[Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

John Horton john.horton at legitscript.com
Mon Jan 6 20:53:56 UTC 2014


Also with apologies for my delay, I wanted to echo Gema's concerns
(speaking both in my current role and also as a former prosecutor), and
provide another real-life illustration that, I hope, will be helpful
context.

First, as background: my company, LegitScript, works with many registrars
(and search engines, e-commerce platforms, etc.) to identify and submit
notification about "rogue" Internet pharmacies -- websites masquerading as
pharmacies but with no valid (or forged) pharmacy licenses; selling
falsified drugs; selling drugs without a prescription, and so forth. This
is not only illegal, but can lead to (and has led to) illness or death. We
are not a government agency, but are
endorsed <http://www.legitscript.com/download/NABP_Recognition_LegitScript_International_Internet_Pharmacy_Standards_2012.pdf>
on behalf of those government regulatory authorities in some countries to
submit notifications to registrars and for registrars to terminate services
(including, where appropriate, privacy/proxy services) to registrants
engaged in this illicit activity. We have found that most registrars are
responsible and take voluntary action to ensure that their services are not
being used by criminals, who -- unfortunately -- do rely heavily on
anonymous Whois services.

As Gema indicates, cybercriminals are adept in using the fundamentally
"jurisdictionless" aspect of the Internet, combined with some registrars'
insistence on a court order from their jurisdiction, to create a "safe
haven" resulting in a practical inability of any law enforcement agency
anywhere to take any action at all. The insistence on a court order, as
opposed to taking voluntary action based on one's terms and conditions,
plays right into the hands of criminals, because it is quite easy to choose
a registrar in a jurisdiction where it will be almost impossible for any
court to ever issue an order -- at least, in the area of "rogue pharma."
Here is a real-life example that we deal with every day. (The countries
below are merely illustrative examples; they can be easily replaced with
other countries.)

   - A website is selling fake or toxic drugs (or drugs without a
   prescription, falsely posing as a pharmacy, etc.) targeting the residents
   of Country "A." (For illustrative purposes, we will say to the US, but this
   is not a US-only problem.)
   - The registrar is in, say, the United Kingdom.
   - The registrant is in Russia.
   - The content is being hosted in Japan.
   - The fake drugs are shipped from Pakistan.
   - The fake drugs are only being marketed to the US -- not to the UK,
   Russia, Pakistan or Japan.

We submit an abuse notification to the registrar, who says that they
require a court order from the UK -- the registrar's jurisdiction -- to
take any action. As a practical matter, it is impossible to ever get a
court order. Here's why:

   - The drugs are not being marketed to the UK. One cannot point to a
   violation of UK drug safety laws, since the drugs never enter the UK. (Put
   differently, one cannot ask a court in "Country A" to issue an order based
   on a violation of the laws in Country "B".) So, the registrar is insisting
   upon an impossibility.
   - If the registrar says, "Go talk to the ISP; it's not our problem,"
   there is also no violation of that country's laws. And, for reasons I can
   explain another time, it is wholly ineffective to complain to content
   hosting companies. (And, of course, the content host has nothing to do with
   the Whois record, if that is the issue.)
   - Law enforcement in the registrant's country -- in our example, Russia
   -- similarly has no jurisdiction. Why? Because the drugs come from and are
   targeted at other countries. No violation of Russian drug safety or
   medicine laws exists unless the drugs are actually shipped into Russia.
   - Similarly, drug laws in most countries are such that the law of the
   country where the drugs are shipped from may not be violated if no
   customers are there.
   - And also similarly, law enforcement can generally only seek and
   receive a court order against an entity located in the court's
   jurisdiction. (Put differently, a court in the US has no jurisdiction over
   a registrar in the UK: the registrar can simply ignore the court order, so
   most courts will not even issue the order.)

You can see here that nobody anywhere has the ability to issue or receive a
binding court order. This is not merely a rare example; it is a very common
fact pattern we see with rogue Internet pharmacies: to choose a registrar
that is not in the jurisdiction where the drugs come from, are sold to, or
where the registrant is located, so that if -- as the rogue Internet
pharmacy hopes -- the registrar insists on a court order before taking any
action, the criminal can rest comfortably knowing that it will never be
possible. We deal with this type of circumstance -- again, the countries
change depending on the website -- multiple times each day.

Again, many registrars we work with understand the conundrum presented
above, and take voluntary action upon a showing that the website is being
used in furtherance of this sort of activity, irrespective of jurisdiction.
We continue to encourage registrars to develop internal anti-abuse policies
in this area that clarify the circumstances in which they will take
voluntary action.

I hope that the illustration above is also helpful and on-point and not
outside of the scope of this group; please do not hesitate to let me know
if not. (The example does relate to broader anti-abuse issues, but also to
the question of privacy/proxy services.) Please do not hesitate to contact
me should you require any clarification or have any questions.

John Horton
President, LegitScript





On Mon, Jan 6, 2014 at 8:16 AM, Metalitz, Steven <met at msk.com> wrote:

>  With apologies for delay, I echo Don’s response, and submit that the
> issues Gema raises go to the center of our task.
>
>
>
> Steve Metalitz
>
>
>
>
>
>
>
> *From:* gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *Don Blumenthal
> *Sent:* Saturday, December 21, 2013 2:38 PM
> *To:* Campillos Gonzalez, Gema Maria; gnso-ppsai-pdp-wg at icann.org
>
> *Subject:* Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>
>
> Gema,
>
>
>
> Thanks very much for your very thorough and interesting post. I appreciate
> your comments, which definitely are not out of scope at all.
>
>
>
> Regards,
>
>
>
> Don
>
>
>
> =========================
>
> *DON M. BLUMENTHAL, Esq.*
>
> Senior Policy Advisor, Public Interest Registry
>
> dblumenthal at pir.org
>
> Office: +1 734 418-8242  | Mobile: +1 202 431-0874 | Skype: donblumenthal
>
>
>
> *From: *"<Campillos Gonzalez>", Gema Maria <GCAMPILLOS at minetur.es>
> *Date: *Thursday, December 19, 2013 at 2:27 PM
> *To: *"gnso-ppsai-pdp-wg at icann.org" <gnso-ppsai-pdp-wg at icann.org>
> *Subject: *Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>
>
> Dear all,
>
>
>
> First of all, I introduce myself. My name is Gema Campillos and I'm a
> civil servant in Spain. My current position is Deputy Director on
> Information Society Services (in the Ministry of Industry, Energy and
> Tourism) and I represent my country at the GAC. I would like to stress from
> the outset that I'm not a representative for the GAC in this GNSO working
> group.
>
>
>
> My interest in participating in this WG comes from the hurdles proxy and
> privacy services suppose for the exercise of supervisory powers over
> service providers subject to Spanish law. They may serve legitimate
> purposes, like preventing spam or phishing attacks, or even prosecution in
> countries with limited freedom of speech, but in my experience, proxy and
> privacy services are overwhelmingly used by infringers of consumer
> protection and intellectual property laws.
>
>
>
> We oversee websites addressing the Spanish market. The Ministry of
> Education, Culture and Sports supervises websites violating IPRs of right
> holders in Spain as well. They all have to comply with Spanish law. But,
> some of them choose to move to other locations to escape from public
> authorities control (their servers are located outside, their hosting
> providers are beyond our frontiers…), they hide behind “straw men” or hire
> a privacy or proxy service in another country to replace their Whois
> information. But, they still target the residents in Spain by providing
> information in Spanish, pricing in euros, displaying adverts of Spanish
> companies, etc.
>
>
>
> Some of the privacy and proxy services also spread their reach to foreign
> markets. Godaddy is a conspicuous instance. It detects you access the
> Internet through an IP address in Spain and directs you to
> http://es.godaddy.com. There, information is given in Spanish with a
> local telephone number for assistance. Those also fall within the scope of
> Spanish Law 34/2002, of 11 July, on Information Society Services and
> E-Commerce.
>
>
>
> We have addressed proxy and privacy services on several occasions to
> request them to reveal to us the identity of the domain name holder, but
> they have refused to do so, arguing that they can only disclose that
> information to “law enforcement agencies” (aren't we one of those?) or to
> “a state or federal court located in the United States”. If we were to seek
> a court order to be conveyed to foreign courts, recognized and executed by
> them, which we are not obliged to do according to our national law, the
> website at issue could have disappeared by then and our action would be
> useless. I enclose two sample answers.   *I hope the companies named in
> this e-mail and in the examples don't take offence. I do not have any
> animosity against them.
>
>
>
> To be fair, I must confess that IP providers, hosting services… also make
> this kind of excuse sometimes. Very often they don't even respond to our
> requests.
>
>
>
> The Internet grants providers, however small they are, the ability to sell
> or offer information globally. But, I think that when you benefit from
> access to a market you must be obliged to abide by its rules as well (in
> the EU we apply the “country of origin” principle to the Internet except
> for consumer protection and some other exceptions since there's a high
> level of harmonization among us). This rule of thumb in the physical world
> is not respected on the Internet to the detriment of recipients of services
> in local markets. A company doing business internationally should be able
> to cooperate with local authorities. Otherwise, it is helping infringers of
> local laws to pursue their illegal activities.
>
>
>
> I understand verifying the authenticity of public authorities requests
> when a company provides its services worldwide, the competence of that
> authority to issue that request and ascertaining the information is not
> going to be used against human rights treaties cannot be automated like all
> the processes of registries, registrars and other Internet service
> providers. But, they should do something to cooperate with public
> authorities. In this regard, I draw your attention to the Internet &
> Jurisdiction project (http://www.internetjurisdiction.net) that is
> undertaking the challenge to devise a protocol based on self-regulation to
> overcome the barriers jurisdiction limits pose to law enforcement efforts.
>
>
>
> Sorry for this long message. You might come to the conclusion at the end
> of it that my concerns are outside the scope of this WG. In this case,
> please let me know and I won't bother you anymore.
>
>
>
> I attach the questionnaire for the EWG with some questions – the ones I can
> answer – filled in.
>
>
>
> As we are almost in Christmas, I wish you enjoy this season and have a
> happy new year.
>
>
>
>
>
>
>
> Gema Campillos
>
> Deputy Director of Information Society Services
>
> Secretary of State for Telecommunications and Information Society
>
> Telf: 34 91 346 15 97
>
> SPAIN
>
>
>
> *From:* gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *Mary Wong
> *Sent:* Wednesday, December 18, 2013 0:46
> *To:* gnso-ppsai-pdp-wg at icann.org
> *Subject:* [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions
>
>
>
> Dear Working Group members,
>
>
>
> Please find attached the draft questions that were discussed during the WG
> call earlier today. As mentioned, the Expert Working Group intends to send
> out the final text and questions by mid-January, and as such feedback and
> suggestions from this WG should be sent to them no later than *Friday 10
> January 2014*. To expedite WG discussion and finalization of feedback, we
> suggest inserting any comments you may have in the attached document. In
> order to facilitate discussion at the next WG call on *Tuesday 7 January
> 2014*, please send your annotated document to me as soon as you can –
> staff will collate all responses received for the 7 January call. In the
> interest of expediency, you may wish to indicate that your comments are
> made in your personal capacity should it prove difficult to obtain your
> constituency/stakeholder group/community's feedback and sign-off in the
> timeline within which we are working.
>
>
>
> Since waiting to start and finish all WG discussions about this survey in
> that single call on 7 January is an ambitious undertaking, however, it
> would be tremendously helpful if comments, questions and thoughts could be
> posted to this mailing list between now and then. For example, you may wish
> to circulate your written comments on the questions to the list to
> kickstart discussions or raise concerns about particular questions.
>
>
>
> For the most effective and efficient use of your time, you may wish also
> to focus on commenting on the scope and substance of each draft question
> rather than redrafting them. The EWG also welcomes feedback on the types of
> questions that should be asked and that are missing from the current draft.
>
>
>
> Thank you all for an excellent discussion today – and happy holidays to
> you and yours!
>
>
>
> Cheers
>
> Mary
>
>
>
> Mary Wong
>
> Senior Policy Director
>
> Internet Corporation for Assigned Names & Numbers (ICANN)
>
> Telephone: +1 603 574 4892
>
> Email: mary.wong at icann.org
>
>
>
> * One World. One Internet. *
>