June 7, 2003

Privacy and Whois (A continuing blog-dialog with Ross Rader)

Privacy is a complex topic.  The decision whether information is to be private or not is the result of a balance of equities.  As in any such balancing act, the weights assigned to the various equities frequently dictate the outcome.  And loss of privacy is a ratcheting event - once privacy is breached, it remains breached.

During the 1970s and 1980s privacy issues were distilled into collections of principles.  These principles represent broad consensus of opinion among many actors, private and commercial, governmental and institutional.  Many of these principles underlie imperative laws in many nations around the world and ought not be thoughtlessly disregarded.

When a person discloses personal information a kind of rough social bargain is struck - the person makes a choice, perhaps unknowingly, to disclose or not to disclose based on that person's evaluation of the benefits to be obtained versus the costs and burdens to be incurred.  To come in at a later time and rewrite the terms of that bargain is unfair and will eventually result in people becoming overprotective of their personal information.

In other words, it is axiomatic that the privacy balance must be based on the conditions present and known to the person at the time of the transaction in which he/she chose to disclose his/her private information.

A corollary is that in the balance of equities to decide whether the personal data should be disclosed to a third party, it is crucial that primary weight be given to the use of that data that was intended by, or expected by, the person who disclosed the data.  If the third party is requesting a use that is within the reasonable scope of that intended or expected use, then the hurdles to be overcome should be comparatively lower.  If the third party is requesting a use that is beyond that reasonable scope, then the hurdles to be overcome should be rather higher.

Someone must have been telling lies about Joseph K., for without having done anything wrong he was arrested one fine morning. - opening sentence of The Trial by Franz Kafka.

It is difficult to accept a balance as having been fairly made if the parties to the issue have not been allowed to make their case or even be allowed to be aware that a balance concerning their interests is being struck.

Consequently, it is very important that inquiries for private data be neither anonymous nor unrecorded.  The data subject - the person whom the data concerns - ought to be able to learn who has been asking questions, perhaps questions based on false presumptions or even upon lies.

To make some of these thoughts more concrete let me apply them in the context of the Domain Name System (DNS) "whois" database.

First, what is the expectation of the person, the customer, who is disclosing his/her information when he/she decides to acquire a domain name?  Certainly we can say that the purpose is to allow the vendor - the domain name registrar - to complete the transaction and to collect any fees that may be charged.  And certainly the purpose includes the ability of the customer to give the registrar adequate information to allow the customer to maintain the viability of the name server address information that makes the registration workable on the internet.

But does that purpose encompass an intent to provide information to third parties, such as intellectual property holders, for the purpose of reducing the cost, and removing the protections offered by legal procedure, of bringing accusatory actions against the customer?  I would suggest that it is unreasonable to conclude that domain name customers intend to confer such benefits on those third parties.

Thus it is reasonable to conclude that disclosure which facilitates the registrar's ability to consummate the registration agreement is readily permissible.

However, disclosure to an intellectual property attorney who is seeking to accuse the customer/data-subject/domain-name-holder is not so obvious.  So we start to balance the equities.

I expect one of the first assertions to be made by the intellectual property attorney is that we should impute to the data subject an intent to obey the law.  I agree.  However, that implication applies to all of our transactions in life, and if it is sufficient to allow privacy to be breached in the whois context, then one has to wonder whether there could remain any area in life in which privacy might continue to exist.

And I would add to that assertion that there are well established procedures and remedies, established through thousands of years of trial and error, for an aggrieved party to seek redress.  If those procedures are slow and expensive, it seems to me that the cure is to fix the procedures rather than to eliminate the right to privacy on nothing stronger than a mere accusation.  If one examines the power of the intellectual property bar relative to the average data subject, the former has a much, much greater ability to effect changes in the legal system and its procedures and costs.

Recognizing the force of the intellectual property interests in ICANN, there is reason to believe that an extra-legal route into whois will be established (if it has not been established already), despite, and indeed in lieu of, established legal processes.

If such a route is established then I suggest that there also be established a magisterial process through which those who claim that they need access to whois data may present their reasons for such access and have them evaluated for sufficiency.  In such a process, unless the data subject has been given notice and an opportunity to appear in a convenient venue, all questions not supported by compelling evidence ought to be decided in favor of the data subject.

All people and entities that seek access to whois data ought to be required to demonstrate, using verifiable credentials, their identity and contact information.  That identity, contact information, and the basis upon which access is being requested, ought to be recorded in a permanent audit file.

Except in the case of legitimate law enforcement activities (which are presumably governed by bodies of laws and constitutional limitations) that audit file ought to be available to the data subject - much like credit reports are available.  The cost of this system and of a reasonable number of reports (e.g. one report per quarter) ought to be covered by a system that recoups the costs from those who register domain names and those who seek to penetrate whois privacy.

(I have noticed that some people read more into my proposal than I intend - It is my intent that there be an audit trail, not that there be real-time notification of the data subject.  I would prefer the latter, except in cases of legitimate law enforcement, however my sense is that it is beyond today's technology and would be more of a nuisance than a benefit.)

Identification need not be burdensome or expensive.  There are certain classes of people and entities who would be expected to be frequently in need of whois data.  These include operators in Network Operations Centers (NOCs) who must track down network problems, often in the wee hours of the night and often under emergency conditions.  Intellectual property attorneys who engage in domain name versus trademark disputes would similarly be likely to require frequent access.

In such cases it would be appropriate to pre-establish identities and credentials.  The cost of such a system need be no more than the cost of a signed entry on a PGP or GPG key ring - i.e. almost nil.

For those who do not have pre-arranged credentials, data access could be constrained in non-burdensome ways.  For example, the result of the query could be delivered by e-mail, which creates at least a rough handle, if perhaps only for a short while, leading to the person purporting to make the inquiry.  Or the result could be made less precise: the telephone country code and area code could be substituted for the data subject's full telephone number, and only postal code information made available instead of an exact street address.
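As an added illustration (not code from the original post), the following Python sketch models the scheme proposed in the preceding paragraphs: requesters whose key fingerprint is pre-registered receive the full record, requesters identified only by a reply e-mail address receive a coarsened record (country and area code only, postal code only), anonymous queries are refused, and every disclosure is written to an audit log that the data subject can read, with law-enforcement entries sealed from that report.  The registrant data, key fingerprints, identities and e-mail addresses are constructed placeholders, and the choice to leave name and e-mail uncoarsened is an assumption of this sketch, not something the post specifies.

```python
"""Illustrative sketch: tiered whois disclosure with an audit trail."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Registrant:
    domain: str
    name: str
    email: str
    phone: str        # hyphen-separated: country code, area code, local digits
    street: str
    city: str
    postal_code: str
    country: str


@dataclass(frozen=True)
class AuditEntry:
    when: str         # UTC timestamp of the query
    domain: str
    requester: str    # verified identity, or "unverified:<reply address>"
    basis: str        # the requester's stated reason for wanting the data
    tier: str         # "full" or "coarse"
    sealed: bool      # law-enforcement entries are withheld from the subject


def coarsen_phone(phone: str) -> str:
    """Keep only the country and area codes: '+1-831-555-0100' -> '+1-831'."""
    return "-".join(phone.split("-")[:2])


class WhoisGateway:
    def __init__(self, records: Iterable[Registrant], credentials: Dict[str, str]):
        self._records = {r.domain: r for r in records}
        # Pre-registered requesters (NOC staff, IP attorneys, ...):
        # key fingerprint -> verified identity.  A signed keyring entry is
        # all the "credential" this needs; the fingerprints here are placeholders.
        self._credentials = dict(credentials)
        self.audit: List[AuditEntry] = []

    def query(self, domain: str, basis: str, *, key_fingerprint: Optional[str] = None,
              reply_email: Optional[str] = None, law_enforcement: bool = False) -> dict:
        record = self._records[domain]
        if key_fingerprint is not None:
            identity = self._credentials.get(key_fingerprint)
            if identity is None:
                raise PermissionError("unrecognised credential")
            requester, tier = identity, "full"
        elif reply_email:
            if law_enforcement:
                raise PermissionError("law-enforcement access requires a credential")
            requester, tier = f"unverified:{reply_email}", "coarse"
        else:
            raise PermissionError("anonymous queries are refused")
        # Every disclosure is recorded, whoever asked and whatever they received.
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            domain=domain, requester=requester, basis=basis,
            tier=tier, sealed=law_enforcement))
        return self._full(record) if tier == "full" else self._coarse(record)

    @staticmethod
    def _full(r: Registrant) -> dict:
        return {"domain": r.domain, "name": r.name, "email": r.email, "phone": r.phone,
                "address": f"{r.street}, {r.city}, {r.postal_code}, {r.country}"}

    @staticmethod
    def _coarse(r: Registrant) -> dict:
        # Less precise view for uncredentialed requesters: area code and
        # postal code only, as the post suggests.
        return {"domain": r.domain, "name": r.name, "email": r.email,
                "phone": coarsen_phone(r.phone),
                "address": f"{r.postal_code}, {r.country}"}

    def subject_report(self, domain: str) -> List[AuditEntry]:
        """What the data subject may see: who asked, when and why, law-enforcement entries excepted."""
        return [e for e in self.audit if e.domain == domain and not e.sealed]


# Constructed sample data; fingerprints, identities and addresses are placeholders.
NOC_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
LE_KEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def build_demo_gateway() -> WhoisGateway:
    registrant = Registrant("example.com", "Pat Example", "pat@example.com",
                            "+1-831-555-0100", "1234 Elm Street", "Santa Cruz", "95060", "US")
    return WhoisGateway([registrant],
                        {NOC_KEY: "noc@isp.example", LE_KEY: "officer@agency.example"})


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.query("example.com", "NOC: tracing a routing loop", key_fingerprint=NOC_KEY))
    print(gw.query("example.com", "availability check", reply_email="asker@example.net"))
    for entry in gw.subject_report("example.com"):
        print(entry.requester, entry.tier, entry.basis)
```

The point of the sketch is the ordering of checks: identity is established before any data is released, the audit entry is written before the response is returned, and the only difference between a credentialed and an uncredentialed requester is the precision of what comes back, not whether the request is recorded.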

Posted by karl at June 7, 2003 11:03 PM