[TSG-Access-RD] Bulk Data, Bulk Query, WhoWas and Charter scope

Francisco Arias francisco.arias at icann.org
Fri Dec 21 23:19:42 UTC 2018 

I think the question of how requests are going to be reviewed is out of scope for this group. In the spec we have to support both "online/interactive" and manual authorizations as described in questions 2 and 3 in the authentication/authorization section of the key questions of the charter at https://www.icann.org/en/system/files/files/tsg-access-non-public-registration-data-charter-20dec18-en.pdf

As described in the second paragraph of the charter (purpose section) the registry/registrar will only see a request from ICANN. There will be no interaction between the requestor and the registry/registrar.

-- 
Francisco

On 12/21/18, 5:51 AM, "TSG-Access-RD on behalf of Jody Kolker" <tsg-access-rd-bounces at icann.org on behalf of jkolker at godaddy.com> wrote:

    High volume access is an area of concern.  Someone that is eligible to receive data for a particular domain is not automatically eligible to receive data for another domain, and it definitely doesn't make the person eligible to receive data for every domain at a registrar.  How are requests going to be reviewed?  I am not a lawyer, but it appears that manual review of these requests is the only way to protect privacy under the current privacy laws.  
    
    Also, I would like discuss how the registrar/registry is going to be notified who is behind the request?  Will the request for data come from ICANN or from the entity that performed the request at ICANN?  As a registrar, I will want to know whois is requesting the data.
    
    Thanks,
    Jody Kolker
    
    -----Original Message-----
    From: TSG-Access-RD <tsg-access-rd-bounces at icann.org> On Behalf Of Andrew Newton
    Sent: Thursday, December 20, 2018 10:00 AM
    To: Gavin Brown <gavin.brown at centralnic.com>
    Cc: tsg-access-rd at icann.org
    Subject: Re: [TSG-Access-RD] Bulk Data, Bulk Query, WhoWas and Charter scope
    
    On Thu, Dec 20, 2018 at 7:52 AM Gavin Brown <gavin.brown at centralnic.com> wrote:
    >
    > +1 as well.
    >
    > I'd like to clarify what I said on Tuesday's call about "bulk" access. 
    > I was referring to the common practice of obtaining registration data 
    > in bulk by performing large quantities of whois/RDAP queries using a 
    > list of domains (obtained from the CZDS, passive DNS or elsewhere) as 
    > an index. Such activity is annoying from an operator point of view but 
    > can have legitimate uses (abuse analysis and research) as as well as 
    > malicious (spam, ID theft, phishing, slamming, etc) uses.
    >
    > Perhaps "high volume access" would be a better term to describe this 
    > than "bulk access"?
    >
    > A third party with a legitimate need for "high volume" access would 
    > need to be able to obtain pre-authorisation for a large number of 
    > queries for non-public data, rather than have each query separately authorised.
    >
    > Or do we feel that "high volume" access is out of scope and should be 
    > dealt with via some out-of-band solution?
    
    I don't think supporting this is onerous, but one of the requirements was that "each" query by authorized.
    
    Perhaps we can offer it as an option.
    
    -andy

More information about the TSG-Access-RD mailing list