

To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
cc: "'Joe Abley'" <jabley@isc.org>, "'Edward Lewis'" <edlewis@arin.net>, ietf-provreg@cafax.se
From: Jaap Akkerhuis <jaap@sidn.nl>
Date: Fri, 10 Jan 2003 13:43:22 +0100
In-reply-to: Your message of Wed, 08 Jan 2003 12:47:24 -0500. <3CD14E451751BD42BA48AAA50B07BAD6033704CD@vsvapostal3.prod.netsol.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: privacy

    
    If I remember correctly, Jaap did say somewhere on the list that the
    proposal could work for .nl...
    

As promised, here follows the story of how it could work.

Disclaimer 1: I describe here the future situation (starting 29
January 2003) when our new Rules and Regulations go into effect.

Disclaimer 2: We are currently not using EPP for registrations; up
to now this is just an exercise in how we would deal with it.
Therefore, this description is likely incomplete.

Registry Model

For the purpose of this discussion, the .nl registry follows the
``thick'' model. That means we keep a database with all the
information necessary for registering domain names. From this
database we publish a subset in the whois server and, of course,
in the .nl name server.

Privacy policy

Some details about the Dutch Personal Data Protection Act (as far
as I know, I'm not a lawyer, and as far as relevant to this discussion).
Although in the law there is a part which tells you what kind of
things you are never supposed to disclose, such as social security
numbers, medical information, the usual stuff, there isn't really
anywhere detailed what is allowed and what isn't.

For personal data, each database holder is required to have a data
policy. That must state which data is collected, the purpose and
use of the data collected, how data might be collected and which
data is published in relation to the purpose. It must be
possible to suppress some of the Personal data published when the
interest of the Person to withhold the data is higher than the standard
disclosure process. So it is actually a balancing act and it depends
on the interests and within relation to the Person whether or not
this opt-out is granted.

Some studies have been conducted on how this relates to domain name
registration, discussions with the privacy authorities etc. (These
reports are online in case someone wants to read them).  This
resulted in the end in a policy document, published at
http://www.domain-registry.nl/sidn_english/flat/General/Rules/New_regulations/New_SIDN_regulations_pursuant_to_the_Personal_Data_Protection_Act/index.html

Among other things it states

Article 2 Purpose

 2.1 The purposes of Processing are:

     a. the processing of Applications for Domain Names and Personal
     Domain Names and all associated and resulting activities;

     b. the consideration of requests and complaints submitted by
     Holders of a Domain Name and Data Subjects;

     c. the provision of data to Participants(*) to facilitate their
     work;

     d. the inclusion of the data in the zone file;

     e. the inclusion, in addition to the above purposes, in the
     public section of the Register as referred to in Article 23.2
     of the Regulations for the Registration of .nl Domain Names
     of the data specified in Annex I for the purpose of:

	- solving any technical problems regarding the operation
	of the Internet;

	- Applications for Registration of (free) Domain Names;

	- the protection of intellectual property rights;

	- the prevention and combating of illegal and harmful content
	on the Internet.

(*) Participant == registrar

Note also that all this policy stuff is actually enforced by the
contracts between the registry, registrars and registrants.

In the Annex you'll find:

Annex I Publicly accessible data

Domain Name/Personal Domain Name
Date of registration
Name and address of Holder of the Domain Name
Status of the domain (active, blocked, free)
Name, telephone number and e-mail address of the Holders administrative
	contact person
Name, telephone number and e-mail address of one or more technical
	contact persons
Master and slave Nameserver names and IP numbers


So these are the things that will be disclosed and in EPP the
disclosure attribute should have this as default value in the
registration request.  The request will be processed and the name
registered if there aren't other problems.

If you put opt-out (non-Disclose) attributes to these, a different
process is followed; the balancing of interest needs to take place.

Sometimes this is obvious. For some of the data elements the opt-out
will cause a straightforward denial of the request. We consider the
main purpose of a domain name registry to publish information in
the DNS, so, if you don't want to disclose these things, there is
no point for a registration at all. Also, there are cases where the
opt-out is granted directly (see the policy document), so then the
request will follow the standard registration process and the opt-out
will happen.

However, when the opt-out request really requires to be
judged, the request is put in the pending state and put into a
separate queue. Then the process of the opt-out will take place.
If the outcome of that is something that the requester doesn't agree
with, he/she can actually appeal to an appeal committee
(which is independent from the registry). Depending on all of this,
the request for opt-out might be ignored or granted. In any case,
this is all outside the EPP protocol.

So yes, the non-disclose attribute will work for us without any
problem. It is possible that we might do extensions to aid with the
balancing of interest process if we get experience about this.
However, since policies change much quicker and easier due to changes
of laws etc. than protocols, it is unlikely that we do that.

The upshot of all this is that the attribute doesn't define a privacy
policy in any way. That is done with the contracts, rules & regulations.
The attribute just makes it possible to automate the process somewhat.

A registrar dealing with multiple registries with different policies
should have set different defaults for these registries in the
application that generates the EPP. For the .se these defaults, for
the .nl others. I think that these defaults are not something which
should be in the specifications. Of course, you might want some
default in case it isn't specified. In that case, Disclose is the
most practical.

	jaap
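
Added example (not part of the message above and not SIDN code): a
registry-side triage of the EPP contact disclose element into the
outcomes the message describes: register, deny, grant directly, or
pending. The DENY and AUTO_GRANT sets and the sample XML are
constructed placeholders; the message leaves the real categories to
the policy document.

```python
import xml.etree.ElementTree as ET

# EPP contact mapping namespace (contact-1.0).
NS = {"c": "urn:ietf:params:xml:ns:contact-1.0"}

# Hypothetical policy tables, NOT the actual .nl rules.
DENY = {"name"}        # opt-out here makes the registration pointless
AUTO_GRANT = {"fax"}   # opt-out granted without a balancing of interests


def sample(elems=None):
    """Build a constructed contact:create fragment; elems=None omits disclose."""
    disclose = "" if elems is None else (
        '<contact:disclose flag="0">%s</contact:disclose>' % elems)
    return ('<contact:create xmlns:contact="urn:ietf:params:xml:ns:contact-1.0">'
            '<contact:id>EXAMPLE-1</contact:id>%s</contact:create>' % disclose)


def opt_outs(xml_text):
    """Return the set of element names the requester asks NOT to disclose."""
    # Real registrar input is untrusted; use a hardened parser (e.g. defusedxml).
    disclose = ET.fromstring(xml_text).find(".//c:disclose", NS)
    if disclose is None:
        return set()   # nothing specified: default to Disclose
    if disclose.get("flag") not in ("0", "false"):
        return set()   # flag=1 lists elements to disclose, so no opt-out
    return {child.tag.split("}", 1)[1] for child in disclose}


def triage(xml_text):
    """Map a request to one of the four outcomes described in the message."""
    wanted = opt_outs(xml_text)
    if not wanted:
        return "register"               # standard process, all data disclosed
    if wanted & DENY:
        return "deny"                   # straightforward denial
    if wanted <= AUTO_GRANT:
        return "register-with-opt-out"  # opt-out granted directly
    return "pending"                    # separate queue, balancing of interests


if __name__ == "__main__":
    for elems in (None, "<contact:fax/>", "<contact:voice/><contact:email/>",
                  '<contact:name type="int"/><contact:fax/>'):
        print(elems, "->", triage(sample(elems)))
```
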

