Re: [ga] Bulk acces...

[Karl Auerbach <karl@CaveBear.com>]

On Thu, 5 Sep 2002, Thomas Roessler wrote:

> Here are some thoughts on what bulk access provisions should look like. 

My answer to what it ought to look like is this:

	{ }  (empty set)

The reason is that there should be NO access to whois data whatsoever 
without a demonstrated, and supportable, reason to look at the personally 
identifiable information.

This does not mean that the casual person might not be able to take a 
veiled look now and then at a veiled version of the information.  But 
today's wide open access is at varience with what are becoming widely 
accepted principles of privacy.

Bulk access ought to be eliminated. To my way of thinking, "bulk access"
(except to those doing research) is something that is simply inconsistent
with the reasons that "whois" is claimed to be needed, i.e.  the checking
for identity of those who are accused of transgressing on the rights of
the person making the inquiry.  Whois is not a toy that is justified
because it is "fun".

(Trolling for unused names is *not* a valid reason to violate privacy.  
If one must be a troll then it is a more efficient use of net resources to
do a DNS query itself to see whether a name is in use or not.)

It's not necessary for us to engage in discussions of the needs of law
enforcement or other public safety needs.  As a general principle, privacy
limitations give way to public health and safety in those situations where
time is of the essence or when the data subject is under observation.  
The terms and condititions of this kind of access are generally beyond
ICANN's scope and are, instead, established by law.

Anonymous access ought to be eliminated.  Except as provided by law, no
access should be anonymous.  If anyone looks at your record you should be
able to know who and when they looked.

Anyone making access must identify themselves and make a reasonable
demonstrating that that identity is correct.  E-mail addresses are an
interesting kind of lesser identity that might be of use when allowing
access, more on that below.

When there is *no* demonstration of identity of the person making the
query, such as in classical "whois", then the data returned should be
veiled - for example, full telephone numbers should be replaced by area
codes/country codes (and perhaps exchange codes), and full addresses
should be replaced by postal codes.

So here's my suggestion:

A multi-tier form of access to the registration meta-data (i.e. "whois"):

1. People (e.g. intellectual property attorneys, ISP NOC staff, etc.) may
"pre-qualify" for access by demonstrating and proving their identity and
showing a general need for access and that they are generally responsible.  
These people would receive a "credential" (a password or digitial
certificate or something of that ilk) that they can use to obtain fast,
unhindered access to full records.

2. One who has not pre-qualified can still obtain access to full contents
of records by going through some sort of identification/authentication
sequence. There might be a limitation on the number of queries that may be
made without requalifiying, and the qualification may be limited to some
class of records expressed in the form of some kind of regular expression.

3. E-mail addresses could serve as even a lower form of identification
that permits access, but in this case the response would be via e-mail to
that e-mail address.  Rate limitations would clamp the number of replies
per day to any e-mail address to some reasonable number.

4. In direct query/response mechanisms in which the querier is not
required to provide any identification, i.e. today's whois, then the
returned information ought to be veiled as described previously.

In all of these cases every data subject (i.e. the people named in the 
whois data) would have access to the list of identities of who looked, and 
when.

(The list of names and what those people are looking at is itself a
database of personally identifiable information and is, itself deserving
of some protection.  What those protections are is left to another day.)

Yes, this will be slower than today's system.

Yes, what I suggest will be more expensive than today's non-system.
And if there is a cost to be borne it ought to be borne by those who are 
making the inquiries, not by the data subjects.

		--karl--






--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html