ICANN ICANN Email List Archives

[At-Large Advisory Committee]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [alac] WHOIS TF: Brainstorming on privacy.

  • To: Vittorio Bertola <vb@xxxxxxxxxxxxxx>
  • Subject: Re: [alac] WHOIS TF: Brainstorming on privacy.
  • From: Esther Dyson <edyson@xxxxxxxxxxxxx>
  • Date: Mon, 24 Feb 2003 07:23:51 -0500

Vittorio -

actually, in many cases, in Europe, the balance is too far *against* data collection, and the customer does not get enough flexibility even if he would *like* to be treated as an individual with specific requirements (but never mind!). And in the US, it is indeed too often the company that decides, and the user does not get enough flexibility... and in the rest of the world...

Whatever, it would be good if the customer *could* decide, but remember that the customer (A) may also have customer (B), and customer B wants to know whom he is dealing with when he interacts with A.

As you note below, granularity is good and should be built in, whatever policies might be built around it later.

Esther


At 04:04 AM 2/24/2003, Vittorio Bertola wrote:
On Mon, 24 Feb 2003 08:18:44 +0100, you wrote:

>The WHOIS Task Force is going to hold a brain-storming session on
>WHOIS privacy tomorrow afternoon (European time), in preparation of
>its privacy issues report.  If there are any specific issues you
>want me to raise there, or any documents the Task Force should be
>aware of, please let me know.

1) they should get an interpretation from a skilled European lawyer
(and perhaps even an official statement from the EU) on requirements
and applicability to WHOIS of the EU privacy law.

2) in the meantime, they should get a quick understanding of it for
themselves (perhaps we can make a summary?)

3) as a consequence of 1 and 2, they should understand the principle
(which is obvious for us in Europe, but I guess not obvious in the US)
that it is the customer, not the service supplier, who decides which
personal data can be made public and with which allowed usages, except
for those data which are strictly necessary to provide the service
which is the scope of the contract/sale.

4) someone from the TF should liaise with the IETF because they are
standardizing the EPP and "WHOIS-2" protocols and any policy won't be
practically implementable if these protocols don't contain the
necessary tools. I have been subscribing to these two IETF groups in
the last weeks, and while the WHOIS-2 group is fine (they even
accepted my rewriting of a few paragraphs of the RFC to add
specifications about data protection) there's quite a controversy in
the EPP group. Basically, the IESG told the EPP group "you need to
have mechanisms to specify data protection requirements at a granular
level or we won't approve your draft", and the group (mostly made by
registry/registrar people) did not react very well, using points such
as "privacy is something not well defined" and "registries could
always implement privacy as a non-standard extension to the protocol"
to refuse to do the job. The latter argument is particularly worrying,
because it is technically true, but if the protocol does not have a
standard way of saying "do not disclose this data field for this
user", most registries won't bother to do the work to add it, or will
do it in a non-standard non-interoperable way.
--
vb.                  [Vittorio Bertola - vb [at] bertola.eu.org]<---
-------------------> http://bertola.eu.org/ <-----------------------



Esther Dyson Always make new mistakes! chairman, EDventure Holdings writer, Release 3.0 (on Website below) edyson@xxxxxxxxxxxxx 1 (212) 924-8800 -- fax 1 (212) 924-0240 104 Fifth Avenue (between 15th and 16th Streets; 20th floor) New York, NY 10011 USA http://www.edventure.com

The conversation continues..... at
http://www.edventure.com/conversation/

PC Forum 2003 - March 23 to 25, Phoenix
Who? what? where? Data comes alive!






<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy