Re: [alac] Various

[Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>]

On 2003-06-18 17:20:15 -0300, Sebastian Ricciardi wrote:

> As you all might know - specially those of you who are subscribed
> the WHOIS list hosted by Tucows - there is an interesting
> discussion on WHOIS. Reading the discussion and after a few days
> of studying the subject, I think that we may want to submit a
> stronger statement regarding user's privacy than the one we
> already sent. Wendy, Esther, Thomas & Vittorio: do you feel that
> the discussion is heading to the right way ? Aren't you concern
> about ideas given such as paying a fee for improved privacy? 
> What are your thoughts regarding Montreal Meeting ?

One aspect which is only appearing marginally in the present
whois-coordination discussions, but will receive quite a bit of
attention in Montreal -- in particular at the workshop -- and
probably also afterwards, is registrar compliance with national law:
A number of large registrars (Schlund.de, e.g., is one of the top 10
registrars) are located in the European Union, and are essentially
faced with the choice to either comply with applicable law, or to
comply with the RAA's whois rules; Canadian and Australian
registrars are in a similar situation.

Privacy commissioners throughout Europe are getting aware of this
situation, and start to make noises about compliance and enforcement
-- see, e.g., Sven Mörs' messages to the whois-coordination list,
his comments on the conference call, and the article 29 working
party opinion he forwarded.  (This working party consists of the EU
member states' national privacy commissioners; it's a high-level
body.  See
<http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm>.)


In other words, there is considerable regulatory pressure in favor
of a pro-privacy change to WHOIS policy, and against the "extended
searchability" changes which are being advocated by, e.g., IP
interests -- implementing these would be plainly illegal in Europe.

What's completely open at this point is whether or not WHOIS policy
will be opened up for local variations (i.e., different WHOIS
policies could apply for registrars who have applicable privacy
laws, e.g. in Latin America, Europe, Canada, Australia on the one
hand, and American registrars on the other), or if we are going to
have a more privacy-friendly policy globally.  The details of these
policies will require a lot of work and negotiation.


Practically, what could happen in the next couple of months or maybe
the next year?

- The RAA's bulk access provisions could be removed or at least
  castrated -- they are plainly illegal here, and not being enforced
  globally any more.

- We won't see an implementation of extended search services like
  Afilias' xWHOIS service (proposed for .org and .info) -- DOA.

- We'll probably see a lot of discussion (and maybe even a policy)
  about tiered access to WHOIS databases.  These schemes will have
  one set of "non-sensitive" data for the general public, and
  privileged access modes to more data for legitimate data users,
  including IP and law enforcement.

- We'll see a lot of discussion about audit trails -- another legal
  requirement here: WHOIS data users will have to identify
  themselves and the purposes why they want to use the data; their
  identity and the purpose will be made available to registrants.

- We'll also start to see some interesting discussions about thick
  registry WHOIS services which create their own set of even more
  ugly compliance problems.

(That's all "unless something unexpected happens and radically
changes the landscape".)


What we could do is to air some concerns about the current WHOIS
policy's privacy implications.  We could, e.g., talk about the risks
publicly available WHOIS might pose to average registrants; about
the effects of anonymity and speaker identification on free speech;
and about users' expectations which are created by their usual legal
environment, and should be respected by the domain name registration
system.

I don't think that we should commit to any particular policy
proposal or a "formal position" at this point.


Regards,
-- 
Thomas Roessler                   <roessler (at) does-not-exist.org>