I'm going to try something new here. I'm sitting here at the ICANN meeting on whois and I'll try to jot down some of my thoughts as they occur to me in reaction to what is being said:
- What is the "purpose" of whois? When a person acquires a domain name he/she has a decision to make: whether he/she will give the vendor/registrar his/her personal information? (If not, the person might have to forego getting the name, but that's his/her choice.) It seems that that is the context in which we need to evaluate the "purpose" of whois. In other words, the person relinquishes the information for the purpose of acquiring a domain name and not the broad panopoly of uses that have grown around whois.
- "tiered" access - do we give rights to classes of persons or to classes of situations? It seems to me that it is wrong to create a class of persons who, by virtue of their status, have whois access. Rather, it seems that the question whether to allow access must be situational, based on the facts of the situation rather than the status of the person making the inquiry.
- "law enforcement" - This is universally a special case. There are several issues. First, how does on identify who is a law enforcement person? Second, how does one decide whether that person is acting within his/her scope of authority? Third, do we require the law enforcement person to articulate something akin to probable cause or some lower showing of the underlying reasons for the request? And to the extent that we build audit trails, when are law enforcement accesses made visible to the data subject?
- Vint's comment on whois being an ancillary aspect of being on the net: I can't accept that paradigm. If the net were a dangerous instrumentality, the use of which could cause immediate harm to third parties, then perhaps it would be appropriate to require that the user make his identity visible to the world. But with the net becoming a utility, a necessary part of simply being a citizen, it seems wrong that a person must divulge his personal contact information into an unrestricted database as the price of participation.
I just had an awful thought - the logic that is being used to require open access to whois could be equally applied to require the gathering and publishing the name, blood type, DNS sequence, etc of every newborn baby. Hello Mr. Orwell.
- I wonder what kinds of obligations that a registry/registrar must place on its employees? What I'm asking is whether an employing registry/registrar could be held negligent if it doesn't properly train or obligate its employees to protect privacy?
- .nl Why the *&!&*! are IP rights given automatic status as "legitimate"?!!! I would argue that if one goes down that path there is even a stronger right of a parent to check the medical records their childrens' playmates to see if their might carry infectuous diseases.
- Jane Mutimear on intellectual property uses of whois... Oh lordy, she's hopping onto the "consumer protection" bandwagon and wrapping the ip industry in the superhero suit of a neo-law enforcement agency. Are the law enforcement and consumer protection agencies in the UK so week that the intellectual property industry has to go forth and stop someone from collecting data on little girls or shipping defective batteries?
Oh now she's describing two companies that merge and only afterwords go out and try to get a domain name. Am I supposed to feel sympathy for business people who are simply stupid? What's next, am I going to be obligated to sell (or worse, to give) land to a company because I happened to figure out that a factory might want to expand onto that land before the business itself does?
Now she's claiming "due dilligence" requires ip folks to dig into whois - that kind of thing really could be satisfied by a distinct mechanism, something akin to a certificate of ownership issued by the registrar to its customer (perhaps for a small fee.)
Her answer that "intellectual property people are allowed to protect consumers because trademark arises originally to protect consumers" is interesting. My thought is to what extent the original idea that consumers should be able to identify and distinguish the source of goods and services can be stretched into other things?
I am hearing a request that ICANN become a consumer protection body.
The OECD person seems to be asking for "whois" to become a de facto business license.
FTC - Interesting to hear that they consider .usa to "not exist" - they seem to not recognizing competing roots and are incorrectly analyzing the situation based on the notion that there is but on single root. The proper analysis would be not on existance but rather that the seller was relying on the buyer being mislead as to the scope of visibility of the purchased domain name.
They are saying that supoena powers are a) too slow and b) limited to the US. I don't accept the "slow" argument - they could preprint a stack of 'em and simply fill in the blanks as needed. I am curious as to the hoops that they have to jump through in order to issue a supoena.
Questions from floor -
Milton's question about allocation of costs - I want to hear the answer as well. it seems that much of what is happening here is the shifting of costs, that it is attractive for those who can offload costs onto others to do so.
Alan Davidson - Raised point that without privacy people would build structures to mask their identity.
Also asked - for example, why are telephone numbers being collected? The answer from .nl was that technical people need to reach one another to fix things. My own thought was "OK, that may be acceptable, but does that justify giving full phone numbers to everybody?"
Me - I never got an answer on my question on having explicit third party beneficiary rights in the registrar accredition agreement (RAA) so that consumers would have a legal basis to initiate actions to redress perceived violations to their rights.
Thought of my own - I believe most of the concerns of ip folks and law enforcement, and even consumer deception, arise out of a weakness in the technical architecture of the internet. If the net had a viable and deployed end-to-end system of identification and authentication that is applied on connections then one would always have a solid verifiable way of finding out who they are connecting to. (The identification might only be to the level of a certificate of some kind, requiring one to work backwards up some chain. Consumers/users would have to learn to refuse to deal with those who they can not adequately.)
We are running into a clock-based cut-off of discussion - and there are several people standing in line. I see no reason not to continue into the lunch period.
More later...Posted by karl at June 24, 2003 7:56 AM