Sky
Vittorio vb Bertola
Fasendse vëdde an sla Ragnà dal 1995

Vën 19 - 9:52
Cerea, përson-a sconòssua!
Italiano English Piemonteis
chi i son
chi i son
guida al sit
guida al sit
neuve ant ël sit
neuve ant ël sit
licensa
licensa
contatame
contatame
blog
near a tree [it]
near a tree [it]
vej blog
vej blog
përsonal
papé
papé
fotografie
fotografie
video
video
musica
musica
atività
net governance
net governance
consej comunal
consej comunal
software
software
agiut
howto
howto
internet faq
internet faq
usenet e faq
usenet e faq
autre ròbe
ël piemonteis
ël piemonteis
conan
conan
mononoke hime
mononoke hime
vej programa
vej programa
travaj
consulense
consulense
conferense
conferense
treuvo travaj
treuvo travaj
angel dj'afé
angel dj'afé
sit e software
sit e software
menagé
login
login
tò vb
tò vb
registrassion
registrassion

[IETF-Provreg] A user's point of view on the privacy issue

(Inglese, messaggio sulla lista del gruppo di lavoro Provreg della IETF, 17 Gené 2003)

To: ietf-provreg@cafax.se
From: Vittorio Bertola <vb@bertola.eu.org>
Date: Fri, 17 Jan 2003 11:03:26 +0100
Sender: owner-ietf-provreg@cafax.se
Subject: A user's point of view on the privacy issue

 

Hello,

I am a newbie of this group and of the IETF WGs in general (please
pardon me for anything inappropriate I might unvoluntarily do).
However, I have been discussing DNS privacy issues extensively in the
last years, so please allow me to give my point of view on the ongoing
privacy discussion.

Not addressing the privacy issue in the base protocol would likely
imply that the service would often be deployed in real life without
any means to achieve privacy protection. Unfortunately, the present
lack of privacy protection in the WHOIS system is plainly illegal in
many countries, and I don't think it's reasonable to think that this
situation can go on for long without actual lawsuits starting to
happen, both towards ccTLD and gTLD registries and registrars. 

In fact, as others have already pointed out, many registries
(especially European ccTLDs) have already started to allow opting out
from WHOIS under certain conditions or for certain types of data, or
even, have already been sued on this. Personally, I think that the
present situation where gTLD registrants are required to make all
their data public won't last long.

Thus, any new protocol being created in this field should be able to
support the ability to mark data as private - otherwise in the end it
might be useless or even damaging. If this protocol doesn't implement
any simple and standard way to specify reasonable privacy directives
together with data, it is likely that many registrars and registries
will be soon forced, by law, lawsuits, or public opinion pressure, to
add their own (non-standard and non-interoperable) ones.

The protocol must allow customers to specify privacy conditions with
the highest possible granularity, because it must be able to support
policies that will be very different one from the other and will vary
often (much more often than the protocol itself) according to
non-technical decisions. No privacy policy should be hard-wired in the
protocol (and this includes the policy of "no privacy is possible"
that would result from the lack of privacy specification tools in the
base protocol).

I must also point out that, according for example to the European law,
it is the customer, nor the registrar nor the registry nor any policy
or standard making body, that decides what should be published and
what should not. The registrar or registry are not allowed to alter
the customer's indications on privacy. At most, the registrar/registry
may refuse to supply the service if the customer does not accept to
distribute data that are strictly necessary for the service to work.
(It seems to me very doubtful that publishing my name and e-mail to
the whole world is strictly necessary for my name servers to work. But
this is a policy and legal discussion anyway, and is out of this
list's scope.)

So, the minimum level of granularity that the protocol should support
to be applicable in real life is the ability to mark each field of
each domain name registration form as private or public, singularly
for each (domain, field) couple.

The EU law also states that the owner of the data has the right to
verify and update the data and retire the consensus to the
distribution at any time. So the protocol should allow for updates not
only of the data but of the privacy indications too.

Theoretically, a registrar could ask separate approvals to the
customer for different uses of the same data. In this case, a
mechanism with more levels of privacy would be necessary. However,
this is an option for the registrar, not a requirement, so this could
be left to extensions. Similarly, a specific approval is required to
export data outside of the European Union, so a mechanism to specify a
list of countries to which data can(not) be exported could be of use,
but this problem can be easily avoided by the registrar by asking for
such consensus, so this could be left as a possible extension too.

Thus, summarizing, I support the idea that a mechanism to specify (at
least) whether each single field of each single domain name is meant
to be public or private should be added to the base protocol, and its
implementation should be mandatory.
-- 
vb.                  [Vittorio Bertola - vb [at] bertola.eu.org]<---
-------------------> http://bertola.eu.org/ <-----------------------

Torna alla categoria "Guide e scritti tecnici"

Creative Commons License
Cost sit a l'è (C) 1995-2024 ëd Vittorio Bertola - Informassion sla privacy e sij cookies
Certidun drit riservà për la licensa Creative Commons Atribussion - Nen comersial - Condivide parej
Attribution Noncommercial Sharealike