Re: Re[2]: [ga-sys] the Euro v. Americas issue on privacy plus

[Alexander Svensson <alexander@svensson.de>]

Hello Kent!

Kent Crispin wrote on 29.06.01, 10:15:05:
> On Fri, Jun 29, 2001 at 07:20:42PM +0200, Alexander Svensson wrote:
>> I agree that the possible domain uses will be greatly affected.
>> But this applies to any (ab)use of data.
> No, it doesn't.  You are over-generalizing -- not all data has the same
> purpose.
Admittedly, I should be more precise. I was trying to point
out that widespread publication of personal data may lead
to a variety of side uses, some of them beneficial. If a
publicly accessible database is (partly) restricted because
of privacy concerns, some of the side uses may be restricted
too. This is not a peculiarity of the Whois database.

> The physical hardware of telephones is designed so that it is very
> difficult for a misbehaving phone to cause problems in the entire
> network.  Therefore, there is little need to be able to contact the owner
> of a particular telephone to seek their aid in fixing a phone.  Moreover,
> the structure of the phone system is such that almost all the maintenance
> is done by a central facility.

E.g. 1.8 million .de domain names are hosted by the company
Puretec on their servers; I think Strato has another 2.x million.
If Puretec has a technical problem with their servers, there
is no way an individual Puretec domain holder can help
solving it -- he can do just as little as a phone owner can.
Why shouldn't he then have the *choice* between having and
not having his contact details in the Whois? We both know that
this is no longer the Internet where only techies have their
own servers running web sites.

> This model equally applies with equal force to non-technical problems --
> the phone by its nature doesn't have many modes for causing legal
> problems, and when they do happen, there is a central authority through
> which a responsible party can be reached to deal with things.  A
> computer, on the other hand, is a very much more capable device than a
> phone; when you connect a computer to the Internet a large number of new
> ways of interacting with the law become possible, *and* there is no
> central authority through which a responsible party can be reached.

This is a very (and too) broad approach IMHO. To be consistent,
you would have to call for unique IDs for computer users
in general or at least for everyone accessing the Internet.
Drawing the line at domain names is rather arbitrary.

> So, despite the superficial similarity, getting a domain name is *not*
> like getting a phone number -- like it or not, getting a domain name
> has far wider social implications than getting a phone number.  When
> you get a domain name for your personal use you must *also* accept
> responsibility for this far broader range of possible effects.

I don't buy that "that's just the way it is" -- get a domain
name and have your address and phone published. It's a relic
which has only been possible because of the historical
birthplace of the Internet. It may have made sense in the
days when people were actually running their domain on their
own servers and it may still make sense for those people
today. Do you really think that e.g. it has had an impact
on the .de part of the Internet that the DeNIC doesn't
publish the registrant's phone number?

> [ inappropriate example deleted ]
What a pity! ;) First thing you learn in privacy law is
asking the question whether there really is a need for
the proclaimed purpose or whether it is simply comfort
or a long-established habit. I tried to point out that
there are (even beneficial) side effects of publishing
personal data.

>> > Domain transfers, for instance, DEPEND on getting whois data to
>> > authenticate transfer requests.  Secure certificate authorities depend
>> > on whois outputs to verify the proper owner of a domain name and make
>> > sure they only issue a cert to the proper owner.
>>
>> So you cannot get a certificate at a certain company
>> unless you opt-in -- that's fine. Maybe other companies
>> will find and use other verification methods to do so
>> even for those who opted out, but even if they don't
>> it's an improvement (surely not everyone wants a secure
>> certificate).
>
> If there were a way to register a "lower capability" domain name that,
> for example, could *not* be used to get a certificate, then it might
> make sense to make special rules for such domains.

It's not a major point, but I'm not sure I understand it: If
(WXW's example:) a company depends on whois outpouts to verify
the proper domain owner, they will not give to someone opting
out. That means that this domain cannot be used to get this
particular certificate.


>> Sure, no limits to imagination. But do you think that hiding
>> the contact details for the admin-c makes it impossible
>> to stop spammers? Doesn't that also apply to people abusing
>> their Hotmail accounts? I assume you don't want to have a Whois
>> for all e-mail users! Let's separate information we would *like*
>> to have from information we *must* have. I'm not convinced
>> mail address, e-mail, phone and fax of registrant/admin-c belong
>> in this category.
>
> If you don't want those details visible, then you can contract with
> someone to register the domain for you.  They then become the
> registrant/admin contact.  Your identity is protected; your contract
> with them protects your rights to the domain; they provide the service
> of a legal point of contact for the registrant/admin-contact.

I already asked two weeks ago if anyone knew about registrars
offering registrations with "its own contact details in lieu of
registrants' personal information, provided that it accepts
liability for any harm caused by wrongful use, and that it
promptly discloses the identity of the true holder upon
reasonable evidence of actionable harm." and if so, how much
they charge. You are of course right that I can also make a
separate contract with any third party, e.g. my lawyer. But
I don't think forcing people to pay more and have two contracts
is a viable approach to privacy issues.

Best regards,
/// Alexander
--
This message was passed to you via the ga-sys@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-sys" in the body of the message).
Archives at http://www.dnso.org/archives.html