<div dir="ltr"><div><br></div><div>There's a huge difference between domains and telephone numbers and I don't think an article dated from 2000 brings relevant points.</div><div><br></div><div>-Domains are not inherently a method of contact</div><div>-Domains are not required to live and function in society</div><div>-Domain whois is a choice</div><div>-The abuse landscape is extremely different</div><div>-Social norms regarding handling spam have drastically shifted in the past decades</div><div><br></div><div>So you as a private person wishing to claim your privacy rights with your domain have a lot of options. If you don't choose to disclose your information in whois, then no one has a right to it. If you do disclose, knowing full well that whois is public, you shouldn't be surprised at the results. The choice is yours. The entitlements you listed(control over sharing, how data is used), on the Internet in 2017, are wholly unenforceable for anything publicly available. The cat is either out of the bag or it isn't. That's just how the Internet works. The world will not stop turning for you if you Tweet your password.</div><div><br></div><div>Additionally, the owners of abusive domains are unlikely to attempt to claim these rights as a private citizen, and this is the area most of us are interested in anyways. </div><div><br></div><div>If we want to talk about ways to prevent abuse of whois data, first of all, the "reverse lookup" and "historical" directories in their current state are unlikely to be involved in abuse at all- quite unlike reverse phone directories. They are far too costly for spamming purposes and wouldn't yield more data than forward lookups and scraping.</div><div><br></div><div>Additionally, and far more importantly, a lot has changed since the year 2003. Norms have shifted. Most importantly, decent spam filtering has been invented. Also, enforcement action is increasingly effective against spam operations and abusers are increasingly seeing jail time. And finally, social norms have shifted and more people understand the concept of privacy via not disclosing.</div><div><br></div><div>So I think we need to look at how the Internet actually works today, not in 2003, and look at today's norms. We also need to look into how user education can prevent nasty surprises from ever happening in the first place, so people don't have any motivation to issue unreasonable demands to somehow claw back public data and force everyone else in the world to delete it. If the copyright police utterly failed to do that with DRM, you're unlikely to succeed with whois data.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 14, 2017 at 11:16 PM, Rob Golding <span dir="ltr"><<a href="mailto:rob.golding@astutium.com" target="_blank">rob.golding@astutium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2017-06-14 22:09, allison nixon wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Alright. I want to discuss the customer education process, because it<br>
does seem to underlie a point of misunderstanding and I want to<br>
understand better:<br>
-Are customers notified that WHOIS data is made public when they buy<br>
domains?<br>
</blockquote>
<br></span>
It doesn't matter whether someone has it explained that this will be 'public' or not - the distribution / storage / control / audit / accountability levels required are simply not in place at the moment.<br>
<br>
"even after personal data are made public, they are still personal and as a consequence the data subjects can not be deprived of the protection they are entitled to as regards the processing of their data."<br>
<a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf" rel="noreferrer" target="_blank">http://ec.europa.eu/justice/da<wbr>ta-protection/article-29/docum<wbr>entation/opinion-recommendatio<wbr>n/files/2003/wp76_en.pdf</a><br>
<br>
I'm a European (for now at least), so put in simple terms, data about me, is mine to ultimately control.<br>
* I am entitled to decide who can have that data<br>
* I am entitled to decide what they can do with it<br>
* I am entitled to decide if and who they can share it with (and those it's shared with gain NO right to further share it) or to decide they can have it and not share it<br>
* I am entitled to determine when the access/view/use of it gets revoked<br>
and so on<br>
<br>
A-N-Other-Party (ANOP) might want / think they need access to my data, but certainly have no _right_ to it.<br>
<br>
ANOP might be granted access to it for a pre-approved stated purpose and subject to contract but ANOP cannot just do what they like with it, ONLY what I specifically permit which is why the A29WP said "filter mechanism should be developed to secure purpose limitation in the interfaces for accessing the directories. "<br>
<br>
There is currently no way I can get a list of everyone who has copied my details from a whois of my domain name (currently) because the whois has no requirement to authenticate the requestors ID and then confirm/restrict/revoke their usage - how can I therefore verify the purpose limitations ?<br>
<br>
Being a directory, is subject to 95/46/EC, means that the data subject has "the right to modify, at every moment and free of charge, his decision to allow each specific data processing." (as well as outlawing the copying of the directory contents, use of the data for unspecified/further processing and much more)<br>
<a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf" rel="noreferrer" target="_blank">http://ec.europa.eu/justice/da<wbr>ta-protection/article-29/docum<wbr>entation/opinion-recommendatio<wbr>n/files/2000/wp33_en.pdf</a><br>
<br>
At the moment I'm not sure how RDS will need to be architected to list the 4 permissible purposes for the data (and effectively police that), for the instance where I as a registrant has chosen to _opt in_ to those I will permit<span class="HOEnZb"><font color="#888888"><br>
<br>
Rob</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">_________________________________<br>Note to self: Pillage BEFORE burning.</div>
</div>