ICANN/GNSO GNSO Email List Archives

[ga]



[ga] RE: Whois more in detail

  • To: "ga" <ga@xxxxxxxxxxxxxx>, "icann whois" <whois-comments@xxxxxxxxx>
  • Subject: [ga] RE: Whois more in detail
  • From: "Dominik Filipp" <dominik.filipp@xxxxxxxx>
  • Date: Tue, 9 Jan 2007 13:04:08 +0100
  • Sender: owner-ga@xxxxxxxxxxxxxx
  • Thread-index: AcczzRKy68h+x/wYSiK5+ajmWLYzPAAA9Ziw
  • Thread-topic: Whois more in detail

Jeff,

firstly, my proposal is just a technical framework on how whois records
could be structured and accessed respecting the ideas we've been talking
about here. The 'access modes' mentioned in the proposal, at this very
first phase, are nothing but a technical granulation, or an 'access'
property attached to a single whois entry. I'm still persuaded that such a
granulation is technically important just for supporting different whois
policy models being taken into consideration whenever local law
enforcement is applied and demanded.
As you can see, the current Preliminary Draft on Whois we are about to
comment now is also focused mainly on technical and structural issues,
so am I. The main difference I see between the Draft and my proposal (I
tend to say 'our' proposal as I've just taken various ideas from GA into
account and put them in a more formalized framework) is a more dynamic
approach supported in the proposal. In the Draft the model is somewhat
fixed in favor of data publishing. If you want more privacy you are
obligated to qualify for the "Special Circumstances" process which is a
paid service and your request can still be refused unless you meet
adequate standards for that purpose. At the moment nobody knows what the
standards are (or will be) like. As a technical proposal it has nothing
to do with law enforcement. The only important question regarding law
issues in the technical proposal is whether we are somehow able to
manage different (national) policies on technical level, thanks to a
suitable granularity.
As far as I remember, there has been a long-term discussion out here
supporting the natural human right to keep individual privacy similarly
as it's arranged for individual gun holders, driving licenses, etc.
Frankly, when I was first reading the Draft I was for publishing as much
data as possible regardless of the 'type' of registrants. However, after
going further into reading the posts here I've realized the importance
of individual privacy (over commercial business companies). That's why
I've decided to design the proposal to be more dynamic.

Secondly, I mean that whois records and the whois policy are two
different things. Again, in the Draft, you can notice calling for a
meaningful and operational policy capable of enforcing all whois related
laws every registrant is obligated to abide by. See, for instance, the
section Inaccurate Data in the Draft. So, the need for functional whois
policy will come forth anyway. At the moment there is just a very hazy
understanding of how this could be actually reached, but the important
question is whether the future whois model will be flexible enough to
adapt to possible approaches. At this very first phase of the new whois
model I don't care about the policy either, there will be (I hope)
enough room for further discussions over that later.
Now, let me show an example. The Dutch whois model strongly prefers
publishing all data, on the other hand the French model prefers (or
allows/requires) more privacy. Both models are inherently incompatible
and no static model can fit both expectations. Yeah, you can still
make a classical cut and state that a whois record will contain just half
of data to 'satisfy' both models. No need to say it's a poor solution
that definitely fails at the moment when both governments decide to
strictly follow their own laws.
In the dynamic model the situation is solvable as follows - when the
registrant fills in the country in the registration form, the next form
(with registrant data) offers suitable 'access modes' according to the
country selected; for a Dutch registrant the only choice is 'Exposed'
access mode, for a French registrant there are all three modes available
he/she can choose from. The resulting two whois records perfectly fit
the national law requirements.

Sure, there are many open questions remaining. But we are at least able
to distinguish between the technical (data & handling) whois structure
on one side, and applicable (national) law enforcement related to whois
accuracy on the other side. Moreover, they both seem to be compatible.

And finally, Jefsey is right, the dynamic model is part of the
application level and, indeed, its implementation is more complex than
the static one. I even think that a new RFC will be necessary. So what!
If we are about to design something new let's design it better.

Dominik
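
An added illustration of the dynamic model described in the message above, enforced server-side rather than only in the registration form; it is not part of the original post or of any ICANN specification. The country table, the mode names other than 'Exposed', the sample record, and the rule that an anonymous query sees only 'Exposed' entries are assumptions.

```python
from dataclasses import dataclass

# 'Exposed' is the only mode named in the post; the other two names are hypothetical.
EXPOSED, RESTRICTED, HIDDEN = "Exposed", "Restricted", "Hidden"

# Constructed policy table: access modes the registrar may offer per country.
ALLOWED_MODES = {
    "NL": {EXPOSED},                      # Dutch model: publish all data
    "FR": {EXPOSED, RESTRICTED, HIDDEN},  # French model: all three modes offered
}

@dataclass(frozen=True)
class Entry:
    name: str    # whois field name
    value: str
    access: str  # the 'access' property attached to this single entry

def offered_modes(country):
    """Modes the second registration form may offer for this country.
    An unconfigured country is rejected instead of silently defaulting."""
    if country not in ALLOWED_MODES:
        raise ValueError(f"no whois policy configured for country {country!r}")
    return ALLOWED_MODES[country]

def validate_record(country, entries):
    """Re-check a submitted record on the server: return the names of entries
    whose access mode the country's policy does not permit."""
    allowed = offered_modes(country)
    return [e.name for e in entries if e.access not in allowed]

def public_view(entries):
    """Assumed semantics: an anonymous whois query sees only 'Exposed' entries."""
    return {e.name: e.value for e in entries if e.access == EXPOSED}

# Constructed sample record, as a French registrant might submit it.
SAMPLE = [
    Entry("registrant-name", "Example Registrant", EXPOSED),
    Entry("registrant-email", "owner@example.test", HIDDEN),
    Entry("registrant-phone", "+33.100000000", RESTRICTED),
]

if __name__ == "__main__":
    print("FR violations:", validate_record("FR", SAMPLE))
    print("NL violations:", validate_record("NL", SAMPLE))
    print("public view:  ", public_view(SAMPLE))
```

The same record that is valid under the French policy is rejected under the Dutch one, which is the per-country behaviour the post describes.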


-----Original Message-----
From: Jeff Williams [mailto:jwkckid1@xxxxxxxxxxxxx] 
Sent: Tuesday, January 09, 2007 12:03 PM
To: Dominik Filipp; icann whois
Cc: ga
Subject: Re: [ga] JFC Morfin: people are not for sale

Dominik and all,

  Interesting musings and thoughts from JFC here.  However Whois is
ICANN's baby and ICANN's baby alone in as much as policy for Whois is
concerned. W3C, IETF, etc., etc., can of course recommend whatever they
wish.  However registrars will have most of the final say in regards to
Whois policy.  Yet herein lies the problem, and/or chicken and egg
situation in respect to Whois and the different legal concerns as to
what is considered private information and what is not.  Hence, indeed
ICANN's registrars by contract to ICANN will be forced or otherwise
recognize ONE standard and/or policy for Whois data and who has access
to what data elements in a Whois query.  As privacy protections are
being increased in some countries and dramatically eroded in other
countries such as the US, a single standard and/or policy is necessary
if continuity of Whois data is to be maintained and considered accurate
and reliable.  Yet different layers as to access can be and are in
effect now, can continue to be used as long as the Whois data base
itself is not affected or otherwise modified by said applications or
said applications are tested and approved by ICANN and/or its
registrars.

 This all still leaves the concern or challenge of enforcement of any
and all privacy violations with respect to different laws and legal systems
in various nations.  As I have said before, we all have many times
witnessed, neither ICANN nor its registrars can or will enforce their
own standards and/or contract obligations.



