[NCUC-DISCUSS] Expert Working Group on gTLD Directory Services - overview & questions

Marc Perkel marc at churchofreality.org
Mon Jul 15 06:21:13 CEST 2013


I'll state my position as simply as possible. If you put WHOIS in a 
single database the NSA will get it. Single point of failure. There is 
no reason that you can give me to justify this.

Just say NO!

On 7/15/2013 5:55 AM, Kathy Kleiman wrote:
> Hi All,
> As promised, I am circulating an overview and questions prior to the 
> Expert Working Group on gTLD Directory Services meeting today. This is 
> the "next generation Whois" working group and Stephanie Perrin fought 
> hard for privacy for Registrants and accountability for those Using 
> the Data.
>
> But many of the proposals concern me and Wendy and others, especially 
> this idea that all gTLD Registrant Data would be compiled into a 
> single Centralized database (called the Aggregated RDS or "ARDS").   
> It's a fortress, with privacy protections and guards at the gate, but 
> seemingly broad and vague purposes for accessing the data. Also, the 
> data appears to not be minimized for "technical purposes" but rather 
> maximized and expanded for every imaginable purpose including not only 
> name, address, phone and email, but also the IP Address from which the 
> Domain Name was registered, the Purpose of the Domain Name and even 
> the "Registrant Type" (reducing the gray spectrum of individuals, 
> hobbyists, informal organizations, formal organizations, 
> entrepreneurs, small businesses, home-based businesses, medium and 
> large businesses to "Legal/Natural Person, Proxy/Third Party.")
>
> I really wanted to like this report, but on review, I see a lot to 
> worry about and question.  Please join me in asking questions (as one 
> person can only ask so many). Together perhaps we can raise not only 
> privacy aspects of the proposal, but show that the NCUC Privacy 
> Community is watching closely and concerned.
>
> Expert Working Group main meeting is Monday, Hall 6 at 2:45pm Durban 
> time (8:45 am Eastern; 5:45 am Pacific).
>
> Some questions below.  Also, some documents attached:
> 1) My quick overview of EWG goals and my initial concerns (attached)
> 2) Expert Working Group Executive Summary (attached)
> 3) Expert Working Group Full Report -- 
> http://www.icann.org/en/groups/other/gtld-directory-services/initial-report-24jun13-en.pdf
>
> Questions (please add more!):
> 1) Is the Expert Working Group really recommending that every element 
> of the existing Whois be included in this Centralized Database, 
> including name, address and phone, and also never-before-collected 
> data elements such as the Purpose of the Domain Name (and whether it 
> is commercial or non-commercial -- a long abandoned concept because 
> most domain names of individuals and organizations have elements of both 
> fundraising and noncommercial protected speech)?
>
> 2) If the registrant data will now be held by the Registrar, Registry 
> and Centralized Database, how is all access routed to only one 
> source?  Won't law enforcement and others seeking the data have three 
> places from which to request it?  If not, how can ICANN limit the 
> cooperation of a Registry and its national government, for example?
>
> 3) How can the Centralized Database know what is a valid purpose or 
> invalid purpose?  Won't requesters say the right thing to get the 
> data? But without any threshold or required showing of need or 
> problems, doesn't it all amount to a bottom line of -- I want the data 
> and have shown you that I exist?
>
> 4) How can/will abuse of EWG data be monitored and controlled? 
> Including by law enforcement? If the limitation and policing are not 
> done upfront, don't we impose a huge burden on the registrant for 
> policing?
>
> 5) How easy will it be for the Registrant to find out who 
> is searching his/her/its data?
>
> 6) Isn't the new model imposing major new risks -- including Big Data, 
> new data elements (with no proposal to streamline or limit data) and 
> searching across all gTLDs on a massive scale that is impossible today?
>
> 7) Do privacy protections for the Centralized Database depend on where 
> it is located? Who would determine that - the EWG? ICANN? The GNSO?
>
> 8) A Risk Analysis seems critical -- and very, very soon. When will that 
> take place and when will its results become known to the ICANN Community?
>
> 9) Authentication of those requesting the Registrant Data, as proposed 
> by EWG, is a good idea. Credentialing (also as proposed by EWG) may 
> not be -- as it seems to imply that the same person or law firm or law 
> enforcement agency gets access again and again to the Centralized 
> Database of Registrant Data -- rather like a library card for books at 
> a public library. Is this analysis right or wrong?
>
> 10) How can the bad actor category include that bad actors come from 
> nearly every category of user -- and not just spammers? Bad actors in 
> the Whois space include intellectual property attorneys, individuals 
> and even law enforcement: who go "fishing" and explore for bad acts 
> beyond any real proof or specific allegation, and those who seek to 
> find registrants for the purpose of harassment and intimidation 
> (including to give up domain names they are otherwise entitled to) and 
> disclosure of physical location (to harass, stalk and intimidate, 
> e.g., for purposes of physical violence or to stop exercise of 
> unpopular free speech positions). [There is considerable use of Whois 
> data currently to allow big companies and entities to intimidate 
> individuals, organizations and small/home-based businesses.]
>
> 11) Why have 3 places that individuals, attorneys and law enforcement 
> can get data: Registrars, Registries and Centralized Database? If 
> that's not the case, what stops law enforcement from going to a 
> Registry in their country for the data directly? What stops this from 
> being a 3-way shopping path?
>
>
>
>
> _______________________________________________
> Ncuc-discuss mailing list
> Ncuc-discuss at lists.ncuc.org
> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
