[At-Large] ICC Policy Statement on Cross- Border Law Enforcement vs Privacy Laws

Derek Smythe derek at aa419.org
Fri Mar 23 10:31:53 UTC 2012

On 3/23/2012 11:21 AM, Lutz Donnerhacke wrote:
> On Thu, Mar 22, 2012 at 10:05:36PM -0500, Carlton Samuels wrote:
>> http://www.iccwbo.org/uploadedFiles/Law_enforcement_access_to_company_data_final_20March12.pdf
> Thank you for pointing to this document. To my honest surprise the paper asks
> the the Law Enforcement Agencies to respect the laws in other countries and
> urges them to use cross-country law enforcement frameworks.
> Breaking it down to WHOIS, it declares the "global, unrestricted access to
> complete data" as a violation of data protection and privacy laws.

That would depend on which country you are in :)

However, here is the problem:
Currently we have grossly inaccurate and unvalidated WHOIS information
we now wish to hide under privay laws.

The end result to that is that the ordinary user on the net will
become more of a target than ever before. It is common to see some
West African registrant claiming to live in another country, in turn
claims to be a business in a third like a bank, courier, lawyer etc.
It is also not uncommon to link the real registrant whoever he is to
credit card fraud and identity theft based upon the claimed whois details.

Also remember: Law enforcement officials will not examine each and
every occurrence of fraud on the internet, they simply do not have the

Right now law enforcement depends on non-law enforcement parties to
alert them to issues. WHOIS data is part of this process and law
enforcement will lose access to a lot of these alerts. I find it
ironical that so many whois abuse studies are done, yet so few studies
on legitimate usage.

Also, say we have official channels to obtain data for criminals
operating on the net, how long does it take before the reply gets back
to law enforcement? What do you do if the reply is "Yogi Bear, 12
Yellowstone Park"? How much time  and other resources would have been
wasted? Remember some of these issues are also time sensitive. History
has also shown a crisis in one country may not constitute a crisis in
another country.

We do however need privacy and desperately so. So how do we get to it?

We first need to resolve the current WHOIS mess, then we can throw a
blanket of privacy over it. Doing it the wrong way around is a recipe
for a disaster.

Also note distinction is made between companies and individuals. So
what will we do if we notice a domain like the-real-bank.info with web
content claiming to be the-real-bank.com, yet the first on cheap
shared hosting and no security and with obfuscated WHOIS details. The
real the-real-bank.com may act if it is phishing (targeting their
clients), but history has shown the real owner tends to be less
responsive if it's a 419 domain (not targeting their clients). What do
we do if it is some-fictitious-bank.com that does not exist in reality
(we see a lot of them)?

Privacy requires accountability - you cannot separate the two.
Currently there is no accountability in the system. Once we fix that
we are on the road to responsible privacy.


More information about the At-Large mailing list