Zone Transfer Policy Review - Proposed New Policy

Submission From: Ewen McNeill
Received: 29 February 2004

The proposed policy can be summarised in two sentences: "Access to transfer zones is at the discretion of the DNC. Access is unlikely to be given without evidence of public benefit and protection of privacy". It appears to have ignored many of the submissions that were made on the previous policy.

Clause 3.1 should be reworded to say "Zone files will generally not be released to third parties in order to protect registrants' privacy and interests" (note change of ordering to emphasise that not releasing is protecting the privacy interest, rather than that the zones are not being released in order to hinder the protection of that privacy interest).

The policy should address other sources of data that might be obtained from the zone file; for instance, summary statistical information is already published, and there might well be a procedure whereby specific statistics could be requested from the DNC if they are only needed once.

In general I think that zone transfers are most appropriate where there is an ongoing need for information -- for instance to track trends -- rather than once only. This should be reflected both in the policy and in the process. Indeed the process should probably require a defence as to why the information that will be extracted from the zone transfer cannot be obtained in some other fashion. (Where there is a need for an ongoing set of data I would say that the general rule should be towards approving the transfers as the most expedient way to provide the ongoing access. One-off transfers should be an exceptional case.)

I tend towards the view that there is nothing private in the zone data itself; it's been published in the DNS after all. However it is obviously a useful set of source data for someone who wants to engage in "data mining" via the whois server or otherwise. Possibly the privacy concerns should be reworded in light of that observation (i.e., that the data itself is not sensitive, but that it can be used for activities which may result in privacy violations).

I also don't think that a lack of public good should be fatal to an application. Providing there isn't public detriment, I think that an application should be approved if it otherwise meets the criteria. Public good coming out of the release would obviously be a positive factor in favour of the release.

In view of the fact that these comments go to the "core" of the proposed policy I would like to suggest that a revised version be prepared and consulted on again.