[gnso-rds-pdp-wg] List topics for this week

allison nixon elsakoo at gmail.com
Thu Jun 15 10:31:19 UTC 2017


There's a huge difference between domains and telephone numbers and I don't
think an article dated from 2000 brings relevant points.

-Domains are not inherently a method of contact
-Domains are not required to live and function in society
-Domain whois is a choice
-The abuse landscape is extremely different
-Social norms regarding handling spam have drastically shifted in the past
decades

So you as a private person wishing to claim your privacy rights with your
domain have a lot of options. If you don't choose to disclose your
information in whois, then no one has a right to it. If you do disclose,
knowing full well that whois is public, you shouldn't be surprised at the
results. The choice is yours. The entitlements you listed (control over
sharing, how data is used), on the Internet in 2017, are wholly
unenforceable for anything publicly available. The cat is either out of the
bag or it isn't. That's just how the Internet works. The world will not
stop turning for you if you Tweet your password.

Additionally, the owners of abusive domains are unlikely to attempt to
claim these rights as a private citizen, and this is the area most of us
are interested in anyways.

If we want to talk about ways to prevent abuse of whois data, first of all,
the "reverse lookup" and "historical" directories in their current state
are unlikely to be involved in abuse at all - quite unlike reverse phone
directories. They are far too costly for spamming purposes and wouldn't
yield more data than forward lookups and scraping.

Additionally, and far more importantly, a lot has changed since the year
2003. Norms have shifted. Most importantly, decent spam filtering has been
invented. Also, enforcement action is increasingly effective against spam
operations and abusers are increasingly seeing jail time. And finally,
social norms have shifted and more people understand the concept of privacy
via not disclosing.

So I think we need to look at how the Internet actually works today, not in
2003, and look at today's norms. We also need to look into how user
education can prevent nasty surprises from ever happening in the first
place, so people don't have any motivation to issue unreasonable demands to
somehow claw back public data and force everyone else in the world to
delete it. If the copyright police utterly failed to do that with DRM,
you're unlikely to succeed with whois data.

On Wed, Jun 14, 2017 at 11:16 PM, Rob Golding <rob.golding at astutium.com>
wrote:

> On 2017-06-14 22:09, allison nixon wrote:
>
>> Alright. I want to discuss the customer education process, because it
>> does seem to underlie a point of misunderstanding and I want to
>> understand better:
>> -Are customers notified that WHOIS data is made public when they buy
>> domains?
>>
>
> It doesn't matter whether someone has it explained that this will be
> 'public' or not - the distribution / storage / control / audit /
> accountability levels required are simply not in place at the moment.
>
> "even after personal data are made public, they are still personal and as
> a consequence the data subjects can not be deprived of the protection they
> are entitled to as regards the processing of their data."
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf
>
> I'm a European (for now at least), so put in simple terms, data about me
> is mine to ultimately control.
> * I am entitled to decide who can have that data
> * I am entitled to decide what they can do with it
> * I am entitled to decide if and who they can share it with (and those
> it's shared with gain NO right to further share it) or to decide they can
> have it and not share it
> * I am entitled to determine when the access/view/use of it gets revoked
> and so on
>
> A-N-Other-Party (ANOP) might want / think they need access to my data, but
> certainly have no _right_ to it.
>
> ANOP might be granted access to it for a pre-approved stated purpose and
> subject to contract but ANOP cannot just do what they like with it, ONLY
> what I specifically permit which is why the A29WP said "filter mechanism
> should be developed to secure purpose limitation in the interfaces for
> accessing the directories."
>
> There is currently no way I can get a list of everyone who has copied my
> details from a whois of my domain name (currently) because the whois has no
> requirement to authenticate the requestors ID and then
> confirm/restrict/revoke their usage - how can I therefore verify the
> purpose limitations?
>
> Being a directory, it is subject to 95/46/EC, which means that the data subject has
> "the right to modify, at every moment and free of charge, his decision to
> allow each specific data processing." (as well as outlawing the copying of
> the directory contents, use of the data for unspecified/further processing
> and much more)
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf
>
> At the moment I'm not sure how RDS will need to be architected to list the
> 4 permissible purposes for the data (and effectively police that), for the
> instance where I as a registrant have chosen to _opt in_ to those I will
> permit
>
> Rob



-- 
_________________________________
Note to self: Pillage BEFORE burning.