[gnso-rds-pdp-wg] Dangers of public whois

Mark Svancarek marksv at microsoft.com
Fri Feb 10 22:03:39 UTC 2017


I'd say that good privacy practice would assume:

Only collect what you need (not something you "might" need)
Only keep it as long as you need it, discard it as soon as its utility is expired
Only use it for the reason you collected it, don't invent new reasons to use it post facto
Restrict access on a need to know basis, which applies both to human access and machine access

And +1 on most data being "linkable" to other data available elsewhere, thus potentially becoming PII in aggregate.

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of James Galvin
Sent: Thursday, February 9, 2017 2:16 PM
To: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois

I have to say that my beliefs about private data have been evolving for as long as this working group has existed.

One thing I believe now is that asking the question, “What is private/personal/PII data?” is not the best way to approach the problem.

In my opinion, in this world of “big data”, a case could be made that everything is personal information.  This includes the “thin data” we’ve been talking about.  The reality is that doing “reverse lookups” with one or more bits of information can be quite revealing, much more so for folks like Sean Spicer than others perhaps, but nonetheless true.

As Greg A. pointed out later in this thread, different people have different risk profiles and frankly there’s a limit to how much you can protect people from their own ignorance.

In my opinion, our focus should be on what information we need and why, i.e., what is the purpose of the registration data?  We should be taking a minimalist approach, to start, followed by extended discussion about what else we might collect and why?

Although we need to keep in mind access and visibility of information, as Chuck so often reminds us, that’s a separate discussion to be had “next”, in the not too distant future I hope.

Discussions about what is personal data and what is not are distracting.  Let’s assume it all is and move forward from there.  Understanding the “why” of collecting the data will quite naturally drive the discussion of whether or not it needs to be “public” or in some way be subject to “restricted access”.

Jim