.CAT WHOIS Proposed Changes - call for public comments - Think hard!!
Timothe Litt
timothe at LITTS.NET
Mon Jan 23 13:41:54 CET 2012
I returned to the page and saw that it was garbled and that some of my
markup was missing. So this technology isn't reliable.
I attempted to re-create what I produced, and have pasted it here. This
loses the colors, but at least it preserves the text.
I hope I got it all - really have to run now...
The NCxy wishes to express its support for punctCat's proposed amendment
that would allow natural persons an opt out measure by which some WHOIS data
would be withheld.
We recognize that this proposed ammendement is intended to enable punctCaat
to comply with EU data privacy laws. However, it raises broader issues that
we believe should also be considered at this time to establish general
policy for all domains. In addition, we have some technical concerns with
the proproposal.
We do not believe this request goes far enough in terms of
We also, however want to state that we do not beleive this request goes far
enough in terms of offering the opt-out opportunity. The NCxy believes
there are several types of institution that require a similar opportunity.
Among those institutional types are organizations that:
* protect natural persons
* deal with political freedoms,
* deal with religious freedoms,
* deal with sexual preference and expression,
* deal with political minorities,
* deal with religious minorities,
* parents groups that deal with children's activities such as sports
teams, home-schooling and other childcare issues.
Whether or not these organizations have suitable protections under EU law,
we believe that the technical means for providing them data privacy should
be incorporated into WHOIS as part of this proposal. This will allow
consistent implementation of these protections in jurisdictions where they
are allowed/required without another change to WHOIS.
The generally accepted practice for data privacy is to opt-in to sharing
private information; this proposal defaults to sharing (e.g. is an opt-out
mechanism.) The default should be not to share. In any case, care should
be taken to ensure that data is not shared between the time it is provided
and the first opportunity that the submitter has to specify "do not share."
Additionally the NCxy is concerned by several aspects of the request that
allow law enforcement and trademark enforcement unbridled access without
prior due process provisions ...
Access to private data should require a reason that is logged with each
access. While the allowable reasons may vary by jurisdiction, they must be
disclosed to the registrant before private data is accepted. The subject
of the the private data should be notified of such access promptly (delayed
if a competent authority rules that notification would impede a criminal
investigation).
The submitter of private data must be able to validate that the data
submitted is correctly displayed by the WHOIS system, despite the privacy
controls.
The propsal incorporates a whitelist of IP addresses to allow "Law
Enforcement" and others unrestricted access to private data. IP addresses
are not a sufficient security mechanism for personal data. IP addresses can
be spoofed. Further, IP addresses do not provide sufficient granularity or
tracability of access. Current practice requires that accesses to private
data must be tracable to a specific individual to provide the capability for
audit as well as individual accountability for data use. Thus, access
should be controlled by individual account privileges - e.g. using
username/passwords, X..509 certificates, physical tokens or the like.
We do not understand what a "trademark protection representative" is, nor
why such representatives should have the same access to private data as do
law enforcement repreeresentatives. We believe that the current trademark
protection regime offered in the context of gTLDs (old and new) is
sufficient to deal with issues of infringement. Trademark protection
representatives should be able to use the webform proxy to contact
registrants, or involve law enforcement as necessary. Why is this not
sufficient?
_____
* And, here there should be a clear distinction - Law enforcement and
trademark enforcement constitute different things serving different
purposes. Whilst NCxx is concerned about the degree of information provided
to law enforcement agencies, at the same time, we are more concerned about
data provided for trademark enforcement purposes. We believe that the
current trademark protection regime offered in the context of gTLDs (old and
new) is sufficient to deal with issues of infringement and, thus, no more
information should be provided about domain name registrants.
--- Email References----useful for cutting and pasting-- to be deleted or at
least not included---
.CAT proposes to revise its Registry agreement to support withholding of
some WHOIS data by individuals who opt out. It will not offer this
opt-out to legal persons.
I propose that NCSG support this amendment, with a simple: "NCSG
supports the availability of WHOIS privacy options for natural persons.
Accordingly, we support puntCAT's proposed amendment."
--Wendy
---
I agree, but I wonder whether it is worth suggesting something that goes
one step further, the protection of some legal persons (mostly NGO and other
civil society orgs) whose day to day operations are concerned with
protecting natural persons facing a variety of physical threats.
So, I suggest we support, but say it does not go far enough.
(have not read it yet, going on your abstract - if they do have such an
exception - i support it all the way)
avri
----
I had a cursory look at the supporting documents for this.
(http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)
In general, I think that the request moves practice in the right direction.
However, I am somewhat concerned by the following language:
"Law enforcement and trademark protection representatives will be granted
full access to
puntCAT database. An IP white list will be established to provide full
access to gather all
data associated with any concrete domain name."
("IP" clearly means "IP address" if you read the whole document.)
A) What is a "trademark protection representative", and why are they granted
equal access to the privacy-protected data of natural persons as law
enforcement?
B) Why can't they use the webform proxy for contacting the domain owner, or
present a case to law enforcement for access if the owner is unresponsive?
C) It also seems that both have the ability to troll thru the database at
will for any purpose, without cause, judicial review or documenting when and
why private information is accessed.
D) Note that this ability is based on IP address - not an X.509 certificate,
password or any other user-specific security mechanism. Hence is is
susceptible to IP spoofing, and access is not traceable to the individual
accessing the data. This makes it difficult (impossible?) to hold anyone
accountable for misuse of these privileges.
E) Also, disclosure is described as "opt-in (default option)" - as the
following language in the document makes clear, privacy is not the default
and must be requested. This is not consistent with maximizing privacy, and
potentially introduces race conditions if establishing the privacy option is
not atomic with registering a domain. For natural persons, privacy should
be the default.
Thus, although this is a positive step in the direction of protecting the
privacy of natural persons, there is room for improvement.
I leave to those more experienced in the politics of ICANN the political
question of whether to take what's on offer now and fight the next battle
later, or to raise these points in our comment on the current request.
Timothe Litt
ACM Distinguished Engineer
---
I think this is a very dangerous slippery slope. Natural persons deserve
privacy, yes, and that completely consistent with the EU Data Protection
Directive. But in the US and other places around the world Organizations
deserve privacy protection too. If we give this up now, we will never get
it back.
I strongly agree with Avri that the organizations that protect natural
persons are important, and so too are the organizations that deal with
political freedoms, religious freedoms, political minorities, religious
minorities, and even organizations who are parents organizing baseball
teams, soccer teams and home-schooling groups. Organizations are the
**perfect example** of what a Noncommercial Message does **not need to be
tied into An Physical Address in a Globally Available Database.**
What law enforcement really cares about is using the Whois to track down
those who do e-commerce deals and then cheat someone. That's fair, and I and
others are working on ways to help them with very narrowly-tailored
policies. But that does not mean that we give up the Privacy of those
engaged in Noncommercial Conduct or simply ordinary conduct (and in the US,
that includes Organizations engaged in an array of protected speech -- note:
we had a case where law enforcement wanted all the members of an NAACP
branch, "a civil rights organization for ethnic minorities in the united
States," and the answer was "no" on privacy grounds - organizations have
rights of privacy and speakers of all types, including those banded together
in organizations have privacy in their contentious, minority speech.)
Please know: that there is an ongoing move in the gTLDs to eliminate proxy
and privacy services, and if they prevail (now or 10 years from now), we
will be left with only the slim protections, if any, in the ICANN Whois
database. So yes, if .CAT (Catalonia, Spain) wants privacy for its
individuals, that's great. But it sets a precedent for all gTLDs, and in
that precedent, we need all Organizations not actively engaged in e-commerce
protected too.
Big sigh, as that is a lot to talk about. I have lived Whois policies for
the last year as Vice-Chair of the Whois Review Team, and for 10 years
before that as one of the diligent NCUC reps on Whois Task Forces (including
Milton, Wendy, Robin).
As a policy matter, I would ask that our NCUC leaders strongly urge .CAT to
modify its proposal to offer privacy protection for all noncommercial
organizations that request it, too, as a condition of our support.
Best, Kathy (Kleiman)
Co-Founder, NCUC
Vice-Chair, Whois Review Team
---
On this point, there are a couple of US cases that are relevant.
In NAACP v. Alabama (1958) the US Supreme Court held that
the state of Alabama could not force the disclosure of the NAACP
membership lists. The Court said that the right to freedom of
association would be limited if the names of members of
unpopular organizations could be obtained by the government.
This is a very influential opinion that also contributed to later
decisions protecting anonymous speech as a part of freedom
of expression.
More recently, the US Supreme Court held in an open
government case that AT&T could not claim a right of
"personal privacy." Corporations, though they may be
"legal persons" do not have a right "personal privacy."
Obviously, we believe there should be strong privacy
safeguards for individuals as opposed to corporations.
But It may be worth considering, in the context of ICANN
and WHOIS, whether political associations are entitled
to some privacy rights, given the close relationship to the
exercise of political freedom.
This would seem to be a reasonable position for the NCSG
to put forward.
Regards to all,
Marc Rotenberg.
PS Press associations also, in some contexts, are entitled
to greater privacy rights
>>So what does the word "Law Enforcement" mean? American only - or ANY
country. Seems to me that it would have to mean any country as all countries
are theoretically equal on the Internet.
Fair point. But the emphasis on American is misplaced in this case. The
stated context for the request is compliance with the EU's data privacy
protection laws - which are somewhat different (stronger in most respects)
than US law. .cat is controlled by a Spanish entity. So the US is involved
only by treaty, international "law", and its special role in ICANN. (Some
countries are more equal than others - at least in practice.)
It's important that the whois privacy rules not rely implicitly on the EU
(or any nation's) administrative rules/processes. This is an area where a
baseline standard should be established for all domains. Domains providing
more (or less) privacy to meet local law or other requirements must be
required to prominently and clearly disclose deviations to applicants.
Our comments on this will establish a precedent for similar requests from
others - so we do need to be careful that they reflect a consistent set of
principles that apply to all domains/registries. Among these should be:
* A presumption of privacy for natural persons - with clear disclosure
of deviations from the standard prior to accepting data.
* A mechanism (aka privacy proxy) that allows contacting the
registrant (any of the whois contacts) promptly for legitimate purposes:
administrative, technical, abuse, service of process - while maintaing the
registrant/contacts' privacy. This mechanism should be auditable - use
should be logged and tracable.
* The database containing the private data must be secure - protected
by per-user security with each access to the private data logged and
tracable back to the individual. Data extracted from the database must be
handled in the same way.
* To the extent that "law enforcement" or others have access to the
entire database, the allowable reasons for accessing data must be listed,
with procedures for audit and review. (Note that there are legitimate
reasons for such access - e.g. find the physical address of a network
disruptor, or identify all domains registered by a criminal enterprise.
Don't sidetrack on who defines "criminal".)
With respect to the comments on privacy for organizations - I understand the
desire (e.g. a shelter for victims of abuse). However, my understanding
(I'm neither a lawyer nor resident in the EU) is that organizations are
treated differently by the EU privacy law - and generally must disclose
location and contact information. We can't legislate or require registries
to violate local law. (That's what started this - current whois practice
for individuals violates the EU data privacy laws!) We can identify the
need and require that the technical means be in place to protect the privacy
of organizations. We can also, as with natural persons, set a default
standard and require disclosure of deviations. However, I don't think we
want to be in the business of lobbying for specific changes in local laws...
Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
Timothe Litt
Sent: Monday, January 23, 2012 07:03
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments - Think hard!!
I added my last e-mail to the end, and also marked up the draft. Note that
for some reason, all of my markup was not colored.
My markup isn't polished, and I don't think it has everything from my
comments, but it's a start - and all I have time for at the moment. I do
think that it ought to start with a statement of principles (e.g. something
like what I started in my last e-mail).
I hope that this is helpful. Feel free to make further changes & I'll try
to check in again later.
Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views, if any,
on the matters discussed.
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
Konstantinos Komaitis
Sent: Monday, January 23, 2012 04:40
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments - Think hard!!
Thanks Avri for taking a lead on this - I have added a small paragraph on
trademark enforcement. I really hope we get to do this and I would like to
repeat if there is any objection in sending this as an NCSG position.
Thanks
KK
Dr. Konstantinos Komaitis,
Senior Lecturer,
Director of Postgraduate Instructional Courses Director of LLM Information
Technology and Telecommunications Law University of Strathclyde, The Law
School, Graham Hills building, 50 George Street, Glasgow G1 1BA UK
tel: +44 (0)141 548 4306
http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulat
ion-isbn9780415477765
Selected publications:
http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
Website: www.komaitis.org
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Avri
Doria
Sent: Κυριακή, 22 Ιανουαρίου 2012 1:40 μμ
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments - Think hard!!
http://openetherpad.org/8hyZwpLw9P
On 22 Jan 2012, at 08:31, Avri Doria wrote:
> On 22 Jan 2012, at 06:09, Konstantinos Komaitis wrote:
>
>> These are all great observations and thanks for bringing them
>> forward. I
also agree with Avri, Kathy, Marc and others.
>>
>> Would it be possible for someone who has already contributed to this
>> list
to also write a brief statement and send it to the list for endorsement? It
would be ideal if it could be a NCSG statement, but in any case it looks
like it can be a NCUC one.
>
>
> I am willing to work on one with others. Perhaps someone can start by
> collecting the contents into an etherpad of some politically
> acceptable kind <http://etherpad.org/public-sites/> (speaking of
> which, do any of the members host an etherpad?)
>
> With 10 Feb being the deadline for submission, when would such a draft
need to be available for the NC-membership review in order to not need a
last minute heroic effort from one of the NCstewards..
>
> avri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20120123/49347362/attachment-0001.html>
More information about the Ncuc-discuss
mailing list