[ppml] Policy Proposal 2005-2: Directory Services Overhaul

william(at)elan.net william at elan.net
Fri Apr 15 15:24:39 EDT 2005

On Fri, 15 Apr 2005, Leo Bicknell wrote:

> In a message written on Fri, Apr 15, 2005 at 09:53:41AM -0700, Azinger, Marla wrote:
>> 1.  I feel it would be best for us to get a definative answer on
>> Privacy Laws and what should and should not be made public accesible
>> information.  Along with a definition of what "public Accessible"
>> really entails.
> I've talked to ARIN Council and to a number of other people about
> "privacy laws" and the answer is that the problem is almost
> intractable.
> There are literally several hundred federal laws that deal with
> privacy in various circumstances, and if you throw in the state,
> province, and city laws you could realistically be looking at over
> 10,000 or even over 100,000 laws affecting privacy inside the ARIN
> region.

And every one of those laws deals with INDIVIDUAL privacy rights,
not those of corporate or business identity. If anything the trend is
that information on what public resources companies use should be made
public with easier access to such data.

Note that we already have policies right now in ARIN region that DO NOT 
require publishing personal name as contact (ISP can always choose to use 
their own contacts and simple reassignment does not require publishing 
contacts either) and that allow to not withhold individual name or address 
when type of access is residential. As such I think current ARIN policies
already give ISPs the leverage to comply with existing laws.

Where as the new policies if approved would restrict access to information
on use what most consider public resources by commercial entities and 
severally restrict research that can be conducted on the use of these

> What's more, many of them are conditional on various other
> criteria.  Examples include Canada, where you can't publish information
> without consent of the party who's information is being published,
> or the Children's Online Protection Act, which prevents you from
> publishing information on people under the age of 13, or under 18
> without parents consent.  Is it reasonable for ARIN to require an
> ISP to obtain consent in these cases?  Is it reasonable to deny
> someone under the age of 13 IP addresses because they cannot have
> their information published?

Current residential privacy policy would allow to withheld the person's 
name. I would also note that under laws in US, the persons under 18 in US 
(16 in Canada) can not enter into legal agreement (except with consent of
their guardian) so I find it unlikely that it strange how under these
circumstances they can become customers of the ISP (and I'm pretty sure
no ISP would want 13 year old as a customer without parent's consent).

> I started off investigating the legal aspects of this policy and
> quickly backed away.  To say the legal side of things is a can of
> worms grossly understates the problem.  Add to this that this is
> an area of law that's rapidly changing.  Look at the recent identity
> thefts that have made the news.  There are now over 100 bills pending
> in congress that all have provisions dealing with keeping "private
> information" "private".

Yes and all of them deal with what is already private data that some
companies keep in their database and want to insure such data is protected.
Such data is not part of current public whois database (social security 
numbers, credit cards, etc) but ARIN does keep some of this info in
their private database and so such laws would apply to ARIN if they
pass and require ARIN to keep this info more secure.

By classifying majority of what is currently public ARIN data as private,
you may well cause additional expenses on arin if it has to keep safe
(by standards of new laws that may pass) a lot larger part of their database.

> Since many of you work for companies with legal teams, what I would
> do is urge you to ask your own lawyers.  Tell them ARIN currently
> requires you to publish your client's name, address, and e-mail
> address under certain circumstances

Again see above as to that if the client is a person with what can
be classified as consumer access, then none of the information need
to be public made public. In other circumstances only client's name
and address need to be made public but email address IS NOT require
to be made public (unless this client is listed as contact for ip
block, but there is no requirement for ISP to do that).

> legal for your company to do so in your jurisdiction.  I believe
> that the conversation that you have will be very interesting.

And most likely after they fully examine current ARIN policies and 
understand clarification that I've just made, they will find that
there is no serious problem.

William Leibzon
Elan Networks
william at elan.net

More information about the ARIN-PPML mailing list