To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
cc: "'Joe Abley'" <jabley@isc.org>, "'Edward Lewis'" <edlewis@arin.net>, ietf-provreg@cafax.se
From: Jaap Akkerhuis <jaap@sidn.nl>
Date: Fri, 10 Jan 2003 13:43:22 +0100
In-reply-to: Your message of Wed, 08 Jan 2003 12:47:24 -0500. <3CD14E451751BD42BA48AAA50B07BAD6033704CD@vsvapostal3.prod.netsol.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: privacy

If I remember correctly, Jaap did say somewhere on the list that the proposal could work for .nl...

As promised, here follows the story of how it could work.

Disclaimer 1: I describe here the future situation (starting 29 January 2003) when our new Rules and Regulations go into effect.

Disclaimer 2: We are currently not using EPP for registrations; up to now this is just an exercise in how we would deal with it. Therefore, this description is likely incomplete.

Registry Model

For the purpose of this discussion, the .nl registry follows the ``thick'' model. That means we keep a database with all the information necessary for registering domain names. From this database we publish a subset in the whois server and, of course, in the .nl name server.

Privacy policy

Some details about the Dutch Personal Data Protection Act (as far as I know, I'm not a lawyer, and as far as relevant to this discussion). Although in the law there is a part which tells you what kind of things you are never supposed to disclose, such as social security numbers, medical information, the usual stuff, it isn't really detailed anywhere what is allowed and what isn't.

For personal data, each database holder is required to have a data policy. That must state which data is collected, the purpose and use of the data collected, how data might be collected and which data is published in relation to the purpose. It must be possible to suppress some of the Personal data published when the interest of the Person to withhold the data is higher than the standard disclosure process. So it is actually a balancing act, and it depends on the interests, and in relation to the Person, whether or not this opt-out is granted.

Some studies have been conducted on how this relates to domain name registration, discussions with the privacy authorities etc. (These reports are on line in case someone wants to read them).
This resulted in the end in a policy document, published at

  http://www.domain-registry.nl/sidn_english/flat/General/Rules/New_regulations/New_SIDN_regulations_pursuant_to_the_Personal_Data_Protection_Act/index.html

Among other things it states

  Article 2 Purpose

  2.1 The purposes of Processing are:

  a. the processing of Applications for Domain Names and Personal Domain Names and all associated and resulting activities;
  b. the consideration of requests and complaints submitted by Holders of a Domain Name and Data Subjects;
  c. the provision of data to Participants(*) to facilitate their work;
  d. the inclusion of the data in the zone file;
  e. the inclusion, in addition to the above purposes, in the public section of the Register as referred to in Article 23.2 of the Regulations for the Registration of .nl Domain Names of the data specified in Annex I for the purpose of:
     - solving any technical problems regarding the operation of the Internet;
     - Applications for Registration of (free) Domain Names;
     - the protection of intellectual property rights;
     - the prevention and combating of illegal and harmful content on the Internet.

  (*) Participant == registrar

Note also that all this policy stuff is actually enforced by the contracts between the registry, registrars and registrants.

In the Annex you'll find:

  Annex I Publicly accessible data

  Domain Name/Personal Domain Name
  Date of registration
  Name and address of Holder of the Domain Name
  Status of the domain (active, blocked, free)
  Name, telephone number and e-mail address of the Holders administrative contact person
  Name, telephone number and e-mail address of one or more technical contact persons
  Master and slave Nameserver names and IP numbers

So these are the things that will be disclosed, and in EPP the disclosure attribute should have this as default value in the registration request. The request will be processed and the name registered if there aren't other problems.

If you put opt-out (non-Disclose) attributes to these, a different process is followed: the balancing of interest needs to take place. Sometimes this is obvious. For some of the data elements the opt-out will cause a straightforward denial of the request. We consider the main purpose of a domain name registry to publish information in the DNS, so, if you don't want to disclose these things, there is no point for a registration at all. Also, there are cases where the opt-out is granted directly (see the policy document), so then the request will follow the standard registration process and the opt-out will happen.

However, when the opt-out request really requires to be judged, the request is put in the pending state and put into a separate queue. Then the process of the opt-out will take place. If the outcome of that is something that the requester doesn't agree with, he/she can actually appeal to an appeal committee (which is independent from the registry). Depending on all of this, the request for opt-out might be ignored or granted. In any case, this is all outside the EPP protocol.

So yes, the non-disclose attribute will work for us without any problem. It is possible that we might do extensions to aid with the balancing of interest process if we get experience about this. However, since policies change much quicker and easier due to changes of laws etc. than protocols, it is unlikely that we do that.

The upshot of all this is that the attribute doesn't define a privacy policy in any way. That is done with the contracts, rules & regulations. The attribute just makes it possible to automate the process somewhat. A registrar dealing with multiple registries with different policies should have set different defaults for these registries in the application that generates the EPP. For the .se these defaults, for the .nl others. I think that these defaults are not something which should be in the specifications.
Of course, you might want some default in case it isn't specified. In that case, Disclose is the most practical.

jaap
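
A sketch of the registry-side routing described in the message above (standard processing, direct grant, pending queue, or denial), added here as an illustration; it is not part of the original mail and not SIDN's code or policy. It assumes the `<contact:disclose>` syntax of the later published EPP contact mapping (RFC 5733); the `OPT_OUT_POLICY` table, `triage` and `sample` are hypothetical names and constructed values.

```python
import xml.etree.ElementTree as ET

CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"

# Constructed policy table, NOT SIDN's actual rules: what the registry does
# when a registrant asks to withhold each contact field.
OPT_OUT_POLICY = {
    "name": "deny",     # opt-out refused outright
    "org": "review",
    "addr": "review",   # needs the balancing of interests
    "email": "review",
    "voice": "grant",   # granted directly
    "fax": "grant",
}

def triage(contact_xml):
    """Return (outcome, withheld): outcome is 'process', 'pending' or 'deny'."""
    root = ET.fromstring(contact_xml)
    disclose = root.find(f".//{{{CONTACT_NS}}}disclose")
    if disclose is None:
        return "process", []          # nothing specified: default is disclose
    flag = disclose.get("flag")
    if flag not in ("0", "1"):
        raise ValueError(f"invalid disclose flag: {flag!r}")
    if flag == "1":
        return "process", []          # explicit disclose, same as the default
    withheld = sorted({child.tag.split("}")[-1] for child in disclose})
    # Unknown fields go to a human rather than being granted silently.
    decisions = {OPT_OUT_POLICY.get(f, "review") for f in withheld}
    if "deny" in decisions:
        return "deny", withheld
    if "review" in decisions:
        return "pending", withheld    # separate queue, decided outside EPP
    return "process", withheld        # opt-out applied, standard processing

def sample(flag, *fields):
    """Build a constructed contact fragment with the given disclose flag."""
    body = "".join(f"<contact:{f}/>" for f in fields)
    return (f'<contact:create xmlns:contact="{CONTACT_NS}">'
            f'<contact:id>EXAMPLE-1</contact:id>'
            f'<contact:disclose flag="{flag}">{body}</contact:disclose>'
            f'</contact:create>')

if __name__ == "__main__":
    for fields in (("voice",), ("voice", "addr"), ("name", "voice")):
        print(fields, triage(sample("0", *fields)))
```

The policy lives entirely in the table, so a change in rules touches no protocol handling, which is the separation the message argues for.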