Re: [ga] Bulk acces...

[Jeff Williams <jwkckid1@ix.netcom.com>]

Karl and all assembly members,

  If I understand it, I think I agree with Karl's thoughts here completely.

  My understanding of Karls comments/position is thus:

1.)  "personally identifiable information" in Whois or Bulk Whois Accesses
needs significant legal justification.

2.) "veiled version of the information" for Whois not bulk is open and should
be available to any and all.

3.) Anonymous access should not be allowed under any circumstances to
     Whois records.


Karl Auerbach wrote:

> On Thu, 5 Sep 2002, Thomas Roessler wrote:
>
> > Here are some thoughts on what bulk access provisions should look like.
>
> My answer to what it ought to look like is this:
>
>         { }  (empty set)
>
> The reason is that there should be NO access to whois data whatsoever
> without a demonstrated, and supportable, reason to look at the personally
> identifiable information.
>
> This does not mean that the casual person might not be able to take a
> veiled look now and then at a veiled version of the information.  But
> today's wide open access is at varience with what are becoming widely
> accepted principles of privacy.
>
> Bulk access ought to be eliminated. To my way of thinking, "bulk access"
> (except to those doing research) is something that is simply inconsistent
> with the reasons that "whois" is claimed to be needed, i.e.  the checking
> for identity of those who are accused of transgressing on the rights of
> the person making the inquiry.  Whois is not a toy that is justified
> because it is "fun".
>
> (Trolling for unused names is *not* a valid reason to violate privacy.
> If one must be a troll then it is a more efficient use of net resources to
> do a DNS query itself to see whether a name is in use or not.)
>
> It's not necessary for us to engage in discussions of the needs of law
> enforcement or other public safety needs.  As a general principle, privacy
> limitations give way to public health and safety in those situations where
> time is of the essence or when the data subject is under observation.
> The terms and condititions of this kind of access are generally beyond
> ICANN's scope and are, instead, established by law.
>
> Anonymous access ought to be eliminated.  Except as provided by law, no
> access should be anonymous.  If anyone looks at your record you should be
> able to know who and when they looked.
>
> Anyone making access must identify themselves and make a reasonable
> demonstrating that that identity is correct.  E-mail addresses are an
> interesting kind of lesser identity that might be of use when allowing
> access, more on that below.
>
> When there is *no* demonstration of identity of the person making the
> query, such as in classical "whois", then the data returned should be
> veiled - for example, full telephone numbers should be replaced by area
> codes/country codes (and perhaps exchange codes), and full addresses
> should be replaced by postal codes.
>
> So here's my suggestion:
>
> A multi-tier form of access to the registration meta-data (i.e. "whois"):
>
> 1. People (e.g. intellectual property attorneys, ISP NOC staff, etc.) may
> "pre-qualify" for access by demonstrating and proving their identity and
> showing a general need for access and that they are generally responsible.
> These people would receive a "credential" (a password or digitial
> certificate or something of that ilk) that they can use to obtain fast,
> unhindered access to full records.
>
> 2. One who has not pre-qualified can still obtain access to full contents
> of records by going through some sort of identification/authentication
> sequence. There might be a limitation on the number of queries that may be
> made without requalifiying, and the qualification may be limited to some
> class of records expressed in the form of some kind of regular expression.
>
> 3. E-mail addresses could serve as even a lower form of identification
> that permits access, but in this case the response would be via e-mail to
> that e-mail address.  Rate limitations would clamp the number of replies
> per day to any e-mail address to some reasonable number.
>
> 4. In direct query/response mechanisms in which the querier is not
> required to provide any identification, i.e. today's whois, then the
> returned information ought to be veiled as described previously.
>
> In all of these cases every data subject (i.e. the people named in the
> whois data) would have access to the list of identities of who looked, and
> when.
>
> (The list of names and what those people are looking at is itself a
> database of personally identifiable information and is, itself deserving
> of some protection.  What those protections are is left to another day.)
>
> Yes, this will be slower than today's system.
>
> Yes, what I suggest will be more expensive than today's non-system.
> And if there is a cost to be borne it ought to be borne by those who are
> making the inquiries, not by the data subjects.
>
>                 --karl--
>
> --
> This message was passed to you via the ga@dnso.org list.
> Send mail to majordomo@dnso.org to unsubscribe
> ("unsubscribe ga" in the body of the message).
> Archives at http://www.dnso.org/archives.html

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 127k members/stakeholders strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number: 214-244-4827 or 972-244-3801
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208


--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html