On 08/09/2008 12:40, "Patrick Vande Walle" <patrick@vande-walle.eu> wrote:
Being new to the ALAC, I am not sure what the process is to reply to this document from the ALAC side or if we want to reply at all. Actually, this is the study I would have liked to see years ago, when the whois issues were first discussed in ICANN circles.
Here are some concerns I have. Feel free to read it, keep it or trash it as you see fit.
Patrick
Area 1 WHOIS misuse studies
Although some registrars prevent automated email harvesting by allowing public web-based access to Whois registrant data only after the user deciphers a "captcha" image, it has been demonstrated in other contexts that captchas are now able to be machine deciphered, making them mostly useless against serious attacks.
While it is commonly mentioned that whois data is used for spamming purposes, other cases have been reported like identifying opponents and other people persecuted for their opinions.
Area 2 Compliance with data protection laws and the Registrar Accreditation Agreement
If local laws allow a registrant (natural person) to oppose the publication of his/her data in the whois, he/she should still be allowed to register a domain name. It should not be a prerequisite to surrender one's privacy to "gain the right" to buy a domain name.
Further analysis is needed regarding the export of registrant data from one country to another. It may be the case that a registrar located in country X is not allowed by law to export natural persons' data to a registry in country Y. This matter is further complicated if the registry subcontracts the technical backend to an operator with its registered address in country Z and its data operations in yet another country.
Area 5 Impact of WHOIS data protection on crime and abuse
It is important to define what is "the legitimate use of gTLD WHOIS data" and who are those entities, who can invoke it and how. Again, this is often dependent on local law.
Area 6 Proxy registrar compliance with law enforcement and dispute resolution requests
It may be true that some registrars operating proxy/privacy services are not revealing registrant data when requested in a UDRP proceeding. These registrars may be prevented from doing so under local law. UDRP is an arbitral, not a legal, process. Different rules may apply, depending on local law.
Area 7 WHOIS data accuracy and general considerations
As mentioned in RFC 3912: "The WHOIS protocol has not been internationalised. The WHOIS protocol has no mechanism for indicating the character set in use.[...] This inability to predict or express text encoding has adversely impacted the interoperability (and, therefore, usefulness) of the WHOIS protocol."
RFC 3912 further elaborates that: "The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing."
While this is outside the scope of the comments request, ALAC might suggest now or later that those who think the whois has some usefulness actually eat their own dogfood and go through the process of redesigning the whole whois protocol, rather than (ab)using the security holes in its current incarnation to serve their business interests.
On Mon, 8 Sep 2008 01:02:15 -0700, Nick Ashton-Hart <Nick.Ashton-Hart@icann.org> wrote:
The GNSO Council has requested the ALAC's views on the report recently prepared by the Whois Study Hypothesis Group.
The Council has requested that, if possible, comments should be sent by 16th October 2008, in order for them to be discussed in the Council meeting on that date.
The Report may be found at:
http://gnso.icann.org/issues/whois/whois-study-hypothesis-group-report-to-co... cil-26aug08.pdf
--
Regards,
Nick Ashton-Hart
Director for At-Large
Internet Corporation for Assigned Names and Numbers (ICANN)
Main Tel: +33 (450) 40 46 88
USA DD: +1 (310) 578-8637
Fax: +41 (22) 594-85-44
Mobile: +41 (79) 595 54-68
email: nick.ashton-hart@icann.org
Win IM: ashtonhart@hotmail.com / AIM/iSight: nashtonhart@mac.com / Skype: nashtonhart
Online Bio: https://www.linkedin.com/in/ashtonhart