

To: "'Michael Young'" <myoung@libertyrms.info>, "'Vittorio Bertola'" <vb@bertola.eu.org>, <ietf-provreg@cafax.se>
From: "Ross Wm. Rader" <ross@tucows.com>
Date: Fri, 17 Jan 2003 09:45:40 -0500
Importance: Normal
In-Reply-To: <002101c2be2f$299f95e0$c302010a@DUN435>
Reply-To: <ross@tucows.com>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: An user's point of view on the privacy issue

> would like to see less soap-box speeches and more work towards 

Agreed - *but* I don't expect that we'll see many as long as you're up
there. I don't know about the rest of you, but I do appreciate Vittorio
taking the time out to specify what his requirements for the mechanism
might be. Once the smart guys figure out where that should happen,
specifications such as his will most undoubtedly help you figure out how
to make "what it looks like" work.

I've dropped out of even lurking for the past few days, but suffice to
say that this is all moot if the question is still "who" as per Joe's
question of the 8th... And, at the risk of getting ahead of myself, I'm
also not sure that I've seen an answer to Andrew's question of the 9th
regarding what basic "privacy" actually is. From my standpoint, the
entire line of conjecture is a bit of a red herring - it may simplify
the discussion to look at this as a data ownership/entity
relationship/data rights management issue as opposed to the more charged
(and elusive) question of "privacy" - unless someone has a reasonable
definition of "privacy" that they haven't shared with us...



                       -rwr




"There's a fine line between fishing and standing on the shore like an
idiot."
- Steven Wright

Get Blog... http://www.byte.org/blog


 

> -----Original Message-----
> From: owner-ietf-provreg@cafax.se 
> [mailto:owner-ietf-provreg@cafax.se] On Behalf Of Michael Young
> Sent: Friday, January 17, 2003 8:49 AM
> To: 'Vittorio Bertola'; ietf-provreg@cafax.se
> Subject: RE: An user's point of view on the privacy issue
> 
> 
> Thank you for providing your opinion on privacy issues 
> Vittorio.  I think you'll find by reviewing the list that the 
> current debate in the provreg working group is not about 
> whether or not a privacy mechanism is desirable, but really 
> about the technical implementation and where that should 
> happen.  There are multiple approaches to how to solve for 
> this problem, and all of them have their perceived advantages 
> and disadvantages. Some approaches that are being heavily 
> advocated from non-technical stakeholders have some serious 
> implementation and performance impacts, and that's really 
> what's at the heart of the debate right now.  BTW in my 
> opinion, this forum is not meant as a venue for the amount of 
> policy based discussion that has occurred of late - it is 
> meant to be a technical working group.  Hence I honestly 
> would like to see less soap-box speeches and more work towards 
> a compromise, such as the one Janusz posted to the list.  
> Although that idea got shot down, it
> was the right kind of effort we should be concentrating on.     
> 
> 
> Michael Young 
> 
> -----Original Message-----
> From: owner-ietf-provreg@cafax.se [mailto:owner-ietf-provreg@cafax.se]
> On Behalf Of Vittorio Bertola
> Sent: January 17, 2003 5:03 AM
> To: ietf-provreg@cafax.se
> Subject: An user's point of view on the privacy issue
> 
> 
> Hello,
> 
> I am a newbie of this group and of the IETF WGs in general 
> (please pardon me for anything inappropriate I might 
> involuntarily do). However, I have been discussing DNS 
> privacy issues extensively in the last years, so please allow 
> me to give my point of view on the ongoing privacy discussion.
> 
> Not addressing the privacy issue in the base protocol would 
> likely imply that the service would often be deployed in real 
> life without any means to achieve privacy protection. 
> Unfortunately, the present lack of privacy protection in the 
> WHOIS system is plainly illegal in many countries, and I 
> don't think it's reasonable to think that this situation can 
> go on for long without actual lawsuits starting to happen, 
> both towards ccTLD and gTLD registries and registrars. 
> 
> In fact, as others have already pointed out, many registries 
> (especially European ccTLDs) have already started to allow 
> opting out from WHOIS under certain conditions or for certain 
> types of data, or even, have already been sued on this. 
> Personally, I think that the present situation where gTLD 
> registrants are required to make all their data public won't 
> last long.
> 
> Thus, any new protocol being created in this field should be 
> able to support the ability to mark data as private - 
> otherwise in the end it might be useless or even damaging. If 
> this protocol doesn't implement any simple and standard way 
> to specify reasonable privacy directives together with data, 
> it is likely that many registrars and registries will be soon 
> forced, by law, lawsuits, or public opinion pressure, to add 
> their own (non-standard and non-interoperable) ones.
> 
> The protocol must allow customers to specify privacy 
> conditions with the highest possible granularity, because it 
> must be able to support policies that will be very different 
> one from the other and will vary often (much more often than 
> the protocol itself) according to non-technical decisions. No 
> privacy policy should be hard-wired in the protocol (and this 
> includes the policy of "no privacy is possible" that would 
> result from the lack of privacy specification tools in the 
> base protocol).
> 
> I must also point out that, according for example to the 
> European law, it is the customer, not the registrar nor the 
> registry nor any policy or standard making body, that decides 
> what should be published and what should not. The registrar 
> or registry are not allowed to alter the customer's 
> indications on privacy. At most, the registrar/registry may 
> refuse to supply the service if the customer does not accept 
> to distribute data that are strictly necessary for the 
> service to work. (It seems to me very doubtful that 
> publishing my name and e-mail to the whole world is strictly 
> necessary for my name servers to work. But this is a policy 
> and legal discussion anyway, and is out of this list's
> scope.)
> 
> So, the minimum level of granularity that the protocol should 
> support to be applicable in real life is the ability to mark 
> each field of each domain name registration form as private 
> or public, singularly for each (domain, field) couple.
> 
> The EU law also states that the owner of the data has the 
> right to verify and update the data and retire the consensus 
> to the distribution at any time. So the protocol should allow 
> for updates not only of the data but of the privacy indications too.
> 
> Theoretically, a registrar could ask separate approvals to 
> the customer for different uses of the same data. In this 
> case, a mechanism with more levels of privacy would be 
> necessary. However, this is an option for the registrar, not 
> a requirement, so this could be left to extensions. 
> Similarly, a specific approval is required to export data 
> outside of the European Union, so a mechanism to specify a 
> list of countries to which data can(not) be exported could be 
> of use, but this problem can be easily avoided by the 
> registrar by asking for such consensus, so this could be left 
> as a possible extension too.
> 
> Thus, summarizing, I support the idea that a mechanism to specify (at
> least) whether each single field of each single domain name 
> is meant to be public or private should be added to the base 
> protocol, and its implementation should be mandatory.
> -- 
> vb.                  [Vittorio Bertola - vb [at] bertola.eu.org]<---
> -------------------> http://bertola.eu.org/ <-----------------------
> 
> 

