ICANN/DNSO
DNSO Mailing lists archives

[ga-full]



Re: [ga] Bulk WHOIS Data Issue


George and all assembly members,

George Kirikos wrote:

> Hello,
>
> Continuing with my prior thoughts, based on weighing the costs and
> benefits of switching to "absolute privacy", and the notion of
> "personal responsibility", I offer up a couple of links.
>
> First, here's the experience of the OECD, with regards to one of their
> domain names:
>
> http://www.oecd.org/pdf/M00027000/M00027316.pdf

  This is a very interesting "Individual" case.  But such a
single experience does not a strong or compelling argument make.

>
>
> Secondly, I offer the example of the Canadian registry's agreement, at:
>
> http://www.cira.ca/official-doc/8.RPPG_00015EN.txt

>
>
> and in particular the words in section 4 (the kind of information
> disclosed to the public), Registrant obligations in section 3
> (especially legal ones), and also highlighting 3.1(n)
>
> "(n)be wholly responsible for the use and operation of any third,
> fourth, or further sub-level domain to any second level Domain Name
> Registration in the Registrant's name and the Registrant shall ensure
> that the use and operation of any such sublevel domain is conducted in
> compliance with this Agreement;"

  I think this is a good practice.  But it does not delineate that such
information that is personal or private be listed in the Whois for
any .CA domain name.  The information this discussion
and debate concerns includes, but may not be limited to, personal or private
physical address, personal or private phone number, and personal
e-mail address...

>
>
> Having presented these, let's consider the arguments of those
> advocating absolute privacy in WHOIS data. The OECD suffered damages
> because of the fake registration data of "ocde.org" (the French version
> of oecd.org, that had been taken by a pornographer, and habitual
> cybersquatter), and this is undeniable. Furthermore, the innocent
> individuals who were named in the WHOIS (i.e. not the name of the true
> registrant -- the cybersquatter used names of previous victims!)
> suffered damages of being hassled even more, by those who thought they
> were the true owners. The actions of the Registrar were quite
> unhelpful, and time was not "of the essence" in their behaviour.

  Yes, and the key here is that the registrar and/or the registry
has the information on who the registrant was, and can therefore
make the necessary inquiries or contact local or the appropriate
law enforcement officials as to a potential problem without the
registrant's personal and private information being available
to the public in the WHOIS data...


>
> Ultimately, what moved things forward towards a favourable outcome was
> that the registrant was being forced to put TRUE and PUBLIC contact
> information into the WHOIS database.

  Hummm?  I don't see any information that would definitely indicate
this contention, George.  Respectfully, it seems from my reading that
the registrant, via the registrar in this particular instance
or case, was "flushed out" because he/she was aware that they
were likely to be contacted by an appropriate law enforcement
agency for further inquiry...

> Instead of doing that, the
> cybersquatter chose to hand over the domain. The cybersquatter is
> *still* at large. I am sure he or she would be quite pleased by the
> "absolute privacy" arguments being made by a few advocates on this
> list.
>
> I think it is undeniable that having this absolute privacy become
> standard would only encourage and embolden those who seek to commit
> abuse and use the domain name irresponsibly, as it raises the costs of
> those who need to identify them, creates time lags, and increases the
> damages that take place due to those greater time lags. Thus, not only
> would there be greater number of abusers (since it is much "cheaper" in
> a sense, for the abuser to hide behind anonymity, thus opening the
> market to more abusers), the damage from each instance of abuse would
> be higher.
>
> The second example above, CIRA's document, is just a reminder that
> we're a society governed by laws. Some advocates seem to be taking the
> position that they have absolute rights to certain privileges, without
> having to take the commensurate responsibilities for those privileges,
> or making it extremely difficult and costly to enforce those
> responsibilities, for minor personal benefit.
>
> Some on this list are nothing more than advocates, in my view. What
> separates decision-makers (leaders), from simple zealots and advocates
> is that decision-makers judge issues by weighing the facts. In an
> economic and policy framework, this involves making certain
> compromises, and looking at the costs and benefits of certain choices.
> This allows one to come to a reasoned decision, instead of "religious"
> decisions of absolutist zealots.
>
> <rant mode on>
> For the peanut gallery, if it be a sin to covet logic and reason, then
> I'm the most offending soul alive. :) A sound and reasoned economic
> framework doesn't make one "audacious", unless you mean the definition
> "contemptuous of religion", where one is arguing with those who see
> their positions as coming from God, and present no further arguments
> rather than "it's in the Good Book". Insinuating a relation to
> terrorists is ludicrous, and as William Walsh put it best "we expect
> more from you".
> <rant mode off>
>
> Some of the privacy advocates actually attempted to make a positive
> contribution, by presenting some arguments as to the benefits of
> greater privacy. Joanna Lane rightly brought up the personal safety
> argument. I am in 100% agreement with her that personal safety is an
> important issue. I personally know of individuals who've suffered from
> violence, and know that the effects of those acts have a lasting legacy,
> not only on themselves, but on their families, friends, and society at
> large. No one should have to live in fear.
>
> However, I think Joanna then goes a bit too far (perhaps for dramatic
> effect -- debates are entertainment, for some). Citing statistics about
> 1 in 5 children being solicited online is all good and well. Then
> beating one's chest that "we're concerned about the CHILDREN", as
> though anyone else who might put up an opposing argument is some
> monster. These are motherhood issues -- issues that everyone agrees on,
> and you're attempting to preach to the choir (I can almost hear the
> violins playing!). However, to go on and then demand a right to
> absolute privacy, making the implicit assumption that the benefits in
> terms of personal safety are INFINITE, and incalculable, and that all
> other considerations are moot, reveals oneself to be a bit naive.
>
> The benefits of personal safety are NOT infinite. If they were, the
> average car would cost $1 million, and everyone would own $250,000 home
> security systems, and would be wary of leaving their house at all. The
> reality is, folks make decisions (implicitly, using costs and benefits,
> and risk analysis) everyday about personal safety, when they step into
> their car, when they decide to buy a new TV instead of spending the
> money on a security guard for their home, etc. Providing online
> examples, how many people use PGP for security of their emails? Or,
> similar encryption/digital signing, to provide some protection against
> identity theft? Too few people signed up for Zero Knowledge's
> "Freedom.net" project, to have anonymity which was only priced at
> $50/yr. And I go back to my examples of the average person who will
> give up their privacy for a $5 Amazon.com coupon, or a minuscule chance
> of winning a prize in a lottery.
>
> I think it is even a fallacious argument that improving the privacy
> will have an enormous impact on the issues Joanna raised. Statistics
> can be misused, to become fear mongering. Most rapists, for example,
> are already friends or relatives of the victim, sadly. Removing a few
> WHOIS details is no replacement for parental supervision of children.
> While the "anonymous stranger" mentality is good for fear mongering in
> the media, it's out of step with reality. If 1 in 5 children have been
> solicited online, shouldn't it be like "shooting fish in a barrel" to
> catch those online criminals? Yet, the facts are those offenders are
> *drawn* into  the anonymity of the online world, and increasing their
> anonymity only will embolden them further! Creating that link to the
> offline world keeps things "real", and enhances personal
> responsibility. A few anarchists are in favour of total lack of
> personal responsibility online, but most members of society choose to
> be governed by law.
>
> For some of the older ones on the list, we remember the days of rotary
> telephones, and without the caller id to see who was calling. Remember
> how many harassing phone calls people used to get (e.g. deep breathing,
> etc)? Telephone companies can verify that once the technology reduced
> that anonymity, folks became more responsible, and abusers sought out
> different places to commit abuse. (the telephone metaphor is only being
> used in a limited sense, as it's a 1-to-1 technology, and much less
> powerful than an internet technology)
>
> Even though economics is my religion (just kidding; I do believe in
> God!), I do agree that Joanna raises a valid concern. How can this
> concern be addressed then? As decision-makers, what is the compromise?
>
> Clearly, the "absolute privacy" isn't a compromise. It would only
> represent a compromise IF the responsibility for damage resulting from
> abuse became shifted to the registrar or registry (which would have
> alleviated the problem in the OECD example). This is probably
> unrealistic, for most registrars, and more than they signed on for when
> they became registrars. Ultimately, society at large needs a way to be
> able to legally "serve" a legal person (i.e. an individual, a
> corporation, etc.) when the need arises.
>
> The compromise proposed by Jeff, i.e. a single email address, is
> interesting. i.e. in the WHOIS, all that would be present would be
> "EXAMPLE.com" and "postmaster@EXAMPLE.com". The pitfalls of this
> proposed solution are that we're not ready for it, yet, as a planet. I
> believe one court in Texas allowed "service" of a legal document to an
> email address of a domain holder, where all other avenues had been
> exhausted. However, the law in this area is VERY new, and needs to be
> worked on internationally. Furthermore, e-mail is not a technology with
> guaranteed delivery. Even in the OECD example, the registrar was
> willing to wait 10+ days to hear from the registrant in response to an
> e-mail only inquiry -- this recognizes that in this day and age, people
> do not check their email regularly, except for those advanced ones
> (like ourselves perhaps), who are checking things continuously. In 20
> or 30 years, when all nations have supplied unique e-mail addresses to
> their citizens with guaranteed delivery/receipt mechanisms, which are
> recognized as being sufficient for "serving" legal processes, I think
> Jeff's proposal would work. Unfortunately, we're not there yet (I wish
> we were, and that technology would catch up to our imagination!).
> Perhaps the slow pace of technological progress is helpful, as it
> allows the rest of society's institutions enough time to catch up to
> our imagination....
>
> What compromise do I envision? I've mentioned it in the past, but let
> me expand on it. Firstly, we don't *need* all the present info that is
> in the WHOIS, to achieve a desirable balance in the costs/benefits of
> privacy. For instance, who needs a public billing contact? That's
> between the registrar and the registrant, and could be kept private (or
> optionally be made public). A technical contact? While it could be
> helpful to some people, in some cases, the technical contact is of most
> importance only to the registrant (and could be optionally made public,
> at the registrant's whim). That leaves us with the administrative
> contact (i.e. owner). For them, sufficient info (name, address, phone
> number, enough details to be identified and legally served a process,
> as recognized by international law) should be minimized, in keeping
> with international law developments (e.g. once international law
> recognizes e-mail as sufficient, then we move to Jeff's solution).
>
> I think from a policy point of view, allowing a 3rd party to be the
> administrative contact could work, as long as from a legal point of
> view it is recognized that the 3rd party is "responsible" (i.e. it is
> sufficient to contact only them, and if they represent someone else,
> it's their own problem to deal with contacting that person, and acting
> if they can't reach them, etc.).  This would work within the framework
> of the CIRA text above, and also within the framework of international
> laws.
>
> Who would that third party be? It's up to the owner of the domain (i.e.
> the registrant). It could be themselves, i.e. self-representation. For
> most people and corporations, that would likely be their pick -- they
> have nothing to hide and don't place a high value on the extra privacy.
>
> For others, they might choose a friend, a lawyer, or even the registrar
> itself (if the registrar is willing to take on the risk, and is
> compensated). For instance, a friend of mine wanted a domain, and I
> registered it on her behalf, and put "Domain Trust" as the contact,
> with my own corporation and personal address and details in the contact
> info. If there's someone to be contacted for any reason about the
> domain, I can handle things, and help preserve her privacy. I am
> legally responsible should abuse originate from the domain. The cost of
> providing this "service" to her? Absolutely zero. For a registrar?
> Perhaps a few pennies or dollars -- most registrants are not abusive,
> and have a relationship with the registrar or reseller, or would be
> quick to end abuse if they are responsible for ending it, and couldn't
> point the finger to someone else (like in the OECD example).
>
> A few people might say "well, that's not good enough, I demand ABSOLUTE
> privacy". I have no sympathy for those people, unless they tell me how
> much (monetarily) they value their privacy. Suppose they repeat the
> mantra that it's of "Infinite value" -- then, they should just pay the
> $5 or whatever it'll cost to have a representative agent be in the
> WHOIS information, and then spare us the whining. If instead they say
> "I value my privacy at $2, and $5 is too expensive for that extra
> element of privacy", my reply is "then don't waste our time quibbling
> over things you don't value, and let's return to real issues, and not
> religious ones."
>
> Note that the above compromise can also be implemented by adding a
> brand new contact ("legal contact"), and then hiding all current
> contacts (administrative, technical, billing).
>
> Reading through the other posts, I think Kristy brings up a good point,
> as to the Bulk access (we kind of strayed a bit, once the "absolute
> privacy" zealots entered the fray). Maybe there'd be a way to do things
> like Verisign's bulk access agreement when getting access to the zone
> file, for port 43 WHOIS access. This would reduce the amount of
> "harvesting" of the WHOIS data by spambots. If registrars were able to
> seed a few fake domain names with unique fake registration data (as
> physical mailing lists do), and then catch abusers red-handed and hold
> them accountable if they break the WHOIS port access agreement, things
> would be rosy indeed. There's no replacement, though, for strong
> anti-spam laws.
>
> Reading through even more posts, people seem to be struggling for
> metaphors. The telephone example tends to be overused. If we look at
> the example in trademark registries, there's sufficient "whois" data
> for a trademark to be able to serve someone. Individuals, companies,
> and other entities register trademarks, without some of the personal
> safety issues that freak out some individuals. Trademarks represent
> division of a public resource/namespace, like domain names. Similarly,
> in the case of licensing of radio or TV stations -- it's made easy for
> the public to look up the owner of that frequency/station.
> Registrations of corporations, personal businesses, etc. are another
> metaphor. Some folks seemed to have attempted to make the domain itself
> a unique legal entity unto itself, and that argument is deeply flawed.
> One can't "serve" a domain or find it responsible for itself.
>
> In conclusion, I hope folks who contribute further to this thread try
> to focus on costs and benefits, and come up with workable compromises.
> Other examples of "benefits" to greater privacy are always welcome, so
> we can try to come up with an even more satisfactory solution.
>
> And that's my audacious post for today. :)
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/
>
> --
> This message was passed to you via the ga@dnso.org list.
> Send mail to majordomo@dnso.org to unsubscribe
> ("unsubscribe ga" in the body of the message).
> Archives at http://www.dnso.org/archives.html

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 121k members/stakeholders strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number:  972-244-3801 or 214-244-4827
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208


--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
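
The quoted message suggests seeding WHOIS with fake domain names carrying unique fake registration data, so that harvesting can be traced to whoever broke the port access agreement. The sketch below is an added example, not part of either post: it derives a distinct seed contact per agreement holder with an HMAC and attributes mail sent to a seed address. The key, mail domain, agreement ids and seed domains are all constructed, and it assumes the WHOIS server can tell which agreement holder is querying.

```python
import hashlib
import hmac
import re
from collections import Counter

# All names and values below are constructed for this example.
SEED_KEY = b"constructed-demo-key"        # secret known only to the registrar
SEED_MAIL_DOMAIN = "seed-mail.example"    # mail domain the registrar monitors
LICENSEES = ["agreement-0017", "agreement-0042"]   # parties bound by the agreement
SEED_DOMAINS = ["seed-alpha.example", "seed-bravo.example"]  # fake registrations

_ADDR = re.compile(rf"admin-([0-9a-f]{{16}})@{re.escape(SEED_MAIL_DOMAIN)}")


def seed_tag(licensee: str, domain: str) -> str:
    """Keyed tag: unique per (licensee, seed domain), unforgeable without the key."""
    msg = f"{licensee}|{domain}".encode()
    return hmac.new(SEED_KEY, msg, hashlib.sha256).hexdigest()[:16]


def seed_record(licensee: str, domain: str) -> dict:
    """WHOIS contact data served for a seed domain to one specific licensee."""
    tag = seed_tag(licensee, domain)
    return {"domain": domain,
            "admin_name": f"Seed Contact {tag[:6]}",
            "admin_email": f"admin-{tag}@{SEED_MAIL_DOMAIN}"}


def attribute(recipient: str):
    """Map a mail recipient back to (licensee, seed domain), or None."""
    m = _ADDR.fullmatch(recipient.strip().lower())
    if not m:
        return None
    for licensee in LICENSEES:
        for domain in SEED_DOMAINS:
            if hmac.compare_digest(seed_tag(licensee, domain), m.group(1)):
                return licensee, domain
    return None  # well-formed but not a tag we issued (guessed or mistyped)


def leak_report(recipients) -> Counter:
    """Count unsolicited mail per licensee whose copy of the seed data leaked."""
    hits = (attribute(r) for r in recipients)
    return Counter(h[0] for h in hits if h)


if __name__ == "__main__":
    # Constructed inbound mail: two messages to seeds served to agreement-0042,
    # one ordinary address, one guessed address that matches no issued tag.
    inbound = [seed_record("agreement-0042", d)["admin_email"] for d in SEED_DOMAINS]
    inbound += ["postmaster@example.com", f"admin-{'0' * 16}@{SEED_MAIL_DOMAIN}"]
    print(leak_report(inbound))
```

Because the tag is keyed, a guessed address cannot implicate an agreement holder, and one holder cannot compute the seeds served to another.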


