.CAT WHOIS Proposed Changes - call for public comments - Think hard!!
Avri Doria
avri at ACM.ORG
Mon Jan 23 16:10:21 CET 2012
Hi,
I do not beleive it was garbling of the page. It is rather that I went in afterwards and deleted the line you struck out and brought the two segments of the line together, making some other edits.
That is the way this technology works, we can all interact with it in real time and change the document.
If you prefer to go back to email iterations, i suppose that works too.
avri
On 23 Jan 2012, at 07:41, Timothe Litt wrote:
> I returned to the page and saw that it was garbled and that some of my markup was missing. So this technology isn't reliable.
>
> I attempted to re-create what I produced, and have pasted it here. This loses the colors, but at least it preserves the text.
>
> I hope I got it all - really have to run now...
>
>
>
> The NCxy wishes to express its support for punctCat's proposed amendment that would allow natural persons an opt out measure by which some WHOIS data would be withheld.
>
> We recognize that this proposed ammendement is intended to enable punctCaat to comply with EU data privacy laws. However, it raises broader issues that we believe should also be considered at this time to establish general policy for all domains. In addition, we have some technical concerns with the proproposal.
>
> We do not believe this request goes far enough in terms of
>
> We also, however want to state that we do not beleive this request goes far enough in terms of offering the opt-out opportunity. The NCxy believes there are several types of institution that require a similar opportunity. Among those institutional types are organizations that:
>
> • protect natural persons
> • deal with political freedoms,
> • deal with religious freedoms,
> • deal with sexual preference and expression,
> • deal with political minorities,
> • deal with religious minorities,
> • parents groups that deal with children's activities such as sports teams, home-schooling and other childcare issues.
>
>
> Whether or not these organizations have suitable protections under EU law, we believe that the technical means for providing them data privacy should be incorporated into WHOIS as part of this proposal. This will allow consistent implementation of these protections in jurisdictions where they are allowed/required without another change to WHOIS.
>
> The generally accepted practice for data privacy is to opt-in to sharing private information; this proposal defaults to sharing (e.g. is an opt-out mechanism.) The default should be not to share. In any case, care should be taken to ensure that data is not shared between the time it is provided and the first opportunity that the submitter has to specify "do not share."
>
> Additionally the NCxy is concerned by several aspects of the request that allow law enforcement and trademark enforcement unbridled access without prior due process provisions ...
>
> Access to private data should require a reason that is logged with each access. While the allowable reasons may vary by jurisdiction, they must be disclosed to the registrant before private data is accepted. The subject of the the private data should be notified of such access promptly (delayed if a competent authority rules that notification would impede a criminal investigation).
>
> The submitter of private data must be able to validate that the data submitted is correctly displayed by the WHOIS system, despite the privacy controls.
>
> The propsal incorporates a whitelist of IP addresses to allow "Law Enforcement" and others unrestricted access to private data. IP addresses are not a sufficient security mechanism for personal data. IP addresses can be spoofed. Further, IP addresses do not provide sufficient granularity or tracability of access. Current practice requires that accesses to private data must be tracable to a specific individual to provide the capability for audit as well as individual accountability for data use. Thus, access should be controlled by individual account privileges - e.g. using username/passwords, X..509 certificates, physical tokens or the like.
>
> We do not understand what a "trademark protection representative" is, nor why such representatives should have the same access to private data as do law enforcement repreeresentatives. We believe that the current trademark protection regime offered in the context of gTLDs (old and new) is sufficient to deal with issues of infringement. Trademark protection representatives should be able to use the webform proxy to contact registrants, or involve law enforcement as necessary. Why is this not sufficient?
>
> • And, here there should be a clear distinction - Law enforcement and trademark enforcement constitute different things serving different purposes. Whilst NCxx is concerned about the degree of information provided to law enforcement agencies, at the same time, we are more concerned about data provided for trademark enforcement purposes. We believe that the current trademark protection regime offered in the context of gTLDs (old and new) is sufficient to deal with issues of infringement and, thus, no more information should be provided about domain name registrants.
>
>
> --- Email References----useful for cutting and pasting-- to be deleted or at least not included---
>
>
> .CAT proposes to revise its Registry agreement to support withholding of
> some WHOIS data by individuals who opt out. It will not offer this
> opt-out to legal persons.
>
> I propose that NCSG support this amendment, with a simple: "NCSG
> supports the availability of WHOIS privacy options for natural persons.
> Accordingly, we support puntCAT's proposed amendment."
>
> --Wendy
>
> ---
>
>
> I agree, but I wonder whether it is worth suggesting something that goes one step further, the protection of some legal persons (mostly NGO and other civil society orgs) whose day to day operations are concerned with protecting natural persons facing a variety of physical threats.
>
> So, I suggest we support, but say it does not go far enough.
>
> (have not read it yet, going on your abstract - if they do have such an exception - i support it all the way)
>
> avri
>
> ----
>
> I had a cursory look at the supporting documents for this.
> (http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)
>
> In general, I think that the request moves practice in the right direction.
>
> However, I am somewhat concerned by the following language:
>
> "Law enforcement and trademark protection representatives will be granted
> full access to
> puntCAT database. An IP white list will be established to provide full
> access to gather all
> data associated with any concrete domain name."
>
> ("IP" clearly means "IP address" if you read the whole document.)
>
> A) What is a "trademark protection representative", and why are they granted
> equal access to the privacy-protected data of natural persons as law
> enforcement?
>
> B) Why can't they use the webform proxy for contacting the domain owner, or
> present a case to law enforcement for access if the owner is unresponsive?
>
> C) It also seems that both have the ability to troll thru the database at
> will for any purpose, without cause, judicial review or documenting when and
> why private information is accessed.
>
> D) Note that this ability is based on IP address - not an X.509 certificate,
> password or any other user-specific security mechanism. Hence is is
> susceptible to IP spoofing, and access is not traceable to the individual
> accessing the data. This makes it difficult (impossible?) to hold anyone
> accountable for misuse of these privileges.
>
> E) Also, disclosure is described as "opt-in (default option)" - as the
> following language in the document makes clear, privacy is not the default
> and must be requested. This is not consistent with maximizing privacy, and
> potentially introduces race conditions if establishing the privacy option is
> not atomic with registering a domain. For natural persons, privacy should
> be the default.
>
> Thus, although this is a positive step in the direction of protecting the
> privacy of natural persons, there is room for improvement.
>
> I leave to those more experienced in the politics of ICANN the political
> question of whether to take what's on offer now and fight the next battle
> later, or to raise these points in our comment on the current request.
>
>
> Timothe Litt
> ACM Distinguished Engineer
>
> ---
>
> I think this is a very dangerous slippery slope. Natural persons deserve privacy, yes, and that completely consistent with the EU Data Protection Directive. But in the US and other places around the world Organizations deserve privacy protection too. If we give this up now, we will never get it back.
>
> I strongly agree with Avri that the organizations that protect natural persons are important, and so too are the organizations that deal with political freedoms, religious freedoms, political minorities, religious minorities, and even organizations who are parents organizing baseball teams, soccer teams and home-schooling groups. Organizations are the **perfect example** of what a Noncommercial Message does **not need to be tied into An Physical Address in a Globally Available Database.**
>
> What law enforcement really cares about is using the Whois to track down those who do e-commerce deals and then cheat someone. That's fair, and I and others are working on ways to help them with very narrowly-tailored policies. But that does not mean that we give up the Privacy of those engaged in Noncommercial Conduct or simply ordinary conduct (and in the US, that includes Organizations engaged in an array of protected speech -- note: we had a case where law enforcement wanted all the members of an NAACP branch, "a civil rights organization for ethnic minorities in the united States," and the answer was "no" on privacy grounds - organizations have rights of privacy and speakers of all types, including those banded together in organizations have privacy in their contentious, minority speech.)
>
> Please know: that there is an ongoing move in the gTLDs to eliminate proxy and privacy services, and if they prevail (now or 10 years from now), we will be left with only the slim protections, if any, in the ICANN Whois database. So yes, if .CAT (Catalonia, Spain) wants privacy for its individuals, that's great. But it sets a precedent for all gTLDs, and in that precedent, we need all Organizations not actively engaged in e-commerce protected too.
>
> Big sigh, as that is a lot to talk about. I have lived Whois policies for the last year as Vice-Chair of the Whois Review Team, and for 10 years before that as one of the diligent NCUC reps on Whois Task Forces (including Milton, Wendy, Robin).
>
> As a policy matter, I would ask that our NCUC leaders strongly urge .CAT to modify its proposal to offer privacy protection for all noncommercial organizations that request it, too, as a condition of our support.
>
> Best, Kathy (Kleiman)
> Co-Founder, NCUC
> Vice-Chair, Whois Review Team
>
> ---
>
> On this point, there are a couple of US cases that are relevant.
>
> In NAACP v. Alabama (1958) the US Supreme Court held that
> the state of Alabama could not force the disclosure of the NAACP
> membership lists. The Court said that the right to freedom of
> association would be limited if the names of members of
> unpopular organizations could be obtained by the government.
>
> This is a very influential opinion that also contributed to later
> decisions protecting anonymous speech as a part of freedom
> of expression.
>
> More recently, the US Supreme Court held in an open
> government case that AT&T could not claim a right of
> "personal privacy." Corporations, though they may be
> "legal persons" do not have a right "personal privacy."
>
> Obviously, we believe there should be strong privacy
> safeguards for individuals as opposed to corporations.
> But It may be worth considering, in the context of ICANN
> and WHOIS, whether political associations are entitled
> to some privacy rights, given the close relationship to the
> exercise of political freedom.
>
> This would seem to be a reasonable position for the NCSG
> to put forward.
>
> Regards to all,
>
> Marc Rotenberg.
>
> PS Press associations also, in some contexts, are entitled
> to greater privacy rights
>
>
> >>So what does the word "Law Enforcement" mean? American only - or ANY country. Seems to me that it would have to mean any country as all countries are theoretically equal on the Internet.
>
> Fair point. But the emphasis on American is misplaced in this case. The stated context for the request is compliance with the EU's data privacy protection laws - which are somewhat different (stronger in most respects) than US law. .cat is controlled by a Spanish entity. So the US is involved only by treaty, international "law", and its special role in ICANN. (Some countries are more equal than others - at least in practice.)
>
> It's important that the whois privacy rules not rely implicitly on the EU (or any nation's) administrative rules/processes. This is an area where a baseline standard should be established for all domains. Domains providing more (or less) privacy to meet local law or other requirements must be required to prominently and clearly disclose deviations to applicants.
>
> Our comments on this will establish a precedent for similar requests from others - so we do need to be careful that they reflect a consistent set of principles that apply to all domains/registries. Among these should be:
>
> • A presumption of privacy for natural persons - with clear disclosure of deviations from the standard prior to accepting data.
>
> • A mechanism (aka privacy proxy) that allows contacting the registrant (any of the whois contacts) promptly for legitimate purposes: administrative, technical, abuse, service of process - while maintaing the registrant/contacts' privacy. This mechanism should be auditable - use should be logged and tracable.
>
> • The database containing the private data must be secure - protected by per-user security with each access to the private data logged and tracable back to the individual. Data extracted from the database must be handled in the same way.
>
> • To the extent that "law enforcement" or others have access to the entire database, the allowable reasons for accessing data must be listed, with procedures for audit and review. (Note that there are legitimate reasons for such access - e.g. find the physical address of a network disruptor, or identify all domains registered by a criminal enterprise. Don't sidetrack on who defines "criminal".)
>
> With respect to the comments on privacy for organizations - I understand the desire (e.g. a shelter for victims of abuse). However, my understanding (I'm neither a lawyer nor resident in the EU) is that organizations are treated differently by the EU privacy law - and generally must disclose location and contact information. We can't legislate or require registries to violate local law. (That's what started this - current whois practice for individuals violates the EU data privacy laws!) We can identify the need and require that the technical means be in place to protect the privacy of organizations. We can also, as with natural persons, set a default standard and require disclosure of deviations. However, I don't think we want to be in the business of lobbying for specific changes in local laws...
>
>
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
>
>
>
>
>
>
> ---------------------------------------------------------
> This communication may not represent my employer's views,
> if any, on the matters discussed.
>
> -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Timothe Litt
> Sent: Monday, January 23, 2012 07:03
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments - Think hard!!
>
> I added my last e-mail to the end, and also marked up the draft. Note that for some reason, all of my markup was not colored.
>
> My markup isn't polished, and I don't think it has everything from my comments, but it's a start - and all I have time for at the moment. I do think that it ought to start with a statement of principles (e.g. something like what I started in my last e-mail).
>
> I hope that this is helpful. Feel free to make further changes & I'll try to check in again later.
>
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
>
> -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Konstantinos Komaitis
> Sent: Monday, January 23, 2012 04:40
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments - Think hard!!
>
> Thanks Avri for taking a lead on this - I have added a small paragraph on trademark enforcement. I really hope we get to do this and I would like to repeat if there is any objection in sending this as an NCSG position.
>
> Thanks
>
> KK
>
> Dr. Konstantinos Komaitis,
>
> Senior Lecturer,
> Director of Postgraduate Instructional Courses Director of LLM Information Technology and Telecommunications Law University of Strathclyde, The Law School, Graham Hills building, 50 George Street, Glasgow G1 1BA UK
> tel: +44 (0)141 548 4306
> http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulat
> ion-isbn9780415477765
> Selected publications:
> http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
> Website: www.komaitis.org
>
>
> -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Avri Doria
> Sent: Κυριακή, 22 Ιανουαρίου 2012 1:40 μμ
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public comments - Think hard!!
>
> http://openetherpad.org/8hyZwpLw9P
>
>
> On 22 Jan 2012, at 08:31, Avri Doria wrote:
>
> > On 22 Jan 2012, at 06:09, Konstantinos Komaitis wrote:
> >
> >> These are all great observations and thanks for bringing them
> >> forward. I
> also agree with Avri, Kathy, Marc and others.
> >>
> >> Would it be possible for someone who has already contributed to this
> >> list
> to also write a brief statement and send it to the list for endorsement? It would be ideal if it could be a NCSG statement, but in any case it looks like it can be a NCUC one.
> >
> >
> > I am willing to work on one with others. Perhaps someone can start by
> > collecting the contents into an etherpad of some politically
> > acceptable kind <http://etherpad.org/public-sites/> (speaking of
> > which, do any of the members host an etherpad?)
> >
> > With 10 Feb being the deadline for submission, when would such a draft
> need to be available for the NC-membership review in order to not need a last minute heroic effort from one of the NCstewards..
> >
> > avri
>
More information about the Ncuc-discuss
mailing list