[At-Large] FW: Withdraw the gun database

[Holly Raiche]

Thank you Karl

Your steps are exactly what I had in mind.  You're right - it will take time, and cost. But could we all please start on this journey.

Holly
On 20/01/2013, at 8:48 PM, Karl Auerbach wrote:

> On 01/19/2013 05:05 PM, Holly Raiche wrote:
> 
>> For me (and I suspect you), the hard bit will be working out what
>> amount to legitimate rights to what data - and ensuring that there is
>> a process to ensure that any access that is granted is only done
>> after the bona fides of the access seeker and reasons for access are
>> established.
> 
> Thanks for returning us to a rational, and I hope, productive
> discussion.  (By-the-way, if you, or anyone else reading this, are ever
> in the Monterey Bay area of California and want to chat about details of
> this stuff drop me a note offline.)
> 
> The balance of rights is something that I sense needs to be
> muddled-through via our well trod path of declarations of rules that are
> adjusted through use in actual situations.  For example, simply
> identifying people making inquiries is hard enough; proving that
> identity is even harder.
> 
> Personally I tend to lean towards the "privacy" - because one can
> usually remedy an incorrect decision to protect privacy when such
> protection is not warranted.  But the converse is not true - once
> privacy is breached it is hard to put the information back into the bottle.
> 
> Over the last dozen years I've posited variations on a general process
> that would be largely, but not entirely, mechanical.  The nugget of
> difficult has always been that "not entirely mechanical" part.
> 
> Procedure does not scare me - perhaps that is because as an attorney I
> have learned that good and fair procedure is very, very important.  I am
> very scared about rushes to judgment that trample sane and deliberate
> processes or, even worse, "Ox Bow Incident" vigilantism.
> 
> I do think that some WHOIS access procedural aspects can be set forth:
> 
> 1. Every query would be recorded and that record would persist for at
> least a couple of years.
> 
> 2. There would be some means so that data subjects (domain name owners)
> could obtain records of those queries that relate to their domain names.
> 
> 3. Anyone who wants to make an inquiry must identify himself and present
> proofs of that identity.  That identify and at least a summery of the
> proofs would be saved in the access record.  (People who make a lot of
> inquiries, such as IP protection attorneys might pre-establish
> identities and credentials to make the process faster and reduce costs.)
> 
> 4. The person making the inquiry would have to assert that some
> cognizable legal right of that person is being violated by the accused
> domain name owner.  That assertion would have to be fairly specific and
> be backed by some specific evidence to back that assertion.  This
> accusation and evidence would be saved in the access record and thus be
> available to the data subject.  This could be fairly formulaic - there
> could be a checklist of common accusations and I am sure that supporting
> evidence would soon assume a rather standard shape and form.
> 
> 5. The person making the inquiry would have to put up some $$ to cover
> the cost of processing the inquiry and also to serve as a bond (payable
> to the data subject) if the inquiry is found to be frivolous or abusive.
> The bond portion would be returned after some period of time - perhaps
> 90 days?  (Lest one think that this puts all the costs onto the person
> making the inquiry, I note that the domain name owner has paid a yearly
> registry fee and ICANN fee.  And that a name that is successfully
> challenged does not give rise to a refund for those fees.)
> 
> 6. Unless someone can come up with some sort of super-Turing tool to
> examine the accusations and evidence, there would have to be some quick
> and fast review of the accusation and evidence by a human.  This is the
> step that is the most troublesome in terms of cost and delay.  If this
> review sees no clear problem then the data access is granted.
> 
> 7. A periodic summary of all accesses for each name would be sent to the
> domain name owner.  This would allow the name owner to know who is
> asking about his names, understand the accusations being made, and see
> the evidence being presented.  (Remember, by this time the record has
> already been made available to the person making the inquiry.) This
> would allow the name owner to raise a challenge to sufficiency.  Such
> challenges would be reviewed by someone other than the original reviewer
> of the initial accusation.  If the accusation is found inadequate the
> bond would be paid to the name owner to at least partially compensate
> for the violation of their privacy.  (This payment ought not be
> construed as a waiver of any rights to civil action that the domain name
> owner might have against the accuser for making false accusations or
> representations.)
> 
> 8. A periodic gazette (web page) would summarize to the public what
> names are being inquired-of, who is making the largest numbers of
> inquiries (broken down by accusation type, success/failure counts, etc)
> This would let the public see who are being domain name trolls.
> 
> This is not a free system, and it has friction - which is quite
> intentional.  I have concern that it would take some work to build the
> machinery and operate it, and that the human steps could cost too much
> (more than a few dollars per event would be too much) or that it could
> become merely a rubber stamp.  ICANN's new gTLD program has shown us how
> little things can be ballooned into bloated, expensive, systems of
> Rube-Goldberg complexity.
> 
> 
>> ...What the Whois
>> Final Report did say is that, if people are more confident about
>> having their privacy respected, they will have less reason to provide
>> false information.  At that point, ICANN can and should insist on
>> complete and accurate data being provided.
> 
> This is a very good point that ought to carry a lot of weight.
> 
> 	--karl--
> 
>