[gnso-rds-pdp-wg] Principle on Proportionality for "Thin Data"access

[Sam Lanfranco]

All,

Are we mixing up several issues here? One is the content of and terms of 
access to “thin data”. Another is the evolving sovereign national and 
regional rulings on personal data privacy. Another is abuses of the 
available date to essentially harass domain name holders. Yet another is 
general privacy on the part of the domain name holder. Consider these 
issues in reverse order.

For a domain name holder “thin data” is but one piece of  “bread crumb 
data” (traces found online) associated with that holder within the 
Internet ecosystem. Depending on one’s online presence, modest due 
diligence will produce substantial data about that holder, even though 
no one piece of bread crumb data violates privacy laws. It is impossible 
to prevent such due diligence but there may be scope for policies to 
restrict uses that amount to harassment.

That is the nature of online reality. The three components of accessible 
thin data, privacy legislation, and (equally important) a holder’s 
online presence determine how much of one’s individual persona is 
accessible by online due diligence. There is no way to reduce that 
exposure to zero, short of no engagement in the Internet ecosystem. At 
most there could be warnings much like those for people with peanut 
allergies. Typical wording is: “Warning: this produce may contain 
peanuts”, or “Produced in a facility that also processes peanuts”. 
Possible wording here could read like the warnings in browsers with 
regard to others tracking one’s online behavior.

The issue of abuses, from access and due diligence, should probably be 
treated as a separate issue. There are technical solutions to massive 
data harvesting, and privacy/proxy solutions for individual thin data. 
It is probably wiser to work from treating the catalogue of abuses as a 
policy challenge in its own right.

With respect to the moving target of compliance with national and 
regional privacy laws, the Internet ecosystem is not unlike the natural 
ecosystem. Environmental policies evolve, both as a function of 
perceived environmental problems, and the interplay between the various 
stakeholders. This involves ongoing agency and adjustment by 
environmental stakeholders. Such will be the ongoing situation for 
stakeholders in the DNS system. Recognizing this prevents us from trying 
(and failing) to cast in stone, at any one in time, a definitive 
solution to consistency between practice (ICANN’s and others) and 
evolving national and regional (e.g. EU) privacy policy.

Lastly, the content of and terms of access to thin data remain the core 
of this working groups task here. The working group is probably 98% 
along that path with purposeful thin data and unrestricted access. Doing 
that well, while cognizant of these other issues, is the task at hand. 
Some of these other issues are, by their nature ongoing, and the thin 
data task is to do it in a way that minimizes the complications of 
separately addressing the ongoing challenges of abuse and privacy 
compliance issues.

We are almost there, in terms of our actual remit. Are we overly 
muddying the road we are on with the ongoing challenges of abuse and 
privacy compliance?

Sam Lanfranco (NCSG/NOPC)