Re: [ga] Bulk acces/just oppose it period

[Eric Dierker <eric@hi-tek.com>]

I still do not get why an IP lawyer gets a "bulk" access.
That is like a Judge issuing a search warrant to search everyone that lives 
in a community, because a purse was stolen, somewhere near there.

No, bulk access makes no sense at all.

Private or University research should not be given carte blanche into 
medical records or whois data, without an opt in by the patient or 
registrant.

My 19 year old college daughter has a site, and some pervert can find out 
all her personal information, MANO that is sick.
So now I will not let her have a site - Well there the hell went your 
"access, reliability and Security".  

Bulk access is total bullshit, to use an Arizona phrase.  We do not even 
have bulk access to criminal or Department of Motor Vehicle records.

Can you say "Stalker"? Can you say "privacy"?  Even the debate here pisses 
me off, to use a Southern Califronia phrase.

Sincerely,
Eric


> On Thu, 5 Sep 2002, Thomas Roessler wrote:
> 
>> Here are some thoughts on what bulk access provisions should look
>> like. 
> 
> My answer to what it ought to look like is this:
> 
> 	{ }  (empty set)
> 
> The reason is that there should be NO access to whois data whatsoever 
> without a demonstrated, and supportable, reason to look at the
> personally  identifiable information.
> 
> This does not mean that the casual person might not be able to take a 
> veiled look now and then at a veiled version of the information.  But 
> today's wide open access is at varience with what are becoming widely 
> accepted principles of privacy.
> 
> Bulk access ought to be eliminated. To my way of thinking, "bulk
> access" (except to those doing research) is something that is simply
> inconsistent with the reasons that "whois" is claimed to be needed,
> i.e.  the checking for identity of those who are accused of
> transgressing on the rights of the person making the inquiry.  Whois is
> not a toy that is justified because it is "fun".
> 
> (Trolling for unused names is *not* a valid reason to violate privacy. 
>  If one must be a troll then it is a more efficient use of net
> resources to do a DNS query itself to see whether a name is in use or
> not.)
> 
> It's not necessary for us to engage in discussions of the needs of law
> enforcement or other public safety needs.  As a general principle,
> privacy limitations give way to public health and safety in those
> situations where time is of the essence or when the data subject is
> under observation.   The terms and condititions of this kind of access
> are generally beyond ICANN's scope and are, instead, established by
> law.
> 
> Anonymous access ought to be eliminated.  Except as provided by law, no
> access should be anonymous.  If anyone looks at your record you should
> be able to know who and when they looked.
> 
> Anyone making access must identify themselves and make a reasonable
> demonstrating that that identity is correct.  E-mail addresses are an
> interesting kind of lesser identity that might be of use when allowing
> access, more on that below.
> 
> When there is *no* demonstration of identity of the person making the
> query, such as in classical "whois", then the data returned should be
> veiled - for example, full telephone numbers should be replaced by area
> codes/country codes (and perhaps exchange codes), and full addresses
> should be replaced by postal codes.
> 
> So here's my suggestion:
> 
> A multi-tier form of access to the registration meta-data (i.e.
> "whois"):
> 
> 1. People (e.g. intellectual property attorneys, ISP NOC staff, etc.)
> may "pre-qualify" for access by demonstrating and proving their
> identity and showing a general need for access and that they are
> generally responsible.   These people would receive a "credential" (a
> password or digitial
> certificate or something of that ilk) that they can use to obtain fast,
> unhindered access to full records.
> 
> 2. One who has not pre-qualified can still obtain access to full
> contents of records by going through some sort of
> identification/authentication sequence. There might be a limitation on
> the number of queries that may be made without requalifiying, and the
> qualification may be limited to some class of records expressed in the
> form of some kind of regular expression.
> 
> 3. E-mail addresses could serve as even a lower form of identification
> that permits access, but in this case the response would be via e-mail
> to that e-mail address.  Rate limitations would clamp the number of
> replies per day to any e-mail address to some reasonable number.
> 
> 4. In direct query/response mechanisms in which the querier is not
> required to provide any identification, i.e. today's whois, then the
> returned information ought to be veiled as described previously.
> 
> In all of these cases every data subject (i.e. the people named in the 
> whois data) would have access to the list of identities of who looked,
> and  when.
> 
> (The list of names and what those people are looking at is itself a
> database of personally identifiable information and is, itself
> deserving of some protection.  What those protections are is left to
> another day.)
> 
> Yes, this will be slower than today's system.
> 
> Yes, what I suggest will be more expensive than today's non-system. And
> if there is a cost to be borne it ought to be borne by those who are 
> making the inquiries, not by the data subjects.
> 
> 		--karl--
> 
> 
> 
> 
> 
> 
> --
> This message was passed to you via the ga@dnso.org list.
> Send mail to majordomo@dnso.org to unsubscribe
> ("unsubscribe ga" in the body of the message).
> Archives at http://www.dnso.org/archives.html


--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html