Re: [dow1tf] Against a Whois "White List"

["Antonio Harris" <harris@xxxxxxxxxxxxx>]

I would make the following comments on Milton's proposal:

1) As per the ISPCP statement - "In light of small and regional ISPs'
reliance on Port 43 access, the ISPCP Constituency believes its use ought to
be preserved at this time. However, its use should be strictly limited for
non-technical means such as rate limiting.  In the long term, we strongly
discourage its continued use." Rate limiting would be a means to prevent
data mining.

2) Regarding tiered access, the ISPCP statement declares: "  The ISPCP
supports the concept of tiered access as a principle, but is concerned with
cost, enforcement and other practical implementation issues that must be
clearly set forth prior to the implementation of such mechanism.  The ISPCP
will reserve final assessment on this principle until such time that a
clearly defined and viable method is proposed." Obviously if some data is
made unavailable for public access, a functional and cost effective method
for legitimate users to access it must be devised. We would be hesitant to
declare this is impossible to do before suitable analysis of the options is
conducted.

3) We disagree with the "the concept is discriminatory" (related to White
Listing). Certain activities that pertain to domain names make it necessary,
unfortunately, for investigations regarding infringements and fraudulent
activity to be conducted, and I fail to see how those entities and
organizations who must do this can be equated to every Internet user (should
a user have a problem, he can address it through one of these entities or
organizations). The term "spied upon users" seems rather far fetched. If a
registrant (user) is going about his business legitimately and not doing
harm to anyone, who would be interested in "spying" on him? If he needs to
be concealed from public view, why does he voluntarily register a gTLD
domain name? If he wants to get behind the shield of his own country's
privacy protection law, why doesnt he register under the corresponding
ccTLD?

4) We are comfortable with Milton's proposal that lack of consensus be
noted.

5) We support David's motion that we refrain from "attempting to define
sensitive and non-
sensitive data, since that is within the mandate of TF 2. "

Regards

Tony Harris
ISPCP Constituency

----- Original Message ----- 
From: "David Fares" <dfares@xxxxxxxxx>
To: <dow1tf@xxxxxxxxxxxxxx>; <liaison6c@xxxxxxxxxxxxxx>;
<Jeff.Neuman@xxxxxxxxxx>; "Milton Mueller" <mueller@xxxxxxx>
Sent: Monday, May 10, 2004 6:13 PM
Subject: Re: [dow1tf] Against a Whois "White List"


> Again, thanks to Milton for starting this email dialogue.
>
> Again however, the BC does not agree with Milton's suggestion.  The
> BC understands that there may be administrative burdens with a
> tiered access systems, that is why we called for a complete analysis
> of the implications and costs of any such system before approval and
> implementation.  However, access to Whois for legitimate purposes is
> essential for business users.  If some Whois data is not displayed for
> public accessibility, than some sort of white-list will be essential to
> ensure timely access by legitimate users.
>
> On another different but related point, in reviewing our draft, I believe
> that we should refrain from attempting to define sensitive and non-
> sensitive data, since that is within the mandate of TF 2.  We could still
> include the general ideas related to differentiating sensitive and non-
> sensitive data.
>
>
>
> Date sent:      Sun, 09 May 2004 12:20:11 -0400
> From:           "Milton Mueller" <mueller@xxxxxxx>
> To:             <dow1tf@xxxxxxxxxxxxxx>, <liaison6c@xxxxxxxxxxxxxx>,
>   <Jeff.Neuman@xxxxxxxxxx>
> Subject:        [dow1tf] Against a Whois "White List"
>
> >
> >
> > NCUC opposes on principle the concept of a "White List" of authorized
> > Port 43 users. We ask that this concept either be stricken from the
> > draft report of TF1, or that the lack of consensus on this idea be
> > noted. If the latter route is taken, we ask that the following
> > analysis of the reasons against the concept be afforded equal
> > treatment in the report with the description of a White list and any
> > reasons advanced for it.
> >
> > Analysis
> > As we understand it, a "White List" is intended to give certain
> > approved users the right to access sensitive data via port 43 (or
> > other means). Organizations would apply for approval and once they
> > were placed on the White list they could search, store and download
> > sensitive whois data, without any further restriction.
> >
> > This concept is unacceptable to NCUC for the following reasons:
> >
> > 1. The concept is impractical.
> > Creating such a list would add a huge operational burden to ICANN.
> > There are hundreds of millions of Internet users and they come from
> > every geographic region and language group, and involve data use
> > purposes ranging from academic research to IP enforcement. ICANN would
> > in effect be setting up a global certification process that had to be
> > able to respond to all this diversity. If ICANN did this task
> > conscientiously, the administrative burden would be huge. Not only
> > would it have to investigate the legitimacy of each applicant, it
> > should in principle also be able to constantly monitor the behavior of
> > approved entities to make sure that they were not abusing their
> > privileges. It would have to be willing to withdraw the privilege, and
> > handle disputes and appeals relating to that.
> >
> > If ICANN did not do this task conscientiously, if it simply added
> > entities pro forma to the list whenever they applied, then there is no
> > reason to create the list at all. Anyone and everyone could get the
> > status, which is no different than opening up all Whois information to
> > everyone.
> >
> > 2. The concept is discriminatory
> > The right to access Whois data must be balanced against the privacy
> > rights of the domain name registrants. Once the proper balance is
> > struck, all Internet users should have the same rights to access Whois
> > data under the same terms and conditions. Intellectual property
> > interests have no greater claim on that information than anyone else.
> > The White List, in our opinion, is designed to create a two-class
> > world of the spied-upon users, who have no rights, and privileged,
> > surveillance- authorized users, who are permitted to spy on
> > registrants.
> >
> > 3. The concept violates international privacy norms
> > A White List would give any approved user the equivalent of bulk
> > access to whois zone files. According to George Papapavlou of the
> > European Union, under data protection law bulk access is a
> > "disproportionate, privacy infringing step, unless a very convincing,
> > specific case can be made which has to be followed by due process.
> > This applies not only to marketing but to any purpose." In other
> > words, no one has the right to fish through sensitive personal data
> > just to see if they can find anything of interest. But a White List
> > would grant this right.
> >
> > 4. The White List concept is unnecessary
> > Under the proposals supported by registrars, NCUC, and ALAC,
> > the concept of a known user with a known purpose making a request for
> > each individual domain name she wants to investigate can give
> > legitimate users and purposes access to the information they need
> > without creating a centralized administrative entity and without
> > violating privacy.
> >
> >
> >
>
> David A. Fares
> Director, Electronic Commerce
> U.S. Council for International Business
> dfares@xxxxxxxxx
> Tel: 212-703-5061
>      212-354-4480
> Fax: 212-575-0327
>