Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
As I understand it, the DPA does not cover personal web sites or data
that I ask to be published; it covers the use of that data by the people
storing it. In the case of a web hosting service, that's the whole point
(i.e. it's what I'm paying them to do).
Many of these protection schemes that address privacy issues (both in the
US, and the EU) regulate providers, who can be reasonably assumed to have
subscribers with certain expectations about privacy. Privacy is a hard
social issue, with no clear definition. However, there are accepted
inflections in public law, statutes and administrative law. We have public
data whose sole purpose is sharing, personal data that needs protection
against unwarranted exploitation by third parties, private information that
one secures appropriately with a technical mechanism, and other important
categories.
Richard has a certain belief about the privacy expectations of all ENUM
Provider subscribers, and argues (rather coarsely) his position. His
argument is articulate, but rather unpersuasive, as the basis for his claims
is his personal expectations as a subscriber. He happens to be a person
with low expectations about certain elements of his personal data, viewing
that data as necessarily public in order to achieve his individual
communication goals.
Now, if you believe that the web hosting service has to find what personal
data I've just pushed to my web site, then notify the Government to say what
that data is and how they're using it, then we're in LaLa Land.
As a potential service provider, lwc, if your website is based on FrontPage,
say, and it offers a registration and messaging module for others who can
post memos to your site, YOU might be advised to pay a visit to the
registrar. I would expect you to do this for any website YOU host at a third
party service bureau, a web site you host yourself, or for a DNS server that
you operate or cause to be operated - and which distributes personal data
about others to others.
Your need to comply with data protection regulation, if any, is, "of
course," a private and privileged disclosure matter to be shared by you and
your legal advisor.
When the DPA first came in and the DP Registrar was totally overwhelmed with
paperwork flying in their direction; notification of personally published data
would be an absurdity that WILL be ignored as it would make that look like a
very quiet day in the office.
The US Federal government considered many suggestions made to address the
problem of people setting and publishing their expectations of privacy. It
chose decentralized disclosure making, rather than EU-style registration of
disclosures by central bodies; with obvious impact on the ease by which the
scheme could be engendered and indirectly managed into place over time, on a
massive scale.
In the US commercial arena, the practices for expectation setting settled on
placing obligations on the party with most control and the most to gain from
exploitation - the telematic service provider. That is, certain (ambiguous)
privacy expectations were presumed for all consumers, and a provider may
disclose a policy in order to negotiate those expectations down to something
acceptable to that person, engaging with the user as they subscribe, or as
they use the service (if the provider's policy provides notice of its ability
to change) or if the user is not a subscriber.
If one expects DNS Providers to do this is, then that random neural firing is,
in my opinion, equally bizarre.
An ENUM provider is not a classical DNS service provider: ENUM necessarily
binds two name forms from two (or more than two) distinct naming
authorities. The ENUM provider will be asserting control of that binding of
different personal data items, much as a CA binds several personal names in
its certificates. In each case, the ENUM provider goes beyond DNS, and goes
on to exercise direct control over the delivery of privacy-enhanced (ENUM) or
security-enhanced services in the case of ENUM service enhanced with offline
certificate chain URIs.
While an EU TTP operating ENUM service may attempt to claim it is an
unknowing outsourcing contractor supporting a relationship between a
subscriber and a SIP-enabled telco, the US TTPs currently fighting for
control of ENUM business through ICANN and IAB-related law suits are
unlikely to proceed on this course: they need to assert control for their
assurance to have much economic value: CISCO can provide critical
infrastructure-grade servers and operational knowhow to a telco just as well
as it can supply it to ******, say, when acting as a TTP operating DNS
servers mastering a critical infrastructure zone within .arpa.
In short:
If I want to publish my contacts, then "Get Your Tanks Off My Lawn".
If I want to control who gets to see what contacts, then I'll use
a PUA system, with a "global" entry in ENUM pointing to that.
Contracts suggest that the data is not personal in nature. While contracts
often contain personal data, the use of the contract form already suggests
the parties are quite sophisticated, and can negotiate privacy issues (if
any) in the terms of the contract - probably with the advice of appropriate
legal professionals. The terms may involve the removal of equipment from
lawns, if the parties so desire, and can select any security- or
privacy-filtering technology that the parties may agree to. In the UK, in
particular, third party rights may be implied here, as third parties now
have certain rights even though they are not parties to contracts
addressing telematic services or information upon which they are induced to
rely by the contracting parties.
The IETF and (eventually) IANA and the ITU/IAB have done their job.
But ICANN have not, and neither (in the US) has the DoC - in revising the
procurement contract it places (and must surely revise) with ICANN to
address ENUM - given ENUM must use .arpa delegated zones, by IAB mandate.
The DoC actions must be publicly reviewed, and the influence of IAB over DoC
must be similarly disclosed, if there is any. IAB is acting for and as IETF.
Quite properly it discloses its ITU communications (somewhat late, note, for
public input), and will surely and necessarily disclose its US government
communications on the topic of ENUM regulation. We must recall that IAB has
considerable influence over the technical standards controlling operators of
those regions of the DNS it designates as critical infrastructure, and has
had a history of assigning a critical infrastructure contract (to RIPE)
showing coordination with the Internet Society on a topic related to ENUM,
and disclosed in an Informational RFC specifically discussing ENUM planning.
I have a mechanism to do at least the global publication.
We have several mechanisms for performing the act of publishing personal
data for distribution by the DNS, and for use in delivering an
IETF-standardized or a proprietary E2U-based telematic data lookup service.
And there are IAB mandates essentially on how operators MUST then distribute
and control the data that has been so published in the ENUM portion of the
DNS. There is, also, evidence of attempts to scope an IETF WG session on the
topic of amending the IAB mandate on the options for such distribution,
taking input from a closed European Standardization organization; and there
is evidence of specific and maintained resistance to the call for the
sub-session addressing the possible change in mandate to consider privacy
issues, as properly articulated by members of the IETF ENUM WG mailing list.
Now, on the PUA stuff you can bury it in Legal issues until hell freezes over.
For the rest, it's my risk, and my choice. I don't live in California.
Unfortunately, CA law may address your activities, in much the same way that
national laws derived from the EU directive in question threaten Americans
with liability for their actions.
all the best,
Lawrence
On 25 Jun 2004, at 20:15, Stastny Richard wrote:
<snip>
I know that people in the UK are paranoic about
privacy, e.g. 30% are unlisted in the phonebook,
in Austria this 5-10%. But UK is not really Europe.
<snip>
_______________________________________________
enum mailing list
enum at ietf.org
https://www1.ietf.org/mailman/listinfo/enum