ICANN/GNSO GNSO Email List Archives

[dow2tf]



Re: [dow2tf] My sections - resend

  • To: Jordyn@xxxxxxxxxxxxx, dow2tf@xxxxxxxxxxxxxx, gnso.secretariat@xxxxxxxxxxxxxx
  • Subject: Re: [dow2tf] My sections - resend
  • From: KathrynKL@xxxxxxx
  • Date: Sun, 16 May 2004 19:57:50 EDT
  • Sender: owner-dow2tf@xxxxxxxxxxxxxx

It appears there were attachment difficulties with my last email.
So let me try to resend my section on Publication of Data.  

I am both attaching the file (as text) and also placing the text at 
the bottom of this message.  Regards, Kathy

******************************************************************************
Publication of Data
2.5 Findings 

The topic of publication of data received considerable attention in TF2.  
Originally published for technical and operational purposes, the 20-year-old 
WHOIS protocol has developed a range of secondary uses (outlined below).  Once 
limited to the information of research and technical institutions in a small and 
limited network, the data -- including registrant name, address, phone and 
email -- originally invoked no privacy concerns, but today raises the specter of 
privacy and freedom of expression infringement (outlined below).  

One topic the TF addressed and did not answer was the purpose of the 
database.  Our mandate was to balance contactability and privacy, which we have tried 
to do.  We leave to another PDP process the knotty question of the ultimate 
purposes of this database, and whether and how they can change.  

Findings:

1. WHOIS data continues to serve a host of technical and operational 
functions for Registries and Registrars.  Transfers and other technical processes 
require the ability to access, verify and transfer WHOIS data.

2. WHOIS data includes personal and sensitive data of the type that people 
are generally allowed to limit and control in other mediums (such as address 
and phone in an unlisted phone number, and the control over secondary uses given 
to owners of personal data in European countries and other countries with 
comprehensive data protection legislation).  Such personal data is found in the 
registrant, administrative contact and technical contact fields. 

3. Publication of data serves a host of secondary purposes, including 
combating spam, policing trademarks and copyrights, availability/offers for domain 
names and checking registration data of a domain name by its owner. 

4. Publication of WHOIS data raises a host of privacy problems, 
including identity theft, telemarketing, spamming and other forms of email and 
telephone harassment, stalking, abuse and harassment by groups acting outside of 
normal scope and legal need.  

5. Publication of all WHOIS data to the world for access on an anonymous 
basis does not serve the balance of contactability and privacy.  

6. Data requesters want timely, even immediate, responsiveness to their 
requests for personal/sensitive data.  Data subjects (domain name holders) want 
timely, even immediate, notification when their personal/sensitive data is 
requested and revealed to a third party.

Possible Balances:
While (as of this writing) TF2 has not come to a final decision regarding 
which Tiered Access model to recommend, several models were submitted in 
Constituency statements.  The Registries recommended that only General Information be 
provided in the WHOIS (which is technical data without registrant, 
administrative contact or technical contact information).  The Registrars recommended a 
3-tiered system with limited information in the public WHOIS (name/country of 
registrant, administrative contact and technical contact) and technical data; 
additional information at a screened-access second tier (name/address of 
registrant, administrative contact and technical contact) and all data displayed for 
technical purposes by registries and registrars.
The Noncommercial Users Constituency called for publication of technical contact 
data in the WHOIS, but removal of all registrant and administrative contact 
fields. ALAC also requested removal of all personally identifying information, 
but asked as an alternative for notification of the domain name holder when 
his/her personal data was revealed.
                    
A compromise proposal submitted to the TF called for a combination of the 
elements above: reduction of data available to the public for anonymous and 
unlimited access; additional but limited contact information provided to a party 
who can verify his/her/its identity and state a specific reason for the access 
to the particular domain name data; confirmation and then release of data via 
an automated process; immediate notification of the domain name holder by email 
of the release of personal data (allowing the domain name holder to act for 
personal safety (e.g., data released to stalker) or enforce legal rights). 

Publication of Data
3.5  Recommendations: 

1. Personal data should not be public in the public WHOIS database (available 
on an anonymous basis).  
2. We believe a tiered access model can be developed that supports privacy 
and contactability.  We believe such a model should be affordable, scalable, 
provide timely responses to those requesting data (who meet the criteria) and 
provide timely notification of release of data to domain name holders (subject to 
appropriate law enforcement exceptions). 
3. Registrars and Registries should continue to have full access to the 
WHOIS data for technical and operational purposes.  
4. The model to emerge should take into consideration the most closely-held 
concerns of data users and data subjects, and those who protect their legal 
rights.  Data users want contact data for domain name holders, especially during 
pending legal investigations of a technical nature (such as spoofing or 
spamming). Data subjects (domain name holders) want personal/sensitive data 
provided only on an as-needed and individual basis, and not in unlimited form to a 
predetermined group of data requesters.  Data protection officials are concerned 
that overly broad reach into the data without accountability and with broad 
searching capabilities (e.g., wildcards) will be privacy-intrusive, 
disproportionate and provide a general presumption of guilt.  

