Hi Stephanie,
Thanks for continuing the dialogue here. To respond to your second question, my
preference and suggestion would be to narrow the gulf between the two as best
we can, but to aim to take ambitious but decisive action on the RDS when it
comes to protecting registrant privacy. After all, I would not wish to strike a
Faustian bargain just to reach consensus.
As
to your first question, I would like to preface my remarks with a caveat that I
am no expert here, so it is possible (if not probable!) that I need to do further
reading to understand the issues at hand. If I am on the wrong track, I am happy
to be pointed in a different direction.
Which protocols
that have been developed to process and manage data are useful and why?
Which are not, and why?
My understanding is
that we have only four options to consider: the Extensible Provisioning Protocol,
the Internet Registry Information Service Protocol, the Registration Data
Access Protocol (RDAP), and WHOIS. Of those, I believe only RDAP and WHOIS have
been deployed. Unless we can persuade the technical community that none of
these are fit for purpose and thus they must create something bespoke for us (and
I do not know that we can make that argument), I do not think we have much
choice but to use RDAP if we find that gated access to certain data is
necessary.
What
registration data needs to be collected, used, retained and disclosed in order
to operate the DNS in a manner which ensures the security and stability of the
Internet, and fair competition among provdiers, stakeholders, and contracted
parties.
I am going to turn here to Rob Golding’s email yesterday to the
main mailing list. He indicated that the only pieces of data which are critical
to the operation of the DNS are: the domain name itself, the registrar (for a gTLD
with a registry/registrar model), the domain name’s expiry date, and its status
(registered / not registered). For it to be of functional use, there are two
optional fields: nameservers, and the auth-code (Rob suggested the auth-code
was imperative, but I believe it to be a value-added feature). As we can see,
the RDS does not need to collect much information at all to function.
My suggestion would be that the RDS only collect that
registration data which is essential to the technical operation of the DNS. This
is a best practice approach to the cross-border transfer of data that the OECD
Working Party on Information Security and Privacy has endorsed: in its primary
framework, the working party says that organisations should take care to ensure
that only an absolute minimum amount of information is collected, is done so
with the knowledge and consent of the data subject, is used only for the stated
purpose, is retained only for as long as is necessary, and is safeguarded
against unauthorised access.
I realise I am jumping ahead of the work plan here, but I hope
you do not mind me expressing my personal view on this topic in just one
sentence: that there are already some parties who rely on the WHOIS system’s
public records does not mean we must continue to collect, let alone publish in
an open-access directory, this information.
I consider any additional data to be registrar-registrant
contract information. As such, it is up to the registrar to determine how they
wish to store this data, and to whom they wish to release it, in accordance
with local laws and the informed consent of their customers.
Who needs to
have data, and under what circumstances should it be released to third party
requestors?
The answer to this question depends on what data elements we are
talking about, the physical location of the registrar, and the physical
location of the registrant. Ultimately, I would like to see due process
respected. The alternative could lead us down a dangerous path which threatens
to destroy the many benefits that the Internet has brought about.
Who should bear
the costs of data storage, and data sharing?
I do not have an opinion on this question at this time.
Best wishes,
Ayden