[Gnso-ppsai-pdp-wg] FW: EWG privacy & proxy survey: draft questions

John Horton john.horton at legitscript.com
Tue Jan 7 16:06:54 UTC 2014 

No problem at all, Don. :) Thanks for the input. As I mentioned, we are
finalizing some specific input and recommended edits, but felt that some
additional background context might be helpful prior to that first, also in
the context of Gema's earlier email. My apologies for the delay on the
specifics. Safe travels.

John Horton
President, LegitScript



*Follow LegitScript*:
LinkedIn<http://www.linkedin.com/company/legitscript-com>
|  Facebook <https://www.facebook.com/LegitScript>  |
Twitter<https://twitter.com/legitscript>
|  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
<http://blog.legitscript.com>*  |
Google+<https://plus.google.com/112436813474708014933/posts>


On Tue, Jan 7, 2014 at 7:31 AM, Don Blumenthal <dblumenthal at pir.org> wrote:

>  I apologize for this note.  I intended to add more to complete my
> intended point, which I will do later, but must have triggered Send when I
>  put my phone in the airport security bin..
>
>  Don
>
>   From: Don Blumenthal <dblumenthal at pir.org>
> Date: Tuesday, January 7, 2014 at 10:14 AM
> To: Michele Blacknight <michele at blacknight.com>
> Cc: PPSAI <gnso-ppsai-pdp-wg at icann.org>
>
> Subject: Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
> questions
>
>   But at least Gems made some substantive points,  and suggested some
> letter edits in another post.
>
>  In airport security. Hope to have time to join the call.
>
>  Sent from my phone
>
> ----- Reply message -----
> From: "John Horton" <john.horton at legitscript.com>
> To: "Michele Neylon - Blacknight" <michele at blacknight.com>
> Cc: "gnso-ppsai-pdp-wg at icann.org" <gnso-ppsai-pdp-wg at icann.org>
> Subject: [Gnso-ppsai-pdp-wg] EWG privacy &amp; proxy survey: draft
> questions
> Date: Tue, Jan 7, 2014 10:04 AM
>
>   Hi Michele,
>
>  Thanks. Nope, my intent wasn't to ask a question or suggest concrete
> action at this point -- we'll certainly have some of those later! As Gema
> did, I wanted to provide some contextual background on the jurisdictional
> issue.
>
>  Thanks,
>
>  John Horton
> President, LegitScript
>
>
>
>  *Follow LegitScript*: LinkedIn<http://www.linkedin.com/company/legitscript-com>
> |  Facebook <https://www.facebook.com/LegitScript>  |  Twitter<https://twitter.com/legitscript>
> |  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
> <http://blog.legitscript.com>*  |  Google+<https://plus.google.com/112436813474708014933/posts>
>
>
> On Tue, Jan 7, 2014 at 3:05 AM, Michele Neylon - Blacknight <
> michele at blacknight.com> wrote:
>
>>  John
>>
>>
>>
>> You’ve given an example of an issue, but unless I’m missing something you
>> haven’t actually asked a specific question or suggested any action?
>>
>>
>>
>> Or if you have, as I said, I missed it
>>
>>
>>
>> Regards
>>
>>
>>
>> Michele
>>
>>
>>
>>
>>
>> --
>>
>> Mr Michele Neylon
>>
>> Blacknight Solutions
>>
>> Hosting & Colocation, Domains
>>
>> http://www.blacknight.co/
>>
>> http://blog.blacknight.com/
>>
>> http://www.technology.ie
>>
>> Intl. +353 (0) 59  9183072
>>
>> Locall: 1850 929 929
>>
>> Direct Dial: +353 (0)59 9183090
>>
>> Fax. +353 (0) 1 4811 763
>>
>> Twitter: http://twitter.com/mneylon
>>
>> -------------------------------
>>
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>>
>> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
>>
>>
>>
>> *From:*gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
>> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *John Horton
>> *Sent:* Monday, January 6, 2014 8:54 PM
>> *To:* Metalitz, Steven
>> *Cc:* gnso-ppsai-pdp-wg at icann.org
>>
>> *Subject:* Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
>> questions
>>
>>
>>
>> Also with apologies for my delay, I wanted to echo Gema's concerns
>> (speaking both in my current role and also as a former prosecutor), and
>> provide another real-life illustration that, I hope, will be helpful
>> context.
>>
>>
>>
>> First, as background: my company, LegitScript, works with many registrars
>> (and search engines, e-commerce platforms, etc.) to identify and submit
>> notification about "rogue" Internet pharmacies -- websites masquerading as
>> pharmacies but with no valid (or forged) pharmacy licenses; selling
>> falsified drugs; selling drugs without a prescription, and so forth. This
>> is not only illegal, but can lead to (and has led to) illness or death. We
>> are not a government agency, but are endorsed<http://www.legitscript.com/download/NABP_Recognition_LegitScript_International_Internet_Pharmacy_Standards_2012.pdf>on behalf of those government regulatory authorities in some countries to
>> submit notifications to registrars and for registrars to terminate services
>> (including, where appropriate, privacy/proxy services) to registrants
>> engaged in this illicit activity. We have found that most registrars are
>> responsible and take voluntary action to ensure that their services are not
>> being used by criminals, who -- unfortunately -- do rely heavily on
>> anonymous Whois services.
>>
>>
>>
>> As Gema indicates, cybercriminals are adept in using the fundamentally
>> "jurisdictionless" aspect of the Internet, combined with some registrars'
>> insistence on a court order from their jurisdiction, to create a "safe
>> haven" resulting in a practical inability of any law enforcement agency
>> anywhere to take any action at all. The insistence on a court order, as
>> opposed to taking voluntary action based on one's terms and conditions,
>> plays right into the hands of criminals, because it is quite easy to choose
>> a registrar in a jurisdiction where it will be almost impossible for any
>> court to ever issue an order -- at least, in the area of "rogue pharma."
>> Here is a real-life example that we deal with every day. (The countries
>> below are merely illustrative examples; they can be easily replaced with
>> other countries.)
>>
>>    - A website is selling fake or toxic drugs (or drugs without a
>>    prescription, falsely posing as a pharmacy, etc.) targeting the residents
>>    of Country "A." (For illustrative purposes, we will say to the US, but this
>>    is not a US-only problem.)
>>    - The registrar is in, say, the United Kingdom.
>>    - The registrant is in Russia.
>>    - The content is being hosted in Japan.
>>    - The fake drugs are shipped from Pakistan.
>>    - The fake drugs are only being marketed to the US -- not to the UK,
>>    Russia, Pakistan or Japan.
>>
>>  We submit an abuse notification to the registrar, who says that they
>> require a court order from the UK -- the registrar's jurisdiction -- to
>> take any action. As a practical matter, it is impossible to ever get a
>> court order. Here's why:
>>
>>    - The drugs are not being marketed to the UK. One cannot point to a
>>    violation of UK drug safety laws, since the drugs never enter the UK. (Put
>>    differently, one cannot ask a court in "Country A" to issue an order based
>>    on a violation of the laws in Country "B".) So, the registrar is insisting
>>    upon an impossibility.
>>    - If the registrar says, "Go talk to the ISP; it's not our problem,"
>>    there is also no violation of that country's laws. And, for reasons I can
>>    explain another time, it is wholly ineffective to complain to content
>>    hosting companies. (And, of course, the content host has nothing to do with
>>    the Whois record, if that is the issue.)
>>    - Law enforcement in the registrant's country -- in our example,
>>    Russia -- similarly has no jurisidction. Why? Because the drugs come from
>>    and are targeted at other countries. No violation of Russian drug safety or
>>    medicine laws exists unless the drugs are actually shipped into Russia.
>>    - Similarly, drug laws in most countries are such that the law of the
>>    country where the drugs are shipped from may not be violated if no
>>    customers are there.
>>    - And also similarly, law enforcement can generally only seek and
>>    receive a court order against an entity located in the court's
>>    jurisdiction. (Put differently, a court in the US has no jurisdiction over
>>    a registrar in the UK: the registrar can simply ignore the court order, so
>>    most courts will not even issue the order.)
>>
>>  You can see here that nobody anywhere has the ability to issue or
>> receive a binding court order. This is not merely a rare example; it is a
>> very common fact pattern we see with rogue Internet pharmacies: to choose a
>> registrar that is not in the jurisdiction where the drugs come from, are
>> sold to, or where the registrant is located, so that if -- as the rogue
>> Internet pharmacy hopes -- the registrar insists on a court order before
>> taking any action, the criminal can rest comfortably knowing that it will
>> never be possible. We deal with this type of circumstance -- again, the
>> countries change depending on the website -- multiple times each day.
>>
>>
>>
>> Again, many registrars we work with understand the conundrum presented
>> above, and take voluntary action upon a showing that the website is being
>> used in furtherance of this sort of activity, irrespective of jurisdiction.
>> We continue to encourage registrars to develop internal anti-abuse policies
>> in this area that clarify the circumstances in which they will take
>> voluntary action.
>>
>>
>>
>> I hope that the illustration above is also helpful and on-point and not
>> outside of the scope of this group; please do not hesitate to let me know
>> if not. (The example does relate to broader anti-abuse issues, but also to
>> the question of privacy/proxy services.) Please do not hesitate to contact
>> me should you require any clarification or have any questions.
>>
>>
>>   John Horton
>> President, LegitScript
>>
>>
>>
>>
>>
>> *Follow**Legit**Script*: LinkedIn<http://www.linkedin.com/company/legitscript-com>
>> |  Facebook <https://www.facebook.com/LegitScript>  |  Twitter<https://twitter.com/legitscript>
>> |  YouTube <https://www.youtube.com/user/LegitScript>  |  *Blog
>> <http://blog.legitscript.com>*  |  Google+<https://plus.google.com/112436813474708014933/posts>
>>
>>
>>
>> On Mon, Jan 6, 2014 at 8:16 AM, Metalitz, Steven <met at msk.com> wrote:
>>
>>   With apologies for delay, I echo Don’s response, and submit that the
>> issues Gema raises go to the center of our task.
>>
>>
>>
>> Steve Metalitz
>>
>>
>>
>>
>>
>>
>>
>> *From:*gnso-ppsai-pdp-wg-bounces at icann.org [mailto:
>> gnso-ppsai-pdp-wg-bounces at icann.org] *On Behalf Of *Don Blumenthal
>> *Sent:* Saturday, December 21, 2013 2:38 PM
>> *To:* Campillos Gonzalez, Gema Maria; gnso-ppsai-pdp-wg at icann.org
>>
>>
>> *Subject:* Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
>> questions
>>
>>
>>
>> Gema,
>>
>>
>>
>> Thanks very much for your very thorough and interesting post. I
>> appreciate your comments, which definitely are not out of scope at all.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Don
>>
>>
>>
>> =========================
>>
>> *DON M. BLUMENTHAL, Esq.*
>>
>> Senior Policy Advisor, Public Interest Registry
>>
>> dblumenthal at pir.org
>>
>> Office: +1 734 418-8242  | Mobile: +1 202 431-0874 | Skype:
>> donblumenthal |
>>
>> www.pir.org | Facebook <http://www.facebook.com/pir.org> | Twitter<http://twitter.com/PIRegistry>
>>  | Instagram <http://instagram.com/piregistry> | YouTube<http://www.youtube.com/PIRegistry>
>>
>>
>>
>> *From: *"<Campillos Gonzalez>", Gema Maria <GCAMPILLOS at minetur.es>
>> *Date: *Thursday, December 19, 2013 at 2:27 PM
>> *To: *"gnso-ppsai-pdp-wg at icann.org" <gnso-ppsai-pdp-wg at icann.org>
>> *Subject: *Re: [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft
>> questions
>>
>>
>>
>> Dear all,
>>
>>
>>
>> First of all, I introduce myself. My name is Gema Campillos and I´m a
>> civil servant in Spain. My current position is Deputy Director on
>> Information Society Services (in the Ministry of Industry, Energy and
>> Tourism) and I represent my country at the GAC. I would like to stress from
>> the outset that I´m not a representative for the GAC in this GNSO working
>> group.
>>
>>
>>
>> My interest in participating in this WG comes from the hurdles proxy and
>> privacy services suppose for the exercise or supervisory powers over
>> service providers subject to Spanish law. They may serve legitimate
>> purposes, like preventing spam or phishing attacks, or even prosecution in
>> countries with limited freedom of speech, but in my experience, proxy and
>> privacy services are overwhelmingly used by infringers of consumer
>> protection and intellectual property laws.
>>
>>
>>
>> We oversee websites addressing the Spanish market. The Ministry of
>> Education, Culture and Sports supervise websites violating IPRs of right
>> holders in Spain as well. They all have to comply with Spanish law. But,
>> some of them choose to move to other locations to escape from public
>> authorities control (their servers are located outside, their hosting
>> providers are beyond our frontiers…), they hide behind “straw men” or hire
>> a privacy or proxy service in another country to replace their Whois
>> information. But, they still target the residents in Spain by providing
>> information in Spanish, pricing in euros, displaying adverts of Spanish
>> companies, etc.
>>
>>
>>
>> Some of the privacy and proxy services also spread their reach to foreign
>> markets. Godaddy is a conspicuous instance. It detects you access the
>> Internet through an IP address in Spain and directs you to
>> http://es.godaddy.com. There, information is given in Spanish with a
>> local telephone number for assistance. Those also fall within the scope of
>> Spanish Law 34/2002, of 11 July, on Information Society Services and
>> E-Commerce.
>>
>>
>>
>> We have addressed proxy and privacy services on several occasions to
>> request them to reveal to us the identity of the domain name holder, but
>> they have refused to do so, arguing that they can only disclose that
>> information to “law enforcement agencies” (aren´t we one of those?) or to
>> “a state or federal court located in the United States”. If we were to seek
>> a court order to be conveyed to foreign courts, recognized and executed by
>> them, which we are not obliged to do according to our national law, the
>> website at issue could have disappeared by then and our action would be
>> useless. I enclose two sample answers.   *I hope the companies named in
>> this e-mail and in the examples don´t take offence. I do not have any
>> animosity against them.
>>
>>
>>
>> To be fair, I must confess that IP providers, hosting services… also make
>> this kind of excuse sometimes. Vey often they don´t even respond to our
>> requests.
>>
>>
>>
>> The Internet grants providers, however small they are, the ability to
>> sell or offer information globally. But, I think that when you benefit from
>> access to a market you must be obliged to abide by its rules as well (in
>> the EU we apply the “country of origin” principle to the Internet except
>> for consumer protection and some other exceptions since there´s a high
>> level of harmonization among us). This rule of thumb in the physical world
>> is not respected on the Internet to the detriment of recipients of services
>> in local markets. A company doing business internationally should be able
>> to cooperate with local authorities. Otherwise, it is helping infringers of
>> local laws to pursue their illegal activities.
>>
>>
>>
>> I understand verifying the authenticity of public authorities requests
>> when a company provides its services worldwide, the competence of that
>> authority to issue that request and ascertaining the information is not
>> going to be used against human rights treaties cannot be automated like all
>> the processes of registries, registrars and other Internet service
>> providers. But, they should do something to cooperate with public
>> authorities. In this regard, I draw your attention to the Internet &
>> Jurisdiction project (http://www.internetjurisdiction.net) that is
>> undertaking the challenge to devise a protocol based on self-regulation to
>> overcome the barriers jurisdiction limits pose to law enforcement efforts.
>>
>>
>>
>> Sorry for this long message. You might come to the conclusion at the end
>> of it that my concerns are outside the scope of this WG. In this case,
>> please let me know and I won´t bother you anymore.
>>
>>
>>
>> I attach the questionnaire for the EWG with some questions –the ones I
>> can answered- filled in.
>>
>>
>>
>> As we are almost in Christmas, I wish you enjoy this season and have a
>> happy new year.
>>
>>
>>
>>
>>
>>
>>
>> Gema Campillos
>>
>> Deputy Director of Information Society Services
>>
>> Secretary of State for Telecommunications and Information Society
>>
>> Telf: 34 91 346 15 97
>>
>> SPAIN
>>
>>
>>
>> *De:* gnso-ppsai-pdp-wg-bounces at icann.org [
>> mailto:gnso-ppsai-pdp-wg-bounces at icann.org<gnso-ppsai-pdp-wg-bounces at icann.org>]
>> *En nombre de *Mary Wong
>> *Enviado el:* miércoles, 18 de diciembre de 2013 0:46
>> *Para:* gnso-ppsai-pdp-wg at icann.org
>> *Asunto:* [Gnso-ppsai-pdp-wg] EWG privacy & proxy survey: draft questions
>>
>>
>>
>> Dear Working Group members,
>>
>>
>>
>> Please find attached the draft questions that were discussed during the
>> WG call earlier today. As mentioned, the Expert Working Group intends to
>> send out the final text and questions by mid-January, and as such feedback
>> and suggestions from this WG should be sent to them no later than *Friday 10
>> January 2014*. To expedite WG discussion and finalization of feedback,
>> we suggest inserting any comments you may have in the attached document. In
>> order to facilitate discussion at the next WG call on *Tuesday 7 January
>> 2014*, please send your annotated document to me as soon as you can –
>> staff will collate all responses received for the 7 January call. In the
>> interest of expediency, you may wish to indicate that your comments are
>> made in your personal capacity should it prove difficult to obtain your
>> constituency/stakeholder group/community's feedback and sign-off in the
>> timeline within which we are working.
>>
>>
>>
>> Since waiting to start and finish all WG discussions about this survey in
>> that single call on 7 January is an ambitious undertaking, however, it
>> would be tremendously helpful if comments, questions and thoughts could be
>> posted to this mailing list between now and then. For example, you may wish
>> to circulate your written comments on the questions to the list to
>> kickstart discussions or raise concerns about particular questions.
>>
>>
>>
>> For the most effective and efficient use of your time, you may wish also
>> to focus on commenting on the scope and substance of each draft question
>> rather than redrafting them. The EWG also welcomes feedback on the types of
>> questions that should be asked and that are missing from the current draft.
>>
>>
>>
>> Thank you all for an excellent discussion today – and happy holidays to
>> you and yours!
>>
>>
>>
>> Cheers
>>
>> Mary
>>
>>
>>
>> Mary Wong
>>
>> Senior Policy Director
>>
>> Internet Corporation for Assigned Names & Numbers (ICANN)
>>
>> Telephone: +1 603 574 4892
>>
>> Email: mary.wong at icann.org
>>
>>
>>
>> * One World. One Internet. *
>>
>>
>>  _______________________________________________
>> Gnso-ppsai-pdp-wg mailing list
>> Gnso-ppsai-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
>>
>>
>>
>
>
> _______________________________________________
> Gnso-ppsai-pdp-wg mailing list
> Gnso-ppsai-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ppsai-pdp-wg/attachments/20140107/c8da9a99/attachment-0001.html>

More information about the Gnso-ppsai-pdp-wg mailing list