Hello,

I briefly mentioned previously in an e-mail that there was no way to handle warrants or other court orders via RDAP. Someone on the recent WG call said that this was covered in RDAP. I had a quick look through 4 RDAP RFCs (RFC 7480, RFC 7481, RFC 7482, and RFC 7483) and didn't see anything that seemed to match.

Warrant Example
===============

For a warrant, ideally the RDS would support a system like that which we have in place in every other part of the universe today. That is, if a court or some other authorized legal authority (this varies widely per jurisdiction, I know) issues a statement approving a search, then someone can be forced to turn over information.

So, if the police get a warrant they can go to the company where you bought airline tickets and find out when and where you traveled. I think we all agree that this makes sense, although of course the details can be delightfully complicated.

What I do not see in RDAP is any way for a registry or registrar to be served a warrant or other equivalent document. It IS possible for the police to have authorization to view private data, but I don't see any way for them to ONLY have authorization for this data if it is approved by a court on a case-by-case basis.

I may have missed this! Please point me in the right direction so I can have a look at how RDAP proposes handling this. :)

Credit Checks
=============

Another use case that we discussed is possibly similar. In that case some agency was doing some sort of checks to make sure that a given applicant was going to be using a domain for an approved purpose. In order to do this they use the current WHOIS data to do some sanity checks and look for various patterns that signal fraud.

In my mind, this *could* be similar because it also involves getting access to private data only for a specific lookup.

So, rather than granting a for-profit, private company access to all private data of everyone with a domain name, the person who wants a service can authorize a sort of credit/background check. This check could indeed give complete access to all records for that person, but in principle need not give the company access to all data.

Again, I don't think that any of the current technologies support this, but I am hardly an expert in authentication or authorization systems, so this sort of thing might be supported today.

Happy Thoughts
==============

I saw/heard on the call the tension between WG members who lean towards minimal access (privacy advocates, human rights representatives, dirty hippies like myself) and WG members who lean towards ensuring responsible use of systems and helping authorities prevent crime and other abuse (LEA representatives, IP lawyers, and so on). We didn't delve into it too deeply but I am looking forward to a policy that balances everyone's needs. I was heartened that everyone was polite and constructive!

Cheers,

--
Shane