[At-Large] [ALAC] WHOIS Studies

[Karl Auerbach]

Derek Smythe wrote:

>> I have long suggested that any one who makes an inquiry into the whois 
>> data should be obligated to leave an electric "calling card" record 
>> that informs the data subject of the name, identity...

> We have a perfect world vs a real world scenario here.
> 
> In theory the answer would be yes of course. In reality it may not be a 
> good idea.

While the objections you raise are valid, it seems to me that the easier answer is to say 
that if someone tries to make an inquiry of the whois system and who is unable 
himself/herself to provide an easily authenticated identification, then the query should 
be flatly denied (although a record of the attempt should be kept so that the data subject 
can see how many times a failed assult on his/her privacy has been made.)

How might one be authenticated?  One place is the already existing bulk whois system in 
which real money has been handed over - ICANN could keep a list of those people and with a 
bit of extra stuff (something akin to the CSV on the back of a credit card) list could be 
used to authenticate whois queriers.

Other places could be a set of digital keys - like the ever expanding interlocking ring of 
PGP/GPG keys.

Then there could be the slowly growing (some may say stagnating) reputation services.

The burden of proving an authentic ID ought to fall upon the person making the query; we 
ought not to sacrifice privacy on the altar of the querier's convenience.

If the querier can't meet that burden then he/she should be sent packing, which is an 
aptly ironic result considering that the querier was most trying to penetrate the identity 
of the domain name.

		--karl--