sending this as an NCSG
position.<BR><BR>Thanks<BR><BR>KK<BR><BR>Dr. Konstantinos
Komaitis,<BR><BR>Senior Lecturer,<BR>Director of Postgraduate Instructional
Courses Director of LLM Information Technology and Telecommunications Law
University of Strathclyde, The Law School, Graham Hills building, 50 George
Street, Glasgow G1 1BA UK<BR>tel: +44 (0)141 548 4306<BR><A
href="http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulat">http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulat</A><BR>ion-isbn9780415477765<BR>Selected
publications:<BR><A
href="http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038">http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038</A><BR>Website:
www.komaitis.org<BR><BR><BR>-----Original Message-----<BR>From: NCSG-Discuss [<A
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU</A>]
On Behalf Of Avri Doria<BR>Sent: Κυριακή, 22 Ιανουαρίου 2012 1:40 μμ<BR>To:
NCSG-DISCUSS@LISTSERV.SYR.EDU<BR>Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed
Changes - call for public comments - Think hard!!<BR><BR><A
href="http://openetherpad.org/8hyZwpLw9P">http://openetherpad.org/8hyZwpLw9P</A><BR><BR><BR>On
22 Jan 2012, at 08:31, Avri Doria wrote:<BR><BR>> On 22 Jan 2012, at 06:09,
Konstantinos Komaitis wrote:<BR>><BR>>> These are all great
observations and thanks for bringing them<BR>>> forward. I<BR>also agree
with Avri, Kathy, Marc and others.<BR>>><BR>>> Would it be
possible for someone who has already contributed to this<BR>>> list<BR>to
also write a brief statement and send it to the list for endorsement? It would
be ideal if it could be a NCSG statement, but in any case it looks like it can
be a NCUC one.<BR>><BR>><BR>> I am willing to work on one with
others. Perhaps someone can start by<BR>> collecting the contents into
an etherpad of some politically<BR>> acceptable kind <<A
href="http://etherpad.org/public-sites/">http://etherpad.org/public-sites/</A>>
(speaking of<BR>> which, do any of the members host an
etherpad?)<BR>><BR>> With 10 Feb being the deadline for submission, when
would such a draft<BR>need to be available for the NC-membership review in order
to not need a last minute heroic effort from one of the
NCstewards..<BR>><BR>> avri<BR></FONT></P></BODY></HTML>