<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Take on is a strong way of putting it. Public policy is about balancing of interests. DP authorities know that. So I intend to use my expertise to show them the best way to solve the problem. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">I don't expect the entire WG to fall in line. I intend to work with governments directly on that. <br><br>Sent from my iPhone</div><div><br>On Mar 23, 2017, at 11:47, nathalie coupet via gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>> wrote:<br><br></div><blockquote type="cite"><div><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div dir="ltr"><span>I must say I am overwhelmed by the scope of this task. Can this WG really take on governments and challenge their practices? </span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1490276695442_395935"><span>If so, I think I'll need a drink first. (Not really). </span></div><div></div><div id="yui_3_16_0_ym19_1_1490276695442_395846"> </div><div class="signature" id="yui_3_16_0_ym19_1_1490276695442_395847">Nathalie </div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Thursday, March 23, 2017 12:21 PM, Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a>> wrote:<br></font></div> <br><br> <div class="y_msg_container">Hi,<br clear="none"><br clear="none">On Thu, Mar 23, 2017 at 09:08:59AM -0400, allison nixon wrote:<br clear="none">> The problems have nothing to do with your code, unless your code somehow<br clear="none">> simulates the cost of bureaucratic overhead of a bunch of<br clear="none">> already-overworked FBI agents "certifying" tens of thousands of people<br clear="none">> across the country who just want to get back to work.<br clear="none"><br clear="none">I would encourage you to read Scott's messages on this a little more<br clear="none">carefully, because I don't think that he's claiming he is covering<br clear="none">those costs. What he is doing is demonstrating that the technology<br clear="none">for different groups of people to be authenticated by various<br clear="none">providers is available, already widely deployed in other parts of the<br clear="none">Internet, and applicable to this case. That technology was heretofore<br clear="none">unavailable for RDS the way it was for other things, because the<br clear="none">historic RDS relies on the ancient whois protocol -- a protocol<br clear="none">designed for a world where it was literally possible to get a list, on<br clear="none">paper, of every single person who was connected to the Internet.<br clear="none">(Some people in this effort have reported to me that they still have<br clear="none">old copies lying around.)<br clear="none"><br clear="none">If your argument is instead, "But we don't have to pay the overhead of<br clear="none">authentiction and authorization today, so it should remain that way<br clear="none">forever," then I think you are going to have to do a better job<br clear="none">arguing for that position. Because to me it is plainly absurd. The<br clear="none">world has changed partly because the Internet has changed a great<br clear="none">deal. Indeed, the very fact that the Internet can be instrumental in<br clear="none">fraud in ways that it certainly could not have been instrumental in<br clear="none">1982 (when RFC 812 was published) suggests to me that appropriate<br clear="none">authorization and authentication protocols around the RDS ought to<br clear="none">have been embraced -- by law enforcement and others -- quite a long<br clear="none">time ago. We ought to be ashamed it has taken us this long, when even<br clear="none">Google is concerned about leaking this kind of data.<br clear="none"> <br clear="none">> Also how will the need for historical whois be fulfilled?<br clear="none"><br clear="none">This is in part an excellent question because it is not plain that all<br clear="none">"historical whois" services are actually ok under existing policy.<br clear="none">But of course, this WG is in a position to specify retention periods<br clear="none">about data as part of the collection policies that we were working on.<br clear="none">RDAP could easily work to provide a picture of something at some time<br clear="none">in the past, assuming that the data is available. Whether the data<br clear="none">ought to be is a different question, and one we should discuss rather<br clear="none">than assume. There is a cost to be paid for collecting, keeping, and<br clear="none">ensuring appropriate authorization in the disclosure of data. The<br clear="none">existing practices externalize some of those costs onto the<br clear="none">individuals whose data is being collected. I recognize that it might<br clear="none">not be convenient to have those costs borne by the people who want<br clear="none">access, but one of the things markets are good at is allocating<br clear="none">resources according to how much value something brings. Perhaps if<br clear="none">people had to endure the costs of their desire for access to the data,<br clear="none">they would do a better job evaluating the balance of costs versus<br clear="none">benefits.<br clear="none"><br clear="none">> Also, this gated access reminds me of how we treat personal data in the<br clear="none">> United States.<br clear="none"><br clear="none">Speaking as a reluctant citizen of the US, I am sorry to say that US<br clear="none">personal data protection is no sort of standard worth emulating. I<br clear="none">believe it is only a matter of time before the legal system catches up<br clear="none">with the frankly negligent handling of personal data in the US, and<br clear="none">that the costs of insurance and liability will get to the point where<br clear="none">corporations will get better at it.<br clear="none"><br clear="none">Even the USG has had major breaches of its databases. In my opinion,<br clear="none">those breaches were made easier because the USG it collects too much,<br clear="none">saves too much, and handles that collected stuff in a way that is too<br clear="none">convenient to those who like to have all the data hanging around in<br clear="none">the service of the security state. Peter Wayner's _Translucent<br clear="none">Databases_ provides an excellent discussion of the general issues, and<br clear="none">is not too long; it came out in 2002 and was hardly at the cutting<br clear="none">edge of these discussions even then. I am not sure why the ICANN<br clear="none">community has taken 15 years to get with the program, but I think this<br clear="none">WG needs to find a way to do so.<div class="yqt8226432855" id="yqtfd17252"><br clear="none"><br clear="none">Best regards,<br clear="none"><br clear="none">A<br clear="none"><br clear="none">-- <br clear="none">Andrew Sullivan<br clear="none"><a shape="rect" ymailto="mailto:ajs@anvilwalrusden.com" href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a><br clear="none">_______________________________________________<br clear="none">gnso-rds-pdp-wg mailing list<br clear="none"><a shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br clear="none"><a shape="rect" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br clear="none"></div><br><br></div> </div> </div> </div></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>gnso-rds-pdp-wg mailing list</span><br><span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a></span><br><span><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></div></blockquote></body></html>