[ppml] Privacy Legislation and new proposals affecting residential privacy

[william(at)elan.net]

On Wed, 25 Aug 2004 Michael.Dillon at radianz.com wrote:

> Let's not forget that there have been other proposals regarding privacy of 
> the whois directory entries. In particular, I presented this proposal 
> http://www.arin.net/policy/2004_4.html last year but it was rejected by a 
> very small subset of ARIN members who were at the poorly attended meeting 
> in Vancouver. This upcoming meeting at Reston should have a much larger 
> subset of ARIN members present and if people feel that some of the ideas 
> in my previous proposal should be incorporated into ARIN policy, then you 
> should say so on this list. The ARIN Advisory Council can and will modify 
> the current proposals before submitting them to a members vote.

Doubt that, they've already discussed it privately for a while, see few 
glimps in the published minutes of AC meetings ... But that that does 
not mean the proposal would pass in next meeting and if does not than
they could/would modify it, although I'm hoping it could be dropped 
entirely for something better.

> However they don't do this based on their own whims, rather they pay 
> attention to the comments expressed on this mailing list.
I've not seen much of that either...

> In particular, there have been comments that the current privacy proposal 
> will make life difficult for researchers. If you read the full text of my 
> previous proposal you will see that I attempted to provide for reasonable 
> research activities without compromising the right on individuals to 
> privacy.

Well, not really... At least what you proposed would not have helped 
researches if swip information becomes optional. That is not to say that 
you had did not have good ideas or that your proposal was bad - it was 
step in the right direction. I think there needs to be entire new section 
and set of policies on whois that covers database purpose, what information
must be put there, privacy directions regarding this information, 
availability and accuracy of data and protection of data from misuse.

> This is an important issue because today, there are no clear rules about 
> what must be in a whois directory. Many of us do business in multiple 
> legal jurisdictions and the temptation is there to simply stop publishing 
> all whois data entirely because it may violate the law in one or more of 
> the countries in which we operate. ARIN would have no recourse in this 
> instance because ARIN has no policies that justify the whois directory. In 
> fact, the activities of SPAM chasers such as William Leibzon could easily 
> be used in court to set a precedent banning whois entirely. I'm not 

Perhaps partly based on my remarks, you seem to be of the opinion that I'm
some big anti-spammer and constantly bug ARIN and go through their data.
That is not accurate, I've done very little of direct spammer chasing 
unlike numerous other people (from organizations such as spamhaus, those 
associated with spews - whoever they are :), spamcop or many people at 
NANAI or SPAM-L), but I do know some of these people and what they use.
I'm primarily involved with providing tools and help on how to find the 
information people need and I've also made number of posts educating on 
what people can and can not do and if they cant what is the approriate 
political body to contact or what are appropriate steps to change the 
policy. And I've always advocated following the law and and letting correct 
organations and law enforcement know about abuse and having them handle 
the problems and limiting direct anti-spammer activities to something like 
investigative reporting done by journalists.

My personal involvement and research was actually only limited to whois
entries entered directly at the top level (i.e. ARIN and other RIR 
assignments & allocations), so current privacy policies proposed would 
not really effect any of that. But having seen what kind of data real spam
researches are using and how they do it, I can tell you that SWIP
data is being used quite a bit and is very helpfull. And despite some
of the contact information not always being accurate the majority of 
them are. And most important the organization data that ISPs enter
as to who they allocated the block to is even more accurate and a lot 
more helpfull - this is not surprising as that is company officially 
client of that ISP and it must be real entity to be able to pay its bills 
(those cases where such info is not accurate usually do not last long, 
 maybe these are exactly the cases when ISP does not get paid :)

Almost all my involvement had been with research on the protocol level
(i.e. at IETF) or policies issues (i.e. at ARIN) as I get involved when
I think existing protocol has security issues that can not be corrected
without some necessary changes/additions and similarly on policies side.

> attacking William here or saying anything about the legitimacy of his 
> activities, just that he does mine the whois directory and he works 
> aggressively to get whois entries corrected according to his understanding 
> of the scope and purpose of the whois directory.

I've never corrected any whois entry - ARIN that did after its own extensive
research on each case. I did prior research as to if there is exists
situation where whois data (on the top level, i.e. direct ARIN or IANA 
allocation) is or is not accurate and it so happens I was right every 
time when I concluded it was not (that just shows I have pretty good 
understanding on what is not good data and that unlike others I do not 
make 100s reports to ARIN and overload their staff and only do reports 
after extensive investigation into each case).

> I don't agree with all of William's views as to the purpose and scope of 
> the whois directory and I don't think that the overall ISP community 
> agrees with this view either.

The purpose of the whois directory should not be exclusive to what ISPs 
want or what ISPs agree to. This is a global directory that has lot wider 
use than only in the ISP community in deciding their own tech issues, that 
is exactly the point I've been trying to make all around. 

Unfortunetly ARIN itself is not really a global North-American wide policy
group and its dominated by ISPs, which means these issue are not being
clearly understood from the perspective of others who may use the data and 
despite ARIN policy meetings being open (and this mailing list), there 
are very few people there (or I suspect on this list) who are not representing
organization that is ISP (or research or govermental institution) that is 
receiving services from ARIN. This includes me as well as I represent ISP 
or other I probably would not have gotten involved in the first place ...

> And I would urge each and every one of you to review this issue internally
> with your legal and regulatory people and not just make your decisions 
> based on personal prejudices. We clearly have to change the nature of 
> whois but we do have some leeway in how we do this.
>
> I do agree with William that any data published in the whois directory 
> should be accurate, that there should be a mechanism to test and report on 
> the accuracy of the information, and that the directory should point to 
> contact people within an ISP who is responsible for dealing with network 
> problems including network abuse. The current proposal, unfortunately, 
> doesn't address any of these issues and merely makes it entirely optional 
> for an ISP to publish whois information at all.
> 
> If the current proposal passes, my organization will shut down our rwhois 
> server. It's an ancient piece of software that is a royal pain to deal 
> with and we'll be happy to see the end of it. We will cease to publish any 
> whois data at all beyond the top level records showing the allocations 
> received by ARIN. We will provide ARIN with a complete database of all our 
> internal whois data (no /29 boundary) on demand any time they ask, 
> possibly by providing a .CSV file on a password protected secure http 
> server so they can pick up the latest daily dump whenever they want it.
>
> How many of you will do the same?

And the above is exactly the kind thing I'm afraid many other ISPs would 
do which will inevitably seriously decrease value of the whois directory.

-- 
William Leibzon
Elan Networks
william at elan.net