[gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")

Andrew Sullivan ajs at anvilwalrusden.com
Thu Mar 23 16:21:09 UTC 2017


Hi,

On Thu, Mar 23, 2017 at 09:08:59AM -0400, allison nixon wrote:
> The problems have nothing to do with your code, unless your code somehow
> simulates the cost of bureaucratic overhead of a bunch of
> already-overworked FBI agents "certifying" tens of thousands of people
> across the country who just want to get back to work.

I would encourage you to read Scott's messages on this a little more
carefully, because I don't think that he's claiming he is covering
those costs.  What he is doing is demonstrating that the technology
for different groups of people to be authenticated by various
providers is available, already widely deployed in other parts of the
Internet, and applicable to this case.  That technology was heretofore
unavailable for RDS the way it was for other things, because the
historic RDS relies on the ancient whois protocol -- a protocol
designed for a world where it was literally possible to get a list, on
paper, of every single person who was connected to the Internet.
(Some people in this effort have reported to me that they still have
old copies lying around.)

If your argument is instead, "But we don't have to pay the overhead of
authentication and authorization today, so it should remain that way
forever," then I think you are going to have to do a better job
arguing for that position.  Because to me it is plainly absurd.  The
world has changed partly because the Internet has changed a great
deal.  Indeed, the very fact that the Internet can be instrumental in
fraud in ways that it certainly could not have been instrumental in
1982 (when RFC 812 was published) suggests to me that appropriate
authorization and authentication protocols around the RDS ought to
have been embraced -- by law enforcement and others -- quite a long
time ago.  We ought to be ashamed it has taken us this long, when even
Google is concerned about leaking this kind of data.
 
> Also how will the need for historical whois be fulfilled?

This is in part an excellent question because it is not plain that all
"historical whois" services are actually ok under existing policy.
But of course, this WG is in a position to specify retention periods
about data as part of the collection policies that we were working on.
RDAP could easily work to provide a picture of something at some time
in the past, assuming that the data is available.  Whether the data
ought to be is a different question, and one we should discuss rather
than assume.  There is a cost to be paid for collecting, keeping, and
ensuring appropriate authorization in the disclosure of data.  The
existing practices externalize some of those costs onto the
individuals whose data is being collected.  I recognize that it might
not be convenient to have those costs borne by the people who want
access, but one of the things markets are good at is allocating
resources according to how much value something brings.  Perhaps if
people had to endure the costs of their desire for access to the data,
they would do a better job evaluating the balance of costs versus
benefits.

> Also, this gated access reminds me of how we treat personal data in the
> United States.

Speaking as a reluctant citizen of the US, I am sorry to say that US
personal data protection is no sort of standard worth emulating.  I
believe it is only a matter of time before the legal system catches up
with the frankly negligent handling of personal data in the US, and
that the costs of insurance and liability will get to the point where
corporations will get better at it.

Even the USG has had major breaches of its databases.  In my opinion,
those breaches were made easier because the USG collects too much,
saves too much, and handles that collected stuff in a way that is too
convenient to those who like to have all the data hanging around in
the service of the security state.  Peter Wayner's _Translucent
Databases_ provides an excellent discussion of the general issues, and
is not too long; it came out in 2002 and was hardly at the cutting
edge of these discussions even then.  I am not sure why the ICANN
community has taken 15 years to get with the program, but I think this
WG needs to find a way to do so.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com

