[arin-ppml] Privacy rights & IP number whois

[Ted Mittelstaedt]

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at ipinc.net]
>That is a poor example since it's absolutely false.  DMV record
>availability is set by the state governments in the US not feds
>and it differs from state to state.


>>About 6-8 years ago in my
>>state there were no restrictions at all, none whatsoever and it
>>WAS perfectly legal to do this.

>I'd like to verify. Please name the state.

For starters, please do a favor and use plain text posting, it is
a pain to respond to htmlized mail. Thanks!

Here is the info:

In 1996 a  computer "consultant" named Aaron Nabil bought, for $222,
a full list of the State of Oregon's auto registrations and posted
it to his website.  He put in a lookup that was anonymous, anyone
could view a license registration.  At the time this was perfectly
legal.  Complaints streamed in.  Nabil took it offline when then-Governor
John Kitzhaber personally called him, and promised to issue some
executive rules that would restrict this in the future.  (I think
that what they did was today you can still buy the CD but you have
to agree to restrictions on posting it)

And yes I was off a bit on the years, it was more like 11-12 years
ago.

> Also: Where there were "no restrictions at all" was the access
> available anonymously via Internet?

Yes

>Was the data subject notified?

No

>Was a purpose requested? 

No

>Was the requestor's information recorded?

No

>If the answer to the first question was "no" and to all the others "yes",
>then my assertion is verified, not refuted by your example.

Sorry.  This is the problem with using off-the-cuff sweeping
generalizations, as I am well aware of, having been caught myself.

That is why I use auto analogies when possible since I am very familiar
with the automotive market, and such analogies are easy for most
people to grasp.

>If the answer to the first question is "yes," do you think it
>unreasonable that they stopped doing that?
>Can you appreciate why they might have stopped doing that?
>These are honest, not rhetorical questions. I want to know
>why you would feel that it is important for Internet users not
>to be anonymous but you would support anonymous downloading and
>use of sensitive information.

Well, primarily I was pointing out the holes in the analogy,
but if you want to have a discussion then here it is.

>From an ideal standpoint I do
not support the idea that automotive license numbers should have
any restrictions whatsoever.  If someone is on a public road that
is paid by my tax dollars then I feel the public has a right to
know who they are.  If people don't like this they can just take
the bus.

However, realistically I do support some restrictions, on the local
level.  In short, I absolutely support the idea that a DMV clerk 
should be able to have the authority to deny access to license data
to anyone who walks in the door, with no requirement for justification.

Meaning, if a DMV clerk is sitting there and some guy walks up and
demands to know who owns MGV800 then if the clerk has a gut feeling
that he is up to no good, then I think she should be able to tell him
"sorry, I'm not giving you that data" and if he starts to make a stink
about it, then he can be thrown out by the security people.

You have to realize that if someone is up to no good and they are
persistent, they can get the data.  For example, if some kook gets
into a fit of road rage because he thinks I cut him off, then all
he really has to do is follow me until I get where I'm going, then
park and wait me out, then keep following me.  Eventually I will end
up at home and then he has my home address, and if he's going to
stuff a stink bomb in my mail slot in retaliation, or key my car, 
or dump my garbage cans all over the front lawn, well frankly I
can't really stop him.  He does not need to walk into the DMV with
my license number to "get me"  That is why I do not see the value
or need to totally lock down vehicle license numbers from public
access.  There is value to putting up some really weak barriers so
that someone who is drunk or is in a fit of passion cannot do
something that they would later regret, but ultimately, if your
driving a car on a public road, and someone wants to know who you
are, you cannot really stop them from finding out.

>I have done so recently in fact.  And this is if the vehicle is
>a privately owned car.  If it is commercially owned then yes,
>you absolutely have the right for this information, no questions
>asked, and the DMV in my state will give it to you, no questions
>asked.

>But that's the legal person / natural person distinction. That's
>grounded in privacy law. And in either case, the DMV still has to
>verify who the owner is before you get any data, right?

No.  I can see you probably never bought a car other than through
the tender ministrations of a car dealer.

In the particular recent case of mine, I bought a vehicle with
no title, from a guy who was not the listed owner and therefore
could not give me a bill of sale which would be of any use.
Naturally I am not stupid and so before paying the guy
I called the VIN into the cops, who ran it and verified it
was not stolen.  So I bought it and needed to title it.  To
do that I had to send a certified letter to the actual owner,
asking for a title signoff.  IF and when the letter is returned
invalid recipient, I can then take that letter with the postal
stamps all over it to the DMV who will then issue the title.
But to send the letter I of course have to have all the data on
the vehicle, name, address, etc.  It was no problem getting that
from the DMV.  And of course, they did not notify the actual 
vehicle owner that I was getting the data.

The letter was returned invalid recipient, by the way.

>But ARIN's address Whois does not -- and, I hope you agree, should not
> -- tell anyone in the world who wants to know what Ted Middlstaedt's phone
> number is and what he did on the Internet last night, simply because
> they somehow got hold of your IP address number. 

Well it likely couldn't because it's Mittelstaedt, not Middlstaedt,
But seriously, I'm in the white pages and don't have an unlisted number
and I use my real name when posting - Google me up and I'm sure you
will get lots of likely boring information about me.  I know and I
frankly don't give a crap.

Issac Asimov when he was still alive also specifically did not maintain
an unlisted phone number in the NYC telephone directory.  He used to
occasionally get calls from fans and told a humorous story once about
a young woman who called him, crying and heartbroken that the Universe was
going to eventually explode in 12 billion years or whatever time period
it was, wanting to know what the point of life was if it was all going
to come to an end.  She called at something like 4 am, unaware of the
time zone difference.

He knew, as do I, and, apparently as you do not, that only the nobodies
who do absolutely nothing in this world of any value are the ones who
cannot be found.  There really is no privacy other than what people give
to each other.  It really is like when you go camping with a group
and someone needs to change clothes, so everyone else simply looks the
other way.  Because, when it is their turn, they want everyone else to
look away from them as well.  (well, most of them do I guess)

>As Verizon claimed at the time, the RIAA's position "opens the door for
>any person claiming to own a copyright to submit a one-page form to a clerk
>of a court and obtain the unlimited ability to collect private subscriber
>information" based on the collection of an IP address from a p2p site.

The fact of the matter here is that as everyone knows, the real issue
is people buying CD's then ripping tracks off them and either e-mailing
or otherwise making them publicly available.  It is unfortunately a
shame that the EFF and all the privacy advocates took the position
that people should be allowed to do this behind anonymous IP addresses,
because what that forced the RIAA to do is to go by the book and
work through the courts.  As a result, nowadays when they catch
someone doing this, they have spend so damn much money and time that
the person they catch is going to pay them money, come hell or high
water.  The option of simply telling the 16 year old that yeah, we
know you ripped that track and gave it to your friends last night,
and if you do it again your going to juvenile hall, that option isn't
open to the RIAA anymore.

So while perhaps you might have gained something so that you can
post your pro-wiccan website without me knowing who you are right
off the bat, there's a lot of people out there fighting multi-thousand
dollar lawsuits because they have dumbass teenagers as a result
of this.

We lost a community and gained an uncaring, anonymous city.  And
this is a good thing?

>The legislatures, courts and constitutions of different countries
>in the world all differ greatly on this, and what laws there are
>out there differ widely.  This kind of issue is what the United
>Nations was created to solve.  And so far the UN has not issued
>guidelines and directives on this for IP addresses.

>Are you inviting the UN to intervene in address policy? Shall I
>forward this message to the ITU and tell them that an ARIN ppml
>member really wants them to get involved? 

THEY don't WANT to get involved.  If they did, they would have
got involved years ago.  What they are all hoping for is that we,
the technologists, can come up with a semi-fair solution that
keeps the complaints down to a tolerable level.  The only reason
they stepped in on the DNS system is that the technologists
running that were too effing stupid to recognize that your not
going to be able to let Joe Sixpack register the DNS name
mcdonalds.com, just because his uncle on his mother's side lived
in ye 'ol British Isles, a century ago.

Ted