[NCUC-DISCUSS] Expert Working Group on gTLD Directory Services - overview & questions

Kathy Kleiman kathy at kathykleiman.com
Mon Jul 15 05:55:35 CEST 2013 

Hi All,
As promised, I am circulating an overview and questions prior to the 
Expert Working Group on gTLD Directory Services meeting today. This is 
the "next generation Whois" working group and Stephanie Perrin fought 
hard for privacy for Registrants and accountability for those Using the 
Data.

But many of the proposals concern me and Wendy and others, especially 
this idea that all gTLD Registrant Data would be compiled into a single 
Centralized database (called the Aggregated RDS or "ARDS").   It's a 
fortress, with privacy protections and guards at the gate, but seemingly 
broad and vague purposes for accessing the data. Also, the data appears 
to not be minimized for "technical purposes" but rather maximized and 
expanded for every imaginable purpose including not only name, address, 
phone and email, but also the IP Address from which the Domain Name was 
registered, the Purpose of the Domain Name and even the "Registrant 
Type" (reducing the gray spectrum of individuals, hobbyists, informal 
organizations, formal organizations, entrepreneurs, small businesses, 
home-based businesses, medium and large businesses to "Legal/Natural 
Person, Proxy/Third Party.")

I really wanted to like this report, but on review, I see a lot to worry 
about and question.  Please join me in asking questions (as one person 
can only ask so many). Together perhaps we can raise not only privacy 
aspects of the proposal, but show that the NCUC Privacy Community is 
watching closely and concerned.

/*Expert Working Group main meeting is Monday, Hall 6 at 2:45pm Durban 
time (8:45 am Eastern; 5:45 am Pacific).*/

Some questions below.  Also, some documents attached:
1) My quick overview of EWG goals and my initial concerns (attached)
2) Expert Working Group Executive Summary (attached)
3) Expert Working Group Full Report -- 
http://www.icann.org/en/groups/other/gtld-directory-services/initial-report-24jun13-en.pdf

*Questions (please add more!)**:*
1)Is the Expert Working Group really recommending that every element of 
the existing Whois be included in this Centralized Database, including 
name, address and phone, and also never-before-collected data elements 
such as the Purpose of the Domain Name (and whether it is commercial or 
non-commercial -- a long abandoned concept because most domain names of 
individuals and organized have elements of both fundraising and 
noncommercial protected speech).

2)If the registrant data will now be held by the Registrar, Registry and 
Centralized Database, how is all access routed to only one source?  
Won't law enforcement and others seeking the data have three places from 
which to request it?  If not, how can ICANN limit the cooperation of a 
Registry and its national government, for example?

3)How can the Centralized Database know what is a valid purpose or 
invalid purpose?  Won't requesters say the right thing to get the data? 
But without any threshold or required showing of need or problems, 
doesn't it all amount to a bottom line of -- I want the data and have 
shown you that I exist?

4)How can/will abuse of EWG data be monitored and controlled? Including 
by law enforcement? If the limitation and policing are not done upfront, 
don't we impose a huge burden on the registrant for policing?

  h

5)How easy will it be for the Registrant will be able to find out who is 
searching his/her/its data?

6)Isn't the new model imposing major new risks -- including Big Data, 
new data elements (with no proposal to streamline or limit data) and 
searching across all gTLDs on a massive scale that is impossible today?

7)Do privacy protections for the Centralized Database depend on where it 
is located?Who would determine that - the EWG? ICANN? The GNSO?

8)A Risk Analysis seems critical -- and very, very soon.When will that 
take place and when will its results become known to the ICANN Community?

9)Authentication of those requesting the Registrant Data, as proposed by 
EWG, is a good idea. Credentialing (also as proposed by EWG) may not be 
--as it seems to imply that the same person or law firm or law 
enforcement agency gets access again and again to the Centralized 
Database of Registrant Data -- rather like a library card for books at a 
public library. Is this analysis right or wrong?

10)How can the bad actor category include that bad actors come from 
nearly every category of user -- and not just spammers?Bad actors in the 
Whois space include intellectual property attorneys, individuals and 
even law enforcement: who go "fishing" and explore for bad acts beyond 
any real proof or specific allegation, and those who seek to find 
registrants for the purpose of harassment and intimidation (including to 
give up domain names they are otherwise entitled to) and disclosure of 
physical location (to harass, stalk and intimidate, e.g.,for purposes of 
physical violence or to stop exercise of unpopular free speech 
positions).[There is considerable use of Whois data currently to allow 
big companies and entities to intimidate individuals, organizations and 
small/home-based businesses.]

11)Why have 3 places that individuals, attorneys and law enforcement can 
get data: Registrars, Registries and Centralized Database?If that's not 
the case, what stops law enforcement from going to a Registry in their 
country for the data directly? What stops this from being a 3-way 
shopping path?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20130714/cd79d2d6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Quick Summary_Expert Working Group Report for NCUC.doc
Type: application/msword
Size: 40960 bytes
Desc: not available
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20130714/cd79d2d6/attachment.doc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initial-report-executive-summary-24jun13-en.pdf
Type: application/pdf
Size: 231767 bytes
Desc: not available
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20130714/cd79d2d6/attachment.pdf>
-------------- next part --------------
_______________________________________________
Ncuc-discuss mailing list
Ncuc-discuss at lists.ncuc.org
http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss

More information about the Ncuc-discuss mailing list