[gnso-rds-pdp-wg] possible requirements from GAC / law enforcement recommended documents

Rob Golding rob.golding at astutium.com
Thu Jul 14 19:31:30 UTC 2016


On 2016-07-14 17:38, Terri Stumme wrote:
> Law enforcement never requested "personal details, home address etc of
> senior STAFF of a Registrar listed on a website."

My recollections from what is around 7 years ago now are:

* the original "ask" dating back to pre 2009 was for the names and 
contact information for all executives and senior staff to be published

Other Registrars may recall the Brussels meeting (and earlier ones) 
where I believe this was discussed on our Tuesday
and/or have access to RrSG mailings which may hold more data (as I only 
joined that mailing list at the start of 2010)

There was a meeting I believe in Washington in 2010 between registrars 
and LEAs which I couldn't attend, which may also provide more details on 
their wants and whys

* this was then reduced down to just the names and I thought optional 
for other contact data

I certainly recall meeting with representatives from LEAs (including 
SOCA, FBI and Interpol) and discussing which jurisdictions 
provided/published publicly the company officer and ownership data 
whilst at the San Francisco meeting

"Registrar will display on the Registrar’s main website, and update as 
necessary, the name of the company’s executive management personnel, 
including its CEO and President as well as any other responsible 
officer(s) or executive(s)" with notes from 2011/2012
is on 
https://community.icann.org/display/RAA/Disclosure+of+Additional+Registrar+Information

And differences between one wishlist and another are summarised at
http://www.statewatch.org/news/2013/dec/icann-raa-lea-recommendations-11-03-01.pdf

Which is after Registrars / GNSO rejected the request, but were mostly 
prepared to let ICANN have the data (and had already become part of the 
accreditation process for new registrars to inform ICANN of such)

* my understanding was that the RAA negotiations team / GNSO had 
officially reduced this down to just "told to ICANN"
and whilst I don't have a document showing that to hand, it is implied on
https://community.icann.org/display/RAA/Point+of+Contact+on+Malicious+Conduct+Issues

* the final version of the RAA went back to having it on the website
and there was some discussion post-publication of the final RAA as to 
why that had reappeared having been removed once.

I don't know if my browser is simply broken or the URLs have simply 
moved, but
http://gnso.icann.org/en/correspondence/rap/idt/to/gnso/council/15nov10/en.pdf
can't be found which I thought might have more details

Perhaps someone from the Registrar RAA Negotiating Team can provide more 
details.



This is getting away from the salient point(s) which I would suggest are

1. if documents are circulated (and there is likely to be a lot of them) 
- a summary in the email of what the doc is and why it's being 
circulated will help all of us

2. remembering that many items are just someone's "wish-list" and not 
always actual/current/real/practical/legally-permissible requirements

3. we're all going to disagree with others on this subject as we all 
have our own separate opinions, history, agenda and expectations

I felt Volker got "jumped on" (and he has a significant amount of 
valuable history within ICANN & Registrars to draw upon) who has attended 
more meetings with Compliance and LEAs than I (and I've been to a lot of 
them) which was unnecessary.

Particularly when his comments related to highlighting that part of the 
LEA wants detailed all sorts of data collection and retention 
requirements including "techy stuff" about the IP/User-Agent/etc which 
doesn't tally with the actual way things are necessarily done, along 
with being specifically illegal/outlawed in certain areas


I highly recommend reading
https://www.icann.org/en/system/files/correspondence/kohnstamm-to-crocker-atallah-26sep12-en.pdf

QUOTE: 'The Working Party finds the proposed new requirement to annually 
re-verify both the telephone number and the e-mail address and publish 
these contact details in the publicly accessible WHOIS database 
excessive and therefore unlawful.'

Amongst other useful "gems"

Which leaves us as Registrars the dilemma that Law Enforcement have 
worked to add Contractual Requirements which the Law makers say are 
Unlawful !

>> On 2016-07-14 08:58, Catalyst-Vaibhav Aggarwal wrote:
>>> So now v agree to say that GAC / Law enforcement is over reaching

Yes, in some cases they are significantly over-reaching and/or trying to 
shift responsibility/work-load and/or trying to bypass "due-process" - 
everyone wants to make their life/job easier and cheaper :p

>> On 2016-07-14 08:58, Catalyst-Vaibhav Aggarwal wrote:
>>> YET we come back to the table and talk of Privacy and other
>>> related factors. How can it be ?

http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-WHOIS_.html


The purpose of the gTLD Whois service is to provide information 
sufficient to contact a responsible party for a particular gTLD domain 
name who can resolve, or reliably pass on data to a party who can 
resolve, issues related to the configuration of the records associated 
with the domain name within a DNS nameserver.



Rob


