Re: [dow2tf] My sections - resend
- To: Jordyn@xxxxxxxxxxxxx, dow2tf@xxxxxxxxxxxxxx, gnso.secretariat@xxxxxxxxxxxxxx
- Subject: Re: [dow2tf] My sections - resend
- From: KathrynKL@xxxxxxx
- Date: Sun, 16 May 2004 19:57:50 EDT
- Sender: owner-dow2tf@xxxxxxxxxxxxxx
It appears there were attachment difficulties with my last email.
So let me try to resend my section on Publication of Data.
I am both attaching the file (as text) and also placing the text at
the bottom of this message. Regards, Kathy
******************************************************************************
Publication of Data
2.5 Findings
The topic of publication of data received considerable attention in TF2.
Originally published for technical and operational purposes, the 20-year-old
WHOIS protocol has developed a range of secondary uses (outlined below). Once
limited to the information of research and technical institutions in a small and
limited network, the data -- including registrant name, address, phone and
email -- originally invoked no privacy concerns, but today raises the specter of
privacy and freedom of expression infringement (outlined below).
One topic the TF addressed and did not answer was the purpose of the
database. Our mandate was to balance contactability and privacy, which we have tried
to do. We leave to another PDP process the knotty question of the ultimate
purposes of this database, and whether and how they can change.
Findings:
1. WHOIS data continues to serve a host of technical and operational
functions for Registries and Registrars. Transfers and other technical processes
require the ability to access, verify and transfer WHOIS data.
2. WHOIS data includes personal and sensitive data of the type that people
are generally allowed to limit and control in other mediums (such as address
and phone in an unlisted phone number, and the control over secondary uses given
to owners of personal data in European countries and other countries with
comprehensive data protection legislation). Such personal data is found in the
registrant, administrative contact and technical contact fields.
3. Publication of data serves a host of secondary purposes, including
combating spam, policing trademarks and copyrights, availability/offers for domain
names and checking registration data of a domain name by its owner.
4. Publication of WHOIS data raises a host of privacy problems,
including identity theft, telemarketing, spamming and other forms of email and
telephone harassment, stalking, abuse and harassment by groups acting outside of
normal scope and legal need.
5. Publication of all WHOIS data to the world for access on an anonymous
basis does not serve the balance of contactability and privacy.
6. Data requesters want timely, even immediate, responsiveness to their
requests for personal/sensitive data. Data subjects (domain name holders) want
timely, even immediate, notification when their personal/sensitive data is
requested and revealed to a third party.
Possible Balances:
While (as of this writing) TF2 has not come to a final decision regarding
which Tiered Access model to recommend, several models were submitted in
Constituency statements. The Registries recommended that only General Information be
provided in the WHOIS (which is technical data without registrant,
administrative contact or technical contact information). The Registrars recommended a
3-tiered system with limited information in the public WHOIS (name/country of
registrant, administrative contact and technical contact) and technical data;
additional information at a screened-access second tier (name/address of
registrant, administrative contact and technical contact) and all data displayed for
technical purposes by registries and registrars.
Noncommercial Users Constituency called for publication of technical contact
data in the WHOIS, but removal of all registrant and administrative contact
fields. ALAC also requested removal of all personally identifying information,
but asked as an alternative for notification of the domain name holder when
his/her personal data was revealed.
A compromise proposal submitted to the TF called for a combination of the
elements above: reduction of data available to the public for anonymous and
unlimited access; additional but limited contact information provided to a party
who can verify his/her/its identity and state a specific reason for the access
to the particular domain name data; confirmation and then release of data via
an automated process; immediate notification of the domain name holder by email
of the release of personal data (allowing domain name holder to act for
personal safety (e.g., data released to stalker) or enforce legal rights).
Publication of Data
3.5 Recommendations:
1. Personal data should not be public in the public WHOIS database (available
on an anonymous basis).
2. We believe a tiered access model can be developed that supports privacy
and contactability. We believe such a model should be affordable, scalable,
provide timely responses to those requesting data (who meet the criteria) and
provide timely notification of release of data to domain name holders (subject to
appropriate law enforcement exceptions).
3. Registrars and Registries should continue to have full access to the
WHOIS data for technical and operational purposes.
4. The model to emerge should take into consideration the most closely-held
concerns of data users and data subjects, and those who protect their legal
rights. Data users want contact data for domain name holders, especially during
a pending legal investigation of a technical nature (such as spoofing or
spamming). Data subjects (domain name holders) want personal/sensitive data
provided only on an as-needed and individual basis, and not in unlimited form to a
predetermined group of data requesters. Data protection officials are concerned
that overly broad reach into the data without accountability and with broad
searching capabilities (e.g., wildcards) will be privacy-intrusive,
disproportionate and provide a general presumption of guilt.