Re: [nc-whois] privacy remarks
On 2003-02-27 12:20:51 -0500, Steve Metalitz wrote:
> I regret having missed Tuesday's conference call, which as you
> know conflicted with a long-standing prior commitment.
> I believe that Becky makes some excellent points below.

Indeed. I'd like to see much of her posting make it to the issues

[different policies for different classes of registrants; compliance
of .name registrants]

> This does not mean that it is necessarily inappropriate to modify
> Whois policies for .name -- as you know, the IPC did not oppose
> the changes recently approved by the ICANN Board in this regard
> -- but just that the changes cannot be justified on the basis
> that the .name registrants are individuals using their own names.
> More fundamentally, even individual registrants can engage in
> improper activity (such as crimes, fraud, piracy, child
> pornography etc.) or even perfectly legitimate activity (e.g.,
> commerce) for which there is a strong interest in the
> accountability and transparency that the current gTLD Whois
> policies provide.

I think that Becky made a very strong argument about this topic (the
customer education note): To the extent to which TLD identifiers may
help to "tag" registrants, many problems may not so much depend on
who a registrant really *is*, but rather on what they are
*perceived* to be (.biz and .name are examples for TLDs which could
create rather clear perceptions -- on very different ends of the
scale). From that point of view, it would in fact be quite
appropriate to have distinct policies for distinct TLDs with
distinct *intended* registrants.

Of course, the much more interesting cases are open, unsponsored
TLDs like .com, .org, .info, where you have a wild mixture of
different groups of registrants -- that's the situation I had in
mind in my earlier posting, and I suspect we may be able to disagree
on what's appropriate there for an extensive amount of time. ;-)

For the moment (and for the purposes of the issues report), we
should most likely leave that discussion at the point of
articulating the opposing perspectives -- with mandatory publication
of a limited set of essential data elements (and optional
publication of the rest, plus some privileged tier with access to
more information) as one of the policy options.

> Before I go further in response to Thomas' remarks, let me say
> again (as I have in a number of previous Task Force conference
> calls) that our Task Force is not really the place to get into a
> detailed discussion about what particular privacy/data protection
> laws do or do not require with regard to Whois.

Agreed. But one way to avoid the problem of getting into the ugly
details of national laws (while still getting some useful
perspective) and their applicability is to look at the abstract
design principles underlying these laws -- there are fewer ways of
doing the fundamental design than there are ways to implement it.
The OECD principles posted by Ruchika certainly belong in that
category, and my referral to what I called the "purpose dogma" went
in that direction, too.

Ultimately, this may lead to a question the GNSO could ask the GAC:
What advice can they give us, in the most general terms possible, on
design principles for a WHOIS service which may make compliance with
local laws in a variety of jurisdictions possible (or at least
easier to achieve)?

> Speaking of consent,

I wouldn't. As opposed to what you noted earlier, I don't think
that choices available are sufficient at this point to permit
speaking about true consent -- if you want a domain name in the
relatively popular gTLDs, you have to give the consent you
described. .name is starting to add at least some kind of genuine
choice to the picture, but there's still a long way to go until the
argument can be made that registrants freely consented to the
publication of their data.

> With regard to Thomas's first "very basic question" -- "which
> data users need which data elements for which purposes?" -- I
> believe we have a wealth of data responsive to that question in
> the 3000 or so responses to the survey which this Task Force
> conducted back in the early days of this century. Of course that
> data is not definitive but it is a lot more concrete and relevant
> than any speculative answers that we might come up with now. I
> think it is fair to summarize those responses as indicating that
> most respondents in most categories (individuals, businesses,
> governments, etc.) believed that nearly all of the data elements
> currently accessible to the public via gTLD Whois were either
> valuable or essential for one or more of the activities which
> these same respondents said they carried out using Whois data.
> Let's go back and look at that data again before plunging further
> down this track.

While I have certainly no objection against revisiting the survey
data (which I can't do right now, since I'm typing this on a train
ride), I have one concern about using the survey as our definitive
source on who needs what: All we know is that people have told us
what kind of data they'd *like* to see. We don't know to what
extent "essential" answers are just "nice to have" plus a bit of
advocacy. We don't know what kinds of data people actually *need*
(*not*: want) for what specific uses. And, quite frankly, I doubt
that this is a question you can easily answer through a public

> With regard to Thomas' second and third questions, I am certainly
> comfortable saying that continued public access to Whois data
> enhances the transparency and accountability of online activity
> in a way that contributes substantially to the "stability of the
> Internet" in the following sense: in order to create and maintain
> public confidence that people know who they are dealing with
> online. To the extent that confidence is eroded by reducing
> transparency and accountability, the Internet becomes practically
> (and also technically) less stable. I believe our survey data
> supports this conclusion, as did the report of the DNS Security
> and Stability Advisory Committee. It may be that I have
> misunderstood Thomas' question in which case I am sure he will
> set me straight.

You haven't misunderstood the question at all. But there's a
different side to your argument: Less transparency (in the sense of
a smaller number of mandatory data elements) might make registrants
feel more comfortable about their privacy, and may lead to
more honesty about WHOIS data when registering domain names. There
is a trade-off between publishing as much as possible (but with
possibly poor accuracy), and publishing as much as needed (with
possibly fewer privacy concerns perceived, and better accuracy). How
much "as much as needed" really is, is one of the things to work out
in future policy development, I think.

> Concerning the third question about whether "registrars'
> databases [are] an appropriate source for fulfilling these data
> users' wishes," this question (like the one before it) is posed
> in what I view as a biased manner (or perhaps I am misreading

When you know someone's general bias, it's easy to read it into
everything he writes. ,-) The question is meant in the following
sense: There are some uses of WHOIS data (like being able to serve
legal proceedings) for which enforcing the publication of data
through policy may be appropriate.

There are other uses (the appropriate uses of technical contact
information in domain name WHOIS, to give an example) where it could
be left to the registrant whether or not to publish relevant
information -- if they don't know how to fix their technology, or
only speak some very uncommon language, then there's little to no
value in having "technical contact" information. (Before someone
jumps on me and talks about tracking DDOS attacks and the like: For
that kind of thing, you usually won't need the technical contact for
a *domain* *name*, but you'll go to IP address WHOIS.) Similar
questions could be asked about other data elements.

To the extent to which it's sufficient for data users' purposes to
rely upon voluntarily published information, there is no need to
mandate publication of these data.

Thomas Roessler <firstname.lastname@example.org>