[Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

Don Blumenthal dblumenthal at pir.org
Mon Jan 6 21:30:37 UTC 2014


John,

Thanks for adding your experience. As I suggested to Gema, jurisdiction certainly is an issue with respect to proxy/privacy. A number of us on the WG have worked with the issues first hand, with my experience from over ten years of online service and Internet law enforcement followed by working for a registry.

A question for all. How do we translate these concerns and experience into concrete suggestions for the EWG?

Don



From: John Horton <john.horton at legitscript.com>
Date: Monday, January 6, 2014 at 3:53 PM
To: Steven Metalitz <met at msk.com>
Cc: Don Blumenthal <dblumenthal at pir.org>, "Campillos Gonzalez, Gema Maria" <GCAMPILLOS at minetur.es>, PPSAI <gnso-ppsai-pdp-wg at icann.org>
Subject: Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

Also with apologies for my delay, I wanted to echo Gema's concerns (speaking both in my current role and also as a former prosecutor), and provide another real-life illustration that, I hope, will be helpful context.

First, as background: my company, LegitScript, works with many registrars (and search engines, e-commerce platforms, etc.) to identify and submit notification about "rogue" Internet pharmacies -- websites masquerading as pharmacies but with no valid (or forged) pharmacy licenses; selling falsified drugs; selling drugs without a prescription, and so forth. This is not only illegal, but can lead to (and has led to) illness or death. We are not a government agency, but are endorsed<http://www.legitscript.com/download/NABP_Recognition_LegitScript_International_Internet_Pharmacy_Standards_2012.pdf> on behalf of those government regulatory authorities in some countries to submit notifications to registrars and for registrars to terminate services (including, where appropriate, privacy/proxy services) to registrants engaged in this illicit activity. We have found that most registrars are responsible and take voluntary action to ensure that their services are not being used by criminals, who -- unfortunately -- do rely heavily on anonymous Whois services.

As Gema indicates, cybercriminals are adept in using the fundamentally "jurisdictionless" aspect of the Internet, combined with some registrars' insistence on a court order from their jurisdiction, to create a "safe haven" resulting in a practical inability of any law enforcement agency anywhere to take any action at all. The insistence on a court order, as opposed to taking voluntary action based on one's terms and conditions, plays right into the hands of criminals, because it is quite easy to choose a registrar in a jurisdiction where it will be almost impossible for any court to ever issue an order -- at least, in the area of "rogue pharma." Here is a real-life example that we deal with every day. (The countries below are merely illustrative examples; they can be easily replaced with other countries.)

  *   A website is selling fake or toxic drugs (or drugs without a prescription, falsely posing as a pharmacy, etc.) targeting the residents of Country "A." (For illustrative purposes, we will say to the US, but this is not a US-only problem.)
  *   The registrar is in, say, the United Kingdom.
  *   The registrant is in Russia.
  *   The content is being hosted in Japan.
  *   The fake drugs are shipped from Pakistan.
  *   The fake drugs are only being marketed to the US -- not to the UK, Russia, Pakistan or Japan.

We submit an abuse notification to the registrar, who says that they require a court order from the UK -- the registrar's jurisdiction -- to take any action. As a practical matter, it is impossible to ever get a court order. Here's why:

  *   The drugs are not being marketed to the UK. One cannot point to a violation of UK drug safety laws, since the drugs never enter the UK. (Put differently, one cannot ask a court in "Country A" to issue an order based on a violation of the laws in Country "B".) So, the registrar is insisting upon an impossibility.
  *   If the registrar says, "Go talk to the ISP; it's not our problem," there is also no violation of that country's laws. And, for reasons I can explain another time, it is wholly ineffective to complain to content hosting companies. (And, of course, the content host has nothing to do with the Whois record, if that is the issue.)
  *   Law enforcement in the registrant's country -- in our example, Russia -- similarly has no jurisdiction. Why? Because the drugs come from and are targeted at other countries. No violation of Russian drug safety or medicine laws exists unless the drugs are actually shipped into Russia.
  *   Similarly, drug laws in most countries are such that the law of the country where the drugs are shipped from may not be violated if no customers are there.
  *   And also similarly, law enforcement can generally only seek and receive a court order against an entity located in the court's jurisdiction. (Put differently, a court in the US has no jurisdiction over a registrar in the UK: the registrar can simply ignore the court order, so most courts will not even issue the order.)

You can see here that nobody anywhere has the ability to issue or receive a binding court order. This is not merely a rare example; it is a very common fact pattern we see with rogue Internet pharmacies: to choose a registrar that is not in the jurisdiction where the drugs come from, are sold to, or where the registrant is located, so that if -- as the rogue Internet pharmacy hopes -- the registrar insists on a court order before taking any action, the criminal can rest comfortably knowing that it will never be possible. We deal with this type of circumstance -- again, the countries change depending on the website -- multiple times each day.

Again, many registrars we work with understand the conundrum presented above, and take voluntary action upon a showing that the website is being used in furtherance of this sort of activity, irrespective of jurisdiction. We continue to encourage registrars to develop internal anti-abuse policies in this area that clarify the circumstances in which they will take voluntary action.

I hope that the illustration above is also helpful and on-point and not outside of the scope of this group; please do not hesitate to let me know if not. (The example does relate to broader anti-abuse issues, but also to the question of privacy/proxy services.) Please do not hesitate to contact me should you require any clarification or have any questions.

John Horton
President, LegitScript


On Mon, Jan 6, 2014 at 8:16 AM, Metalitz, Steven <met at msk.com> wrote:
With apologies for delay, I echo Don’s response, and submit that the issues Gema raises go to the center of our task.

Steve Metalitz



From: gnso-ppsai-pdp-wg-bounces at icann.org [mailto:gnso-ppsai-pdp-wg-bounces at icann.org] On Behalf Of Don Blumenthal
Sent: Saturday, December 21, 2013 2:38 PM
To: Campillos Gonzalez, Gema Maria; gnso-ppsai-pdp-wg at icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

Gema,

Thanks very much for your very thorough and interesting post. I appreciate your comments, which definitely are not out of scope at all.

Regards,

Don

=========================
DON M. BLUMENTHAL, Esq.
Senior Policy Advisor, Public Interest Registry
dblumenthal at pir.org
Office: +1 734 418-8242 | Mobile: +1 202 431-0874 | Skype: donblumenthal
www.pir.org

From: "Campillos Gonzalez, Gema Maria" <GCAMPILLOS at minetur.es>
Date: Thursday, December 19, 2013 at 2:27 PM
To: gnso-ppsai-pdp-wg at icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

Dear all,

First of all, I introduce myself. My name is Gema Campillos and I'm a civil servant in Spain. My current position is Deputy Director on Information Society Services (in the Ministry of Industry, Energy and Tourism) and I represent my country at the GAC. I would like to stress from the outset that I'm not a representative for the GAC in this GNSO working group.

My interest in participating in this WG comes from the hurdles proxy and privacy services suppose for the exercise of supervisory powers over service providers subject to Spanish law. They may serve legitimate purposes, like preventing spam or phishing attacks, or even prosecution in countries with limited freedom of speech, but in my experience, proxy and privacy services are overwhelmingly used by infringers of consumer protection and intellectual property laws.

We oversee websites addressing the Spanish market. The Ministry of Education, Culture and Sports supervises websites violating IPRs of right holders in Spain as well. They all have to comply with Spanish law. But, some of them choose to move to other locations to escape from public authorities control (their servers are located outside, their hosting providers are beyond our frontiers…), they hide behind “straw men” or hire a privacy or proxy service in another country to replace their Whois information. But, they still target the residents in Spain by providing information in Spanish, pricing in euros, displaying adverts of Spanish companies, etc.

Some of the privacy and proxy services also spread their reach to foreign markets. Godaddy is a conspicuous instance. It detects you access the Internet through an IP address in Spain and directs you to http://es.godaddy.com. There, information is given in Spanish with a local telephone number for assistance. Those also fall within the scope of Spanish Law 34/2002, of 11 July, on Information Society Services and E-Commerce.

We have addressed proxy and privacy services on several occasions to request them to reveal to us the identity of the domain name holder, but they have refused to do so, arguing that they can only disclose that information to “law enforcement agencies” (aren't we one of those?) or to “a state or federal court located in the United States”. If we were to seek a court order to be conveyed to foreign courts, recognized and executed by them, which we are not obliged to do according to our national law, the website at issue could have disappeared by then and our action would be useless. I enclose two sample answers. *I hope the companies named in this e-mail and in the examples don't take offence. I do not have any animosity against them.

To be fair, I must confess that IP providers, hosting services… also make this kind of excuse sometimes. Very often they don't even respond to our requests.

The Internet grants providers, however small they are, the ability to sell or offer information globally. But, I think that when you benefit from access to a market you must be obliged to abide by its rules as well (in the EU we apply the “country of origin” principle to the Internet except for consumer protection and some other exceptions since there's a high level of harmonization among us). This rule of thumb in the physical world is not respected on the Internet to the detriment of recipients of services in local markets. A company doing business internationally should be able to cooperate with local authorities. Otherwise, it is helping infringers of local laws to pursue their illegal activities.

I understand verifying the authenticity of public authorities requests when a company provides its services worldwide, the competence of that authority to issue that request and ascertaining the information is not going to be used against human rights treaties cannot be automated like all the processes of registries, registrars and other Internet service providers. But, they should do something to cooperate with public authorities. In this regard, I draw your attention to the Internet & Jurisdiction project (http://www.internetjurisdiction.net) that is undertaking the challenge to devise a protocol based on self-regulation to overcome the barriers jurisdiction limits pose to law enforcement efforts.

Sorry for this long message. You might come to the conclusion at the end of it that my concerns are outside the scope of this WG. In this case, please let me know and I won't bother you anymore.

I attach the questionnaire for the EWG with some questions – the ones I can answer – filled in.

As we are almost in Christmas, I wish you enjoy this season and have a happy new year.



Gema Campillos
Deputy Director of Information Society Services
Secretary of State for Telecommunications and Information Society
Telf: 34 91 346 15 97
SPAIN

From: gnso-ppsai-pdp-wg-bounces at icann.org [mailto:gnso-ppsai-pdp-wg-bounces at icann.org] On Behalf Of Mary Wong
Sent: Wednesday, December 18, 2013 0:46
To: gnso-ppsai-pdp-wg at icann.org
Subject: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions

Dear Working Group members,

Please find attached the draft questions that were discussed during the WG call earlier today. As mentioned, the Expert Working Group intends to send out the final text and questions by mid-January, and as such feedback and suggestions from this WG should be sent to them no later than Friday 10 January 2014. To expedite WG discussion and finalization of feedback, we suggest inserting any comments you may have in the attached document. In order to facilitate discussion at the next WG call on Tuesday 7 January 2014, please send your annotated document to me as soon as you can – staff will collate all responses received for the 7 January call. In the interest of expediency, you may wish to indicate that your comments are made in your personal capacity should it prove difficult to obtain your constituency/stakeholder group/community's feedback and sign-off in the timeline within which we are working.

Since waiting to start and finish all WG discussions about this survey in that single call on 7 January is an ambitious undertaking, however, it would be tremendously helpful if comments, questions and thoughts could be posted to this mailing list between now and then. For example, you may wish to circulate your written comments on the questions to the list to kickstart discussions or raise concerns about particular questions.

For the most effective and efficient use of your time, you may wish also to focus on commenting on the scope and substance of each draft question rather than redrafting them. The EWG also welcomes feedback on the types of questions that should be asked and that are missing from the current draft.

Thank you all for an excellent discussion today – and happy holidays to you and yours!

Cheers
Mary

Mary Wong
Senior Policy Director
Internet Corporation for Assigned Names & Numbers (ICANN)
Telephone: +1 603 574 4892
Email: mary.wong at icann.org

* One World. One Internet. *
