[gnso-thickwhoispdp-wg] Thick Whois and Privacy

[Alan Greenberg <alan.greenberg@xxxxxxxxx>]

I have largely stayed out of this debate, but this week's meeting 
conflicts with the ALAC monthly meeting (as it does every month), and 
I will not be able to attend, so I will make a few comments here.
My overwhelming reaction to all this is extreme disappointment. The 
draft report was published, we solicited comments for over six weeks. 
Unless I have missed something, NONE of the people now advocating a 
new recommendation and potentially a delay in the implementation of 
the PDP main (and until this discussion only) recommendation. There 
was one comment on the movement of date across jurisdictional 
boundaries, and I believe that all of those who participated in the 
review of comments (and implicitly all on the WG mailing list) agreed 
on the WG reply, which did not include adding new recommendations.
Now this has suddenly blown up, with quite a number of the both 
active and passive WG members requiring a new direction to allow for 
their support.
Everyone agrees that there are privacy issues with Whois (or whatever 
we name it next go-around). We spent a lot of time discussing whether 
there was an issue with the thin-to-thick transition, and no one 
could present a single example of exactly how such a problem would 
play out. This issue was not actual occurrences, just a request for a 
theoretical example.
As has been pointed out, there have been cases where REGISTRIES 
needed exemptions to satisfy privacy issues and those have been 
granted. The new RAA makes it explicitly clear that REGISTRARS could 
ask for exemptions if they could demonstrate a need (no longer 
requiring actual prosecution or the threat of prosecution). To date, 
no registrars had identified a thick registry as being problematic, 
not did the RrSG indicate a problem.
And all registrants in thin registries have agreed to allow their 
data to move across jurisdictional boundaries. And in fact, some 
Whois data already does just that when it is escrowed.
From a practical point of view (and I understand that laws may not 
consider this), all of the data we are talking about is publicly 
available and will continue to be so. DomainTools, a US-based 
company, and no doubt others cache all of this as well as historical 
data. And under the older RAAs, registrars were required to sell 
their Whois data if someone wanted it.
I appreciate that there are people who despite the lack of specific 
concrete or theoretical cases of problems, are uneasy with the 
change. But as people regularly remind us, we are supposed to be 
setting fact-based policy. In this case, a good theoretical scenario 
might suffice, but I have yet to hear one.
I do note that we are about to embark on a PDP on privacy and proxy 
providers, and there will doubtless be substantive privacy issues 
discussed there.
I strongly support making sure that as we make substantive changes to 
Whois (and its replacements), that we understand all issues related 
to privacy. But in the absence of specific issues related to the 
transition from thick to thin, I do not believe that we should be 
delaying the transition that we have been working on and that had 
such strong support until very recently.
Alan