Re: [alac] WHOIS TF: Brainstorming on privacy.

[Esther Dyson <edyson@xxxxxxxxxxxxx>]

Vittorio -

actually, in many cases, in Europe, the balance is too far *against* data 
collection, and the customer does not get enough flexibility even if he 
would *like* to be treated as an individual with specific 
requirements  (but never mind!).  And in the US, it is indeed too often the 
company that decides, and the user does not get enough flexibility... and 
in the rest of the world...

Whatever, it would be good if the customer *could* decide, but remember 
that the customer (A) may also have customer (B), and customer B wants to 
know whom he is dealing with when he interacts with A.

As you note below, granularity is good and should be built in, whatever 
policies might be built around it later.

Esther


At 04:04 AM 2/24/2003, Vittorio Bertola wrote:
> On Mon, 24 Feb 2003 08:18:44 +0100, you wrote:
>
> >The WHOIS Task Force is going to hold a brain-storming session on
> >WHOIS privacy tomorrow afternoon (European time), in preparation of
> >its privacy issues report.  If there are any specific issues you
> >want me to raise there, or any documents the Task Force should be
> >aware of, please let me know.
>
> 1) they should get an interpretation from a skilled European lawyer
> (and perhaps even an official statement from the EU) on requirements
> and applicability to WHOIS of the EU privacy law.
>
> 2) in the meantime, they should get a quick understanding of it for
> themselves (perhaps we can make a summary?)
>
> 3) as a consequence of 1 and 2, they should understand the principle
> (which is obvious for us in Europe, but I guess not obvious in the US)
> that it is the customer, not the service supplier, who decides which
> personal data can be made public and with which allowed usages, except
> for those data which are strictly necessary to provide the service
> which is the scope of the contract/sale.
>
> 4) someone from the TF should liaise with the IETF because they are
> standardizing the EPP and "WHOIS-2" protocols and any policy won't be
> practically implementable if these protocols don't contain the
> necessary tools. I have been subscribing to these two IETF groups in
> the last weeks, and while the WHOIS-2 group is fine (they even
> accepted my rewriting of a few paragraphs of the RFC to add
> specifications about data protection) there's quite a controversy in
> the EPP group. Basically, the IESG told the EPP group "you need to
> have mechanisms to specify data protection requirements at a granular
> level or we won't approve your draft", and the group (mostly made by
> registry/registrar people) did not react very well, using points such
> as "privacy is something not well defined" and "registries could
> always implement privacy as a non-standard extension to the protocol"
> to refuse to do the job. The latter argument is particularly worrying,
> because it is technically true, but if the protocol does not have a
> standard way of saying "do not disclose this data field for this
> user", most registries won't bother to do the work to add it, or will
> do it in a non-standard non-interoperable way.
> --
> vb.                  [Vittorio Bertola - vb [at] bertola.eu.org]<---
> -------------------> http://bertola.eu.org/ <-----------------------



Esther Dyson                    Always make new mistakes!
chairman, EDventure Holdings
writer, Release 3.0 (on Website below)
edyson@xxxxxxxxxxxxx
1 (212) 924-8800    --   fax  1 (212) 924-0240
104 Fifth Avenue (between 15th and 16th Streets; 20th floor)
New York, NY 10011 USA
http://www.edventure.com

The conversation continues..... at
http://www.edventure.com/conversation/

PC Forum 2003 - March 23 to 25, Phoenix
Who? what? where? Data comes alive!