[gnso-rds-pdp-wg] Dangers of public whois

Volker Greimann vgreimann at key-systems.net
Tue Feb 14 14:40:24 UTC 2017


Hi John,

> (...) I'm strongly opposed to requiring email or other registration in 
> order to view thin or thick details. For the reasons outlined below, I 
> think it's antithetical to the open and decentralized nature of the 
> internet, and constitutes a form of internet surveillance.
Is it though? Only for domain names do you have such a database. Other 
services on the open and decentralized internet do not seem to require 
it. For example the ones actually doing the abuse, e.g. users of mail 
and hosting services. Why should a domain name be treated differently 
than any other service that constitutes the internet?
>
> First, putting aside repressive regimes, private networks and edge 
> cases, one of the hallmark principles of the internet is that it's 
> open; you don't have to register or justify your need to access 
> information on the internet. And, it's decentralized. Historically, 
> its open nature has included not only being able to see a website, but 
> also the registration details for the website's domain name. And, 
> whatever governments may do (which isn't the question here), there's 
> no centralized internet surveillance or registration authority for 
> internet users generally.
You do have to justify the publication of private details. And I am 
sorry, but "Legitscript might need it" or even "Legitscript may not need 
this particular set of data but someone else's data" does not cut it as 
far as justifications go.
>
> If we impose a scheme where there is a central organization with the 
> authority to a) require registration and b) centrally control access, 
> and c) (as has been proposed) require the user to provide a reason for 
> their access, that organization then also has the ability to d) make 
> judgment calls about what reasons are valid and which are not and e) 
> maintain data on who accessed what RDS data, for what reason, for how 
> long and why. Note also that at least one version of the EWG report 
> said that f) the organization would be empowered to levy punitive 
> measures against internet users who accessed more data than the RDS 
> deems appropriate.
Sounds good to me. If you want all this data on other people, why are 
you so shy about your own data?
> A journalist (or blogger) is writing an investigative article and 
> wants to find out who is behind a domain name. If we require 
> registration and disclosure of the reason, that in essence creates a 
> situation where the RDS de facto is monitoring that journalist and 
> determining if their basis for conducting the investigation is worthy. 
> It also allows the RDS the ability to monitor the journalist's use of 
> the domain name registration data. This potentially chills free speech.
Does that reporter have a legally enforceable right to access that data? 
Would he have such a right to find out who rents the hosting space at 
hosting provider X?
>
>   * Consider a political activist who wishes to expose corruption by
>     an elected politician and wants to access RDS information to show,
>     for example, conflicts of interests in the politician's business
>     operations. Once the political activist has to disclose who they
>     are, let alone why they are accessing the information, that not
>     only chills legitimate political activism but also potentially
>     opens up a route for government abuse (e.g., if a government
>     agency were able to subpoena the list of who accessed RDS
>     information for which domain names and why).
>
Does that reporter have a legally enforceable right to access that data? 
Would he have such a right to find out who rents the hosting space at 
hosting provider X? Maybe a look at the tax returns of the elected 
politician would be more helpful (Oops, hot topic!)
>
>   * Academic researchers periodically review Whois/RDS data; requiring
>     them to register before reviewing data and disclose why they are
>     doing the research potentially empowers the RDS to monitor
>     academic research and determine its worthiness.
>
Should such research be possible? Does the right to academic freedom 
beat out the right of countless individuals to data privacy?
>
>   * Imagine that a cybercrime network is under investigation (as they
>     are wont to be); requiring law enforcement to register --
>     particularly if there is a log of which domain names they reviewed
>     RDS for -- can potentially compromise the investigation if that
>     information is disclosed. Would registrants have the right to be
>     informed every time that someone registered to review their RDS
>     details?
>
We have not determined that yet. Let's consider that down the road along 
with the question if law enforcement of a particular jurisdiction should 
even be able to access data on a data subject in another jurisdiction. 
If I remember correctly, the legal authority of most law enforcement 
agencies ends at their national border.
> For one central entity to possess that much power over internet users 
> is something that I think we should avoid, and it's antithetical to 
> the principles of openness and decentralization. There are other 
> well-known solutions to spam and inappropriate contacts; forcing all 
> other legitimate activities to grind to a screeching halt -- 
> particular under the umbrella of a surveillance scheme -- is a cure 
> worse than the disease.
Well, I would argue that private data being public as it is now is worse 
than anything you proposed so far.
> -- 

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.


