[At-Large] FW: Withdraw the gun database

Karl Auerbach karl at cavebear.com
Sun Jan 20 09:48:01 UTC 2013

On 01/19/2013 05:05 PM, Holly Raiche wrote:

> For me (and I suspect you), the hard bit will be working out what
> amount to legitimate rights to what data - and ensuring that there is
> a process to ensure that any access that is granted is only done
> after the bona fides of the access seeker and reasons for access are
> established.

Thanks for returning us to a rational, and I hope, productive
discussion.  (By-the-way, if you, or anyone else reading this, are ever
in the Monterey Bay area of California and want to chat about details of
this stuff drop me a note offline.)

The balance of rights is something that I sense needs to be
muddled-through via our well trod path of declarations of rules that are
adjusted through use in actual situations.  For example, simply
identifying people making inquiries is hard enough; proving that
identity is even harder.

Personally I tend to lean towards the "privacy" - because one can
usually remedy an incorrect decision to protect privacy when such
protection is not warranted.  But the converse is not true - once
privacy is breached it is hard to put the information back into the bottle.

Over the last dozen years I've posited variations on a general process
that would be largely, but not entirely, mechanical.  The nugget of
difficult has always been that "not entirely mechanical" part.

Procedure does not scare me - perhaps that is because as an attorney I
have learned that good and fair procedure is very, very important.  I am
very scared about rushes to judgment that trample sane and deliberate
processes or, even worse, "Ox Bow Incident" vigilantism.

I do think that some WHOIS access procedural aspects can be set forth:

1. Every query would be recorded and that record would persist for at
least a couple of years.

2. There would be some means so that data subjects (domain name owners)
could obtain records of those queries that relate to their domain names.

3. Anyone who wants to make an inquiry must identify himself and present
proofs of that identity.  That identify and at least a summery of the
proofs would be saved in the access record.  (People who make a lot of
inquiries, such as IP protection attorneys might pre-establish
identities and credentials to make the process faster and reduce costs.)

4. The person making the inquiry would have to assert that some
cognizable legal right of that person is being violated by the accused
domain name owner.  That assertion would have to be fairly specific and
be backed by some specific evidence to back that assertion.  This
accusation and evidence would be saved in the access record and thus be
available to the data subject.  This could be fairly formulaic - there
could be a checklist of common accusations and I am sure that supporting
evidence would soon assume a rather standard shape and form.

5. The person making the inquiry would have to put up some $$ to cover
the cost of processing the inquiry and also to serve as a bond (payable
to the data subject) if the inquiry is found to be frivolous or abusive.
 The bond portion would be returned after some period of time - perhaps
90 days?  (Lest one think that this puts all the costs onto the person
making the inquiry, I note that the domain name owner has paid a yearly
registry fee and ICANN fee.  And that a name that is successfully
challenged does not give rise to a refund for those fees.)

6. Unless someone can come up with some sort of super-Turing tool to
examine the accusations and evidence, there would have to be some quick
and fast review of the accusation and evidence by a human.  This is the
step that is the most troublesome in terms of cost and delay.  If this
review sees no clear problem then the data access is granted.

7. A periodic summary of all accesses for each name would be sent to the
domain name owner.  This would allow the name owner to know who is
asking about his names, understand the accusations being made, and see
the evidence being presented.  (Remember, by this time the record has
already been made available to the person making the inquiry.) This
would allow the name owner to raise a challenge to sufficiency.  Such
challenges would be reviewed by someone other than the original reviewer
of the initial accusation.  If the accusation is found inadequate the
bond would be paid to the name owner to at least partially compensate
for the violation of their privacy.  (This payment ought not be
construed as a waiver of any rights to civil action that the domain name
owner might have against the accuser for making false accusations or

8. A periodic gazette (web page) would summarize to the public what
names are being inquired-of, who is making the largest numbers of
inquiries (broken down by accusation type, success/failure counts, etc)
 This would let the public see who are being domain name trolls.

This is not a free system, and it has friction - which is quite
intentional.  I have concern that it would take some work to build the
machinery and operate it, and that the human steps could cost too much
(more than a few dollars per event would be too much) or that it could
become merely a rubber stamp.  ICANN's new gTLD program has shown us how
little things can be ballooned into bloated, expensive, systems of
Rube-Goldberg complexity.

> ...What the Whois
> Final Report did say is that, if people are more confident about
> having their privacy respected, they will have less reason to provide
> false information.  At that point, ICANN can and should insist on
> complete and accurate data being provided.

This is a very good point that ought to carry a lot of weight.


More information about the At-Large mailing list