[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

Rob Golding rob.golding at astutium.com
Fri Apr 28 02:47:17 UTC 2017


As to the "twitter" comparison ...

A business/individual _chooses_ what information to be shown on their 
twitter profile (and presumably does so in order for it to be "public"), 
can update it at any time, is able to use parody details should they so 
choose, and can remove/revoke it at any point that they choose to do so 
- whilst there are some similarities, it's not equivalent to whois

> And if someone spent time digitizing every edition of a specific phone
> book, we very easily could have history of phone numbers of those
> listed there.

Use of the UK telephone directory is subject to contract, which 
specifically precludes the storage/distribution of the data, doing 
anything with it in bulk, any use of the data for marketing, etc

Companies that had transcribed it all and were selling it on CDs over 20 
years ago were being fined and in some cases the directors personally 
fined

In more recent times, there are regular and significant fines charged to 
organisations who cold-call numbers in the "phone book" (or however 
obtained) where the owner of that number has not given consent for 
commercial use (or more specifically registered to opt-out)

Selling "harvested" data in the UK can get you a fine of up to 500k. 
Hundreds of such fines are handed out every year.

Commercially using harvested data can also get you fined by the ICO, as 
well as by the regulator for that specific industry, involve the forced 
closure of the business concerned, and lead to prosecution of the 
directors.

For example
https://www.claimsregulation.gov.uk/details.aspx/11168/Zahier_Hussain/
licence revoked, director fined 850k, company banned from access to the 
UK telephone networks
- for "PPI claims marketing" to people who had not given consent to be 
called, on numbers harvested/bought

Organisations are being fined for sending text messages _to their 
existing clients_ if consent has not previously been explicitly obtained 
(and just giving a company your mobile number is NOT consent).

It is illegal to make a sales call to a person on the TPS or a company 
on the CTPS
It is illegal to send sales literature if they're on the MPS
It is illegal to send an unsolicited fax if they're on the FPS

So it's not just use of "personal data", it's "use of data for a purpose 
the data-subject does not approve, prior to its use"

>> Likewise, I cannot go to a website, enter a
>> vehicle’s license plate, and see the owner’s name, address, and
>> phone number.

In the UK you can get the keeper's name and some basic details about the 
vehicle, but it's a chargeable service. There are a number of 'gateways' 
that provide access to the data, and the use is logged, and the owner 
can get the details of the search.

Access to the address information (phone no is not collected and so not 
available) is restricted to specific law-enforcement departments, 
related industries like vehicle insurance (who pay for access), the 
courts etc

So it's multi-level gated access, the cost of access/use is charged to 
the requester (not the data-collector and certainly not the 
data-subject), all queries are logged, and those logs can and are made 
available.

Perhaps something we can use as a model ?

I'd have fewer objections to my data being in an RDS if I got paid 
every time it was looked at, and I could obtain the details of those 
looking at it - equality in transparency !


Rob

