ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

On Dec 3, 2009, at 12:10 PM, Milton L Mueller wrote:

>
>> -----Original Message-----
>> From: tvest at eyeconomics.com [mailto:tvest at eyeconomics.com]
>>
>> Since you've raised this issue yet again (c.f., June 10 ~ Aug. 31
>> 2009), perhaps now you'll be willing to share with us your
>> view of the proper balance between "legitimate" privacy concerns and
>> "convenience"  of technical administration? Rephrasing the two  
>> queries that went
>> unanswered last time:
>
> Tom:
>
> Privacy norms, standards and laws are well known and not that hard  
> to apply to this case.
> Here is a link to a boilerplate explanation of basic data protection  
> principles:
> http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPPrinciples.htm
> Respectful suggestion: do some homework on how this issue gets  
> handled before wading into a policy arena with global human rights  
> implications.

Hi Milton,

Thanks for the respectful suggestion. I will take it under advisement.

However, I would respectfully suggest that providing more substantive  
answers here would be useful both to you (if your goal is, in fact, to  
help inform number resource policies), as well as to those list  
members who are not likely to go off and do a lot of homework on this  
issue.

>> 1. Would you say that the proper balance between these two opposing
>> goals is reflected in current DNS whois arrangements?
>
> Absolutely not. (And you know perfectly well that I've answered this  
> question, not only on this list, but in lengthy scholarly articles,  
> and in years of work on DNS Whois Working Groups and Task Forces.)
>
> It would be very easy for DNS Whois to contain the requisite  
> technical information needed for both law enforcement and technical  
> management without providing indiscriminate public access to anyone  
> and everyone, for any purpose.

Okay, in that case I call:

1. Could you suggest how, exactly, a registration/whois system can be  
both very accurate, very reliable, and very easy for technical  
administrators to access (when justified) for real-time network  
management requirements*, while at the same time satisfying the the  
legitimate* privacy concerns of the individuals and institutions who  
are represented in that registration data?

2. Could you also suggest how those conditions that are accurately  
deemed to be legitimate*, required*, etc. by both groups might be  
sustained over time? Specifically, if revelation of whois inaccuracies  
is generally only possible as a result of outages or other "events"  
that require technical administrator action, and discovery of correct  
whois information in such cases is generally only possible through  
legal mechanisms (warrants, subpoenas, lawsuits, registry  
disaccreditations, etc.) which do not operate at time scales that are  
consistent with real-time network management, what method(s) would you  
propose for reconciling this critical mismatch?

3. Finally (and if appropriate), could you also suggest how those  
conditions might be preserved in an environment of competitive  
commercial provision of registration and whois services? Specifically,  
what mechanisms would you recommend to encourage registration and  
whois service providers to maintain the proper level of investment in  
and ongoing support for this secondary, non profit-making function?  
What mechanisms would you advocate to assure that individual  
commercial registration and whois service providers resist the  
temptation to differentiate themselves by cutting their whois-related  
support and/or by relaxing their whois-related customer requirements?

Since (3) presumes that you advocate the competitive provision of  
registration and whois services, with at least some competitors being  
private/not-governmental entities, please disregard this question if  
this presumption is inaccurate.

> The only reason this doesn't happen: DNS Whois arrangements have  
> been hijacked by trademark protection firms, LEAs too lazy to get  
> the proper authorizations, and by companies that collect and sell  
> the data for various and sundry purposes. See data protection  
> principle #2 for my opinion about that.

If I'm interpreting your reference correctly, data protection  
principle #2 reads:
"Personal data shall be obtained only for one or more specified and  
lawful purposes, and shall not be further processed in any manner  
incompatible with that purpose or those purposes."

If we stipulate for the moment that we're only talking about protocol  
number whois as used for legitimate technical administrative purposes  
that are consistent with the law, then the relevance of data  
protection principle #2 is still ambiguous. One justification for open  
public whois is that public scrutiny provides a kind of continuous  
distributed error detection and correction mechanism, which helps to  
maintain whois completeness and accuracy in between those critical  
moments when technical-administrative action is both legal and  
justified -- and at which points the belated discovery of whois  
inaccuracies can have the most adverse consequences.

Is it your view that the very existence and/or maintenance of accurate  
personal data should be subject to a different, higher standard than  
the standard suggested by data protection principle #2?

>> 2. Are the "legitimate privacy concerns" of artificial
>> persons (i.e.,
>> corporations) different from the "legitimate privacy concerns" of
>> natural persons?
>
> Sigh. Overlooking your complete ignorance of applicable law, I will  
> simply answer yes.
> The distinction is well-established in law, not to mention common  
> sense. Yes, Tom, there are differences between the privacy rights  
> and legal norms applicable to publicly registered corporate entities  
> and flesh and blood persons and their homes and personal property.

Ignoring the insult, I'll just observe again that a less clever but  
more substantive response would have probably been more useful, to you  
and everyone else.

>> If so, how -- and how should the differences be
>> reflected in rotocol number-related registration data and whois?
>
> Yes, of course the differences should be reflected. How? Not that  
> hard, but as I said in my last message, let's debate specific  
> arrangements and proposals, not ideology.

Excellent. Here's your chance to debate specifics.

It's good to know that it won't be that hard...

Thanks,

TV