[gnso-rds-pdp-wg] Authorizing specific usages such as warrants or credit checks

Shane Kerr shane at time-travellers.org
Tue Aug 2 19:56:41 UTC 2016


Hello,

I briefly mentioned previously in an e-mail that there was no way to handle
warrants or other court orders via RDAP. Someone on the recent WG
call said that this was covered in RDAP.

I had a quick look through 4 RDAP RFCs (RFC 7480, RFC 7481, RFC
7482, and RFC 7483) and didn't see anything that seemed to match.

Warrant Example
===============
For a warrant, ideally the RDS would support a system like that which
we have in place in every other part of the universe today. That is, if
a court or some other authorized legal authority (this varies widely
per jurisdiction, I know) issues a statement approving a search, then
someone can be forced to turn over information.

So, if the police get a warrant they can go to the company where you
bought airline tickets and find out when and where you traveled. I
think we all agree that this makes sense, although of course the
details can be delightfully complicated.

What I do not see in RDAP is any way for a registry or registrar to be
served a warrant or other equivalent document. It IS possible for the
police to have authorization to view private data, but I don't see any
way for them to ONLY have authorization for this data if it is approved
by a court on a case-by-case basis.

I may have missed this! Please point me in the right direction so I can
have a look at how RDAP proposes handling this. :)

Credit Checks
=============
Another use case that we discussed is possibly similar. In that case
some agency was doing some sort of checks to make sure that a given
applicant was going to be using a domain for an approved purpose. In
order to do this they use the current WHOIS data to do some sanity
checks and look for various patterns that signal fraud.

In my mind, this *could* be similar because it also involves getting
access to private data only for a specific lookup. So, rather than
granting a for-profit, private company access to all private data of
everyone with a domain name, the person who wants a service can
authorize a sort of credit/background check. This check could indeed
give complete access to all records for that person, but in principle
need not give the company access to all data.

Again, I don't think that any of the current technologies support this,
but I am hardly an expert in authentication or authorization systems,
so this sort of thing might be supported today.

Happy Thoughts
==============
I saw/heard on the call the tension between WG members who lean towards
minimal access (privacy advocates, human rights representatives, dirty
hippies like myself) and WG members who lean towards ensuring
responsible use of systems and helping authorities prevent crime and
other abuse (LEA representatives, IP lawyers, and so on).

We didn't delve into it too deeply but I am looking forward to a policy
that balances everyone's needs. I was heartened that everyone was
polite and constructive!

Cheers,

--
Shane