[gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")

John Bambenek jcb at bambenekconsulting.com
Thu Mar 23 17:02:08 UTC 2017 

Take on is a strong way of putting it. Public policy is about balancing of interests. DP authorities know that. So I intend to use my expertise to show them the best way to solve the problem. 

I don't expect the entire WG to fall in line. I intend to work with governments directly on that. 

Sent from my iPhone

> On Mar 23, 2017, at 11:47, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
> 
> I must say I am overwhelmed by the scope of this task. Can this WG really take on governments and challenge their practices? 
> If so, I think I'll need a drink first. (Not really). 
>  
> Nathalie 
> 
> 
> On Thursday, March 23, 2017 12:21 PM, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> 
> 
> Hi,
> 
> On Thu, Mar 23, 2017 at 09:08:59AM -0400, allison nixon wrote:
> > The problems have nothing to do with your code, unless your code somehow
> > simulates the cost of bureaucratic overhead of a bunch of
> > already-overworked FBI agents "certifying" tens of thousands of people
> > across the country who just want to get back to work.
> 
> I would encourage you to read Scott's messages on this a little more
> carefully, because I don't think that he's claiming he is covering
> those costs.  What he is doing is demonstrating that the technology
> for different groups of people to be authenticated by various
> providers is available, already widely deployed in other parts of the
> Internet, and applicable to this case.  That technology was heretofore
> unavailable for RDS the way it was for other things, because the
> historic RDS relies on the ancient whois protocol -- a protocol
> designed for a world where it was literally possible to get a list, on
> paper, of every single person who was connected to the Internet.
> (Some people in this effort have reported to me that they still have
> old copies lying around.)
> 
> If your argument is instead, "But we don't have to pay the overhead of
> authentiction and authorization today, so it should remain that way
> forever," then I think you are going to have to do a better job
> arguing for that position.  Because to me it is plainly absurd.  The
> world has changed partly because the Internet has changed a great
> deal.  Indeed, the very fact that the Internet can be instrumental in
> fraud in ways that it certainly could not have been instrumental in
> 1982 (when RFC 812 was published) suggests to me that appropriate
> authorization and authentication protocols around the RDS ought to
> have been embraced -- by law enforcement and others -- quite a long
> time ago.  We ought to be ashamed it has taken us this long, when even
> Google is concerned about leaking this kind of data.
> 
> > Also how will the need for historical whois be fulfilled?
> 
> This is in part an excellent question because it is not plain that all
> "historical whois" services are actually ok under existing policy.
> But of course, this WG is in a position to specify retention periods
> about data as part of the collection policies that we were working on.
> RDAP could easily work to provide a picture of something at some time
> in the past, assuming that the data is available.  Whether the data
> ought to be is a different question, and one we should discuss rather
> than assume.  There is a cost to be paid for collecting, keeping, and
> ensuring appropriate authorization in the disclosure of data.  The
> existing practices externalize some of those costs onto the
> individuals whose data is being collected.  I recognize that it might
> not be convenient to have those costs borne by the people who want
> access, but one of the things markets are good at is allocating
> resources according to how much value something brings.  Perhaps if
> people had to endure the costs of their desire for access to the data,
> they would do a better job evaluating the balance of costs versus
> benefits.
> 
> > Also, this gated access reminds me of how we treat personal data in the
> > United States.
> 
> Speaking as a reluctant citizen of the US, I am sorry to say that US
> personal data protection is no sort of standard worth emulating.  I
> believe it is only a matter of time before the legal system catches up
> with the frankly negligent handling of personal data in the US, and
> that the costs of insurance and liability will get to the point where
> corporations will get better at it.
> 
> Even the USG has had major breaches of its databases.  In my opinion,
> those breaches were made easier because the USG it collects too much,
> saves too much, and handles that collected stuff in a way that is too
> convenient to those who like to have all the data hanging around in
> the service of the security state.  Peter Wayner's _Translucent
> Databases_ provides an excellent discussion of the general issues, and
> is not too long; it came out in 2002 and was hardly at the cutting
> edge of these discussions even then.  I am not sure why the ICANN
> community has taken 15 years to get with the program, but I think this
> WG needs to find a way to do so.
> 
> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> 
> 
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170323/912854aa/attachment-0001.html>

More information about the gnso-rds-pdp-wg mailing list