[TSG-Access-RD] Bulk Data, Bulk Query, WhoWas and Charter scope
Francisco Arias
francisco.arias at icann.org
Fri Dec 21 23:19:42 UTC 2018
I think the question of how requests are going to be reviewed is out of scope for this group. In the spec we have to support both "online/interactive" and manual authorizations as described in questions 2 and 3 in the authentication/authorization section of the key questions of the charter at https://www.icann.org/en/system/files/files/tsg-access-non-public-registration-data-charter-20dec18-en.pdf
As described in the second paragraph of the charter (purpose section) the registry/registrar will only see a request from ICANN. There will be no interaction between the requestor and the registry/registrar.
--
Francisco
On 12/21/18, 5:51 AM, "TSG-Access-RD on behalf of Jody Kolker" <tsg-access-rd-bounces at icann.org on behalf of jkolker at godaddy.com> wrote:
High volume access is an area of concern. Someone that is eligible to receive data for a particular domain is not automatically eligible to receive data for another domain, and it definitely doesn't make the person eligible to receive data for every domain at a registrar. How are requests going to be reviewed? I am not a lawyer, but it appears that manual review of these requests is the only way to protect privacy under the current privacy laws.
Also, I would like discuss how the registrar/registry is going to be notified who is behind the request? Will the request for data come from ICANN or from the entity that performed the request at ICANN? As a registrar, I will want to know whois is requesting the data.
Thanks,
Jody Kolker
-----Original Message-----
From: TSG-Access-RD <tsg-access-rd-bounces at icann.org> On Behalf Of Andrew Newton
Sent: Thursday, December 20, 2018 10:00 AM
To: Gavin Brown <gavin.brown at centralnic.com>
Cc: tsg-access-rd at icann.org
Subject: Re: [TSG-Access-RD] Bulk Data, Bulk Query, WhoWas and Charter scope
On Thu, Dec 20, 2018 at 7:52 AM Gavin Brown <gavin.brown at centralnic.com> wrote:
>
> +1 as well.
>
> I'd like to clarify what I said on Tuesday's call about "bulk" access.
> I was referring to the common practice of obtaining registration data
> in bulk by performing large quantities of whois/RDAP queries using a
> list of domains (obtained from the CZDS, passive DNS or elsewhere) as
> an index. Such activity is annoying from an operator point of view but
> can have legitimate uses (abuse analysis and research) as as well as
> malicious (spam, ID theft, phishing, slamming, etc) uses.
>
> Perhaps "high volume access" would be a better term to describe this
> than "bulk access"?
>
> A third party with a legitimate need for "high volume" access would
> need to be able to obtain pre-authorisation for a large number of
> queries for non-public data, rather than have each query separately authorised.
>
> Or do we feel that "high volume" access is out of scope and should be
> dealt with via some out-of-band solution?
I don't think supporting this is onerous, but one of the requirements was that "each" query by authorized.
Perhaps we can offer it as an option.
-andy
More information about the TSG-Access-RD
mailing list