DNSO Archives: [ga]

ICANN/DNSO DNSO Mailling lists archives

[ga]

<<< Chronological Index >>> <<< Thread Index >>>

Re: [ga] whois.txt, ala robots.txt, as a standard ?

To: Ram Mohan <rmohan@afilias.info>
Subject: Re: [ga] whois.txt, ala robots.txt, as a standard ?
From: Karl Auerbach <karl@CaveBear.com>
Date: Thu, 6 Feb 2003 22:01:54 -0800 (PST)
cc: ross@tucows.com, "'George Kirikos'" <gkirikos@yahoo.com>, <ga@dnso.org>
In-Reply-To: <038701c2ce40$10eea7e0$6a14a8c0@afilias.com>
Reply-To: Karl Auerbach <karl@CaveBear.com>
Sender: owner-ga@dnso.org

On Thu, 6 Feb 2003, Ram Mohan wrote:

> Interesting thoughts and an interesting premise.  The problem is, that the
> groups you mention here (marketers, IP folks, etc) are not the only people
> who utilize Whois information.
> 
> System operators (including technicians, systems administrators responding
> to abuse, etc) often depend solely on information found in Whois to
> determine next courses of action for serious network and other related
> issues.

I disagree - Folks in NOCs *do* use something called "whois", but it most
often it is a distinct set of databases pertaining to IP address
allocations.

Why do NOC folks use the IP "whois"?  Simply because the key that one has
for the lookup is less easily forged.  Domain names on purported spam
e-mail are only ocassionally accurate.  But the IP address on a TCP
connection has intrinsic value because a TCP connection can not be formed
unless both the source and destination address are actually reachable.

Assuming for the moment that ISP's and such obtained value out of DNS
whois information - That still doesn't justify them mucking around unless 
certain conditions are met:

  1. That a person who acquires a domain name is informed from the outset
that such access will be performed by ISP people.  (I.e. actual or implied
consent by the data subject.)

  2. The person who is doing the looking is actually a real ISP person
following up on a specific legitimate problem.

It would not be all that hard for anyone claiming to be an "ISP" to jump 
through some qualification hoops in order to gain a whois access 
credential.  For instance, once a year.

The burden of proving that access to personally identifiable information
is a valid access ought to fall on the person requesting access, not on
the data subject.

> Your premise is also that all individuals provide accurate information.  We
> know (you definitely do, as a registrar) that some of the most egregious
> violators make sure that they provide _false_ information.

Why are people who feel they need to protect their privacy "egregious
violators".  Suppose you had young children, would you feel comfortable
publishing your (and thus their) addresses and phone numbers onto an open
directory?

> Giving individuals the sole right to provide information about them
> seems to swing the pendulum too far one way.

It's their information; they have the right to control it.

> ....  However, your suggested solution provides a
> wonderful shelter for every spammer, DDoS violator and domain-slammer to
> hide behind.

Nonesense.  If there are reasonable grounds to believe that someone has
violated a civil or criminal law, there are well established legal
procedures (many of which involve going before a neutral magistrate and
making a showing of those reasonable grounds) to obtain access to things 
like domain name registration databases.

Absent such a showing, there is no reason to violate privacy.  That is,
unless one accepts as a working premise that those who are accused are
considered guilty until they prove otherwise.

> The Whois Task Force is working on providing meaningful recommendations
> that, among other things, addresses the issue of Bulk Whois.

Until they establish that there is a reason for public publication of DNS 
registration information in the first place, such recommendations are 
fundamentally useless.

> The IETF Provreg group is debating adding a <privacy> element as a
> standard part of the de-facto standard domain protocol (EPP).

If you follow what is going on there, they are debating whether even to 
include some very weak, and potentially useless, mechanisms, and only 
because the IESG is holding the working group's feet to the fire.

> Let's be careful not to throw the baby out with the bath water.

And let's be careful not to turn whois into Megan's law in reverse: in
which internet users are forced to publish their (and their children's)
names, addresses, and phone numbers for the benefit of any and all
predators.

		--karl--

--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html

Follow-Ups:
- [ga] Question about ICANNatLarge Web site
  - From: "Michael D. Palage" <michael@palage.com>
- Re: [ga] whois.txt, ala robots.txt, as a standard ?
  - From: "J-F C. (Jefsey) Morfin" <jefsey@club-internet.fr>
- Re: [ga] whois.txt, ala robots.txt, as a standard ?
  - From: "Ram Mohan" <rmohan@afilias.info>
- Re: [ga] whois.txt, ala robots.txt, as a standard ?
  - From: "Ross Wm. Rader" <ross@tucows.com>

References:
- Re: [ga] whois.txt, ala robots.txt, as a standard ?
  - From: "Ram Mohan" <rmohan@afilias.info>

<<< Chronological Index >>> <<< Thread Index >>>