[comments-whois] Comment on draft

[Karl Auerbach <karl@cavebear.com>]

The Nov 30 report unfairly characterizes my comments and failed to answer 
even a single one of my questions.

Since apparently my thoughts didn't get through on the first try, I am 
appending them again below.

As a general matter, I find the report deficient insofar as it apparently
starts with a presumption, apparently an irrebutable presumption, that
whois data must be published for the convenience of intellectual property
owners no matter how much social damage that may cause through destruction
of personal privacy.

In addition, I agree with the comments of Kathryn A. Kleiman made on 
December 8.

		--karl--
		Karl Auerbach
		North American Elected Director
		ICANN Board of Directors


---------- Forwarded message ----------
Date: Sun, 20 Oct 2002 14:48:55 -0700 (PDT)
From: Karl Auerbach <karl@CaveBear.com>
To: comments-whois@dnso.org
Subject: Comment on Oct. 14 Interim report


I see nothing in this interim report that answers the primary question why 
personally identifiable information must be published to the public at 
all.

In other words, the report fails to answer what I believe must be the 
first question: Why is "whois" needed, and by whom?

It is my sense that there is little public value in the existance of a 
publicly available "whois" database.

There are, of course, small groups who find such a database useful and
perhaps even valuable - groups such as marketeers (spammers) and trademark
people who seek to redress perceived violations of their rights without
resorting to the processes that nations have established for that purpose 
(i.e. the legal system.)

However, the report fails to indicate that the needs of those groups is of
sufficient weight to justify what amounts to a wholesale violation of
privacy principles that amounts to nothing less than an anti-privacy tax
on anyone who wishes to become visible on the internet through the
mechanism of acquiring a domain name.

The report fails to consider privacy protection mechanisms such as the 
following:

  - Requirements that the data subjects (i.e. the people named in whois 
    records) have free and effective means to maintain the data.

  - Requirements that those who examine the records must first identify 
    themselves, offer proof of that identity, and indicate working means 
    of contact, in particular a valid e-mail address.

     + To ensure that the contact of the person making the inquiry is 
       valid, the response to the query should be returned by e-mail 
       rather than being made online.

    + Special arrangements might be established for those in operational 
      roles (such as people in ISP network operating centers) to have 
      pre-arranged access credentials.

  - That the time, date, and identity of every inquiry be recorded and 
    made available to the data subjects.

  - Requirements that the registries and registrars make no use of the 
    information for any purpose except that for which it was gathered, the 
    maintainence of the registrant's domain name (including the issuance 
    of billing and status statements.)

  - Requirements that registries and registrars take concrete steps ensure
    that this data is protected by adequate and appropriate security 
    measures.

		--karl--