.CAT WHOIS Proposed Changes - call for public comments
Timothe Litt
litt at ACM.ORG
Sun Jan 22 12:54:32 CET 2012
>>So what does the word "Law Enforcement" mean? American only - or ANY
country. Seems to me that it would have to mean any country as all countries
are theoretically equal on the Internet.
Fair point. But the emphasis on American is misplaced in this case. The
stated context for the request is compliance with the EU's data privacy
protection laws - which are somewhat different (stronger in most respects)
than US law. .cat is controlled by a Spanish entity. So the US is involved
only by treaty, international "law", and its special role in ICANN. (Some
countries are more equal than others - at least in practice.)
It's important that the whois privacy rules not rely implicitly on the EU
(or any nation's) administrative rules/processes. This is an area where a
baseline standard should be established for all domains. Domains providing
more (or less) privacy to meet local law or other requirements must be
required to prominently and clearly disclose deviations to applicants.
Our comments on this will establish a precedent for similar requests from
others - so we do need to be careful that they reflect a consistent set of
principles that apply to all domains/registries. Among these should be:
A presumption of privacy for natural persons - with clear disclosure of
deviations from the standard prior to accepting data.
A mechanism (aka privacy proxy) that allows contacting the registrant (any
of the whois contacts) promptly for legitimate purposes: administrative,
technical, abuse, service of process - while maintaing the
registrant/contacts' privacy. This mechanism should be auditable - use
should be logged and tracable.
The database containing the private data must be secure - protected by
per-user security with each access to the private data logged and tracable
back to the individual. Data extracted from the database must be handled in
the same way.
To the extent that "law enforcement" or others have access to the entire
database, the allowable reasons for accessing data must be listed, with
procedures for audit and review. (Note that there are legitimate reasons
for such access - e.g. find the physical address of a network disruptor, or
identify all domains registered by a criminal enterprise. Don't sidetrack
on who defines "criminal".)
With respect to the comments on privacy for organizations - I understand the
desire (e.g. a shelter for victims of abuse). However, my understanding
(I'm neither a lawyer nor resident in the EU) is that organizations are
treated differently by the EU privacy law - and generally must disclose
location and contact information. We can't legislate or require registries
to violate local law. (That's what started this - current whois practice
for individuals violates the EU data privacy laws!) We can identify the
need and require that the technical means be in place to protect the privacy
of organizations. We can also, as with natural persons, set a default
standard and require disclosure of deviations. However, I don't think we
want to be in the business of lobbying for specific changes in local laws...
Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
_____
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Marc
Perkel
Sent: Saturday, January 21, 2012 23:17
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments
I agree with Adam, I too have a problem with that part:
"Law enforcement and trademark protection representatives will be granted
full access to puntCAT database. An IP white list will be established to
provide full access to gather all data associated with any concrete domain
name."
First - the Internet is a 0 dimensional universe that is not owned by any
one nation. So what does the word "Law Enforcement" mean? American only - or
ANY country. Seems to me that it would have to mean any country as all
countries are theoretically equal on the Internet.
As the founder of the Church of Reality I'm someone who would be put to
death in many countries of the world and I can not be subject to "law
enforcement" of countries like Iran. The same is true to a lesser degree of
all non-Islamic religions and possibly some version of Islam. I can not be
subject to nations who consider my religions blasphemy.
As to trademark protection - I own the US Registered Trademark on the word
"REALITY". Serial Number: 78735626.
http://www.churchofreality.org/wisdom/trademark/
if I had special trademark enforcement powers owning the trademark on
REALITY, well, I really don't think you should give me that kind of power.
If I control REALITY on the Internet - wouldn't that make me a deity? I
don't think that's a good idea.
ICANN and DNS is not about law enforcement, trademark, or intellectual
property protection. It's not about protecting people's money. Our mission
is to make the Internet work and nothing more. These issues are outside the
scope of our mission and we need to draw a hard bright line and tell these
people no.
On 1/21/2012 6:49 PM, Nicolas Adam wrote:
Very sharp cursory look. I also think those points need be raised.
Nicolas
On 1/21/2012 12:33 PM, Timothe Litt wrote:
I had a cursory look at the supporting documents for this.
(http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)
In general, I think that the request moves practice in the right direction.
However, I am somewhat concerned by the following language:
"Law enforcement and trademark protection representatives will be granted
full access to
puntCAT database. An IP white list will be established to provide full
access to gather all
data associated with any concrete domain name."
("IP" clearly means "IP address" if you read the whole document.)
A) What is a "trademark protection representative", and why are they granted
equal access to the privacy-protected data of natural persons as law
enforcement?
B) Why can't they use the webform proxy for contacting the domain owner, or
present a case to law enforcement for access if the owner is unresponsive?
C) It also seems that both have the ability to troll thru the database at
will for any purpose, without cause, judicial review or documenting when and
why private information is accessed.
D) Note that this ability is based on IP address - not an X.509 certificate,
password or any other user-specific security mechanism. Hence is is
susceptible to IP spoofing, and access is not traceable to the individual
accessing the data. This makes it difficult (impossible?) to hold anyone
accountable for misuse of these privileges.
E) Also, disclosure is described as "opt-in (default option)" - as the
following language in the document makes clear, privacy is not the default
and must be requested. This is not consistent with maximizing privacy, and
potentially introduces race conditions if establishing the privacy option is
not atomic with registering a domain. For natural persons, privacy should
be the default.
Thus, although this is a positive step in the direction of protecting the
privacy of natural persons, there is room for improvement.
I leave to those more experienced in the politics of ICANN the political
question of whether to take what's on offer now and fight the next battle
later, or to raise these points in our comment on the current request.
Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Wendy
Seltzer
Sent: Saturday, January 21, 2012 11:50
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments
.CAT proposes to revise its Registry agreement to support withholding of
some WHOIS data by individuals who opt out. It will not offer this opt-out
to legal persons.
I propose that NCSG support this amendment, with a simple: "NCSG supports
the availability of WHOIS privacy options for natural persons.
Accordingly, we support puntCAT's proposed amendment."
--Wendy
-------- Original Message --------
Subject: [council] .CAT WHOIS Proposed Changes - call for public comments
Date: Fri, 20 Jan 2012 14:08:05 -0800
From: Glen de Saint Géry <mailto:Glen at icann.org> <Glen at icann.org>
To: council at gnso.icann.org <mailto:council at gnso.icann.org>
<council at gnso.icann.org>
http://www.icann.org/en/announcements/announcement-20jan12-en.htm
.CAT WHOIS Proposed Changes
Forum Announcement: Comment Period Opens on Date: 20 January2012
Categories/Tags: Contracted Party Agreements
Purpose (Brief):
ICANN is opening today the public comment period for the Fundacio puntCAT's,
request to change its Whois according to EU data protection legislation. The
public comment period will be closed on 3 March 2012.
The .cat registry, submitted a Registry Service Evaluation Process
(RSEP) on August 2011.
At this time, ICANN has conducted a preliminary review in accordance with
the Registry Services Evaluation Policy and process set forth at
http://www.icann.org/registries/rsep/rsep.html. ICANN's preliminary review
(based on the information provided) did not identify any significant
competition, security, or stability issues.
The implementation of the request requires an amendment to the .cat Registry
Agreement signed 23 September 2005. This public forum requests comments
regarding the proposed amendment.
Public Comment Box Link:
http://www.icann.org/en/public-comment/cat-whois-changes-18jan12-en.htm
Glen de Saint Géry
GNSO Secretariat
gnso.secretariat at gnso.icann.org <mailto:gnso.secretariat at gnso.icann.org>
<mailto:gnso.secretariat at gnso.icann.org>
http://gnso.icann.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20120122/438ef1ec/attachment-0001.html>
More information about the Ncuc-discuss
mailing list