ICANN/DNSO
DNSO Mailing lists archives

[nc-whois]



[nc-whois] privacy remarks


Let me try to briefly summarize my remarks made during today's
conference call in writing, and to elaborate further on some points.


1. Comments received: I had asked both the members of the GA list
and my colleagues on the ALAC for any input they may have for our
brainstorming.  A predominant observation was that privacy concerns
with respect to WHOIS are a compliance issue *at* *least* in Europe.
Michael Palage made slides available which compare applicable law in
the US and in the European Union; I forwarded these to the list.
Ross Rader proposed that it would be best not to consult with
individual governments or groups (since following local agendas or
tracking national laws would be impracticable), but to ask the GAC
for formal advice.


2. Speaking from a European point of view, a fundamental "dogma" of
privacy regulations on the Old Continent is that data must be
collected and processed for a specific purpose, to which the data
subject has given its consent, and must not (in general) be
processed (transferred, ...) for other purposes.  A different way of
stating this principle is that the data must not be used for
purposes to which the data subject has not given its consent, and
that promises made about the use of the data must be respected.

This principle may be a useful tool for developing policy since it
requires a certain amount of clarity about the possible uses of
data.  Specifically, what kinds of uses are compatible with the
initial purpose for which the data have been collected?  Where are
the exceptions?


3. There's another principle we need to adhere to, and that's
ICANN's mission and core values.  WHOIS is a burden on registrars,
registries, and registrants -- that burden must only be placed on
them for essential purposes within ICANN's mission, not for other
things which might just be "nice to have" for some.


Taken together, these principles would lead to the approach of
asking a number of very basic questions (to which we still don't
have a comprehensive answer):


a) Which data users need which data elements for which purposes?

b) Is it essential for the stability of the Internet that these data
users can indeed use the data for the purpose given?

c) Are registrars' databases an appropriate source for fulfilling
these data users' wishes, or are there different ways to more
appropriately access these data?


When we have identified those uses and users for which all three
questions can be answered with "yes", then we have identified the
necessary characteristics of a future WHOIS service. Once that's
done, the question comes up how this access to registrants'
databases can be granted.  The simplest approach is, of course,
making all the data public -- much like the WHOIS service we have
today.

Figuring out how to make the data available for essential purposes
(as defined by a-c) without publishing everything, and figuring out
what data elements possibly still to publish is the challenge we are
facing.  I'd like to invite you to think through your favorite uses
with the criteria above in mind.



Finally, let me make some observations on the idea of classifying
data subjects into, say, individuals, organizations, and businesses,
and imposing different kinds of data publication policies on them --
this has been floating around for some conference calls now.  The
approach of having class-wide policies brings a difficulty: Those
with fraudulent activities would certainly be willing to lie about
their classification, just like they would lie about their address
now. Thus, availability of data elements would in practice always be
determined by the policy for the class of data subjects with the most
strict protection -- most likely individuals.  Publishing anything
else would, in practice, be optional.

Instead of creating a lot of headache by figuring out the individual
classes' policies, it may be the simplest approach to forget about
classes of data subjects on the conceptual level, and to just think
about mandatory and optional publication of certain data elements --
after all, that's what it boils down to in practice anyway.  What
optional data elements are published could be the registrant's own
decision (regardless of his class), and it would then *not* be a
policy matter.  Only the mandatory elements would be determined by
policy, and they would be determined in a way which makes them
appropriate for "genuine" individual registrants.

(Note that I assume, in this argument, that some kind of privileged
access is available for the essential uses defined above.)


Regards (and good night),
-- 
Thomas Roessler                        <roessler@does-not-exist.org>

