[gnso-rds-pdp-wg] List topics for this week

Richard Woodvine icann at richardw.ca
Thu Jun 15 17:30:20 UTC 2017 

Thank you for posting the links to those documents, Rob.  I've spent the
last two months painfully reading posts and trying to catch up on
documents, but was having a very hard time getting my head around the
idea that any country would enact laws that prevent the publishing of
data where the owner of that data has given consent for it to be
published.  Alas, such a law doesn't exist, at least not within the
jurisdiction and context of those documents provided.

The documents are quite clear that such publication can occur, provided
it is restricted to the basic information needed and the original intent
it was collected for.  Further, informed consent must be provided prior
to publication and that consent can be changed or withdrawn at any time
and without charge.

It seems to me the same type of solution is being proposed here,
informed consent, basic data and provision for withdrawing that consent.

What I have trouble getting my head around is the proposal to prohibit
the publication of even basic data.  I live in a free country, as I hope
most of the participants here do and I find it troubling that anyone
would propose that my registrar or ICANN or whomever cannot publish my
data even if I give them permission to do so.  But prohibiting the
existence of a whois database is exactly what that would do.

I'm not sure such arguments are even applicable to the case at hand
since the discussion isn't even about publishing personal identifying
information, but basic public data, referred to as thin data up until
yesterday.

I fail to see how the publication of this basic public data in the cira
whois about one on my domains threatens my personal data in any way:

Domain name: 	  	richardw.ca
Domain name status: 	  	registered
Creation date: 	  	2006/11/03
Expiry date: 	  	2022/11/03
Updated date: 	  	2014/12/13
DNSSEC: 	  	Unsigned
Registrar name: 	  	easyDNS Technologies Inc.
Registrar number: 	  	88
Name servers 	  	
DNS 1 hostname: 	  	dns1.easydns.com
DNS 2 hostname: 		dns2.easydns.net
DNS 3 hostname: 		dns3.easydns.org

The resistance seems to be around the scraping of information and use of
it by third parties for purposes different than what it was collected
for.  That is also the basis of the concerns expressed in the linked
documents regarding for example, services providing reverse lookup of
phone numbers, or advanced searches of telephone books.

That should not be a determining factor in whether a database is
provided, particularly one with no PII, but one with basic public data.
Abuse of the data is a separate matter to be dealt with on its own merits.

Richard


On 2017-06-14 9:16 PM, Rob Golding wrote:
> On 2017-06-14 22:09, allison nixon wrote:
>> Alright. I want to discuss the customer education process, because it
>> does seem to underlie a point of misunderstanding and I want to
>> understand better:
>> -Are customers notified that WHOIS data is made public when they buy
>> domains?
> 
> It doesn't matter whether someone has it explained that this will be
> 'public' or not - the distribution / storage / control / audit /
> accountability levels required are simply not in place at the moment.
> 
> "even after personal data are made public, they are still personal and
> as a consequence the data subjects can not be deprived of the protection
> they are entitled to as regards the processing of their data."
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf
> 
> 
> I'm a European (for now at least), so put in simple terms, data about
> me, is mine to ultimately control.
> * I am entitled to decide who can have that data
> * I am entitled to decide what they can do with it
> * I am entitled to decide if and who they can share it with (and those
> it's shared with gain NO right to further share it) or to decide they
> can have it and not share it
> * I am entitled to determine when the access/view/use of it gets revoked
> and so on
> 
> A-N-Other-Party (ANOP) might want / think they need access to my data,
> but certainly have no _right_ to it.
> 
> ANOP might be granted access to it for a pre-approved stated purpose and
> subject to contract but ANOP cannot just do what they like with it, ONLY
> what I specifically permit which is why the A29WP said "filter mechanism
> should be developed to secure purpose limitation in the interfaces for
> accessing the directories. "
> 
> There is currently no way I can get a list of everyone who has copied my
> details from a whois of my domain name (currently) because the whois has
> no requirement to authenticate the requestors ID and then
> confirm/restrict/revoke their usage - how can I therefore verify the
> purpose limitations ?
> 
> Being a directory, is subject to 95/46/EC, means that the data subject
> has "the right to modify, at every moment and free of charge, his
> decision to allow each specific data processing." (as well as outlawing
> the copying of the directory contents, use of the data for
> unspecified/further processing and much more)
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf
> 
> 
> At the moment I'm not sure how RDS will need to be architected to list
> the 4 permissible purposes for the data (and effectively police that),
> for the instance where I as a registrant has chosen to _opt in_ to those
> I will permit
> 
> Rob
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

More information about the gnso-rds-pdp-wg mailing list