On Mon, 24 Feb 2003 08:18:44 +0100, you wrote:
>The WHOIS Task Force is going to hold a brain-storming session on
>WHOIS privacy tomorrow afternoon (European time), in preparation for
>its privacy issues report. If there are any specific issues you
>want me to raise there, or any documents the Task Force should be
>aware of, please let me know.

1) they should get an interpretation from a skilled European lawyer
(and perhaps even an official statement from the EU) on requirements
and applicability to WHOIS of the EU privacy law.
2) in the meantime, they should get a quick understanding of it for
themselves (perhaps we can make a summary?)
3) as a consequence of 1 and 2, they should understand the principle
(which is obvious for us in Europe, but I guess not obvious in the US)
that it is the customer, not the service supplier, who decides which
personal data can be made public and with which allowed usages, except
for those data which are strictly necessary to provide the service
which is the scope of the contract/sale.
4) someone from the TF should liaise with the IETF because they are
standardizing the EPP and "WHOIS-2" protocols and any policy won't be
practically implementable if these protocols don't contain the
necessary tools. I have been subscribing to these two IETF groups in
the last weeks, and while the WHOIS-2 group is fine (they even
accepted my rewriting of a few paragraphs of the RFC to add
specifications about data protection) there's quite a controversy in
the EPP group. Basically, the IESG told the EPP group "you need to
have mechanisms to specify data protection requirements at a granular
level or we won't approve your draft", and the group (mostly made up of
registry/registrar people) did not react very well, using points such
as "privacy is something not well defined" and "registries could
always implement privacy as a non-standard extension to the protocol"
to refuse to do the job. The latter argument is particularly worrying,
because it is technically true, but if the protocol does not have a
standard way of saying "do not disclose this data field for this
user", most registries won't bother to do the work to add it, or will
do it in a non-standard, non-interoperable way.
--
vb. [Vittorio Bertola - vb [at] bertola.eu.org]<---
-------------------> http://bertola.eu.org/ <-----------------------