Impressions from the Whois-Review
As an AtLarge delegate to the whois review team, I'd like to keep you informed. Of course I'll not talk about interna, but give you background about my activities. http://wwwneu.iks-jena.de/eng/Blog/That-s-the-way-it-always-have-been or http://wwwneu.iks-jena.de/Blog/Das-war-schon-immer-so Please note that "wwwneu.iks-jena.de" is a staging system, so please do blame me for errors and inconstencies.
2011/1/31 Lutz Donnerhacke <lutz@iks-jena.de>:
As an AtLarge delegate to the whois review team, I'd like to keep you informed. Of course I'll not talk about interna, but give you background about my activities.
http://wwwneu.iks-jena.de/eng/Blog/That-s-the-way-it-always-have-been or http://wwwneu.iks-jena.de/Blog/Das-war-schon-immer-so
Lutz, you make three assertions: 1. "Coming from AtLarge I do not have to follow economic interests or law enforcement needs, I'd even could ignore the laws itself by expressing end user concerns. I'll not deal with the discussions here or tell stories from the desk, that would only cause trouble." but then go on to comment about LEA use of WHOIS data: "Whois information are rubbishy for law enforcement. Serious crime will not give their real name to start their activities, they use stolen credit cards and forged identities. All those internet service providers and resellers out there can easily be fooled by serious criminals. And real criminals do run their own provider services itself. Nobody would even consider such a worldwide identification scheme for normal internet access today." "Whois information is unusable for law enforcement. Current Whois services are often used to solve low level internet crime." Every time we have heard from law enforcement, there is ongoing and legitimate use of WHOIS, and it does manage to be very useful. At present time, I am involved with two cases, one a spamming case, and the other a phishing incident. In both instances, WHOIS has proven to be very helpful. Despite your dismissing WHOIS as not being useful, I can state unequivocally that this is incorrect. The spammer has left dozens of clues that have allowed us to identify the individual behind the incident, and with the phishers, WHOIS allowed us to protectively block tens of millions of very malicious (malware payload) phishing emails from hitting their intended targets. WHOIS is also used by researchers who assist law enforcement in their preparation of cases. This happens daily, constantly. Obviously, I am unable to speak with specifics in either case at present time, but it is with 100% assuredness that I can say that without WHOIS, we would find it impossible to file charges. As it is, we are much more further along in that regard. Neil Schwartzman Executive Director, CAUCE
* Neil Schwartzman wrote:
1. "Coming from AtLarge I do not have to follow economic interests or law enforcement needs, I'd even could ignore the laws itself by expressing end user concerns. I'll not deal with the discussions here or tell stories from the desk, that would only cause trouble."
And full stop here. All following text could be written before any meeting. It's my personal view to whois. (Please do not remove the "troublemaker", it's the context of the sentences you quoted.)
"Whois information are rubbishy for law enforcement. Serious crime will not give their real name to start their activities, they use stolen credit cards and forged identities. All those internet service providers and resellers out there can easily be fooled by serious criminals. And real criminals do run their own provider services itself. Nobody would even consider such a worldwide identification scheme for normal internet access today."
"Whois information is unusable for law enforcement. Current Whois services are often used to solve low level internet crime."
Every time we have heard from law enforcement, there is ongoing and legitimate use of WHOIS, and it does manage to be very useful.
Every time I ask the law enforcement people, they tell me the above. You might have an ear on the recording (day 2) to find out, what they said. Or wait for the transcript.
At present time, I am involved with two cases, one a spamming case, and the other a phishing incident. In both instances, WHOIS has proven to be very helpful. Despite your dismissing WHOIS as not being useful, I can state unequivocally that this is incorrect. The spammer has left dozens of clues that have allowed us to identify the individual behind the incident, and with the phishers, WHOIS allowed us to protectively block tens of millions of very malicious (malware payload) phishing emails from hitting their intended targets.
You seem to refer to IP addresses. Normally you have a look into the route registry (or better the live BGP4 data) to find the injecting autonoumous system and ask there. Whois will you point to the same provider, if it contains correct data. There is no time difference between both methods: 1) router> show bgp ipvX unicast XXXXXX -- Obtain injecting AS 2) Query the AS contact details from the regional internet registry 3) Query the end user data from the ISP.
WHOIS is also used by researchers who assist law enforcement in their preparation of cases. This happens daily, constantly.
Of course, because it's there. My first point on my list is to check the changes in the general framework since 1978. I fear, that Whois is illegal.
Obviously, I am unable to speak with specifics in either case at present time, but it is with 100% assuredness that I can say that without WHOIS, we would find it impossible to file charges. As it is, we are much more further along in that regard.
That's bullshit. Whois makes it easy. But it's not necessary.
That's bullshit. Whois makes it easy. But it's not necessary.
It's unlikely to reflect well on the ALAC or yourself to reject Neil's expertise simply because it contradicts your personal preferences. I talk to many of the same law enforcement people that Neil does, and I hear the same thing: even in its current imperfect form WHOIS is an invaluable tool for tracking down the criminals who prey on the non-technical users that the ALAC purportedly represents. You may not like it, but it's the truth. Arguments about what's "necessary" are silly. The DNS isn't "necessary". Telephones aren't "necessary". E-mail isn't "necessary". We could just grab big sticks and run off and hunt the bad guys. I really wish that the ALAC would get over the 1990s idea that somehow it represents the tiny handful of individual vanity domain registrants (such as me) in preference to the vast majority of users who have never registered a domain and never will. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
On 31 January 2011 11:37, John R. Levine <johnl@iecc.com> wrote:
I really wish that the ALAC would get over the 1990s idea that somehow it represents the tiny handful of individual vanity domain registrants (such as me) in preference to the vast majority of users who have never registered a domain and never will.
Pardon? I hope I'm not lumped in with that description. Registrants are -- at least in the ICANN flowchart -- supposely represented by the non-contracted house of GNSO. Whether that's an appropriate or effective vehicle for their interests is a different debate, But At-Large is (always in theory and increasingly in practise) about the individual end user -- I still bristle at the term "consumer" because even that implies financial transaction. It has taken some time finding its feet but I don't think that the ALAC of today speaks to the vanity interests you speak of. Indeed, privacy advocates have (at least in my experience) found At-Large to be not particularly friendly to the notion that domain owners have the unrestricted right to hide. - Evan
Hi, I would have to agree. At-Large seems to care far more about the Law Enforcement point of view than it has cared about the Privacy point of view. I have felt an ever increasing Law and Order posture in At-Large over the last years. Those arguing for Privacy are definitely in the minority. a. On 31 Jan 2011, at 11:53, Evan Leibovitch wrote:
On 31 January 2011 11:37, John R. Levine <johnl@iecc.com> wrote:
I really wish that the ALAC would get over the 1990s idea that somehow it represents the tiny handful of individual vanity domain registrants (such as me) in preference to the vast majority of users who have never registered a domain and never will.
Pardon?
I hope I'm not lumped in with that description.
Registrants are -- at least in the ICANN flowchart -- supposely represented by the non-contracted house of GNSO. Whether that's an appropriate or effective vehicle for their interests is a different debate,
But At-Large is (always in theory and increasingly in practise) about the individual end user -- I still bristle at the term "consumer" because even that implies financial transaction. It has taken some time finding its feet but I don't think that the ALAC of today speaks to the vanity interests you speak of. Indeed, privacy advocates have (at least in my experience) found At-Large to be not particularly friendly to the notion that domain owners have the unrestricted right to hide.
- Evan _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
I argue for balance between both. Omar 2011/1/31 Avri Doria <avri@acm.org>:
Hi,
I would have to agree.
At-Large seems to care far more about the Law Enforcement point of view than it has cared about the Privacy point of view.
I have felt an ever increasing Law and Order posture in At-Large over the last years. Those arguing for Privacy are definitely in the minority.
a.
On 31 Jan 2011, at 11:53, Evan Leibovitch wrote:
On 31 January 2011 11:37, John R. Levine <johnl@iecc.com> wrote:
I really wish that the ALAC would get over the 1990s idea that somehow it represents the tiny handful of individual vanity domain registrants (such as me) in preference to the vast majority of users who have never registered a domain and never will.
Pardon?
I hope I'm not lumped in with that description.
Registrants are -- at least in the ICANN flowchart -- supposely represented by the non-contracted house of GNSO. Whether that's an appropriate or effective vehicle for their interests is a different debate,
But At-Large is (always in theory and increasingly in practise) about the individual end user -- I still bristle at the term "consumer" because even that implies financial transaction. It has taken some time finding its feet but I don't think that the ALAC of today speaks to the vanity interests you speak of. Indeed, privacy advocates have (at least in my experience) found At-Large to be not particularly friendly to the notion that domain owners have the unrestricted right to hide.
- Evan _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
I have felt an ever increasing Law and Order posture in At-Large over the last years. Those arguing for Privacy are definitely in the minority.
Well, OK. Every day, Internet users get several billion spam messages. Most are filtered out, at substantial cost which is primarily borne by the users, but plenty are not. They get phishes, trying to steal their personal info. They get ads for fake drugs, which can kill or mail them (such as fake AIDS drugs) and again deceive people into giving up their personal info. The phishes and fake drugs invariably collect the victims' info through web sites, and the WHOIS info about those web sites is an important tool to both formal law enforcement an informal investigations by ISPs and others. The harder it is to get info from WHOIS, the easier life is for the crooks. Does ICANN have any interest in the privacy of spam and phishing victims? The answer I'm hearing is no, because the rights of the handful of people who have paid ICANN to care, by registering a domain, are more important. Let me know if I've missed anything. For any arguments along the lines that nobody needs WHOIS to track down phishes and fake drugs, please explain why you need your vanity domain, and why your need is more important. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Jon, Why I agree the WHOIS needs to be accurate and may be non-obfuscated (I'm still undecided on this one, if there is a way to check emails sent to contacts are received and replied to), your arguments are the same as clamping on freedom to gain security and you will deserve neither. If people are too stupid, so may be, let it be? But what is dangerous, is that it creates an underground economy that creates a real organised crime that has implication on by-standers. My argument, is the Whois is a mess, it is a bad job, it reflects poorly on ICANN as the keeper of records. It needs to be fixed, once records are well kept we can decide who has access to it. Cheers ----- Original Message ----- From: "John R. Levine" <johnl@iecc.com> To: "At-Large Worldwide" <at-large@atlarge-lists.icann.org> Sent: Tuesday, 1 February, 2011 9:37:28 AM Subject: Re: [At-Large] privacy, was Impressions from the Whois-Review
I have felt an ever increasing Law and Order posture in At-Large over the last years. Those arguing for Privacy are definitely in the minority.
Well, OK. Every day, Internet users get several billion spam messages. Most are filtered out, at substantial cost which is primarily borne by the users, but plenty are not. They get phishes, trying to steal their personal info. They get ads for fake drugs, which can kill or mail them (such as fake AIDS drugs) and again deceive people into giving up their personal info. The phishes and fake drugs invariably collect the victims' info through web sites, and the WHOIS info about those web sites is an important tool to both formal law enforcement an informal investigations by ISPs and others. The harder it is to get info from WHOIS, the easier life is for the crooks. Does ICANN have any interest in the privacy of spam and phishing victims? The answer I'm hearing is no, because the rights of the handful of people who have paid ICANN to care, by registering a domain, are more important. Let me know if I've missed anything. For any arguments along the lines that nobody needs WHOIS to track down phishes and fake drugs, please explain why you need your vanity domain, and why your need is more important. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org
On 01/31/2011 01:12 PM, Franck Martin wrote:
Why I agree the WHOIS needs to be accurate and may be non-obfuscated
There is a completely lawful domain name business model in which there is *no* record made of who acquired a domain name. Rather control is vested into a digital certificate - much like a bearer bond - which can be issued without capturing identity and transferred entirely without knowledge of the registry (a non-repudiation database of transfers can be maintained by a third party.) At least one of the 40 applicants of year 2000 - who are still waiting for ICANN - used such a model. I do find it amusing that on one hand many of us whine when government bodies or industrial groups insist that ICANN create thus-and-so policy yet at the same time we say that it's just fine for us to insist that ICANN create this-and-that policy. Impositions on lawful activities are impositions on lawful activity whether those impositions are advocated by governments, industrial actors, or ICANN's so-called "at large advisory" groups. --karl--
There is a completely lawful domain name business model in which there is *no* record made of who acquired a domain name.
Hi. Before we continue, could you say whether the people who are bombarded with phishes and drug spam have any privacy rights, or are they reserved for people who've bought vanity domains? Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
On 01/31/2011 03:12 PM, John R. Levine wrote:
There is a completely lawful domain name business model in which there is *no* record made of who acquired a domain name.
Hi. Before we continue, could you say whether the people who are bombarded with phishes and drug spam have any privacy rights, or are they reserved for people who've bought vanity domains?
They have rights. They have the right to and to go to their legislators, get laws enacted, and get those laws enforced - all under constitutional procedures and constraints. ICANN is not a government; it is subject to no due process constraints nor is it constrained by any real political political process. I hate spam too - in fact I've argued for draconian measures - http://www.cavebear.com/cbblog-archives/000236.html But I hate vigilante action even more. --karl--
On 2011/02/01 01:32, Karl Auerbach wrote:
On 01/31/2011 03:12 PM, John R. Levine wrote:
There is a completely lawful domain name business model in which there is *no* record made of who acquired a domain name.
Hi. Before we continue, could you say whether the people who are bombarded with phishes and drug spam have any privacy rights, or are they reserved for people who've bought vanity domains?
They have rights. They have the right to and to go to their legislators, get laws enacted, and get those laws enforced - all under constitutional procedures and constraints.
Does that come free? Or does it cost somebody money? Perhaps tax payers? Already we see the (not so) small issue of budget constraints hampering law enforcement efforts. Also, if a spammer spams from one country to another, why should the recipient country be paying for it to protect their citizens? Remember the world does not end on US shores, we are now going internationally. What about those countries where something may not be illegal, but is propagated to you via the net and is illegal by you?
ICANN is not a government; it is subject to no due process constraints nor is it constrained by any real political political process.
I hate spam too - in fact I've argued for draconian measures - http://www.cavebear.com/cbblog-archives/000236.html
But I hate vigilante action even more.
--karl--
I wish you would define the term "vigilante" in your own words and give us a few examples of such on the net. You have used it a few times, but it seems to be such a vague term in your usage and in this context. Ever heard of neighborhood watches, groups of society protecting their own within the bounds of the law and in cooperation with law enforcement? Why should the virtual world not be afforded that luxury? If you were walking down the road and saw a car was about to knock over a pedestrian next to you, would you yank him/her out of the way, or turn away since you are not a traffic officer, also not note the registration details for the same reason? As a matter of interest: How many domain owners are there? How many internet users in total? How many domain owners are harmed (either physically or indirectly/financially) per annum vs non domain owners, all due to abuse arising on the net and linked to domains. How much money is lost on the internet annually due to fraud? How much is recovered? How many cases are actually investigated? It is fine to get all philosophical and preach "constitutional procedures", but doing a reality check, that does not happen overnight and definitely not overnight internationally. We also need to note the track record of such (CAN-SPAM Act?). Did we not recently see what happens when "laws" get enforced?: Egypt? Libya terminating unacceptable .ly domains? ... I guess these approaches are about as delicate a performing open heart surgery with a jack hammer. It seems to me the rules are made for those good upstanding netizens, while at the same time creating a climate for the perfect crime storm for those that disregard them. What do we do in the meantime? Does issues pertaining to the ordinary Internet user get discussed here, or only domain owners and then only a certain subset of those domain owners? Derek
It is in every gTLD contract that they must provide a whois service. but if it is to do THAT whois service, then it is a joke and the onus is on ICANN to set the rules to insure consistency and accuracy. ----- Original Message ----- From: "Karl Auerbach" <karl@cavebear.com> To: at-large@atlarge-lists.icann.org Sent: Tuesday, 1 February, 2011 11:48:15 AM Subject: Re: [At-Large] privacy, was Impressions from the Whois-Review On 01/31/2011 01:12 PM, Franck Martin wrote:
Why I agree the WHOIS needs to be accurate and may be non-obfuscated
There is a completely lawful domain name business model in which there is *no* record made of who acquired a domain name. Rather control is vested into a digital certificate - much like a bearer bond - which can be issued without capturing identity and transferred entirely without knowledge of the registry (a non-repudiation database of transfers can be maintained by a third party.) At least one of the 40 applicants of year 2000 - who are still waiting for ICANN - used such a model. I do find it amusing that on one hand many of us whine when government bodies or industrial groups insist that ICANN create thus-and-so policy yet at the same time we say that it's just fine for us to insist that ICANN create this-and-that policy. Impositions on lawful activities are impositions on lawful activity whether those impositions are advocated by governments, industrial actors, or ICANN's so-called "at large advisory" groups. --karl-- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org
On 31 January 2011 17:48, Karl Auerbach <karl@cavebear.com> wrote:
I do find it amusing that on one hand many of us whine when government bodies or industrial groups insist that ICANN create thus-and-so policy yet at the same time we say that it's just fine for us to insist that ICANN create this-and-that policy.
I'm glad you find this amusing.
Impositions on lawful activities are impositions on lawful activity whether those impositions are advocated by governments, industrial actors, or ICANN's so-called "at large advisory" groups.
So when you disagree with us, you use double quotes? Is that your way of offering amusement in return? Worked for me. - Evan
* John R. Levine wrote:
Let me know if I've missed anything.
You missed the plain point, that it is unconstitutional, illegitimate and bad tast to collect and publish personal data from zillions of innocent people in order to do a personal fight. Why do you assume, that bad guys are honest enough to announce their real data directly before doing bad things? I'll not repeat my blog article here.
You missed the plain point, that it is unconstitutional, illegitimate and bad tast to collect and publish personal data from zillions of innocent people in order to do a personal fight.
I won't begin to ask what constitution you're referring to, and why you think it applies here.
Why do you assume, that bad guys are honest enough to announce their real data directly before doing bad things?
Because, to a surprising extent, they do. We have real experience that show that they do. It would be nice if people acted on actual facts rather than imaginary preconceptions. R's, John
----- Original Message -----
From: "Lutz Donnerhacke" <lutz@iks-jena.de> To: at-large@atlarge-lists.icann.org Sent: Tuesday, 1 February, 2011 4:04:32 PM Subject: Re: [At-Large] privacy, was Impressions from the Whois-Review * John R. Levine wrote:
Let me know if I've missed anything.
You missed the plain point, that it is unconstitutional, illegitimate and bad tast to collect and publish personal data from zillions of innocent people in order to do a personal fight. Why do you assume, that bad guys are honest enough to announce their real data directly before doing bad things?
What is the business of D&B again? http://en.wikipedia.org/wiki/D%26B How the whois is different?
* Franck Martin wrote:
What is the business of D&B again? How the whois is different?
There is no ICANN policy to add every domain or ip space holder into the databases of D&B with full private contact details and no policy to grant everbody an unrestricted and public access to this database.
On 31 Jan 2011, at 21:37, John R. Levine wrote:
Does ICANN have any interest in the privacy of spam and phishing victims? The answer I'm hearing is no, because the rights of the handful of people who have paid ICANN to care, by registering a domain, are more important.
Let me know if I've missed anything. For any arguments along the lines that nobody needs WHOIS to track down phishes and fake drugs, please explain why you need your vanity domain, and why your need is more important.
One thing we all agree on is that criminals need to be tracked. Of course, we need a record of who has registered domain names. The fundamental question is who gets to see the full details of a registrant. I am advocating that one should show sufficient authority to do so. Please note that this does not apply only to what you consider "vanity domains". Under law over here, even the name of your employer is considered private information. One should never register a domain name for his/her employer if he want privacy. Patrick
At the risk of getting too far out of my league (I don't get to do policy work professionally), here are my CAD$0.02: On 31 January 2011 12:55, Avri Doria <avri@acm.org> wrote:
At-Large seems to care far more about the Law Enforcement point of view than it has cared about the Privacy point of view.
I guess I'd frame it differently, because I don't consider this a law enforcement issue. It's only become that way because privacy advocates want to obfuscate domain ownership (using proxies, etc) in such a way that would require intervention through law-enforcement methods (ie, court orders). If I had my way, WHOIS records would be sufficiently accurate and complete so that any end-user could locate a registrant WITHOUT the need for law-enforcement intervention. If anything, I'm trying to eliminate the legal system from the path between registrant and end-user by eliminating the levels of obfuscation that require it. I don't want the police having any more access than I would have as an individual -- that is, I want all of us to have equally accurate contact information for registrants. So .. rather than advocating "law and order" (which is generally a euphamism for pro-law-enforcement) I'd say that I'm advancing this as a position of justice -- one that allows end-users to identify the registrants that may be using their domain to spread lies, fraud, obscenities and misrepresentations -- some (but not all) of which may be illegal. I don't know of any jurisdiction in which a collective legal entity (for-profit corporation, non-profit organization, unincorporated business name) can be registered without a requirement for completeness and accuracy of its registration information. I find it frankly baffling that there are those who condone subversion of the intent of WHOIS, for I don't even consider this a freedom-of-speech issue. One can have a finely anonymous voice on the Internet without needing one's own domain name. At least I would ask for some honesty, in that obfuscation advocates should argue for the elimination of WHOIS rather than its survival with knowingly (or worse, approvingly) unstable data. I have felt an ever increasing Law and Order posture in At-Large over the
last years. Those arguing for Privacy are definitely in the minority.
You've badly mis-characterized the 'posture', which IMO defends privacy at the individual level but does not extent it as a right to disembodied registrants. This position rejects the notion that personal domain ownership is a mandatory prerequisite of free speech. And it's not a "law and order" stance for reasons described above. However, you've accurately identified the trend, which indicates that At-Large is now (finally!) starting to reflect the reality that most of the world's Internet end-users are not registrants. In this context, the end-user's desire for registrant responsibility runs counter to (and, within At-Large, trumps) the registrant's appeal to "privacy" as a dodge from said responsibility. Just my personal opinion, - Evan
On 31 Jan 2011, at 15:56, Evan Leibovitch wrote:
It's only become that way because privacy advocates want to obfuscate domain ownership (using proxies, etc) in such a way that would require intervention through law-enforcement methods (ie, court orders).
I would not call that obfuscation. I would call it protecting our rights. And why shouldn't due process be required? What I term Law and Order is when people want to skip the due process step and take the law into their own hands. By law in many countries, my telephone number and address are private and there is no way i can be forced to tell them to the world as a private individual unless the court agrees that there is a good reason. I am thankful for proxies that allow me to tell the truth on my registrations and keep the bad guys away from my door and stop them from calling me at dinner time. And as a user, I will grateful when I know that if I need to find a registrant who is abusing me, I will be able to work through the proxy and the courts to have that dealt with. The key is to make sure that registrants give accurate info and that proxy operators and registrars respond to lawful due process. And yes, the tools and policy need to fixed to make this possible. But as long as the those who insist that everyone hang out on the network with all of their private information exposed, it is my guess that this will never happen. a.
On 31 January 2011 16:53, Avri Doria <avri@acm.org> wrote:
It's only become that way because privacy advocates want to obfuscate domain ownership (using proxies, etc) in such a way that would require intervention through law-enforcement methods (ie, court orders).
I would not call that obfuscation. I would call it protecting our rights.
"Our" meaning registrants, at the expense of the rights of end-users. I get that.
And why shouldn't due process be required?
Why should it? Why should law enforcement -- and the need to acquire legal assistance (ie, $$) be a requirement of getting in contact with someone who may have done something as simple as a small factual error or as major as call for you to be killed (hate crime is not recognized in all jurisdictions)? Why shouldn't third parties who are not law enforcement be able to verify the accuracy of the information provided?
By law in many countries, my telephone number and address are private and there is no way i can be forced to tell them to the world as a private individual unless the court agrees that there is a good reason.
In most of these same countries, contact information for corporations, NGOs, trademark owners and registered business names are publicly searchable. I've used some of these search facilities myself. Some require payment for the search but none requires law enforcement support. Most governments and people can understand the distinction between the level of rights afforded individuals and the rights given disembodied entities. In this debate, it seems that advocates for registrant privacy deliberately blur the distinction. The key is to make sure that registrants give accurate info and that proxy
operators and registrars respond to lawful due process.
How will you deal with bad actors who go jurisdiction shopping, seeking environments for registrars and/or proxies where due process is so prohibitively expensive as to be effectively impossible to all but the rich? - Evan
On 01/31/2011 03:11 PM, Evan Leibovitch wrote:
Why shouldn't third parties who are not law enforcement be able to verify the accuracy of the information provided?
That same argument can be made that for public health purposes that each and every one of us have our entire history of sex partners published, 24x7, for anonymous access by any one for any purpose. There is a thing called privacy. As for law enforcement - even if they read an open telephone directory they are obligated, at least in the US, to adhere to due process constraints and are (arguably) supervised by courts, legislatures, executives, and the political process. Private actors are not so constrained. Simply put - law enforcement issues are outside of the whois access debates becase law enforcement already has access powers that are outside of those exercised by private actors and because those powers are already governed by due process constraints and oversight. And simply put again - if someone wants to access whois they ought to be obligated to put their name and cards on the table and into a permanent record, backed by a concrete and specific accusation, backed by concrete evidence, and agree to an enforceable contract that constrains use and third party transfers of the data - before they get to see the goods. --karl--
Asked and answered. There is a distinction -- that most people and governments seem perfectly capable of making -- between the rights of individuals and the rights of disembodied entities. This distinction appears to be totally lost on advocates of registrant privacy. Just as any business, trademark or non-profit can be casually and easily traced its owners/stakeholders -- even in jurisdictions that put huge value on the privacy of individuals -- so should domains. - Evan On 31 January 2011 18:27, Karl Auerbach <karl@cavebear.com> wrote:
On 01/31/2011 03:11 PM, Evan Leibovitch wrote:
Why shouldn't third parties who are not law enforcement be able to verify the accuracy of the information provided?
That same argument can be made that for public health purposes that each and every one of us have our entire history of sex partners published, 24x7, for anonymous access by any one for any purpose.
There is a thing called privacy.
As for law enforcement - even if they read an open telephone directory they are obligated, at least in the US, to adhere to due process constraints and are (arguably) supervised by courts, legislatures, executives, and the political process. Private actors are not so constrained.
Simply put - law enforcement issues are outside of the whois access debates becase law enforcement already has access powers that are outside of those exercised by private actors and because those powers are already governed by due process constraints and oversight.
And simply put again - if someone wants to access whois they ought to be obligated to put their name and cards on the table and into a permanent record, backed by a concrete and specific accusation, backed by concrete evidence, and agree to an enforceable contract that constrains use and third party transfers of the data - before they get to see the goods.
--karl-- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
-- Evan Leibovitch, Toronto Canada Em: evan at telly dot org Sk: evanleibovitch Tw: el56
On 01/31/2011 04:34 PM, Evan Leibovitch wrote:
There is a distinction -- that most people and governments seem perfectly capable of making -- between the rights of individuals and the rights of disembodied entities. This distinction appears to be totally lost on advocates of registrant privacy.
OK, if it is so obvious, then I need an education - so please give me a pointer to this distinction. I'll even accept a wikipedia article explaining why corporate privacy is OK while human privacy is not, and why due process procedures to penetrate corporate privacy are acceptable but similar procedures are unacceptable when the data subject is a human being. I claim that such a distinction does not exist - particularly in light of the recent "Citizens United" supreme court case - or that it is the inverse of the direction that you claim, i.e. that fictional persons are less deserving of privacy protection than corporate entities. And, if we look at the US foundation of constitutional (as opposed to legislative) privacy - Griswold v Connecticut - we would see that privacy ought to be greater for humans than for corporations.
Just as any business, trademark or non-profit can be casually and easily traced its owners/stakeholders -- even in jurisdictions that put huge value on the privacy of individuals -- so should domains.
"casually and easily"? When was the last time you tried to penetrate a corporate entity that wanted to hide its ownership or control? Or even one, particularly a closely held [i.e. small number of owners] corporation, that does just the routine registrations with no intent to try to hide? It can be nearly impossible, even given governmental and law enforcement powers of access. And in the US some states (such as Delaware) attract corporate registrations by making corporate penetration difficult. It gets more fun with layers of corporations especially if some of 'em are in other countries. And it can be 100% legal in all jurisdictions involved. --karl--
On 2011/01/31 23:53, Avri Doria wrote:
On 31 Jan 2011, at 15:56, Evan Leibovitch wrote:
It's only become that way because privacy advocates want to obfuscate domain ownership (using proxies, etc) in such a way that would require intervention through law-enforcement methods (ie, court orders).
I would not call that obfuscation. I would call it protecting our rights. And why shouldn't due process be required?
What I term Law and Order is when people want to skip the due process step and take the law into their own hands.
What do we call it when registrars and resellers abuse the trust put in them, allowing parties to register anonymously knowing full well - even encouraging a certain segment of the domain owner market that targets innocent parties on the net via malware/spam/fraud, yet hide the existence of non-existing real end user details behind layers of laywers in disprate jurisdictions, deliberately so as to frustrate law enforcement that may wish to follow due process on behalf of the defrauded victims (who we also supposed to be represented here) I pointed this out previously, nobody cared to comment.
.....
I am thankful for proxies that allow me to tell the truth on my registrations and keep the bad guys away from my door and stop them from calling me at dinner time. And as a user, I will grateful when I know that if I need to find a registrant who is abusing me, I will be able to work through the proxy and the courts to have that dealt with.
I agree with the first part. However do you believe that due process will succeed in all cases? In most cases? Or will you perhaps reach a dead end? And after how much expense? And at whose cost? And at what harm?
The key is to make sure that registrants give accurate info and that proxy operators and registrars respond to lawful due process.
Agreed 101%. I would also like to impose that condition on proxy providers.
But as long as the those who insist that everyone hang out on the network with all of their private information exposed, it is my guess that this will never happen.
As you already said, the tools are there; "I am thankful for proxies ...". So I do not agree with you here. However do you think that is why we have whois information like in the following domain: horizonbanck.com My geographical knowledge may not be the best in the world, but even I know Thailand is not in the USA. I have to be no genius to tell you the telephone number is bad. All we have is an anonymous difficult to trace email address. There certainly is a desire for more than privacy by the registrant here, in fact anonymity. However a UDRP would be too slow a process and we need to ask why such domains exist and how come it is possible that they enter the system. We also need to ask how many such domains enter the system per day and their potential for harm to any unwitting internet user. Unwitting is not illegal. However, what about the actions of the domain owner? Incidentally, thanks to whois data that is open, we see this registrant is a repeat offender, spoofing the Reserve Bank of India. So who will we defend here - the victim or the domain owner? That brings us to a basic reality. Domains such as these, some with obviously bad whois details, some with seemingly credible though equally fake registration details and many hidden behind proxies, are registered daily and for equally nefarious purposes. The system is broken at grass roots level. To fix it and protect more domain registrants and general internet users in a long term solution, we would have to have a system whereby the registrant details are verified before any form of domain registration would be accepted. Blind faith, as long as you pay the domain registration fees, does not work. Furthermore, any domain linked to commercial activity should not be using a proxy. Are we going to deny any party the right to know who he is dealing with? Contact details on a web page is just that, details on a page. We cannot use the car registration plate databases as examples for domains. The take on processes differs vastly - verified versus unverified. This would only be a painful process the first time as future registrations could piggyback on the initial registration. Where in the rest of respectable commerce and industry do you find anybody willingly act as a proxy for a party you do not know and have not verified? Trying to now use unverified details and give it a veneer of respectibility by hiding garbage info behind a proxy (many times themselves unverified and not a natural or legal person), would be like trying to hide the dog's mess in a cupboard. Sooner or later it is bound to stink. Ignore it even longer and anybody close may be susceptible to disease or whatever is morphing in that cupboard. Yet this is exactly what we are seeing and trying to do with domains. It's simple: junk in, junk out. Some may say that I am now tarnishing innocent domain registrants, however by the same token domain ownership bears responsibility. Separate the two and we have the joke that is the WHOIS system at the start of 2011. The few spoil it for the bulk. Derek
On 01/31/2011 03:35 PM, Derek Smythe wrote:
I pointed this out previously, nobody cared to comment.
OK...
What do we call it when registrars and resellers abuse the trust put in them, allowing parties to register anonymously knowing full well - even encouraging a certain segment of the domain owner market that targets innocent parties on the net via malware/spam/fraud, yet hide the existence of non-existing real end user details behind layers of laywers in disprate jurisdictions, deliberately so as to frustrate law enforcement that may wish to follow due process on behalf of the defrauded victims (who we also supposed to be represented here)
Who imposed a duty of trust on registrars and resellers? What right - and I want chapter and verse, a full legal citation - gives that who the authority to impose those duties? If you want to pass a law imposing duties, then go for it. Such duties exist merely by assertion. As for "deliberately so as to frustrate law enforcement" - an act that is lawful - and and registering a domain name using an hard-to-penetrate intermediary (such as a corporation) is a lawful act. And last time I checked there is nothing in the US Constitution - and I am not aware of any such provision in other constitutions - that says that citizens exist for the benefit of the government or must conform their lawful activities for the convenience of law enforcement. Closing one's windows at night also is a deliberate act that would frustrate a police officer who is looking for burglers. So I guess that when I draw my blinds at night that I ought to be treated as a criminal? Attorney-client privilege also frustrates law enforcement. Should we abandon that privilege? Let me suggest that everyone here go out and read "The Oxbow Incident" and consider the dangers of making accusations and executing judgment without affording due process. --karl--
On 2011/02/01 02:11, Karl Auerbach wrote:
On 01/31/2011 03:35 PM, Derek Smythe wrote:
I pointed this out previously, nobody cared to comment.
OK...
What do we call it when registrars and resellers abuse the trust put in them, allowing parties to register anonymously knowing full well - even encouraging a certain segment of the domain owner market that targets innocent parties on the net via malware/spam/fraud, yet hide the existence of non-existing real end user details behind layers of laywers in disprate jurisdictions, deliberately so as to frustrate law enforcement that may wish to follow due process on behalf of the defrauded victims (who we also supposed to be represented here)
Who imposed a duty of trust on registrars and resellers? What right - and I want chapter and verse, a full legal citation - gives that who the authority to impose those duties?
If you want to pass a law imposing duties, then go for it. Such duties exist merely by assertion.
As for "deliberately so as to frustrate law enforcement" - an act that is lawful - and and registering a domain name using an hard-to-penetrate intermediary (such as a corporation) is a lawful act.
And last time I checked there is nothing in the US Constitution - and I am not aware of any such provision in other constitutions - that says that citizens exist for the benefit of the government or must conform their lawful activities for the convenience of law enforcement.
Closing one's windows at night also is a deliberate act that would frustrate a police officer who is looking for burglers. So I guess that when I draw my blinds at night that I ought to be treated as a criminal?
Attorney-client privilege also frustrates law enforcement. Should we abandon that privilege?
Let me suggest that everyone here go out and read "The Oxbow Incident" and consider the dangers of making accusations and executing judgment without affording due process.
--karl--
http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.3 So you scoff at this? This is the portioned being played behind a front of lawyers: http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.7.7.3 http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.7.7.9 Yet you actively target an abusive subsection of the market for your client base. You allow them to use fake shopfronts, spam etc. What fascinates me is that you can have an agreement with a non-existent party or a party who you do not know who it is, because you deliberately did not want to know, yet are willing to take his $10/$20 knowing full well you allow this and then afford them the protection of your legal team. Then the end user on the internet meets this: http://www.scribd.com/doc/45487838/Balsam-v-Tucows-No-09-17625-9th-Cir-Dec-1... (Off topic, in my personal experience Tucows is a fine Registrar that actually looks out for the end users on the net and does not condone deliberate abuse of their services) So, what protection does the casual internet user, who may or may not be a domain owner, have? Derek
On 01/31/2011 05:03 PM, Derek Smythe wrote:
http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3.3 So you scoff at this?
Why do you think that is relevant? Because of the lack of third party beneficiary rights neither you nor I have any rights to enforce it. It is simply a contract between ICANN and an ICANN guild member about the guild's products and sales practices. ICANN tself may be trumped by this in the US and by similar laws in other countries: http://www.law.cornell.edu/uscode/uscode15/usc_sec_15_00000001----000-.html The issue being discussed here is the same one that was discussed at the IFWP meetings before ICANN was even formed - the matter of how to protect privacy of domain name registration information (whois). The registrar agreements with ICANN are reflections of that issue, not the source of authority for that issue; those agreements can be changed to reflect policy changes.
What fascinates me is that you can have an agreement with a non-existent party or a party who you do not know who it is
No. A corporation is not a "non-existent" party; it is fully responsible and identifiable "person" under the law. But it is a "person" that can not be jailed, can be so thinly funded that it can't satisfy a judgment, and which would then have to be penetrated in order to find its owners (who themselves might be thin or offshore corporate entities.) The point is that we allow those corporate things to register domain names - yet they are really nothing more than a entry in a secretary of state's database - and yet start to scream against natural people who seek the same kind of privacy for their affairs.
So, what protection does the casual internet user, who may or may not be a domain owner, have?
Privacy protection? Under the lex-ICANNia, none. If a domain name owner has a mark, they've got the UDRP and other laws. If you get spam, then get your attorney general to act to enforce the laws that exist. He/she won't act - then get a new one using the political process (most of us elect our local attorney generals). --karl--
+1 John. On 2011/01/31 18:37, John R. Levine wrote: ....
I talk to many of the same law enforcement people that Neil does, and I hear the same thing: even in its current imperfect form WHOIS is an invaluable tool for tracking down the criminals who prey on the non-technical users that the ALAC purportedly represents. You may not like it, but it's the truth.
In fact this should be old news for Lutz, see http://www.icann.org/en/presentations/leibowitz-mar-26jun06.pdf: " In some instances, though, even inaccurate Whois information can be useful in tracking down Internet fraud operators. " [Jon Leibowitz, FTC] All I can say here is that whois details does serve to link together malicious and predatory behavior on the net, and in some cases prevent and defend ordinary Internet users from that abuse some put the net to, the usage of which includes domain names. Also, anybody wishing to refute that non-LE third parties play an important part in fighting Internet abuse, is not in touch with what is happening on the Internet currently. Derek
+1, but I will add some more here. Under 18 USC 1037(4) the use of false whois information of two or more domain names used in commercial e-mail is a crime. If the Whois information is considered useless, why would it be a crime to provide false information? False whois information has always been a factor in determining bad faith registration in ACPA and UDRP actions. And lets not forget the argument, that the FTC used for not requiring the labeling of spam; people who will disobey the rule will be breaking the law, so why bother having the rule? With that law, I'd like to suggest some other changes in the law, eliminate tax evasion laws because only tax evaders will break it.
+1 John.
On 2011/01/31 18:37, John R. Levine wrote: ....
I talk to many of the same law enforcement people that Neil does, and I hear the same thing: even in its current imperfect form WHOIS is an invaluable tool for tracking down the criminals who prey on the non-technical users that the ALAC purportedly represents. You may not like it, but it's the truth.
In fact this should be old news for Lutz, see http://www.icann.org/en/presentations/leibowitz-mar-26jun06.pdf: " In some instances, though, even inaccurate Whois information can be useful in tracking down Internet fraud operators. " [Jon Leibowitz, FTC]
All I can say here is that whois details does serve to link together malicious and predatory behavior on the net, and in some cases prevent and defend ordinary Internet users from that abuse some put the net to, the usage of which includes domain names.
Also, anybody wishing to refute that non-LE third parties play an important part in fighting Internet abuse, is not in touch with what is happening on the Internet currently.
Derek
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
On 01/31/2011 11:04 AM, Bill Silverstein wrote:
If the Whois information is considered useless, why would it be a crime to provide false information?
Because the intellectual property protection industry (of which I am a dues paying member) desires whois as an inexpensive extra-judicial means of tracking down those who we believe are offending against the trade and service marks of our clients. The goal is cheap and fast - fairness is not part of the equation. (By-the-way, I draw a big line between the intellectual property *protection* industry and the intellectual property *creation* industries.)
False whois information has always been a factor in determining bad faith registration in ACPA and UDRP actions.
Again, because it makes it easier, faster, and cheaper for intellectual property protection lawyers to take domain names away from people who may discomfort their clients even if under the laws of trade and service marks they would not have a leg to stand upon. The industry of intellectual property protection lawyers, is big in DC and big in ICANN. It's no wonder why the UDRP was a big expansion over trade and service mark law. The UDRP was designed only to protect trademarks; the UDRP does not protect other legitimate rights in names. "Bad faith" is only valid in the context of protecting trademarks. If one feels that the name of their family, their school, their religion, their god, their country is offended then the UDRP does not apply and neither does "bad faith". "Bad faith" is an invention of ICANN's UDRP; and the UDRP was ramrodded through ICANN during its very early days by the intellectual property protection constituency at a time before those contrary constituencies recognized by ICANN at the time had a chance to form. The drumbeat by the intellectual property protection industry for the UDRP was so intense that a request for a slow-down in the process in order to allow other voices to form - a request made by respected academics and professionals - people such as Larry Lessig - caused ICANN's own President to label those voices of reason as "arrogant" "juveniles". As for Savonarola and his bonfires - I take issue with the claim that just because the desire for domain names might be a vanity that we should therefore dispense with privacy and even anonymity. Trademark owners wouldn't be so hot to protect their marks if that vanity were not also valuable. It may be vain to own a diamond, but the diamond is valuable despite the vanity. Moreover events of the last few years in Asia and the last weeks in northern Africa are re-teaching the lesson that there are groups, governments, and people out there who will go to great lengths to silence voices that cause discomfort. Whois helps that suppression. As I wrote a few weeks back there are methods to introduce some degree of balance and fair process back into Whois access. The most basic being a requirement that those asking for whois data leave their own names and state the nature of their accusation and supporting evidence. Real law enforcement agencies are not part of the whois equation - those agencies have investigative powers beyond those of normal people. And along with those powers they are bound (we hope) by rules that conform the use of those powers to the requirements of due process and fairness. (A bigger question is not "whether law enforcement" but "who is law enforcement"?) --karl--
* Karl Auerbach wrote:
Real law enforcement agencies are not part of the whois equation
Unfortunly that's not correct. The AoC 9.3.1 set up the mandate for the review team as follows: ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust. [... organizational details ...] One can argue, that the review team is not allowed to even consider to think about the whois servies itself and it's access rules, but have to concentrate on the question how to reach a whois quality fitting the needs of law enforcment. Please wait for the transcript or hear into the recording. This question is obviously a starter item.
(A bigger question is not "whether law enforcement" but "who is law enforcement"?)
Exactly this question was considered as important enought to form a subgroup.
* Derek Smythe wrote:
In fact this should be old news for Lutz
I do understand the usefulness of whois. I do use it myself. I even wrote a paragraph about this use case (in the light of LA): : Whois information is unusable for law enforcement. Current Whois services : are often used to solve low level internet crime. Ten doller fraud does : not legitimate preidentification of all users of before accessing internet : services. Introducing a system like Whois today to fight low level crime : would be unconstitutional. And I do not want to remove whois alltogether: : If the review reveals use cases which are legitimate and worth to : perserve, Whois services must be restructured as "thin whois": A : hierarchical distributed database publishing only links to down reseller : chain. To query information from leafs, where data is originated, correct : and complete, the final response is covered by the protection of national : law. In the light of the RAA (every registrar has to provide whois services itself), the thin whois approach seems not that unlikely. OTOH, there might an other outcome : If the review reveals no legitimate use cases or a majroity of misuse, : Whois services need to be shut down.
John: I generally support the tone of your response but take exception o the coloration you place on ALAC's posture on WHOIS. I cannot accept that there cannot be a balance between the right to privacy and the right to know for those harmed by an act traceable to a domain. I certainly do not consider myself as a front for domain registrants and I strongly doubt others of the group would as well. I consider the requirement for WHOIS data for all registrants ordinary and well-intended. I consider the falsification of WHOIS data in a similar light to the falsification of any public record; incivil, at least. I consider the lax enforcement of recorded WHOIS data - especially the quality of it - by ICANN contrary to their own mediocre requirements and, for the most part, vacillatory. Carlton Samuels Chair, WHOIS WG At-Large ============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround ============================= On Mon, Jan 31, 2011 at 11:37 AM, John R. Levine <johnl@iecc.com> wrote:
That's bullshit. Whois makes it easy. But it's not necessary.
It's unlikely to reflect well on the ALAC or yourself to reject Neil's expertise simply because it contradicts your personal preferences.
I talk to many of the same law enforcement people that Neil does, and I hear the same thing: even in its current imperfect form WHOIS is an invaluable tool for tracking down the criminals who prey on the non-technical users that the ALAC purportedly represents. You may not like it, but it's the truth.
Arguments about what's "necessary" are silly. The DNS isn't "necessary". Telephones aren't "necessary". E-mail isn't "necessary". We could just grab big sticks and run off and hunt the bad guys.
I really wish that the ALAC would get over the 1990s idea that somehow it represents the tiny handful of individual vanity domain registrants (such as me) in preference to the vast majority of users who have never registered a domain and never will.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
I cannot accept that there cannot be a balance between the right to privacy and the right to know for those harmed by an act traceable to a domain.
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants, it is silly to argue that the two interests are of the same weight and also to argue, as many have over the past decade, that vanity registrants must not be put to any extra or effort at all if they don't want to be treated the same as the businesses and organizations that register the vast majority of domains. I also have to say that it is not helpful when people make claims, as we've seen recently, that WHOIS is useless for tracking miscreants, which is false, or that it's only used to research trivial misbehavior, which is equally false. It is also unhelpful when people refuse to recognize the scale of the modern Internet, in which web hosts routinely turn down thousands of domains every day for anti-social behavior. The real surprise is that they don't make more mistakes than they do. All of my own domains have accurate WHOIS info. I use a post office box to receive my mail, so they don't show my home address, which I don't think is an unreasonable burden. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Dear John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Why do you continue to call then vanity domains? I find that as offensive as some would probably find me referring to nosy commercial users who wanted to know my phone number and email so they could try to sell me stuff or try to get me to transfer my domain. Or if I referred to viscous lawyer users who want to scare me because I used some word in my blog that they find offensive to their client. With all due respect, a. On 2 Feb 2011, at 15:11, John R. Levine wrote:
I cannot accept that there cannot be a balance between the right to privacy and the right to know for those harmed by an act traceable to a domain.
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants, it is silly to argue that the two interests are of the same weight and also to argue, as many have over the past decade, that vanity registrants must not be put to any extra or effort at all if they don't want to be treated the same as the businesses and organizations that register the vast majority of domains.
I also have to say that it is not helpful when people make claims, as we've seen recently, that WHOIS is useless for tracking miscreants, which is false, or that it's only used to research trivial misbehavior, which is equally false. It is also unhelpful when people refuse to recognize the scale of the modern Internet, in which web hosts routinely turn down thousands of domains every day for anti-social behavior. The real surprise is that they don't make more mistakes than they do.
All of my own domains have accurate WHOIS info. I use a post office box to receive my mail, so they don't show my home address, which I don't think is an unreasonable burden.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
Avri, With due respect, you are making the same presumptions that you accuse John of. Firstly, the whois information is not to be used for marketing (see the terms). Second, you are talking about using "some word" but, you ignore the other part which there is truly is libel. Third, you ignore the commercial aspect, of you running your little (or big) online store and your customer has a problem. Or you are the one who is sending out the solicitation for the whois information, and I want to make sure you stop. You also ignore that when you register a domain name, you voluntarily agree to 3.7.7.1, 3.7.7.2 of the ICANN contract which requires TRUTHFUL information. Intentional provision of false information is fraud. There is a simple solution change the contract that permits a proxy service, but the proxy service will be liable for the use of the domain. That way, if web site operating using their domain name there is someone responsibility. Free speech has a cost, it is called responsibility.
Dear John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Why do you continue to call then vanity domains?
I find that as offensive as some would probably find me referring to nosy commercial users who wanted to know my phone number and email so they could try to sell me stuff or try to get me to transfer my domain. Or if I referred to viscous lawyer users who want to scare me because I used some word in my blog that they find offensive to their client.
With all due respect,
a.
On 2 Feb 2011, at 15:11, John R. Levine wrote:
I cannot accept that there cannot be a balance between the right to privacy and the right to know for those harmed by an act traceable to a domain.
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants, it is silly to argue that the two interests are of the same weight and also to argue, as many have over the past decade, that vanity registrants must not be put to any extra or effort at all if they don't want to be treated the same as the businesses and organizations that register the vast majority of domains.
I also have to say that it is not helpful when people make claims, as we've seen recently, that WHOIS is useless for tracking miscreants, which is false, or that it's only used to research trivial misbehavior, which is equally false. It is also unhelpful when people refuse to recognize the scale of the modern Internet, in which web hosts routinely turn down thousands of domains every day for anti-social behavior. The real surprise is that they don't make more mistakes than they do.
All of my own domains have accurate WHOIS info. I use a post office box to receive my mail, so they don't show my home address, which I don't think is an unreasonable burden.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
Hi, I believe there is a middle way. As a registrant-user, I just found the constant reference to vanity domains highly offensive and was showing other terms that one could use that might be equally as offensive without going anywhere near a Godwin. And yes, I know that there are many legitimate uses of the information but if it is out there for anyone to look out it will be misused, no matter what the rules say about it. I do believe there are ways for us to have our proxies, to give correct information, and for legitimate access to the information to be possible while protecting privacy. I spent years working towards it during one of my more optimistic periods in ICANN, i.e. when I still believed we could all get along. (Actually I still believe that! Pitiful, I know.) I did not ignore any of the stuff you think I ignored. I just mentioned several misuses that have happened to me (yes, I still have some of my whois info in the open - though I am slowing moving to a wonderful registrar that automatically proxies it - I love them). I even paid for a Skype dial-in number so I could have a true number they could call that i would never have to answer but which would give me messages. But I hate that my address is there for all to see. And since I am the type who sometimes antagonizes people (imagine that), having my address displayed so prominently is a personal liability in this age of violent crazies. It makes me uneasy. Just imagine if all of the address information and phone numbers that are sometimes required to get user accounts were publicly displayed. Would this be a good thing? I mean it is not only registrants that sometimes do bad things. People who don't have a domain names can do bad things on the network too. For example, there are all those lovely people who send me exciting notices about the rewards and investment opportunities. They don't have domain names, but without assuming anything untoward about them as a class, I bet at least some of them are not on the up and up, no matter how sweet they might appear. So are you also suggesting that there should be a global public users list with names and addresses for all email accounts? It is the same thing as far as I can tell, it is not like they need and email account? Or is it? a. On 2 Feb 2011, at 16:46, Bill Silverstein wrote:
Avri, With due respect, you are making the same presumptions that you accuse John of. Firstly, the whois information is not to be used for marketing (see the terms). Second, you are talking about using "some word" but, you ignore the other part which there is truly is libel. Third, you ignore the commercial aspect, of you running your little (or big) online store and your customer has a problem. Or you are the one who is sending out the solicitation for the whois information, and I want to make sure you stop. You also ignore that when you register a domain name, you voluntarily agree to 3.7.7.1, 3.7.7.2 of the ICANN contract which requires TRUTHFUL information. Intentional provision of false information is fraud. There is a simple solution change the contract that permits a proxy service, but the proxy service will be liable for the use of the domain. That way, if web site operating using their domain name there is someone responsibility. Free speech has a cost, it is called responsibility.
Dear John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Why do you continue to call then vanity domains?
I find that as offensive as some would probably find me referring to nosy commercial users who wanted to know my phone number and email so they could try to sell me stuff or try to get me to transfer my domain. Or if I referred to viscous lawyer users who want to scare me because I used some word in my blog that they find offensive to their client.
With all due respect,
a.
On 2 Feb 2011, at 15:11, John R. Levine wrote:
I cannot accept that there cannot be a balance between the right to privacy and the right to know for those harmed by an act traceable to a domain.
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants, it is silly to argue that the two interests are of the same weight and also to argue, as many have over the past decade, that vanity registrants must not be put to any extra or effort at all if they don't want to be treated the same as the businesses and organizations that register the vast majority of domains.
I also have to say that it is not helpful when people make claims, as we've seen recently, that WHOIS is useless for tracking miscreants, which is false, or that it's only used to research trivial misbehavior, which is equally false. It is also unhelpful when people refuse to recognize the scale of the modern Internet, in which web hosts routinely turn down thousands of domains every day for anti-social behavior. The real surprise is that they don't make more mistakes than they do.
All of my own domains have accurate WHOIS info. I use a post office box to receive my mail, so they don't show my home address, which I don't think is an unreasonable burden.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
By-the-way, several years ago a suggestion was made (I believe by Kent Crispin) that those who have a domain name create a set of text records under the name "whois.name.tld" that would give the contact information that that person desires to make public. For instance, I've got TXT records under the name whois.cavebear.com You can take a look by fetching 'em. Linux/Unix users can do: dig whois.iwl.com txt You should get something like:
;; QUESTION SECTION: ;whois.iwl.com. IN TXT
;; ANSWER SECTION: whois.iwl.com. 172800 IN TXT "company-name: InterWorking Labs" whois.iwl.com. 172800 IN TXT "phone-number: +1.831.460.7010" whois.iwl.com. 172800 IN TXT "fax-number: +1.831.401.2320" whois.iwl.com. 172800 IN TXT "address-1: PO Box 66190" whois.iwl.com. 172800 IN TXT "address-2: Scotts Valley, CA 95067" whois.iwl.com. 172800 IN TXT "address-3: USA" whois.iwl.com. 172800 IN TXT "website: http://www.iwl.com/"
I don't know what tools there are for that on Microsoft systems. Most of the discussion that occurred around this idea was not on the idea itself but more on the list of items and the format to use. I used raw text, some folks like something more structured, perhaps even XML. These would be protected by DNSSEC when it comes into full use. --karl--
* Karl Auerbach wrote:
By-the-way, several years ago a suggestion was made (I believe by Kent Crispin) that those who have a domain name create a set of text records under the name "whois.name.tld" that would give the contact information that that person desires to make public.
For instance, I've got TXT records under the name whois.cavebear.com
I also took this approach for my private TLD "bofh" (@2001:4bd8:1::1). Unfortunly it does not work for two reasons: a) Whois was designed to be an out of band way to contact the responsible person in order to repair broken network or host setups. So any in band communication is not available in the case it's desperatly needed. b) Whois should contain the data of the delegatee from the delegator. DNS only provides glue at the delegator site. So there es no way to provider the correct information using DNS. Example: $ dig axfr bofh @2001:4bd8:1::1 | grep alt-f4.*TXT alt-f4.bofh. [...] TXT "Dominik ..." $ dig TXT alt-f4.bofh. @2001:4bd8:1::1 +norec ;; QUESTION SECTION: ;alt-f4.bofh. IN TXT ;; AUTHORITY SECTION: alt-f4.bofh. 86400 IN NS susi.studfb.unibw-muenchen.de. So putting Whois into DNS is the wrong approach.
On 02/03/2011 12:57 AM, Lutz Donnerhacke wrote:
For instance, I've got TXT records under the name whois.cavebear.com
I also took this approach for my private TLD "bofh" (@2001:4bd8:1::1). Unfortunly it does not work for two reasons:
a) Whois was designed to be an out of band way to contact the responsible person in order to repair broken network or host setups.
I've always felt that the arguments about "the original intent of whois" are written by people who weren't there at the time. The early listings of people on the net were much more like a club roster than a public directory. Getting to your comment about repairing things: That argument makes sense (a great deal of sense) for the IP address whois. But I don't find it very strong in the domain name whois, which is the one we mainly talk about for the following reason: Today's domain name operator is usually hardly the kind of technical animal that would qualify as a network manager with the ability to repair much of anything. On the other hand, folks listed in IP address whois generally have a great deal of ability to fix things. --karl--
On 02/02/2011 01:46 PM, Bill Silverstein wrote:
...Third, you ignore the commercial aspect, of you running your little (or big) online store and your customer has a problem.
We have perfectly viable pre-existing systems for that. I operate some of my domains in conjunction with a state (or city, an arm of the state) business license, which is a public record. And I have also published fictitious name statements, as required by law. There is no need to burden the domain name system with mechanisms that are well established and in current use. You might complain that people on the net are not following those laws. That would be a valid complaint. But the answer to that is to enforce those laws, not create new ones and cause wholesale privacy violations as a side effect. I am perfectly happy with a requirement, whether from national, regional, or local governments that a publicly accessible business license be required of anyone engaging in commerce on the internet. (Spamming I consider to be "in commerce".)
You also ignore that when you register a domain name, you voluntarily agree to 3.7.7.1, 3.7.7.2 of the ICANN contract
I'd suggest that the word "voluntarily" is not particularly accurate. ICANN controls a monopoly marketplace. When the choice is to agree or to not be able to participate as a fully voiced member of the internet community then the choice is more of a compulsion than a voluntary act. I would also remind everyone that those contracts were created without any valid public participation in the process. Moreover, as I have mentioned, corporate entities are free under the lex-ICANNia to use intermediate shell corporations in which the actual hands of control are deeply shrouded and protected. Unless we accept the proposition that corporations are more important than humans we ought to allow humans to act with the same degree of self-protection as we allow to corporations. --karl--
On 02/02/2011 12:11 PM, John R. Levine wrote:
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants,
I do not accept the "vanity" distinction. Certainly "ibm.com" is a vanity. So is "iecc.com" as is "auerbach.com". Indeed pretty much anything with intended semantic content can be classed as a vanity. And even if vanity were somehow bad - a conception that kinda got burned at the stake in Florence some centuries back - why should that matter? A right to privacy exists whether a person is acting out of vanity or out of some altruistic impulse. I've proposed what I believe is a balanced, fair, and reasonably inexpensive procedure for whois access (one that I believe might possibly be operated entirely by software.) - That the person making an inquiry provide the following things which would be recorded into a permanent record and also provided to the data subject contemporaneously with the data access. + Provide an accurate identification to a legally cognizable person or legally created entity (such as a corporation) and that that identification be backed by trustworthy credentials (the type and form of the credentials would be recorded, but not any critical items such as credit card numbers or the like, if used.) For those who tend to use this process frequently, such as trademark attorneys or anti-spam fighters, this might be done through some sort of pre-arrangement, which would save money and time for everyone involved. + Provide a statement of the rights that the person making the inquiry believes he has in the domain name. + Provide a statement of how those rights are being injured by the domain name, backed by evidence that that injury is in fact occurring. + Post some amount of money with the registrar (or some other third party) (this money could be provided through some pre-arrangement, perhaps with a discount, for those who tend to make several inquiries, people such as trademark attorneys or anti-spam advocates.) + To cover the costs to the accused domain name should the accusation be shown to be made without grounds. + To cover the costs of validating the identification and authentication. - That every few months that the record of data inquiries be processed and published to the public giving tallies of who is making the most inquiries, how many were based on what kind of grounds (trademark accusation, etc), how many were rejected as being baseless. Similarly the report would show which domains were most inquired about. The purpose of this report would be to help reveal those who abuse the system, but on the inquiry side and also what domains are exhibiting the most suspicious behavior. --karl--
I do not accept the "vanity" distinction.
It's not about you, or what you'd like to accept. Really, we understand that you want to register personal vanity domains, you want to have your personal information obscured, and you want someone else to pay for the costs of all that. Maybe this position seemed to make sense in 1996, but it's absurd nostalgia now. The vast majority of individual Internet users, like 99.999%, do fine without their own second level domain. There's nothing wrong with having your own domain (I have a bunch of them) but it is not ICANN's job to solve your problem if you want the terms to be different from what everyone else gets. I used to have a T1 phone line to my house. Since the vast majority of T1 users are businesses, the only price available is the expensive business rate. I did not spend a lot of time complaining about how outrageous it was that I had to pay the same price and take the same terms as IBM, even though I was not a business. Deal with it. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
* John R. Levine wrote:
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants
Whois is more than "second level domain" information. It's also IP address information. What's the problem with thin whois ... delegating the whois down to the registrar or reseller, down to the access ISP? This way the collection, deletion and publishing laws can be respected directly.
There certainly should be a balance. But when there are a billion Internet users, and thousands of individual vanity domain registrants
Whois is more than "second level domain" information. It's also IP address information.
ICANN has nothing to do with IP address WHOIS, which is managed by the RIRs. Surely anyone who's involved in the WHOIS review is familar with that basic fact.
What's the problem with thin whois ... delegating the whois down to the registrar or reseller, down to the access ISP? This way the collection, deletion and publishing laws can be respected directly.
Ah. You must never actually tried to get useful information out of the .COM and .NET WHOIS. It's a disaster for many reasons, as is apparent to anyone who tries to use it. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Great initiative, Lutz. Transparency is never enough. Best from .br, Omar 2011/1/31 Lutz Donnerhacke <lutz@iks-jena.de>:
As an AtLarge delegate to the whois review team, I'd like to keep you informed. Of course I'll not talk about interna, but give you background about my activities.
http://wwwneu.iks-jena.de/eng/Blog/That-s-the-way-it-always-have-been or http://wwwneu.iks-jena.de/Blog/Das-war-schon-immer-so
Please note that "wwwneu.iks-jena.de" is a staging system, so please do blame me for errors and inconstencies. _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
I was indicated by GAC (brazilian diplomacy) but I'm not a formal GAC representative. BTW I'm still defending the end user POW as an LAC-RALO representative. No conflicts of interest. Best, Omar 2011/1/31 Lutz Donnerhacke <lutz@iks-jena.de>:
* Omar Kaminski wrote:
Great initiative, Lutz. Transparency is never enough.
May I cite you as a GAC representative? _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
Thanks for this, Lutz. I have a few questions. About the membership of the review team: are there any data protection offices represented, law enforcement agencies ? About the technical aspects of the WHOIS: it has long been said several times that the current WHOIS system is broken, not only because it does not support anything else than US-ASCII gracefully, but also because it does not allow any credentials-based access, etc. There have been several suggestions, from the IRIS standard to REST interfaces, like the one developed by ARIN. Is this part of the discussion ? This being said, I would tend to agree with Neil that the WHOIS might contain clues that eventually lead to the criminal. It is certainly useful to an extend to LEAs. But that does not mean that the WHOIS should be open to all. To take an example that has already been mentioned : the car registration plate databases are open to LEAs, possibly insurance companies, emergency services, etc. But these parties are clearly identified. This is not the case with the WHOIS. It is open to all, including the bad guys. The "good guys" that could justify a genuine interest to the WHOIS can certainly be identified and be granted unlimited WHOIS access. On 31 Jan 2011, at 18:27, Derek Smythe wrote:
Also, anybody wishing to refute that non-LE third parties play an important part in fighting Internet abuse, is not in touch with what is happening on the Internet currently.
What *is* happening is one thing. What should be happening is another. I would have little problem with private organizations using the WHOIS to fight Internet abuse. As long as they can transparently show who pays for their work, which agreements they have signed with which LEAs, etc. We do not have a democratic control over them, so transparency is the minimum required in that case. LEAs, may be slow, overloaded, etc, but, at least, they are under the control of the democratic system we voted for (in democratic countries, at least). I come from a cultural and societal background where private investigations have bad press. More often than not, the discoveries of private investigations are dismissed in court, because they were conducted by unaccountable parties. It may be that other cultures are OK with private investigations. But because the gTLD market is global by definition, we need policies that are global , and not one based on that of a particular society. -- Patrick Vande Walle
On 31 Jan 2011, at 13:34, Patrick Vande Walle wrote:
ot only because it does not support anything else than US-ASCII gracefully,
I would note that there is a SSAC/GNSO group working on the problem of the ASCII only nature of the WHOIS service. This group will be doing outreach fairly soon on the requirements for non ascii information for the WHOIS service.
This being said, I would tend to agree with Neil that the WHOIS might contain clues that eventually lead to the criminal. It is certainly useful to an extend to LEAs. But that does not mean that the WHOIS should be open to all. To take an example that has already been mentioned : the car registration plate databases are open to LEAs, possibly insurance companies, emergency services, etc. But these parties are clearly identified. This is not the case with the WHOIS. It is open to all, including the bad guys. The "good guys" that could justify a genuine interest to the WHOIS can certainly be identified and be granted unlimited WHOIS access.
I was with you until you said unlimited access. I would thank that rarely would anyone merit unlimited access. I would think most access would need to be subject to due process. But certainly the idea that there are access rights that can be granted and withdrawn for specific purposes within the bounds of applicable law is reasonable. a.
On 31 Jan 2011, at 20:01, Avri Doria wrote:
This being said, I would tend to agree with Neil that the WHOIS might contain clues that eventually lead to the criminal. It is certainly useful to an extend to LEAs. But that does not mean that the WHOIS should be open to all. To take an example that has already been mentioned : the car registration plate databases are open to LEAs, possibly insurance companies, emergency services, etc. But these parties are clearly identified. This is not the case with the WHOIS. It is open to all, including the bad guys. The "good guys" that could justify a genuine interest to the WHOIS can certainly be identified and be granted unlimited WHOIS access.
I was with you until you said unlimited access. I would thank that rarely would anyone merit unlimited access. I would think most access would need to be subject to due process.
But certainly the idea that there are access rights that can be granted and withdrawn for specific purposes within the bounds of applicable law is reasonable.
I meant "access to the full set of data", as opposed to a very limited set of data that would be granted to Joe Public. But indeed, there should be limits to the number of queries per day, for example. And of course, access could be revoked in case of "bad behaviour" (TBD).
And how about the so called proxies? Omar 2011/1/31 Patrick Vande Walle <patrick@vande-walle.eu>:
On 31 Jan 2011, at 20:01, Avri Doria wrote:
This being said, I would tend to agree with Neil that the WHOIS might contain clues that eventually lead to the criminal. It is certainly useful to an extend to LEAs. But that does not mean that the WHOIS should be open to all. To take an example that has already been mentioned : the car registration plate databases are open to LEAs, possibly insurance companies, emergency services, etc. But these parties are clearly identified. This is not the case with the WHOIS. It is open to all, including the bad guys. The "good guys" that could justify a genuine interest to the WHOIS can certainly be identified and be granted unlimited WHOIS access.
I was with you until you said unlimited access. I would thank that rarely would anyone merit unlimited access. I would think most access would need to be subject to due process.
But certainly the idea that there are access rights that can be granted and withdrawn for specific purposes within the bounds of applicable law is reasonable.
I meant "access to the full set of data", as opposed to a very limited set of data that would be granted to Joe Public. But indeed, there should be limits to the number of queries per day, for example. And of course, access could be revoked in case of "bad behaviour" (TBD).
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
hi, Given that without proxies those honest citizens with registrations would be hanging out there with our privacy flapping in the breeze,. I think they are necessary until there is a proper and well formed WHOIS system that only gives access to such information to those authorities who have legal right to it. Once, several years ago, we almost had agreement on such a system - the OPOC, but the compromise support was withdrawn because some parties wanted even more. Proxies are the only way I have as a registrant to both give my accurate information and not be bombarded by all sort of people who want to misuse my information. a. On 31 Jan 2011, at 14:23, Omar Kaminski wrote:
And how about the so called proxies?
Omar
2011/1/31 Patrick Vande Walle <patrick@vande-walle.eu>:
On 31 Jan 2011, at 20:01, Avri Doria wrote:
This being said, I would tend to agree with Neil that the WHOIS might contain clues that eventually lead to the criminal. It is certainly useful to an extend to LEAs. But that does not mean that the WHOIS should be open to all. To take an example that has already been mentioned : the car registration plate databases are open to LEAs, possibly insurance companies, emergency services, etc. But these parties are clearly identified. This is not the case with the WHOIS. It is open to all, including the bad guys. The "good guys" that could justify a genuine interest to the WHOIS can certainly be identified and be granted unlimited WHOIS access.
I was with you until you said unlimited access. I would thank that rarely would anyone merit unlimited access. I would think most access would need to be subject to due process.
But certainly the idea that there are access rights that can be granted and withdrawn for specific purposes within the bounds of applicable law is reasonable.
I meant "access to the full set of data", as opposed to a very limited set of data that would be granted to Joe Public. But indeed, there should be limits to the number of queries per day, for example. And of course, access could be revoked in case of "bad behaviour" (TBD).
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
On 01/31/2011 11:23 AM, Omar Kaminski wrote:
And how about the so called proxies?
Corporate shells are frequently used by corporate entities to hide the actual ownership and control. And we allow those corporate shells to register domain names without any complaint - we accept their identities as legitimate. Why are we so unwilling to accord to people the same protective rights as we do to corporations? --karl--
* Patrick Vande Walle wrote:
Thanks for this, Lutz. I have a few questions.
I'll only ask those, I'm feeling good with. It's not good style to talk about private conversation in public. OTOH I'm happy to read the interesting discussion here. I'll learn from your messages, but try to abstain from the discussion. Please do not consider it as missing interest from my side. It's simply to concentrate myself to the RT instead of the same discussion at an other, not that pressing place.
About the membership of the review team: are there any data protection offices represented, law enforcement agencies ?
There are law enforcement people, there are laywers, but there are no specialized data protection people. Despite this fact, there are several good people with a strong knowledge in the diversity of national data protection laws.
it has long been said several times that the current WHOIS system is broken, not only because it does not support anything else than US-ASCII gracefully, but also because it does not allow any credentials-based access, etc. There have been several suggestions, from the IRIS standard to REST interfaces, like the one developed by ARIN. Is this part of the discussion ?
We have a specialist on internationalization issues in the group and already discussed some parts of this subject. Please wait for the transcript.
What *is* happening is one thing. What should be happening is another.
Thank you for shortening my position that clearly.
participants (12)
-
Avri Doria -
Bill Silverstein -
Carlton Samuels -
Derek Smythe -
Evan Leibovitch -
Franck Martin -
John R. Levine -
Karl Auerbach -
Lutz Donnerhacke -
Neil Schwartzman -
Omar Kaminski -
Patrick Vande Walle