Re: Difference between bulk access and individual access (Was: Policy for an Internet registry [EUreg #2656] from Rigo Wenning on 2002-09-05 (www-p3p-policy@w3.org from September 2002)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 5 Sep 2002 17:13:27 +0200
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: www-p3p-policy@w3.org
Message-ID: <20020905151327.GD7003@localhost>

Dear Stephane, 

I know this concept as it also applies to the phone directories in
Europe. Access to a specified individual data-set is something different
than getting the whole database. 

The question here is treated by the <Recipient> - Element in P3P[1]. As
we had already many different types of recipients, we haven't thought of
the distinction between public-access and bulk-public-access. While
there might be some difference in the ease of access, it is not too
difficult to read out even restricted public accessible databases with
some perl-script. So we might see a shift on the apreciation of that
distinction between public-access to individual files and public access
(selling) of the bulk-database. 

So within the current vocabulary, you might want to describe the
recipient as <public> full stop. The further distinction could only be
done with an extension to the <Recipient> - Element[2]. Using the
extension mechanism, you'll risk, that a user-agent will be unable to
interpret the semantics correctly. 

Another alternative is to use the longdesc - attribute on <public> to
describe the two different notions of public you mean. 

But this might be an excellent input for the upcoming P3P Workshop in
Dulles. Please see the CfP[3] as it is not only important for registries
of internet-domain-names, but also for phone-companies giving access to
the directory of their customers.

  1. http://www.w3.org/TR/P3P/#RECPNT
  2. http://www.w3.org/TR/P3P/#extension
  3. http://www.w3.org/2002/p3p-ws/cfp-p3p1_1

Best, 
-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

On Fri, Aug 16, 2002 at 10:05:49AM +0200, Stephane Bortzmeyer wrote:
> According to our lawyer, there is an important legal difference
> between allowing public access to individual data (in the whois
> context, allowing the public to query the contacts of a domain name,
> giving the exact domain name) and bulk access (having the whole
> database at your disposition or a substantial part of it, may be
> through fuzzy search criteria such as the ability the find all domains
> matching a given string).
> 
> In the French registry, at the present time, we therefore have a
> public whois (anyone can retrieve personal information from anywhere)
> but no bulk access at all (the database is not transferred and we
> patched the RIPE-NCC whois server to disallow some privacy-invading
> search features).
> 
> Is there a way to express that in P3P? I plan to have several
> STATEMENT, with different RECIPIENT and expressing in the CONSEQUENCES
> element that one STATEMENT is for bulk access and the other for
> individual access only.

Received on Thursday, 5 September 2002 11:23:47 UTC