.CAT WHOIS Proposed Changes - call for public comments - Think hard!!

Timothe Litt litt at ACM.ORG
Mon Jan 23 17:54:15 CET 2012


 
I understand how the tech is supposed to work.  What you did happened AFTER
I saw the garbling.  Really.

The section "We do not understand" above KK's paragraph was completely
missing when I opened a new browser window - despite the fact that it showed
(but not in green) on the old one.  And yes, I had clicked "save".

There were other sections that I had added or edited that didn't appear.

The strike-out section had been an in-line edit when I sent the first mail.
But the edit had also disappeared.  So when I re-did it, I struck out the
partial line instead.

I also had tried scrolling back thru the time line to find my missing edits
- but they weren't there.

I've spent many years as an engineer - I don't blame tech casually.  You can
believe what I report actually happened to me....whatever your experience
has been.

FWIW, I was editing using IE 8 under XP SP3 - in an XP mode window under
windows 7 ultimate.

I actually was hoping that etherpad  would work as advertised :-)

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Avri
Doria
Sent: Monday, January 23, 2012 10:10
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
comments - Think hard!!

Hi,

I do not believe it was garbling of the page.  It is rather that I went in
afterwards and deleted the line you struck out and brought the two segments
of the line together, making some other edits.

That is the way this technology works, we can all interact with it in real
time and change the document.

If you prefer to go back to email iterations, I suppose that works too.

avri

On 23 Jan 2012, at 07:41, Timothe Litt wrote:

> I returned to the page and saw that it was garbled and that some of my
> markup was missing.  So this technology isn't reliable.
> 
> I attempted to re-create what I produced, and have pasted it here.  This
> loses the colors, but at least it preserves the text.
> 
> I hope I got it all - really have to run now...
> 
> 
>  
> The NCxy wishes to express its support for punctCat's proposed amendment
> that would allow natural persons an opt out measure by which some WHOIS data
> would be withheld.
>  
> We recognize that this proposed amendment is intended to enable
> punctCat to comply with EU data privacy laws.  However, it raises broader
> issues that we believe should also be considered at this time to establish
> general policy for all domains.  In addition, we have some technical
> concerns with the proposal.
>  
> We do not believe this request goes far enough in terms of
>  
> We also, however want to state that we do not believe this request goes
> far enough in terms of offering the opt-out opportunity.  The NCxy believes
> there are several types of institution that require a similar opportunity.
> Among those institutional types are organizations that:
>  
> 	• protect natural persons 
> 	• deal with political freedoms, 
> 	• deal with religious freedoms, 
> 	• deal with sexual preference and expression,
> 	• deal with political minorities, 
> 	• deal with religious minorities, 
> 	• parents groups that deal with children's activities such as sports
> 	  teams, home-schooling and other childcare issues.
>  
>  
> Whether or not these organizations have suitable protections under EU law,
> we believe that the technical means for providing them data privacy should
> be incorporated into WHOIS as part of this proposal.  This will allow
> consistent implementation of these protections in jurisdictions where they
> are allowed/required without another change to WHOIS.
>  
> The generally accepted practice for data privacy is to opt-in to sharing
> private information; this proposal defaults to sharing (e.g. is an opt-out
> mechanism.)  The default should be not to share.  In any case, care should
> be taken to ensure that data is not shared between the time it is provided
> and the first opportunity that the submitter has to specify "do not share."
>  
> Additionally the NCxy is concerned by several aspects of the request that
> allow law enforcement  and trademark enforcement unbridled access without
> prior due process provisions ...
>  
> Access to private data should require a reason that is logged with each
> access.  While the allowable reasons may vary by jurisdiction, they must be
> disclosed to the registrant before private  data is accepted.  The subject
> of the private data should be notified of such access promptly (delayed
> if a competent authority rules that notification would impede a criminal
> investigation).
>  
> The submitter of private data must be able to validate that the data
> submitted is correctly displayed by the WHOIS system, despite the privacy
> controls.
>  
> The proposal incorporates a whitelist of IP addresses to allow "Law
> Enforcement" and others unrestricted access to private data.  IP addresses
> are not a sufficient security mechanism for personal data.  IP addresses can
> be spoofed.  Further, IP addresses do not provide sufficient granularity or
> traceability of access.  Current practice requires that accesses to private
> data must be traceable to a specific individual to provide the capability for
> audit as well as individual accountability for data use.  Thus, access
> should be controlled by individual account privileges - e.g. using
> username/passwords, X.509 certificates, physical tokens or the like.
>  
> We do not understand what a "trademark protection representative" is, nor
> why such representatives should have the same access to private data as do
> law enforcement representatives.  We believe that the current trademark
> protection regime offered in the context of gTLDs (old and new) is
> sufficient to deal with issues of infringement.  Trademark protection
> representatives should be able to use the webform proxy to contact
> registrants, or involve law enforcement as necessary.  Why is this not
> sufficient?
>   
> 	• And, here there should be a clear distinction - Law enforcement
> 	  and trademark enforcement constitute different things serving different
> 	  purposes. Whilst NCxx is concerned about the degree of information provided
> 	  to law enforcement agencies, at the same time, we are more concerned about
> 	  data provided for trademark enforcement purposes. We believe that the
> 	  current trademark protection regime offered in the context of gTLDs (old and
> 	  new) is sufficient to deal with issues of infringement and, thus, no more
> 	  information should be provided about domain name registrants.
>  
>  
> --- Email References----useful for cutting and pasting-- to be deleted 
> or at least not included---
>  
>  
> .CAT proposes to revise its Registry agreement to support withholding 
> of some WHOIS data by individuals who opt out. It will not offer this 
> opt-out to legal persons.
>  
> I propose that NCSG support this amendment, with a simple: "NCSG 
> supports the availability of WHOIS privacy options for natural persons.
> Accordingly, we support puntCAT's proposed amendment."
>  
> --Wendy
>  
> ---
>  
>  
> I agree, but I wonder whether it is  worth suggesting something that goes
> one step further, the protection of some legal persons (mostly NGO and other
> civil society orgs) whose day to day operations are concerned with
> protecting natural persons facing a variety of  physical threats.
>  
> So, I suggest we support, but say it does not go far enough.
>  
> (have not read it yet, going on your abstract -  if they do have such 
> an exception - i support it all the way)
>  
> avri
>  
> ----
>  
> I had a cursory look at the supporting documents for this.
> (http://www.icann.org/en/registries/rsep/puntcat-cat-request-05oct11-en.pdf)
>  
> In general, I think that the request moves practice in the right
> direction.
>  
> However, I am somewhat concerned by the following language:
>  
> "Law enforcement and trademark protection representatives will be 
> granted full access to puntCAT database. An IP white list will be 
> established to provide full access to gather all data associated with 
> any concrete domain name."
>  
> ("IP" clearly means "IP address" if you read the whole document.)
>  
> A) What is a "trademark protection representative", and why are they 
> granted equal access to the privacy-protected data of natural persons 
> as law enforcement?
>  
> B) Why can't they use the webform proxy for contacting the domain 
> owner, or present a case to law enforcement for access if the owner is
> unresponsive?
>  
> C) It also seems that both have the ability to troll thru the database 
> at will for any purpose, without cause, judicial review or documenting 
> when and why private information is accessed.
>  
> D) Note that this ability is based on IP address - not an X.509 
> certificate, password or any other user-specific security mechanism.  
> Hence it is susceptible to IP spoofing, and access is not traceable to 
> the individual accessing the data.  This makes it difficult 
> (impossible?) to hold anyone accountable for misuse of these privileges.
>  
> E) Also, disclosure is described as "opt-in (default option)" - as the 
> following language in the document makes clear, privacy is not the 
> default and must be requested.  This is not consistent with maximizing 
> privacy, and potentially introduces race conditions if establishing 
> the privacy option is not atomic with registering a domain.  For 
> natural persons, privacy should be the default.
>  
> Thus, although this is a positive step in the direction of protecting 
> the privacy of natural persons, there is room for improvement.
>  
> I leave to those more experienced in the politics of ICANN the 
> political question of whether to take what's on offer now and fight 
> the next battle later, or to raise these points in our comment on the
> current request.
>  
>  
> Timothe Litt
> ACM Distinguished Engineer
>  
> ---
>  
> I think this is a very dangerous slippery slope. Natural persons deserve
> privacy, yes, and that is completely consistent with the EU Data Protection
> Directive.  But in the US and other places around the world Organizations
> deserve privacy protection too.  If we give this up now, we will never get
> it back.
>  
> I strongly agree with Avri that the organizations that protect natural 
> persons are important, and so too are the organizations that deal with 
> political freedoms, religious freedoms, political minorities, 
> religious minorities, and even organizations who are parents 
> organizing baseball teams, soccer teams and home-schooling groups.  
> Organizations are the **perfect example** of what a Noncommercial 
> Message does **not need to be tied into a Physical Address in a  
> Globally Available Database.**
>  
> What law enforcement really cares about is using the Whois to track 
> down those who do e-commerce deals and then cheat someone. That's 
> fair, and I and others are working on ways to help them with very 
> narrowly-tailored policies. But that does not mean that we give up the 
> Privacy of those engaged in Noncommercial Conduct or simply ordinary 
> conduct (and in the US, that includes Organizations engaged in an 
> array of protected speech -- note: we had a case where law enforcement 
> wanted all the members of an NAACP branch, "a civil rights 
> organization for ethnic minorities in the united States," and the 
> answer was "no" on privacy grounds - organizations have rights of 
> privacy and speakers of all types, including those banded together in 
> organizations have privacy in their contentious, minority speech.)
>  
> Please know: that there is an ongoing move in the gTLDs to eliminate proxy
> and privacy services, and if they prevail (now or 10 years from now), we
> will be left with only the slim protections, if any, in the ICANN Whois
> database.  So yes, if .CAT (Catalonia, Spain) wants privacy for its
> individuals, that's great. But it sets a precedent for all gTLDs, and in
> that precedent, we need all Organizations not actively engaged in e-commerce
> protected too.
>  
> Big sigh, as that is a lot to talk about. I have lived Whois policies for
> the last year as Vice-Chair of the Whois Review Team, and for 10 years
> before that as one of the diligent NCUC reps on Whois Task Forces (including
> Milton, Wendy, Robin).
>  
> As a policy matter, I would ask that our NCUC leaders strongly urge .CAT
> to modify its proposal to offer privacy protection for all noncommercial
> organizations that request it, too, as a condition of our support.
>  
> Best, Kathy (Kleiman)
> Co-Founder, NCUC
> Vice-Chair, Whois Review Team
>  
> ---
>  
> On this point, there are a couple of US cases that are relevant.
>  
> In NAACP v. Alabama (1958) the US Supreme Court held that the state of 
> Alabama could not force the disclosure of the NAACP membership lists. 
> The Court said that the right to freedom of association would be 
> limited if the names of members of unpopular organizations could be 
> obtained by the government.
>  
> This is a very influential opinion that also contributed to later 
> decisions protecting anonymous speech as a part of freedom of 
> expression.
>  
> More recently, the US Supreme Court held in  an open government case 
> that AT&T could not claim a right of "personal privacy." Corporations, 
> though they may be "legal persons" do not have a right "personal 
> privacy."
>  
> Obviously, we believe there should be strong privacy safeguards for 
> individuals as opposed to corporations.
> But it may be worth considering, in the context of ICANN and WHOIS, 
> whether political associations are entitled to some privacy rights, 
> given the close relationship to the exercise of political freedom.
>  
> This would seem to be a reasonable position for the NCSG to put 
> forward.
>  
> Regards to all,
>  
> Marc Rotenberg.
>  
> PS Press associations also, in some contexts, are entitled to greater 
> privacy rights
>  
>  
> >>So what does the word "Law Enforcement" mean? American only - or ANY
> >>country. Seems to me that it would have to mean any country as all countries
> >>are theoretically equal on the Internet.
>  
> Fair point.  But the emphasis on American is misplaced in this case.  
> The stated context for the request is compliance with the EU's data 
> privacy protection laws - which are somewhat different (stronger in 
> most respects) than US law.  .cat is controlled by a Spanish entity.  
> So the US is involved only by treaty, international "law", and its 
> special role in ICANN.  (Some countries are more equal than others - 
> at least in practice.)
>  
> It's important that the whois privacy rules not rely implicitly on the EU
> (or any nation's) administrative rules/processes.  This is an area where a
> baseline standard should be established for all domains.  Domains providing
> more (or less) privacy to meet local law or other requirements must be
> required to prominently and clearly disclose deviations to applicants.
>  
> Our comments on this will establish a precedent for similar requests from
> others - so we do need to be careful that they reflect a consistent set of
> principles that apply to all domains/registries.  Among these should be:
>  
> 	• A presumption of privacy for natural persons - with clear
> 	  disclosure of deviations from the standard prior to accepting data.
>  
> 	• A mechanism (aka privacy proxy) that allows contacting the
> 	  registrant (any of the whois contacts) promptly for legitimate purposes:
> 	  administrative, technical, abuse, service of process - while maintaining the
> 	  registrant/contacts' privacy.  This mechanism should be auditable - use
> 	  should be logged and traceable.
>  
> 	• The database containing the private data must be secure -
> 	  protected by per-user security with each access to the private data logged
> 	  and traceable back to the individual.  Data extracted from the database must
> 	  be handled in the same way.
>  
> 	• To the extent that "law enforcement" or others have access to the 
> entire database, the allowable reasons for accessing data must be 
> listed, with procedures for audit and review.  (Note that there are 
> legitimate reasons for such access - e.g. find the physical address of 
> a network disruptor, or identify all domains registered by a criminal 
> enterprise.  Don't sidetrack on who defines "criminal".)
>  
> With respect to the comments on privacy for organizations - I understand
> the desire (e.g. a shelter for victims of abuse).  However, my understanding
> (I'm neither a lawyer nor resident in the EU) is that organizations are
> treated differently by the EU privacy law - and generally must disclose
> location and contact information.  We can't legislate or require registries
> to violate local law.  (That's what started this - current whois practice
> for individuals violates the EU data privacy laws!)  We can identify the
> need and require that the technical means be in place to protect the privacy
> of organizations.  We can also, as with natural persons, set a default
> standard and require disclosure of deviations.  However, I don't think we
> want to be in the business of lobbying for specific changes in local laws...
>  
>  
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views, 
> if any, on the matters discussed.
>  
>  
>  
>  
>  
> 
> 
> 
> ---------------------------------------------------------
> This communication may not represent my employer's views, if any, on 
> the matters discussed.
> 
> -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of 
> Timothe Litt
> Sent: Monday, January 23, 2012 07:03
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
> comments - Think hard!!
> 
> I added my last e-mail to the end, and also marked up the draft.  Note
> that for some reason, all of my markup was not colored.
> 
> My markup isn't polished, and I don't think it has everything from my
> comments, but it's a start - and all I have time for at the moment.  I do
> think that it ought to start with a statement of principles (e.g. something
> like what I started in my last e-mail).
> 
> I hope that this is helpful.  Feel free to make further changes & I'll try
> to check in again later.
> 
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views, if
> any, on the matters discussed.
> 
>  -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of 
> Konstantinos Komaitis
> Sent: Monday, January 23, 2012 04:40
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
> comments - Think hard!!
> 
> Thanks Avri for taking a lead on this - I have added a small paragraph on
> trademark enforcement. I really hope we get to do this and I would like to
> repeat if there is any objection in sending this as an NCSG position.
> 
> Thanks
> 
> KK
> 
> Dr. Konstantinos Komaitis,
> 
> Senior Lecturer,
> Director of Postgraduate Instructional Courses Director of LLM 
> Information Technology and Telecommunications Law University of 
> Strathclyde, The Law School, Graham Hills building, 50 George Street, 
> Glasgow G1 1BA UK
> tel: +44 (0)141 548 4306
> http://www.routledgemedia.com/books/The-Current-State-of-Domain-Name-Regulation-isbn9780415477765
> Selected publications:
> http://hq.ssrn.com/submissions/MyPapers.cfm?partid=501038
> Website: www.komaitis.org
> 
> 
> -----Original Message-----
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of 
> Avri Doria
> Sent: Sunday, 22 January 2012 1:40 PM
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] .CAT WHOIS Proposed Changes - call for public
> comments - Think hard!!
> 
> http://openetherpad.org/8hyZwpLw9P
> 
> 
> On 22 Jan 2012, at 08:31, Avri Doria wrote:
> 
> > On 22 Jan 2012, at 06:09, Konstantinos Komaitis wrote:
> >
> >> These are all great observations and thanks for bringing them 
> >> forward. I also agree with  Avri, Kathy, Marc and others.
> >>
> >> Would it be possible for someone who has already contributed to 
> >> this list to also write a brief statement and send it to the list for
> >> endorsement?  It would be ideal if it could be a NCSG statement, but in
> >> any case it looks like it can be a NCUC one.
> >
> >
> > I am willing to work on one with others.  Perhaps someone can start 
> > by collecting the contents into an etherpad of some politically 
> > acceptable kind <http://etherpad.org/public-sites/>  (speaking of 
> > which, do any of the members host an etherpad?)
> >
> > With 10 Feb being the deadline for submission, when would such a 
> > draft need to be available for the NC-membership review in order to not
> > need a last minute heroic effort from one of the NCstewards..
> >
> > avri
> 
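
Added example (not part of the original thread or of puntCAT's proposal): a Python sketch contrasting the IP-whitelist access that the draft comment objects to with the per-account, reason-logged access it asks for, together with the default-private view. Account names, reason codes, addresses and the record are constructed, and authentication of the user is assumed to happen upstream.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data: every name, address and reason code is hypothetical.
IP_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_REASONS = {"court-order", "abuse-investigation"}
ACCOUNTS = {"officer.a": {"private-whois"}, "clerk.b": set()}
PUBLIC_FIELDS = ("domain", "contact_form")
RECORD = {
    "domain": "example.cat",
    "contact_form": "https://registry.example/contact/example.cat",
    "registrant": "Jane Doe",
    "street": "1 Example Street",
    # no "share" key: the registrant never opted in to disclosure
}


def public_view(record):
    """Default is not to share: private fields appear only on explicit opt-in."""
    if record.get("share", False):
        return {k: v for k, v in record.items() if k != "share"}
    return {k: record[k] for k in PUBLIC_FIELDS}


def whitelist_lookup(src_ip, record):
    """The design the thread criticises: the source address is the only check."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in IP_WHITELIST):
        return dict(record)  # full data; no person, no reason, nothing recorded
    return public_view(record)


def audited_lookup(user, reason, record, audit_log):
    """Per-account privilege plus a stated reason; every attempt is logged.

    Assumes `user` was authenticated upstream (password, X.509 client
    certificate or token); that step is outside this sketch.
    """
    granted = ("private-whois" in ACCOUNTS.get(user, set())
               and reason in ALLOWED_REASONS)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "domain": record["domain"],
        "reason": reason,
        "granted": granted,
    })
    return dict(record) if granted else public_view(record)


def accesses_to_notify(domain, audit_log):
    """Granted accesses that the registrant should be told about."""
    return [e for e in audit_log if e["domain"] == domain and e["granted"]]
```

With the whitelist, any host in the listed range gets the full record and leaves no trace; with the audited path, a denied or granted request always produces a log entry naming the account and the stated reason.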

