ICANN/GNSO
DNSO and GNSO Mailling lists archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [ga] Text Posting of Michael Palage's Comments on Whois Task Force


Let me begin with stipulating that this answer is my personal opnion,
and as such has been cc'd to the TF, but has no bearing whatsoever on
the Whois TaskForce or the consensus opinion of that TF, nor do I speak
for or on behalf of the Task Force.

I too am worried about the privacy ramifications within whois.
I do not doubt the usefullness of the whois, as some, but am sure that
as it was written in the earlier days and was intended, that it is a
good and decent tool.

We seem however to have forgotten that the use of whois was intended not
for marketing, and that the contacts in the whois were there for a
purpose:

Admin / Tech C / had a clear position. I still remember that when I
registered my first domain I was not allowed to be tech contact, that
was host of the machine the domain ran on, as for admin contact, that
was my provider and the only place my name (and that only) showed was
udner "registrant"

No email address. No home phonenumber. No address.

It was simple. The reason for those contacts, in case of a problem they
could contact the appropriate contact.

With dig/host/nslookup & whois we have tools that some of us use for
seroous technical problems, like black-hling or dumpnig IP's that dDoS
an uplink, server or such and in that way prevent the "normal"
operations.

The admin contact made sure he was able to reach me, since I had to pay
him monthly for the honour of hosting my website and dialling in through
them.

Would such still be the case then there would imo be little wrong with
whois, however reality kicks in, there is something wrong.

Long has this been forgotten as a usage, and it has become a database
that is dealt in, that is "mined" by those with a sense for the value of
such a large database and used as a source for scaring the living
daylights out of ppl by the IP lawyers.

It now is something that shows vital data on everyone who has a domain
registered and as such is a very grave breach of privacy laws in lots of
countries, the EU foremost.

None of the so-called arguments for keeping it as it is now fail in my
opinion, but as I said before, such is MY opinion.
As it was it is usefull or can be, the foremost use should be the
tech-contact data.
The IP lawyers argue falsely that there is an emergency on their part in
accessing this information, none of the information gathered that way is
solving a problem if there is a legitimate reason to "shut down" a site
very fast, one needs the host, which can only be found by finding the
nameservers for the domain.

Law enforcement has the same arguing flaws, since real crooks will never
tell the world via a whois who they are, and the "smaller" cases can
easely be solved by consulting with the host of said site, since they
would most likely have data of payments and such and therefore a greater
chance of getting "real" data.

It should still be usefull in it's original form if the data was in
confirmation with that original RFC, however it isn't anymore.

The proposals made by the dot name registry are therefore somewhat
refreshing, and far more based on EU law (UK to be precise) nad far more
protective of the privacy, but again imo not far fetching enough, though
I can understand their difficulty for manouvering between ICANN and the
UK laws.

If the RFC was "adepted" we could surely take one source for "angst"
away from ppl, namely mining, and if ICANN and the registry/registrars
agreed on dropping the clause in which they are to sell their database
we would be near perfection:

A usefull whois, containing the name of the registrant, the contacts for
a "techie" that can intervene in case of problems and an admin who can
forward law-enforcement where needed.

As a whois that would suffice imo. And protect all users from being
spammed to death, though mail-servers take the hardets beating and loads
of bandwidth is stolen by trying to find relay-capable servers.

The report is a work in progress, many things have not yet been
distilled from the information, yet with the right input I still believe
in the TF being able to deliver a very good job in it's final findings.
This of course is also very dependant on the input from all concerned.

Kind regards

Abel Wisman








-----Original Message-----
From: owner-ga-full@dnso.org [mailto:owner-ga-full@dnso.org] On Behalf
Of Karl AuerbacSent: 23 October 2002 07:10
To: Michael D. Palage
Cc: ga@dnso.org
Subject: Re: [ga] Text Posting of Michael Palage's Comments on Whois
Task Force


On Wed, 23 Oct 2002, Michael D. Palage wrote:

I am slowly digesting your comments, which are, as usual, interesting
and enlightening.

Right now I only want to deal with one point:

> .	Some of the Whois Task Force's recommendations explicitly rely
on changes
> to the ICANN Registrar Accreditation Agreement (RAA). Per Louis 
> Touton's note of October 20, 2002, ICANN lacks the contractual 
> authority to unilaterally renegotiate this or other agreements.

Let's not forget the value of comity.

ICANN had no way of forcing Verisign/NSI into the major amendment of
their contract with ICANN, but with the carrot that ICANN offered, the
perpetual control of .com, Verisign was happy to be induced.

What I'm saying is that perhaps there is no unilateral power, but there
is 
value in future comfortable relations.

At the risk of violating ICANN's policy of having comments in the form
of messages tossed over a wall and disappearing from view, please pardon
me if I take this opportunity to post my own comment on the report:

>From karl@CaveBear.com Tue Oct 22 22:58:10 2002
Date: Sun, 20 Oct 2002 14:48:55 -0700 (PDT)
From: Karl Auerbach <karl@CaveBear.com>
To: comments-whois@dnso.org
Subject: Comment on Oct. 14 Interim report


I see nothing in this interim report that answers the primary question
why 
personally identifiable information must be published to the public at 
all.

In other words, the report fails to answer what I believe must be the 
first question: Why is "whois" needed, and by whom?

It is my sense that there is little public value in the existance of a 
publicly available "whois" database.

There are, of course, small groups who find such a database useful and
perhaps even valuable - groups such as marketeers (spammers) and
trademark people who seek to redress perceived violations of their
rights without resorting to the processes that nations have established
for that purpose 
(i.e. the legal system.)

However, the report fails to indicate that the needs of those groups is
of sufficient weight to justify what amounts to a wholesale violation of
privacy principles that amounts to nothing less than an anti-privacy tax
on anyone who wishes to become visible on the internet through the
mechanism of acquiring a domain name.

The report fails to consider privacy protection mechanisms such as the 
following:

  - Requirements that the data subjects (i.e. the people named in whois 
    records) have free and effective means to maintain the data.

  - Requirements that those who examine the records must first identify 
    themselves, offer proof of that identity, and indicate working means

    of contact, in particular a valid e-mail address.

     + To ensure that the contact of the person making the inquiry is 
       valid, the response to the query should be returned by e-mail 
       rather than being made online.

    + Special arrangements might be established for those in operational

      roles (such as people in ISP network operating centers) to have 
      pre-arranged access credentials.

  - That the time, date, and identity of every inquiry be recorded and 
    made available to the data subjects.

  - Requirements that the registries and registrars make no use of the 
    information for any purpose except that for which it was gathered,
the 
    maintainence of the registrant's domain name (including the issuance

    of billing and status statements.)

  - Requirements that registries and registrars take concrete steps
ensure
    that this data is protected by adequate and appropriate security 
    measures.

		--karl--
  





--
This message was passed to you via the ga-full@dnso.org list. Send mail
to majordomo@dnso.org to unsubscribe ("unsubscribe ga-full" in the body
of the message). Archives at http://www.dnso.org/archives.html


--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html




<<< Chronological Index >>>    <<< Thread Index >>>