[dow1tf] Fwd: [dow2tf] Notification, Accountability, and Balance

["Milton Mueller" <mueller@xxxxxxx>]

I am forwarding Thomas Roessler's excellent
post to TF 2 to this TF 1 list. It follows up on 
the discussions we had Tuesday (May 4) about 
certification, notification, etc. 

Basically it articulates a reciprocity principle that 
provides a sound basis for any compromise proposal
acceptable to all constituencies. 

We in NCUC consider recprocal accountability
to be a requirement that we can't back down on.
Please keep it in mind as we go forward. 

--MM

--- Begin Message ---

• To: dow2tf@xxxxxxxxxxxxxx
• Subject: [dow2tf] Notification, Accountability, and Balance
• From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
• Date: Thu, 6 May 2004 11:36:11 +0200
• Mail-followup-to: dow2tf@xxxxxxxxxxxxxx
• Sender: owner-dow2tf@xxxxxxxxxxxxxx
• User-agent: Mutt/1.5.6i

I'd like to briefly follow up to some of yesterday's discussion
about the proposed notification of domain name holders when their
tier-2 data is queried.  Let me state at the outset that I'm not
discussing the special case that the data user has a specific
contractual or legal authorization to access the data -- transfers,
law enforcement with appropriate legal authorization, dispute
resolution providers, ...


Anyway, back to tiered access.

Domain name holders (the good guys and the bad guys alike) at this
point have to make their personal information available to everybody
-- enabling others to hold them accountable for their activities
online.  Many of us have deep concerns with this.  We have heared
about free speech and the right to anonymity (which could be phrased
as a right not to be held accountable for protected speech, and as a
prohibition of architectures that enable such accountability), and
we have heared about the risks to the good guys who don't do
anything they need to be held accountable for.  We have heared about
concerns about compliance with privacy laws where these exist.  

One could argue that at least some of these concerns could be
addressed by limiting access to WHOIS data to "just the good guys"
among the data users.  Maggie yesterday suggested that this was
actually the purpose of a tiered access model.


The model that's on the table is much more humble: The suggestion 
is *not* that only "good guys" get access to tier-2 WHOIS data.

(It's also not just the "good guys" who get access to domain name
registrations, by the way.  The reasons are similar in both cases.)

The suggestion is, instead, that anyone gets access to these data
who is willing to be held accountable for their use of the data.
It's, essentially, the same deal as with domain name registrations:
You can't get a domain name without enabling accountability.
According to the model on the table, you can't get access to domain
name holder information without enabling accountability.


I understand (and share) the concerns data users may have about this
approach.  To a large degree, they mirror the concerns about
registrant privacy.

The proposal is that registrant data continue to be widely available
despite many of these concerns -- why shouldn't data users'
identities then be available to registrants, despite concerns?


Finally, one could ask: Why can't registrars be the enforcers here?
Why isn't it enough when just registrars know who is querying the
data for what purpose?

This question, too, has a sibling on the other side of the mirror:
Why isn't it enough when just registrars know who is registering a
domain name?  What is the reason, again, why we have WHOIS?


Regards,
-- 
Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>
At-Large Advisory Committee: http://alac.info/

--- End Message ---