June 25, 2003

Real-time thoughts during ICANN's second whois session:
Second Panel

Today is George Orwell's 100th birthday. Orwell, were he here at these ICANN sessions on whois, would probably perceive them as strong evidence that Big Brother is closer today than in 1984.

Metalitz/IP - He is beginning with an incorrect statement about the "purpose" of whois. It was not established to track down people doing bad things - back when whois started it was much like the roster of a club. So his statement that whois is being used by IP folks in the way whois was originally "intended" is not supportable.

FTC - Mentioned accuracy. My thought is that we need to be more accurate about the meaning of "accuracy". There are elements such as precision - for example whether a full telephone number is provided versus only the country-code/city code part of the phone number. And there is a distinction between information that is simply absent versus information that is misleading. Accuracy depends on the use to which the data is to be put - in the sciences this concept is embodied in a mechanism called "significant digits".

Thinking of accuracy, I am reminded of a statement attributed to John Von Neumann:

"There's no sense in being precise when you don't even know what you're talking about."

Davidson/Metalitz on "tiered access" - There seems to be an issue that is being smoothed over - and that is whether the "tiers" represent people by status or situations as defined by facts? My sense is that the parties to this discussion are talking past one another. Clearly the IP folks want "tiers" by virtue of status (with IP folks being in the privileged class). I would suggest that what we really want is situation-based access.

Willie Black - He is asking for an authority system so he can identify the person making the inquiry. That is consistent with my own proposals. However, he is treating the proof of identity as the end of the trail - that once the registry/registrar knows that a person is of a given status that he/she deserves adequate, without examination of the situation or requiring that the person making his inquiry state the reason.

Milam - Talking about bulk access: Justifying bulk access because some companies have developed data mining that requires bulk access as fodder. Sheesh, I can imagine Jay Gould saying something like that - that he has a right to take public lands because he can make money out of railroads he builds across those lands.

Topic - notification of the data subject

There's a lot of discussion on this. There is a lot of swirling around the distinction between real-time notice and deferred notice. It seems that people seem to have different assumptions and are disagreeing based more on their assumptions than upon the underlying concepts. I believe that the topic of notification would be served by dealing with concrete examples of how such a system might work.

The question has come up about the viability of a privacy-oriented TLD. I don't feel that this is a viable concept for general use. Davidson described it as a "privacy ghetto".

I hope to run an experiment soon in which people can register names anonymously and without the retention of any contact information whatsoever - control of a name would be in the form of a digital certificate, a kind of bearer bond.

Metalitz/Milam - they are complaining that registries/registrars are not honoring their obligations under the ICANN contracts. They want third party beneficiary rights so that they have standing to enforce the contracts. It is my feeling that if anyone deserves third party beneficiary rights, it is not the IP owners but rather the users of the internet for whose benefit ICANN is purported to have been created.

FTC - arguing that the commercial/non-commercial distinction is viable, yet she speaks in language as if the internet were only the world wide web and contained no other services. That kind of uneducated thinking is dangerous.

Posted by karl at 6:36 AM

Real-time thoughts during ICANN's second whois session:
First Panel

I'm picking this up about 20 minutes in ---

John LoGalbo - A "law enforcement" type - is complaining how long it takes him to issue a subpoena. My thought is this: Why should our privacy suffer because his organization can't get its procedural act together?

I am incensed - he is simply stating a conclusion that his targets are "criminals" and that to go after them he wants to throw away all legal processes and procedures - so much for the fourth, fifth, sixth, and fourteenth amendments.

Law enforcement procedures are there for a reason and should not be abandoned on the basis of mere expediency and convenience, particularly on nothing more than an accusation that has never been reviewed by a magistrate or other disinterested party.

I am appalled at the way that the word "legitimate" is bandied around without even a hint of recognition that it is a conclusion properly arrived at only after a long road. From what I am hearing, people are simply wrapping their desires in the word "legitimate" and bypassing the hard part of actually justifying it.

This panel really contains no advocates representing the point of view of the data subjects.

Posted by karl at 6:05 AM

June 24, 2003

Real-time thoughts during the WHOIS session

I'm going to try something new here. I'm sitting here at the ICANN meeting on whois and I'll try to jot down some of my thoughts as they occur to me in reaction to what is being said:

- What is the "purpose" of whois? When a person acquires a domain name he/she has a decision to make: whether he/she will give the vendor/registrar his/her personal information? (If not, the person might have to forego getting the name, but that's his/her choice.) It seems that that is the context in which we need to evaluate the "purpose" of whois. In other words, the person relinquishes the information for the purpose of acquiring a domain name and not the broad panoply of uses that have grown around whois.

- "tiered" access - do we give rights to classes of persons or to classes of situations? It seems to me that it is wrong to create a class of persons who, by virtue of their status, have whois access. Rather, it seems that the question whether to allow access must be situational, based on the facts of the situation rather than the status of the person making the inquiry.

- "law enforcement" - This is universally a special case. There are several issues. First, how does one identify who is a law enforcement person? Second, how does one decide whether that person is acting within his/her scope of authority? Third, do we require the law enforcement person to articulate something akin to probable cause or some lower showing of the underlying reasons for the request? And to the extent that we build audit trails, when are law enforcement accesses made visible to the data subject?

- Vint's comment on whois being an ancillary aspect of being on the net: I can't accept that paradigm. If the net were a dangerous instrumentality, the use of which could cause immediate harm to third parties, then perhaps it would be appropriate to require that the user make his identity visible to the world. But with the net becoming a utility, a necessary part of simply being a citizen, it seems wrong that a person must divulge his personal contact information into an unrestricted database as the price of participation.

I just had an awful thought - the logic that is being used to require open access to whois could be equally applied to require the gathering and publishing the name, blood type, DNS sequence, etc of every newborn baby. Hello Mr. Orwell.

- I wonder what kinds of obligations that a registry/registrar must place on its employees? What I'm asking is whether an employing registry/registrar could be held negligent if it doesn't properly train or obligate its employees to protect privacy?

- .nl Why the *&!&*! are IP rights given automatic status as "legitimate"?!!! I would argue that if one goes down that path there is even a stronger right of a parent to check the medical records of their children's playmates to see if they might carry infectious diseases.

- Jane Mutimear on intellectual property uses of whois... Oh lordy, she's hopping onto the "consumer protection" bandwagon and wrapping the ip industry in the superhero suit of a neo-law enforcement agency. Are the law enforcement and consumer protection agencies in the UK so weak that the intellectual property industry has to go forth and stop someone from collecting data on little girls or shipping defective batteries?

Oh now she's describing two companies that merge and only afterwards go out and try to get a domain name. Am I supposed to feel sympathy for business people who are simply stupid? What's next, am I going to be obligated to sell (or worse, to give) land to a company because I happened to figure out that a factory might want to expand onto that land before the business itself does?

Now she's claiming "due diligence" requires ip folks to dig into whois - that kind of thing really could be satisfied by a distinct mechanism, something akin to a certificate of ownership issued by the registrar to its customer (perhaps for a small fee.)

Her answer that "intellectual property people are allowed to protect consumers because trademark arises originally to protect consumers" is interesting. My thought is to what extent the original idea that consumers should be able to identify and distinguish the source of goods and services can be stretched into other things?

OECD:

I am hearing a request that ICANN become a consumer protection body.

The OECD person seems to be asking for "whois" to become a de facto business license.

FTC - Interesting to hear that they consider .usa to "not exist" - they seem to not recognize competing roots and are incorrectly analyzing the situation based on the notion that there is but one single root. The proper analysis would be not on existence but rather that the seller was relying on the buyer being misled as to the scope of visibility of the purchased domain name.

They are saying that subpoena powers are a) too slow and b) limited to the US. I don't accept the "slow" argument - they could preprint a stack of 'em and simply fill in the blanks as needed. I am curious as to the hoops that they have to jump through in order to issue a subpoena.

Questions from floor -

Milton's question about allocation of costs - I want to hear the answer as well. It seems that much of what is happening here is the shifting of costs, that it is attractive for those who can offload costs onto others to do so.

Alan Davidson - Raised point that without privacy people would build structures to mask their identity.

Also asked - for example, why are telephone numbers being collected? The answer from .nl was that technical people need to reach one another to fix things. My own thought was "OK, that may be acceptable, but does that justify giving full phone numbers to everybody?"

Me - I never got an answer on my question on having explicit third party beneficiary rights in the registrar accreditation agreement (RAA) so that consumers would have a legal basis to initiate actions to redress perceived violations to their rights.

Thought of my own - I believe most of the concerns of ip folks and law enforcement, and even consumer deception, arise out of a weakness in the technical architecture of the internet. If the net had a viable and deployed end-to-end system of identification and authentication that is applied on connections then one would always have a solid verifiable way of finding out who they are connecting to. (The identification might only be to the level of a certificate of some kind, requiring one to work backwards up some chain. Consumers/users would have to learn to refuse to deal with those who they can not adequately.)

We are running into a clock-based cut-off of discussion - and there are several people standing in line. I see no reason not to continue into the lunch period.

More later...

Posted by karl at 7:56 AM

June 7, 2003

Privacy and Whois (A continuing blog-dialog with Ross Rader)

Privacy is a complex topic.  The decision whether information is to be private or not is the result of a balance of equities.  As in any such balancing act the weights assigned to the various equities frequently dictate the outcome.  And loss of privacy is a ratcheting event - once privacy is breached, it remains breached.

During the 1970s and 1980s privacy issues were distilled into collections of principles.  These principles represent broad consensus of opinion among many actors, private and commercial, governmental and institutional.  Many of these principles underlie imperative laws in many nations around the world and ought not be thoughtlessly disregarded.

When a person discloses personal information a kind of rough social bargain is struck - the person makes a choice, perhaps unknowingly, to disclose or not to disclose based on that person's evaluation of the benefits to be obtained versus the costs and burdens to be incurred.  To come in at a later time and rewrite the terms of that bargain is unfair and will eventually result in people becoming overprotective of their personal information.

In other words, it is axiomatic that the privacy balance must be based on the conditions present and known to the person at the time of the transaction in which he/she chose to disclose his/her private information.

A corollary is that in the balance of equities to decide whether the personal data should be disclosed to a third party it is crucial that primary weight be given to the use of that data that was intended by, or expected by, the person who disclosed the data.  If the third party is requesting a use that is within the reasonable scope of that intended or expected use then the hurdles to be overcome should be comparatively lower.  If the third party is requesting a use that is beyond the reasonable scope, then the hurdles to be overcome should be rather higher.

Someone must have been telling lies about Joseph K., for without having done anything wrong he was arrested one fine morning. - opening sentence of The Trial by Franz Kafka.

It is difficult to accept a balance as having been fairly made if the parties to the issue have not been allowed to make their case or even be allowed to be aware that a balance concerning their interests is being struck.

Consequently, it is very important that inquiries for private data be neither anonymous nor unrecorded.  The data subject - the person who the data concerns - ought to be able to learn who has been asking questions, perhaps questions based on false presumptions or even upon lies.

To make some of these thoughts more concrete let me apply them in the context of the Domain Name System (DNS) "whois" database.

First, what is the expectation of the person, the customer, who is disclosing his/her information when he/she decides to acquire a domain name?  Certainly we can say that the purpose is to allow the vendor - the domain name registrar - to complete the transaction and to collect any fees that may be charged.  And certainly the purpose includes the ability of the customer to give the registrar adequate information to allow the customer to maintain the viability of the name server address information that makes the registration workable on the internet.

But does that purpose encompass an intent to provide information to third parties, such as intellectual property holders, for the purpose of easing the cost and removing the protections offered by legal procedures of bringing accusatory actions against the customer?  I would suggest that it is unreasonable to conclude that domain name customers intend to confer such benefits on those third parties.

Thus it is reasonable to conclude that disclosure that facilitates the ability of the registrar to consummate the registration agreement is readily permissible.

However, disclosure to an intellectual property attorney who is seeking to accuse the customer/data-subject/domain-name-holder is not so obvious.  So we start to balance the equities.

I expect one of the first assertions to be made by the intellectual property attorney is that we should imply an intent onto the data-subject that he/she intends to obey the law.  I agree.  However, that implication applies to all of our transactions in life and if that implication is sufficient to allow privacy to be breached in the whois context then one has to wonder whether there could remain any area in life in which privacy might continue to exist?

And I would add to that assertion that there are well established procedures and remedies, established through thousands of years of trial and error, for an aggrieved party to seek redress.  If those procedures are slow and expensive it seems to me that the cure is to fix the procedures rather than to eliminate the right to privacy on nothing stronger than a mere accusation.  If one examines the power of the intellectual property bar relative to the average data subject, the former has a much, much greater ability to effect changes in the legal system and its procedures and costs.

Recognizing the force of the intellectual property interests in ICANN, there is reason to believe that an extra-legal route into whois will be established (if it has not been established already) despite or, and indeed in lieu of, established legal processes.

If such a route is established then I suggest that there also be established a magisterial process through which those who claim that they need access to whois data may present their reasons for such access and have them evaluated for sufficiency.  In such a process, unless the data subject has been given notice and an opportunity to appear in a convenient venue, all questions not supported by compelling evidence ought to be decided in favor of the data subject.

All people and entities that seek access to whois data ought to be required to demonstrate, using verifiable credentials, their identity and contact information.  That identity, contact information, and the basis upon which access is being requested, ought to be recorded in a permanent audit file.

Except in the case of legitimate law enforcement activities (which are presumably governed by bodies of laws and constitutional limitations) that audit file ought to be available to the data subject - much like credit reports are available.  The cost of this system and of a reasonable number of reports (e.g. one report per quarter) ought to be covered by a system that recoups the costs from those who register domain names and those who seek to penetrate whois privacy.

(I have noticed that some people read more into my proposal than I intend - It is my intent that there be an audit trail, not that there be real-time notification of the data subject.  I would prefer the latter, except in cases of legitimate law enforcement, however my sense is that it is beyond today's technology and would be more of a nuisance than a benefit.)

Identification need not be burdensome or expensive.  There are certain classes of people and entities who would be expected to be frequently in need of whois data.  These include operators in Network Operations Centers (NOCs) who must track down network problems, often in the wee hours of the night and often under emergency conditions.  Intellectual property attorneys who engage in domain name versus trademark disputes would similarly be likely to require frequent access.

In such cases it would be appropriate to pre-establish identities and credentials.  The cost of such a system really need be no more than the cost of a signed entry on a PGP or GPG key ring - i.e. almost nil.

For those who do not have pre-arranged credentials, data access could be constrained in non-burdensome ways.  For example, for those who do not have pre-established credentials, the result of the query could be delivered by e-mail, which creates at least a rough handle, if perhaps only for a short while, leading to the person purported to be making the inquiry.  Or the result could be made less precise - telephone area codes/country codes could be substituted in lieu of the full telephone number of the data subject.  Similarly, only postal code information might be available instead of an exact street address.

Posted by karl at 11:03 PM
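
The access scheme proposed in the post above (identified requesters, a stated basis recorded in a permanent audit file, reports to the data subject that withhold law enforcement entries, and less precise answers delivered by e-mail to those without pre-arranged credentials) can be sketched in a few lines. This is an added example, not part of the original post; the WhoisGateway class, the sample record and the requester names are hypothetical, an HMAC key stands in for the signed PGP/GPG key-ring entry, and hash-chaining the audit entries is one assumed way to make the file hard to alter quietly.

```python
import hashlib
import hmac
import json

# Constructed sample data; names, keys and addresses are illustrative only.
REGISTRY = {"example.org": {"name": "A. Registrant", "street": "12 Sample Lane",
                            "postal_code": "95060", "phone": "+1 831 555 0100"}}
# Pre-established credentials: requester -> (key, role). An HMAC key stands in
# for the signed PGP/GPG key-ring entry the post suggests.
CREDENTIALS = {"noc@isp.example": (b"constructed-noc-key", "noc"),
               "agent@police.example": (b"constructed-le-key", "law_enforcement")}


def sign(key, requester, domain, basis):
    """Requester side: bind identity, target and stated basis to the credential."""
    msg = "|".join((requester, domain, basis)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def reduce_precision(record):
    """Answer for requesters without credentials: area code and postal code only."""
    country, area = record["phone"].split()[:2]
    return {"name": record["name"], "postal_code": record["postal_code"],
            "phone": f"{country} {area}"}


class WhoisGateway:
    def __init__(self):
        self.audit = []  # append-only; each entry carries the previous entry's hash

    def _record(self, entry):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode())
        self.audit.append(dict(entry, prev=prev, hash=digest.hexdigest()))

    def query(self, requester, contact, domain, basis, signature=None):
        if not basis.strip():
            raise ValueError("a request must state the basis for access")
        role = "uncredentialed"
        if signature is not None:
            key, claimed = CREDENTIALS.get(requester, (b"", None))
            ok = claimed is not None and hmac.compare_digest(
                sign(key, requester, domain, basis), signature)
            if not ok:
                # Failed credential checks are audited too, then refused.
                self._record({"requester": requester, "contact": contact,
                              "domain": domain, "basis": basis, "role": "rejected"})
                raise PermissionError("credential check failed")
            role = claimed
        self._record({"requester": requester, "contact": contact,
                      "domain": domain, "basis": basis, "role": role})
        record = REGISTRY.get(domain)
        if record is None:
            return {"delivery": None, "record": None}
        if role == "uncredentialed":
            # Reduced answer, sent to the stated e-mail address as a rough handle.
            return {"delivery": f"email:{contact}", "record": reduce_precision(record)}
        return {"delivery": "direct", "record": dict(record)}

    def report_for_subject(self, domain):
        """Audit report for the data subject; law enforcement entries are withheld."""
        return [e for e in self.audit
                if e["domain"] == domain and e["role"] != "law_enforcement"]

    def chain_intact(self):
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode())
            if e["prev"] != prev or e["hash"] != digest.hexdigest():
                return False
            prev = e["hash"]
        return True
```

Because the signature covers the stated basis as well as the identity, a credential answers only the situation it was presented for, which keeps access situational rather than purely status-based.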

So Oracle wants to buy PeopleSoft - I hope they do their homework

I saw in the news that Oracle wants to buy PeopleSoft.  I hope they do their homework, particularly about PeopleSoft's CEO, Craig Conway.

I encountered PeopleSoft's CEO when he was brought into a software/networking company in Santa Cruz, TGV, to take them public (and then later to sell the company to Cisco.)

I do hope the people at Oracle look at the "job" that Conway did on TGV and on my own company, Empirical Tools and Technologies that had TGV as a principal investor.  The California Department of Corporations has a rather complete record of how TGV, under the direction of Conway, destroyed a running corporation with award winning products.

I do hope the people at Oracle ask Cisco about Cisco's acquisition of TGV, an acquisition that has been frequently described as "failed", and ask why Cisco chose not to employ Conway after the acquisition.

As for myself, I was appalled when I heard that PeopleSoft's Board of Directors had engaged Conway as CEO.  One would have hoped that the Board of Directors of a corporation such as PeopleSoft would have done some background checks.  I immediately dumped PeopleSoft from my portfolio and have avoided them, and their products, ever since.

It would be justice indeed, if Larry Ellison, were to give PeopleSoft's CEO a taste of the kind of treatment that PeopleSoft's CEO has dished out to others over the years.

Posted by karl at 4:38 PM

2nd Whois Phonecall

I hear that there was a 2nd conference call on whois issues.

I would have participated. However, nobody bothered to let me know that it was scheduled or what the call-in information was.

From what I have been able to ascertain several of the people who actively participated in the first phone call (and primarily those who expressed concerns about privacy) were not notified. There appears to be a bit of unnatural selection going on - perhaps to tailor the result and create yet another one of ICANN's infamous artificial "consensus" policies.

Looking through the summary it appears that the intellectual property folks still don't give a damn about privacy - they just want more and better ore to data mine (although they give it a better name - tiered access, in which they, of course, occupy the most privileged tier.)

The registrars seem concerned that their costs of providing this service are covered. That makes sense. But it seems that there is also an undercurrent of desire to be able to turn whois into a profit center. Banks and large merchants sell their customers' personal data for a profit; it is understandable that registrars would like to be able to do the same.

I continue to see that most of the people discussing this issue continue to fail to comprehend that the internet is much more than the world wide web. As a consequence it is unfortunate, but likely, that the results of these discussions will end up burdening, perhaps crippling, non-web internet technologies.

Towards the end of the phone call there is discussion about law enforcement. (It was good to see people rebut the assertion by the intellectual property people that they are somehow a form of law enforcement agency and thus entitled to all the privileges, and immunities.)

It is good that the FTC uses whois data to go after consumer fraud. Of course, the FTC has subpoena powers and could get to DNS registrar data even if there were no public whois system. It was sad to see the FTC forget that a lot of the fraud that is committed is upon consumers whose name and address and phone number come into the hands of the bad guys via the whois system.

Overall I am feeling that this whois effort is becoming a whitewash for the status quo, perhaps with some tools to make it even easier for intellectual property attorneys to data mine private information, and perhaps with a nod in the direction of making it easier for registrars to recoup the cost of their participation in what is developing as one of the world's largest and most extensive violations of personal privacy.

Posted by karl at 11:10 AM

June 4, 2003

What has ICANN's Appointments, oops, Nominating Committee been up to?

ICANN's so-called "Nominating committee" (despite its name, it is really an "appointing" committee) is supposed to come out with its list of appointees in early June.

It is now early June.

One might wonder what processes are being used by the members of the committee? Are they voting at all? Are there separate votes for each person under consideration using majority-takes-all counting? Or are there lists of names and voting using cumulative or instant runoff (single transferable vote) methods of counting?

These are not trivial differences. Single name voting with majority counting rules is a classic form of ensuring that the majority will win on every decision. On the other hand, votes for multiple seats using cumulative and instant runoff methods are widely used methods to ensure that the minority interests have at least a chance of getting a few of their people chosen.

One wonders why even the method of voting is being kept secret.

The nominating committee has adopted rules that make it seem like a hiring committee. I find this kind of secrecy to be wrongheaded. The choice of ICANN board members should be more like the selection of judges - the names of candidates should be made public, there should be ways for the public to comment on the quality of those candidates, there should be an open vote, with the vote of each committee member recorded in the minutes.

ICANN was born in secrecy, it operates in secrecy, and it now appoints its board using secret procedures.

Posted by karl at 11:00 PM