[gnso-rds-pdp-wg] Dangers of public whois

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Tue Feb 14 04:35:45 UTC 2017 

I am not quite sure which arguments Alex is labelling obstructive, but I 
feel compelled (at the risk of being called obstructive) to clarify a 
couple of things.  As a non lawyer, I would add.

1. Proportionality is a pretty well known concept in EU law, as is the 
reasonable person test I talked about last week, in common law.  It does 
not mean that by introducing those concepts into the law, we are 
punching a hole in the bottom of the bucket.  It does not mean that all 
a party has to claim is "I need that data"  "I have a business that was 
founded on harvesting that data" or "if I don't get that data my auto 
bots will not be able to send out letters automatically, I will have to 
hire people to do work", and a data commissioner is supposed to fold and 
say "why shucks, you need that data you just go right ahead and take 
it.  Chances are the individuals will never know".  Not saying that 
doesn't happen, of course, humanity being what it is....

2.  We are supposed to be finding out what the right thing to do is.  I 
do not expect anyone on the IP/BC to stop arguing that they need the 
data, (although I do pray for conversions on a biblical scale in my 
private moments) and I will not label you or John Horton or anyone else, 
I hope, obstructive for continuing to insist on the same arguments.  
Happy to have it pointed out if I am getting shrill, sometimes we all 
get short tempered. But repeating the same argument and refusing to fold 
is not obstructive.  (I believe the BC or the IPC even added similar 
language into their comments on the recent draft anti-harassment policy, 
for which I congratulate them.)

3.  As for bread crumb data.  This is a very difficult area.  For those 
of us who are not prepared to give up on privacy, the fact that you can 
find anything about anybody today without their consent, if you know 
where to look and what identifiers to use is not okay. As we move into 
the IOT (following some of Sam's examples) we do get closer to that 
world, and if we dont hurry up it will be hard to have any privacy about 
our most intimate affairs. So privacy advocates (and not just the lone 
nutter volunteering on this group who is speaking at the moment) are 
determined to set limits on bread crumb data. (see the 2014 paper by the 
Art 29, which touches on some of these issues 
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf). 
   Those of us who also administered the access to information acts when 
those acts were in their infancy, heard a lot of earnest argument from 
defence/intelligence/law enforcement agencies that we could not release 
seemingly innocuous crumbs of data lest they contribute to the "mosaic 
effect", whereby a dangerous picture of intelligence gathering/law 
enforcement techniques etc could be deduced from small elements 
released, once combined with others.  Obviously this is true.  The same 
agencies, again quite logically, argued that the same did not apply to 
personal data they needed.  Personally, I find it hard to agree with 
that.  Sadly, in the internet world, individuals are on their own in a 
largely unregulated universe.  They are the victims of "information 
asymmetry", anyone with a life is too busy to be focused on what is 
happening to their personal data.  We are past the point where someone 
can say "caveat emptor, it is up to the individual to read everything 
and find out what is happening to their data." Bread crumb data is 
therefore much more important now than it was when the original deal for 
a wide open WHOIS was hatched.

4.  AS for authentication to get access to thick data, which you have 
pointed out correctly lies ahead of us.....we should not substitute one 
completely insecure open data trove with one with a weak authenticator 
that only stops bots.  You and Scott Hollenbeck and many others would 
know better than I what we need, but given we only tweak this thing 
every 20 years we had better think ahead and make it better than an 
email address.  We need to be able to arrest those who are committing 
fraud to get access to PI, what standard of evidence would that take?

Stephanie Perrin




On 2017-02-13 20:23, Deacon, Alex wrote:
> All,
>
> So it seems the debate has progressed from “thin data” to “thick data” (i.e. data that includes email).  I know we are all super excited to talk about “thick data” but I don’t think we are there yet (are we?  Hopefully I didn’t miss the party…)
>
> Focusing on thin data for the moment I struggle to understand how it is personal data.  I do not believe it is.    As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.
>
> I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws.   Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.
>
> Alex
>
>
> On 2/13/17, 5:42 AM,  <gnso-rds-pdp-wg-bounces at icann.org on behalf of michele at blacknight.com> wrote:
>
>      I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed.
>      
>      Also it’s one of the biggest sources of complaints we get from our clients (registrants)
>      
>      It’s definitely not an “edge case”.
>      
>      Regards
>      
>      Michele
>      
>      
>      --
>      Mr Michele Neylon
>      Blacknight Solutions
>      Hosting, Colocation & Domains
>      https://www.blacknight.com/
>      http://blacknight.blog/
>      Intl. +353 (0) 59  9183072
>      Direct Dial: +353 (0)59 9183090
>      Social: http://mneylon.social
>      Some thoughts: http://ceo.hosting/
>      -------------------------------
>      Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>      Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>      
>      _______________________________________________
>      gnso-rds-pdp-wg mailing list
>      gnso-rds-pdp-wg at icann.org
>      https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170213/efde6624/attachment-0001.html>

More information about the gnso-rds-pdp-wg mailing list