[gnso-whois-wg] today's call -- clarifications
- To: gnso-whois-wg@xxxxxxxxx
- Subject: [gnso-whois-wg] today's call -- clarifications
- From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
- Date: Wed, 1 Aug 2007 15:22:10 -0700
Sorry I didn't get all of these comments in today. The live format doesn't
always allow for complete comprehensiveness, given the dynamic real-time
flow of conversation.
With regard to authentication (section 6):
* If indeed we interpret the consultant's statement as being indeterminate
as to whether third-party authentication *can be* properly executed (he
said he was "not confident that there *is* an organization" that can do it
-- emphasis added), then we certainly should not remove it from
consideration in our policy recommendations. If his statement is
interpreted as having any implication that third-party authentication
*cannot be* done, his own report contradicts that interpretation. The
report needs to clarify this, as it is easy to "misread" it.
I still object to any implication that only pre-existing implementation
options for third-party authentication should be considered. We should
retain this option along with any consideration of self-declaration.
Specifically with respect to line 516: I am increasingly finding the word
"practical" to be ambiguous. If what is meant is "tangible" and/or
"detailed" then I see no reason that this should prevent us from retaining
authentication by a third party as an option. If however the implication
is that third-party authentication is itself "impractical" then I would
take issue with that statement directly. The examples in the consultant's
report seem to contradict this implication outright.
* I'm sorry we didn't hear from Pat Cain who was on the call, as he had a
lot to say in San Juan. His presentation (authored by Rod Rasmussen) can
still be found at:
http://sanjuan2007.icann.org/files/sanjuan/APWGOverviewPresentationICANNJune2007.pdf
I encourage people to look at page 16, where APWG discusses best practices
in the context of .asia Domain Suspension Initiative, and there is the
suggestion of an "APWG accredited takedown entity" in the upper-left box.
This is in the context of accrediting private agents. I reiterate that we
probably need to distinguish between authentication methods for LEAs versus
other private entities.
* Our USG GAC representative suggested that the USG had discussed
third-party authentication possibilities with some sort of negative
outcome, but without any details as to who or what was involved in those
discussions it's impossible to evaluate the interpretation voiced in
summary, just as the summary in our consultant's report did not necessarily
concur in detail with the facts laid out in the report, depending on
interpretation. We do know that the USG is not disinterested in this
matter, so I think we need an independent confirmation of anything that is
summarized with regard to any factual analysis by USG. If these results
are published anywhere, we should see them. If not, we should interpret
such statements with caution.
With regard to self-declaration (section 6):
* It was suggested that we limit this to "effective" methods of challenges
to self-declaration. Rhetorically this is marginally adequate, but only
because it really just passes the buck to another term. We have not
determined well-defined criteria for "effectiveness" and in order to make
this recommendation meaningful we must define the criteria of effectiveness.
I can assure you that I and others have very high standards of
"effectiveness" for any self-declaration method of "authentication" when it
comes to defining standing to get access to private personal data, because
if a mistake is made (a bad actor engages in fraud in order to get
undeserved access to the data) the damage cannot be undone after the data
are already acquired -- this action cannot be undone if there is a mistake,
and post-facto punishments cannot deter the original transgression.
I cannot accept a recommendation of self-declaration without defining
"effective" in some detail, with the default that ineffectiveness must be
assumed in this context unless and until effectiveness can be demonstrated.
Any effective challenge procedure must be quick and cheap, and must
pro-actively notify those who might make challenges that self-declarations
by others have been made as to claims of standing to access private
personal data such that challenges can be made on a timely basis,
especially if access is to be given on a timely basis -- the challenge has
to be quick enough to prevent access in the event that the challenge is
justified.
I think it will be extremely difficult to define criteria that make
challenge procedures truly "effective" in this context, and I would not
assume that we will find them. Accordingly I suggest that we not rely upon
self-declaration as a feasible method of authentication for access at this
time.
With regard to certification of Requesters (to Reveal by OPoC or Registrar):
* Any Requester of private data should be subject to the same
authentication of standing that Accessors are subject to, and subject to
effective punishments for misuse of data. Deterrence must be significant
to be effective. Prior due process is generally more effective than
post-facto punishment.
I'll look forward to seeing draft 1.6, and I hope it indeed reflects the
full range of comments and diversity of opinion on the matters at hand.
Sorry to say, my impression overall is that our areas of genuine consensus
are rather moderate, and we should not overstate the levels of agreement.
This has been a difficult exercise, and I'm not sure that it demonstrates
that a "consensus policy process" can be achieved "on demand" in all cases.
More likely this is a demonstration that consensus can and will often be
systematically elusive, especially where the issues being considered are
intrinsically problematic in political (not just technical) terms. It is
clear to me in retrospect that this process has been rife with political
undertones, all explicit efforts to avoid politics notwithstanding.
I think we should be honest in concluding that if this WG was intended to
get "past" politics (and leading up to San Juan there were some indications
that this WG was being looked at favorably in that respect), it now appears
that it has substantially failed in that regard. (There is still some
uncertainty as to how much it failed, depending on what the final report
looks like.)
While this WG may not include "minority reports" one should bear in mind
that when this recommendation returns to GNSO Council for evaluation, many
minority reports are probably to be expected surrounding many aspects of
this WG's results in case it is considered for sending on to the Board. I
suspect, though, that there is a strong chance that GNSO's collective
opinion on Whois privacy policy will not be deemed ready for the Board in
the foreseeable future.
Dan