ICANN/DNSO
DNSO Mailing lists archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [registrars] ORG Redelegation


On 2002-11-15 at 15:20 -0500, Ross Wm. Rader wrote:

> > I am also very much amazed by the fact that everyone is crying about
> > data-mining and such, and presenting it as an argument why Registrars
> > do not have the same whois format, or one that changes, but in the
> > same time... I mean... with thick Registries... is the problem less
> > or worse ?
> 
> The Intellectual Property community wants one thing - access to all whois
> data through one web interface. They haven't thought much about the impact
> of thick v. thin, they haven't thought much about the data mining issue that
> you set forth, frankly, it doesn't much appear that they have thought much
> about the consequences of their demands at all. But, I'm sure as long as
> they continue to get what they want, they will continue to be a bunch of
> happy campers. Keep in mind that these are the same people that lobby from
> time to time that libraries should be regulated and pay licensing fees because of
> the multiple uses of the intellectual property.
> 
> -rwr

It seems to me that there is a pretty serious legal problem with migrating
a thin registry to a thick registry, especially in Europe where data
privacy laws are very strict.  All of the data has been collected by
registrars subject to certain agreements with registrants and contacts,
and registrars may run afoul of those laws by turning over customer data
to the registry, especially if the registry claims to be able to use this
data for marketing, resale, or any other purpose not originally allowed.  
Even where the local or national laws are not so strict, there may still
be issues of contract which bind the registrar, and at best there would be
a different contract with different terms for each registrar, leading to a
need by the registry to keep straight the terms and conditions running
with the data.  See, for example, an IETF draft on this issue:

http://www.ietf.org/internet-drafts/draft-brunner-epp-data-considerations-00.txt

The author of that document (Brunner-Williams) put this succinctly:

   This proposal would be consistent with the "opt-out" legal regime of
   the United States, but inconsistent with the "opt-in" regime of the
   OECD States, and in conflict with the "opt-in" regime of the EU States.

There are also a lot of subtleties with regard to what information is
public and what information is potentially only subject to inference by
the public.  For example, if two different domains are registered with
similar contact information, whether the contacts refer to the same real
world person or corporate entity is not now something that can be known
from public WHOIS data, although obviously one can guess.  This sort of
compromise of private information would be forced by going to EPP, and
the various evolving versions of the EPP moving target have chosen to
handle this particular issue differently (e.g., ROIDs).

The ORG data is also not in a format in registrar files that can be easily
coerced into EPP requirements.  For example, many ORG domains have "role
account" contacts, which were actually encouraged as good practice at one
time.  Historically, registrants (as distinct from contacts) did not have
contact-like information such as e-mail addresses and telephone numbers,
but thick EPP implementations require that registrant information be
provided and the EPP specification requires that, if provided, registrant
and contact information must be in the form of contact objects.  See, for
example, sec. 3.2.1 from the draft EPP-D specification:

http://www.ietf.org/internet-drafts/draft-ietf-provreg-epp-domain-05.txt

It is not clear to me how one can migrate data from the historical system
to a thick EPP implementation without simply constructing synthetic
contact and other objects that are filled with junk or dummy data.  The
essence of the problem is by no means inherent in the EPP definition, but
rather in the mapping between EPP elements and the real world.

This entire proposal has a lot of serious problems that are only made
worse by the insane, careening rush to satisfy an arbitrary drop-dead date
on January 1.  We still do not even have a protocol specification for the
"transitional" RRP implementation.  Presumably there is an expectation
that the necessary documentation can be released to us on Christmas Eve
and we can call in programming staff on Christmas Day to get a good head
start on a problem that has been slowly building for months.  I am sure we
are all going to be enjoying the New Year's holiday trying to see if we
are still in business.

I find it incredibly disturbing that no one seems to have thought to raise
the issue of whether conversion of a thin registry to a thick registry is
either legal or technically feasible.  No one has ever done it before and
the inevitable result will be to treat the ORG registrants as experimental
animals like lab mice.  Given that some countries have very severe privacy
laws that carry criminal enforcement provisions with heavy jail terms, one
would think that the legality of migration from thin to thick data storage
models would have been a paramount concern.

Michael Bilow
Chief Engineer
  mbilow@RegistrationTek.com
Registration Technologies, Inc.
  http://www.RegistrationTek.com/
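
Added example, not part of the original message or of any registry's code: a short audit of constructed legacy registrar records, showing which contact-object fields could only be filled with synthetic data and which role-account contacts would become explicitly linked across domains if stored as one object. The required-field list, record layout and sample data are assumptions made for illustration.

```python
from collections import defaultdict

# ASSUMPTION: fields a thick registry demands on every contact object
# (illustrative policy, not quoted from the EPP drafts).
REQUIRED = ("name", "street", "city", "cc", "email", "voice")
ROLES = ("registrant", "admin", "tech")

# Constructed role account, shared by both sample domains.
HOSTMASTER = {"name": "Hostmaster", "street": "1 Main St", "city": "Providence",
              "cc": "US", "email": "hostmaster@example.net",
              "voice": "+1.4015550100"}

# Constructed legacy records: registrants carry no e-mail or telephone.
LEGACY = [
    {"domain": "example.org",
     "registrant": {"name": "Example Society", "street": "1 Main St",
                    "city": "Providence", "cc": "US"},
     "admin": HOSTMASTER, "tech": HOSTMASTER},
    {"domain": "example-two.org",
     "registrant": {"name": "Second Example Club", "street": "9 Elm Rd",
                    "city": "Brussels", "cc": "BE"},
     "admin": HOSTMASTER, "tech": HOSTMASTER},
]

def audit(record):
    """Return {role: [required fields the legacy data cannot supply]}."""
    gaps = {}
    for role in ROLES:
        src = record.get(role) or {}
        missing = [f for f in REQUIRED if not src.get(f)]
        if missing:
            gaps[role] = missing
    return gaps

def linkage_if_merged(records):
    """Group (domain, role) pairs whose contact data is textually identical
    across domains. Storing a group as one contact object states a link
    that per-domain WHOIS output only let an observer guess at."""
    groups = defaultdict(list)
    for rec in records:
        for role in ROLES:
            src = rec.get(role)
            if src:
                key = tuple(str(src.get(f, "")).strip().lower() for f in REQUIRED)
                groups[key].append((rec["domain"], role))
    return [sorted(g) for g in groups.values() if len({d for d, _ in g}) > 1]

if __name__ == "__main__":
    for rec in LEGACY:
        print(rec["domain"], "would need synthetic data for:", audit(rec))
    print("linked if merged:", linkage_if_merged(LEGACY))
```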



