[council] Regarding law enforcement access to data

Bruce Tonkin Bruce.Tonkin at melbourneit.com.au
Tue Apr 11 05:37:52 UTC 2006 

Hello Philip,

Much seems to be made of the law enforcement issues of access to data.

The argument seems to be:
(1) Law enforcement need access to data for investigation

(2) The data must be made public for everyone in the world to see for
this to happen

I can't understand this logic.

The policy development process is focussed on the release of information
to the public via the WHOIS service (either through the port-43 protocol
or the http protocol).

Registrars have substantial data that is useful for law enforcement
efforts including credit card information, the source IP addresses used
in transactions, etc that is not published in the WHOIS.  ISPs also have
information relating to who was allocated a particular IP address at any
point in time.  Registrars already have processes for supplying
necessary data to law enforcement.  I am sure this can be improved - but
that should be either the subject of a separate policy development
effort, or, in the first instance, a discussion between law enforcement
and registrars.

You mention the issue of data protection laws.  It is quite common for
data protection laws to specifically take into account requirements for
law enforcement.  This does not need to be explicitly included in a
registration agreement relating to the purpose or use of data collected.

For example, from the Australian National privacy principles at:
http://www.privacy.gov.au/publications/npps01.html

It states under the heading of "Use and disclosure":
"An organisation must not use or disclose personal information about an
individual for a purpose (the secondary purpose) other than the primary
purpose of collection UNLESS:

"(f) the organisation has reason to suspect that unlawful activity has
been, is being or may be engaged in, and uses or discloses the personal
information as a necessary part of its investigation of the matter or in
reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is
reasonably necessary for one or more of the following by or on behalf of
an enforcement body:

	(i) the prevention, detection, investigation, prosecution or
punishment of 	criminal offences, breaches of a law imposing a penalty
or sanction or 	breaches of a prescribed law;

	(ii) the enforcement of laws relating to the confiscation of the
proceeds of 	crime;

	(iii) the protection of the public revenue;

	(iv) the prevention, detection, investigation or remedying of
seriously 	improper conduct or prescribed conduct;

	(v) the preparation for, or conduct of, proceedings before any
court or 	tribunal, or implementation of the orders of a court or
tribunal."

The privacy principle also states:
"If an organisation uses or discloses personal information under
paragraph (h), it must make a written note of the use or disclosure."

So at least in Australia, law enforcement activities are already covered
under the privacy laws.

What is not envisaged in the privacy laws is that the method to provide
data to law enforcement should be via public publication.

There is literally no practical way to restrict the subsequent "use" of
data once it is published in the public.

There is mention about defining uses, but our role within the ICANN
mission is all about purpose - what is the purpose of providing certain
information to the public.   Whatever information is eventually
published to the public is clearly going to be "used" for an endless
range of activities - thus we need to be very careful in ensuring we
only provide information that is "sufficient" to meet the purpose of the
service.

Regards,
Bruce Tonkin

More information about the council mailing list