[ppml] Policy Proposal 2003-3: Residential Customer Privacy

Fri Jul 25 12:30:38 EDT 2003

>ISPs with downstream residential customers may substitute
>that ISP's name for the customer's name, e.g. 'Private
>customer - XYZ Network', and the customer's street address
>may read 'Private Residence.' Each private downstream residential 
>reassignment must have accurate upstream Abuse and Technical POCs 
>visible on the WHOIS record for that block.

It's nice and short, it gets to the point and it is understandable.
All good things. But it still is a waste of our time to deal with
things like this. This proposal is picking nits, trying to solve a
specific special case before we've dealt with the general problem.
I suggest that we reject this proposal.

What we really need is a proposal that gives us a workable whois policy.
We need to clearly state what is the overall purpose of whois and
"tradition" is not the right answer. We need to clearly state the data
items that will be published in the whois directory and we need to
clearly state the purpose of each item to be published.

Having defined what the whois directory is, then we can clearly state
when whois data should be published and when it should not.

I believe that the whois directory is a public directory of contact
information for organizations who have registered "objects" with ARIN
and that it should provide data items that can be used to contact
these organizations. The data items should include things like email
addresses, phone numbers, IM userids, URLs and postal addresses but 
should not contain street addresses unless that is also the organization's
postal address. The purpose of each of these data items should be to
clearly identify a communication mechanism and an address that can be
used to establish prompt two-way communication with a human being. There
should be no mandatory email addresses tagged with labels like "abuse" 
which will likely lead to the email being /dev/nulled because that does
not establish two-way communication with a human being.

And this whois data should only be published when and if there are human 
beings at the other end who are ready, willing and able to do something 
about the communications that they may receive. The only organizations
for which it shall be mandatory to publish whois data are those 
organizations
who hold AS numbers. Any organization receiving IP addressed from ARIN who
then delegates a portion of those addresses to another organization can
choose to submit whois data for the recieving organization if the 
receiving
organization is ready, willing and able to establish communications and 
take
actions. If not, then the responsibility for establishing communications 
and
taking actions remains with the delegator organization.

In other words, whois is for publishing contact information for 
organizations
that are ready, willing and able to talk and to act.

Yes, it would be good to regularly poll these contacts and to flag the 
ones
that appear to be getting stale and remove the ones that no longer 
connect.

The end result of implementing such a policy will be a clean whois 
directory 
and some additional responsibility on the shoulders of the larger ISPs, 
i.e.
they will have to deal with their downstream's abuse or pester their 
downstreams
to provide working whois contact info.

Let's try to fix this festering sore, not just stick a bandaid on it.

--Michael Dillon

P.S. in case you hadn't noticed, residential customers typically are not 
ready, willing
and able to receive communications from random sources and act on them, 
therefore they
just won't be in the directory.

P.P.S. we are talking about the public whois directory here, not ARIN's 
internal
databases which they collect from us under NDA. There will, of course, be 
a lot more
detail about allocations and assignments in ARIN's internal systems.