<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I'll state my position as simply as possible. If you put WHOIS in a
single database the NSA will get it. Single point of failure. There
is no reason that you can give me to justify this. <br>
<br>
Just say NO!<br>
<br>
<div class="moz-cite-prefix">On 7/15/2013 5:55 AM, Kathy Kleiman
wrote:<br>
</div>
<blockquote cite="mid:51E372B7.2090403@kathykleiman.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Hi All,<br>
As promised, I am circulating an overview and questions prior to
the Expert Working Group on gTLD Directory Services meeting today.
This is the "next generation Whois" working group and Stephanie
Perrin fought hard for privacy for Registrants and accountability
for those Using the Data.<br>
<br>
But many of the proposals concern me and Wendy and others,
especially this idea that all gTLD Registrant Data would be
compiled into a single Centralized database (called the Aggregated
RDS or "ARDS"). It's a fortress, with privacy protections and
guards at the gate, but seemingly broad and vague purposes for
accessing the data. Also, the data appears to not be minimized for
"technical purposes" but rather maximized and expanded for every
imaginable purpose including not only name, address, phone and
email, but also the IP Address from which the Domain Name was
registered, the Purpose of the Domain Name and even the
"Registrant Type" (reducing the gray spectrum of individuals,
hobbyists, informal organizations, formal organizations,
entrepreneurs, small businesses, home-based businesses, medium and
large businesses to "Legal/Natural Person, Proxy/Third Party.")<br>
<br>
I really wanted to like this report, but on review, I see a lot to
worry about and question. Please join me in asking questions (as
one person can only ask so many). Together perhaps we can raise
not only privacy aspects of the proposal, but show that the NCUC
Privacy Community is watching closely and concerned.<br>
<br>
<i><b>Expert Working Group main meeting is Monday, Hall 6 at
2:45pm Durban time (8:45 am Eastern; 5:45 am Pacific).</b></i><br>
<br>
Some questions below. Also, some documents attached:<br>
1) My quick overview of EWG goals and my initial concerns
(attached)<br>
2) Expert Working Group Executive Summary (attached)<br>
3) Expert Working Group Full Report -- <a moz-do-not-send="true"
href="http://www.icann.org/en/groups/other/gtld-directory-services/initial-report-24jun13-en.pdf"
onclick="linkClick(this.href)">http://www.icann.org/en/groups/other/gtld-directory-services/initial-report-24jun13-en.pdf</a><br>
<br>
<b>Questions (please add more!)</b><b>:</b><br>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<span style="mso-list:Ignore">1)<span style="font:7.0pt
"Times New Roman""> </span></span>Is the
Expert Working Group really recommending that every element of the
existing Whois be included in this Centralized Database, including
name, address and phone, and also never-before-collected data
elements such as the Purpose of the Domain Name (and whether it is
commercial or non-commercial – a long abandoned concept because
most domain names of individuals and organized have elements of
both fundraising and noncommercial protected speech).
<p class="MsoNormal" style="margin-left:.25in"><o:p> </o:p></p>
<span style="mso-list:Ignore">2)<span style="font:7.0pt
"Times New Roman""> </span></span>If the
registrant data will now be held by the Registrar, Registry and
Centralized Database, how is all access routed to only one
source? Won't law enforcement and others seeking the data have
three places from which to request it? If not, how can ICANN
limit the cooperation of a Registry and its national government,
for example?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">3)<span style="font:7.0pt
"Times New Roman""> </span></span>How can the
Centralized Database know what is a valid purpose or invalid
purpose? Won't requesters say the right thing to get the data?
But without any threshold or required showing of need or problems,
doesn't it all amount to a bottom line of -- I want the data and
have shown you that I exist?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">4)<span style="font:7.0pt
"Times New Roman""> </span></span>How can/will
abuse of EWG data be monitored and controlled? Including by law
enforcement? If the limitation and policing are not done upfront,
don’t we impose a huge burden on the registrant for policing?
<p class="MsoNormal"><o:p> h</o:p></p>
<span style="mso-list:Ignore">5)<span style="font:7.0pt
"Times New Roman""> </span></span>How easy
will it be for the Registrant will be able to find out who is
searching his/her/its data?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">6)<span style="font:7.0pt
"Times New Roman""> </span></span>Isn’t the
new model imposing major new risks – including Big Data, new data
elements (with no proposal to streamline or limit data) and
searching across all gTLDs on a massive scale that is impossible
today?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">7)<span style="font:7.0pt
"Times New Roman""> </span></span>Do privacy
protections for the Centralized Database depend on where it is
located?<span style="mso-spacerun:yes"> </span>Who would
determine that - the EWG? ICANN? The GNSO?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">8)<span style="font:7.0pt
"Times New Roman""> </span></span>A Risk
Analysis seems critical – and very, very soon.<span
style="mso-spacerun:yes"> </span>When will that take place and
when will its results become known to the ICANN Community?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">9)<span style="font:7.0pt
"Times New Roman""> </span></span>Authentication
of those requesting the Registrant Data, as proposed by EWG, is a
good idea. Credentialing (also as proposed by EWG) may not be –as
it seems to imply that the same person or law firm or law
enforcement agency gets access again and again to the Centralized
Database of Registrant Data – rather like a library card for books
at a public library. Is this analysis right or wrong?
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">10)<span style="font:7.0pt
"Times New Roman""> </span></span>How can the bad
actor category include that bad actors come from nearly every
category of user – and not just spammers?<span
style="mso-spacerun:yes"> </span>Bad actors in the Whois space
include intellectual property attorneys, individuals and even law
enforcement: who go “fishing” and explore for bad acts beyond any
real proof or specific allegation, and those who seek to find
registrants for the purpose of harassment and intimidation
(including to give up domain names they are otherwise entitled to)
and disclosure of physical location (to harass, stalk and
intimidate, e.g.,for purposes of physical violence or to stop
exercise of unpopular free speech positions).<span
style="mso-spacerun:yes"> </span>[There is considerable use of
Whois data currently to allow big companies and entities to
intimidate individuals, organizations and small/home-based
businesses.]
<p class="MsoNormal"><o:p> </o:p></p>
<span style="mso-list:Ignore">11)<span style="font:7.0pt
"Times New Roman""> </span></span>Why have 3
places that individuals, attorneys and law enforcement can get
data: Registrars, Registries and Centralized Database?<span
style="mso-spacerun:yes"> </span>If that’s not the case, what
stops law enforcement from going to a Registry in their country
for the data directly? What stops this from being a 3-way shopping
path?
<meta name="ProgId" content="Word.Document">
<meta name="Generator" content="Microsoft Word 10">
<meta name="Originator" content="Microsoft Word 10">
<link rel="File-List"
href="file:///C:%5CUsers%5CKATHYK%7E1%5CAppData%5CLocal%5CTemp%5Cmsohtml1%5C09%5Cclip_filelist.xml">
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>Alice Jansen</o:Author>
<o:Version>10.6870</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1795250556;
mso-list-type:hybrid;
mso-list-template-ids:-618902458 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--> </style><br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Ncuc-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ncuc-discuss@lists.ncuc.org">Ncuc-discuss@lists.ncuc.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss">http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss</a>
</pre>
</blockquote>
<br>
</body>
</html>