[At-Large] Same discussion over again? The recurring WhoIs issue

Roberto Gaetano roberto_gaetano at hotmail.com
Thu Jan 24 09:35:17 UTC 2013


I think that over the years I have heard the same discussions, with the same
argumentation, many times.

I had therefore planned not to reply.

However, since I have already broken this plan with my previous message, I
might as well provide my full version (which is not much different from the
conclusions of the WG).

First of all, I do not enter in the gun registry issue, because this is a
local issue, and must be fully on the authority of the local laws. Different
countries (maybe even different States in the US) have different
legislation, and there is no need for a globally uniform approach. But for
the Internet, as global resource, things are different, and therefore more
complicated.

My approach can be summarized in the following points:

- WhoIs data *must* be complete and accurate. There's no point in
  even having a WhoIs if we cannot rely on its content.

- The entity that accepts the registration (generally it will be the
  Registrar or the resellers that act anyway under the authority of the
  Registrar) is responsible for completeness and accuracy of data. Of course,
  this is an additional burden on Registrars, but if it is enforced in the
  whole system it will not cause competitive advantage by some.

- ICANN must have the authority (and the means) of enforcing the
  completeness and correctness of the data. This does not mean that a
  Registrar will be sanctioned if an entry is incorrect, it means that
  procedures have to be defined to deal with these cases. We have to
  understand that data can be complete and accurate at the creation, but might
  become inaccurate in time.

- WhoIs information will be of two types: public and restricted. We
  can even think of using the experience of social networks to define what is
  public and what not, for instance we can allow a nickname to be public and
  the real name being hidden, if the result of the PDP is going in this
  direction.

- Information on organizations and individuals is not necessarily
  the same. In particular, the public and private part might differ. Of
  course, in some jurisdictions it is OK to have a completely fake
  organization, but this is a problem that we cannot solve as it impacts local
  legislation. I assume that those "fake" organizations will be clustered
  among a small subset of Registrars, and since the Registrar is known...

- LEAs have full access to Registrant's data. ICANN maintains a list
  of the organizations that have full access (it can be slightly wider than
  LEAs themselves, it will include probably ICANN itself, the Registries, the
  RIR, and others). GAC will have access to the list and has the authority to
  determine whether an organization operating in the country they represent is
  authorized or not. International LEAs, like Europol and Interpol, are a
  limited number anyway.

- Local organizations like vigilantes can get the right to access
  data if they are recognized and authorized by a LEA. The LEA is fully
  responsible for the actions of the entities to whom they have delegated
  authority, as well as for keeping complete and accurate data of them. ICANN, in
  particular the compliance department, has full access to the complete data
  of these organizations that act under LEAs' authority. These data are
  otherwise restricted (unless the organization itself wants to make them, or
  part thereof, public).

- A private citizen will have access only to the public part of the
  WhoIs data. To access the restricted part, he/she must do so via a LEA or
  authorized vigilante (I am using this term for lack of a better term). I am
  working under the assumption that there will be organizations, like
  SpamHaus, who will be accessible by private citizens to perform requests on
  their behalf and that will be more responsive than the official LEAs.

Of course, there are problems. For instance, privacy is not fully
guaranteed. We have the potential case of refugees from a regime whose data
can be detected by a LEA operating under that very regime. However, I
believe that we cannot solve this problem because it would never be
acceptable that a LEA, by its very nature, cannot access the WhoIs data. We
have to think about other means to exert the right of free speech in a way
that does not necessarily imply the registration of a domain name. I am
sure that in the world there exist already so many cases of fighters for
freedom who have obtained substantial results without registering domain
names.

I know I am not making friends here, but I have the right to free speech as
well. The consequence is that I have to be ready to accept flames.

Cheers,

Roberto

 



