Re: [ga] whois.txt, ala robots.txt, as a standard ?

[Karl Auerbach <karl@CaveBear.com>]

On Fri, 7 Feb 2003, Ram Mohan wrote:

> > Why are people who feel they need to protect their privacy "egregious
> > violators".  Suppose you had young children, would you feel comfortable
> > publishing your (and thus their) addresses and phone numbers onto an open
> > directory?
> 
> + You misread what I said.  I said that providing *only* individuals the
> right to provide access to data works as long as the premise is that the
> individual supplies accurate/valid data.  However, some of the most
> egregious violators (such as domain slammers) wantonly provide false
> information - and those trying to get "their" domain name restored to them
> have a problem.

How does one know that a domain name holder is a "slammer"?  Certainly
there has to be a greater showing than a simple assertion.  In other
words, the mechanisms that I propose - that a showing that there are
reasonable grounds to believe that the accused domain name holder is
impinging on the rights of the data accessor - ought to apply as a
precondition to any and all access to registration data.

 
> > If there are reasonable grounds to believe that someone has
> > violated a civil or criminal law, there are well established legal
> > procedures (many of which involve going before a neutral magistrate and
> > making a showing of those reasonable grounds) to obtain access to things
> > like domain name registration databases.
> 
> + Indeed.  As long as you can find someone/someplace to serve.

The legal system has been able to deal (albeit sometimes slowly) with
anonymous and hidden identies.  Essentially the one who claims that
his/her rights are being infringed initiates a legal proceeding that isn't
quite that awful "in rem" stuff but rather something that is designed to
mature into a normal in personam procedure.  Think of it as bringing
process against "john doe" and the first step is to figure out who "john
doe" is.  In our domain name situation that process will usually involve
some sort of invocation of the domain name registrar to disclose the
registration data.

The actual procedures to do this will vary from jurisdiction to
jurisdiction.  Now I do recognize that most normal folks won't have means
to travel half way around the world to exercise some arcane process just
to try to figure out who is messing with their rights.  But we can take a
cue from the UDRP system - We've already set up UDRP system, it seems that
that gives us a pretty good suggestion about how to we could create a
private, worldwide, inexpensive, contractual based way to empower someone
to decide when DNS registrars/registries ought to open their registration
records to someone who has been harmed.

> > And let's be careful not to turn whois into Megan's law in reverse: in
> > which internet users are forced to publish their (and their children's)
> > names, addresses, and phone numbers for the benefit of any and all
> > predators.
> 
> + I don't disagree with you on this.  I certainly get my share of spam,
> unsolicited calls, etc thanks to having accurate information available via
> Whois.

We've got to get out of the "spam" mentality - the damage that can befall
a person or his family as the result of a privacy violation can be much
greater than a few dozen (or in my case, a few hundred) spams a day.  
Consider things like identity theft, or stalking, or worse.

> There needs to be a place where accurate domain contact information resides.

No disagreeement there - but that information is information about DNS
registrations and is recorded for that purpose.  There is no need for it
to be open to the public for unfettered and unmonitored access.  And
moreover, "accurate information" doesn't necessarily mean the identity of
some person who is ultimately accountable for the domain name; it could be
some intermediary which might itself have to be penetrated to work up the
chain of control.  Yes, this is hard.  Sometimes may be nearly as hard to
find who really controls a domain name as it does to figure out who inside
ICANN makes a decision that is published under the IANA label.  ;-)

> ...Does this mean we should "completely disengage from the current
> system"

I don't think so.  But I do think that it means that we need to change the 
default mode of thinking from "open access" to "access only after a 
demonstrated legitimate reason accompanied by believable identification 
of the person asking for access".

Your point that DNS is but a small part of the privacy problem is quite
well taken.  But I can't solve the other parts, but you and I can help
solve the DNS part.

		--karl--




--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html