[registrars] Draft Registrar Submission to TF1

Eric Brunner-Williams in Portland Maine brunner at nic-naa.net
Fri Apr 2 18:42:11 UTC 2004


Lines beginning with "<" are from Paul's draft, lines with ">" from Elana's.

A lot of the changes are cosmetic, and IMHO, changes from foo's to foos'
and so on are the copy-edit task that comes _after_ the substantive edit
cycle is completed. I've deleted those. I've left in those where Paul's
text and Elana's text do differ in substance, at least in my reading.

> The potential rate of mining is a concern not only to the registrants,
> whose sensitive data is taken by miners, but also to registrars,
> for whom this has significant business implications.

What are these "significant business implications"? Are we just talking about
inter-registrar slamming, or repurposing and loss of value to non-registrar
competitors? 

< The whois data is the registrant's data.  It should remain in the control of
---
> Whois data is the registrant's information.  It should remain in the control of

I prefer the data-data form over the data-information form. This could just be
a matter of taste.

< registrants to the registrars and further, to fat registries, and to even
< more distant 4th  and 5th parties, it becomes less and less in the control
< of the registrants.  The registrars should not be obligated to provide whois
< data to any party that can not guarantee that the data will be treated in a
< manner consistent with the policies and legislation under which it was
< collected.  Therefore, any data collected from registrants must remain as
< close as possible to the registrants, at the registrar.  As the whois
< information is passed to these other entities, more access policy-control
---
> registrants to the registrars and further, to "thick" registries, and to even
> more distant (and un-identified) 4th and 5th parties, the registrant loses more and more control.
> As the public has learned more about how their information is abused,
> customers have begun to demand more privacy for their information and to
> object to such loss of control to parties with which they have no
> relationship or contact.
> Customers are not happy about their registrars publishing their sensitive whois
> data because registrars can not guarantee that the "4th and 5th" parties would
> treat the data in a manner consistent with the policies and laws under which it was collected.  
> 
> Requiring registrars to make data available to parties that they can not bind to any
> standards or restrictions flies in the face of registrars' responsibilities to their customers. 
> Registrars are in the untenable position of having to comply with directly contradictory
> requirements - from ICANN, and from their customers and national privacy laws.
> As the whois information is passed to these other entities, more access policy-control

There are a lot more words in Elana's version, but I think the proximity of the
registrant's data to the registrant is stronger in Paul's version, and that
is something I prefer.

< which to mine the data). Because the registrars will always be closer to the
< registrants, and in between the registry and the registrant, the utility of
< a thick registry model should be evaluated.
---
> which to mine the data).  Because the registrars are closer to the
> registrants, their customers,
> registrars are in the best position of protecting their customers' data,
> per the permissions provided by the registrants.
> To protect their customers, registrants strongly advocate for the ability to
> maintain data control. This means the right to display only non-sensitive information to
> the public, while providing appropriate limited access to the sensitive information.
> This also means providing only non-sensitive information at the registry level.
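Review bot: In the replacement text, "To protect their customers, registrants strongly advocate for the ability to maintain data control" looks like a slip for "registrars". The preceding sentence names the registrants as the registrars' customers, so the party protecting "their customers" should be the registrars. Suggest changing "registrants" to "registrars" in that sentence before the wording is compared further.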

Again, more words in Elana's version, and Paul's criticism of the thick model is,
in my opinion, something to retain. As a registrar, I'm not indifferent to the model
of the registry, and prefer "thin" (or skinny) over "thick" (or fat).

< If TF2 determines that sensitive information must be displayed, the
---
> If TF2 determines that sensitive information must be displayed on the Web, the

I wasn't aware that TF2's scope was limited to data delivered via http.

< iii.	Port-43 query rate limiting must be allowed.
< iv.	The identities of the non-public requestors must be known to the
---
> ii.	The identities of the non-public requestors must be known to the

I like the affirmative assertion about some form of whois:43 rate limiting
mechanism in Paul's version.

< communicated to the registrants.
< v.	The requestor must have a defined, valid purpose for each request
---
> communicated to the registrants in appropriate circumstances.
> iii.	The requestor must have a defined, valid purpose for each request

I like the lack of condition about registrant notification in Paul's version.

< vi.	The requestor cannot act as a proxy 
---
> iv.	The requestor cannot act as a proxy 
> c.	Port-43 query rate limiting must be allowed to protect against mining, but the level of the limit must be determined.

The problem with Elana's formulation is that it suggests that there is
one single right answer to the rate limit question.

< Because the result is the same (obtaining the totality, or a large portion,
< of the whois information), the registrars assert that the following are
< identical:
---
> The safe guards established for Port 43 access must be put in place for all analogous access points.
> All of the following access points provide a miner with access to all, or a large portion,
> of the whois database of many registrants' sensitive information.  

I like the affirmative language of Paul's original, "the registrars assert that".
This really is a matter of taste.

In summary, I recommend that Paul's version without Elana's edits is adopted.

Eric


