[gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")
John Bambenek
jcb at bambenekconsulting.com
Thu Mar 23 17:02:08 UTC 2017
Take on is a strong way of putting it. Public policy is about balancing of interests. DP authorities know that. So I intend to use my expertise to show them the best way to solve the problem.
I don't expect the entire WG to fall in line. I intend to work with governments directly on that.
> On Mar 23, 2017, at 11:47, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>
> I must say I am overwhelmed by the scope of this task. Can this WG really take on governments and challenge their practices?
> If so, I think I'll need a drink first. (Not really).
>
> Nathalie
>
>
> On Thursday, March 23, 2017 12:21 PM, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
>
>
> Hi,
>
> On Thu, Mar 23, 2017 at 09:08:59AM -0400, allison nixon wrote:
> > The problems have nothing to do with your code, unless your code somehow
> > simulates the cost of bureaucratic overhead of a bunch of
> > already-overworked FBI agents "certifying" tens of thousands of people
> > across the country who just want to get back to work.
>
> I would encourage you to read Scott's messages on this a little more
> carefully, because I don't think that he's claiming he is covering
> those costs. What he is doing is demonstrating that the technology
> for different groups of people to be authenticated by various
> providers is available, already widely deployed in other parts of the
> Internet, and applicable to this case. That technology was heretofore
> unavailable for RDS the way it was for other things, because the
> historic RDS relies on the ancient whois protocol -- a protocol
> designed for a world where it was literally possible to get a list, on
> paper, of every single person who was connected to the Internet.
> (Some people in this effort have reported to me that they still have
> old copies lying around.)
>
> If your argument is instead, "But we don't have to pay the overhead of
> authentication and authorization today, so it should remain that way
> forever," then I think you are going to have to do a better job
> arguing for that position. Because to me it is plainly absurd. The
> world has changed partly because the Internet has changed a great
> deal. Indeed, the very fact that the Internet can be instrumental in
> fraud in ways that it certainly could not have been instrumental in
> 1982 (when RFC 812 was published) suggests to me that appropriate
> authorization and authentication protocols around the RDS ought to
> have been embraced -- by law enforcement and others -- quite a long
> time ago. We ought to be ashamed it has taken us this long, when even
> Google is concerned about leaking this kind of data.
>
> > Also how will the need for historical whois be fulfilled?
>
> This is in part an excellent question because it is not plain that all
> "historical whois" services are actually ok under existing policy.
> But of course, this WG is in a position to specify retention periods
> about data as part of the collection policies that we were working on.
> RDAP could easily work to provide a picture of something at some time
> in the past, assuming that the data is available. Whether the data
> ought to be is a different question, and one we should discuss rather
> than assume. There is a cost to be paid for collecting, keeping, and
> ensuring appropriate authorization in the disclosure of data. The
> existing practices externalize some of those costs onto the
> individuals whose data is being collected. I recognize that it might
> not be convenient to have those costs borne by the people who want
> access, but one of the things markets are good at is allocating
> resources according to how much value something brings. Perhaps if
> people had to endure the costs of their desire for access to the data,
> they would do a better job evaluating the balance of costs versus
> benefits.
>
> > Also, this gated access reminds me of how we treat personal data in the
> > United States.
>
> Speaking as a reluctant citizen of the US, I am sorry to say that US
> personal data protection is no sort of standard worth emulating. I
> believe it is only a matter of time before the legal system catches up
> with the frankly negligent handling of personal data in the US, and
> that the costs of insurance and liability will get to the point where
> corporations will get better at it.
>
> Even the USG has had major breaches of its databases. In my opinion,
> those breaches were made easier because the USG collects too much,
> saves too much, and handles that collected stuff in a way that is too
> convenient to those who like to have all the data hanging around in
> the service of the security state. Peter Wayner's _Translucent
> Databases_ provides an excellent discussion of the general issues, and
> is not too long; it came out in 2002 and was hardly at the cutting
> edge of these discussions even then. I am not sure why the ICANN
> community has taken 15 years to get with the program, but I think this
> WG needs to find a way to do so.
>
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>