[CPWG] [GTLD-WG] [registration-issues-wg] Next possible move related to GDPR

Thu Sep 6 11:00:49 UTC 2018

Thanks Evan
May I make a practical example.
I am a registrant, as I have several domain names for different purposes.
I am fed up with periodic scam attempts by folks who imply that my registration is about to expire - looking at the fine prints, what they propose is instead to be registered for privileged position in the search engines. In any case, there was only one way for them to get the details of my registration, and that is accessing the WhoIs. And I believe not to be the only one who is targeted by these scams.
I could not care less about how broad is the definition of abuse is, because, like the vast majority of domain names holders, I do not use the web site for illegal purposes. The important thing, to me, is that we have a well-defined rule so that we have predictable behaviour - like in the offline world, where we do know what is legal and what is illegal and we have properly defined authorities who take full responsibility for the law enforcement actions that they perform. In short, I am indeed in favour of registrant accountability - in much the same way I am in favour of accountability in the offline world for all those who can affect others with their actions.
I am therefore all for a tiered access where my personal information can be seen by the folks that are authorised to see it, but only by them. Of course, that needs a definition of the criteria that make a party “authorised” - like the way it happens in the offline world. Moreover, I would like to have the “authorised” parties to be fully accountable for the potential damage they cause by improper use of the information.
Personally, I do not see how this approach would limit the rights of the non-registrant users.
Moreover, I am not only a registrant, but also a user, who is subject to all sort of other scams as any other non-registrant user.
As user, I personally seldom check the WhoIs, and when I do it is because I already suspect that the email I am getting or the options on the web site I am looking are not properly legal. That is, I have first to be aware - or at least suspicious - about the potential problem. In simple words, I do not need to constantly check the WhoIs every time I navigate. Therefore, I am perfectly happy if this WhoIs checking is performed for me by “authorised” parties, I would even consider this as a service, in much the same way I appreciate the law enforcement “services” in the offline world.
In summary, I seriously doubt that there is no compromise solution possible - once we avoid, as you have rightfully pointed out - the “unreasonable” actors.
However, to deal with this matter by predefining lines of principle and using stereotypes for the registrants and the users does not help in reducing the “unreasonableness”.
Just my 2c.
Cheers,
Roberto

On 04.09.2018, at 16:11, Evan Leibovitch <evanleibovitch at gmail.com<mailto:evanleibovitch at gmail.com>> wrote:

Hi Roberto,

As just one example:

Registrants will want the definition of abuse defined as narrowly as possible, to perhaps only activity that is a major crime (ie, a felony in the US) in the country where the domain is registered. This would allow the bad-actor registrants to go location-shopping for the most lax jurisdictions, a practise already clearly in evidence even for registries seeking tax havens.

End-users will want a broader definition that will extend to what is illegal or regulated in the country where the abuse takes place (ie, phishing, election tampering etc) takes place.

Generally registrants will want access to data as minimal and difficult as possible, in ways that will not only fail to curtail current levels of abuse but could inflame them. End users will want broader levels of accountability than registrants want to give, and may want to enable investigations of abuse to be conducted by organisations not strictly defined as law-enforcement (human rights groups, for example).

As I've said, usually the interests of registrants and end users are aligned. We have to be able to deal with those rare-but-real instances where they are not. Yes, compromise is possible, but only if first there is a strong and clear advocate for (and at very least understanding of!) registrant accountability. No other community or constituency except At-Large even has an interest to serve as that advocate, and most other parts of ICANN (most certainly registrants) are already pushing for little or zero accountability.

Cheers,
Evan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20180906/7a1b37bb/attachment.html>