Thank you Karl Your steps are exactly what I had in mind. You're right - it will take time, and cost. But could we all please start on this journey. Holly On 20/01/2013, at 8:48 PM, Karl Auerbach wrote:
On 01/19/2013 05:05 PM, Holly Raiche wrote:
For me (and I suspect you), the hard bit will be working out what amount to legitimate rights to what data - and ensuring that there is a process to ensure that any access that is granted is only done after the bona fides of the access seeker and reasons for access are established.
Thanks for returning us to a rational, and I hope, productive discussion. (By-the-way, if you, or anyone else reading this, are ever in the Monterey Bay area of California and want to chat about details of this stuff drop me a note offline.)
The balance of rights is something that I sense needs to be muddled-through via our well trod path of declarations of rules that are adjusted through use in actual situations. For example, simply identifying people making inquiries is hard enough; proving that identity is even harder.
Personally I tend to lean towards the "privacy" - because one can usually remedy an incorrect decision to protect privacy when such protection is not warranted. But the converse is not true - once privacy is breached it is hard to put the information back into the bottle.
Over the last dozen years I've posited variations on a general process that would be largely, but not entirely, mechanical. The nugget of difficult has always been that "not entirely mechanical" part.
Procedure does not scare me - perhaps that is because as an attorney I have learned that good and fair procedure is very, very important. I am very scared about rushes to judgment that trample sane and deliberate processes or, even worse, "Ox Bow Incident" vigilantism.
I do think that some WHOIS access procedural aspects can be set forth:
1. Every query would be recorded and that record would persist for at least a couple of years.
2. There would be some means so that data subjects (domain name owners) could obtain records of those queries that relate to their domain names.
3. Anyone who wants to make an inquiry must identify himself and present proofs of that identity. That identify and at least a summery of the proofs would be saved in the access record. (People who make a lot of inquiries, such as IP protection attorneys might pre-establish identities and credentials to make the process faster and reduce costs.)
4. The person making the inquiry would have to assert that some cognizable legal right of that person is being violated by the accused domain name owner. That assertion would have to be fairly specific and be backed by some specific evidence to back that assertion. This accusation and evidence would be saved in the access record and thus be available to the data subject. This could be fairly formulaic - there could be a checklist of common accusations and I am sure that supporting evidence would soon assume a rather standard shape and form.
5. The person making the inquiry would have to put up some $$ to cover the cost of processing the inquiry and also to serve as a bond (payable to the data subject) if the inquiry is found to be frivolous or abusive. The bond portion would be returned after some period of time - perhaps 90 days? (Lest one think that this puts all the costs onto the person making the inquiry, I note that the domain name owner has paid a yearly registry fee and ICANN fee. And that a name that is successfully challenged does not give rise to a refund for those fees.)
6. Unless someone can come up with some sort of super-Turing tool to examine the accusations and evidence, there would have to be some quick and fast review of the accusation and evidence by a human. This is the step that is the most troublesome in terms of cost and delay. If this review sees no clear problem then the data access is granted.
7. A periodic summary of all accesses for each name would be sent to the domain name owner. This would allow the name owner to know who is asking about his names, understand the accusations being made, and see the evidence being presented. (Remember, by this time the record has already been made available to the person making the inquiry.) This would allow the name owner to raise a challenge to sufficiency. Such challenges would be reviewed by someone other than the original reviewer of the initial accusation. If the accusation is found inadequate the bond would be paid to the name owner to at least partially compensate for the violation of their privacy. (This payment ought not be construed as a waiver of any rights to civil action that the domain name owner might have against the accuser for making false accusations or representations.)
8. A periodic gazette (web page) would summarize to the public what names are being inquired-of, who is making the largest numbers of inquiries (broken down by accusation type, success/failure counts, etc) This would let the public see who are being domain name trolls.
This is not a free system, and it has friction - which is quite intentional. I have concern that it would take some work to build the machinery and operate it, and that the human steps could cost too much (more than a few dollars per event would be too much) or that it could become merely a rubber stamp. ICANN's new gTLD program has shown us how little things can be ballooned into bloated, expensive, systems of Rube-Goldberg complexity.
...What the Whois Final Report did say is that, if people are more confident about having their privacy respected, they will have less reason to provide false information. At that point, ICANN can and should insist on complete and accurate data being provided.
This is a very good point that ought to carry a lot of weight.
--karl--