[gnso-rds-pdp-wg] List topics for this week

Rob Golding rob.golding at astutium.com
Thu Jun 15 11:39:26 UTC 2017


Hi

> There's a huge difference between domains and telephone numbers

The type of directory is irrelevant to my rights to control my data

> I don't think an article dated from 2000 brings relevant points.

That we've still not brought policy or technology up to almost 20 year 
old legislation just shows how unfit for purpose WHOIS has become

Much of that is because enforcement of existing legislation has been 
lax, but the Snowden issue, repealing of the Data Retention Directive, 
scrapping of Safe-Harbour and a need to toughen up both the rules and 
the enforcement are what's led to the GDPR, which is now in force, and 
next year will be actively enforced.

Multi-million $ fines rather than slap-on-wrists with 20k fines might 
start to change attitudes a bit as the penalties have been inflation 
adjusted, and now the data-subject is also entitled to compensation for 
the unauthorised use of their data - so there will be an "incentive" to 
start suing people

The local supermarket will pay me £44 (appx $60) for my postal address 
[in vouchers, discounts, freebies etc] - that's the "value" of my data 
to one user - if there was suitable recompense to registrants & 
registrars & registries for access to whois data, I'm sure there would 
be less objection to the system!



> -Social norms regarding handling spam have drastically shifted in the
> past decades

Spam is just one of the numerous (ab)uses of the data. I imagine very 
few people have "consented" to spam, even if it was listed as a 
"proposed legitimate use" for which they could actively consent.

> If you don't choose to disclose
> your information in whois, then no one has a right to it

Whether I choose to be listed in a directory (which I don't _really_ have 
much choice over as a registrant of numerous gtlds) or not doesn't 
change that it's *MY* data, nor that most of the (tld dependent) 
"privacy" options now available are relatively new (whois has been there 
for 30 years)

> If you do
> disclose, knowing full well that whois is public, you shouldn't be
> surprised at the results.

And therein lies what I think is the mindset problem, the "results" are 
(legally) ONLY what I give explicit permission for it to be used for, 
any other use is not permitted, and I have the right to revoke that 
permission, free of charge (to me) at any stage.

> The entitlements you listed (control over sharing, how data is used),
> on the Internet in 2017, are wholly unenforceable for anything
> publicly available.

Google pay thousands of times as much as ICANN to lawyers and yet they 
lost over the "right to be forgotten" issue under the older and much 
laxer legislation - so we'll see what is "enforceable"

> If we want to talk about ways to prevent abuse of whois data, first of
> all, the "reverse lookup" and "historical" directories in their
> current state are unlikely to be involved in abuse at all-

The directories themselves would constitute an "abuse" - in the main 
they've breached both law and contract to obtain that data

Maybe we need a definition of what "public" means?
Rob

