[gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Rod Rasmussen rrasmussen at infoblox.com
Mon Aug 1 23:42:37 UTC 2016


Here are some thoughts on your primary issues here Ayden.

1) Collection of data necessary for various purposes does not imply that it can or should be fully accessible by all at all times.  In today’s system we already have some operationally necessary data “hidden” in order to provide domain registration services, to wit, payment information.  The existence of privacy/proxy services has come about as a market response to the display issue, and the entire concept of tiered access was proposed to much better deal with various issues, particularly privacy.  So I would point out that a great deal of thought and effort has already occurred towards dealing with this important area.  Our job is to see that through.

2) We have a globally unique namespace that is being allocated using a number of parties but all tied back to the same root (pun intended).  We have rules regulating how this allocation is done, that all members of the ecosystem must respect in order to participate.  One primary purpose of an interconnected system for the *management* of the namespace (not *use* of the namespace which is based in the DNS) is for allowing different 3rd parties to efficiently, fairly, securely, and legally reallocate names amongst each other including “the right to use” (registrant) and the “right to service” (registrar) these names.  The concept of an RDS isn’t an “alternative” system - it is the system.  It is necessary to have a system for doing so in a way that assures that names are properly handled and no participant can either intentionally or through error cause a registrant or registrar to have their rights impeded.  To my knowledge, all management regimes that humans have invented over the years to record rights like these and necessary transactions between parties in changing those rights involve actually recording information on the parties involved.  The current way we have implemented this is fraught with issues as we all know, but I don’t see how you can ever get away from that very basic tenet.  I know that I personally would never trust a system that didn’t record my information in a way that would allow for relatively easy auditing/tracking of my rights to that name so that I could assert my legal rights in case something went wrong.  I’ll also bet that corporations feel a tad bit stronger about that when it comes to an asset that may be worth billions of dollars (like google.com or facebook.com).

Note that tracking and even publicly displaying this kind of information because people *want to* does not necessarily create a requirement that all participants in such a system have to do so as well.  The current “whois” version of the system tends to force that though, and that’s one of the big reasons why we’re here.  However, the reverse of that, which I have heard some argue for, is an unacceptable end state given this basic need of a majority of domain registrants.  What I’m talking about is the desire I’ve heard put out there to build a system where “no” personal information is collected or even allowed to be collected in order to protect the privacy of registrants amongst other things.

That’s why we flesh out these use cases - to see where different purposes, goals, etc. create the need for flexibility, contingencies, and functionality.  Only after you see the system and what it needs to do in its entirety can you fully understand what it needs to be able to do and there are often surprising insights along the way.  Bringing everyone’s particular perspective and uses together allows us to work through that, and realize that while we may have some really important goals to accomplish, there are many other important goals out there as well.  These are all lessons we learned continuously throughout the EWG process - all of us came in with some pre-conceived notion of how we thought the system should “work” only to find out that there were things we didn’t know about that changed that outlook over and over.  The use case process was a good way to get through that quickly, so hopefully this example will give some perspective to those who hadn’t considered this part of the domain management equation in depth.

Cheers,

Rod

> On Aug 1, 2016, at 3:01 PM, Ayden Férdeline <icann at ferdeline.com> wrote:
> 
> Thanks for your comments, Rod.
> 
> That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use” if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc.
> 
> I see where you are coming from here, I just question why privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information.
> 
> If I run with the arguments I've heard in this thread, there are two main reasons for why we need a WHOIS-like service. One is so that if a domain name causes problems (intentionally or otherwise) or has technical issues, there's a point of contact who can be reached. The second argument, the one you have raised, is that there should be some kind of record, like a land title registry, of who owns each domain name. I'll admit I hadn't considered the latter before, and I've been reflecting on the idea over the past few days.
> 
> In Helsinki at our cross-community session, Jordyn Buchanan from Google said we shouldn't include any requirements where there's another, alternative mechanism to achieve the same result in a better way. Applying his suggestion here, there really would seem to be no need to know who owns a domain name, so long as there is a mechanism through which a message can be relayed to the registrant if there is a legitimate need to do so. Do questions of domain name ownership not fall within the remit of whatever contract exists between the registrar and the registrant? One of the data elements I suggested collecting was the name of the registrar. I imagine that most registrars retain the billing information of their active customers, so if they receive some kind of legal action, they have the capacity to pass this along to the billing contact. Likewise, if law enforcement is investigating something, provided due process is followed they may be able to query the billing contact information. However, I remain firmly of the view that such sensitive information should not be free for anyone to query and retrieve.
> 
> Best wishes,
> 
> Ayden