ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

On Dec 3, 2009, at 3:15 PM, Milton L Mueller wrote:

> Tom,
> there's a logical fallacy in your attempt to avoid the driver's
> license (DL) analogy: you have assumed that defeating the analogy  
> justifies the existing system, in which anyone has access to  
> potentially sensitive contact information.

Hi Milton,

Is there some reason that you ignored the questions in the message  
that I sent *before* I responded to Chris' driver's license analogy?  
It seems to have found its way safely to the ppml archive:

http://lists.arin.net/pipermail/arin-ppml/2009-December/015680.html

On the outside chance that you didn't receive the message, I've copied  
it again below.

I'm assuming here that you're not planning to "defeat" my questions by  
simply ignoring them...?
I think that defeating them in the more conventional way (i.e., by  
answering them) would be more constructive.

As you may note, the questions that I posed to you have nothing in  
particular to do with specific institutions, past, present, or  
imaginary. They have to do with properly defined functions of an  
Internet protocol number resource registry, and the source(s) of  
incentives and disincentives that might make it possible for a  
properly functioning registry to be sustainable over time (a) based  
solely on voluntary participation, and/or (b) in an environment of  
competitive registration service delivery.

I look forward to your responses.

TV


>> Tom:
>>
>> Privacy norms, standards and laws are well known and not that hard  
>> to apply to this case.
>> Here is a link to a boilerplate explanation of basic data  
>> protection principles:
>> http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPPrinciples.htm
>> Respectful suggestion: do some homework on how this issue gets  
>> handled before wading into a policy arena with global human rights  
>> implications.
>
> Hi Milton,
>
> Thanks for the respectful suggestion. I will take it under advisement.
>
> However, I would respectfully suggest that providing more  
> substantive answers here would be useful both to you (if your goal  
> is, in fact, to help inform number resource policies), as well as to  
> those list members who are not likely to go off and do a lot of  
> homework on this issue.
>
>>> 1. Would you say that the proper balance between these two opposing
>>> goals is reflected in current DNS whois arrangements?
>>
>> Absolutely not. (And you know perfectly well that I've answered  
>> this question, not only on this list, but in lengthy scholarly  
>> articles, and in years of work on DNS Whois Working Groups and Task  
>> Forces.)
>>
>> It would be very easy for DNS Whois to contain the requisite  
>> technical information needed for both law enforcement and technical  
>> management without providing indiscriminate public access to anyone  
>> and everyone, for any purpose.
>
> Okay, in that case I call:
>
> 1. Could you suggest how, exactly, a registration/whois system can  
> be both very accurate, very reliable, and very easy for technical  
> administrators to access (when justified) for real-time network  
> management requirements*, while at the same time satisfying the
> legitimate* privacy concerns of the individuals and institutions who  
> are represented in that registration data?
>
> 2. Could you also suggest how those conditions that are accurately  
> deemed to be legitimate*, required*, etc. by both groups might be  
> sustained over time? Specifically, if revelation of whois  
> inaccuracies is generally only possible as a result of outages or  
> other "events" that require technical administrator action, and  
> discovery of correct whois information in such cases is generally  
> only possible through legal mechanisms (warrants, subpoenas,  
> lawsuits, registry disaccreditations, etc.) which do not operate at  
> time scales that are consistent with real-time network management,  
> what method(s) would you propose for reconciling this critical  
> mismatch?
>
> 3. Finally (and if appropriate), could you also suggest how those  
> conditions might be preserved in an environment of competitive  
> commercial provision of registration and whois services?  
> Specifically, what mechanisms would you recommend to encourage  
> registration and whois service providers to maintain the proper  
> level of investment in and ongoing support for this secondary, non  
> profit-making function? What mechanisms would you advocate to assure  
> that individual commercial registration and whois service providers  
> resist the temptation to differentiate themselves by cutting their  
> whois-related support and/or by relaxing their whois-related  
> customer requirements?
>
> Since (3) presumes that you advocate the competitive provision of  
> registration and whois services, with at least some competitors  
> being private/not-governmental entities, please disregard this  
> question if this presumption is inaccurate.
>
>> The only reason this doesn't happen: DNS Whois arrangements have  
>> been hijacked by trademark protection firms, LEAs too lazy to get  
>> the proper authorizations, and by companies that collect and sell  
>> the data for various and sundry purposes. See data protection  
>> principle #2 for my opinion about that.
>
> If I'm interpreting your reference correctly, data protection  
> principle #2 reads:
> "Personal data shall be obtained only for one or more specified and  
> lawful purposes, and shall not be further processed in any manner  
> incompatible with that purpose or those purposes."
>
> If we stipulate for the moment that we're only talking about  
> protocol number whois as used for legitimate technical  
> administrative purposes that are consistent with the law, then the  
> relevance of data protection principle #2 is still ambiguous. One  
> justification for open public whois is that public scrutiny provides  
> a kind of continuous distributed error detection and correction  
> mechanism, which helps to maintain whois completeness and accuracy  
> in between those critical moments when technical-administrative  
> action is both legal and justified -- and at which points the  
> belated discovery of whois inaccuracies can have the most adverse  
> consequences.
>
> Is it your view that the very existence and/or maintenance of  
> accurate personal data should be subject to a different, higher  
> standard than the standard suggested by data protection principle #2?
>
>>> 2. Are the "legitimate privacy concerns" of artificial
>>> persons (i.e.,
>>> corporations) different from the "legitimate privacy concerns" of
>>> natural persons?
>>
>> Sigh. Overlooking your complete ignorance of applicable law, I will  
>> simply answer yes.
>> The distinction is well-established in law, not to mention common  
>> sense. Yes, Tom, there are differences between the privacy rights  
>> and legal norms applicable to publicly registered corporate  
>> entities and flesh and blood persons and their homes and personal  
>> property.
>
> Ignoring the insult, I'll just observe again that a less clever but  
> more substantive response would have probably been more useful, to  
> you and everyone else.
>
>>> If so, how -- and how should the differences be
>>> reflected in protocol number-related registration data and whois?
>>
>> Yes, of course the differences should be reflected. How? Not that  
>> hard, but as I said in my last message, let's debate specific  
>> arrangements and proposals, not ideology.
>
> Excellent. Here's your chance to debate specifics.
>
> It's good to know that it won't be that hard...
>
> Thanks,
>
> TV