[Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

John Horton john.horton at legitscript.com
Tue Jan 7 15:01:36 UTC 2014 

Hi Michele,

Thanks. Nope, my intent wasn't to ask a question or suggest concrete action
at this point -- we'll certainly have some of those later! As Gema did, I
wanted to provide some contextual background on the jurisdictional issue.

Thanks,

John Horton
President, LegitScript



*Follow LegitScript*:
LinkedIn<http://www.linkedin.com/company/legitscript-com>
|  Facebook <https://www.facebook.com/LegitScript>  |
Twitter<https://twitter.com/legitscript>
|  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
<http://blog.legitscript.com>*  |
Google+<https://plus.google.com/112436813474708014933/posts>


On Tue, Jan 7, 2014 at 3:05 AM, Michele Neylon - Blacknight <
michele at blacknight.com> wrote:

>  John
>
>
>
> You’ve given an example of an issue, but unless I’m missing something you
> haven’t actually asked a specific question or suggested any action?
>
>
>
> Or if you have, as I said, I missed it
>
>
>
> Regards
>
>
>
> Michele
>
>
>
>
>
> --
>
> Mr Michele Neylon
>
> Blacknight Solutions
>
> Hosting & Colocation, Domains
>
> http://www.blacknight.co/
>
> http://blog.blacknight.com/
>
> http://www.technology.ie
>
> Intl. +353 (0) 59  9183072
>
> Locall: 1850 929 929
>
> Direct Dial: +353 (0)59 9183090
>
> Fax. +353 (0) 1 4811 763
>
> Twitter: http://twitter.com/mneylon
>
> -------------------------------
>
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>
> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
>
>
>
> *From:* gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *John Horton
> *Sent:* Monday, January 6, 2014 8:54 PM
> *To:* Metalitz, Steven
> *Cc:* gnso-ppsai-pdp-wg at icann.org
>
> *Subject:* Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>
>
> Also with apologies for my delay, I wanted to echo Gema's concerns
> (speaking both in my current role and also as a former prosecutor), and
> provide another real-life illustration that, I hope, will be helpful
> context.
>
>
>
> First, as background: my company, LegitScript, works with many registrars
> (and search engines, e-commerce platforms, etc.) to identify and submit
> notification about "rogue" Internet pharmacies -- websites masquerading as
> pharmacies but with no valid (or forged) pharmacy licenses; selling
> falsified drugs; selling drugs without a prescription, and so forth. This
> is not only illegal, but can lead to (and has led to) illness or death. We
> are not a government agency, but are endorsed<http://www.legitscript.com/download/NABP_Recognition_LegitScript_International_Internet_Pharmacy_Standards_2012.pdf>on behalf of those government regulatory authorities in some countries to
> submit notifications to registrars and for registrars to terminate services
> (including, where appropriate, privacy/proxy services) to registrants
> engaged in this illicit activity. We have found that most registrars are
> responsible and take voluntary action to ensure that their services are not
> being used by criminals, who -- unfortunately -- do rely heavily on
> anonymous Whois services.
>
>
>
> As Gema indicates, cybercriminals are adept in using the fundamentally
> "jurisdictionless" aspect of the Internet, combined with some registrars'
> insistence on a court order from their jurisdiction, to create a "safe
> haven" resulting in a practical inability of any law enforcement agency
> anywhere to take any action at all. The insistence on a court order, as
> opposed to taking voluntary action based on one's terms and conditions,
> plays right into the hands of criminals, because it is quite easy to choose
> a registrar in a jurisdiction where it will be almost impossible for any
> court to ever issue an order -- at least, in the area of "rogue pharma."
> Here is a real-life example that we deal with every day. (The countries
> below are merely illustrative examples; they can be easily replaced with
> other countries.)
>
>    - A website is selling fake or toxic drugs (or drugs without a
>    prescription, falsely posing as a pharmacy, etc.) targeting the residents
>    of Country "A." (For illustrative purposes, we will say to the US, but this
>    is not a US-only problem.)
>    - The registrar is in, say, the United Kingdom.
>    - The registrant is in Russia.
>    - The content is being hosted in Japan.
>    - The fake drugs are shipped from Pakistan.
>    - The fake drugs are only being marketed to the US -- not to the UK,
>    Russia, Pakistan or Japan.
>
>  We submit an abuse notification to the registrar, who says that they
> require a court order from the UK -- the registrar's jurisdiction -- to
> take any action. As a practical matter, it is impossible to ever get a
> court order. Here's why:
>
>    - The drugs are not being marketed to the UK. One cannot point to a
>    violation of UK drug safety laws, since the drugs never enter the UK. (Put
>    differently, one cannot ask a court in "Country A" to issue an order based
>    on a violation of the laws in Country "B".) So, the registrar is insisting
>    upon an impossibility.
>    - If the registrar says, "Go talk to the ISP; it's not our problem,"
>    there is also no violation of that country's laws. And, for reasons I can
>    explain another time, it is wholly ineffective to complain to content
>    hosting companies. (And, of course, the content host has nothing to do with
>    the Whois record, if that is the issue.)
>    - Law enforcement in the registrant's country -- in our example,
>    Russia -- similarly has no jurisidction. Why? Because the drugs come from
>    and are targeted at other countries. No violation of Russian drug safety or
>    medicine laws exists unless the drugs are actually shipped into Russia.
>    - Similarly, drug laws in most countries are such that the law of the
>    country where the drugs are shipped from may not be violated if no
>    customers are there.
>    - And also similarly, law enforcement can generally only seek and
>    receive a court order against an entity located in the court's
>    jurisdiction. (Put differently, a court in the US has no jurisdiction over
>    a registrar in the UK: the registrar can simply ignore the court order, so
>    most courts will not even issue the order.)
>
>  You can see here that nobody anywhere has the ability to issue or
> receive a binding court order. This is not merely a rare example; it is a
> very common fact pattern we see with rogue Internet pharmacies: to choose a
> registrar that is not in the jurisdiction where the drugs come from, are
> sold to, or where the registrant is located, so that if -- as the rogue
> Internet pharmacy hopes -- the registrar insists on a court order before
> taking any action, the criminal can rest comfortably knowing that it will
> never be possible. We deal with this type of circumstance -- again, the
> countries change depending on the website -- multiple times each day.
>
>
>
> Again, many registrars we work with understand the conundrum presented
> above, and take voluntary action upon a showing that the website is being
> used in furtherance of this sort of activity, irrespective of jurisdiction.
> We continue to encourage registrars to develop internal anti-abuse policies
> in this area that clarify the circumstances in which they will take
> voluntary action.
>
>
>
> I hope that the illustration above is also helpful and on-point and not
> outside of the scope of this group; please do not hesitate to let me know
> if not. (The example does relate to broader anti-abuse issues, but also to
> the question of privacy/proxy services.) Please do not hesitate to contact
> me should you require any clarification or have any questions.
>
>
>   John Horton
> President, LegitScript
>
>
>
>
>
> *Follow* *Legit**Script*: LinkedIn<http://www.linkedin.com/company/legitscript-com>
> |  Facebook <https://www.facebook.com/LegitScript>  |  Twitter<https://twitter.com/legitscript>
> |  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
> <http://blog.legitscript.com>*  |  Google+<https://plus.google.com/112436813474708014933/posts>
>
>
>
> On Mon, Jan 6, 2014 at 8:16 AM, Metalitz, Steven <met at msk.com> wrote:
>
>  With apologies for delay, I echo Don’s response, and submit that the
> issues Gema raises go to the center of our task.
>
>
>
> Steve Metalitz
>
>
>
>
>
>
>
> *From:* gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *Don Blumenthal
> *Sent:* Saturday, December 21, 2013 2:38 PM
> *To:* Campillos Gonzalez, Gema Maria; gnso-ppsai-pdp-wg at icann.org
>
>
> *Subject:* Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>
>
> Gema,
>
>
>
> Thanks very much for your very thorough and interesting post. I appreciate
> your comments, which definitely are not out of scope at all.
>
>
>
> Regards,
>
>
>
> Don
>
>
>
> =========================
>
> *DON M. BLUMENTHAL, Esq.*
>
> Senior Policy Advisor, Public Interest Registry
>
> dblumenthal at pir.org
>
> Office: +1 734 418-8242  | Mobile: +1 202 431-0874 | Skype: donblumenthal
> |
>
> www.pir.org | Facebook <http://www.facebook.com/pir.org> | Twitter<http://twitter.com/PIRegistry>
>  | Instagram <http://instagram.com/piregistry> | YouTube<http://www.youtube.com/PIRegistry>
>
>
>
> *From: *"<Campillos Gonzalez>", Gema Maria <GCAMPILLOS at minetur.es>
> *Date: *Thursday, December 19, 2013 at 2:27 PM
> *To: *"gnso-ppsai-pdp-wg at icann.org" <gnso-ppsai-pdp-wg at icann.org>
> *Subject: *Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>
>
> Dear all,
>
>
>
> First of all, I introduce myself. My name is Gema Campillos and I´m a
> civil servant in Spain. My current position is Deputy Director on
> Information Society Services (in the Ministry of Industry, Energy and
> Tourism) and I represent my country at the GAC. I would like to stress from
> the outset that I´m not a representative for the GAC in this GNSO working
> group.
>
>
>
> My interest in participating in this WG comes from the hurdles proxy and
> privacy services suppose for the exercise or supervisory powers over
> service providers subject to Spanish law. They may serve legitimate
> purposes, like preventing spam or phishing attacks, or even prosecution in
> countries with limited freedom of speech, but in my experience, proxy and
> privacy services are overwhelmingly used by infringers of consumer
> protection and intellectual property laws.
>
>
>
> We oversee websites addressing the Spanish market. The Ministry of
> Education, Culture and Sports supervise websites violating IPRs of right
> holders in Spain as well. They all have to comply with Spanish law. But,
> some of them choose to move to other locations to escape from public
> authorities control (their servers are located outside, their hosting
> providers are beyond our frontiers…), they hide behind “straw men” or hire
> a privacy or proxy service in another country to replace their Whois
> information. But, they still target the residents in Spain by providing
> information in Spanish, pricing in euros, displaying adverts of Spanish
> companies, etc.
>
>
>
> Some of the privacy and proxy services also spread their reach to foreign
> markets. Godaddy is a conspicuous instance. It detects you access the
> Internet through an IP address in Spain and directs you to
> http://es.godaddy.com. There, information is given in Spanish with a
> local telephone number for assistance. Those also fall within the scope of
> Spanish Law 34/2002, of 11 July, on Information Society Services and
> E-Commerce.
>
>
>
> We have addressed proxy and privacy services on several occasions to
> request them to reveal to us the identity of the domain name holder, but
> they have refused to do so, arguing that they can only disclose that
> information to “law enforcement agencies” (aren´t we one of those?) or to
> “a state or federal court located in the United States”. If we were to seek
> a court order to be conveyed to foreign courts, recognized and executed by
> them, which we are not obliged to do according to our national law, the
> website at issue could have disappeared by then and our action would be
> useless. I enclose two sample answers.   *I hope the companies named in
> this e-mail and in the examples don´t take offence. I do not have any
> animosity against them.
>
>
>
> To be fair, I must confess that IP providers, hosting services… also make
> this kind of excuse sometimes. Vey often they don´t even respond to our
> requests.
>
>
>
> The Internet grants providers, however small they are, the ability to sell
> or offer information globally. But, I think that when you benefit from
> access to a market you must be obliged to abide by its rules as well (in
> the EU we apply the “country of origin” principle to the Internet except
> for consumer protection and some other exceptions since there´s a high
> level of harmonization among us). This rule of thumb in the physical world
> is not respected on the Internet to the detriment of recipients of services
> in local markets. A company doing business internationally should be able
> to cooperate with local authorities. Otherwise, it is helping infringers of
> local laws to pursue their illegal activities.
>
>
>
> I understand verifying the authenticity of public authorities requests
> when a company provides its services worldwide, the competence of that
> authority to issue that request and ascertaining the information is not
> going to be used against human rights treaties cannot be automated like all
> the processes of registries, registrars and other Internet service
> providers. But, they should do something to cooperate with public
> authorities. In this regard, I draw your attention to the Internet &
> Jurisdiction project (http://www.internetjurisdiction.net) that is
> undertaking the challenge to devise a protocol based on self-regulation to
> overcome the barriers jurisdiction limits pose to law enforcement efforts.
>
>
>
> Sorry for this long message. You might come to the conclusion at the end
> of it that my concerns are outside the scope of this WG. In this case,
> please let me know and I won´t bother you anymore.
>
>
>
> I attach the questionnaire for the EWG with some questions –the ones I can
> answered- filled in.
>
>
>
> As we are almost in Christmas, I wish you enjoy this season and have a
> happy new year.
>
>
>
>
>
>
>
> Gema Campillos
>
> Deputy Director of Information Society Services
>
> Secretary of State for Telecommunications and Information Society
>
> Telf: 34 91 346 15 97
>
> SPAIN
>
>
>
> *De:* gnso-ppsai-pdp-wg-bounces at icann.org [
> mailto:gnso-ppsai-pdp-wg-bounces at icann.org<gnso-ppsai-pdp-wg-bounces at icann.org>]
> *En nombre de *Mary Wong
> *Enviado el:* miércoles, 18 de diciembre de 2013 0:46
> *Para:* gnso-ppsai-pdp-wg at icann.org
> *Asunto:* [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions
>
>
>
> Dear Working Group members,
>
>
>
> Please find attached the draft questions that were discussed during the WG
> call earlier today. As mentioned, the Expert Working Group intends to send
> out the final text and questions by mid-January, and as such feedback and
> suggestions from this WG should be sent to them no later than *Friday 10
> January 2014*. To expedite WG discussion and finalization of feedback, we
> suggest inserting any comments you may have in the attached document. In
> order to facilitate discussion at the next WG call on *Tuesday 7 January
> 2014*, please send your annotated document to me as soon as you can –
> staff will collate all responses received for the 7 January call. In the
> interest of expediency, you may wish to indicate that your comments are
> made in your personal capacity should it prove difficult to obtain your
> constituency/stakeholder group/community's feedback and sign-off in the
> timeline within which we are working.
>
>
>
> Since waiting to start and finish all WG discussions about this survey in
> that single call on 7 January is an ambitious undertaking, however, it
> would be tremendously helpful if comments, questions and thoughts could be
> posted to this mailing list between now and then. For example, you may wish
> to circulate your written comments on the questions to the list to
> kickstart discussions or raise concerns about particular questions.
>
>
>
> For the most effective and efficient use of your time, you may wish also
> to focus on commenting on the scope and substance of each draft question
> rather than redrafting them. The EWG also welcomes feedback on the types of
> questions that should be asked and that are missing from the current draft.
>
>
>
> Thank you all for an excellent discussion today – and happy holidays to
> you and yours!
>
>
>
> Cheers
>
> Mary
>
>
>
> Mary Wong
>
> Senior Policy Director
>
> Internet Corporation for Assigned Names & Numbers (ICANN)
>
> Telephone: +1 603 574 4892
>
> Email: mary.wong at icann.org
>
>
>
> * One World. One Internet. *
>
>
> _______________________________________________
> Gnso-ppsai-pdp-wg mailing list
> Gnso-ppsai-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ppsai-pdp-wg/attachments/20140107/3e7fca3a/attachment-0001.html>

More information about the Gnso-ppsai-pdp-wg mailing list